Higher Nationals
Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title: BTEC Higher National Diploma in Computing
Assessor: Shanaka ushanka
Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: EMC Cyber
Student’s name: Rangika de silva
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction

INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student (give details):
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Does the assessment decision need amending? Y/N
Assessor signature / Date
Internal Verifier signature / Date
Programme Leader signature (if required) / Date

Rangika de silva security assignment 1

Confirm action completed
Remedial action taken (give details):
Assessor signature / Date
Internal Verifier signature / Date
Programme Leader signature (if required) / Date

Higher Nationals - Summative Assignment Feedback Form

Student Name/ID: Rangika de silva
Unit Title: Unit 05: Security
Assignment Number: 1
Assessor: Shanaka ushanka
Submission Date / Date Received 1st submission: 2022/06/25
Re-submission Date / Date Received 2nd submission:

Assessor Feedback:
LO1. Assess risks to IT security. Pass, Merit & Distinction Descriptors: P1 P2 M1 D1
LO2. Describe IT security solutions. Pass, Merit & Distinction Descriptors: P3 P4 M2 D1
LO3. Review mechanisms to control organisational IT security. Pass, Merit & Distinction Descriptors: P5 P6 M3 M4 D2
LO4. Manage organisational security. Pass, Merit & Distinction Descriptors: P7 P8 M5 D3

Grade: / Assessor Signature: / Date:
Resubmission Feedback:
Grade: / Assessor Signature: / Date:
Internal Verifier’s Comments:
Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have been agreed at the assessment board.

Pearson Higher Nationals in Computing
Unit 5: Security

General Guidelines

1. A cover page or title page: you should always attach a title page to your assignment. Use the previous page as your cover sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom, right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and should be in the style of Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use the footer function in the word processor to insert Your Name, Subject, Assignment No, and Page Number on each page. This is useful if individual sheets become detached for any reason.
5. Use the word processing application's spell check and grammar check function to help edit your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory information, e.g. figures, tables of comparison etc. Adding text boxes in the body except for the before mentioned compulsory information will result in rejection of your work.
2. Carefully check the hand in date and the instructions given in the assignment. Late submissions will not be accepted.
3. Ensure that you give yourself enough time to complete the assignment by the due date.
4. Excuses of any nature will not be accepted for failure to hand in the work on time.
5. You must take responsibility for managing your own time effectively.
6. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing) for an extension.
7. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
8. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete an alternative assignment.
9. If you use other people’s work or ideas in your assignment, reference them properly using the HARVARD referencing system to avoid plagiarism. You have to provide both in-text citation and a reference list.
10. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to a REFERRAL or at worst you could be expelled from the course.

Student Declaration

I hereby declare that I know what plagiarism entails, namely to use another’s work and to present it as my own without attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarize or copy another’s work in any of the assignments for this programme.
4. I declare therefore that all work presented by me for every aspect of my programme will be my own, and where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding agreement between myself and Pearson UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the main submission.

Student’s Signature (Provide E-mail ID): Rangikapathmal135@gmail.com
Date (Provide Submission Date): 2022/06/25

Assignment Brief

Student Name / ID Number: Rangika de silva
Unit Number and Title: Unit 5- Security
Academic Year: 2020/2021
Unit Tutor:
Assignment Title: EMC Cyber
Issue Date: 2022/05/05
Submission Date: 2022/06/24
IV Name & Date:

Submission Format:
The submission should be in the form of an individual written report written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please provide in-text citation and an end list of references using the Harvard referencing system. Section 4.2 of the assignment requires a 15 minute presentation to illustrate the answers.

Unit Learning Outcomes:
LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organisational IT security.
LO4 Manage organisational security.

Assignment Brief and Guidance:

Scenario

‘EMC Cyber’ is a reputed cyber security company based in Colombo, Sri Lanka that is delivering security products and services across the entire information technology infrastructure. The company has a number of clients both in Sri Lanka and abroad, which includes some of the top-level companies of the world serving in a multitude of industries. The company develops cyber security software including firewalls, anti-virus, intrusion detection and protection, and endpoint security. EMC Cyber is tasked with protecting companies’ networks, clouds, web applications and emails.
They also offer advanced threat protection, secure unified access, and endpoint security. Further, they also play the role of consulting clients on security threats and how to solve them. Additionally, the company follows different risk management standards depending on the company, with ISO 31000 being the most prominent.

One of the clients of EMC Cyber, Lockhead Aerospace manufacturing, which is a reputed aircraft manufacturer based in the US, has tasked the company to investigate the security implications of developing IOT based automation applications in their manufacturing process. The client has requested EMC to further audit security risks of implementing web based IOT applications in their manufacturing process and to propose solutions. Further, Lockhead uses ISO standards and has instructed EMC to use the ISO risk management standards when proposing the solution.

The director of the company understands such a system would be the target for cyber-attacks. As you are following a BTEC course which includes a unit in security, the director has asked you to investigate and report on potential cyber security threats to their web site, applications and infrastructure. After the investigation you need to plan a solution and how to implement it according to standard software engineering principles.

Activity 01

Assuming the role of External Security Analyst, you need to compile a report focusing on the following elements to the board of EMC Cyber:

1.1 Identify the CIA Triad concept and evaluate why and how the CIA Triad could be utilized in EMC Cyber in order to improve the organization’s security.
1.2 Identify types of security risks EMC Cyber is subject to in its present setup and the impact that they would make on the business itself. Evaluate at least three physical and virtual security risks identified and suggest the security measures that can be implemented in order to improve the organization’s security.
1.3 Develop and describe security procedures for EMC Cyber to minimize the impact of issues discussed in section (1.1) by assessing and rectifying the risks.

Activity 02

2.1 Identify how EMC Cyber and its clients will be impacted by improper/incorrect configurations that are applicable to firewalls and VPN solutions. IT security can include a network monitoring system. Discuss how EMC Cyber can benefit by implementing a network monitoring system with supporting reasons.
2.2 Explain how the following technologies would benefit EMC Cyber and its clients by facilitating a ‘trusted network’. (Support your answer with suitable examples.)
i) DMZ
ii) Static IP
iii) NAT
2.3 Identify and evaluate the tools that can be utilized by EMC Cyber to improve the network and security performance without compromising each other. Evaluate at least three virtual and physical security measures that can be implemented by EMC to uphold the integrity of the organization’s IT policy.

Activity 03

3.1 Discuss suitable risk assessment integrated enterprise risk management procedures for EMC Cyber solutions and the impact an IT security audit will have on safeguarding the organization and its clients. Furthermore, your discussion should include how IT security can be aligned with an organizational IT policy and how misalignment of such a policy can impact the organization’s security. (This can include one or more of the following: network change management, audit control, business continuance/disaster recovery plans, potential loss of data/business, intellectual property, Data Protection Act; Computer Misuse Act; ISO 31000 standards.)
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solutions provided by EMC Cyber. You should also summarize the ISO 31000 risk management methodology.
Activity 04

4.1 Design an organizational security policy for EMC Cyber to minimize exploitations and misuses while evaluating the suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cyber according to ISO/IEC 17799:2005 or a similar standard, which should include the main components of an organizational disaster recovery plan with justifications. Discuss how critical the roles of the stakeholders in the organization are to successfully implement the security policy and the disaster recovery plan you recommended as a part of the security audit. (Students should produce a 15 minute PowerPoint presentation which illustrates the answer for this section including justifications and reasons for decisions and options used.)

Grading Rubric

Columns: Grading Criteria | Achieved | Feedback

LO1 Assess risks to IT security
P1 Identify types of security risks to organisations.
P2 Describe organizational security procedures.
M1 Propose a method to assess and treat IT security risks.

LO2 Describe IT security solutions
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.
M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
D1 Evaluate a minimum of three physical and virtual security measures that can be employed to ensure the integrity of organisational IT security.

LO3 Review mechanisms to control organisational IT Security
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organisation.
M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.
D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4 Manage organizational security
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organisational policy.

Contents

Activity 1
Identify the CIA Triad concept and evaluate why and how the CIA Triad could be utilized in EMC Cyber to improve the organization’s security
Introduction to security
Attacks on security
What is the CIA Triad?
Key security concepts
Confidentiality
Integrity
Availability
Achieving security
When should you use the CIA Triad?
Identification of security risks EMC Cyber will face
List of security risks
Computer worms
Types of computer worms
Risk management and risk assessment
Organizational security
Protection mechanism
Backup/Restoration of data
Audits
Audit logs
IT audits
Testing procedure
Networks can be tested in a number of ways

Activity 2
Describe IT security solution
Network security infrastructure
Network address infrastructure
Network address translation is categorized into the following general types
DMZ (Demilitarized zone)
Firewalls
Host based firewall
Network-based firewall
Network performance
Data security solution
Data center security solution
A number of different risks can affect a data center. A few examples include
Replica data center
Secure transport protocols
Secure sockets layer (SSL)
Secure socket shell (SSH)
Tor
3 relays

Activity 3
Review mechanism to control organizational IT security
Risk assessment
Network change management
Network configuration management
IT audit
Business continuity planning
Disaster recovery
Data protection process
ISO 31000 risk management process
Biometrics
IT security policy
Organizational security policy

Activity 4
Manage organizational security
Security policy
Security standards
Security procedures
System access policy
Physical access policy
Physical and environmental policy
Human resources security policy
Access control
What is a disaster recovery plan (DRP)?
What are the roles of stakeholders in the organization in implementing security audit recommendations?
What are stakeholders?
Discuss the role of stakeholders in the organization to implement security audit recommendations

References

Activity 1

Identify the CIA Triad concept and evaluate why and how the CIA Triad could be utilized in EMC Cyber to improve the organization’s security

Introduction to security

The state of being safe and secure is described as the absence of danger or threat. The practice of preventing unauthorized access, use, disclosure, disruption, alteration, inspection, recording, or destruction of information is characterized as information security. As you can see from that definition, we confront a variety of threats. It’s about far more than keeping someone from stealing something.

Attacks on security

Any activity that jeopardizes the security of an organization’s data is referred to as an attack. At the highest level, these attacks can be divided into two categories: passive and active attacks.

Passive attack

The passive attack is the first sort of attack. A passive attack can monitor, observe, or make use of the system’s data for specific functions; however, it has no effect on the system’s resources, and the data remains unaffected. Because passive attacks are carried out in stealth, it is difficult for the victim to notice them. The goal of a passive attack is to obtain data or to search the network for open ports and vulnerabilities (Bhattacharya, 2021).

For example, passive attacks include eavesdropping or monitoring of networks and communications. Eavesdropping means listening in on communications and transmissions. For example, we could use a network monitoring tool to look at the information that is transmitted via a Wi-Fi router. If we were to listen in and record a telephone conversation (and also possibly release that to the public), that would be an example of a passive attack.

Figure 1: Passive attack

Active attack

An active attack is a network exploit in which the attackers modify or alter the content and cause a system’s resources to be impacted. The victims will suffer harm as a result of it. The attackers can use a passive attack to gather information before launching a more aggressive strike. The attackers try to break into the system and force it to lock. The victims might be alerted by the ongoing onslaught. Their integrity and accessibility may be jeopardized as a result of such an attack. A forceful attack is more difficult to execute than a quiet attack (Bhattacharya, 2021).

For example, active attacks include masquerading, replaying, modification, and denial of service.

Figure 2: Active attacks

What is the CIA Triad?

Confidentiality, integrity, and availability are the three letters in the “CIA Triad”. The CIA Triad is a well-known model that guides the development of security systems. It is employed in the search for vulnerabilities as well as the development of solutions.

The CIA Triad separates the three notions of confidentiality, integrity, and availability of information, which are all critical to the running of a corporation. This distinction is useful because it aids security teams in determining the many approaches that can be taken to address each concern. When all three standards are reached, the organization’s security profile is stronger and better suited to address threat occurrences.

Key security concepts

Confidentiality

The efforts of an organization to keep data secret or private are referred to as confidentiality. Access to information must be regulated in order to prevent data sharing that is not authorized, whether intentional or accidental.
Making sure that anyone without legal authorization cannot access assets critical to your organization is a vital part of protecting confidentiality. An effective system, on the other hand, guarantees that those who require access have the required permission.

Those who work with an organization’s finances, for example, should have access to spreadsheets, bank accounts, and other financial information. However, the great majority of other employees, including maybe certain executives, may be denied access. To guarantee that these policies are followed, tight limits on who can see what must be implemented.

There are various ways to undermine confidentiality. This could include direct attacks aimed at getting access to systems that the attackers have no access to. It could also involve an attacker attempting to directly infiltrate a program or database in order to steal or change data.

However, not all breaches of confidentiality are done on purpose. Human error or a lack of security safeguards could also be to blame. Someone might, for example, forget to secure their password when logging in to a workstation or a location. Users can share their login credentials with others or allow others to see their login as they are entering it. In other cases, a user may fail to encrypt a conversation successfully, allowing an attacker to intercept their data. A burglar could also steal hardware, such as a computer or a device involved in the login process, and use it to get access to confidential data.

For example, you’ll be asked for a password when you first log in. If you haven’t logged in for a while, you could be prompted to enter a code that was emailed to you or another type of two-factor authentication. (author n., What is the CIA Triad? Definition and Examples, 2021)

Integrity

Integrity refers to ensuring that your data is accurate and unaltered. Only original, accurate and dependable data maintains the integrity of your data.
If your organization posts information about top executives on its website, for example, that information must be accurate. If it is incorrect, visitors to your website who are looking for information may believe your company is untrustworthy. Someone with a vested interest in hurting your company’s reputation might try to hack your website and change the descriptions, pictures, or titles of the executives to harm their own or the company’s overall reputation.

Integrity is frequently compromised on purpose. To mask the attack, an attacker could circumvent an intrusion detection system (IDS), change file configuration to allow unauthorized access, or manipulate the system’s log. Integrity can also be harmed by accident. Someone may inadvertently enter the incorrect code or make another careless error. Furthermore, if the company’s security policies, controls, and procedures are insufficient, integrity might be compromised without anyone in the organization being held responsible.

For example, data integrity is ensured by ensuring that your purchases are represented in your account and allowing you to contact a representative if a discrepancy arises. (author n., What is the CIA Triad? Definition and Examples, 2021)

Availability

Even if data is kept secure and its integrity is maintained, it is often useless unless it is accessible to employees and consumers. This means that systems, networks, and applications must function properly and at the appropriate times. Also, individuals with access to specific information must be able to consume it when they need to, and getting to the data should not take an inordinate amount of time.

If there is a power outage and no disaster recovery strategy in place to enable users to restore access to vital systems, for example, availability will be jeopardized.
Furthermore, a natural disaster such as a flood or even a severe winter may prevent users from going to work, causing workstations and other devices that offer business-critical information or apps to become unavailable. Deliberate acts of sabotage, such as the deployment of denial-of-service (DoS) attacks or ransomware, can also compromise availability.

Organizations can utilize redundant networks, servers, and applications to assure availability. When the primary system is disrupted or broken, these can be designed to become available. You may also improve availability by staying on top of software and security system upgrades. This reduces the chances of an application malfunctioning or a relatively new danger infiltrating your system. Backups and comprehensive disaster recovery plans also aid a company’s recovery from a negative incident.

For example, you can access your account at any time, and you may even contact customer service at any hour of the day and night. (author n., What is the CIA Triad? Definition and Examples, 2021)

Achieving security

In order to accomplish security, we might adopt a variety of different ways.

Encryption

Encryption is the conversion of plain text communications or data into encrypted text. This is accomplished by encrypting data with a key and a password. The mathematical formula that is utilized to convert data into ciphertext is known as an encryption algorithm.

Types of encryption

There are two types of encryption:
• symmetric encryption
• asymmetric encryption

Figure 3: Types of encryption

Symmetric encryption

There is just one key with symmetric encryption, and all parties involved use the same key to encrypt and decrypt data. The method is simple when you use a single key, as in the following example: you encrypt an email with a unique key, send it to your friend Tom, and he will unlock/decrypt it using the same symmetric key.
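
The shared-key exchange described above (encrypting an email and sending it to Tom), as an added example that is not part of the original assignment, written in Go with AES-256-GCM from the standard library. The choice of AES-GCM, the function names and the sample email are assumptions made for illustration; the assignment does not name an algorithm. The example goes slightly beyond the paragraph by also showing that a different key and a modified message are both rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleEmail is a constructed message, not taken from the assignment.
const SampleEmail = "Constructed sample: firewall audit notes for Tom."

// NewSharedKey returns a random 256-bit key that sender and receiver both hold.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newAEAD builds AES-GCM, which encrypts and also authenticates a message.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag, with a fresh nonce per message.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails when the key is wrong or when any byte
// of the sealed message was changed in transit.
func Decrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, nil)
}

// DemoResult records what each party could do with the sealed email.
type DemoResult struct {
	TomPlaintext   string // Tom decrypts with the shared key
	WrongKeyFailed bool   // a party holding a different key is rejected
	TamperDetected bool   // a modified message is rejected
}

// RunDemo plays the exchange: the sender encrypts, Tom decrypts, a different
// key fails, and a one-bit change to the message is detected.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	shared, err := NewSharedKey()
	if err != nil {
		return r, err
	}
	sealed, err := Encrypt(shared, []byte(SampleEmail))
	if err != nil {
		return r, err
	}
	plain, err := Decrypt(shared, sealed)
	if err != nil {
		return r, err
	}
	r.TomPlaintext = string(plain)
	otherKey, err := NewSharedKey()
	if err != nil {
		return r, err
	}
	_, err = Decrypt(otherKey, sealed)
	r.WrongKeyFailed = err != nil
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(shared, tampered)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := RunDemo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Because both parties depend on the same secret, anyone who obtains the key can read and forge messages, which is why the key itself must be delivered over a channel that is already trusted.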
Asymmetric encryption

Asymmetric encryption, on the other hand, was developed to address symmetric encryption’s intrinsic flaw: the necessity to share a single encryption key that may be used to encrypt and decrypt data.

Figure 4 encryption

Digital signature

Users can digitally sign electronic documents and communications in the same way that they can sign conventional documents like letters. E-commerce, software distribution, financial transactions, and other circumstances that rely on forgery or tampering detection techniques use digital signatures. An electronic signature is also known as a digital signature.

Access control

Access control is a method of restricting who has access to a system or certain physical or virtual resources. Access control is a procedure in which users are provided access to the system, resources, or information, as well as specific privileges. The most basic technique of access control is to employ a username and password to ensure that only authorized users have access to the system.

When should you use the CIA Triad?

The CIA triad should be used in the majority of security scenarios because each component is crucial. It is very useful when establishing a data classification system and controlling permissions and access privileges. When dealing with your company’s cyber vulnerabilities, you should strictly follow the CIA triad. It has the potential to be a formidable tool in disrupting the cyber kill chain, which is the process of identifying, targeting, and executing a cyberattack.

Identification of security risks EMC Cyber will face

Risks in a corporation are the dark scenarios that are likely to occur in the near future. Essentially, risk is defined as the external and internal vulnerabilities that have a negative impact on the firm. The chance of business damages, increased liabilities, and loss are specific types of risks to a corporation.
When it comes to EMC Cyber, there are a variety of hazards that the organization may face due to a lack of a comprehensive security system.

List of security risks

Although EMC Cyber has several advantages, there are numerous concerns associated with data security. For most people, storing data is safe, but there is always a risk that cannot be avoided. Physical and logical security threats are the two sorts of security threats.

Vulnerability

A flaw in a computer system that can be exploited by a cyber attack to obtain unauthorized access to it or perform unauthorized acts on it. Attackers can exploit vulnerabilities to run code, gain access to a system’s memory, install malware, and steal, destroy, or change sensitive data.

Threats

A security threat is a threat that has the potential to harm computer systems and organizations. There are three main types of threats.

• Natural threats – floods, storms, and tornadoes are examples of natural disasters.
• Unintentional threats – for example, an employee accessing the incorrect data by accident.
• Intentional threats – such as spyware, malware, adware firms, or disgruntled employee acts.

Risk

This is the likelihood that a specific threat will exploit a specific vulnerability.

Countermeasure

An activity or approach used to protect computers, servers, networks, operating systems (OS), or information systems (IS) from potential dangers. Anti-virus software and firewalls are examples of countermeasures.

Threats

Virus – a computer virus is a dangerous piece of software that spreads from one device to another. These self-copying threats, which are a subset of malware, are usually designed to harm a device or steal data. Consider a biological virus that causes you to become ill. It is constantly unpleasant, impairs your ability to operate properly, and frequently necessitates the use of a strong antidote. A computer infection is much the same: it impairs a computer’s working or prevents it from working at all.
They are designed to proliferate indefinitely. A computer virus works in much the same way:

• A computer virus necessitates the use of a host program.
• To transfer from one system to another, a computer virus requires user input.
• A computer virus attaches pieces of its dangerous code to other files or completely replaces data with copies of itself.

How do computer viruses spread?

• You can get a computer virus in a constantly connected environment in a variety of ways, some more visible than others.
• Viruses can be propagated by email and text message attachments, file downloads from the internet, and social media fraud links.

Computer worms

A computer worm is a sort of virus that duplicates itself and transmits itself from one machine to another. A worm may replicate itself without the need for human intervention, and it does not require attachment to a software application to cause harm. (employee, 2019)

Types of computer worms

• Instant messaging worms – sometimes known as IM worms, these spread through instant messaging services and take advantage of the contact lists on the victim’s computer.
• Email worms – typically propagated as malicious executable files attached to seemingly normal email messages.
• Trojan horse – often known as a trojan, this is malicious software that appears to be legitimate yet has the ability to take control of your computer. A trojan is a computer program that is designed to hurt, disrupt, steal, or otherwise harm your data or network.
• Denial of service – the basic goal of a denial-of-service attack is to bring down the targeted network and prevent legitimate users from accessing it. DoS attacks typically fall into 2 categories:
  • Buffer overflow attacks
  • Flood attacks
• Zero-day attacks – these occur on the first day that a vulnerability is discovered.
• Identity theft – an attempt to get access to private information by stealing a user’s login credentials.
Criminal, medical, financial, and child identity theft are all examples of identity theft.

Risk management and risk assessment

• Risk management – the process of detecting, fixing, and preventing security issues is known as risk management.
• Risk assessment – risk assessment is an important aspect of an organization’s risk management strategy since it helps to ensure that its information systems and data are secure.

Risk management – five principles

• Assess risk and determine needs.
• Establish a central management focus.
• Implement appropriate policies and related controls.
• Promote awareness.
• Monitor and evaluate policy and control effectiveness.

Risk analysis

• It is a risk mitigation tool.
• It is a way of finding vulnerabilities and threats and assessing the potential damage in order to determine where security safeguards should be implemented.
• Risk analysis assists businesses in prioritizing their risks and demonstrating to management the appropriate amount of money to spend on mitigating those risks.

Organizational security

An organizational security policy is a set of rules or procedures that a company imposes on its activities in order to secure sensitive information.

Protection mechanism

The next stage is to determine which security procedures are in place and assess their effectiveness. Because a corporation faces so many dangers (not simply computer viruses and attackers), each one must be addressed and planned for separately.

• Access control mechanisms used as security safeguards.
• Fire protection, site construction, power loss, and equipment malfunctions.
• Telecommunication and networking issues.
• Business continuity and disaster recovery.
• When evaluating different forms of countermeasures, it is necessary to examine the greatest qualities as well as various cost scenarios.
• The final product of the study of options should show why the chosen control is the most beneficial to the firm.

Backup/Restoration of data

Backup

The process of producing copies of data or data files to use in the event that the original data or data files are lost or destroyed is referred to as a backup. Second, making copies for historical purposes, such as longitudinal research, statistics, or historical records, or to meet the needs of a data retention policy, is also referred to as a backup. The BAK file extension is used by many applications, especially in the context of Windows, to create backup files. (author n., backup, 2022)

Backup and archive

Backup
• A backup is a duplicate of an organization’s data that the administrator stores for safety reasons.

Archive
• An archive is main data that has been moved to a different location because an organization doesn’t need it right now but may require it in the future.

Types of Backup

Full, differential, and incremental backups are the three most common forms:

• full backup
• differential backup
• incremental backup

Full backup

A full backup is the most comprehensive sort of backup, in which you clone all of the data you’ve chosen. Files, folders, SaaS apps, hard disks, and other items are included. The benefit of a full backup is the speed with which data can be restored. However, because everything is backed up at once, it takes longer than other backup methods.

Advantage – everything is backed up at the same time.
Disadvantage – it takes longer to perform because everything is backed up at once.

Differential backup

A differential backup sits in the middle of a full and an incremental backup. This backup type entails backing up data that has been created or modified since the last full backup.
To put it another way, a full backup is performed first, followed by a backup that includes all changes made to the files and folders.

Advantage – restoring is faster than with incremental backups since just the most recent complete backup and differential are required.
Disadvantage – restoring is slower than with a full backup since it requires both the last full backup and the most recent differential backup.

Incremental backup

A complete backup is the first backup in an incremental backup. Only the modifications made since the previous backup will be saved in subsequent backups. Businesses have more freedom in spinning up these backups as often as they wish, storing only the most recent changes.

Advantage – only data that has changed since the last backup is needed, therefore backup time is reduced.
Disadvantage – when conducting a complete restore, the most recent full backup, as well as any subsequent incremental backups, are required, lengthening the time it takes to restore.

Audits

Auditing is the on-site verification activity of a process or quality system, such as inspection or examination, to guarantee compliance with regulations.
A security audit for IT systems would be a manual or systematic review to ensure that suitable procedures and policies are in place and that personnel are adequately taught how to respond to the various situations that could jeopardize the system’s security.

Audit logs

• system-level events
• system performance
• logon ID
• date and time of each logon attempt
• devices used
• error messages
• security violations

IT audits

• review IT organizational structure
• review IT policies and procedures
• review IT standards
• review IT documentation
• interview the appropriate personnel
• observe the process and employee performance

Testing procedure

Security testing is a sort of software testing that identifies vulnerabilities, hazards, and dangers in a software program and guards against intruder attacks. The goal of security tests is to find any possible flaws and weaknesses in the software system that could lead to a loss of data, revenue, or reputation at the hands of workers or outsiders. (hamilton, 2022)

Networks can be tested in a number of ways:

• Vulnerability scanning – this is accomplished through the use of automated software that scans a system for known vulnerability signatures.
• Security scanning – this entails discovering network and system flaws and then proposing remedies to mitigate these risks. The scanning can be done in two ways: manually and automatically.

Activity 2

Describe IT security solutions

Network security infrastructure

• Network address translation (NAT)
• Demilitarized zone (DMZ)
• Firewalls

Network address translation

Network address translation (NAT) allows private IP networks with unregistered IP addresses to connect to the internet, conserving IP addresses. NAT converts private internal network addresses into legal, globally unique addresses before forwarding packets between the networks it connects.
A single network device, such as a router or firewall, can function as an intermediary between the public and private network spaces via NAT.

The NAT-enabled agent allows you to represent a whole group of networked computers with a single IP address. Many network managers benefit from this technology since it saves time and money when dealing with network IP addresses. Because NAT allows administrators to segregate the private and public address spaces, it aids network administrators in managing the private and public areas of their networks. The address separation refers to NAT’s ability to make a physical device in a private network independent of its IP addresses.

Figure 5 network address translation (NAT)

Network address translation is categorized into the following general types:

• Static NAT – the one-to-one translation of a private IP address to a public IP address is known as static NAT. When a network device inside a private network has to be accessible from the internet, static NAT is useful.
• Dynamic NAT – a private address is mapped to a public IP address from a group of public IP addresses known as a NAT pool. A one-to-one mapping between a private IP address and a public IP address is established through dynamic NAT. The public IP address is selected from the pool of IP addresses defined on the NAT router’s end. The public-to-private mapping may differ depending on the public IP addresses available in the NAT pool.
• PAT (port address translation) – another sort of dynamic NAT is port address translation (PAT), which maps numerous private IP addresses to a single public IP address.
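The three NAT types listed above can be compared in a small translation-table model. This is an added example, not part of the original assignment: the `NatRouter` class, the addresses (private 192.168.1.x, public 203.0.113.x documentation range) and the rule "static first, then the pool, then PAT once the pool is empty" are all assumptions made for illustration.

```python
class NatRouter:
    """Toy translation table covering static NAT, dynamic NAT and PAT.

    Hypothetical model for illustration; real routers choose the NAT type
    per configured rule rather than by the fallback order used here.
    """

    def __init__(self, static_map, pool, pat_ip, first_port=40000):
        self.static = dict(static_map)                 # private IP -> public IP
        self.static_rev = {pub: priv for priv, pub in self.static.items()}
        self.free_pool = list(pool)                    # unleased public IPs
        self.leases = {}                               # private IP -> leased public IP
        self.lease_rev = {}                            # leased public IP -> private IP
        self.pat_ip = pat_ip                           # the single shared public IP
        self.next_port = first_port
        self.pat_out = {}                              # (private IP, port) -> public port
        self.pat_in = {}                               # public port -> (private IP, port)

    def outbound(self, src_ip, src_port):
        """Translate the source of a packet leaving the private network."""
        if src_ip in self.static:                      # static NAT: fixed one-to-one
            return ("static", self.static[src_ip], src_port)
        if src_ip in self.leases:                      # dynamic NAT: existing lease
            return ("dynamic", self.leases[src_ip], src_port)
        if self.free_pool:                             # dynamic NAT: take from pool
            public = self.free_pool.pop(0)
            self.leases[src_ip] = public
            self.lease_rev[public] = src_ip
            return ("dynamic", public, src_port)
        key = (src_ip, src_port)                       # PAT: share one public IP,
        if key not in self.pat_out:                    # tell hosts apart by port
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return ("pat", self.pat_ip, self.pat_out[key])

    def inbound(self, dst_ip, dst_port):
        """Return the private (IP, port) for an arriving packet, or None to drop."""
        if dst_ip in self.static_rev:
            return (self.static_rev[dst_ip], dst_port)
        if dst_ip in self.lease_rev:
            return (self.lease_rev[dst_ip], dst_port)
        if dst_ip == self.pat_ip:
            return self.pat_in.get(dst_port)           # no table entry -> dropped
        return None


def demo():
    """Run constructed traffic through the router and collect the results."""
    router = NatRouter(
        static_map={"192.168.1.10": "203.0.113.10"},   # internal web server
        pool=["203.0.113.20"],                         # NAT pool with one address
        pat_ip="203.0.113.1",
    )
    return {
        "web": router.outbound("192.168.1.10", 443),
        "pc1": router.outbound("192.168.1.21", 51000),
        "pc2": router.outbound("192.168.1.22", 51000),  # pool is now empty
        "pc3": router.outbound("192.168.1.23", 51000),
        "to_web": router.inbound("203.0.113.10", 443),
        "reply_pc3": router.inbound("203.0.113.1", 40001),
        "unsolicited": router.inbound("203.0.113.1", 40002),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The last result is the security-relevant one: a packet sent to the shared PAT address on a port that no internal host opened has no table entry and is dropped, whereas the statically mapped server stays reachable from the internet on any port.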
DMZ (Demilitarized zone)

A DMZ network is a perimeter network that protects an organization’s internal local area network from untrusted traffic and adds an extra degree of security. A DMZ is a subnetwork that connects the public internet to a private network. The purpose of a DMZ is to allow an organization to connect to untrusted networks, such as the internet, while maintaining the security of its private network or LAN. External-facing services and resources, as well as servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, voice over internet protocol (VoIP), and web servers, are often stored in the DMZ.

A secure and intermediate network or path between an organization’s internal network and the external, or non-proprietary, network is provided by a host or network.

Firewalls

A firewall is a system designed to prevent unauthorized access to or from a private network. Unauthorized internet users are prevented from accessing private networks connected to the internet, particularly intranets, using firewalls. Firewalls can be hardware based, software based, or both. Firewalls can also be host-based or network-based. Through the execution of a security policy and connection model based on the least privilege principle and separation of roles, the ultimate goal is to provide controlled interfaces across zones of varying trust levels.

Host-based firewall

A host-based firewall is software that runs on a single computer or device that is connected to a network. These firewalls provide a granular level of protection for individual hosts against viruses and malware, as well as the ability to restrict the propagation of these destructive infections across the network. (author n., 2017)

For example – the Microsoft firewall that comes with a Windows-based computer.

Network-based firewall

A network-based firewall is one that is incorporated into the cloud or network infrastructure (for example, Amazon’s firewall in an AWS environment) or a virtual firewall service such as those provided by Cisco, VMware, and Check Point.

Network performance

The examination and review of collective network information to describe the quality of services delivered by the underlying computer network is known as network performance. It is a qualitative and quantitative procedure that assesses and defines a network’s performance level. It assists a network administrator in reviewing, evaluating, and improving network service. (author N., 2015)

It is tough to maintain network performance, dependability, and connectivity while lowering network latency. As a result, organizations must put in place systems to prevent failures.

• RAID storage
• Dual LANs
• Load balancer

RAID storage

RAID, which stands for redundant array of independent disks, is a storage technology that employs several disks to provide fault tolerance, improve overall performance, and expand storage capacity in a computer system. RAID, in contrast to earlier storage technologies, allows customers to store the same data over several disks, lowering costs and boosting overall performance. Data backup should not be confused with RAID. Despite the fact that various RAID levels provide redundancy, experts recommend using a separate storage device for backup and disaster recovery. (Beal, 1996)

RAID 0

RAID 0 is a common RAID (redundant array of independent disks) level or configuration that handles data via striping instead of mirroring and parity. RAID 0 is typically used to boost the speed of systems that heavily rely on RAID to function. It is also used to combine numerous sets of smaller-capacity physical drives into a few large logical volumes.
Because the configuration accomplishes nothing else, RAID 0 is sometimes known as a striped volume or a striped set. (author n., RAID 0, 2017)

A single file is read from several disks, giving it access to all of their speed and capacity.

Advantage – RAID 0 is extremely fast in both read and write operations. Parity controls do not add any overhead.
Disadvantage – RAID 0 isn’t designed to be fault-tolerant. If one of the drives in the RAID 0 array fails, the entire array’s data is lost. It should not be used in systems that are mission-critical.

RAID 1

Data is written twice, to both the data drive (or collection of data drives) and a mirror drive (or set of drives). If a drive fails, the controller utilizes the data drive or the mirror drive to retrieve data and keep the system running. A RAID array requires at least two disks.

Advantage – RAID 1 has a read speed that rivals that of a single drive and a write speed that is comparable to that of a single drive. Data does not need to be rebuilt if a drive fails; it only has to be copied to the replacement drive.
Disadvantage – the biggest disadvantage is that, because all data is written twice, the effective storage capacity is just half of the entire drive capacity.

RAID 5

Like RAID 0, RAID 5 stripes data blocks over many drives, but it also maintains parity information that can be utilized to recover data in the event of a disk failure. The level provides both speed (many drives are accessible) and redundancy (parity data is kept across all disks).

RAID 10

RAID 10 combines RAID 1’s mirroring with RAID 0’s striping. It combines RAID 1’s redundancy with RAID 0’s increased performance. It is ideally suited to environments that demand both great performance and security.

Dual LANs

There may be two LAN ports on a motherboard having twin LAN ports. There are various setup choices available to the user.
If the purpose is to improve performance, users can achieve this by connecting to a local area network (LAN) through teaming, which essentially offers you twice as much bandwidth as you would normally have.

Load balancer

Load balancing uses numerous servers to increase the performance and stability of web sites, applications, databases, and other services. The load balancing algorithm or method is used by the load balancer to follow a specified pattern.

Data security solution

An asset is any data, device, or other component of the environment that supports information-related activities in information security, computer security, and network security. Assets generally include:

• Hardware – servers and switches
• Software – mission-critical applications
• Information

Data center security solution

Data center

Data centers are an important aspect of any business, as they are meant to support corporate applications and provide services such as:

• Data storage, management, backup and recovery
• Productivity applications, such as email
• High-volume e-commerce transactions
• Powering online gaming communities

A number of different risks can affect data centers. A few examples include:

• Server failure
• Undetected smoke that can lead to fire incidents
• Network connection failures
• External hackers

Replica data center

When working with numerous data centers, it is critical to ensure that if one goes down, another is fully capable of picking up the load and data. Data center replication is meant to solve exactly this problem.

Secure transport protocols

There are a number of protocols that can be used on networks to securely transport data. Some of these include:

• SSL
• SSH
• Tor

Secure sockets layer (SSL)

SSL (secure sockets layer) is an internet security technology based on encryption. Netscape introduced it in 1995 as a way to provide privacy, authentication, and data integrity in internet interactions.
SSL is the forerunner of today’s TLS encryption standard. HTTPS (Hypertext Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate.

Secure socket shell (SSH)

SSH, or secure socket shell, is a network protocol that allows administrators to access a remote computer in a secure manner. SSH can also be used to refer to the set of tools for the protocol.

Tor

Dark website

The technology that opened the way for what is now known as the dark web was developed in the mid-1990s by military researchers in the United States and was used by intelligence personnel to transmit information surreptitiously. ‘Tor’, which stands for ‘the onion router’, was the name of the first platform.

3 relays

Tor bounces connections through 3 relays. Each of these has a specific role to play.

• Entry guard relay – this is the entry point to the Tor network.
• Middle relay – middle relays are exactly that: middle nodes used to transport traffic from the guard relay to the exit relay.
• Exit relay – these relays are the exit point at the edge of the Tor network. These relays send traffic to the final destination intended by the client.

MPLS (Multi-protocol label switching)

MPLS (Multi-protocol label switching) is a developing protocol that identifies static IP paths and is based on IETF standards. It manages the flow of traffic. Engineering expertise is required for QoS regulation and management. VPNs are built on the foundation of network optimization.

Activity 3

Review mechanisms to control organizational IT security

Risk assessment

Risk assessment is a process of locating, evaluating, and methodically controlling hazards and risks. A competent individual determines which safety precautions are now in place, or ought to be, to reduce or eliminate risk at work in any particular situation.
Risk assessment is one of the most crucial components of a risk analysis. The multi-step risk analysis process aims to identify and evaluate all potential risks and issues that could be detrimental to the business. The process is ongoing and is updated as necessary. Although they are related, these concepts can also be used alone.

Why is risk management important?

You might use the assessment method to find potential dangers and guarantee the wellbeing of your employees and customers. There are different guidelines for various enterprises because there are various threats that could arise nowadays.

Risk assessment types

• large-scale assessment
• specific assessment required
• general assessment

Risk assessment in 5 steps

• identify the danger
• evaluate the risk
• decide on control measures to implement
• document your findings
• review your assessment and update if necessary

Network change management

Network change management is the procedure used by businesses to standardize how network changes are carried out. The goal is to modify network devices as necessary using a technique that disrupts existing systems as little as possible. As the system’s business requirements increase, several configuration changes take place every day.

Network configuration management

Every device on the network is subject to network configuration management throughout its lifetime. Device detection, inventory management, configuration backup, configuration modification and compliance monitoring, user activity tracking, and troubleshooting using appropriate network operations are all included.

Network configuration management features

• network device discovery
• configuration backup
• configuration change management
• executing complex network operations

IT audit

An audit, in general, is an examination of a current system, report, or institution.
An IT audit examines the administration, applications, operations, data use, and other associated procedures of an organization’s IT systems. (calvello, 2020)

IT audit main steps

• gather information and plan
• gain an understanding of the existing internal control structure

IT audit objectives

• Assessing the procedures and systems in place now for data security in the workplace.
• Identifying any potential threats to the company’s information assets and working to reduce such threats.
• Checking the accuracy and integrity of the information.
• Preserving all resources.
• Confirming that information management procedures adhere to IT-specific rules, regulations, and guidelines.
• Identifying the management and IT system inefficiencies that exist. (calvello, 2020)

Audit control

Audit control comprises putting security audit measures in place to ensure that the security procedures in place are effective. Examples of these measures include good record keeping, auditing who has access to personal data, logging that access, and auditing of security procedure compliance.

Business continuity planning

Business continuity planning (BCP) is the act of creating a framework for averting and resolving potential risks to an organization. The plan ensures that personnel and property are protected and that business may resume quickly.

Disaster recovery

Information technology disaster recovery is a component of security planning and is created in tandem with a business continuity plan. In the event of a bad occurrence such as a cyberattack, a natural disaster, or the failure of a facility or device, an organization is protected by a set of policies and procedures called disaster recovery. It aids in the creation of the plan for the speedy restoration of hardware, software, and data for business continuity.

Data loss

Data loss happens when sensitive or valuable information on a computer is compromised by theft, human mistake, malware, viruses, or power outages. It might also happen as a result of physical harm to a building, mechanical malfunctions, or other equipment. (frankenfield, 2020)

Types of data loss

• human error
• file corruption
• hardware error
• site related

Data protection process

Data protection involves securing important data against loss, compromise, and corruption, and the capacity to restore data to a usable state if it becomes unavailable or inaccessible. Data protection ensures that information is retained in accordance with all relevant legal and regulatory requirements. That is, it is not harmed and it is only accessible for allowed purposes. When secured information is required, it should be easily accessible and usable for that reason. On the other hand, data protection goes beyond the concepts of usage to cover data retrieval, data retention, data preservation, and data deletion/destruction.

Data security techniques

• risk assessment
• backup
• encryption
• access control
• destruction

Data protection principle

Data protection aims to safeguard data and make it available in any circumstance by using processes and technology. Data can be secured by using storage technologies like disk, tape, or cloud backup to keep copies of the data that may be used in the event of data loss or interruption. Additional software approaches (such as cloning, mirroring, replication, snapshots, changed block tracking, and so on) add an extra layer of data security on top of basic backup. Due to advancements in technology, it is now the usual procedure to offer continuous data protection, which backs up data whenever a change is made and enables almost immediate recovery.
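Backup is listed above as a data security technique, and the full, differential and incremental types were described under "Types of Backup". The following is an added example, not part of the original assignment, that runs all three over the same four days of constructed file changes and shows how many files each copies and which backup sets a restore needs. File names and versions are made up, and deleted files are not modelled.

```python
def changed_since(current, baseline):
    """Files created or modified in `current` relative to `baseline`."""
    return {name: ver for name, ver in current.items() if baseline.get(name) != ver}


def run_schedule(days, strategy):
    """Take one backup per day; day 0 is always a full backup.

    Returns a list of (kind, files) backup sets, one per day.
    """
    if strategy not in ("full", "differential", "incremental"):
        raise ValueError(f"unknown strategy: {strategy}")
    sets, last_full, last_backup = [], {}, {}
    for day, state in enumerate(days):
        if day == 0 or strategy == "full":
            sets.append(("full", dict(state)))
            last_full = dict(state)
        elif strategy == "differential":
            # everything changed since the last FULL backup
            sets.append(("differential", changed_since(state, last_full)))
        else:
            # only what changed since the PREVIOUS backup of any kind
            sets.append(("incremental", changed_since(state, last_backup)))
        last_backup = dict(state)
    return sets


def restore_chain(sets):
    """Indexes of the backup sets needed to restore the most recent state."""
    last_full = max(i for i, (kind, _) in enumerate(sets) if kind == "full")
    newest = len(sets) - 1
    if newest == last_full:
        return [last_full]
    if sets[newest][0] == "differential":
        return [last_full, newest]             # last full + latest differential
    return list(range(last_full, newest + 1))  # last full + every incremental


def restore(sets, lost=()):
    """Rebuild the latest state; fail if a needed backup set is unavailable."""
    state = {}
    for i in restore_chain(sets):
        if i in lost:
            raise LookupError(f"backup set {i} is needed but unavailable")
        state.update(sets[i][1])
    return state


# Constructed sample data: file name -> version, one snapshot per day.
DAYS = [
    {"payroll.xlsx": "v1", "clients.db": "v1", "policy.docx": "v1"},
    {"payroll.xlsx": "v2", "clients.db": "v1", "policy.docx": "v1"},
    {"payroll.xlsx": "v2", "clients.db": "v2", "policy.docx": "v1", "audit.log": "v1"},
    {"payroll.xlsx": "v3", "clients.db": "v2", "policy.docx": "v1", "audit.log": "v1"},
]


def summary():
    """Files copied, restore chain and restore check for each backup type."""
    out = {}
    for strategy in ("full", "differential", "incremental"):
        sets = run_schedule(DAYS, strategy)
        out[strategy] = {
            "files_copied": sum(len(files) for _, files in sets),
            "restore_chain": restore_chain(sets),
            "restored_ok": restore(sets) == DAYS[-1],
        }
    return out


if __name__ == "__main__":
    for strategy, result in summary().items():
        print(strategy, result)
```

Passing `lost=(2,)` to `restore` shows the restore-side cost of incremental backups: the incremental chain fails because every set after the full backup is required, while the differential chain still restores from sets 0 and 3.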
ISO 31000 risk management process

Introduction to ISO

A standard is just a group of requirements that have been established and accepted by numerous people. The formulation of the standard, in this case, is supervised by the International Organization for Standardization, a standard-setting body with headquarters in Geneva, Switzerland. Before it can be published, an ISO standard must be approved by a number of members from various standardization groups.

What is ISO risk management?

The International Organization for Standardization (ISO) published the international standard ISO 31000 in 2009 with the goal of serving as a manual for the development, implementation, and upkeep of risk management. The risk management process outlined in the ISO 31000 standard includes the following activities.

• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Establishing the context
• Monitoring and review
• Communication and consultation

ISO 31000 advantages

• ISO 31000 is a methodical and rational approach to risk management. It is a straightforward template for implementation in your firm, and a method that focuses on the company’s vision, mission, and goals.
• It is an all-inclusive framework: any organization, regardless of size or sector, can implement the principles.
• High-quality standards: ISO is known around the world for certifying high standards.
• They are easily applicable: they may be applied to many elements of an organization and employ a basic vocabulary.

Biometrics

What is biometrics?

Biometrics is the most appropriate method for reliably and quickly identifying and verifying individuals based on unique biological traits. (author n., What is biometrics, 2022)

Three main types of biometric security

• Biological biometrics
• Morphological biometrics
• Behavioral biometrics

Biological biometrics

Biological biometrics makes use of genetic and molecular characteristics.
These could include your DNA or blood, which could be tested using a sample of your biological fluids.

Morphological biometrics

Morphological biometrics takes into account your body’s structure. More body features, such as your eye, fingerprint, or facial shape, can be mapped for use with security scanners.

Behavioral biometrics

Behavioral biometrics are based on patterns that are unique to each individual. If your walking, speaking, or typing habits are tracked, they may reveal information about your identity.

Some examples of biometric protection

• Recognition of speech
• Scanning of fingerprints
• Recognition of people’s faces

Biometric authentication methods

• Fingerprint scanner
• Retina scanner
• Iris scanner
• Speaker recognition
• Facial recognition systems
• Hand and finger geometry
• Vein geometry
• DNA based

IT security policy

If the aim, scope, policy, and procedures are not stated separately, they should always be incorporated in IT security policies. They should spell out the rules for user and IT worker behavior, as well as the consequences for breaking them. Policies should identify the key risks facing the organization and provide direction on how to mitigate them. Policies should be adapted to the organization’s most valuable assets and major risks. The most significant policies apply to all users of the organization’s information systems. These policies safeguard the confidentiality, integrity, and availability of systems and data. While rules can be amended, lowered, or amalgamated with others, the following policies should be followed by all firms.

7 key IT security policies

• Employee awareness and training policies
• Password management policy
• Remote access policy
• Bring your own device policy
• Acceptable use policy
• Regular backup
• Recovery policy

Organizational security policy

The organizational security policy is the document that specifies the scope of a utility’s cybersecurity initiative.
It serves as both a repository for knowledge and decisions generated by other building blocks and a blueprint for future cybersecurity decisions. The organizational security policy should outline the organization’s goals, responsibilities, security program structure, compliance and risk management approach.

Activity 4

Manage organizational security

Security policy

A security policy is a written document that describes how a company wants to protect its physical and information technology assets. Security policies are living documents that change as technology, vulnerabilities, and security requirements change. Acceptable usage policies are occasionally included in a company’s security policy. These describe how the organization plans to educate its employees about asset protection. They also include a description of how security measures will be implemented and enforced, as well as a method for assessing the effectiveness of the policy and making any necessary modifications.

Why are security policies important?

Security policies are critical because they protect the company’s physical and digital assets. A security policy covers all of the company’s assets as well as possible threats to those assets. Physical security policies are intended to protect a company’s physical assets, such as its facilities and equipment, including computers and other information technology. Data security policies protect intellectual property from costly occurrences such as data breaches and leaks.

Types of security policies

Organizational

Reflecting the organization’s overall security goals and commitment to information security, it is the fundamental document from which all other security policies are formed. It also frequently informs the organization’s compliance objectives.

System-specific

A system-specific policy governs security measures for an information system or network.

Issue-specific

These policies concentrate on specific aspects of the organization’s overarching policy. Some examples of issue-related security policies are provided below.

Security standards

Standards are required courses of action or laws that support and guide official policies. Obtaining company-wide agreement on what standard should be implemented is one of the most difficult components of developing standards for an information security program. This is a lengthy task, but your information security program must be successful.

Security procedures

Security procedures are detailed instructions for implementing, enabling, or enforcing security measures stated in your organization’s security policies. Security protocols should cover the multitude of hardware and software components that enable your company’s activities, as well as any security-related business processes.

System access policy

Employees, volunteers, business associates, contractual suppliers, and consultants, among others, have limited access to visionist systems and apps. Any other entity is only granted access on a need-to-know basis. All users must report any illegal use or access to the organization’s information system. These measures were implemented to meet HIPAA security rules and they include the following.

Physical access policy

The physical access policy governs who has physical access to information system facilities, information systems stored within those facilities, and/or displayed techniques associated with those information systems. The policy defines guidelines for both employee and visitor facility access. If this policy does not include physical access controls, information systems may be illegally physically accessed.

Physical and environmental policy

This sample policy is designed to help organizations prevent unauthorized access, damage, and interference with their facilities and data.
Security perimeters must be used to protect areas containing information processing facilities; secure areas must be protected by appropriate entry controls to ensure that only authorized personnel have access; secure areas must be created to protect offices, rooms, and facilities with special security requirements; and additional controls and guidelines for working in secure areas must be used to enhance the security provided by the PHY.

Human resources security policy

All employees must pass a background check, which includes identification verification with a passport or other picture ID and at least two appropriate professional references, before being hired. Employees in positions of trust must go through additional screening. All workers must specifically agree to a binding confidentiality or non-disclosure agreement with regard to personal information supplied to or developed by them throughout the course of their work. Every new employee must undergo a background check. The screening must be carried out in accordance with applicable legislation and government human resource policy.

Access control

Access control is a type of security measure used in computing. Physical and logical access control are the two types of access control. Physical access control restricts access to campuses, buildings, rooms, and physical IT assets. Logical access control restricts access to computer networks, system files and data.

Two types of access control policy

Physical access control

Access to campuses, buildings, rooms and physical IT assets is restricted via physical access control.

Logical access control

Connections to computer networks, system files and data are all restricted by logical access control.

What is a disaster recovery plan (DRP)?

In information technology, disaster recovery is part of security planning and is created in tandem with a business continuity plan.
Disaster recovery is a set of policies and procedures aimed at protecting an organization from any severe consequence of a bad occurrence, such as cyberattacks, natural disasters, or building or device failures. Disaster recovery aids in the development of solutions for the rapid restoration of hardware, applications and data for business continuity. (author n., disaster recovery, 2019)

Types of disaster recovery plan

Virtualized disaster recovery plan

Disaster recovery may now be carried out more effectively and simply thanks to virtualization. A virtualized system can swiftly spin up new virtual machine instances and provide high availability for application recovery. Although testing is simplified, the strategy must verify that applications can be operated in DR mode and returned to regular operations within the RPO and RTO limitations.

Network disaster recovery plan

Virtualization allows for more efficient and straightforward disaster recovery. A virtualized system can instantly spin up new virtual machine instances and provide application recovery through high availability. Testing is also simpler, but the strategy must ensure that the application can be operated in DR mode and returned to regular operations within the RPO and RTO limitations.

Cloud disaster recovery plan

Cloud disaster recovery can range from simple file backup to comprehensive replication. Cloud disaster recovery can save space, time, and money, but it requires proper administration to keep the disaster recovery strategy operational. The real and virtual server locations must be known to management. The approach must address security, a common concern in the cloud that may be minimized through testing.

What are the roles of stakeholders in the organization in implementing security audit recommendations?

What are stakeholders?

A stakeholder is a person, group or organization who is impacted by the outcome of a project or business initiative.
People with a vested interest in the project’s success are known as stakeholders, and they might originate from within or outside the sponsoring organization. Stakeholders are important because their decisions might have an impact on the project, either positively or negatively. There are also essential stakeholders who must support the project in order for it to flourish.

Types of stakeholders

• Internal stakeholders
Internal stakeholders are employees of the company. Because they serve and are recruited by the body in control, they are immediately influenced by the project. Internal stakeholders include employees, owners, the board of directors, project managers, investors, and others.

• External stakeholders
External stakeholders are those who are not affiliated with the organization but are affected by the project in some way. They are influenced by the actions of the organization, but they are not employees. These persons include suppliers, consumers, creditors, clients, middlemen, competitors, society, government and others.

Stakeholder examples

Investors – these are shareholders and debtholders who are searching for a financial return. They have invested money in the company and expect a return on that investment.

Employees – these stakeholders rely on their jobs and their job security. They have a direct stake in the organization since it supports and benefits them.

Customers – these stakeholders want the project’s product or service and expect it to be of high quality and value. (landau, 2022)

Discuss the role of stakeholders in the organization to implement security audit recommendations

What individuals (job titles) are engaged in putting the security audit recommendations into action?

A stakeholder is someone who is invested in their own business, IT service or project. Stakeholders include employees, suppliers, and any business partner linked with the corporation.
Stakeholders can be investors in a company, and their activities play an important role in modeling the firm’s performance and defining (or choosing) the future, since the whole engagement of the company’s stakeholders is critical.

What are organizational tools?

Organizational tools are resources, methodologies and software that aid in the optimization of workflows. They help with project and time management, file storing and sharing, taking notes, and progress tracking. Although a notepad and a pen might help you stay organized, it is often necessary to use easy digital tools that allow you to track progress, exchange data and engage with others on your team.

Organizational tools

• Microsoft OneNote
• Google Docs
• Canva
• Momentum

How to choose the right organizational tools for you

Choosing the right organizational tools for your business might be tough, but there are several factors to consider. Consider your goals, the budget, team needs, and existing systems. If your CRM includes note-taking software, you may not require Nimble or OneNote. If you have a calendar but no scheduler, or if you are having trouble keeping up with appointments without overburdening your calendar, try Calendly.

References

Author, N. (2015, April 8). Network performance. Retrieved from Techopedia: https://www.techopedia.com/definition/30022/network-performance
Author, N. (2017, December 6). Host-based firewall. Retrieved from Techopedia: https://www.techopedia.com/definition/33097/host-based-firewall
Author, N. (2017, January 19). RAID 0. Retrieved from Techopedia: https://www.techopedia.com/definition/17277/raid-0
Author, N. (2019, June 13). Disaster recovery. Retrieved from Techopedia: https://www.techopedia.com/definition/31989/disaster-recovery
Author, N. (2021, September 1). What is the CIA Triad? Definition and Examples. Retrieved from SecurityScorecard: https://securityscorecard.com/blog/what-is-thecia-triad
Author, N. (2022, April 7). Backup. Retrieved from Techopedia: https://www.techopedia.com/definition/1056/backup
Author, N. (2022, January 27). What is biometrics. Retrieved from Thales Group: https://www.thalesgroup.com/en/markets/digital-identity-andsecurity/government/inspired/biometrics
Beal, V. (1996, November 20). RAID-Redundant Array of Independent Disks. Retrieved from Webopedia: https://www.webopedia.com/definitions/raid/
Bhattacharya, A. (2021, March 6). Active and Passive Attacks. Retrieved from Encryption Consulting: https://www.encryptionconsulting.com/active-and-passive-attacks/
Calvello, M. (2020, May 20). What is an IT audit. Retrieved from track.g2: https://track.g2.com/resources/it-audit
Employee, N. (2019, August 28). What is a computer worm, and how does it work? Retrieved from us.norton: https://us.norton.com/internetsecurity-malware-what-isa-computer-worm.html
Frankenfield, J. (2020, November 4). Data loss. Retrieved from Investopedia: https://www.investopedia.com/terms/d/data-loss.asp
Hamilton, T. (2022, April 9). What is Security Testing? Types with Example. Retrieved from Guru99: https://www.guru99.com/what-is-security-testing.html
Landau, P. (2022, March 22). What is a stakeholder? Definitions, types and examples. Retrieved from ProjectManager: https://www.projectmanager.com/blog/what-isa-stakeholder