Security - Assignment 2, Assignments of Network security

Security - Assignment 2 - 1620

Typology: Assignments

2021/2022

Uploaded on 04/08/2022

ke-danh-cap-trai-tim
ASSIGNMENT 2 FRONT SHEET
Qualification BTEC Level 5 HND Diploma in Computing
Unit number and title Unit 5: Security
Submission date Date Received 1st submission
Re-submission Date Date Received 2nd submission
Student Name Student ID
Class Assessor name
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P5 P6 P7 P8 M3 M4 M5 D2 D3

❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date: Lecturer Signature:

The individual Assignment must be your own work, and not copied by or from another student. If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style. Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:

  • LO3 Review mechanisms to control organizational IT security.
  • LO4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario

You work for a security consultancy as an IT Security Specialist. A manufacturing company “Wheelie good” in Ho Chi Minh City making bicycle parts for export has called your company to propose a Security Policy for their organization, after reading stories in the media related to security breaches, etc. in organizations and their ramifications.

Task 1

In preparation for this task, you will prepare a report considering:

  • The security risks faced by the company.
  • How data protection regulations and ISO risk management standards apply to IT security.
  • The potential impact that an IT security audit might have on the security of the organization.
  • The responsibilities of employees and stakeholders in relation to security.

Task 2

Following your report:

  • You will now design and implement a security policy
  • While considering the components to be included in disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3

In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.

Learning Outcomes and Assessment Criteria (Assignment 1):

LO 3

  • Pass: P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation.
  • Merit: M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.
  • Distinction: D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO 4

  • Pass: P7 Design and implement a security policy for an organisation. P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
  • Merit: M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
  • Distinction: D3 Evaluate the suitability of the tools used in an organisational policy.

  • Assignment Brief 2 (RQF)
    • Higher National Certificate/Diploma in Computing
  • Task 1 - Discuss risk assessment procedures (P5)
      1. Define a security risk and how to do risk assessment
      • 1.1 Definition
      • 1.2 How does a security risk assessment work?
      2. Define assets, threats and threat identification procedures, and give examples
      • 2.1 Define assets
      • 2.2 Define threats
      • 2.3 Vulnerability Appraisal
      • 2.4 Risk Assessment
      3. Explain the risk assessment procedure
      4. List risk identification steps
  • Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
      1. Define data protection
      2. Explain the data protection process in an organization
      3. Why are data protection and security regulation important?
      • 3.1 Principles of data protection
      • 3.2 What is the purpose of data protection?
      • 3.3 Data portability
      • 3.4 The convergence of disaster recovery and backup
      • 3.5 Enterprise data protection strategies
      • 3.6 Data protection trends
      • 3.7 Mobile data protection
      • 3.8 Differences between data protection, security and privacy
      • 3.9 Data protection and privacy laws
      • 3.10 Data protection for GDPR compliance
      • 3.11 Ways to protect your data
      • 3.12 Relationships with the organization and the data protection process
      • 3.13 Why is data protection so important?
  • Task 3 - Design and implement a security policy for an organization (P7)
      1. Define a security policy and discuss about it
      • 1.1 Define a security
      • 1.2 Discuss
      2. Examples of security policies
      3. Give the most and should that must exist while creating a policy
      4. Explain and write down elements of a security policy
      5. Give the steps to design a policy
  • Task 4 - List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
      1. Discuss with explanation about business continuity
      • 1.1 Why is business continuity important?
      • 1.2 What does business continuity include?
      2. List the components of recovery plan
      3. Write down all the steps required in disaster recovery process
      4. Explain some of the policies and procedures that are required for business continuity
  • References

Task 1 - Discuss risk assessment procedures (P5)

1. Define a security risk and how to do risk assessment

1.1 Definition

A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically, from an attacker’s perspective. It supports managers in making informed resource allocation, tooling, and security control implementation decisions. Thus, conducting an assessment is an integral part of an organization’s risk management process (synopsys, 2022)

1.2 How does a security risk assessment work?

Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk assessment models. Organizations can carry out generalized assessments when experiencing budget or time constraints. However, generalized assessments don’t necessarily provide the detailed mappings between assets, associated threats, identified risks, impact, and mitigating controls (synopsys, 2022)

2. Define assets, threats and threat identification procedures, and give examples

2.1 Define assets

An asset is any data, device, or another component of an organization’s systems that is valuable – often because it contains sensitive data or can be used to access such information (Irwin, 2017)

For example, an employee’s desktop computer, laptop, or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets (Irwin, 2017)

An organization’s most common assets are information assets. These are things such as databases and physical files – i.e. the sensitive data that you store (Irwin, 2017)

A related concept is the ‘information asset container’, which is where that information is kept. In the case of databases, this would be the application that was used to create the database. For physical files, it would be the filing cabinet where the information resides (Irwin, 2017)

  • Single Loss Expectancy
  • Annualized Loss Expectancy (Kim & Solomon, 2018)

An organization has three options when confronted with a risk:

  • Accept the risk
  • Diminish the risk
  • Transfer the risk (Kim & Solomon, 2018)

3. Explain the risk assessment procedure

Step 1: Identify the hazards. The first step in a risk assessment is to identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessment include natural disasters, utility outages, cyberattacks, and power failure (Cole, 2021)

Step 2: Determine what, or who could be harmed. After the hazards are identified, the next step is to determine which business assets would be negatively influenced if the risk came to fruition. Business assets deemed at risk to these hazards can include critical infrastructure, IT systems, business operations, company reputation, and even employee safety (Cole, 2021)

Step 3: Evaluate the risks and develop control measures. A risk analysis can help identify how hazards will impact business assets and the measures that can be put into place to minimize or eliminate the effect of these hazards on business assets. Potential hazards include property damage, business interruption, financial loss, and legal penalties (Cole, 2021)

Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks, and plans to prevent the hazards (Cole, 2021)

Step 5: Review and update the risk assessment regularly. Potential hazards, risks, and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes (Cole, 2021)

Risk assessment tools, such as risk assessment templates, are available for different industries. They might prove useful to companies developing their first risk assessments or updating older assessments (Cole, 2021)

4. List risk identification steps

There are four steps in risk identification:

  • Inventory the assets and their attributes
  • Determine what threats exist against the assets and by which threat agents
  • Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure
  • Make decisions regarding what to do about the risks (Kim & Solomon, 2018)

Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)

1. Define data protection

Data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights while still allowing data to be used for business purposes (techopedia, 2017)

2. Explain the data protection process in an organization

Data protection should always be applied to all forms of data, whether it be personal or corporate. It deals with both the integrity of the data (protection from corruption or errors) and the privacy of the data (it is accessible only to those who have access privilege to it) (techopedia, 2017)

The context of data protection varies and the methods and extent also vary for each; there is data protection on the personal level, that of business or public entities, and that of data so highly classified that it should never fall into the hands of others aside from its owners, or in other words, top secret (techopedia, 2017)

In the United States, data privacy is not highly regulated, so by extension, there are no strict data protection laws that apply, although that is quickly changing as people become aware of the value of privacy and data protection. In the United Kingdom however, the legislative body passed the Data Protection Act of 1998, a revision of the very basic Act of 1984 which stated rules for data users and defined individuals' rights in regard to data that is directly related to them. The Act became effective on March 1, 2000. The law itself strives to balance the individual rights to privacy and the ability of more public organizations to use this data in the process of conducting business. The Act gives guidelines, eight principles, which a data controller must observe when handling personal data in the course of doing business, in the name of protection. These principles range from the data having been obtained fairly and lawfully to it not leaving the country or territory unless under certain conditions of protection. Not all countries have data protection laws, however (techopedia, 2017)

3. Why are data protection and security regulation important?

3.1 Principles of data protection

The key principles of data protection are to safeguard and make available data under all circumstances. The term data protection describes both the operational backup of data as well as business

among cloud service providers. On the other hand, it requires safeguards against data duplication (Crocetti, et al., 2021)

Either way, cloud backup is becoming more prevalent. Organizations frequently move their backup data to public clouds or clouds that backup vendors maintain. These backups can replace on-site disk and tape libraries, or they can serve as additional protected copies of data (Crocetti, et al., 2021)

Backup has traditionally been the key to an effective data protection strategy. Data was periodically copied, typically each night, to a tape drive or tape library where it would sit until something went wrong with the primary data storage. That's when organizations would access and use the backup data to restore lost or damaged data (Crocetti, et al., 2021)

Backups are no longer a standalone function. Instead, they're being combined with other data protection functions to save storage space and lower costs (Crocetti, et al., 2021)

Backup and archiving, for example, have been treated as two separate functions. The backup's purpose was to restore data after a failure, while an archive provided a searchable copy of data. However, that led to redundant data sets. Today, some products back up, archive, and index data in a single pass. This approach saves organizations time and cuts down on the amount of data in long-term storage (Crocetti, et al., 2021)

3.4 The convergence of disaster recovery and backup

Another area where data protection technologies are coming together is in the merging of backup and disaster recovery (DR) capabilities. Virtualization has played a major role here, shifting the focus from copying data at a specific point in time to continuous data protection (Crocetti, et al., 2021)

Historically, data backup has been about making duplicate copies of data. DR, on the other hand, has focused on how companies use backups once a disaster happens (Crocetti, et al., 2021)

Snapshots and replication have made it possible to recover much faster from a disaster than in the past. When a server fails, data from a backup array is used in place of the primary storage, but only if an organization takes steps to prevent that backup from being modified (Crocetti, et al., 2021)

Those steps involve using a snapshot of the data from the backup array to immediately create a differencing disk. The original data from the backup array is then used for read operations, and write operations are directed to the differencing disk. This approach leaves the original backup data unchanged. And while all this is happening, the failed server's storage is rebuilt, and data is replicated from the backup array to the failed server's newly rebuilt storage. Once the replication is complete, the contents of the differencing disk are merged onto the server's storage and users are back in business (Crocetti, et al., 2021)

Data deduplication, also known as data dedupe, plays a key role in disk-based backup. Dedupe eliminates redundant copies of data to reduce the storage capacity required for backups. Deduplication can be built into backup software or can be a software-enabled feature in disk libraries (Crocetti, et al., 2021)

Dedupe applications replace redundant data blocks with pointers to unique data copies. Subsequent backups only include data blocks that have changed since the previous backup. Deduplication began as a data protection technology and has moved into primary data as a valuable feature to reduce the amount of capacity required for more expensive flash media (Crocetti, et al., 2021)

CDP has come to play a key role in disaster recovery, and it enables fast restores of backup data. Continuous data protection enables organizations to roll back to the last good copy of a file or database, reducing the amount of information lost in the case of corruption or data deletion. CDP started as a separate product category but evolved to the point where it is now built into most replication and backup applications. CDP can also eliminate the need to keep multiple copies of data. Instead, organizations retain a single copy that's updated continuously as changes occur (Crocetti, et al., 2021)
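The failover sequence described in section 3.4 (read-only snapshot, differencing disk, rebuild, replicate, merge), as an added example that is not part of the original assignment or its sources. It is a small Python model over constructed 4-byte blocks; all class and function names are hypothetical, and the SHA-256 comparison is an assumed way of checking that the backup was left unmodified.

```python
import hashlib

BLOCK_SIZE = 4  # constructed toy block size so the sample data stays readable


class BackupSnapshot:
    """Read-only, point-in-time view of the backup array (hypothetical model)."""

    def __init__(self, blocks):
        for block in blocks:
            if len(block) != BLOCK_SIZE:
                raise ValueError("every block must be BLOCK_SIZE bytes")
        # A tuple of bytes objects cannot be edited in place.
        self._blocks = tuple(bytes(b) for b in blocks)

    def __len__(self):
        return len(self._blocks)

    def read(self, index):
        return self._blocks[index]

    def digest(self):
        """SHA-256 over all blocks, used to prove the backup did not change."""
        h = hashlib.sha256()
        for block in self._blocks:
            h.update(block)
        return h.hexdigest()


class DifferencingDisk:
    """Serves reads from the snapshot and captures every write separately."""

    def __init__(self, snapshot):
        self._base = snapshot
        self._delta = {}  # block index -> latest data written during the outage

    def read(self, index):
        # A block written since failover wins; otherwise fall through to backup.
        if index in self._delta:
            return self._delta[index]
        return self._base.read(index)

    def write(self, index, data):
        if not 0 <= index < len(self._base):
            raise IndexError("block index outside the protected volume")
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be exactly one block")
        self._delta[index] = bytes(data)  # the snapshot itself is never touched

    def changed_blocks(self):
        return dict(self._delta)


def recover_failed_server(snapshot, writes_during_outage):
    """Run the failover sequence and return the rebuilt server's blocks."""
    digest_before = snapshot.digest()

    # 1. Users keep working against the differencing disk while the server is down.
    disk = DifferencingDisk(snapshot)
    for index, data in writes_during_outage:
        disk.write(index, data)

    # 2. Rebuild the failed server's storage and replicate the backup onto it.
    rebuilt = [snapshot.read(i) for i in range(len(snapshot))]

    # 3. Merge the differencing disk onto the rebuilt storage.
    changed = disk.changed_blocks()
    for index, data in changed.items():
        rebuilt[index] = data

    # 4. Confirm the backup copy is byte-for-byte what it was before failover.
    if snapshot.digest() != digest_before:
        raise RuntimeError("backup array was modified during recovery")

    return {
        "server_blocks": rebuilt,
        "merged_indexes": sorted(changed),
        "backup_digest": digest_before,
    }


# Constructed sample data: three blocks on the backup array, three writes
# made by users while the primary server was being rebuilt.
SAMPLE_BACKUP = [b"INV1", b"ORD1", b"PAY1"]
SAMPLE_WRITES = [(1, b"ORD2"), (2, b"PAY2"), (1, b"ORD3")]

if __name__ == "__main__":
    snap = BackupSnapshot(SAMPLE_BACKUP)
    result = recover_failed_server(snap, SAMPLE_WRITES)
    print("rebuilt server :", result["server_blocks"])
    print("merged blocks  :", result["merged_indexes"])
    print("backup intact  :", result["backup_digest"] == snap.digest())
```

Because every write lands in the differencing disk, the backup stays usable as a clean restore point even if the changes made during the outage later turn out to be corrupt or malicious.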

3.5 Enterprise data protection strategies

Media failure: The goal here is to make data available even if a storage device fails. Synchronous mirroring is one approach in which data is written to a local disk and a remote site at the same time. The write is not considered complete until a confirmation is sent from the remote site, ensuring that the two sites are always identical. Mirroring requires 100% capacity overhead (Crocetti, et al., 2021)

RAID protection is an alternative that requires less overhead capacity. With RAID, physical drives are combined into a logical unit that's presented as a single hard drive to the operating system. With RAID, the same data is stored in different places on multiple disks. As a result, I/O operations overlap in a balanced way, improving performance and increasing protection (Crocetti, et al., 2021)

RAID protection must calculate parity, a technique that checks whether data has been lost or written over when it's moved from one storage location to another. That calculation consumes compute resources (Crocetti, et al., 2021)

The cost of recovering from a media failure is the time it takes to return to a protected state. Mirrored systems can return to a protected state quickly; RAID systems take longer because they must recalculate all the parity. Advanced RAID controllers don't have to read an entire drive to recover data when doing a drive rebuild. They only need to rebuild the data that is on that drive. Given that most drives run at about one-third capacity, intelligent RAID can reduce recovery times significantly (Crocetti, et al.,

Erasure coding is an alternative to advanced RAID that's often used in scale-out storage environments. Like RAID, erasure coding uses parity-based data protection systems, writing both data and parity across a cluster of storage nodes. With erasure coding, all the nodes in the storage cluster can

Full-on data center failure: Protection against a data center loss requires a full DR plan. As with the other failure scenarios, organizations have multiple options. One option is snapshot replication, which replicates data to a secondary site. However, the cost of running a secondary site can be prohibitive (Crocetti, et al., 2021)

Cloud services are another alternative. An organization can use replication along with cloud backup products and services to store the most recent copies of crucial data in the event of a major disaster and to instantiate application images. The result is a rapid recovery in the event of a data center loss (Crocetti, et al., 2021)

3.6 Data protection trends

Hyper-convergence: With the advent of hyper-convergence, vendors have started offering appliances that provide backup and recovery for physical and virtual environments that are hyper-converged, non-hyper-converged and mixed. Data protection capabilities integrated into hyper-converged infrastructure are replacing a range of devices in the data center (Crocetti, et al., 2021)

Ransomware: This type of malware, which holds data hostage for an extortion fee, is a growing problem. Traditional backup methods have been used to protect data from ransomware. However, more sophisticated ransomware is adapting to and circumventing traditional backup processes.

Copy data management: CDM cuts down on the number of copies of data an organization must save, reducing the overhead required to store and manage data and simplifying data protection. CDM can speed up application release cycles, increase productivity and lower administrative costs through automation and centralized control (Crocetti, et al., 2021)

Disaster recovery as a service: DRaaS use is expanding as more options are offered and prices come down. It's being used for critical business systems where an increasing amount of data is being replicated rather than just backed up (Crocetti, et al., 2021)

3.7 Mobile data protection

Among common data protection challenges, backup and recovery for mobile devices is tough. It can be difficult to extract data from these devices, and inconsistent connectivity makes scheduling backups difficult, if not impossible. And mobile data protection is further complicated by the need to keep personal data stored on mobile devices separate from business data (Crocetti, et al., 2021)

Selective file sync and share is one approach to data protection on mobile devices. While it isn't true backup, file sync-and-share products typically use replication to sync users' files to a repository in the public cloud or on an organization's network. That location must then be backed up. File sync and share does give users access to the data they need from a mobile device while synchronizing any changes they make to the data with the original copy. However, it doesn't protect the state of the mobile device, which is needed for quick recovery (Crocetti, et al., 2021)

3.8 Differences between data protection, security and privacy

Although some businesses use the terms data protection, data security and data privacy, they have different purposes:

  • Data protection safeguards information from loss through backup and recovery
  • Data security refers specifically to measures taken to protect the integrity of the data itself against manipulation and malware. It provides defense from internal and external threats
  • Data privacy refers to controlling access to the data. Organizations must determine who has access to data. Understandably, a privacy breach can lead to data security issues (Crocetti, et al., 2021)

3.9 Data protection and privacy laws

Data protection and privacy laws and regulations vary from country to country, and even from state to state, and there's a constant stream of new ones. China's data privacy law went into effect June 1,

  1. The European Union's General Data Protection Regulation (GDPR) went into effect in 2018. In the United States, the California Consumer Privacy Act supports the right for individuals to control their own personally identifiable information. Compliance with any one set of rules is complicated and challenging (Crocetti, et al., 2021)

The GDPR covers all EU citizens' data regardless of where the organization collecting the data is located. It also applies to all people whose data is stored within the European Union, whether they are EU citizens or not (Crocetti, et al., 2021)

GDPR compliance requirements include the following:

  • Barring businesses from storing or using an individual's personally identifiable information without that person's express consent
  • Requiring companies to notify all affected people and the supervising authority within 72 hours of a data breach
  • For businesses that process or monitor data on a large scale, having a data protection officer who's responsible for data governance and ensuring the company complies with GDPR

Organizations must comply with GDPR or risk fines as much as 20 million euros or 4% of the previous fiscal year's worldwide turnover, depending on which is larger (Crocetti, et al., 2021)

3.11 Ways to protect your data

  • Data encryption is the process of converting data from a readable to an unreadable form in order to prevent it from being exposed. Many current technologies are now available to assist consumers with encrypting email and other data (Groot, 2022)

  • Data backup is one of the most fundamental data security measures, but it is frequently forgotten. Essentially, this produces a replica of an individual's or organization's data so that essential data is not lost, stolen, or compromised if a device is lost, stolen, or hacked (Groot, 2022)
  • Malware protection: Malware is a major issue that many computer users find offensive, and it is notorious for sprouting up in obvious locations where users are unaware (Groot, 2022)
  • Anti-malware protection is necessary for establishing a secure foundation for your device. Malware is a severe problem that affects many computer users, and it's renowned for hiding in plain sight, unnoticed by users. Anti-malware protection is critical for establishing a secure foundation for your devices. Malware (short for malicious software) is computer software that is meant to enter or damage your computer without your permission. Viruses, worms, Trojan horses, spyware, scareware, and other types of malware are examples of malware. It can be found in downloaded files, photographs, movies, freeware, and shareware, as well as on websites and emails (Groot, 2022)
  • Update your operating system: The fact is that operating system upgrades are a huge burden for users. However, these updates are an unavoidable evil since they contain crucial security fixes that will safeguard your machine from newly found dangers. If you don't apply these updates, you're putting your machine in danger (Groot, 2022)
  • Protect your wifi network at home or at work: It's usually a good idea to safeguard your wireless network with a password, whether you're a small company owner or an individual or family. This keeps unauthorized people from hijacking your wireless network if they are close by. You don't want to mistakenly disclose confidential information to other individuals who are accessing your network without permission, even if they're only trying to obtain free Wi-Fi. If your office has a Wi-Fi network, make sure it is safe, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so that it does not broadcast the network name, also known as the Service Set Identifier (SSID) (Groot, 2022)

Regulations on data protection (Data Protection Act - DPA): Under all conditions, the primary principles of data protection are to safeguard and provide data. The phrase "data protection" refers to both the operational backup and disaster recovery of an organization's data. Data availability and data management are two aspects in which data protection techniques are emerging. Data availability guarantees that users have access to the data they need to complete their tasks, even if it is damaged or destroyed. Data lifecycle management and information lifecycle management are the two primary types of data management utilized in data security. The process of automating the movement of vital data to online and offline storage is known as data lifecycle management. Information lifecycle management is a technique for pricing, categorizing, and safeguarding information assets against application and user failures, malware and virus assaults, machine failures, or downtime, as well as facility disruption. Finding ways to extract economic value from inactive copies of data for reporting, triggering testing / development, analysis, and other purposes has become a focus of data management in recent years (Groot,

3.12 Relationships with the organization and the data protection process

The Data Protection Act shall apply throughout the collection of information from customers, and we are dedicated to keeping customer information secure and secret. Furthermore, the customer information protection legislation only recognizes the persons within the company who are accountable for customer information, and the law always guarantees that such information is utilized for the correct purpose and in accordance with the law. For any sale of customer information or wilful exposure of