Uploaded by Faizal Rasheed

Security Assignment

EMC Cloud Solutions is reputed as the nation's most reliable Cloud solution provider in Sri Lanka. A
number of high profile businesses in Sri Lanka including Esoft Metro Camps network, SME Bank Sri Lanka and
WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its customers with SaaS, PaaS
& IaaS solutions with high capacity compute and storage options. Also, EMC is a selected contractor for Sri Lanka,
The Ministry of Defense for hosting government and defense systems.
EMC's central datacenter facility is located at Colombo, Sri Lanka along with its corporate head-office in
Bambalapitiya. Their premises at Bambalapitiya is a six story building with the 1st floor dedicated to sales and
customer services equipped with public wifi facility. The second floor hosts HR, Finance and Training & Development
departments and the third floor hosts the boardroom and offices for senior executives along with the IT and Data center
department. Floors 4, 5 and 6 host computer servers which make up the datacenter.
With the rapid growth of information technology in Kandy area in recent years, EMC seeks opportunity to extend its
services to Kandy, Sri Lanka. As of yet, the organization still considers the nature of such extension with what to
implement, where is the suitable location and other essential options such as security are actually being discussed.
You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related specifics
of its present system and provide recommendations on security and reliability related improvements of its present
system as well as to plan the establishment of the extension on a solid security foundation.
Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following elements to
the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such issues would
create on the business itself.
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed in section
(1.1) by assessing and treating the risks.
Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which are
applicable to firewalls and VPN solutions.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a ‘trusted network’.
(Support your answer with suitable illustrations).
i) DMZ
ii) Static IP
iii) NAT
2.3 Discuss the benefits of implementing network monitoring systems.
Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself and its clients.
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solutions
provided by EMC Cloud. You may also highlight on ISO 31000 risk management methodology.
3.3 Comment on the topic, ‘IT Security & Organizational Policy’
Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while evaluating the
suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure maximum uptime
for its customers (Student should produce a PowerPoint-based presentation which illustrates the recovery plan
within 15 minutes of time including justifications and reasons for decisions and options used).
4.3 ‘Creditors, directors, employees, government and its agencies, owners /shareholders, suppliers, unions, and
the other parties the business draws its resources’ are the main branches of any organization. Discuss the role of
these groups to implement security audit recommendations for the organization.
Grading Rubric
Grading Criteria | Achieved | Feedback
LO1 Assess risks to IT security
P1 Identify types of security risks to organisations.
P2 Describe organizational security procedures.
M1 Propose a method to assess and treat IT security risks.
LO2 Describe IT security solutions
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.
M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
D1 Investigate how a ‘trusted network’ may be part of an IT security solution.
LO3 Review mechanisms to control organisational IT security
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organisation.
M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.
D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.
LO4 Manage organizational security
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organisational policy.
Table of Contents
Internal verification of assessment decisions – BTEC (RQF)
Higher Nationals - Summative Assignment Feedback Form
Computing
Assignment Brief
Acknowledgement
Overview of the Company
1.1 I.T Security
1.1.1 Vulnerability
Vulnerability to EMC
1.1.2 Threats
1.1.3 Security Risk
1.2 Organizational Security Procedures
1.2.1 Treating I.T Security Risks
Activity 2
2.1.1 Firewall
Impact on EMC cloud solutions of a firewall misconfiguration
2.1.2 VPN
2.2 Demilitarized zone (DMZ)
2.2.1 Static IP
2.2.2 NAT (Network Address Translation)
2.3 Network Monitoring
2.3.1 Benefits of Network Monitoring
Activity 3
Policy Document
Information Security
3.1 Risk Assessment Procedures
3.1.1 Risk Assessment Plan
3.2 Data Protection
ISO 31000
Data Act 1998
3.3 IT Security and Organizational Policy
Activity 4
4.1 Security Policy for EMC Cloud Solutions
1.0 Purpose
2.0 Scope
3.0 Objective
4.0 Policy Statement
4.1 Access to the EMC Center
4.2 Equipment’s in the EMC
4.3 Outsourcing
4.4 Password Control Unit
Responsibilities
4.2 Disaster Recovery Plan
4.2.1 Disaster Recovery Plan for EMC Cloud Solutions
4.3 IT Security Audit
4.3.1 Impacts on organizational security resulting from an IT audit
4.3.2 Organizational Stakeholders
Conclusion
Table of Figures
Figure 1 Firewall
Figure 2 How Virtual Private Network Works
Figure 3 DMZ Architecture
Figure 4 Difference Between Static IP & Dynamic IP
Figure 5 NAT
Figure 6 Network Monitoring Tool
Figure 7 Presentation Slide 1
Figure 8 Presentation Slide 2
Figure 9 Presentation Slide 3
Figure 10 Presentation Slide 4
Figure 11 Presentation Slide 5
Figure 12 Presentation Slide 6
Figure 13 Presentation Slide 7
Figure 14 Presentation Slide 8
Table of Tables
Table 1 Risk Assessment Plan
Overview of the Company
EMC Cloud Solutions is the most secure cloud solution in Sri Lanka, providing high-capacity
computing and storage solutions to nearly 500 of its consumers through SaaS, PaaS, and IaaS. It
also has a partnership with the Ministry of Defense to host government and defense systems.
The central data center complex of EMC and its headquarters are located in Bambalapitiya,
Colombo, and the company plans to expand its services to Kandy.
EMC Cloud Solutions is structured as follows:
1st Floor - Sales, Customer services
2nd Floor - HR, Finance, and Training & Development departments
3rd Floor - Boardroom, Senior Executive offices, IT and Data center department
4th, 5th & 6th Floors - Computer Servers
1.1 I.T Security
Security in information technology refers to the measures taken to protect digital information
from malware and other threats, both internal and external. It is a defensive practice of
detecting and preventing threats using different software tools, security policies, and I.T services.
(One, 2020)
Advantages
Protects personal information from being misused
Prevents malicious attacks on the system
Denies access to unauthorized users
Protects confidential documents from being corrupted
Disadvantages
Configuring the firewall accurately is complicated
Implementing a secured system is costly
Applications must always be kept updated
More restrictions on access to resources
1.1.1 Vulnerability
In cyber security, a vulnerability is an exploitable weakness through which an attacker can gain
unauthorized access to, or execute unauthorized actions on, a computer system. Vulnerabilities can let
attackers run code, access a system's memory, install malware, and steal, destroy or modify sensitive
data. The attacker must be able to connect to the computer system to exploit a vulnerability. (Watts,
2020)
Vulnerability to EMC
Power Failures.
Malware Attacks.
Effective hidden programs.
Computerized Script Functioning without malicious software.
Unidentified bugs.
Phishing.
Damage to resources.
Lack of cooling, causing devices to overheat.
Access to public Wi-Fi.
1.1.2 Threats
Anything that has the potential to cause serious harm to a computer system can be regarded as a cyber
threat. A cyber threat has the potential to cause serious damage but may or may not occur; if it does
occur, it can lead to attacks on computer systems, networks and more. Cyber threats include
everything from viruses, Trojans and back doors to outright attacks from hackers.
(Intellipaat, 2020)
Threats to EMC
Insecure sensitive data
Natural disaster
Severe damage to facilities
Reduced lifespan of resources due to high heat
Use of the public Wi-Fi leading to information theft
Another major threat to an organization is its high attrition percentage.
1.1.3 Security Risk
A computer security risk is anything that can harm or corrupt the sensitive information on your
system, or enable somebody else to access your computer without your knowledge. (Direct,
Information Security Risk, 2020)
Types of Security Risks to EMC Cloud Organization
Computer Viruses
A computer virus is a common threat designed to spread through the entire network, infecting
every PC connected to the same network without the user's knowledge. It can corrupt and damage
the organization's sensitive data, affect files, and harm the system software.
Trojan Horse
A Trojan is a well-developed program or scripted document built by hackers. A Trojan can gain
access to the organization's systems and take actions such as damaging, modifying or deleting data,
or blocking the network. A Trojan typically works by an email being sent to the victim with an
attached document that contains malicious code; once the user clicks on the document, the malicious
code is executed.
Spyware
Spyware is an application that is installed on the user's PC alongside other applications, bundled in
their installation packages. Spyware monitors personal information such as login credentials,
organizational business information, internet activity, and debit or credit card details entered
during online purchases, without the user's knowledge. It acts as a spy agent observing all of the
user's sensitive personal data. It can be identified and blocked using firewalls and anti-virus software.
(Touhid58, 2019)
1.2 Organizational Security Procedures
A security procedure is a set of instructions that sets out the organizational policies and rules
to be applied when dealing with a problem. Security procedures are used in an organization to
grant employees access with the minimum privileges, in line with the policies and
instructions of the organization. In this manner the sensitive data of the organization can be
protected from unauthorized access, corruption or deletion. (Direct, Security Procedure, 2020)
1.2.1 Treating I.T Security Risks
Treating security risks is the process of researching and identifying the possible ways in which
malware or a threat could be triggered by the victim, knowingly or unknowingly, and focusing on
preventing such infections in the implemented network. This involves allocating preplanned
resources, secured tools, and security-based control systems in the organization so that threats
can be prevented in the future. (Solutions, 2020)
Activity 2
2.1.1 Firewall
A firewall is a filtering mechanism that inspects the data packets being sent and received across
the network and allows or blocks them, establishing a controlled network. A
firewall is a defensive agent that secures the trusted network from being infected by viruses and
attacked by hackers. Packets are handled according to the security rules that the organization has
implemented in the network; in this manner the firewall can identify the data flows that comply with
its rules and block threats easily. (Forcepoint, What is a Firewall?, 2020)
Impact on EMC cloud solutions of a firewall misconfiguration
A firewall misconfiguration can lead to data loss and phishing. The operational activity of EMC would
go down, and for that period the operations of the organization would be halted, leading to major
financial loss. Other attacks could lead to identity theft, which could be used for various criminal
pursuits, and to highly sophisticated ransomware attacks that demand a
large sum of money for releasing your own personal data.
Figure 1 Firewall
2.1.2 VPN
A Virtual Private Network (VPN) is an application that lets you connect to a network through an
encrypted tunnel to protect your personal and sensitive information online. The
initiating and receiving network addresses are both authenticated to give online communications
better stability. To gain entry to a restricted resource through a VPN, the individual must use the
virtual private network software. (namecheap, 2020)
Figure 2 How Virtual Private Network Works
2.2 Demilitarized zone (DMZ)
A demilitarized zone (DMZ) is an additional security mechanism added to the firewall: a neutral
network that sits between the internet and the organization's private network. Its front end
reduces the data traffic from the internet that reaches the systems within its range, and at its back
end a supplementary layer protects the private network from any unauthorized access through the
DMZ. (Network, 2020)
Figure 3 DMZ Architecture
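The firewall misconfiguration impact in 2.1.1 and the DMZ layering in 2.2 can be checked mechanically. The following is an added example, not part of the original assignment: it audits a first-match rule list against a segmentation policy, and the zone names, ports and both rule sets are constructed assumptions.

```python
"""Zone-based firewall rule audit for a DMZ layout.

Constructed example: zone names, ports and both rule sets are assumptions
made for illustration; they are not EMC's configuration.
"""
from collections import namedtuple

ANY = "any"
Rule = namedtuple("Rule", "src dst port action")  # action: "allow" or "deny"

# Flows the segmentation policy forbids and requires (constructed).
MUST_DENY = [
    ("internet", "internal", 22),     # admin access straight from the internet
    ("guest_wifi", "internal", 445),  # public Wi-Fi into the private network
    ("dmz", "internal", 445),         # DMZ host reaching internal file shares
]
MUST_ALLOW = [
    ("internet", "dmz", 443),         # customers reach the public front end
    ("dmz", "internal", 5432),        # front end reaches its database only
    ("internal", "internet", 443),    # staff browsing
]


def first_match(rules, src, dst, port):
    """Return (rule index, action); first match wins, no match is a deny."""
    for i, r in enumerate(rules):
        if all(want in (ANY, got)
               for want, got in zip(r[:3], (src, dst, port))):
            return i, r.action
    return None, "deny"


def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    return all(e == ANY or e == l for e, l in zip(earlier[:3], later[:3]))


def audit(rules):
    """List policy violations and rules that can never take effect."""
    findings = []
    for j, rule in enumerate(rules):
        for i in range(j):
            if covers(rules[i], rule):
                findings.append(("shadowed", j, i))
                break
    for flow in MUST_DENY:
        i, action = first_match(rules, *flow)
        if action == "allow":
            findings.append(("exposed", flow, i))
    for flow in MUST_ALLOW:
        i, action = first_match(rules, *flow)
        if action == "deny":
            findings.append(("blocked", flow, i))
    return findings


# Weak rule set: broad allows, and a deny placed after the allow it should limit.
MISCONFIGURED = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", ANY, "allow"),       # whole private network open to DMZ
    Rule("guest_wifi", ANY, ANY, "allow"),       # guests can reach every zone
    Rule("guest_wifi", "internal", ANY, "deny"), # never reached: shadowed by rule 2
    Rule("internal", "internet", 443, "allow"),
]

# Corrected rule set: narrow allows, denies first, explicit default deny.
CORRECTED = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", 5432, "allow"),
    Rule("guest_wifi", "internal", ANY, "deny"),
    Rule("guest_wifi", "internet", 443, "allow"),
    Rule("internal", "internet", 443, "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, audit(rules))
```

Rule order matters as much as rule content: the deny for guest Wi-Fi in the weak set is present but has no effect because a broader allow precedes it.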
2.2.1 Static IP
A static IP address is an IP address that is configured individually for a computer, rather than one
allocated by a DHCP server. It is called static because it never changes; static addresses are
assigned by the ISP so that the user can browse without any drawbacks. A static IP address can be
configured on devices such as computers, laptops, phones and routers, either automatically or
manually. Routers are mostly configured automatically since they set up their own IP addresses.
(Techopedia, 2020)
Figure 4 Difference Between Static IP & Dynamic IP
2.2.2 NAT (Network Address Translation)
Network Address Translation (NAT) is a mechanism in which a network device, normally a
firewall, assigns a public address to a device within a local network. NAT's primary use is to
limit the number of public IP addresses that an entity or corporation has to use. NAT enables a
single unit, such as a router, to act as an agent between the Internet (or another public
network) and the local area network (or private network), so that just one IP address is needed
to connect a whole group of computers and other devices to anything beyond their own network. Even so,
whenever internal hosts need to connect to the internet, a public address enters the equation.
Typically purchased from an ISP, this is a usable public address which
represents the gateway to your network. This public address is exclusive: it will not
be used by anyone else. (Techterms, 2020)
Figure 5 NAT
Advantages of NAT
Network Address Translation provides an enhanced security framework by hiding the
destination address in the original.
It improves the stability and efficiency of public network connections through the introduction of
multiple pools, redundancy, and load balancing.
It adds an additional layer of protection to the network. Hosts within a NAT network cannot
be reached by users on other networks unless they wish to be.
Disadvantages of NAT
Services that require TCP or UDP connections to be initiated from outside can be disrupted and
will often be unavailable.
Many technologies and network frameworks simply will not work as planned.
If the network has to be managed from remote locations, troubleshooting becomes difficult and
results in a lack of end-to-end standardization.
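The translation behaviour behind these advantages and disadvantages, shown as an added example that is not part of the original assignment: a small port-translation table in which outbound traffic creates state, replies are mapped back, unsolicited inbound traffic is dropped, and a static forward is needed for a published service. Addresses, ports and the pool size are constructed, and real NAT devices also track the remote endpoint and idle timeouts, which this simplification omits.

```python
"""Port address translation (many private hosts behind one public address).

Constructed example: addresses use private and documentation ranges, and the
tiny port pool is an assumption chosen to make exhaustion visible.
"""


class NatGateway:
    def __init__(self, public_ip, first_port=40000, pool_size=3):
        self.public_ip = public_ip
        self.pool = range(first_port, first_port + pool_size)
        self.dynamic = {}   # (proto, private ip, private port) -> public port
        self.reverse = {}   # (proto, public port) -> (private ip, private port)
        self.forwards = {}  # static (proto, public port) -> (private ip, private port)

    def add_forward(self, proto, public_port, priv_ip, priv_port):
        """Publish an internal service that must accept outside connections."""
        if (proto, public_port) in self.reverse:
            raise ValueError("public port already used by a dynamic mapping")
        self.forwards[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, proto, priv_ip, priv_port):
        """Rewrite an internal source to (public ip, public port), creating state."""
        key = (proto, priv_ip, priv_port)
        if key not in self.dynamic:
            free = next((p for p in self.pool
                         if (proto, p) not in self.reverse
                         and (proto, p) not in self.forwards), None)
            if free is None:
                raise RuntimeError("NAT port pool exhausted")
            self.dynamic[key] = free
            self.reverse[(proto, free)] = (priv_ip, priv_port)
        return self.public_ip, self.dynamic[key]

    def inbound(self, proto, public_port):
        """Map a packet arriving on the public address; None means drop it."""
        key = (proto, public_port)
        return self.reverse.get(key) or self.forwards.get(key)

    def expire(self, proto, priv_ip, priv_port):
        """Remove a dynamic mapping, as an idle timeout would."""
        port = self.dynamic.pop((proto, priv_ip, priv_port), None)
        if port is not None:
            del self.reverse[(proto, port)]


def demo():
    """Walk through the cases from the advantages and disadvantages lists."""
    nat = NatGateway("203.0.113.10")
    seen = {}
    # Two internal hosts share one public address on different ports.
    seen["host_a"] = nat.outbound("tcp", "10.0.2.15", 51000)
    seen["host_b"] = nat.outbound("tcp", "10.0.2.16", 51000)
    # A reply to host A's connection is translated back.
    seen["reply"] = nat.inbound("tcp", 40000)
    # Nothing inside asked for this connection, so it is dropped.
    seen["unsolicited"] = nat.inbound("tcp", 3389)
    # An externally initiated service only works with an explicit forward.
    nat.add_forward("tcp", 443, "10.0.1.5", 8443)
    seen["published"] = nat.inbound("tcp", 443)
    # After the mapping expires, the old public port no longer leads inside.
    nat.expire("tcp", "10.0.2.15", 51000)
    seen["after_expiry"] = nat.inbound("tcp", 40000)
    return seen


def pool_exhausted():
    """A one-port pool cannot serve a second internal connection."""
    nat = NatGateway("203.0.113.10", pool_size=1)
    nat.outbound("udp", "10.0.2.15", 5353)
    try:
        nat.outbound("udp", "10.0.2.16", 5353)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("pool exhausted:", pool_exhausted())
```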
2.3 Network Monitoring
Network monitoring means consistently monitoring a computer network for failures and
deficiencies using a specialized management software tool. Network monitoring tools detect
and report failures such as failing computer components, network devices and
client systems, and low server performance, in the network of an organization or a large
corporation. (Manageengine, 2020)
Figure 6 Network Monitoring Tool
2.3.1 Benefits of Network Monitoring
Visibility of the network
Network monitoring makes it possible to identify the data that flows through the network and the
performance of the network, while also tracking each connected computer and testing standard
measures of performance. The company's monitoring tool should have thorough monitoring features
that leave no component of the network uncovered. This way, performance-related issues cannot hide
anywhere on the system.
Detecting use of the bandwidth
Bandwidth use is one of the most essential aspects for a network administrator analyzing the
performance and benchmarks of the network. Ideally, the organization wants to use as much
bandwidth as possible while guaranteeing that every employee operates effectively. A network
monitoring solution will monitor the use of bandwidth, notify the organization when bandwidth use
reaches critical levels, and help maintain reliability.
Inventory conversion to the facilities
Network monitoring tools provide a global perspective on how the infrastructure has been
performing over time. Analyzing these patterns lets you decide whether your existing technology
can grow to meet the requirements of the company or
whether you need to adopt new technologies.
(Hein, 2019)
Activity 3
Policy Document
The policy document is a written document that sets out the ways of protecting the
organization from threats and malicious attacks. It also covers I.T assets and
resources. The organization maintains this document to make sure that it can withstand upcoming
risks. An effective security policy document defines the rules and procedures to be followed
by the employees of the organization and is kept up to date with the policies the organization
has implemented. (Ahmed, 2019)
Information Security
Information security is the ongoing practice of protecting confidential and
sensitive data from disclosure, alteration, modification, misuse, or disruption
while it is stored or being forwarded from one computer to another.
Information security rests on three main principles which the organization has adopted,
known as CIA (Confidentiality, Integrity, Availability).
Confidentiality
Confidentiality is based on preventing access by any unauthorized entities.
Integrity
Integrity means that data is modified and updated only by those given authority, in the standard manner.
Availability
Availability makes sure that authorized personnel get access to the given system. (Tunggal, 2020)
3.1 Risk Assessment Procedures
Risk evaluation should determine how and why risks occur and how they harm those affected.
This knowledge is needed to decide how to handle such risks, so that
decisions are made in an informed, reasonable, and organized manner and the actions
taken are proportionate to the situation. A close analysis of what could cause unnecessary harm in
the organization also supports the assessment of any safeguards already in place
and of whether more preventive steps are appropriate. The risk management procedure is determined by
the nature of the evaluation, the value of the research, the development of support, and the laws and
rules of the procedures. (Britsafe, 2020)
The Risk Management procedure consists of 5 steps.
Step 1: Identifying the Risk
Look at the workplace to see what procedures or practices may be detrimental to the
organization. Include all aspects of employment, including remote staff and non-routine duties such as
restoration and maintenance. You can also look at accident and incident records to see what
risks have affected the company in the past. A risk is a key cause of harm or a circumstance which
may cause damage to the organization, for example: natural disasters such as floods, hurricanes,
earthquakes and fire; a failed Internet connection; a power interruption; workplace accidents.
Step 2: Evaluate what might be affected, and how
Look at the organization and consider how marketing statistics or external influences could affect
your employees. For each danger found in step one, consider who would be affected should that
danger arise.
Step 3: Properly evaluate the risk and take the necessary precautions
Once a list of possible risks has been compiled, you need to know how likely each risk is to
arise and how severe the effects would be if it happens. This assessment will help you
determine the extent to which each danger should be minimized and which risks you must address
immediately.
Step 4: Record of determination
Determination of who will be impacted
Apparent dangers managed and tackled
Safety measures implemented to keep risks low
Workers kept involved throughout the phase
Step 5: Review the evaluation and update it where and when appropriate
The risk assessment must be checked periodically and given priority. If more change is
necessary, the review will help to determine whether action has been taken and, if so,
how much progress has been achieved. The Risk Assessment Chart contains a field for the report
date. The report date is the day on which the risks are to be looked at again and controlled in the next step.
3.1.1 Risk Assessment Plan
Risk Assessment Plan
EMC Cloud Solutions
Purpose: Identify the risks faced by the EMC Cloud Solutions and identify solutions to overcome it.
Organization: EMC Cloud Solutions
Completed by:
Date:
Risk 01: Equipment Failures
Description about the risk: Some of the equipment is inevitably damaged
How the risk is currently managed: Managing the units with the older equipment
Comment/concerns: The organization may be financially impacted
Risk calculation:
Step to minimize the risk: Establishing a maintenance schedule
Responsible person: I.T Department
Risk 02: Server breaks down
Description about the risk: The impact of server downtime causing lower productivity of the organization
How the risk is currently managed: By the backups that were taken predicting such event
Comment/concerns: Losing opportunities and causing fewer customers to lose interest while providing services
Risk calculation:
Step to minimize the risk: Having networking monitoring tools and always being cautious of the devices that works on process,
Responsible person: Network Administrator
Risk 03: Data Loss
Description about the risk: Data loss is a major hassle that interferes with the daily functioning of any information-based organization, and data loss is unrecoverable
How the risk is currently managed: Measures taken by the maintenance of disk and antivirus guards.
Comment/concerns: Depending only on one recovery method is not applicable.
Risk calculation:
Step to minimize the risk: Backing up all the data is the most effective protective step against data loss.
Responsible person: Network Administrator
Risk 04: System failure
Description about the risk: By a vital piece of equipment fails and interrupts important activities, the reputation of the EMC organization will also go down.
How the risk is currently managed: By maintaining the network with IT security experts. A secondary pc using the current activities.
Comment/concerns: Equipment failures or a serious software problem, a system failure may occur, causing the system to stop its activities
Risk calculation:
Step to minimize the risk: Identifying its daily performance and upgrading its hardware equipment
Responsible person: I.T Department
Risk 05: No proper decision-making board
Description about the risk: Willingness to overestimate the actual comprehension or decision
How the risk is currently managed: Overconfidence of how the process could end up before even making a valid decision by the management
Comment/concerns: Misidentifying the problem of the based activity without the proper communication
Risk calculation:
Step to minimize the risk: Reviewing the decisions & its consequences, Gathering appropriate data by setting up a management meeting
Responsible person: Management
Risk 06: Natural disaster
Description about the risk: Storm, Fire, Flood
How the risk is currently managed: Shortage of equipment used to identify the following events.
Comment/concerns: The vulnerability of the equipment in EMC organization is being affected by losing its services and data
Risk calculation:
Step to minimize the risk: Floors equipped with emergency conductors, emergency exits, Fire extinguishers.
Responsible person: Management
3.2 Data Protection
Data security is the mechanism by which sensitive information is shielded from theft, misuse, or failure. Data security is becoming more relevant as the bulk of data generated and processed continues to expand at exponential rates. There is also little allowance for interruption, which may make access to sensitive information difficult. Data storage tools used for data protection include disk or backup systems that copy specified details to a disk-based storage array or a tape cartridge system so that the data is kept safer. Replication may be used to create an identical copy of a website or data that is available from more than one location.
The data protection policies and procedures for EMC Cloud should be developed to suit the company's particular business. Clients may need to specify the documentation policies and procedures. (Techopedia, Data Protection, 2020)
Data held by EMC Cloud Organization should be:
• Accurate and kept up to date.
• Handled according to the privileges of the data.
• Protected against unauthorized entry, unintentional failure, or damage.
• Procured for a defined and valid purpose, and never handled in any way inconsistent with that intent.
ISO 31000
ISO 31000 is an international standard published in 2009 which sets out standards and recommendations for risk management. It describes a standardized risk management strategy that can be applied to various risks (economic, safety, project risks) and used by any type of company. The framework offers a common language and approach to the discussion of risk management principles.
Utilizing ISO 31000 helps companies to improve the likelihood of achieving targets, enhance the recognition of opportunities and risks, and efficiently assign and leverage risk management services. Companies can use it to relate their risk management strategies to a globally accepted framework that offers clear guidelines for proactive management and organizational strategy.
The ISO 31000 framework has the following major segments:
Policy and Governance: Sets the guidelines and shows the organization's commitment.
Program Design: The layout of the system for the ongoing management of risk.
Implementation: Enforcing the framework and system of managing risk.
Monitoring and Review: Supervision of the structure and performance of the management platform.
Continual Improvement: Effective modifications to the overall management system.
(Peterson, 2019)
Data Protection Act 1998
It is legislation constructed in 1984 and reviewed in 1998 to protect individuals from incidents such as theft of their data or any mistreatment of it. Everyone involved with data control has a variety of roles and must comply with the standards of data security:
• Information should be reasonably and legally handled for defined legitimate purposes.
• Personal data should be processed
• Without sufficient security, personal data should not be moved beyond the European economic region.
• Personal data should be kept secret.
• Personal information must be handled reasonably and legally.
• Sensitive data should be appropriate, important, and not unnecessary.
• Personal data should be kept up to date and accurate.
• The collection of personal data must comply with the rights of individuals.
Since EMC is a service provider, this process is extremely important for its stability and also for customer satisfaction, which will be the key point of loyalty.
(pro, 2020)
Some advantages of EMC organization for customers
Legal Compliance: Ensures that the organization meets all the conditions defined by the law, which aims to prevent arbitration and constitutional concerns.
Customer Security: Showing legal rights and regulations so that the customer trusts the company; following up in this manner gradually builds the customer's confidence.
Business Management: Better management of the company will lead to better business activities.
3.3 IT Security and Organizational Policy
IT Security and Organizational Policy helps to maintain operational efficiency by specifying the rules and procedures for all persons who manage and use an organization's IT assets and services according to the given policy. Establishing an effective security policy and implementing measures to ensure compliance with it is a critical element in preventing and minimizing security flaws. Regardless of circumstances, applications, all data types, other technology resources, and technology users in an enterprise should be protected. (paloalto, 2020)
Policies can be categorized into many segments. These are some policies an organization implements according to its rules and regulations:
• Equal Opportunity Policies
Laws and rules are applied equally and fairly to everyone, and everyone acts according to them.
• Attendance and Time Off Policies
The attendance policy sets rules and guidelines for employees' compliance with the organization's work schedules.
• Policy for user accounts and passwords
Helps to keep accounts and passwords updated and secure, and to maintain the user information.
• Access of the system
Defines who can access the system and the extent to which each person can browse through it.
• Software Policy
Installation of software into the system can be restricted so that users continue their work with the software provided by the organization.
Activity 4
4.1 Security Policy for EMC Cloud Solutions
1.0 Purpose
Set out industry standards and approval protocols for the use of cloud technologies that EMC uses to make it easier for EMC data to be processed, exchanged, stored, and protected.
2.0 Scope
This policy applies to EMC workers, consultants, and vendors, and also to other people, such as professional experts from EMC.
3.0 Objective
The key goals are to minimize the use of knowledge by the various departments & organization
4.0 Policy Statement
4.1 Access to the EMC Center
All EMC organization staff will need access, which should be protected by the following policies.
• Every employee of EMC should wear the ID that is given for access privileges within the company.
• Visitors and clients should wear a separate ID given by the EMC organization.
• While visiting the EMC facility, a customer or client should act according to the given guidelines.
4.2 Equipment in the EMC
• All equipment used in the EMC should be authorized by its management.
• Where possible, appliances in use should be installed in sites with restricted access.
• Any equipment damage or theft of appliances should be reported to the Information Security Officer.
• Equipment holding sensitive data of the EMC organization should have that data altered or destroyed when the equipment is disposed of.
4.3 Outsourcing
• Careful inspections should be carried out to assess the performance of the service provider before and after the introduction of the outsourced process.
4.4 Password Control Unit
• Every system of EMC should be secured with a well-maintained password.
• Passwords should contain at least 3 capital letters and 4 numbers when they are created.
• Every user of the EMC organization should have an individual identity to identify which user is logged in to the system.
• An exposed user password should be changed immediately or reported to the IT admin of the organization.
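The rules in 4.4 can be checked at the moment a password is set. The following Python sketch is an added example and not part of the original report; the exposed-password list, the login names, and the people shown are constructed assumptions.

```python
import hashlib

MIN_CAPITALS = 3  # section 4.4: at least 3 capital letters
MIN_NUMBERS = 4   # section 4.4: at least 4 numbers


def fingerprint(password):
    """SHA-256 of a password, used only to match against the exposed list."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(password, exposed_fingerprints=()):
    """Return every 4.4 rule the candidate breaks (empty list = accepted)."""
    problems = []
    capitals = sum(1 for ch in password if ch.isupper())
    numbers = sum(1 for ch in password if ch.isascii() and ch.isdigit())
    if capitals < MIN_CAPITALS:
        problems.append(f"capital letters: {capitals} of {MIN_CAPITALS}")
    if numbers < MIN_NUMBERS:
        problems.append(f"numbers: {numbers} of {MIN_NUMBERS}")
    # An exposed password must be changed, so it cannot be chosen again.
    if fingerprint(password) in set(exposed_fingerprints):
        problems.append("password is on the exposed list")
    return problems


def shared_identities(assignments):
    """Map each login used by more than one person to the sorted people."""
    people_by_login = {}
    for login, person in assignments:
        people_by_login.setdefault(login, set()).add(person)
    return {login: sorted(people)
            for login, people in people_by_login.items() if len(people) > 1}


# Constructed sample data, not taken from the report.
EXPOSED = [fingerprint("EMCcloud2020")]
ASSIGNMENTS = [("n.perera", "Nimal Perera"), ("dcadmin", "Kamal Silva"),
               ("dcadmin", "Ruwan Fernando")]

if __name__ == "__main__":
    for pw in ("Colombo1", "KANdy4471", "EMCcloud2020"):
        print(pw, "->", check_new_password(pw, EXPOSED) or "accepted")
    print("shared logins:", shared_identities(ASSIGNMENTS))
```

The composition rule alone accepts "EMCcloud2020"; only the exposed-list check rejects it, which is why the fourth rule in 4.4 needs its own control.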
Responsibilities
Every EMC Cloud Solutions stakeholder must adopt these guidelines and policies.
4.2.1 Disaster Recovery Plan for EMC Cloud Solutions
SYSTEM: EMC Cloud Solutions network system
OVERVIEW: EMC Cloud Solutions has been identified as the most secured cloud solution network in the region, and around 500 of its consumers have the finest services and infrastructure with SaaS, PaaS, and IaaS. ESOFT Metro Campus Network, SME Bank Sri Lanka, and WEEFM are its most valuable firms. EMC's head office is situated at Bambalapitiya, Colombo.
PRODUCTION SERVER: Features of the above mentioned / Specification
KEY CONTACTS:
• Hardware Vendor
• System Owners
• Database Owner
• Application Owners
• Software Vendors
• Offsite Storage
BACKUP STRATEGY FOR SYSTEM ONE:
DISASTER RECOVERY PROCEDURE
Scenario 1: Lightning
There is a chance of severe storms and lightning when Colombo experiences heavy rainfall. Since EMC is a structured building, lightning is much more liable to strike it.
Methods to cut down the risks:
• A UPS should be provided in case the facility does not have power
• Consistent maintenance of the electrical systems
Scenario 2: Flood
With just a few feet of water, destructive flooding can occur, or it may cover the building levels.
Methods to cut down the risks:
• Implementing flood barriers
• Installing sustainable drainage
• Coastal defense walls
Scenario 3: Fire
The extent of exposure of an organization to a fire is highly likely to have a substantial effect.
Methods to cut down the risks:
• Implementing smoke detectors
• Installing a fire alarm
• Installing sprinklers
• Equipping every department with fire extinguishers
• Emergency exits
• Fire escapes
Scenario 4: Tsunami
The impact of a tsunami on the coast can vary from unnoticed to destructive. The impact of a tsunami varies according to the type of event that caused it; therefore, it could harm the entire organization.
Methods to cut down the risks:
• Installing direct warning equipment from the government who works close by the sea
Scenario 5: Virus attacks
The Internet could pose a high threat to EMC Cloud Solutions, costing the organization millions if the archive does not have mechanisms to defend itself from virus code.
Methods to cut down the risks:
• Installing real-time anti-spyware protection
• Performing daily scans
• Deploying DNS protection
• Keeping the system software and operating system updated
4.3 IT Security Audit
A security audit is a high-level overview of the various ways in which organizations can review and analyze the security of their network, including cybersecurity. An IT security audit enables us to discover flaws in the implemented system. In order to get the best results for the business goal, we can use more than one form of IT security audit. (Varghese, 2020)
A few basic advantages of running security audits:
• Verify that the company adheres to legislation.
• Make sure the safety training activities pass the change from one to one.
• Ensure that the new security plan is sufficient for the system.
• Reduce costs by closing down or refurbishing hardware equipment and applications while processing the audit.
Types of Security Audits
One-time assessment: This is often seen on special occasions such as the launch of new business software.
Tollgate assessment: A tollgate determines whether a new usage method is a yes or a no.
Portfolio assessment: Scheduled evaluations for verification and assessment of activities.
4.3.1 Impacts on organizational security resulting from an IT audit
In this cyber world, an organization has to face many obstacles, overcome such events, and keep such risks from becoming attacks. The cyber world is taken very seriously when it comes to vulnerabilities, and companies may go to substantial lengths and costs. To prevent cyber-attacks on the organization, it is important to have a successful cybersecurity policy.
Some of the IT audit impacts are given below.
Data Security
The privacy, accessibility, and reliability of the data are reinforced in an IT audit. This guarantees the protection of sensitive data from any form of cyber-attack on the system.
Better Planning and Budgeting
An audit assures the sincerity of the financial reports of an entity by an inspection of its bank assets. It is a comprehensive procedure that can provide an evaluation of some kinds of resources, expenses, and commercial assets.
Business Improvements
The audit report can be used for improving business processes, accounting procedures, efficiency, physical controls, etc. With the given report, it is easier to analyze, improve, or make changes that can help the organization become more successful.
4.3.2 Organizational Stakeholders
An organization operates through its ability to deliver valued commodities and services that produce relevant outcomes for different groups of stakeholders, through what it does and how properly it operates. A stakeholder is a person, group, or organization that is affected by the result of a venture. Stakeholders have an interest in the success of the venture and can be inside or outside the organization that is supporting it. Stakeholders can have a positive or negative impact on the venture. Many individuals are involved in getting a venture from initiation to effective completion. You need to know how to manage each and every one of them, even those who don't work directly under you. One such individual is the venture stakeholder. (Faris, 2018)
There are two types of stakeholders: internal stakeholders and external stakeholders.
Internal Stakeholder
Internal stakeholders are people or individuals that participate in the organization's structures directly or financially.
EMC organization internal stakeholders consist of:
• Management Directors
• Employees
• Internal Auditors
• Investors
• Marketing
• Senior Designers
External Stakeholder
External stakeholders are those that do not have any direct connection to a corporation but are nevertheless influenced by the organization's revenue and performance.
EMC organization external stakeholders consist of:
• Associations
• Government regulators
• Vendors
• Consultants
• Trade unions
Conclusion
According to this analysis, the credibility and privacy of the computer system and its components are guaranteed by IT protection. The preventive actions to remove the weaknesses, threats, and risks that may affect computer systems are clarified in this report.
It has also developed the Risk Management Strategy, Protection Policy, and Disaster Recovery Plan.
Therefore, the conclusion is that EMC Cloud Solutions is now very well secured and trustworthy for its guaranteed services.
References
Ahmed, A. (2019, August 29). How to Write a Policy Document. Retrieved from bizfluent: https://bizfluent.com/how-6630292-write-policy-document.html
Britsafe. (2020). Risk Assessments. Retrieved from britsafe: https://www.britsafe.org/trainingand-learning/find-the-right-course-for-you/informational-resources/risk-assessment/
Direct, S. (2020). Information Security Risk. Retrieved from Science Direct: https://www.sciencedirect.com/topics/computer-science/information-security-risk
Direct, S. (2020). Security Procedure. Retrieved from Science Direct: https://www.sciencedirect.com/topics/computer-science/security-procedure
Faris, S. (2018, June 01). Who Are the Key Stakeholders in an Organization? Retrieved from bizfluent: https://bizfluent.com/info-8397448-key-stakeholders-organization.html
Forcepoint. (2020). What is a Firewall? Retrieved from Forcepoint: https://www.forcepoint.com/cyber-edu/firewall
Forcepoint. (20203). What is a Firewall? Retrieved from Forcepoint: https://www.forcepoint.com/cyber-edu/firewall
Hein, D. (2019, October 15). Benefits of Network Performance Monitoring Solutions. Retrieved from solutionsreview: https://solutionsreview.com/network-monitoring/8-benefits-of-network-performance-monitoring-solutions/
Intellipaat. (2020). IT threats and attacks. Retrieved from Intellipaat: https://intellipaat.com/blog/tutorial/ethical-hacking-cyber-security-tutorial/it-threatsand-attacks/
Manageengine. (2020). What is Network Monitoring? Retrieved from Manageengine: https://www.manageengine.com/network-monitoring/basics-of-networkmonitoring.html
namecheap. (2020). What is a VPN? Retrieved from namecheap: https://www.namecheap.com/vpn/what-is-a-vpn/
Network, D. (2020). Barracuda. Retrieved from DMZ Network: https://www.barracuda.com/glossary/dmz-network
One, C. (2020). What is IT Security? Retrieved from Comodo One: https://one.comodo.com/blog/cyber-security/it-security.php
paloalto. (2020). What is an IT Security Policy? Retrieved from paloalto: https://www.paloaltonetworks.com/cyberpedia/what-is-an-it-security-policy#:~:text=An%20IT%20Security%20Policy%20identifies,organization's%20IT%20assets%20and%20resources.
Peterson, O. (2019, July 24). What Is ISO 31000? Retrieved from process.st: https://www.process.st/iso-31000/
pro, I. (2020). What is the Data Protection Act 1998? Retrieved from IT pro: https://www.itpro.co.uk/data-protection/28085/what-is-the-data-protection-act-1998
Solutions, C. R. (2020). Information Security Risk Assessment and Treatment. Retrieved from Cambridge Risk Solutions: https://www.cambridge-risk.com/information-security-riskassessment-and-treatment/
Techopedia. (2020). Data Protection. Retrieved from Techopedia: https://www.techopedia.com/definition/29406/data-protection
Techopedia. (2020). Static Internet Protocol Address. Retrieved from Techopedia: https://www.techopedia.com/definition/9544/static-internet-protocol-address
Techterms. (2020). NAT Definition. Retrieved from Techterms: https://techterms.com/definition/nat
Touhid58. (2019, July 28). COMMON TYPES OF SECURITY THREATS TO ORGANIZATIONS. Retrieved from cyberthreatportal: https://cyberthreatportal.com/types-of-security-threats-to-organizations/
Tunggal, A. T. (2020, October 02). What is Information Security? Retrieved from Upguard: https://www.upguard.com/blog/information-security
Varghese, J. (2020, March 29). What is an IT Security Audit and How to Do It? Retrieved from getastra: https://www.getastra.com/blog/security-audit/it-security-audit/
Watts, S. (2020, 13 05). IT Security Vulnerability vs Threat vs Risk: What are the Differences? Retrieved from bmc blogs: https://www.bmc.com/blogs/security-vulnerability-vs-threatvs-risk-whats-difference/