
assignment 2 security 1623


ASSIGNMENT 2

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Student name: Ngo Truong Duy Cong
Student ID: GCD210309
Class: GCD1102
Assessor name: Dang Quang Hien

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Student's signature: Duy Cong

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Table of Contents

Chapter 1: Discuss risk assessment procedures (P5)
- Define a security risk and how to do risk assessment
- Risk assessment
- Assets, threats and threat identification procedure
- Assets
- Threats
- Threat identification procedure
- Example of threat identification procedures

Chapter 2: Explain data protection processes and regulations as applicable to an organization (P6)
- Definition of data protection
- Explain data protection process in an organization
- The importance of data protection and security regulation

Chapter 3: Design and implement a security policy for an organization (P7)
- Introduction to security policy
- Give an example for each of the policies
- Give the musts and shoulds that must exist while creating a policy
- Security elements
- The steps to design a policy

Chapter 4: List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8)
- Business continuity
- Components of disaster recovery plan
- All the steps required in disaster recovery process
- Policies and procedures that are required for business continuity

Table of Figures

Figure 1: Risk assessment
Figure 2: Assets
Figure 3: Cyber security threats
Figure 4: What Data Protection is?
Figure 5: Business continuity planning (BCP)
Figure 6: Disaster recovery process

Chapter 1: Discuss risk assessment procedures (P5)

Define a security risk and how to do risk assessment

Risk: The likelihood that risks and vulnerabilities connected to the use and operation of information systems, as well as the settings in which those systems operate, will have a negative impact on an organization and its stakeholders.

Risk assessment: Risk assessment is the process of identifying flaws that could jeopardize a company's ability to conduct business. The tools, methods, and controls used in these evaluations aim to characterize these inherent business risks and mitigate their negative consequences for the organization.

Figure 1: Risk assessment

Typically, the risk assessment process consists of multiple steps. First, possible sources of injury or damage should be identified. This can encompass both physical risks like theft or sabotage and cyber dangers like hacking or viruses. Second, determine who or what might be affected by these dangers and how they might be harmed. Employees, clients, financial assets, or sensitive data could all be included. Third, identify any existing controls or measures in place to prevent or minimize these dangers. Finally, the effectiveness of these controls should be evaluated, and any further measures that may be required should be identified.

The identification of threats and vulnerabilities, as well as the matching of threats to vulnerabilities, is a required activity in risk assessment. This is commonly referred to as threat-vulnerability (T-V) pairing. The T-V pairings can then be used as a baseline to identify risk prior to implementing security controls. This baseline can then be compared to continuing risk assessments to determine the success of risk management. This stage of risk assessment is known as determining an organization's inherent risk profile.

After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies. For example, vulnerabilities that are found to correspond with multiple threats can receive higher ratings. In addition, T-V pairs that map to the greatest institutional impact will also receive higher weightings.

Assets, Threats & Threat Identification Procedure

Assets

An asset is any information, device, or other component of a company's systems that is valuable, primarily because it houses or allows access to sensitive information. The most common type of company asset is information assets: items such as databases and physical files that contain the sensitive data you keep. For example, an employee's desktop computer, laptop, or business phone, as well as the apps on those devices, would be regarded as assets. The assets also include infrastructure components such as servers and support systems.

Figure 2: Assets

Threats

Basically, a threat is anything that might have a negative effect on an asset. Threats are situations that, whether on purpose or accidentally, compromise the availability, credibility, or secrecy of an asset. A threat refers to a new or newly discovered incident that has the potential to harm a system or your company overall. There are three main types of threats:

- Natural threats, such as floods, hurricanes, or tornadoes
- Unintentional threats, like an employee mistakenly accessing the wrong information
- Intentional threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee

Figure 3: Cyber security threats

Threat Identification Procedure

The threat identification approach assesses IT flaws and determines whether they have the ability to compromise your system. It is a key component of the organization's risk management program. Threat identification enables the firm to take preventative action: you get the information you require to prevent device breaches and keep out unauthorized users. Each environment for an IT system is distinct. All organizations with public-facing online portals will face a shared set of dangers, some of which will overlap. Some vulnerabilities may only apply to your company.

Threat identification should include the following tasks:

- Analyzing and recognizing the unique threat portfolio specific to your company and its service
- Prioritizing the assessment of device vulnerabilities effectively
- Determining how these vulnerabilities can be exploited by a particular threat actor or behavior
- Providing a summary of results with accurate details that will help your organization to take preventive risk management action

Example of threat identification procedures

Once you have recognized the risks that might endanger your business and calculated the potential damage from an occurrence, you are equipped to make choices about how to secure it. When doing a risk assessment, a user may uncover a sizable number of potential hazards that might harm the business. For instance, a server may be affected by a number of threats; fire, vibrations, viruses, and hackers are only a few of them. Installing security software (such as firewalls and antivirus programs) and making the space earthquake-proof and fire-proof are both feasible ways to safeguard the server. However, the price of doing so will soon surpass the asset's worth. It would be better to install a firewall and anti-virus software, back up your data, and take the chance that other threats won't materialize.

As a general rule, decide which risks are acceptable. After estimating the potential loss a danger might cause, you must choose the most affordable ways to defend yourself. To accomplish this, you must decide which dangers will be handled and how. Based on the risk information you've gathered, management will need to decide how to go forward. Typically, this entails coming up with strategies to defend the asset from dangers. To secure the asset, this can entail putting rules and procedures into place, deploying security software, or adding further security measures.

According to ISO 31000, the risk management process includes:

- Establish the backdrop for the objectives and actions of the program
- Determine the hazards (including identifying the likelihood and consequences associated with each risk)
- Prioritize and evaluate the risks
- Risk management, which includes a cost-benefit analysis of potential treatments, as well as ongoing monitoring and assessment of risks and countermeasures

Risk identification is a critical process in risk management that involves identifying and documenting potential risks to a project, organization, or system. Here are some common steps in the risk identification process:

- Risk Statement: The first step is to create a brief and concise description of the risk, known as the risk statement. This statement should clearly define the potential risk and its impact on the project, organization, or system.
- Basic Identification: In this step, you list all the relevant facts about the risk. Examples of these facts include what could cause the risk to occur, who might be affected, and what the consequences would be if the risk were to happen.
- Detailed Identification: This step involves identifying and documenting the root causes, events, conditions, and contributing factors that may lead to the risk. This can be done by analyzing the basic identification information to identify all possible scenarios that could lead to the risk.
- Risk Assessment: After identifying the risks, the next step is to assess the likelihood and impact of each risk. This involves analyzing the probability of the risk occurring and the impact it would have if it were to happen.
- Risk Prioritization: Prioritizing risks is an essential step in the risk identification process. It involves ranking the risks based on their likelihood and impact, and then focusing on the risks with the highest priority first.
- Risk Register: The final step is to document all identified risks in a risk register. The register should include all relevant information about each risk, including the risk statement, basic and detailed identification, likelihood, impact, and risk priority.

- To keep sensitive information safe and secure, as well as to avoid being exposed to unnecessary security dangers, a proper physical and technical protection plan must be created. It is critical that the company's employees receive cyber security and data protection training. Furthermore, the information security plan should be central to the core of your organization and the customer data that you keep.
- International Transfers: Transferring data to nations without the same degree of data protection is not advisable.

The importance of data protection and security regulation

General Data Protection Regulation

The General Data Protection Regulation (GDPR) harmonizes data protection regulations in the EU so that they are appropriate for use in the digital age. By adopting a single rule, the EU claims that it will bring greater clarity to support the rights of citizens and the development of the digital economy. The GDPR is perhaps the greatest set of data security rules in the world, since it improves how people can access information about them and places limitations on what businesses can do with that data.

Importance of Data Protection & Regulation

Given the growth of user-generated data and the exponential industrial value of data, government agencies must take the appropriate actions to protect their citizens' data rights. Data protection rules maintain the security of people's personal information and govern how it is collected, used, transferred, and disclosed. Furthermore, they impose transparency requirements on firms that process personal data, enable access to such data, and provide remedy for unlawful or harmful processing.

The purpose of personal data protection is to preserve an individual's fundamental rights and liberties as well as their personal information. While keeping personal data, it is possible to ensure that human rights and freedoms are not compromised. For example, incorrect management of personal data may result in a person being passed over for a job opportunity or, worse, losing their current work. Situations might get even more difficult if the rules for the security of personal data are not followed.

Data protection regulations are required to ensure honest and consumer-friendly services and trade. Personal data protection legislation creates scenarios in which, for example, personal information cannot be sold openly, guaranteeing that individuals have more control over who makes offers to them and what types of deals come from it.

Chapter 3: Design and implement a security policy for an organization (P7)

Introduction to Security Policy

A security policy is a document that an organization provides to describe the rules and procedures for all individuals who access and use its assets and resources. It explains how to defend the company from dangers, especially those linked to computer security, and how to deal with problems when they develop.

Types of network security policies:

- Program Policies: Focus on the organization's network security goals in order to guarantee service availability and confidentiality. The policy should support the organizational structure and mission statement of the business while adhering to all applicable laws, regulations, and state and federal rules.
- System-Specific Policies: Solve system-related challenges at all levels of security, from access control policies to permissions within employee groups.
- Issue-Specific Policies: Address specific security vulnerabilities, including Internet access, unauthorized software or hardware installation, sending and receiving email, and email attachments. Issue-specific policies are created once you've recognized the problems you need to solve.

Give an example for each of the policies

2.1 Business continuity policy

Lightning struck an office building in Mount Pleasant, South Carolina, in 2013, sparking a fire. Cantey Technology, an IT firm that hosts servers for over 200 clients, called the offices home. However, Cantey's clientele never knew the difference. As part of its continuity policy, Cantey had already migrated its client servers to a separate data center, where continuous backups were stored. Despite the fact that Cantey's personnel were obliged to relocate to a temporary location, its clients were never inconvenienced.

2.2 Acceptable use policy (AUP)

The majority of AUP clauses detail the consequences of breaching the regulations. Such violations are sanctioned based on the user's relationship with the organization. Withdrawing services from violators is a regular sanction used by schools and institutions. If the acts are illegal, the organization may contact the appropriate authorities, such as the local police. Although it is more common to terminate employment when infractions endanger the organization or compromise security, employers will withhold services from their employees on occasion.

Earthlink, an American Internet service provider, has a very clear policy relating to violations of its policy. The company identifies six levels of response to violations:

- Issue warnings: written or verbal
- Suspend the Member's newsgroup posting privileges
- Suspend the Member's account
- Terminate the Member's account
- Bill the Member for administrative costs and/or reactivation charges
- Bring legal action to enjoin violations and/or to collect damages, if any, caused by violations

2.3 Human resources policy

A few examples of deliberate organizational activities used to boost staff productivity and administration are recruitment, salary, performance, assessment, training, record-keeping, and compliance. Key HR management policies should be developed for the eight commonly recognized roles listed below:

- Compensation and benefits
- Labor management relations
- Employment practices and placement
- Workplace diversity
- Health, safety, and security
- Human resources information systems
- Human resource research
- Training and development

2.4 Security policy

Physical security regulations protect a company's physical assets, which include its premises and equipment, including computers and other IT hardware. Data security standards protect intellectual property from costly incidents such as data breaches and data leaks. Physical security policies include the following information:

- Sensitive buildings, rooms, and other areas of an organization
- Who is authorized to access, handle, and move physical assets
- Procedures and other rules for accessing, monitoring, and handling these assets
- Responsibilities of individuals for the physical assets they access and handle

Give the musts and shoulds that must exist while creating a policy

Ensure that the policy is in accordance with all applicable laws. It is, in my opinion, the most crucial and must be present when developing policies. Depending on the data retention, classification, and location, the organization may be required to meet key standards to ensure consultation and data integrity. Designing and implementing a security privacy policy is one technique to reduce the amount of security that would be required in the event of a security breach.

Furthermore, formulation is the second stage of the policy process, in which policymakers propose solutions to problems. At this level, policymakers include lobbyists and activists. Policymakers must debate and put out answers to issues that have been identified in order for policies to be formed. Selecting one of many feasible options is sometimes necessary.

Security Elements

Depending on how a company wants to handle everything linked to IT security and the protection of associated physical assets, each organization can have a distinct IT security policy that is enforceable in its entirety. In any case, the following components have to form the foundation for a security policy.

Purpose

There are various purposes of a security policy. Common reasons are:

- Establish an overall approach to security of information
- Detect and prevent breaches of information security, such as abuse of networks, data, applications and computer systems
- Maintain the integrity of the company and maintain ethical and legal obligations
- Respect consumer interests, including how to respond to inquiries and concerns regarding noncompliance

Scope

The information security policy (ISP) should address all data, programs, systems, facilities, other tech infrastructure, users of technology and third parties in a given organization, without exception.

Objectives

Well-defined security and strategy objectives are required for any firm attempting to develop a working security policy. An information security policy must have three key goals:

- Confidentiality: Only authorized personnel can access and use data and assets
- Integrity: Maintain data integrity, accuracy, and completeness. IT systems must also remain operational
- Availability: Information or a system is available to authorized users when needed

Authority and Access Control Policy

The majority of security policies have a hierarchical structure. Junior employees are frequently expected to keep their limited expertise to themselves unless specifically informed otherwise. On the other side, top management may have the authority to decide what information can be shared and with whom, implying that they are not bound by the same constraints as the information security policy. As a result, the information security policy should include every significant job function inside the firm, as well as any conditions that would clarify their authorization.

Hierarchical pattern: a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager and a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.

Network security policy: users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.

Data Classification

Data may have several values. Value gradings, differentiation and distinct handling regimes or procedures for each type may be required. An information categorization system will thus aid in securing the data that is critical to the company, as well as excluding unneeded information that might otherwise strain the firm's resources.

The data classification method illustrates several organizational components. After taking into account all forms of data that belong to the entity, the data is next classed based on storage and authorization rights. These pieces of information can be classified as private, sensitive, public, or confidential. The data classification policy should take into account any specific categorization level or categories of data specified by industry regulations or standards. Organizations can reduce their overall risk by applying the appropriate level of protection to data through data categorization policies.

A data classification policy may arrange the entire set of information as follows:

- Public data: The whole public, including all employees and corporate personnel, has free access to this kind of information. There are no restrictions on its usage, reuse, or distribution.
- Internal-only data: Only authorized internal corporate personnel and workers have access to this kind of information. This might contain memoranda or other messages that are only for internal use, business strategies, etc.
- Confidential data: Access to sensitive information requires a particular clearance or authorization. Social Security numbers, cardholder information, M&A agreements, and other examples of private data may be included. Ordinarily, rules like HIPAA and the PCI DSS are in place to protect private information.
- Restricted data: Data that, if hacked or accessed without authority, might result in criminal charges, hefty penalties, or irreparable harm to the business is considered restricted data.

Data Support & Operations

Data protection regulations: systems that store personal data or other sensitive data must be covered in accordance with operational standards, best practices, industry enforcement standards and applicable regulations. Most security requirements include, at the very least, encryption, firewall and anti-malware defense.

Data backup: encrypt data backups according to industry best practices. Securely store backup media, or transfer backups to safe cloud storage.

Data movement: only transfer data via secure protocols. Encrypt any information that has been copied to handheld devices or distributed over a public network.

Responsibilities, Rights, and Duties of Personnel

In this area, the responsibilities of those assigned to carry out implementation, education, incident response, user access assessments, and regular modifications to the information security policy are critical considerations. The decision to use an information security plan to protect a company's digital assets and intellectual property is typically attributed to worries about fraud, data knowledge, and competitively valuable trade secrets. Employees should be chosen to handle user access evaluations, training, change management, incident management, implementation, and recurring security policy updates. Roles have to be precisely specified as part of the security policy.

Security Awareness and Behavior

Communicating the IT security strategy to the workforce is a significant step forward. Having staff read and accept the text does not guarantee that they have understood and agreed to the new policies. A training session, on the other hand, ensures that staff are aware of the procedures and security measures in place to secure the data.

The steps to design a policy

There are a number of methods to implement and ensure network security when creating a network policy. In general, an organization should go through the following phases to design a network policy.

Step 1: Preparation

- Create Usage Policy Statements: Before you can begin developing security policies, you must first construct a framework for the users' roles and responsibilities in preserving network security. It is also essential to cover anyone assigned as a partner: create a partner-approved use statement and advise partners of the information that is strictly available to them. In addition, provide a proper use statement that the administrator will use to define how to manage user accounts, enforce policies, and assess rights. The training initiatives and performance evaluations must be reported to the administrator of choice.
- Risk Analysis Study: Finding weaknesses and risks to your network, network resources, and data is the goal of a risk analysis. The benefit of a risk analysis is that it allows for the application of an appropriate level of protection to identified vulnerabilities in order to maintain a safe network. Core network, access network, distribution network, network monitoring, network security, email systems, network file servers, network application servers, data application servers, desktop PCs, and other devices that might be vulnerable to intrusion should all be given a risk level.
- Form a Security Team Foundation: Every organization should have a Security Manager in charge of its security staff. It is advised that each operational or departmental area have a cross-functional security team. Team members may be expected to take additional network security training. The three primary responsibilities of this team are policy development, practice, and response.

Step 2: Prevention

- Approving Security Changes: The security team might establish distinct requirements for a particular network setup. After making network configuration adjustments, review the security rules once again to properly enforce them and look for information that may be dangerous. All the modifications that are being examined should be monitored by a member of the security team.
- Security Monitoring: This approach is influenced mostly by the risk analysis report and the approval stage of security upgrades. One of these criteria will be a clear understanding of what the team wishes to monitor. Following the implementation of the changes, a monitoring policy should be prepared or revised for each area identified by the risk analysis. According to Cisco, low-risk equipment is reviewed once a week, medium-risk equipment once a day, and high-risk equipment once an hour. Monitoring at shorter intervals allows faster detection.

Step 3: Response

- Security Violations: When a sensible choice has been made in advance, a reaction is easier to regulate. Making timely decisions increases the possibility of securing network gear, determining the scope of the assault, and restoring regular operations. The security team's notification could be used to detect an intrusion. Because the amount of power within a security team changes, access to network devices may alter depending on who is in control.
- Restoration: Restoration is the last prerequisite for any security response. It is required in order to restore regular network functioning. For each system, it is required to specify how to do routine backups and make them accessible, and those steps should be documented as well. The requirements for the backup and the approval process for the restoration should all be specified in detail in the security conditions. If the backup is only available to certain roles, the procedure to get access should be specified as well.
- Review: The process of establishing and putting network security rules into action must culminate with a review. The policy, stance, and practice should all be examined as a whole. It is important to regularly do network security training to make sure that the support staff is fully aware of what to do if a network security threat enters the company. Usually, the posture exam should be combined with the unannounced drill. It is important to document the review's findings and identify the gaps in addressing these risks, so that additional steps may be taken in the event that such situations occur in the future.
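The T-V pairing, scoring and risk register steps from Chapter 1, combined with the weekly/daily/hourly monitoring cadence from Step 2, can be expressed as a small risk register. This is an added example, not part of the original assignment; the 1-5 scales, the 25% weighting per additional threat, the level cut-offs and the sample pairs are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Review cadence stated in the text (attributed there to Cisco).
MONITORING_INTERVAL = {"low": "weekly", "medium": "daily", "high": "hourly"}


@dataclass(frozen=True)
class TVPair:
    """One threat-vulnerability pairing against an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)


def risk_level(score):
    """Map a score to a level. The cut-offs are assumptions, not from the text."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_register(pairs):
    """Score every T-V pair, rank them, and attach a monitoring interval."""
    for p in pairs:
        if not (1 <= p.likelihood <= 5 and 1 <= p.impact <= 5):
            raise ValueError(f"likelihood/impact must be 1..5: {p}")

    # A vulnerability that pairs with several threats is rated higher,
    # so count the distinct threats per (asset, vulnerability).
    threats_per_vuln = defaultdict(set)
    for p in pairs:
        threats_per_vuln[(p.asset, p.vulnerability)].add(p.threat)

    register = []
    for p in pairs:
        n_threats = len(threats_per_vuln[(p.asset, p.vulnerability)])
        weight = 1 + 0.25 * (n_threats - 1)  # assumed: +25% per extra threat
        score = p.likelihood * p.impact * weight
        level = risk_level(score)
        register.append({
            "statement": f"{p.threat} exploits '{p.vulnerability}' on {p.asset}",
            "asset": p.asset,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": score,
            "level": level,
            "monitoring": MONITORING_INTERVAL[level],
        })

    # Highest score first; the statement breaks ties so ordering is stable.
    register.sort(key=lambda r: (-r["score"], r["statement"]))
    for rank, row in enumerate(register, start=1):
        row["priority"] = rank
    return register


# Constructed sample data, loosely following the server example in Chapter 1.
SAMPLE_PAIRS = [
    TVPair("file server", "malware", "unpatched OS", 4, 4),
    TVPair("file server", "external attacker", "unpatched OS", 3, 5),
    TVPair("file server", "fire", "no fire suppression in server room", 1, 5),
    TVPair("file server", "external attacker", "shared admin password", 3, 4),
    TVPair("staff laptop", "theft", "unencrypted disk", 2, 3),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f"{row['priority']}. [{row['level']:<6}] score={row['score']:<5} "
              f"review {row['monitoring']:<6} | {row['statement']}")
```

Running the register before controls are applied gives the inherent risk baseline; re-running it with updated likelihood values after controls are in place shows how the ranking and monitoring intervals change.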

Date posted: 20/05/2023, 22:41
