Keywords to look at: Firewall, router

Activity 1: Threat

Threat number: 1
Threat title: Misconfigured firewall
Probability: Likely
Potential size of loss / impact level: Moderate
Risk severity: Medium
Explanation of the threat in context: If the firewall is not configured and maintained correctly, it will allow potentially dangerous packets to enter the network, which could lead to the network being overloaded and crashing. This will lead to financial, reputational and legal loss for the company.

Activity 2: Cyber security plan

1. Security requirement - To prevent attacks to the network.

Protection measure 1

1) Threat(s) addressed by the protection measure - 1 - Misconfigured firewall.
2) Details of action(s) to be taken - Install / activate the firewall if it is not already in the router. Configure the firewall to allow access via the port(s) required by the system.
3) Reasons for the actions - Attacks on commonly used ports are frequent and automated. A firewall will block / ignore pings unless the relevant port has been opened. Open ports invite a further, more targeted attack, probably also automated.
4) Overview of constraints (technical and financial) -
   Technical - Minimal, setup and configuration tasks are simple. User manuals are freely available and IT staff can configure them.
   Financial - Minimal, a commercial quality router will almost always include a firewall.
5) Overview of legal responsibilities - The data needs to be encrypted and protected under the Data Protection Act and General Data Protection Regulations.
6) Overview of usability of the system - Firewalls may block staff from accessing certain websites they may require.
7) Outline cost-benefit - Initially there will be a cost of buying items (hardware or software firewall) and hiring a company to configure the firewall, if there is no expertise in BCTAA. However, if an attack occurs, a security company would need to come out and render the system, costing the company a lot to reconfigure the security system. So the cost that may result from an intrusion will outweigh the initial cost.
8) Test plan

   Test 1
   Test description: Use a port scanner on the firewall.
   Expected outcome: Shows open ports.
   Possible further action following test: Check use of all open ports, close any that are not required.

   Test 2
   Test description: Attempt to access services other than browsing and email on the wifi system.
   Expected outcome: Other services should fail to connect.
   Possible further action following test: Recheck / reconfigure software and ports as required.

Activity 3: Justification

Appropriateness of Protection Measure: Steps must be taken to protect the network from being used in harmful ways; a firewall is the most efficient tool that can be used on a network to protect that network from undesirable actions.

Alternative Protection Measures that Could be Used: Employees could be educated and informed of the risks of browsing the internet, sharing information, and correctly securing data. Policies could be put in place to restrict certain behaviour and actions online. However, employees are still capable of making mistakes, and without the restriction from a firewall this is very likely.

Rationale for Choice of Protection Measure: A firewall is the best way of controlling the way that a network is used, since it is able to meet the requirements of the business while still keeping it safe from any outside threats.

Keywords to look at: Connect using mobile devices

Activity 1: Threat

Threat number: 2
Threat title: Network access by mobile devices
Probability: Likely
Potential size of loss / impact level: Major
Risk severity: High
Explanation of the threat in context:
Mobile devices are granted access to the network and may either be used by visitors to attack / explore the system or may carry malware which attempts to infect the system. A successful attack could allow an attacker full control of the system.

Activity 2: Cyber security plan

2. Security requirement - To keep the network secure from malware.

Protection measure 2

1) Threat(s) addressed by the protection measure - 2 - Network access by mobile device (malware).
2) Details of action(s) to be taken - Anti-virus software is to be installed on all systems to ensure that any form of malware uploaded to the network is unable to infect either the servers or the workstations, keeping staff, visitors, freelance trainers and assessors from attack.
3) Reasons for the actions - This preventative measure will actively protect the network from all known forms of malware, as well as identifying files or programs that may act in malicious ways, and reduce the threat of theft or destruction.
4) Overview of constraints (technical and financial) -
   Technical - Low, as existing company IT staff can be used for installing the AVS software. Also, software manuals can be used in running malware tests.
   Financial - Low to Medium. Free AVS can be used but in some cases effective AVS (anti-virus software) can be expensive, so care must be taken to choose a program that will keep the network free from attack.
5) Overview of legal responsibilities - BCTAA must ensure that they have paid for the AVS and have the correct licences that prove they are allowed to use it in a commercial capacity.
6) Overview of usability of the system - The usability of the system should not be affected by this addition, though it may be that some tasks are flagged as malicious where they were not before, so steps must be taken to allow them through the software. Implementing anti-virus scanners running real-time protection may slow down older devices.
7) Outline cost-benefit - The benefits of this protective measure definitely outweigh the costs, as it will prevent the infection of systems on the BCTAA network and prevent the loss of training and assessment data.
8) Test plan

   Test 3
   Test description: Attempt to run a malicious program or file.
   Expected outcome: AVS should flag it as malicious and prevent the user from accessing it.
   Possible further action following test: Check critical security features are turned on in AVS and update the AVS or call an expert.

   Test 4
   Test description: Attempt to run malware that the AVS knows.
   Expected outcome: AVS should prevent the malware from executing and quarantine it.
   Possible further action following test: If the AVS prefers to delete malware rather than quarantine it, the setting can be changed to quarantine.

   Test 5
   Test description: Attempt to run a program necessary for work.
   Expected outcome: AVS should not prevent the program from running.
   Possible further action following test: If AVS flags the program, it should be allowed to run through the settings.

Activity 3: Justification

Appropriateness of Protection Measure: The installation of software that aims to locate and remove harmful software is a must for BCTAA. Antivirus software and other software that protects devices from harm are very important when files are being shared, email is being used, and downloads happen within a business.

Alternative Protection Measures that Could be Used: EPE can enable Microsoft's Windows Defender on machines. It has most of the same features as third-party internet security suites.

Rationale for Choice of Protection Measure: Microsoft's Windows Defender is not good enough for enterprise internet security. In terms of malware detection, it often ranks below the detection rates offered by top antivirus competitors.

Keywords to look at: Visitors or staff need to access secure area

Activity 1: Threat

Threat number: 3
Threat title: Keylogging of staff PCs
Probability: Unlikely
Potential size of loss / impact level: Major
Risk severity: High
Explanation of the threat in context:
Hackers may use a program which allows them to log every key that a member of staff enters into their PC, such as usernames and passwords. In this case it is dangerous as it could be used to access and modify confidential company data.

Keywords to look at: Network should be protected from internet.

Threat number: 10
Threat title: Attacks via internet connection
Probability: Very likely
Potential size of loss / impact level: Major
Risk severity: Extreme
Explanation of the threat in context: Automated scanning software looks for vulnerable connections and pings can be expected several times a day. An unsecured connection (ports) could allow an attacker full control of the system.

Activity 2: Cyber security plan

3. Security requirement - To protect the internet connection.

Protection measure 3

1) Threat(s) addressed by the protection measure - 3 - Keylogging of staff PCs and 10 - Attacks via internet connection.
2) Details of action(s) to be taken - Install separate Wireless Access Points (WAP) for staff and guests and assign Service Set Identifiers (SSID). Configure both staff and guest WAPs with Wi-Fi Protected Access 2 (WPA2) and a strong password. MAC whitelist - Create a list of allowed wireless clients for the staff WAP based on the MAC address.
3) Reasons for the actions - If staff and guests use the same WAP, guests have the chance of logging in to the staff network, so security would have to be enforced through other means such as access rights. A separate visitor WAP can be configured so that access to the WAP only allows access to a restricted area of the BCTAA network, such as an internet connection. The use of complex passwords on Wireless Access Points makes it harder to gain access to a network. Use of a MAC access whitelist would only allow pre-approved devices to connect. A misconfigured SSID could result in users attempting to connect to the wrong network, tying up resources and possibly creating a security alert. A misconfigured WPA2 setting and/or key could restrict functionality of the network and might provide a point of weakness for an attacker to exploit.
4) Overview of constraints (technical and financial) -
   Technical - Separate WAP: Minimal, setup and configuration tasks are simple and walk-throughs are freely available. MAC whitelist: Medium. The list is simple to set up but would need to be propagated to all staff WAPs. There will be a physical limit to the size of the list that a WAP will allow, and this may not be big enough for all staff devices. Keeping the list accurate and up to date might prove difficult if there are frequent changes to the device list.
   Financial - Minimal, WAPs are fairly cheap and a commercial quality WAP will almost always include MAC list capabilities.
5) Overview of legal responsibilities - The data needs to be encrypted and protected under the Data Protection Act & General Data Protection Regulations.
6) Overview of usability of the system - Minimal, medium if MAC lists are included, although enforcement of strong passwords may cause some logon errors / locked accounts.
7) Outline cost-benefit - The possibility of a major system intrusion easily outweighs the minimal costs involved. The separate WAP and use of WPA2 measures must be implemented. The use of MAC lists is desirable but should be weighed against the number of devices that need access and the frequency with which they are changed.
8) Test plan

   Test 6
   Test description: Attempt logon to staff WAP.
   Expected outcome: With correct login credentials staff would be able to log in to the system. Once logged in, based on access rights, staff should be able to view their own user area.
   Possible further action following test: Repeat the test with each staff WAP to ensure that WPA2 and SSID have been configured correctly on each.

   Test 7
   Test description: Attempt logon to guest WAP.
   Expected outcome: With correct login credentials guests would be able to log in to the system. Once logged in, the profile should not contain trade secrets of other guests and should also not have access to other areas of the network such as staff.
   Possible further action following test: Repeat the test with some guest WAPs to ensure that WPA2 and SSID have been configured correctly.

   Test 8
   Test description: If a MAC list is used, attempt staff logon to the staff WAP with listed and unlisted devices.
   Expected outcome: Only listed devices will log on.
   Possible further action following test: Repeat the test with each staff WAP to ensure the list has been propagated correctly.

Activity 3: Justification

Appropriateness of Protection Measure: Encrypting wireless communication using WPA2 on both guest and staff WAPs is very appropriate for BCTAA. In order to prevent attackers from being able to intercept and then read sensitive information passed via a wireless transmission, the data being sent must be encrypted. Failure to ensure encryption would result in untrustworthy wireless communication. MAC address filtering allows you to block traffic coming from certain known machines or devices.

Alternative Protection Measures that Could be Used: An alternative for data transmission within the network would be to use wired connections for as much communication as possible. This would be impossible to achieve between the network and the internet/client, but BCTAA could cut down on any of the wireless devices that are being used and replace them with wired connections. For example, the staff mobile devices would not be allowed to connect to the network.

Rationale for Choice of Protection Measure: The protection measure is vital since wireless communication is essential in the BCTAA network. Setting up a wired connection and maintaining it could be expensive compared to wireless.

Keywords to look at: VPN or remote access

Activity 1: Threat

Threat number: 4
Threat title: Attacks via remote access
Probability: Very likely
Potential size of loss / impact level: Major
Risk severity: Extreme
Explanation of the threat in context: Remote access software often uses specified and known ports in the firewall. Automated scanning software looks for these ports and pings can be expected several times a day. Unsecured ports / software could allow an attacker full control of the system.

Activity 2: Cyber security plan

4. Security requirement - To protect against attacks via remote access.

Protection measure 4

1) Threat(s) addressed by the protection measure - 4 - Attacks via remote access.
2) Details of action(s) to be taken - Turn on / configure NAT (Network Address Translation) for the required remote access software.
3) Reasons for the actions - If the NAT is not configured correctly or turned on, it would prevent staff, freelance trainers and assessors from being able to access the network away from the premises. This would mean they are unable to do their job. If the NAT was not configured properly, this would create a vulnerability in the network, which can be exploited and infiltrated by attackers who can access the network.
4) Overview of constraints (technical and financial) -
   Technical - Minimal, setup and configuration is easy due to the instruction manuals and tutorials available.
   Financial - Minimal, NAT software is built into most modern routers. If it is not available in the current router, purchasing a new router would come at a cost for BCTAA. The best VPNs come at a cost.
5) Overview of legal responsibilities - Must ensure data is protected even remotely, otherwise it will be a breach of the Data Protection Act & General Data Protection Regulations.
6) Overview of usability of the system - Minimal. Once installed, staff who access the network from outside are likely to do so via remote access software / VPN software which handles the connection process for them.
7) Outline cost-benefit - A small, one-off cost to set up the NAT system is easily balanced by the practical advantages of having a working remote access method away from BCTAA premises.
8) Test plan

   Test 9
   Test description: Attempt login from external remote access software.
   Expected outcome: Access should be granted to the remote access server.
   Possible further action following test: If access is denied, or connects to the wrong device, reconfigure and retry.

Activity 3: Justification

Appropriateness of Protection Measure: NAT will be set up on the router to allow remote access to the server. This is because BCTAA staff, freelance trainers and assessors will need access to the server away from the office premises. This would allow them the opportunity to access the BCTAA network and server remotely through a VPN, as requested in the scenario plans.

Alternative Protection Measures that Could be Used: Disable NAT over VPN.

Rationale for Choice of Protection Measure: NAT allows you to use private IP addresses across a public IP route. Using VPN and NAT enhances security for private networks by keeping internal addressing private from the external network.

Keywords to look at: Store staff or client data.

Activity 1: Threat

Threat number: 5
Threat title: Attack on client information
Probability: Very likely
Potential size of loss / impact level: Major
Risk severity: Extreme
Explanation of the threat in context: If an attack via remote access, internet, or mobile device was successful, the client database / files contain payment information and would be a target. This could have financial, legal, and PR consequences.

Activity 2: Cyber security plan

5. Security requirement - To keep client information secure.

Protection measure 5

1) Threat(s) addressed by the protection measure - 5 - Attack on client information.
2) Details of action(s) to be taken - Client data on the server should be encrypted, and access rights used to limit who has access via the internal network. Do not allow the database to be queried from the internet, OR, if this is unavoidable, ensure that queries can only be performed via pre-made form pages that enforce validation before running a query.
3) Reasons for the actions - Encrypting files and enforcing access rights will limit any damage if an attacker does penetrate the network. Requiring queries to run from a validated form will prevent SQL injection attacks.
4) Overview of constraints (technical and financial) -
   Technical - Encryption and access rights: minimal, setup and configuration tasks are simple and walk-throughs are freely available. Creating database query forms: medium. Some work will be required by the database administrator, or possibly an external consultant, to create and test the forms and validation scripts. New forms and/or scripts may need to be developed and tested if the structure of the database is altered or new types of query are required in the future.
   Financial - Encryption and access rights: minimal, this type of access and encryption management is built into modern network operating system software. Creating database query forms: medium, with possible ongoing costs. External consultants are likely to be expensive; using internal staff is cheaper but this would be an additional task to their existing work. More staff / overtime might need to be paid.
5) Overview of legal responsibilities - There is a requirement for maintaining security of clients' confidential information (Data Protection Act & General Data Protection Regulations). BCTAA could be liable if data were stolen.
6) Overview of usability of the system - Encryption should be transparent to those with the correct access rights. This could slow staff in performing tasks by limiting functions. Staff may need to familiarise themselves with new systems / ways of accessing the admin server when running the SQL queries.
7) Outline cost-benefit - The possibility of a data breach, followed by prosecution or civil action, easily outweighs the costs involved.
8) Test plan

   Test 10
   Test description: Log in to Admin and attempt to access data files with insufficient access rights.
   Expected outcome: Access should be denied.
   Possible further action following test: Repeat the test with sufficient rights, access should be granted.

   Test 11
   Test description: Attempt to enter SQL injection code on database query forms.
   Expected outcome: Code should fail validation and produce an error message.
   Possible further action following test: Repeat the test with each field to ensure they have all been validated correctly.

Activity 3: Justification

Appropriateness of Protection Measure: Encrypting data on the server can enhance the security of communication between client and servers. Access rights set the permissions an individual BCTAA user has to read, write, modify, delete or otherwise access a computer file. Using pre-made queries can stop attackers getting into the database using SQL injection.

Alternative Protection Measures that Could be Used: Server data could be backed up with a third party so that it cannot be stolen if access is gained to the main server.

Rationale for Choice of Protection Measure: Backing up data with a third party would be useful in terms of data and information protection but would be impractical in some ways, since BCTAA would be relying on a third party to keep the data safe and it will cost them.

Keywords to look at: Use of IPv4 addresses.

Activity 1: Threat

Threat number: 6
Threat title: Network address not organised to fit the requirement
Probability: Likely
Potential size of loss / impact level: Major
Risk severity: High
Explanation of the threat in context: Unless specifically set up, network addresses will probably be assigned as dynamic addresses by the DHCP (Dynamic Host Configuration Protocol) server using default settings. This may make it harder to keep track of which address belongs to which device and may expose devices which should be hidden if their IP address changes.

Keywords to look at: Wifi connection to IoT devices.

Threat number: 9
Threat title: WiFi must not connect to IoT devices
Probability: Likely
Potential size of loss / impact level: Major
Risk severity: High
Explanation of the threat in context: Unless specifically hidden, IoT devices will appear on the network and will be more vulnerable to attack.

Activity 2: Cyber security plan

6. Security requirement - Configure network address for devices.

Protection measure 6

1) Threat(s) addressed by the protection measure - 6 - Network address not organised to fit the requirement and 9 - WiFi must not connect to IoT devices.
2) Details of action(s) to be taken - Set devices to obtain an IP address via the DHCP server with the correct subnet.
3) Reasons for the actions - DHCP can be used to split the network into sectors (subnets) which do not talk to each other unless permissions are set up for that to happen. IoT device IP addresses can be on a different subnet and other network devices (staff PCs) can be allocated static or dynamic addresses according to a network plan. Also, DHCP minimizes configuration errors caused by manual IP address configuration.
4) Overview of constraints (technical and financial) -
   Technical - Low, DHCP configuration tasks are simple, and manuals are freely available.
   Financial - Low, DHCP is part of the server operating system.
5) Overview of legal responsibilities - None, as long as data is protected by other means such as encryption.
6) Overview of usability of the system - Minimal, correct addressing should be transparent to users, who will normally use share names, device icons, etc. to make connections.
7) Outline cost-benefit - None, as most routers have the ability to provide DHCP server support.
8) Test plan

   Test 12
   Test description: Log on to wifi and, using network device discovery tools, attempt to locate an IoT device that is not connected to the network.
   Expected outcome: The device should not appear on the network list.
   Possible further action following test: If the device appears, check and amend DHCP settings and repeat the test.

   Test 13
   Test description: Attempt to find all static address devices by entering their IP address.
   Expected outcome: Devices should be locatable.
   Possible further action following test: If a device cannot be located, check settings on DHCP and check that the device is using DHCP to obtain an address. Try to connect again.

   Test 14
   Test description: Attempt to connect to dynamic address devices by name, icon, etc.
   Expected outcome: Devices should be locatable.
   Possible further action following test: If a device cannot be located, check settings on DHCP and check that the device is using DHCP to obtain an address. Try to connect again.

Activity 3: Justification

Appropriateness of Protection Measure: DHCP can be used to split the network into sectors (subnets) which do not talk to each other unless permissions are set up for that to happen. IoT device IP addresses can be on a different subnet and other network devices (staff PCs) can be allocated static or dynamic addresses according to a network plan. Also, DHCP minimizes configuration errors caused by manual IP address configuration.

Alternative Protection Measures that Could be Used: Manually configure and assign IP addresses for staff, guest and IoT devices.

Rationale for Choice of Protection Measure: The DHCP server allocates a dynamic IP address, which keeps on changing, to all devices connected to the network. Since it is done automatically, there will be fewer human errors and duplications, unlike manual configuration.

Keywords to look at: Use of CAT6 or RJ45.

Activity 1: Threat

Threat number: 7
Threat title: Unauthorised use of CAT6 data outlet
Probability: Unlikely
Potential size of loss / impact level: Moderate
Risk severity: Low
Explanation of the threat in context: An attacker can swap the Cat6 cable for another cable and gain direct unauthorised access to the network and will be able to have full control of the network.

Activity 2: Cyber security plan

7. Security requirement - To protect CAT6 data outlets.

Protection measure 7

1) Threat(s) addressed by the protection measure - 7 - Unauthorised use of CAT6 data outlet.
2) Details of action(s) to be taken - Install protective CAT6 port blockers / lockable faceplates on each port that is not in use.
3) Reasons for the actions - Access to a CAT6 port could allow a device to be attached to the network, either active, trying to access files, or passive, trying to capture network traffic. The ports are also physically vulnerable to damage from everyday dust and dirt. Covers would prevent such damage.
4) Overview of constraints (technical and financial) -
   Technical - Minimal, installing port blockers on ports and on devices such as computers requires minimal technical knowledge and ability.
   Financial - Minimal, port blockers and faceplates are relatively cheap. They will probably pay for themselves by reducing the requirement to replace damaged ports.
5) Overview of legal responsibilities - If data is secured and protected, then BCTAA are complying with legal responsibilities such as the Data Protection Act and Computer Misuse Act.
6) Overview of usability of the system - Minimal. Once installed, staff who need to move CAT6 cables would need to use a key.
7) Outline cost-benefit - The minimal costs associated with buying the port blockers are a positive advantage. It is cheaper to protect the ports, and they provide a greater sense of security.
8) Test plan

   Test 15
   Test description: Install port blockers onto unused ports on devices.
   Expected outcome: When attempting to remove the port blocker, it should not budge and should only be able to be removed with the port blocker removal key.
   Possible further action following test: If the port blocker is easily removable without the key, a more expensive port blocker should be considered, to limit physical, unauthorised access to the network.

Activity 3: Justification

Appropriateness of Protection Measure: Port blockers or lockable faceplates can be used to easily block open network ports and prevent users from connecting cables or devices or inserting foreign objects without permission. They also prevent physical damage and protect against everyday dust and dirt.

Alternative Protection Measures that Could be Used: Manually disable unused CAT6 ports at the switch/hub/routers.

Rationale for Choice of Protection Measure: Port blockers and / or lockable faceplates keep the ports safe from physical damage. When a staff member needs to use a port, it is easier to unplug a port blocker or unlock a faceplate than to enable the ports manually.

Keywords to look at: Door controlled.

Activity 1: Threat

Threat number: 8
Threat title: Misconfigured controlled doors
Probability: Likely
Potential size of loss / impact level: Major
Risk severity: High
Explanation of the threat in context: As the management of the office building provide the key cards and the software to run the controlled door, the admin officer may not keep updated on maintaining the door. Another possibility is that members of the public or other companies may act as an employee of BCTAA to get a key card to gain unauthorised access.

Activity 2: Cyber security plan

8. Security requirement - To protect paintball

Protection measure 8

1) Threat(s) addressed by the protection measure - 8 - Misconfigured controlled doors.
2) Details of action(s) to be taken - Protect the door so that it can only be accessed via the card reader. If the door is accessed by any method other than the card reader, an alert is sent to security and the main system, therefore locking all information into an area protected by firewalls, passwords and other security. CCTV cameras are fitted in the area to record anyone breaking into the room.
3) Reasons for the actions - Card reader door control is efficient and securely grants or restricts access to a certain area. CCTV is a countermeasure: even though cameras won't prevent an incident, they can discourage one by recording everything that happens.
4) Overview of constraints (technical and financial) -
   Technical - Minimal, setup and configuration of CCTV is simple, and manuals are freely available.
   Financial - High, as fitting an alarm would involve the cost of buying the alarm, getting someone to install it, programming it to link to the security room, and maintaining it. CCTV and its installation are expensive.
5) Overview of legal responsibilities - There is a requirement for maintaining a safe workplace for staff, guests, trainers and assessors. BCTAA could be liable if an outsider gained access to private areas and hacked data/office equipment. Use of CCTV has an impact on the Data Protection Act & General Data Protection Regulations.
6) Overview of usability of the system - Medium, CCTV should be monitored and the footage stored in a secure place for future use, so more staff are needed or there is extra work for existing staff.
7) Outline cost-benefit - The benefit of security of the office outweighs the cost of installing and setting up surveillance and the alarm, i.e. even though it is expensive, the safety and security of data and equipment is more important.
8) Test plan

   Test 16
   Test description: Record all activities in the door control system within a certain time frame.
   Expected outcome: Sessions should be captured.
   Possible further action following test: Check CCTV is enabled and all cabling is in position.

   Test 17
   Test description: Access the system in an attempt to hack or bypass the controlled door system.
   Expected outcome: CCTV surveillance captures the video footage recording and announces the intrusion.
   Possible further action following test: If access is denied or connects to the wrong device, reconfigure and retry.

Activity 3: Justification

Appropriateness of Protection Measure: Card reader door control is efficient and securely grants or restricts access to a certain area. CCTV is a countermeasure: even though cameras won't prevent an incident, they can discourage one by recording everything that happens.

Alternative Protection Measures that Could be Used: Improving physical security by having alarms, iris scanners, fingerprint readers, a security keycode or security guards on duty in the entrance / public areas to prevent unauthorized access.

Rationale for Choice of Protection Measure: Having card reader door control and CCTV enables initial protection of the private area of the company. Having alternative measures increases capital expenses (buying scanners) as well as the operational expenses in maintaining them / paying salary for guards.
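
Protection measure 5 and test 11 call for pre-made query forms that validate input before a query runs, with the injection test repeated on every field. The following is an added example, not part of the original plan: a Python/sqlite3 sketch of such a form handler with per-field allow-list validation and a parameterised query, plus a loop that performs test 11. The table, field names, patterns, sample rows and test strings are assumptions constructed for illustration.

```python
import re
import sqlite3

# Allow-list pattern per form field (hypothetical fields for a client lookup form).
FIELD_RULES = {
    "client_id": re.compile(r"[0-9]{1,6}"),
    "surname": re.compile(r"[A-Za-z][A-Za-z' -]{0,39}"),
    "postcode": re.compile(r"[A-Za-z0-9 ]{5,8}"),
}

# The only statement the form can run. Input is bound as parameters,
# never concatenated into the SQL text.
LOOKUP_SQL = (
    "SELECT client_id, surname, postcode FROM clients "
    "WHERE (:client_id IS NULL OR client_id = :client_id) "
    "AND (:surname IS NULL OR surname = :surname) "
    "AND (:postcode IS NULL OR postcode = :postcode)"
)

# Constructed sample strings for test 11.
INJECTION_SAMPLES = ["' OR '1'='1", "1; DROP TABLE clients", "1 UNION SELECT 1,2,3"]


class ValidationError(ValueError):
    """A submitted field failed validation; the query is not run."""


def validate_form(form):
    """Return cleaned query parameters, or raise ValidationError naming the field."""
    unknown = set(form) - set(FIELD_RULES)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for field, rule in FIELD_RULES.items():
        value = (form.get(field) or "").strip()
        if not value:
            cleaned[field] = None          # field left blank on the form
        elif rule.fullmatch(value):
            cleaned[field] = int(value) if field == "client_id" else value
        else:
            raise ValidationError(f"invalid value for {field}")
    if all(v is None for v in cleaned.values()):
        raise ValidationError("at least one search field is required")
    return cleaned


def run_lookup(conn, form):
    """Validate the form, then run the single pre-made query with bound parameters."""
    return conn.execute(LOOKUP_SQL, validate_form(form)).fetchall()


def make_demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (client_id INTEGER PRIMARY KEY, surname TEXT, postcode TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [(1, "Ahmed", "B1 1AA"), (2, "O'Brien", "B2 2BB"), (3, "Smith", "B3 3CC")],
    )
    return conn


def injection_test(conn):
    """Test 11: submit every sample to every field and record the outcome."""
    results = {}
    for field in FIELD_RULES:
        for sample in INJECTION_SAMPLES:
            try:
                rows = run_lookup(conn, {field: sample})
                results[(field, sample)] = f"accepted, {len(rows)} row(s)"
            except ValidationError as exc:
                results[(field, sample)] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    db = make_demo_db()
    print(run_lookup(db, {"surname": "O'Brien"}))   # legitimate apostrophe
    for key, outcome in injection_test(db).items():
        print(key, "->", outcome)
```

A surname such as O'Brien passes validation and is still safe, because the apostrophe reaches the database as a bound value rather than as SQL text; validation and parameter binding are two separate layers.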