HND in Computing and Systems Development

Higher Nationals
Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS
Programme title: HND in Computing
Assessor: Miss. Priscilla Steno
Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: EMC Cloud Solutions
Student’s name: UTHAYAKUMARAN RANGITH | JAF/A-008181
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction

INTERNAL VERIFIER CHECKLIST
Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student (give details):
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Does the assessment decision need amending? Y/N
Assessor signature / Date
Internal Verifier signature / Date
Programme Leader signature (if required) / Date
Confirm action completed
Remedial action taken (give details):
Assessor signature / Date
Internal Verifier signature / Date
Programme Leader signature (if required) / Date

Higher Nationals - Summative Assignment Feedback Form
Student Name/ID: UTHAYAKUMARAN RANGITH | JAF/A-008181
Unit Title: Unit 05: Security
Assignment Number 1 04 – 07 – 2021 Submission Date Assessor Date 06 – 06 – 2021 Received 1st submission Date Received 2nd 12 – 06 – 2021 Re-submission Date submission
Grade: Assessor Signature: Date:
Resubmission Feedback:
Grade: Assessor Signature: Date:
Internal Verifier’s Comments:
Signature & Date:
* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grades decisions have been agreed at the assessment board.

Grading Rubric
Grading Criteria | Achieved | Feedback

LO1 Assess risks to IT security
P1 Identify types of security risks to organizations.
P2 Describe organizational security procedures.
M1 Propose a method to assess and treat IT security risks.

LO2 Describe IT security solutions
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and third party VPNs.
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.
M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
D1 Investigate how a ‘trusted network’ may be part of an IT security solution.

LO3 Review mechanisms to control organizational IT security
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organization.
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.
D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.

LO4 Manage organizational security
P7 Design and implement a security policy for an organization.
P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organization to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organizational policy.

Pearson Higher Nationals in Computing
Unit 05: Security
Assignment 01

General Guidelines
1. A cover page or title page should be attached to your assignment.
Use page 1 of this assignment brief as your cover page and make sure all details are accurately filled.
2. The entire assignment brief should be attached as the first section of your assignment.
3. The assignment should be prepared using word processing software.
4. The assignment should be printed single sided on A4 sized paper.
5. Allow 1” margin on top, bottom and right sides of the paper and 1.25” on the left side (for binding).

Word Processing Rules
1. The font size should be 12 point, and should be in the style of Times New Roman.
2. Set line spacing to 1.5. Justify all paragraphs.
3. Ensure that all headings are consistent in terms of size and font style.
4. Use the footer function of the word processor to insert your name, unit, assignment no, and page number on each page. This is useful if individual sheets get detached from the submission.
5. Use the spell check and grammar check function of the word processing application to review the use of language in your assignment.

Important Points:
1. Carefully check the hand in date and the instructions given with the assignment. Late submissions will not be accepted.
2. Ensure that sufficient time is spent to complete the assignment by the due date.
3. Do not wait till the last minute to print or bind the assignment. Such excuses will not be accepted for late submissions.
4. You must be responsible for efficient management of your time.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete an alternative assignment.
8. If you use other people’s work or ideas in your assignment, it must be properly referenced, using the HARVARD referencing system, in your text or any bibliography.
Otherwise, you’ll be found guilty of committing plagiarism.
9. If you are caught plagiarising, your grade will be reduced to a REFERRAL or at worst, you could be excluded from the course.

Student Declaration
I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own without attributing the sources in the correct form. I further understand what it means to copy another’s work.
1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments for this program.
4. I declare therefore that all work presented by me for every aspect of my program, will be my own, and where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding agreement between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the assignment.
U.rangith@gmail.com (Provide E-mail ID)
Date: 12.05.2021 (Provide Submission Date)

Assignment Brief
Student Name /ID Number: UTHAYAKUMARAN RANGITH | JAF/A-008181
Unit Number and Title: Unit 5- Security
Academic Year: 2020/2021
Unit Tutor: Miss Priscilla Steno
Assignment Title: EMC Cloud Solutions
Issue Date: 12.05.2021
Submission Date: 12.05.2021
IV Name & Date:

Submission Format:
The submission should be in the form of an individual written report written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using Harvard referencing system.
Please provide in-text citations and an end list of references using the Harvard referencing system. Section 4.2 of the assignment requires a 15-minute presentation to illustrate the answers.

U. Rangith 1|Page Security |Assignment1

Assignment Brief and Guidance:

Scenario
EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in Sri Lanka. A number of high-profile businesses in Sri Lanka including ESoft Metro Campus network, SME Bank Sri Lanka and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its customers with SaaS, PaaS & IaaS solutions with high-capacity compute and storage options. Also, EMC is a preferred contractor for the Ministry of Defense, Sri Lanka, for hosting government and defense systems.
EMC’s central data center facility is located at Colombo, Sri Lanka, along with its corporate head-office in Bambalapitiya. Their premises at Bambalapitiya are a six-story building with the 1st floor dedicated to sales and customer services equipped with public Wi-Fi facilities. The second floor hosts the HR, Finance and Training & Development departments, and the third floor hosts a boardroom and offices for senior executives along with the IT and Data center department. Floors 4, 5 and 6 host computer servers which make up the data center.
With the rapid growth of information technology in the Kandy area in recent years, EMC seeks an opportunity to extend its services to Kandy, Sri Lanka. As yet, the organization is considering the nature of such an extension: what to implement, where a suitable location would be, and other essential options such as security are still being discussed.
You are hired by the management of EMC Solutions as a Security Analyst to evaluate the security-related specifics of its present system and provide recommendations on security and reliability related improvements.
Furthermore, you have to plan the establishment of the extension on a solid security foundation.

Activity 01
Assuming the role of External Security Analyst, you need to compile a report focusing on the following elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to in its present setup and the impact that they would make on the business itself. Evaluate at least three physical and virtual security risks identified and suggest the security measures that can be implemented in order to improve the organization’s security.
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed in section (1.1) by assessing and rectifying the risks.

Activity 02
2.1 Identify how EMC Cloud and its clients will be impacted by improper/ incorrect configurations that are applicable to firewalls and VPN solutions. IT security can include a network monitoring system. Discuss how EMC Cloud can benefit by implementing a network monitoring system.
2.2 Explain how the following technologies would benefit EMC Cloud and its Clients by facilitating a ‘trusted network’. (Support your answer with suitable examples).
i) DMZ
ii) Static IP
iii) NAT

Activity 03
3.1 Discuss suitable risk assessment procedures for EMC Cloud Solutions and the impact an IT security audit will have on safeguarding the organization and its clients. Your discussion furthermore should include how IT security can be aligned with an organizational IT policy and how misalignment of such a policy can impact the organization’s security.
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solutions provided by EMC Cloud. You should also summarize ISO 31000 risk management methodology.

Activity 04
4.1 Design a security policy for EMC Cloud to minimize exploitations and misuses while evaluating the suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cloud for all venues to ensure maximum uptime for its customers. Discuss how critical the roles of the stakeholders in the organization are to successfully implementing the security policy and the disaster recovery plan you recommended as a part of the security audit.
(Students should produce a 15 minutes PowerPoint presentation which illustrates the answer for this section including justifications and reason for decisions and options used).

Unit Learning Outcomes:
LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Acknowledgment
I truly express my thanks to my lecturers and ESOFT campus, Jaffna, which also helped me to learn a lot of new things and increase my knowledge. First, I would like to express my special thanks and gratitude to our lecturer Miss Priscilla Steno, whose guidance and encouragement were very useful in finishing this assignment successfully. Thanks also to the Coordinator of ESOFT campus, Jaffna. I thank the respected Miss Priscilla Steno very much for her guidance and support of knowledge in the related subject; it was very essential for me to achieve so far, and heartfelt thanks belong to the respected B. Gajanan, Manager of the institution, for giving me a chance to follow the course and for his support of my career.
Thank you.
U. Rangith

Table of Contents
LO1 Assess risks to IT security.
Introduction
Relationship between Vulnerabilities Threats Assets and Risk
Assuming the role of External Security
Physical damages
Equipment malfunction
Misuse of data
Loss of data
1.2. Develop
Property damage claim procedure
Regular inspection procedure
Monitor user action procedure
Create backup procedures
1.3 What is risk management process?
1.3.1 What is Risk Treatment?
1.3.2 Risk treatment related to scenario.
LO2 Describe IT security solutions.
2.1. Identify
2.1.1 What is Firewalls
2.1.2 What is a firewall Policy?
2.1.3 What is Virtual private network (VPN)?
2.1.4 What is VPN policy?
2.1.5 How improper firewalls and VPNs impact to the EMC company?
2.2 Explain
2.2.1 Static IP
What are static IPs?
What is DHCP IPs?
Advantages of DHCP IPs
Disadvantages of DHCP IPs
2.2.1 DMZ
2.2.3 Real function of the DMZ
2.2.4 Architecture of DMZs network
2.2.2 NAT
2.2.5 What is NAT (Network Address Translation)
2.2.6 How Static IPs, DMZ, NAT helps to the EMC company?
2.2.7 Trusted Network system?
2.3 What is Network Monitoring System.
LO3 Review mechanisms to control organizational IT security.
3.1 Risk Assessment Procedures.
3.1.1 What is Risk Management
Identify the risk
Analyzing the Risk
Mitigating Risks
Monitor the risk
Reporting
What is a risk?
What is Risk Assessment?
3.2 Data protection process that applicable to an organization.
• The type of the customers they have
• Number of costumers they have
• Banking information
• Information about the assets
Fixing of CCTV cameras
Employee monitoring
Risk Assessment of EMC Cloud Solutions
3.1 Explain
3.3.1 What is Law?
3.3.2 Data Prevention Act 1998 (DPA1998)
The 8 guiding principles of the Act are as follows;
3.3.3. Principle 1 - Fair and Lawful
3.3.4. Principle 2 - Purposes
3.3.3. Principle 3 - Adequacy
3.3.4. Principle 4 - Accuracy
3.3.5. Principle 5 - Retention
3.3.6. Principle 6 - Rights
3.3.7. Principle 7 - Security
3.3.8. Principle 8 - International transfers
Comparing these guiding principles with the DPA 2018’s
3.4.1 Summarization of ISO 31000: 2018 related to EMC company
3.4.2 ISO 31000: 2018 Risk Management
3.5 What is Audit?
3.5.1 What is IT security Audit?
3.5.2 What an IT security Audit does for the company.
3.5.3 IT security Audits can identify the Vulnerable points and problem areas in the company
3.6 How IT security aligned with organization policy?
3.6.1 Aligning Security with company objectives
3.6.2 How IT security Misaligned with organization policy?
LO4 Manage organizational security.
4.1 suitability of the tools used in the polices
4.1.1 Creating disaster recovery plan.
Disaster Management Plan
Disaster Recovery Plan
Disaster Recovery Plan – Continue
Creating a Disaster Recovery Plan – Steps
Creating a Disaster Recovery Plan Steps– Continue
Resources involved - DRP
Effective DRP with Additional Resources
4.2 Develop
4.3.1 Who is a stake holder?
4.3.2 Role of a security stake holder related to the company.
What is Security Policy
Design a Security Policy
Conclusion
References

LO1 Assess risks to IT security.

Introduction
EMC is a well-reputed cloud solution provider in Sri Lanka. EMC provides its services to SME Bank Sri Lanka and the WEEFM company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers, and it has roughly five hundred customers. The head office of EMC is situated in Bambalapitiya. The building has six stories. The first floor is dedicated to customer services, the second floor is for HR and finance, and the training department is on the third floor. The fourth, fifth and sixth floors hold the computer servers. Unfortunately, this company has no proper security system, either physical or computerized. A security system is a highly important feature for a company, because without one the company faces various kinds of risks. According to the current situation of EMC Cloud Solutions, there is no security system at all.

Relationship between Vulnerabilities Threats Assets and Risk
Vulnerabilities are the weaknesses that help a risk to start. Every company may face vulnerabilities, which is why many users and network personnel try to protect their computer systems from them by keeping software security patches up to date.
Threats can come from inside the company or from outside it. Normally, most threats come from outside the company. Threats are the potential for a vulnerability to turn into an attack on computer systems, networks and more. They can put individuals’ computer systems and business computers at risk. Some of the common threats are hacking, malware, spam, phishing, botnets, etc.
Assets are the physical resources that a company has. Normally a company measures its profit from the remaining assets. Assets are resources with an economic value that an individual, corporation or country owns with the expectation that they will provide a future benefit.
Risks are the bad situations that are going to happen to the business in the near future. Basically, risks are defined as the external and internal vulnerabilities that affect the business negatively.

Assuming the role of External Security
Assuming the role of External Security Analyst, you need to compile a report focusing on the following elements to the board of EMC Cloud Solutions;
In a business, risks are the bad situations that are going to happen to that business in the near future. Basically, risk is defined as the external and internal vulnerabilities that affect the business negatively. For example, the possibility of damage to the business, an increase in liabilities and loss are certain kinds of risk to a business. In the case of EMC, various kinds of risks can occur because there is no proper security system.

1.1. Identify types of security risks EMC Cloud is subject to in its present setup and the impact that they would make on the business itself. Evaluate at least three physical and virtual security risks identified and suggest the security measures that can be implemented in order to improve the organization’s security.

Physical damages
Physical damages are the damages that can happen to physical property. EMC lacks a physical security system, so the possibility of security damage occurring is high. When a company suffers physical damage, it causes a huge loss, because the property the company uses is damaged and the company can no longer perform as well as it did in the past.

Equipment malfunction
Equipment malfunction occurs when computers or other electronics have no virus guard: they become infected by viruses and gradually malfunction. So, without any security, equipment malfunction is also a certain type of risk to EMC.

Misuse of data
Misuse of data is a result of the lack of a security system. Misuse of data harms the company badly. Through it, the company’s assets will decrease. Sometimes a company goes bankrupt for this reason. So, misuse of data affects the company heavily.

Loss of data
Loss of data is one of the risks that can affect the company. When there is no security, some people may commit fraud against the business. Data loss is any process or event that results in data being corrupted, deleted or made unreadable by the user.

1.2. Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed in section (1.1) by assessing and rectifying the risks.

Property damage claim procedure
For the first risk in the list, we can use a good security system to reduce the damage that can happen to physical property, but the best method is to maintain a property damage claim procedure. This means that when something unfortunate happens to our property, we can use the property damage claim procedure to claim for the loss we have suffered.

Regular inspection procedure
The second risk in the list that EMC faces is equipment malfunction. To reduce it, we can implement a new procedure called the regular inspection procedure. When we start to implement this procedure, we create an inspection schedule and inspect our equipment on a regular basis according to that schedule; in this way we can reduce equipment malfunction.

Monitor user action procedure
The third risk that EMC faces is data misuse. To avoid it, we create a new procedure called the monitor user action procedure, which is one of the best ways to avoid data misuse. It is very important to monitor the actions of users working with sensitive information. Misuse of such data can expose the organization to very high damage-control costs, huge losses and even potential lawsuits. Users with high privileges also pose an additional threat. So, reducing data misuse is very important to EMC.

Create backup procedures
To reduce the risk of data loss, we can create a backup of all the data we input into the computers. In that way we can reduce the risk of data loss. When a company reduces its risk of data loss, it can enlarge its business area because it can draw ideas from the past situations it has faced.

1.3 What is risk management process?
To keep a company running over a long period, we have to maintain it in a good manner. So, we have to protect our company from security breaches, data losses, cyber-attacks, system failures and natural disasters. To manage those risks there is a risk management process. The risk management process means monitoring and managing potential risks in order to minimize the negative impact they may have on an organization.
Among security breaches, data losses, cyber-attacks, system failures and natural disasters, an effective risk management process helps identify which risks pose the biggest threat to an organization and provides guidelines for handling them. An effective risk management process has three steps:

Risk Assessment and Analysis – The first step of the risk management process is the risk assessment and analysis stage. A risk assessment assesses an organization's exposure to uncertain events that could impact its day-to-day activities and estimates the damage those events could do to the organization's income and reputation.

Risk Evaluation – After the risk assessment or analysis has been completed, a risk evaluation should take place. A risk evaluation compares the estimated risks against the risk criteria that the organization has already established. Risk criteria can include associated costs and benefits, socio-economic factors, legal requirements and system malfunctions.

Risk Treatment and Response – The last step in the risk management process is risk treatment and response. Risk treatment is the implementation of policies and procedures that will help avoid or minimize risks. Risk treatment also extends to risk transfer and risk financing.

1.3.1 What is Risk Treatment?

When risks to the company occur, we have to minimize or avoid them, and to do so we have to use certain strategies. Avoiding or reducing risks by using such strategies is known as risk treatment. Specific treatment strategies can be created to treat specific risks that have been identified. Treatment strategies may differ depending on the risk context.

Purpose of the risk treatment – The purpose of risk treatment is to reduce, remove or transfer risk from the company.
It is often better for a company to plan ahead and prevent a risk from occurring than to take the chance and face that risk. Planning ahead can save a company a lot of time and money, because some risks may prove very damaging to a business. There are two main types of risk treatment:

Avoidance strategies – These tactics seek to completely stop a potential risk from happening or from having any impact on a company. The main subdivisions of the avoidance strategies group are transfer and change.

Minimize strategies – These tactics seek to reduce the influence of a risk on a product or organization, so that as little damage as possible is done. Reduction tactics are frequently used when avoidance strategies are not possible or have already been unsuccessful.

1.3.2 Risk treatment related to scenario.

When risks to the company occur, we have to minimize or avoid them, and to do so we have to use certain strategies. Avoiding or reducing risks by using such strategies is known as risk treatment. Many risks can affect the EMC company: physical damage, equipment malfunction, data misuse and data loss. Many treatments or procedures can be implemented to overcome these risks: the property damage claim procedure, the regular inspection procedure, the monitor user action procedure and backup procedures. By using these strategies the EMC company can treat the risks and overcome them.

LO2 Describe IT security solutions.

2.1. Identify how EMC Cloud and its clients will be impacted by improper/ incorrect configurations that are applicable to firewalls and VPN solutions. IT security can include a network monitoring system.
Discuss how EMC cloud can benefit by implementing a network monitoring system.

2.1.1 What is Firewalls

Many reputed IT companies install a firewall system on their servers, because it acts as a security system that protects important information. Broadly, a firewall is a software program that prevents unauthorized access to or from a private network. Access from an unauthorized network or from another private network is a risk to the company, because all the internal information can be taken through it, so most companies use a firewall system to prevent this. Firewalls are tools that can be used to enhance the security of computers connected to a network. Installing a firewall system makes the computer unique; in other words, the firewall completely isolates our computer from the internet using a wall of code. Firewalls have various abilities; the main one is that they can enhance security by enabling granular control over what type of system functions. Some people think that a firewall is a system used to control the traffic that passes through the network, but it is actually software used to prevent unauthorized access to network systems. Normally, these are the things a firewall system does:

• Defend resources
• Validate access
• Manage and control network traffic
• Record and report on events

2.1.2 What is a firewall Policy?

A firewall policy is a set of rules on how to use this software, which makes the software easy to handle. It is an application designed to control the flow of Internet Protocol (IP) traffic. The firewall policy covers the types of firewalls and firewall architectures.
There are various types of firewalls:

• Packet filters
• Proxy servers
• Application gateways

Packet Filters: A packet filter is a firewall that checks each packet against user-defined filtering rules to decide whether to pass or block it. For example, a filtering rule might require all Telnet requests to be dropped. Using this rule, the firewall will block all packets that have port number 23 (the default port number for Telnet) in their header. Filtering rules can be built on source IP address, destination IP address, Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makes decisions based on the network layer and the transport layer.

Proxy Servers: A proxy service is an application that redirects users' requests to the real services based on an organization's security policy. All messages between a user and the actual server pass through the proxy server. Thus, a proxy server acts as a communications broker between clients and the real application servers. Because it acts as a checkpoint where requests are validated against specific applications, a proxy server is usually processing-intensive and can become a bottleneck under heavy traffic conditions.

Application Gateways: An application gateway is a proxy server that offers access control at the application layer. It acts as an application-layer gateway between the protected network and the untrusted network. Because it works at the application layer, it is able to examine traffic in detail and, therefore, is considered the most secure type of firewall. It can stop certain applications, such as FTP, from entering the protected network. It can also log all network actions according to applications for both accounting and security audit purposes.

2.1.3 What is Virtual private network (VPN)?
When we browse or search for something over a network, our web traffic is exposed to snooping, interference and censorship. To avoid this we can use a VPN (virtual private network). A VPN is a secure tunnel between two or more devices that protects web traffic from snooping, interference and censorship. A VPN uses data encryption and other security mechanisms to prevent unauthorized users from accessing data, and to ensure that data cannot be modified without detection as it flows through the Internet. It then uses the tunneling process to transport the encrypted data across the Internet. Tunneling is a mechanism for encapsulating one protocol in another protocol. In the context of the Internet, tunneling allows such protocols as IPX, AppleTalk, and IP to be encrypted and then encapsulated in IP. Similarly, in the context of VPNs, tunneling disguises the original network layer protocol by encrypting the packet and enclosing the encrypted packet in an IP envelope. This IP envelope, which is an IP packet, can then be transported securely across the Internet. At the receiving side, the envelope is removed and the data it contains is decrypted and delivered to the appropriate access device, such as a router.

2.1.4 What is VPN policy?

A VPN policy is a set of rules on how to use this secure tunnel, so that interference and censorship are easy to handle. The VPN policy covers the types of VPNs and VPN architectures. There are various types of VPN:

Access VPNs provide remote users such as road warriors (or mobile users), telecommuters, and branch offices with reliable access to corporate networks.

Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure manner.

2.1.5 How improper firewalls and VPNs impact to the EMC company?

EMC is a well reputed cloud solution provider in Sri Lanka.
Normally EMC provides its services to SME bank in Sri Lanka and WEEFM company. The EMC cloud solution company provides SaaS, PaaS and IaaS to its customers. The EMC company does transactions not only in Sri Lanka but also with external countries, and firewalls and VPNs are the two pieces of software that are very important to install for those transactions. When transactions are done over networks, unauthorized parties can attack the network system, and other private networks can attack it as well. When the network is attacked in this way, the attackers, especially competitors, can get important information about the EMC company. If EMC's competitors get details about the company, it is a huge risk to the company, and firewalls are very important to install to prevent these kinds of risks. If the firewalls are improper, we face the same risks. The other problem that arises when doing online transactions is improper VPNs: when we do online transactions without a proper VPN, there may be snooping and interference on the web traffic, and because of this the transactions cannot be done properly and may buffer. Improper VPNs may damage the reputation of the EMC company, so we have to install proper VPNs.

2.2 Explain how the following technologies would benefit EMC Cloud and its Clients by facilitating a 'trusted network'. (Support your answer with suitable examples).

2.2.1 Static IP

What are static IPs?

A static Internet Protocol (IP) address (static IP address) is a permanent number assigned to a computer by an Internet service provider (ISP). IP addresses are useful for gaming services, website hosting or Voice over Internet Protocol (VoIP). Speed and reliability are key advantages.
Because a static address is constant, systems with static IP addresses are vulnerable to data extraction and higher security risks.

Advantages of Static IPs
• It's good for creating computer servers
• It makes geolocation easier
• It's also better for dedicated services

Disadvantages of static IPs
• A static IP address could be a security risk
• Static IPs are preferred for hosting servers
• The process to set a static IP is complex

What is DHCP IPs?

A DHCP server is used to hand out IP addresses and automatically configure other network information. In most homes and small businesses, the router works as the DHCP server. In large networks, a single computer may act as the DHCP server. In short, the process goes like this: A device (the client) requests an IP address from a router (the host), after which the host assigns an available IP address to allow the client to communicate on the network. A bit more detail below ...

Advantages of DHCP IPs
• DHCP IPs are easy to manage
• We can create a tailored configuration for clients
• Clients can use DHCP to obtain the information needed

Disadvantages of DHCP IPs
• There are many security issues in DHCP IPs
• It fails when there is a single DHCP server
• There are problems in the DHCP server if we are using older Microsoft servers.

2.2.1 DMZ

DMZ means demilitarized zone. It refers to a host or another network system that exists as a secure, intermediate network system; in other words, we define it as a path between an organization's internal network and the external network. A DMZ is mainly implemented to protect an internal network from interaction with, and exploitation and access by, external nodes and networks. A DMZ can be a logical sub-network, or a physical network acting as a secure bridge between an internal and an external network.
A DMZ network has restricted access to the internal network, and all of its communication is scanned on a firewall before being transported internally. If an attacker plans to breach or attack an organization's network, a successful attempt will only result in the compromise of the DMZ network, not the core network behind it. A DMZ is considered more secure and safer than a firewall, and can also work as a proxy server.

2.2.3 Real function of the DMZ

The overall idea is that you put your public-facing servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be rooted. If that happens, and a malicious party gains access to your server, they should be isolated in the DMZ network and not have direct access to the private hosts.

2.2.4 Architecture of DMZs network

There are many ways to plan a network with a DMZ. The two basic approaches are to use either one or two firewalls, though most modern DMZs are planned with two firewalls. The basic method can be extended to create complex architectures, depending on the network requirements. A single firewall with at least three network interfaces can be used to make a network architecture containing a DMZ. The external network is formed by the connection to the public internet. Different sets of firewall rules for traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are permitted into the DMZ from the internet, limit connectivity to specific hosts in the internal network, and prevent unrequested connections either to the internet or to the internal LAN from the DMZ.
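The packet-filter rules from section 2.1.2 (matching on address, protocol and destination port, with Telnet on port 23 dropped) and the three rule sets of the single-firewall DMZ described above, as an added example that is not part of the original assignment. It also audits a rule set for the kind of incorrect configuration section 2.1.5 is concerned with; all addresses, hosts and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan (assumption for this example, not from the page).
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ": ipaddress.ip_network("192.168.50.0/24"),
}
WEB_SERVER = ipaddress.ip_address("192.168.50.10")  # public-facing server in the DMZ
DB_SERVER = ipaddress.ip_address("10.0.0.20")       # the one LAN host the DMZ may reach


def zone_of(addr: str) -> str:
    """Map an address to LAN or DMZ; anything else is treated as INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_zone: str                # zone name or "any"
    dst_zone: str                # zone name or "any"
    proto: str                   # "tcp", "udp" or "any"
    dst_port: Optional[int]      # None means any port
    dst_host: Optional[ipaddress.IPv4Address] = None  # None means any host


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.src_zone in ("any", zone_of(src))
            and rule.dst_zone in ("any", zone_of(dst))
            and rule.proto in ("any", proto)
            and rule.dst_port in (None, dport)
            and (rule.dst_host is None or rule.dst_host == ipaddress.ip_address(dst)))


def decide(rules, src, dst, proto, dport) -> str:
    """First matching rule wins; no match means deny (default deny).
    Only new connection attempts are modelled; replies to allowed
    connections are assumed to be handled by connection tracking."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


POLICY = [
    Rule("deny", "any", "any", "tcp", 23),                  # drop all Telnet
    Rule("allow", "INTERNET", "DMZ", "tcp", 443, WEB_SERVER),  # internet -> DMZ: HTTPS only
    Rule("allow", "DMZ", "LAN", "tcp", 5432, DB_SERVER),    # DMZ -> LAN: one host, one port
    Rule("allow", "LAN", "DMZ", "tcp", 22),                 # LAN -> DMZ: administration
    Rule("allow", "LAN", "INTERNET", "any", None),          # LAN -> internet: outbound
]

# Misconfiguration: a blanket allow placed first overrides every rule after it.
BROKEN = [Rule("allow", "any", "any", "any", None)] + POLICY

# Flows the DMZ design says must never be permitted (constructed probes).
MUST_DENY = [
    ("203.0.113.7", "10.0.0.20", "tcp", 5432),       # internet straight into the LAN
    ("203.0.113.7", "192.168.50.10", "tcp", 23),     # Telnet to the DMZ server
    ("192.168.50.10", "10.0.0.30", "tcp", 445),      # DMZ to an arbitrary LAN host
    ("192.168.50.10", "198.51.100.9", "tcp", 443),   # unrequested DMZ -> internet
]


def audit(rules):
    """Return the forbidden flows that the rule set would let through."""
    return [flow for flow in MUST_DENY if decide(rules, *flow) == "allow"]


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (a.src_zone in ("any", b.src_zone)
            and a.dst_zone in ("any", b.dst_zone)
            and a.proto in ("any", b.proto)
            and a.dst_port in (None, b.dst_port)
            and a.dst_host in (None, b.dst_host))


def shadowed(rules):
    """Indexes of rules fully covered by an earlier rule, so they never fire."""
    return [i for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


if __name__ == "__main__":
    for name, rules in (("POLICY", POLICY), ("BROKEN", BROKEN)):
        print(name, "forbidden flows allowed:", len(audit(rules)),
              "shadowed rules:", shadowed(rules))
```

Running the audit after every rule change shows at once when a rule added in a hurry has opened a path from the internet or the DMZ into the LAN.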
2.2.2 NAT

2.2.5 What is NAT (Network Address Translation)

Network Address Translation is the procedure where a network device, usually a firewall, assigns a public address to a computer inside a private network. The key use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes. However, to access resources outside the network, like the internet, these computers have to have a public address in order for replies to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so quickly that the end user hardly knows it has occurred. A workstation inside a network makes a request to a computer on the internet. Routers within the network identify that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the internet using its own public address, and returns the response from the internet resource to the computer inside the private network. From the perspective of the workstation, it appears that communication is directly with the site on the internet. When NAT is used in this way, all users inside the private network have the same public IP address when they use the internet.

There are many benefits we can get from Network Address Translation (NAT):

• Reuse of private IP addresses
• Enhanced security for private networks by keeping internal addresses private from the external network
• Connecting a large number of hosts to the global internet using a smaller number of public (external) IP addresses, thereby conserving IP address space.

2.2.6 How Static IPs, DMZ, NAT helps to the EMC company?
Static IPs – A static IP is a permanent number assigned to a computer by an internet service provider. Static IPs are useful for web hosting or Voice over Internet Protocol (VoIP). The main advantage of using static IPs is speed and reliability. When the EMC company does transactions with external countries it needs a fast internet connection, so static IPs are highly helpful to the EMC company for these kinds of activities.

DMZ – This refers to a host or another network system that exists as a secure, intermediate network system; in other words, we can define it as a path between an organization's internal network and the external network. When the EMC company deals with its clients, some external network system might attack EMC's network system. To prevent these kinds of attacks the EMC company can use DMZ network systems.

NAT – Network address translation is used to limit the number of public IP addresses that the EMC company must use, for both economy and security purposes. When there is a public IP address, the network system of the EMC company replies to requests that come from unknown IP addresses. To prevent this, NAT is highly helpful to the EMC company.

2.2.7 Trusted Network system?

A Trusted Network System is a network of devices that are linked to each other; it is open only to authorized users and allows only protected data to be transmitted. A Trusted Network System architecture uses current standards, protocols and hardware devices to implement "trust." Trusted Network Systems deliver vital security services such as user authentication, complete network device admission control, end-device status checks, policy-based access control, traffic filtering, automated remediation of non-compliant devices and auditing. The Trusted Computing Group has published industry standards for Trusted Network Systems.
Several commercial Trusted Network System technologies have been developed, including Cisco TrustSec, Cisco Clean Access (formerly known as Cisco Network Admission Control), and Microsoft Network Access Protection.

Components of the trusted network system

• Network Access Device: All connectivity to a Trusted Network System is implemented via a network access device (NAD), which applies policy. NAD functionality may exist in devices such as switches, routers, VPN concentrators and wireless access points.
• Posture Remediation Servers: These servers deliver remediation choices to a client device in case of non-compliance. For example, a server may keep the latest virus signatures and require a non-compliant client device to load the signatures before joining a Trusted Network System.
• Directory Server: This server validates client devices based on their identities or roles.
• Posture Validation Servers: Posture validation servers assess the compliance of a client before it can join a TN. A PVS typically specializes in one client attribute.
• Other Servers: These contain trusted versions of Audit, DNS, DHCP and VPN servers.
• Client Device: Every client device must be assessed prior to admission to a Trusted Network System.
• Authorization and Access Control Server: The authorization and access control server upholds the policy and provides rules to NADs based on the results of authentication and posture validation.

2.3 What is Network Monitoring System.

Network monitoring is a computer network's systematic effort to detect slow or failing network components, such as overloaded or stopped/frozen servers, failing routers, failed switches or other problematic devices. In the event of a network failure or similar outage, the network monitoring system alerts the network administrator. Network monitoring is a subset of network management.
Network monitoring is generally carried out through software applications and tools. Network monitoring services are broadly used to detect whether a given Web server is operating and connected properly to networks worldwide. Many servers that do this job provide a more complete visualization of both the Internet and networks. There are many benefits in a network monitoring system; the main three are:

Protecting your network against attackers – A network monitoring system is able to identify suspicious traffic, thereby allowing owners to act fast. A network monitoring service is able to provide a broad overview of an SMB's entire IT infrastructure, so that nothing is missed. Today, exploits are more sophisticated and advanced, and are able to target a system in a variety of ways. Monitoring antivirus and firewall solutions separately may leave security gaps.

Keeping informed without in-house staff – A network monitoring service will send warnings and information to an SMB owner as issues arise. Otherwise, an SMB may need either to try to monitor its network security itself or to hire a full-time IT employee, which could be very costly. Data breaches can be more harmful and more expensive the longer they go without being noticed.

Optimizing and monitoring your network – Many small business owners are aiming for rapid growth. This growth is not possible if parts of their IT infrastructure are overloaded or slowed. Network monitoring services will map out the infrastructure of a small business, showing an SMB owner areas for improvement and any issues that currently need to be addressed.

LO3 Review mechanisms to control organizational IT security.

3.1.
Discuss suitable risk assessment procedures for EMC Cloud solutions and impact an IT security audit will have on safeguarding organization and its clients Your discussion furthermore should include how IT security can be aligned with an organizational IT policy and how misalignment of such a policy can impact on organization's security.

3.1 Risk Assessment Procedures.

[Figure 1: Five Steps of Risk Management Process. Diagram labels: Identify Potential Risk; Monitoring & Reviewing the Risk; Analysing the Risk; Treating the Risk; Evaluating the Risk]

3.1.1 What is Risk Management

Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively. Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact. (corporatefinanceinstitute, 2021).

Steps of Risk Management Process

• Identify the risk
• Analyze the risk
• Mitigating Risks
• Monitor the risk
• Reporting

Identify the risk

The first thing we have to do in this process is identify the risk. This identification gives us a clear picture of the risk status in the particular organization.

Analyzing the Risk

After getting a clear picture of the identified risks, we are able to analyze all of them by their impact on the particular organization.

Mitigating Risks

Risk mitigation includes the actions that need to be taken to reduce an organization's exposure to essential risks and to reduce the possibility of the risk happening again.

Monitor the risk

Risk monitoring is the process which tracks and evaluates the levels of risk in an organization.
The findings which are produced by risk monitoring processes can be used to help to create new strategies and update older strategies which may have proved to be ineffective. (Skillmaker, 2013)

Reporting

Risk reporting is the vehicle for communicating the value that the Risk function brings to an organization. It allows for proactive risk management as organizations identify and escalate issues either as they arise, or before they are realized to take a proactive approach to managing risks. (PWC, 2011)

What is a risk?

Risk means a bad situation that we will face in the future. It occurs over a relatively short time. These risks may arise as a result of human actions. Most of the risks to an organization can arise from the faults of its workers, so the owner of the organization should assess the risks.

What is Risk Assessment?

As discussed above, risks are common to various big organizations, communities, companies, etc. Risk assessment is the term used for the overall process of identifying and analyzing the hazards and risks that may occur to the company or organization, and analyzing and evaluating the risk associated with each hazard. By identifying and analyzing the risk, we have to determine appropriate ways to control the risk when the hazard cannot be eliminated. We can identify certain kinds of risks by looking around our workplace and identifying the things, situations, processes, etc. that may cause harm to people. After we identify the risk and make this determination, we can next decide what measures should be in place in the organization to effectively eliminate or control the harm.

3.2 Data protection process that applicable to an organization.
Data protection is a very useful thing to do in an organization, because any organization or big company holds a lot of useful data, and if that data is leaked to its competitors the organization or company will surely go bankrupt. This is some of the useful information that reputed companies hold:

• The type of customers they have
• The number of customers they have
• Banking information
• Information about the assets

If this kind of information is leaked from the business or organization, it may create a huge risk to that organization. There are many ways to protect these kinds of important data:

• Fixing CCTV cameras
• Employee monitoring system

Fixing of CCTV cameras

For the owner of a big organization, fixing CCTV cameras is a sensible decision. The use of CCTV cameras must comply with state criminal eavesdropping statutes, which require posting signs where video monitoring is taking place. Another use of CCTV cameras is that when thieves or robbers attack the organization, we can monitor it from the cameras and take the necessary decisions.

Employee monitoring

This is also a method of data protection, because some workers or employees may commit fraud against the company, and the owner has to be aware of that. So frequently monitoring the employees or workers is an important task. But there are limits to monitoring employees, because employees also have privacy to protect. Monitoring of employees is permitted where the employer makes a clear disclosure regarding the type and scope of the monitoring in which it is engaged.
Risk Assessment of EMC Cloud Solutions

Assessment Scale (Probability of threat occurrence)

Level of Probability | Percentage [%] | Remarks
Minor | 0-20 | Low probabilities
Moderate | 20-60 | Normal probabilities
Major | 60-60 | Moderate probabilities
Critical | 90-100 | Critical stage of probabilities

Assessment Scale (Impact of the threat to the organization)

Level of Impact | Percentage [%] | Remarks
Minor | 0-20 | Normal Level of impact to the particular organization
Moderate | 20-60 | Moderate Level of impact to the particular organization
Major | 60-60 | High Level of impact to the particular organization
Critical | 90-100 | Critical Level of impact to the particular organization

Figure 2 Five Steps of Risk Management Process

Identified Risk: R01
Category: Non-Physical
Risk description: DDoS Attacks
Probability: Moderate
Impact: Critical
Rating: Moderate Risk
Countermeasures:
• Install a network monitoring system.
• Identify the normal network traffic.
• Configure firewalls and routers to block malformed traffic well.
• Appoint a person to monitor the network regularly.

Identified Risk: R02
Category: Non-Physical
Risk description: Virus Attacks
Probability: Moderate
Impact: Major
Rating: Moderate Risk
Countermeasures:
• Install firewall device.
• Install suitable antivirus software.
• Run virus scan regularly.
• Get windows security updates.

Identified Risk: R03
Category: Physical
Risk description: Power supply Failure
Probability: Minor Risk
Impact: Major
Rating: Minor Risk
Countermeasures:
• Maintaining an emergency generator.
• Maintaining an alternative server in a different location.
• Fixing solar panels on the roof of the building.
Identified Risk: R04
Category: Non-Physical
Risk description: Data Breach
Probability: Moderate
Impact: Very High
Rating: Moderate Risk
Countermeasures:
• Secure the access methods.
• Encrypt data so that only the authorized person who possesses the unique key can access it.
• Keep updating software regularly.
• Use biometric devices for access.
• Install and configure a suitable firewall.

3.1 Explain the mandatory data protection laws and procedures which will be applied to data storage solutions provided by EMC Cloud. You should also summarize ISO 31000 risk management methodology.

3.3.1 What is Law?

For everything there must be laws and regulations that we should follow. Without them, an organization or company cannot keep operating. First, we have to see what law means. A law is a kind of order implemented by the head of the organization to minimize mistakes, fraud and favouritism among the workers in the organization. Implementing laws is a difficult task for the CEO of the company, because he should know how to implement laws that suit the workers. When there are too many laws some employees might not work properly, and when there are too few laws the workers might not work properly either. To get the work done by the workers, the CEO must think from his own perspective, the company's perspective and the employees' perspective; then he can run his organization or company peacefully without mistakes, fraud and favouritism. Every CEO looks to reduce the risks facing his organization, and for that he should implement laws and regulations continuously. There are guidelines for implementing laws for the risks, and those guidelines are in ISO 31000 – 2018.
Rangith 28 | P a g e Security |Assignment1 HND in Computing and Systems Development 3.3.2 Data Prevention Act 1998 (DPA1998) The Data Protection Act 1998 was an act of Parliament designed to protect personal data stored on computers or in organized paper filing systems. It enacted the EU Data Protection Directive, 1995’s provisions on the protection, processing and movement of personal data. (Rose, 2019) There are 8 principles of the Act guided its purpose and the data protection policies of organizations. At its core, the DPA 1998 has eight principles which were used by organizations to design their own data protection policies. Complying with these was essential for organizations to meet their obligations. Data Protection Act 1998 principles The 8 guiding principles of the Act are as follows; 3.3.3. Principle 1 - Fair and Lawful Personal data should be controlled and processed lawfully and fairly in relation to individuals. A Fair Processing Notice is included in the Act, which requires the controller to notify the subject of the following information: • The identity of the data controller • The purposes for which the personal data are intended to be processed • To whom the personal data may be disclosed to. The first data protection principle gave individuals the right for their personal data to be processed fairly and lawfully by any organization. 3.3.4. Principle 2 - Purposes Personal data should only be obtained if it will be used for a lawful purpose. It should not be processed for any means incompatible with the purpose. The second data protection principle placed a specific obligation on the controller to only use personal data for a lawful and justifiable purpose. U. Rangith 29 | P a g e Security |Assignment1 HND in Computing and Systems Development 3.3.3. Principle 3 - Adequacy Personal data should only be adequate to the purpose it will be used for. It must not be excessive to the purpose it will be used. 
The third data protection principle placed an obligation on the controller to only collect the minimum amount of information required.

3.3.4. Principle 4 - Accuracy
Personal data should be accurate and up to date. If personal data becomes inaccurate, it can no longer be used for the purpose. The fourth data protection principle demanded the controller only collect, store and keep accurate information on the individual.

3.3.5. Principle 5 - Retention
Personal data should not be kept longer than it is needed for. Personal data cannot be stored indefinitely until such a time it may serve a purpose. The fifth data protection principle placed a limit on the amount of time the controller can keep personal information on the individual.

3.3.6. Principle 6 - Rights
Personal data should be processed in accordance with the rights of individuals. The following rights are mentioned in the legislation:
• Access to personal data
• Preventing processing likely to cause damage or distress
• Preventing direct marketing
• Automated decision making
• Correcting inaccurate personal data
• Compensation
The sixth data protection principle gave individuals the right to choose how their personal data would be used. People now had a say in how organizations that held data about them used that data in their activities.

3.3.7. Principle 7 - Security
Personal data should be protected using reasonable and practical means to maintain its integrity and people's rights and freedoms. The Act specifically states that controllers must adopt measures to prevent the following:
· Unauthorized processing of personal data
· Unlawful processing of personal data
· Accidental destruction, damage or loss to personal data
The seventh data protection principle placed a legal obligation on the controller to secure data against unauthorized or unlawful processing and against accidental loss or destruction.

3.3.8. Principle 8 - International transfers
Personal data should not be transferred outside the EU unless the country it is being transferred to can ensure adequate protection of the data in order to maintain the rights and freedoms of data subjects and their personal data. The eighth data protection principle requires the controller to inform the individual of their intent to transfer their data overseas and to ensure the country it is being transferred to can adequately protect the data under their own laws.

Comparing these guiding principles with the DPA 2018's
Now that the Data Protection Act 1998 has been replaced by the Data Protection Act 2018, a comparison can be made between the two Acts. The new principles are as follows:
· Lawfulness, fairness and transparency
· Purpose limitation
· Data minimization
· Accuracy
· Storage limitation
· Integrity and confidentiality (security)
· Accountability
There are seven principles now, with 'international transfers' and 'security' being covered separately in legislation. A new accountability principle features here, making it the legal obligation of the organization to comply with the other principles, and to be able to prove this compliance through the creation of documented policies that must be produced on demand. This is one of the biggest differences between the two Acts.

As you can see, the principles are markedly similar to those of the Data Protection Act 1998, although the legislation behind them is very different and individuals' rights around the processing of their data have been enhanced. Perhaps the biggest difference is that the Information Commissioner's Office (ICO) now has the power to fine both the controller and processor. Under the DPA 1998, they only had powers to pursue the controller for infringement.

So, there we have it, a summary of the 8 guiding principles of the now defunct Data Protection Act 1998.
Many of the Act's nuances live on in the Data Protection Act 2018, but any data protection policy based on the DPA 1998 will need updating to be compliant with the GDPR. Organizations that don't do this now risk the effects of non-compliance, whether that be the loss of business if unable to produce appropriate policies, or action from the ICO. (Rouse, 2019)

3.4.1 Summarization of ISO 31000: 2018 related to EMC company
ISO 31000: 2018 consists of risk management guidelines, providing principles and frameworks to manage risks in the EMC company. When the CEO of the EMC company follows ISO 31000: 2018, it is easy to handle the EMC company, because all the guidelines and frameworks are in it. Any business, whether small-scale or large-scale, can use ISO 31000: 2018. Using ISO 31000: 2018 can help the EMC company to increase the likelihood of achieving its objectives and to easily identify the strengths and weaknesses of the company. These things relate to the vision and mission of the EMC company. However, ISO 31000: 2018 cannot be used for certification purposes, but it provides guidance for internal and external audit programs.

By following ISO 31000: 2018 the owner of the EMC company can compare the risks and threats that come towards the company. In other words, the CEO of the EMC company can compare the threats that he faced in the past with the new threats that come towards it. Another benefit is that the owner of the EMC company can compare its risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance. A further benefit is that the owner of the EMC company can identify risks before they affect the company.
With these benefits the EMC company can move forward without any threats and risks, and the owner of the EMC company can take decisions before a risk or threat strikes.

3.4.2 ISO 31000: 2018 Risk Management
If the EMC company is affected by risks, it can face consequences in terms of economic performance and professional reputation, as well as environmental, safety and social outcomes. If threats or risks affect the economic performance of the EMC company, it is a huge loss for the company, because customers will reject the company, the banks that give loans to the company may reject it, and finally the employees who depend on the EMC company are affected. After economic performance, professional reputation is affected. If the EMC company deals or transacts with foreign countries, professional reputation is highly important. If it is damaged by threats or risks, those countries will also start to reject the company. For these reasons, managing risks effectively helps the EMC company to perform well in an environment full of uncertainty.

3.5 What is Audit?
In every large-scale company there is an audit firm to examine the current situation of the company. If employees commit fraud or conduct illegal business, they get caught in this process. That is the benefit of an audit firm. If there is no department acting as an audit firm, the company is bound to go bankrupt, because no one is there to find the fraud and other wrongdoing happening in the company. Some companies have security audits, which are there to check whether the security system is working in a proper manner.
If there is no audit system to examine the security system, the security system might also become corrupted. From the above points, we can tell that IT security audits have a huge impact on organizational security.

3.5.1 What is IT security Audit?
An IT security audit involves an IT specialist examining an organization's existing IT infrastructure to identify the strength of its current arrangements and any potential vulnerabilities. IT security is very important to the EMC company because conducting IT security audits ensures that cyber defenses are as up to date as they can be, effectively detecting or responding to any kind of threat posed by hackers and other criminals who manipulate IT systems for their own ends. When the EMC company deals with other countries, cyber defenses are very important; if they fail, very dangerous hackers can attack the servers and take all the important information, but if the cyber defenses are up to date there is no risk.

3.5.2 What an IT security Audit does for the company
When all the IT services are connected with the IT security audit, the organization can have a more formidable IT system in place. There are many departments in the company; when the IT security audit connects to each department, the function of the IT security audit may range from database management to resource planning, as a chain network. For a company, data is one of the key assets that requires top security control. If the data is released or stolen by competitors or another firm, it is a main reason for the company to go bankrupt or gain a bad reputation; for these reasons we have to protect our data. IT security auditors determine the type of information we have, how it flows in and out of the organization, and who has access to the information.

3.5.3 IT security Audits can identify the vulnerable points and problem areas in the company
A special feature of IT security audits is that they can identify the vulnerable points and problem areas easily. The IT system is a vast one with several components, including hardware, software, data and procedures, but the IT security system can find the vulnerable areas easily. Through the IT security system we can check whether our hardware and software tools are configured properly and working properly. Security audits also retrace the security incidents or dangerous situations that the company faced in the past and that might have exposed our security weak points. The other main thing done by the audit is carrying out tests of network weaknesses, operating systems, access control and security applications.

3.6 How IT security aligned with organization policy?
Security purposes should be aligned with the company's goals and documented in company policies and procedures. Company policies and procedures are not just paperwork; they are the basis of a strong security plan. Once the company policies and procedures have been developed or updated with the help of company staff, your organization's security basis will be more current, sound and in compliance. Companies' cybersecurity experts:
• Cooperate with your organization to develop strategies for successfully communicating policies, standards and procedures for measuring good security practices and agreements
• Provide ongoing management of the company policies, procedures and standards to ensure those documents are kept current and relevant

3.6.1 Aligning Security with company objectives
Aligning security with the organization's greater business needs is becoming increasingly important, but how do you really do it?
What it comes down to is being able to map security to business purposes. Done right, security can be a main business driver. Today, everyone from finance to DevOps to sales and engineering has security top of mind, at least if they know what's good for them. In this post, we'll offer numerous ways to bridge the gap between security and the rest of the company, allowing you to successfully bring it into the organization in order to meet any number of business purposes.

3.6.2 How IT security Misaligned with organization policy?
Misalignment arises when the intended purpose or plan somewhat conflicts with the actual result. The idea of alignment in IS has been explored especially in IT-business alignment. The idea of alignment has also been examined in software development to address issues around alignment between development and testing. The concept of alignment, particularly in IT, is complex, as it is quite fragmented and relates to different facets. Hence, in order to achieve suitable alignment, it is important to ensure the focus is on specific components of alignment rather than on general alignment. For this reason, the lack of alignment, which is referred to in this study as misalignment, is discussed in the setting of, firstly, outside entities such as customers, standards, guidelines, regulations and third-party software; the different roles involved in the software development process; the current and required skills for integrating security requirements; and lastly the general system requirements. All the recognized forms of misalignment pose challenges to the integration of security requirements in mobile application development. The section that follows gives an overview of the different forms of alignment.

LO4 Manage organizational security.
4.1 Design a security policy for EMC Cloud to minimize exploitations and misuses while evaluating the suitability of the tools used in an organizational policy.

4.1 Suitability of the tools used in the policies
Organizational design is considered in policy work as a powerful policy tool to put policy into action. However, earlier research has not examined the project organization as a specific form of organizational design and, hence, has not given much attention to such organizations as a planned choice when choosing policy tools. The purpose of the article is to examine the project as a policy tool: how do such temporary organizations function as a specific form of organization when public policy is applied? The article is based on a framework of policy implementation and is illustrated with two welfare reforms in the Swedish public sector, which were prepared and applied as project organizations. The case studies and the examination show that it is vital that a project organization fits into the overall governance structure when used as a policy tool. If not, the project will remain encapsulated and will not have sufficient influence on the permanent organizational structure. The concept of encapsulation indicates a need to protect the project from a potentially hostile environment. The implication of this is that organizational design as a policy tool is a matter that deserves more attention in the planned discussion on implementing public policies and on the suitability of using certain policy tools.

The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality to allow a business or organization to operate.

4.1.1 Creating disaster recovery plan
An organization can start its DRP with a summary of vital action steps and a list of important contacts, so the most vital information is quickly and easily available.
The plan should describe the roles and tasks of disaster recovery team members and outline the criteria to launch the plan into action. The plan then specifies, in detail, the incident response and recovery activities.

Disaster Management Plan (presentation slides)
• Title Slide
• What is a Disaster – Understanding the Disaster
• Type of Disasters
• Disaster Recovery Plan
• Disaster Recovery Plan – Continue
• Creating a Disaster Recovery Plan – Steps
• Creating a Disaster Recovery Plan Steps – Continue
• Resources involved - DRP
• Effective DRP with Additional Resources
• Benefits of Creating DRP
• Benefits of Creating DRP – Continue
• Key Components of DRP
• Understanding the Structure
• Risk Management of DRP
• DRP and Process Progress – Analyzed Infrastructure
• Risk Impact on Organization
• Risk Impact on Organization – Continue
• Team of DRP
• Test the DRP by Verifying it
• Be Prepared for Ever
(Infor Tech Researchers, 2007)

4.2 Develop and present a disaster recovery plan for EMC Cloud for all venues to ensure maximum uptime for its customers.
Discuss how critical the roles of the stakeholders in the organization are to successfully implementing the security policy and the disaster recovery plan you recommended as a part of the security audit.

4.3.1 Who is a stakeholder?
Definition of the term "stakeholder": "A person, group or organization that has attention or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the company draws its resources. Not all stakeholders are equivalent. A company's customers are entitled to fair trading practices but they are not entitled to the same consideration as the company's employees."

The stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or unwillingly, to its wealth-creating capacity and activities, and that are therefore its potential beneficiaries and/or risk bearers.

Types of Stakeholders
• Primary stakeholders – Usually internal stakeholders, are those that engage in financial dealings with the business (for example stockholders, customers, suppliers, creditors, and employees).
• Secondary stakeholders – Usually outside stakeholders, are those who, although they do not engage in direct financial exchange with the business, are affected by or can affect its activities (for example the general public, communities, activist groups, business support groups, and the media).
• Excluded stakeholders – Those such as children or the disinterested public, initially as they had no financial impact on the company. Now, as the concept takes an anthropocentric viewpoint, while some groups like the general public may be recognized as stakeholders, others remain excluded.
Such a viewpoint does not give plants, animals or even geology a voice as stakeholders, but only an instrumental value in relation to human groups or individuals.

4.3.2 Role of a security stakeholder related to the company
We can view security's customers from two viewpoints: the roles and tasks that they have, and the security benefits they obtain. The roles and tasks aspect is vital because it determines how we should communicate with our various security customers, based on enabling and influencing them to perform their roles in security, even if that role is a simple one, such as using an access card to gain admission to the facility. It is also vital because fulfilling their roles and tasks as employees, managers, contractors or partners is the way that security's customers “pay for” the security that they obtain. If they do not see or understand the value of security, or are not happy about how much they have to pay for it (i.e. how much trouble they have to go through for security), they may choose to bypass security, such as by tailgating to enter the facility.

While some individuals in our company or organization pay for security by allocating or approving security project funding, the majority of individuals pay for security by fulfilling their roles and tasks, and that is critical to establishing sound security throughout the organization or company. Due to the importance of the roles that our workers play in security, as well as the benefits security provides to them, we refer to security's customers as stakeholders.

Security Stakeholders Exercise
In last month's column we started with the making of a personal Lean Journal and a first exercise of identifying the security stakeholders. Why perform this exercise? There are many benefits for security staff and officers as well as for security managers and directors who perform it.
It helps to start with a small group first and then expand out, using the results of the first exercise to refine your efforts. Begin at the highest level of security and work down, such as the headquarters or local level for large organizations, and security manager, staff, managers and officers at the site level. Here are some of the benefits of this exercise:
• Transfers knowledge and insights from more experienced personnel.
• Shares knowledge between shifts and functions.
• Can reveal security value not immediately apparent to security personnel.
• Expands security personnel awareness of the value of their jobs.
• Increases sensitivity of security personnel to security stakeholders' concerns.
• Provides a check on the effectiveness and scope of security personnel training.
• Helps to reinforce the common purpose and build camaraderie.

What is Security Policy
At its core, a security policy is a written document that states how an organization plans to protect the company's information technology assets. The policy outlines the protections that should be enacted to ensure that the organization's assets face minimal risks. A security policy, along with the accompanying procedures, standards, and guidelines, is key to implementing information security in an organization. Having a written security policy empowers an organization to take appropriate action to safeguard its data.

An organization's information security policy can serve several functions:
• It may be an intention and overall orientation, which is formally expressed by the organization.
• Privacy policy is a means to convey a culture of information security and acceptable information security behaviors.
• It details the specific risks and how to address them, and thus provides controls that executives can use to guide employee behavior.
• It can help create an organizational culture of security awareness.
• It can help ensure that employee behavior is directed and monitored in compliance with security requirements.

An effective security policy must carefully balance two key elements: trust and control. There are three approaches to trust:
• Trust everyone all the time. This is the easiest model to implement because there are no restrictions. However, this model is impractical because it makes systems vulnerable to attack.
• Trust no one at any time. This model is the most restrictive, but also unrealistic. Very few individuals will work for an organization that does not trust its employees.
• Trust some people some of the time. This approach exercises caution in the amount of trust given. Access is provided as needed, with technical controls to ensure trust is not compromised.

The privacy policy strives to provide a consistent amount of trust by balancing distrust and too much trust. It does this by trusting some people for some time and providing the right level of access to resources for employees to perform their job functions, but not more than that. Determining the level of trust can be a delicate matter; too much trust can lead to security issues, while too little trust can make it difficult to find and keep good employees.

Control is the second factor that must be balanced. One of the goals of the privacy policy is to exercise control. The decision about the degree of control over a particular policy is not always clear. The security and cultural needs of an organization play a key role when deciding which level of control is appropriate. If policies are too restrictive or too difficult to enforce and comply with, employees will ignore them or try to break the controls. Management must commit to the appropriate level of control that the privacy policy needs to address.
Because privacy policies are a balancing act between trust and control, not all employees have a positive attitude towards them. Employees sometimes view security policies as a barrier to their productivity, a way to control their behavior, or as a list of rules that are difficult to follow. This is especially true if, in the past, policies did not exist or were loosely enforced.

Design a Security Policy
When designing a security policy, you can consider a standard set of rules. They can be divided into what a policy must do and what a policy should do.

Security policy must do:
• Be implementable and enforceable
• Be concise and easy to understand
• Balance protection with productivity

Security policy should do:
• State reasons why the policy is necessary
• Describe what is covered by the policy
• Outline how violations will be handled

The design of a security policy is not the work of one or two security personnel but rather of a group. The security policy development team is responsible for developing the initial draft of the policy, determining which team is required to review each part of the policy, completing the required approval process, and determining how the policy will be implemented. The group should have these representatives:
• Senior-level administrator
• Management board members who can enforce the policy
• Representative from user community
• Member of legal staff

Policies
Policy Number | Description | What it will do
PN001 | Acceptable encryption policy | Defines requirements for using cryptography.
PN001 | Antivirus policy | Create guidelines to minimize the risk of computer viruses on the organization's network and computers.
PN002 | Audit vulnerability scanning policy | Outline the requirements and provide authority for an information security team to conduct audits and risk assessments, investigate incidents, ensure compliance with privacy policies or track user activity.
PN003 | Automatically forwarded email policy | Specifies that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.
PN004 | Database credentials coding policy | Define requirements for storing and retrieving database usernames and passwords.
PN005 | Router security policy | Outlines the standards for the minimum security configuration for routers and switches.
PN006 | Server security policy | Create standards for minimum security configurations for servers.
PN007 | VPN security policy | Establishes requirements for remote access virtual private network (VPN) connections to the organization's network.

In addition to the privacy policies listed in the table above, most organizations have privacy policies that address use, privacy, data, security-related human resources and ethics, and password management and complexity.
• Acceptable Use Policy (AUP)
• Human Resource Policy
• Password Management Policy
• Privacy Policy
• Disposal and Destruction Policy
• Service-Level Agreement (SLA) Policy
• Compliance Monitoring and Evaluation

Incident Response Policy
Outlines actions to be performed when a security breach occurs. Most policies outline the composition of an incident response team (IRT), which should be composed of individuals from:
• Senior management – IT Professional
• Corporate counsel – Human Resources
• Public relations

Ethics Policy
Ethical policies are guidelines for all employees of a company to do the right thing and behave to high standards at all times. Good ethical policies create a good culture based on trust and transparency.
The main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to.

Conclusion
EMC is a well reputed cloud solution provider in Sri Lanka. EMC normally provides its services to SME Bank in Sri Lanka and the WEEFM company. EMC Cloud Solutions provides SAAS, PAAS and LAAS to its customers, and it has roughly five hundred customers. The head office of the EMC company is situated in Bambalapitiya. But the EMC company has a poor security system, both physically and at the network level. So, by implementing new security procedures we can build a new system for the EMC company, and by using firewalls, VPNs, DMZ and NAT we can build a good network security system for the EMC company. From the things we learned above, we know how to maintain the company without any risks and, if there are any risks, how to overcome them. Finally, we also know about audits, the importance of audits, who the stakeholders are and the roles of the stakeholders.

References
(2021). Retrieved from corporatefinanceinstitute.
Anon. (2019, 02 13). https://www.researchgate.net/publication/266686928_Classification_of_Security_Threats_in_Information_Systems. Retrieved from www.researchgate.net: https://www.researchgate.net/publication/266686928_Classification_of_Security_Threats_in_Information_Systems
Beal, V. (2015, May 15). entity-relationship diagram (model). Retrieved from webopedia: https://www.webopedia.com/TERM/E/entity_relationship_diagram.html
Elmasri, R. (2013, June 28). Database Management System. Retrieved from techopedia: https://www.techopedia.com/definition/24361/database-management-systems-dbms
Hq.nasa.gov. (2019, 2 13). Hq.nasa.gov. Retrieved from https://www.hq.nasa.gov: https://www.hq.nasa.gov
Infor Tech Researchers, I. (2007, June 20). https://www.infotech.com. Retrieved from https://www.infotech.com/research/drp-analysis-risk-and-businessimpact#:~:text=DRP%20Analysis%3A%20Risk%20and%20Business%20Impact%20In%20many,communicates%20with%20the%20business%20owners%20of%20those%20assets.
Investopedia. (2019, 02 13). www.investopedia.com. Retrieved from Return on Assets - ROA: https://www.investopedia.com/terms/r/returnonassets.asp
Navathe, S. B. (2011). FUNDAMENTALS OF DATABASE SYSTEMS. New York San Francisco: Addison-Wesley.
PWC. (2011, Sep). https://www.pwc.com.au. Retrieved from https://www.pwc.com.au/industry/banking-capital-markets/assets/insight-intoeffective-risk-reporting-sep11.pdf
Rose. (2019). https://www.privacyhelper.co.uk/knowledge-hub-articles. Retrieved from www.privacyhelper.co.uk: https://www.privacyhelper.co.uk/knowledge-hub-articles/data-protection-act-1998-a-summary-of-the-8-guiding-principles
Rouse. (2019). https://www.privacyhelper.co.uk. Data Protection Act. Retrieved from https://www.privacyhelper.co.uk: https://www.privacyhelper.co.uk/knowledge-hub-articles/data-protection-act-1998-a-summary-of-the-8-guiding-principles
Schudy, R. (2016). Microsoft SQL Server Installation Guide. Massachusetts: Boston University.
Skillmaker. (2013, Dec). Risk-Monitoring/. Retrieved from https://www.skillmaker.edu.au/risk-monitoring/
Techopedia. (2018). Techopedia. Retrieved March 12, 2018, from https://www.techopedia.com/definition/1221/normalization
Techopedia. (2018). Techopedia. Retrieved March 12, 2018, from https://www.techopedia.com/definition/19504/functional-dependency
TechTarget. (2000). TechTarget. Retrieved March 12, 2018, from http://searchsqlserver.techtarget.com/definition/normalization
Techwalla. (2018). Techwalla. Retrieved February 28, 2018, from https://www.techwalla.com/articles/what-is-relational-database-schema