
COMPUTER S PROGRAMMIN BTEC Higher Nationals in Computing Unit 05: Security ASSIGNMENT 2


Greenwich School of Management
COMPUTER S PROGRAMMIN Higher Nationals in Computing
Unit 05: Security
ASSIGNMENT 2

Table of Contents

P5. Discuss risk assessment procedures
  1. Define risk and risk assessment
    1.1. Risk
    1.2. Risk Assessment
  2. Risk assessment procedure
    2.1. Risk assessment step
    2.2. The goal of risk assessment
  3. Definition of asset & threat
    3.1. Asset
    3.2. Threat
      3.2.1. Physical threats
      3.2.2. Non-physical threat
      3.2.3. Threat identification procedure
  4. Risk identification steps
P6. Explain data protection processes and regulations as applicable to an organization
  1. What is data protection?
  2. Why are data protection and regulation important?
  3. Securing the host
    3.1. Protecting the physical device itself
    3.2. Securing the Operating System Software
  4. Network Security
    4.1. Definition
    4.2. How does Network Security work?
      4.2.1. Physical Network Security
      4.2.2. Technical Network Security
      4.2.3. Administrative Network Security
    4.3. Benefits of Network Security
    4.4. Types of Network Security
    4.5. The importance of Network Security
  5. Secure network by using network devices, technologies and design elements
    5.1. Security Through Network Devices
    5.2. Security Through Network Technologies
    5.3. Security Through Network Design Elements
P7. Design and implement a security policy for an organization
  1. What is security policy?
  2. Security Policy Cycle
  3. Design a security policy
    3.1. Designing a policy
    3.2. Elements of a security policy
    3.3. Types of security policies
    3.4. Examples of security policy
    3.5. Steps to design a policy
P8. List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion
  1. Business continuity
  2. Potential Threat for organization
    2.1. Human-induced accidents
    2.2. Natural
    2.3. Internal
    2.4. Armed conflict
    2.5. External
  3. List the components of recovery plan
    3.1. Communication plan and role assignments
    3.2. Plan for your equipment
    3.3. Data continuity system
    3.4. Backup check
    3.5. Detailed asset inventory
    3.6. Pictures of the office and equipment (before and after prep)
    3.7. Vendor communication and service restoration plan
  4. Steps required in disaster recovery process
M3. Summarise the ISO 31000 risk management methodology and its application in IT security
REFERENCES

ASSIGNMENT 2 ANSWERS

P5. Discuss risk assessment procedures.

1. Define risk and risk assessment.

1.1. Risk
- A risk is the chance, high or low, that somebody may be harmed by the hazard.

1.2. Risk Assessment
- Risk assessment is the process of evaluating risks to workers' safety and health from workplace hazards. It is a systematic examination of all aspects of work that considers:
  - what could cause injury or harm;
  - whether the hazards could be eliminated and, if not;
  - what preventive or protective measures are, or should be, in place to control the risks.

2. Risk assessment procedure

2.1. Risk assessment step
- How a risk assessment is conducted varies widely depending on the risks unique to the type of business, the industry that business is in and the compliance rules applied to that given business or industry. However, there are five general steps that companies can follow regardless of their business type or industry.

1) Step 1: Identify the hazards. The first step in a risk assessment is to identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessment include natural disasters, utility outages, cyberattacks and power failure.
2) Step 2: Determine what, or who, could be harmed. After the hazards are identified, the next step is to determine which business assets would be negatively influenced if the risk came to fruition.
Business assets deemed at risk to these hazards can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.
3) Step 3: Evaluate the risks and develop control measures. A risk analysis can help identify how hazards will impact business assets and the measures that can be put into place to minimize or eliminate the effect of these hazards on business assets. Potential hazards include property damage, business interruption, financial loss and legal penalties.
4) Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks and plans to prevent the hazards.
5) Step 5: Review and update the risk assessment regularly. Potential hazards, risks and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes.

Risk assessment tools, such as risk assessment templates, are available for different industries. They might prove useful to companies developing their first risk assessments or updating older assessments.

2.2. The goal of risk assessment
- Similar to risk assessment steps, the specific goals of risk assessments will likely vary based on industry, business type and relevant compliance rules. An information security risk assessment, for example, should identify gaps in the organization's IT security architecture, as well as review compliance with infosec-specific laws, mandates and regulations.
- Some common goals and objectives for conducting risk assessments across industries and business types include the following:
  - Developing a risk profile that provides a quantitative analysis of the types of threats the organization faces.
  - Developing an accurate inventory of IT assets and data assets.
  - Justifying the cost of security countermeasures to mitigate risks and vulnerabilities.
  - Identifying, prioritizing and documenting risks, threats and known vulnerabilities to the organization's production infrastructure and assets.
  - Determining budgeting to remediate or mitigate the identified risks, threats and vulnerabilities.
  - Understanding the return on investment, if funds are invested in infrastructure or other business assets to offset potential risk.
- The ultimate goal of the risk assessment process is to evaluate hazards and determine the inherent risk created by those hazards. The assessment should not only identify hazards and their potential effects, but should also identify potential control measures to offset any negative impact on the organization's business processes or assets.

3. Definition of asset & threat

3.1. Asset
- In financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be utilized to produce value and that is held by an economic entity and that could produce positive economic value. Simply stated, assets represent value of ownership that can be converted into cash (although cash itself is also considered an asset). The balance sheet of a firm records the monetary value of the assets owned by that firm. It covers money and other valuables belonging to an individual or to a business.
- One can classify assets into two major asset classes: tangible assets and intangible assets. Tangible assets contain various subclasses, including current assets and fixed assets. Current assets include inventory and accounts receivable, while fixed assets include buildings and equipment. Intangible assets are non-physical resources and rights that have a value to the firm because they give the firm an advantage in the marketplace.
Intangible assets include goodwill, copyrights, trademarks, patents, computer programs, and financial assets, including financial investments, bonds and stocks.

3.2. Threat
- A security threat is defined as a risk that can potentially harm computer systems and the organization. The cause could be physical, such as someone stealing a computer that contains vital data. The cause could also be non-physical, such as a virus attack. In this tutorial series, we will define a threat as a potential attack from a hacker that can allow them to gain unauthorized access to a computer system.

3.2.1. Physical threats
- A physical threat is a potential cause of an incident that may result in loss or physical damage to the computer systems.
- The following list classifies the physical threats into three (3) main categories:
  - Internal: The threats include fire, unstable power supply, humidity in the rooms housing the hardware, etc.
  - External: These threats include lightning, floods, earthquakes, etc.
  - Human: These threats include theft, vandalism of the infrastructure and/or hardware, disruption, accidental or intentional errors.
- To protect computer systems from the above-mentioned physical threats, an organization must have physical security control measures.
- The following list shows some of the possible measures that can be taken:
  - Internal: Fire threats could be prevented by the use of automatic fire detectors and extinguishers that do not use water to put out a fire. The unstable power supply can be prevented by the use of voltage controllers. An air conditioner can be used to control the humidity in the computer room.
  - External: Lightning protection systems can be used to protect computer systems against such attacks. Lightning protection systems are not 100% perfect, but to a certain extent, they reduce the chances of lightning causing damage.
    Housing computer systems on high ground is one of the possible ways of protecting systems against floods.
  - Humans: Threats such as theft can be prevented by use of locked doors and restricted access to computer rooms.

3.2.2. Non-physical th

About the document


Uploaded On

Aug 21, 2022

Number of pages

46
