Higher Nationals in Computing
Unit 05: SECURITY
ASSIGNMENT
Assessor name: PHAN MINH TAM
Learner’s name: DANG AN THANH
ID: GCS
Class: GCS0805_PPT
Subject code: 1623
Assignment due: 16/12/2020
Assignment submitted: 16/12/2020
ASSIGNMENT 2 BRIEF
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number: Unit 5: Security
Assignment title: Security Presentation
Academic Year: 2018 – 2019
Unit Tutor / Issue date / Submission date / IV name and date: Khoa Canh Nguyen, Michael Omar, Nhung; 9th/01/

Submission Format

Part 1: The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs, subsections and illustrations as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system. The recommended word limit is 2,000–2,500 words, although you will not be penalised for exceeding the total word limit.

Part 2: The submission is in the form of a policy document (please see details in Part 1 above).

Part 3: The submission is in the form of an individual written reflection. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system. The recommended word limit is 250– words, although you will not be penalised for exceeding the total word limit.

Unit Learning Outcomes: LO3 Review mechanisms to control organisational IT security.
LO3 Review mechanisms to control organisational IT security
- P5 Discuss risk assessment procedures.
- P6 Explain data protection processes and regulations as applicable to an organisation.
- M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
- M4 Discuss possible impacts to organisational security resulting from an IT security audit.
- D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4 Manage organisational security
- P7 Design and implement a security policy for an organisation.
- P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
- M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
- D3 Evaluate the suitability of the tools used in an organisational policy.
Table of Contents

- Unit 05: SECURITY
- P5 Discuss risk assessment procedures
  - Define risk
  - Define risk assessment
  - Risk assessment procedure
    - 3.1. Risk assessment steps
    - 3.2. The goal of risk assessment
  - Risk identification steps
- M3 Summarise the ISO 31000 risk management methodology and its application in IT security
- P6 Explain data protection processes and regulations as applicable to an organisation
  - What is data protection?
  - Why is data protection important?
  - Securing the host
    - 3.1. Protecting the physical device
    - 3.2. Securing the operating system software
    - 3.3. Securing static environments
    - 3.4. Application security
      - 3.4.1. Why is application development security important?
  - Network security
    - 4.1. How does network security work?
    - 4.2. How do I benefit from network security?
    - 4.3. Top 5 fundamentals of network security
    - 4.4. Types of network security
  - Securing the network using network devices, technologies and design elements
    - 5.1. Security through network devices
      - 5.1.1. Standard network devices
      - 5.1.2. Network security hardware
    - 5.2. Security through network technologies
    - 5.3. Security through network design elements
- M4 Discuss possible impacts to organisational security resulting from an IT security audit
- D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment
- P7 Design and implement a security policy for an organisation
  - What is a security policy?
  - Security policy cycle
  - Design a security policy
    - 3.1. Designing a policy
    - 3.2. Elements of a security policy
    - 3.3. Types of security policies
    - 3.4. Example of a security policy
    - 3.5. Steps to design a policy
  - What is business continuity?
  - Potential threats to the organisation
    - 2.1. What are physical threats?
    - 2.2. What are non-physical threats?
  - List the components of a recovery plan
  - Steps required in the disaster recovery process
- M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations
- D3 Evaluate the suitability of the tools used in an organisational policy
- REFERENCES

List of Figures

- Figure 1 ISO 31000
- Figure 2 Data security
- Figure 3 External perimeter defenses
- Figure 4 Security through design
- Figure 5 Switch
- Figure 6 Proxies
- Figure 7 NAC
- Figure 8 Demilitarized zones
- Figure 9 Subnetting
- Figure 10 Cyber security triad
- Figure 11 Security policy cycle
- Figure 12 Elements of a security policy
- Figure 13 Stakeholder audit
- Figure 14 SolarWinds Network Configuration Manager
- Figure 15 IronWASP
- Figure 16 AVG Antivirus
- Figure 17 Wireshark
ASSIGNMENT 2 ANSWERS

P5 Discuss risk assessment procedures.
1. Define risk

In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects of an activity on something that people value (health, well-being, wealth, property, the environment, or an organisation's information), and usually focuses on the negative, undesirable consequences. Many definitions have been proposed; the international standard definition, intended for common use across applications, is "effect of uncertainty on objectives". How risk is understood, assessed, managed and described, and even how it is defined, differs between practice areas (business, economics, environment, finance, information technology, health, insurance, safety, security and so on). The international standard for risk management, ISO 31000, provides a common approach to managing any type of risk. In IT security the objectives at stake are the confidentiality, integrity and availability of information assets, and a risk is normally expressed as a threat exploiting a vulnerability of an asset, with a likelihood and an impact.

2. Define risk assessment

In the occupational health and safety sense, risk assessment is the process of evaluating risks to workers' safety and health from workplace hazards. It is a systematic examination of all aspects of work that considers:

- what could cause injury or harm;
- whether the hazards could be eliminated and, if not,
- what preventive or protective measures are, or should be, in place to control the risks.

An information security risk assessment follows the same pattern with different inputs: what could harm the organisation's information assets (threats and vulnerabilities), whether that exposure can be removed, and which security controls are or should be in place.

3. Risk assessment procedure

3.1. Risk assessment steps

The Health and Safety Executive (HSE) advises employers to follow five steps when carrying out a workplace risk assessment:

Step 1: Identify hazards, i.e. anything that may cause harm.

- Employers have a duty to assess the health and safety risks faced by their workers. The employer must systematically check for possible physical, mental, chemical and biological hazards.
- This is one common classification of hazards:
Step 4: Make a record of the findings.

Employers with five or more staff are required to record in writing the main findings of the risk assessment. This record should include details of any hazards noted in the risk assessment and the action taken to reduce or eliminate risk. It provides proof that the assessment was carried out and is used as the basis for a later review of working practices. The risk assessment is a working document: it should be readable and available to those who need it, not locked away in a cupboard.

Step 5: Review the risk assessment.

A risk assessment must be kept under review in order to:

- ensure that agreed safe working practices continue to be applied (e.g. that management's safety instructions are respected by supervisors and line managers); and
- take account of any new working practices, new machinery or more demanding work targets.

3.2. The goal of risk assessment

As with the steps themselves, the specific goals of a risk assessment vary with the industry, the type of business and the applicable compliance rules. An information security risk assessment, for example, should identify gaps in the organisation's IT security architecture and review compliance with the laws, mandates and regulations that apply to information security. Common goals and objectives for conducting risk assessments across industries and business types include:

- developing a risk profile that provides a quantitative analysis of the types of threats the organisation faces;
- developing an accurate inventory of IT assets and data assets;
- justifying the cost of security countermeasures to mitigate risks and vulnerabilities;
- identifying, prioritising and documenting risks, threats and known vulnerabilities to the organisation's production infrastructure and assets;
- determining the budget needed to remediate or mitigate the identified risks, threats and vulnerabilities;
- understanding the return on investment if funds are invested in infrastructure or other business assets to offset potential risk.

The ultimate goal of the risk assessment process is to evaluate hazards and determine the inherent risk they create. The assessment should not only identify hazards and their potential effects, but also identify potential control measures to offset any negative impact on the organisation's business processes or assets.
4. Risk identification steps

There are five core steps within the risk identification and management process: risk identification, risk analysis, risk evaluation, risk treatment and risk monitoring.

Risk identification: The purpose of risk identification is to reveal what, where, when, why and how something could affect a company's ability to operate. For example, a business located in central California might include "the possibility of wildfire" as an event that could disrupt business operations.

Risk analysis: This step establishes the probability that a risk event might occur and the potential outcome of each event. Using the California wildfire example, safety managers might assess how much rainfall has occurred in the past 12 months and the extent of damage the company could face should a fire occur.

Risk evaluation: Risk evaluation compares the magnitude of each risk and ranks the risks by likelihood and consequence. For example, the effects of a possible wildfire may be weighed against the effects of a possible mudslide; whichever event is judged more likely to happen and to cause damage ranks higher.

Risk treatment: Risk treatment is also referred to as risk response planning. In this step, risk mitigation strategies, preventive measures and contingency plans are created based on the assessed value of each risk. Using the wildfire example, risk managers may choose to house additional network servers off site, so that business operations can resume if an on-site server is damaged. The risk manager may also develop evacuation plans for employees.
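As an added worked example (not part of the original assignment), the risk analysis, evaluation and treatment steps above can be run as a small risk register in Python. It scores each risk as likelihood x impact, applies the existing controls to obtain a residual score, compares that score with the organisation's risk criteria (the criteria that ISO 31000 asks the board to define) and ranks the risks for treatment. The five-level scales, the control model, the thresholds and the four sample risks are constructed assumptions, not figures from the page.

```python
"""Risk register evaluation: likelihood x impact against the organisation's risk criteria.

Added worked example; not part of the original assignment. Scales, thresholds,
control effects and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Five-level qualitative scales, as used in a typical risk matrix (assumed).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Hypothetical risk criteria set by the board: (minimum score, decision).
# Score = likelihood x impact, so it ranges from 1 to 25. First match wins.
CRITERIA: List[Tuple[int, str]] = [
    (15, "treat: mitigate or avoid before continuing; budget required"),
    (8, "treat: mitigate; owner and deadline assigned"),
    (1, "accept: record and monitor"),
]


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: str  # key of LEVELS
    impact: str      # key of LEVELS
    # Existing controls: (description, "likelihood" or "impact", levels removed).
    # Assumed model: a control lowers one dimension by a number of levels.
    controls: List[Tuple[str, str, int]] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_levels(self) -> Tuple[int, int]:
        """Likelihood and impact after the controls, floored at level 1."""
        lik, imp = LEVELS[self.likelihood], LEVELS[self.impact]
        for _, dimension, levels in self.controls:
            if dimension == "likelihood":
                lik -= levels
            elif dimension == "impact":
                imp -= levels
            else:
                raise ValueError(f"unknown control dimension: {dimension}")
        return max(1, lik), max(1, imp)

    def residual_score(self) -> int:
        lik, imp = self.residual_levels()
        return lik * imp


def decide(score: int) -> str:
    """Risk evaluation: compare a score with the criteria and pick the treatment."""
    for threshold, decision in CRITERIA:
        if score >= threshold:
            return decision
    raise ValueError(f"score {score} is below every threshold")


def evaluate(risks: List[Risk]) -> List[Tuple[Risk, int, int, str]]:
    """Rank risks by residual score, highest first, with the decision attached."""
    rows = [(r, r.inherent_score(), r.residual_score(), decide(r.residual_score()))
            for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def report(risks: List[Risk]) -> str:
    """Plain-text risk register, the kind of record Step 4 above asks for."""
    lines = [f"{'risk':<38}{'asset':<14}{'inh':>4}{'res':>4}  decision"]
    for risk, inherent, residual, decision in evaluate(risks):
        lines.append(f"{risk.name:<38}{risk.asset:<14}{inherent:>4}{residual:>4}  {decision}")
    return "\n".join(lines)


# Constructed sample register (values are illustrative, not measured).
SAMPLE_RISKS = [
    Risk("Wildfire destroys on-site servers", "server room", "low", "very high",
         controls=[("off-site replica with tested failover", "impact", 2)]),
    Risk("Ransomware delivered by phishing", "file shares", "high", "high",
         controls=[("MFA on email", "likelihood", 1),
                   ("offline backups, restore tested", "impact", 1)]),
    Risk("Unpatched public web server exploited", "web server", "very high", "high"),
    Risk("Laptop lost with customer data", "laptops", "medium", "medium",
         controls=[("full-disk encryption", "impact", 2)]),
]

if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
```

Ranking by residual rather than inherent score is deliberate: the off-site replica in the wildfire case lowers impact, not likelihood, which is exactly the treatment the wildfire example describes, and the register should show that the treatment has moved the risk below the "treat" threshold rather than hiding it.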
M3 Summarise the ISO 31000 risk management methodology and its application in IT security

In brief summary:

The risk management principles and process described in ISO 31000 provide a robust framework that allows organisations to design and implement strategic, repeatable and proactive risk programmes. Whatever the level of maturity, management involvement in setting direction and regularly reviewing the results must be part of every programme; this not only improves risk management but also ensures that risks are handled in line with the organisation's goals and long-term strategy. The design of the specific programme elements depends heavily on the goals, resources and circumstances of the individual organisation. ISO 31000 is guidance rather than a certifiable standard; for information security specifically, ISO/IEC 27005 applies the same process to information security risks.

Figure 1 ISO 31000

The process of applying ISO 31000 in IT security includes the following steps:

Step 1: Establish a risk management framework

- Set up the context
  - The enterprise considers the external and internal conditions that affect, or put at risk, its operations.
- Set up a risk management policy
  - The board of directors develops a risk management policy and publishes it to all members and stakeholders.
- Responsibility
  - The enterprise determines the powers and responsibilities of members of the business in applying the risk management system, including:
    + identifying, evaluating, planning, handling, monitoring and reporting risks;
    + developing, implementing and maintaining the risk management framework.
- Integration into organisational processes
  - The enterprise integrates risk management into all of its processes and treats it as an integral part of them.
- Resource allocation
  - The enterprise uses resources rationally in risk management; leadership provides the resources needed to implement risk management programmes.
- Establishing internal reporting and information exchange mechanisms
  - The enterprise sets up reporting mechanisms and exchanges internal and external information to support and encourage members in carrying out their risk management responsibilities.
- Determine risk criteria
  - The enterprise defines the criteria that serve as the basis for assessing and comparing current risks.
  - Evaluation results compared with the risk criteria serve as the basis for deciding which risks receive resources first.

Step 2: Implement the risk management framework

- Implement the risk management framework
- Monitor and review the risk management framework
- Continuously improve the risk management framework
  - The enterprise implements the risk management framework set up above.
  - Heads of departments monitor and propose process improvements to minimise risks.
  - The risk management board monitors and provides the tools needed to implement the risk management system.

Step 3: Identify risks
Step 7: Monitor and review

- Proactively monitor and review processes according to the risk management plan.
- Track the implementation of the chosen risk treatment options; this provides a measure of how well the risk management system is working.

Step 8: Report the risks

- The head of the risk management department summarises and reports to the General Director and the Board of Directors, together with suggestions for improvement to minimise risks.
- Risk reports give the Board of Directors a basis for future business and production decisions and for improving the risk management methods.

Step 9: Review and adjust

- The Board of Directors reviews the results of risk management and evaluation as the basis for any adjustment.
- Provide additional resources as needed to handle outstanding risks.
- Direct the handling of risks according to technology updates and the financial capacity of the enterprise.
- Repeat the above model in the following years.

P6 Explain data protection processes and regulations as applicable to an organisation.
1. What is data protection?

Data protection is the process of safeguarding important information from corruption, compromise or loss. Its importance grows as the amount of data created and stored continues to increase at unprecedented rates, and there is little tolerance for downtime that makes important information inaccessible. Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are the other key components of data protection.
Figure 2 Data security
2. Why is data protection important?

All companies hold data: personnel files, customer data, product information, financial transactions and so on. Management decisions are based on this data, as are the work processes employees follow to deliver quality products and services. Data is one of the most important assets a company has, and for that reason alone data protection should be a top priority. It covers the availability of the data to the employees who need it, the integrity of the data (keeping it correct and up to date) and the confidentiality of the data (the assurance that it is available only to authorised people).

For customers, knowing that their data is held safely is the minimum they expect from companies they deal with or invest money in. Adequate data governance builds trust and safeguards the reputation of the business, establishing it as a brand people can trust with their data.

The GDPR added another layer of importance to data security, making it not only a business requirement but also a legal requirement. Article 24 of the GDPR requires a controller to "implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation". An important part of those