Security Assignment 2, Study Guides, Projects, Research of Network security

This is Assignment 2 security of GW University

Typology: Study Guides, Projects, Research

2021/2022

Uploaded on 06/17/2022

bao-chi
Assignment Brief 2 (RQF)
Higher National Certificate/Diploma in Computing

Student Name/ID Number: NGUYEN CHI BAO/GCS200235
Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Van Ho
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:

Submission Format:

Format:
  • The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs, and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.

Submission:
  • Students must submit the assignment by the due date and in the way requested by the Tutor.
  • The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
  • Remember to convert the Word file into a PDF file before submission on CMS.

Note:
  • The individual Assignment must be your own work, and not copied by or from another student.
  • If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style.
  • Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:
  • LO3 Review mechanisms to control organizational IT security.
  • LO4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario

You work for a security consultancy as an IT Security Specialist. A manufacturing company “Wheelie good” in Ho Chi Minh City making bicycle parts for export has called your company to propose a Security Policy for their organization, after reading stories in the media related to security breaches, etc. in organizations and their ramifications.

Task 1

In preparation for this task, you will prepare a report considering:

  • The security risks faced by the company.
  • How data protection regulations and ISO risk management standards apply to IT security.
  • The potential impact that an IT security audit might have on the security of the organization.
  • The responsibilities of employees and stakeholders in relation to security.

Task 2

Following your report:

  • You will now design and implement a security policy.
  • While considering the components to be included in the disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3

In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.

Table of Contents

  • Assignment Brief 2 (RQF)
    • Higher National Certificate/Diploma in Computing
  • Task 1 - Discuss risk assessment procedures (P5)
    • 1.1 Define a security risk and how to do risk assessment
    • 1.2 Define assets, threats and threat identification procedures, and give examples
    • 1.3 Explain the risk assessment procedure
    • 1.4 Risk identification steps:
  • Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
    • 2.1 Definition of data protection:
    • 2.2 Explain data protection process in an organization
    • 2.3 Why are data protection and security regulation important?
    • Why do we need security regulations?
  • Task 3 - Design and implement a security policy for an organization (P7)
    • 3.1 Definition and discussion of security policy:
    • 3.2 Give an example for each of the policies
    • 3.3 The elements of creating security policy:
    • 3.4 Steps to design a policy:
  • Task 4 - List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
    • 1. Business continuity:
    • 2. Components of recovery plan:

Task 1 - Discuss risk assessment procedures (P5)

1.1 Define a security risk and how to do risk assessment

a) Define a security risk: A security risk assessment finds, evaluates, and applies important application security controls. It also focuses on preventing security flaws and vulnerabilities in applications. By conducting a risk assessment, an enterprise can see its application portfolio holistically, from the standpoint of an attacker. It helps managers make well-informed decisions about resource allocation, tools, and security control implementation. As a result, conducting an assessment is an important aspect of a company's risk management strategy.

b) Risk assessment: A Security Risk Assessment (or SRA) is a method of outlining the risks in your organisation, technology, and procedures in order to ensure that security threats are addressed by existing controls. Security risk assessments are commonly included in compliance standards, such as the PCI-DSS requirements for payment card authentication. They are required by the AICPA as part of a SOC II audit for service organizations and are also criteria for ISO 27001, HITRUST CSF, and HIPAA compliance, to mention a few. Security risk assessments are also commonly referred to as a risk assessment, an IT infrastructure risk assessment, a safety risk audit, or a safety audit.

c) What Is A Risk Assessment For Security: A security risk assessment finds, evaluates, and prioritizes potential vulnerabilities in various information assets (i.e., systems, hardware, applications, and data), as well as the hazards that may affect those vulnerabilities. A risk assessment's main goal is to alert decision-makers to vulnerabilities in business systems so that they can adopt proactive defensive measures and plan effective risk responses. The assessment also includes an executive summary to assist executives in making educated security decisions. Security risk assessments also show management where staff need to be trained in order to reduce attack surfaces.

Security risk assessments are carried out by a security assessor who can analyse all aspects of the business processes in order to locate risk areas. These may be as basic as a device protected by a poor password, or may be more complicated problems, such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

d) How to do risk assessment: The depth of risk assessment models is affected by factors such as size, growth rate, resources, and asset portfolio. When faced with budget or time constraints, organizations can conduct generalized assessments. Generalized assessments, on the other hand, may not always include precise mappings of assets, associated threats, recognized risks, effects, and mitigation mechanisms.

Threat identification is a way of collecting data on possible threats that can assist management in identifying information security risks. Threat modeling is a systematic methodology that helps an organization aggregate and measure possible threats. Institutions should consider using threat modeling to better understand the existence, frequency, and complexity of threats; determine the institution's information security vulnerability; and apply this awareness to the institution's information security program. The identification of threats involves the sources of threats, their capabilities, and their objectives. It involves the following actions:

  • Identify and assess threats.
  • Use threat knowledge to drive risk assessment and response.
  • Design policies to allow immediate and consequential threats to be dealt with expeditiously.

D) Example: To begin risk assessment, take the following steps:

1. Find all valuable assets across the organization that could be harmed by threats in a way that results in a monetary loss. Here are just a few examples:
  • Servers
  • Website
  • Client contact information
  • Partner documents
  • Trade secrets
  • Customer credit card data

2. Identify potential consequences. Determine what financial losses the organization would suffer if a given asset were damaged. Here are some of the consequences you should care about:
  • Data loss
  • System or application downtime
  • Legal consequences

3. Identify threats and their level. A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Here are some common threats:
  • Natural disasters
  • System failure
  • Accidental human interference
  • Malicious human actions (interference, interception or impersonation)

4. Identify vulnerabilities and assess the likelihood of their exploitation. A vulnerability is a weakness that allows some threat to breach your security and cause harm to an asset. Think about what protects your systems from a given threat: if the threat actually occurs, what are the chances that it will actually damage your assets? Vulnerabilities can be physical (such as old equipment), problems with software design or configuration (such as excessive access permissions or unpatched workstations), or human factors (such as untrained or careless staff members).

5. Assess risk. Risk is the potential that a given threat will exploit the vulnerabilities of the environment and cause harm to one or more assets, leading to monetary loss. Assess the risk according to the logical formula stated above and assign it a value of high, moderate or low. Then develop a solution for every high and moderate risk, along with an estimate of its cost.

6. Create a risk management plan using the data collected. Here are some example entries:

| Threat | Vulnerability | Asset and consequences | Risk | Solution |
|---|---|---|---|---|
| System failure: overheating in server room (High) | Air conditioning system is ten years old. (High) | Servers. All services (website, email, etc.) will be unavailable for at least 3 hours. (Critical) | High (potential loss of $50,000 per occurrence) | Buy a new air conditioner (cost $3.000) |
| Malicious human (interference): distributed denial-of-service (DDoS) attack (High) | Firewall configured properly and has good DDoS mitigation. (Low) | Website. Website will be unavailable. (Critical) | Moderate (potential loss of $5000 per hour of downtime) | Monitor firewall |
| Natural disaster: flooding (Moderate) | Server room is on the 3rd floor. (Very Low) | Servers. All services will be unavailable. (Critical) | Very Low | No action needed |
| Accidental human interference: accidental file deletions (High) | Permissions are configured properly; IT auditing software is in place; backups are taken regularly. (Low) | All files on a file share. Critical data could be lost, but almost certainly could be restored from backup. (Moderate) | Low | Continue monitoring permissions changes, privileged users, and backups |

7. Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off.

8. Define mitigation processes. You can improve your IT security infrastructure but you cannot eliminate all risks. When a disaster happens, you fix what happened, investigate why it happened, and try to prevent it from happening again, or at least make the consequences less harmful. For example, here is a sample mitigation process for a server failure:

Event (server failure) → Response (use your disaster recovery plan or the vendor’s documentation to get the server up and running) → Analysis (determine why this server failed) → Mitigation (if the

to minimize them should be included in your plan. The document or the risk management plan should explain that you:

  • Conducted a proper check of your workspace
  • Determined who would be affected
  • Controlled and dealt with obvious hazards
  • Initiated precautions to keep risks low
  • Kept your staff involved in the process

5th step: Review assessment and update if necessary

Your workplace is always changing, so the threats to your organization are also changing. Each new piece of equipment, procedure, and person that is introduced brings the risk of a new danger. To stay on top of these new risks, continually evaluate and update the risk management process.

1.4 Risk identification steps:

Within the risk identification and management process, there are five main steps: risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

Step 1: Risk identification: The purpose of risk identification is to reveal what, where, why, and how anything could impair an organization's ability to function. A company in central California, for example, would list "wildfire" as a possible occurrence that could disrupt business operations.

Step 2: Risk analysis: This step includes determining the likelihood of a risk event occurring and the likely outcome of each event. Using the example of the California wildfire, safety managers may determine how much rainfall has occurred in the last 12 months and the degree of harm that the organization could face if a fire occurs.

Step 3: Risk evaluation: The severity of each risk is compared and rated based on its likelihood and effects. For example, the impacts of a potential wildfire can be weighed against the implications of a potential mudslide. Whichever occurrence is determined to have a higher probability of occurring and causing harm will rank higher.

Step 4: Risk treatment: Risk treatment is also referred to as risk response planning. Based on the evaluated importance of each risk, risk reduction approaches, preventive treatment, and contingency measures are included in this procedure. Using the wildfire example, risk managers can choose to keep additional network servers off-site so that corporate activities can continue even if an onsite server is destroyed. The risk manager can also design evacuation plans for employees.

Step 5: Risk monitoring: Risk management is a continuous process that adapts and changes over time. Repeating and tracking the processes helps to assure optimal coverage of known and unknown risks.

Figure 2. Risk Management Process

Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)

Figure 3. Data Protection

2.1 Definition of data protection:

a) Definition: Data protection is the process of preventing vital information from being tampered with, compromised, or lost. The value of data protection grows as the amount of data generated and processed grows at an exponential rate. Data protection is crucial because it protects an organization's information from fraud, hacking, phishing, and identity theft. Any firm that wishes to operate efficiently must ensure the security of its data by developing a data protection strategy. The importance of data protection grows in tandem with

Data is getting more and more valuable. The abilities and opportunities for retrieving various types of personal data are likewise continuously evolving. Individuals and businesses can be severely harmed by unauthorized, careless, or uninformed handling of personal data. As the volume of data generation and processing continues to expand at exponential rates, the value of data security increases. There is also little tolerance for downtime that can make it difficult to access critical data. Three reasons why data protection regulation matters are given below:

  • First, the object of personal data protection is not only to protect the data of individuals, but also to protect the fundamental rights and freedoms of individuals related to such data. By protecting personal data, it is possible to guarantee that the rights and freedoms of individuals are not violated. Incorrect processing of personal data, for example, may lead to a situation where a person is overlooked for a job opportunity or, worse, loses their current job.
  • Secondly, failure to comply with the regulations on personal data security will lead to even harsher circumstances, in which it is possible to remove all the money from the bank account of an individual or even create a life-threatening situation by manipulating health information.
  • Thirdly, data protection regulations are essential to guarantee fair and consumer-friendly trade and service provision. Personal data security laws establish a situation where personal data cannot be openly sold, for instance, which ensures that individuals have more control over who sells to them and what kind of offers are made.

Figure 6. The importance of cyber-security

Why do we need security regulations?

Regulations are in place to help companies improve their information security strategy by providing guidelines and best practices based on the company's industry and the type of data they maintain. Non-compliance with these regulations can result in severe fines, or worse, a data breach. Below are 6 methods by which you can protect your data better:

+ Risk assessments: The riskier the data, the higher the level of security required. Critical data should be carefully guarded, whereas low-risk data can be given less protection. Cost-benefit is the primary basis for these assessments, as stronger data protection requires more money. It is, however, a useful test for determining which information should be more closely guarded and for improving the overall efficiency of the data processing system. Your risk assessment should be based on two axes: the potential severity of a data breach and the likelihood of a breach. The greater the risk on both of these axes, the more sensitive the data is. A Data Protection Officer (Privacy Officer) will assist you in developing valid ground rules as part of these assessments. Do not do it on your own unless you are fully certain you know what you are doing. If mislabeled data is lost, it might be disastrous.

+ Backups: Backups are a means to protect data from loss caused by human error or technology failure. Backups should be created and updated on a regular basis. Daily backups will add to your company's expenses, but a disruption to your routine business activities will cost you considerably more. Time is more valuable than money. Low-importance information does not need to be backed up as often as sensitive information, so backups should be done in accordance with the risk-based approach explained above. These backups should be kept in a safe place, and they should most likely be encrypted. Sensitive data should never be kept in the cloud. Review storage media for degradation on a regular basis, as directed by the manufacturer, and ensure that they are stored in accordance with official guidelines (check for humidity, temperature, etc.). Compared to hard disks, tape-storage methods are still a cheaper alternative (by two-thirds). Hard drives, however, are more compact and better suited to operations on a small scale. With disk-storage methods, data access is often much quicker.

+ Encryption: High-risk data is the prime candidate for encryption every step of the way. This includes acquisition (online cryptographic protocols), processing (full memory encryption), and subsequent storage (RSA or AES). Well-encrypted information is inherently secure; the data would be useless and irrecoverable to attackers, even in cases of a data breach. For that reason, encryption is also expressly referred to in the GDPR as a data protection tool, which means that its proper use would definitely count in your favor in the regulators' eyes. For example, if you encounter an infringement involving encrypted data, you do not even have to report it to the supervisory authorities because the data is deemed to be sufficiently secured! You should consider encryption as your #1 data protection technique for this reason alone.

+ Access controls: A very successful risk mitigation approach is the application of access controls to your business processes. The fewer people have access to data, the lower the chance of a violation or (inadvertent) loss of information. Ensure that only trustworthy workers who have a legitimate reason to use it have access to sensitive data. We recommend that you hold regular training courses and refreshers on data handling, particularly after recruiting new employees.

We live in a world where computers are globally networked and accessible, making digitized information particularly vulnerable to fraud, exploitation, and destruction. Security breaches are unavoidable. Crucial decisions and defensive moves must be quick and precise. A security policy outlines what must be done to protect information held on computers. A well-written policy offers a sufficient definition of "what" to accomplish so that the "how" can be defined, quantified, or determined. Without a security policy, any firm can be left vulnerable to the world. It is important to note that in order to determine policy needs, a risk assessment must first be completed. This can help an entity determine sensitivity criteria in terms of knowledge, processes, procedures, and structures.

C) The importance: Establishing an effective security plan and taking steps to assure compliance is a critical step in preventing and reducing security breaches. To make your security policy genuinely successful, update it in response to changes in your organization, new threats, lessons learned from prior breaches, and other changes to your security posture. Make your data protection policy reasonable and enforceable. It should have an exemption structure in place to satisfy the demands and crises that arise from diverse sectors of the organization.

If security is vital, it is critical to ensure that all security measures are implemented through adequately robust procedures. Structured procedures and risk management approaches are used to ensure the completeness of security rules and their rigorous implementation. In complex systems, such as information systems, policies can be split into sub-policies so that the security frameworks applying each sub-policy can be distributed. However, there are certain disadvantages to this method. It is easy to skip straight to the sub-policies, which are essentially rules of operation, and ignore the top-level policy. This gives the impression that the rules of operation address some broad concept of protection when they do not. Because it is so difficult to think clearly about total protection, rules of operation described as "sub-policies" without a "super-policy" tend to be meandering rules that do not completely enforce anything. As a result, any genuine security system requires a top-level security policy, without which sub-policies and rules of operation are pointless.

3.2 Give an example for each of the policies

A) Employee requirements:

Using this policy

This example policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned. This should link to your AUP (acceptable use policy), security training and information security policy to provide users with guidance on the required behaviors.

1.0 Purpose

<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical. It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope

  1. Any employee, contractor or individual with access to systems or data.
  2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it):
    • PII
    • Financial
    • Restricted/Sensitive
    • Confidential
    • IP

3.0 Policy – Employee requirements

  1. You need to complete <Company X>’s security awareness training and agree to uphold the acceptable use policy.
  2. If you identify an unknown, un-escorted or otherwise unauthorized individual in <Company X> you need to immediately notify .
  3. Visitors to <Company X> must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to appropriate areas.
  4. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by <Company X>. For example, the use of external e-mail systems not hosted by <Company X> to distribute data is not allowed.
  5. Please keep a clean desk. To maintain information security you need to ensure that all printed in-scope data is not left unattended at your workstation.
  6. You need to use a secure password on all systems as per the password policy. These credentials must be unique and must not be used on other external systems or services.
  7. Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process, with employees signing documentation to confirm they will do this.
  8. You must immediately notify in the event that a device containing in-scope data is lost (e.g. mobiles, laptops etc).
  9. In the event that you find a system or process which you suspect is not compliant with this policy or the objective of information security, you have a duty to inform so that they can take appropriate action.

  • Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted and authorized by security management. See Risk Assessment process (reference your own risk assessment process).

3.0 Policy
  1. <Company X’s> data leakage prevention (DLP) technology will scan for data in motion.
  2. The DLP technology will identify large volumes (and therefore at high risk of being sensitive and likely to have significant impact if handled inappropriately) of in-scope data. A large number of records is defined as (tailor to your enterprise’s stance, e.g. 1000 records). In-scope data is defined as (you should adjust this to reflect the data that you are regulated on, or that which could be most damaging to your organization; the list below is an appropriate template for many organizations):
    a. Credit card details, bank account numbers and other financial identifiers
    b. E-mail addresses, names, addresses and other combinations of personally identifiable information
    c. Documents that have been explicitly marked with the ‘Confidential’ string.
  3. DLP will identify specific content, i.e.:
    a. Sales data – particularly forecasts, renewals lists and other customer listings
    b. Exports of personally identifiable information outside controlled systems (this is data that you are particularly concerned about losing and wish to ensure is detected by the DLP policy).
  4. DLP will be configured to alert the user in the event of a suspected transmission of sensitive data, and the user will be presented with a choice to authorize or reject the transfer. This allows the user to make a sensible decision to protect the data, without interrupting business functions. Changes to the DLP product configuration will be handled through the IT change process and with security management approval, to identify requirements to adjust the information security policy or employee communications.
  5. DLP will log incidents centrally for review. The IT team will conduct first-level triage on events, identifying data that may be sensitive and situations where its transfer was authorized and there is a concern of inappropriate use. These events will be escalated to HR to be handled through the normal process and to protect the individual. (You will need to tailor this for your organisation. It is common to defer enforcement to business owners of data rather than having IT conduct the triage.)
  6. Where there is an active concern of data breach, the IT incident management process is to be used with specific notification provided to (for example HR, Legal and Security Management).

4.0 Technical guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

  1. The technology of choice is
  2. The product will be configured to identify data in motion to Browsers, IM Clients, E-mail clients, Mass storage devices and writable CD media.

5.0 Reporting requirements

  1. Weekly reports of incidents to
  2. High priority incidents discovered by IT should be immediately flagged with
  3. Monthly report showing % devices compliant with DLP policy

c) Workstation full disk encryption:

Using this policy

This example policy is intended to act as a guideline for organizations looking to implement or update their full disk encryption control policy. Adapt this policy, particularly in line with requirements for usability or in accordance with the regulations or data you need to protect.

Background to this policy

Full disk encryption is now a key privacy-enhancing technology which is mandated by many regulatory guidelines.

1.0 Purpose

<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. A collection of global regulations (such as ) also require the protection of a broad scope of data, which this policy supports by restricting access to data hosted on devices. As defined by numerous compliance standards and industry best practice, full disk encryption is required to protect against exposure in the event of loss of an asset. This policy defines requirements for full disk encryption protection as a control and associated processes.

2.0 Scope
  1. All workstations – desktops and laptops (depending on the type of data you hold and physical security, some organizations adjust this just to cover laptops).
  2. All virtual machines.
  3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted and authorized by security management. See Risk assessment process (reference your own risk assessment process).

3.0 Policy

  1. All devices in scope will have full disk encryption enabled.
  2. <Company X’s> Acceptable Use Policy (AUP) and security awareness training must require users to notify if they suspect they are not in compliance with this policy as per the AUP.
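
The data-in-motion checks from the example DLP policy earlier in this section (large volumes of in-scope data, the 'Confidential' marker, a user prompt to authorize or reject, and central incident logging) can be sketched as follows. This is an added example, not part of the original assignment or of any DLP product; the function names, regular expressions, Luhn check and sample export are assumptions made for illustration.

```python
"""Added example: data-in-motion DLP check modelled on the example policy."""
import re
from dataclasses import dataclass

# Assumed detectors; a real DLP product ships its own content rules.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
MARKER = "Confidential"    # explicit marking string named in the policy
RECORD_THRESHOLD = 1000    # the policy's example value; tailor per organisation


@dataclass
class ScanResult:
    cards: int = 0        # Luhn-valid card numbers seen
    emails: int = 0       # e-mail addresses seen
    records: int = 0      # lines holding at least one in-scope identifier
    marked: bool = False  # payload carries the 'Confidential' string


def luhn_valid(number: str) -> bool:
    """Checksum test that filters out random digit runs (order ids, phone numbers)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(payload: str) -> ScanResult:
    """Count in-scope identifiers line by line; one line is treated as one record."""
    result = ScanResult(marked=MARKER in payload)
    for line in payload.splitlines():
        cards = [m for m in CARD_RE.findall(line) if luhn_valid(m)]
        emails = EMAIL_RE.findall(line)
        result.cards += len(cards)
        result.emails += len(emails)
        if cards or emails:
            result.records += 1
    return result


def evaluate(result: ScanResult, threshold: int = RECORD_THRESHOLD) -> list:
    """Return the policy reasons that make this transfer a suspected leak."""
    reasons = []
    if result.records >= threshold:
        reasons.append("large_volume")
    if result.marked:
        reasons.append("confidential_marker")
    return reasons


def handle_transfer(user, channel, payload, prompt, incident_log,
                    threshold: int = RECORD_THRESHOLD) -> str:
    """Alert the user, let them authorize or reject, and log centrally for triage."""
    result = scan(payload)
    reasons = evaluate(result, threshold)
    if not reasons:
        return "allowed"
    decision = "authorized_by_user" if prompt(reasons) else "rejected_by_user"
    # Log counts and reasons only; copying the payload would create a second leak.
    incident_log.append({"user": user, "channel": channel, "reasons": reasons,
                         "records": result.records, "decision": decision})
    return decision


def constructed_export(rows: int) -> str:
    """Constructed sample data: fake customers with a well-known test card number."""
    return "\n".join(
        f"Customer {i},user{i}@example.com,4111 1111 1111 1111" for i in range(rows)
    )


if __name__ == "__main__":
    log = []
    outcome = handle_transfer("alice", "e-mail client", constructed_export(1200),
                              lambda reasons: False, log)
    print(outcome, log)
```

Authorized transfers are logged as well as rejected ones, because the policy's first-level triage reviews situations where a transfer was authorized and there is a concern of inappropriate use.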