Đang tải... (xem toàn văn)
Task 1 - Discuss risk assessment procedures P5...2I.Define a security risk and how to do risk assessment...2II.Define assets, threats and threat identification procedures, and give examp
Trang 1ASSIGNMENT 2 FRONT SHEETQualificationBTEC Level 5 HND Diploma in ComputingUnit number and title Unit 5: Security
Trang 3❒Summative Feedback: ❒Resubmission Feedback:
Lecturer Signature:
Trang 5Task 1 - Discuss risk assessment procedures (P5) 2
I.Define a security risk and how to do risk assessment 2
II.Define assets, threats and threat identification procedures, and give examples 4
III.Explain the risk assessment procedure 5
IV.List risk identification steps 7
Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6) 7
I.Define data protection 7
II.Explain data protection process in an organization 7
III.Why are data protection and security regulation important? 9
Task 3 - Design and implement a security policy for an organisation (P7) 9
I.Define a security policy and discuss about it 9
II.Give an example for each of the policies 10
III.Give the most and should that must exist while creating a policy 11
IV.Explain and write down elements of a security policy 11
V.Give the steps to design a policy 12
Task 4 - List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8) 15
I.Discuss with explanation about business continuity 15
II.List the components of recovery plan 16
III.Write down all the steps required in disaster recovery process 17
Trang 6Table of Figures:
Figure 1 Policy must and should statements 11Figure 2 The cycle of security policy 14
Task 1 - Discuss risk assessment procedures (P5)
I.Define a security risk and how to do risk assessment
Trang 71 Definition of security risk
The possibility that a certain threat will be realized against a specific vulnerability is referred to as security risk Most risks result in potential damage or unfavorable outcomes that could harm your firm Not all risks are inherently harmful; in fact, certain risks can result in favorable outcomes The amount of risk is determined by the extent of damage (or even good benefit) caused by a threat.
2 How to do risk assessment
Two Approaches to Risk Assessment: Quantitative and Qualitative
Qualitative risk assessment—Qualitative risk assessment ranks risks based on their
probability of occurrence and impact on business operations Impact is the degree of effect a realized threat would pose Impact is often expressed from low (insignificant) to high (catastrophic) values Qualitative risk assessments can be fairly subjective, but they do help determine the most critical risks This type of assessment requires diverse input from people who work in different departments and encourages the use of relativeterms For example, a qualitative assessment asks which risks are worse than others This allows the business units and technical experts to understand the ripple effects of an event on other departments or operations.
Quantitative risk assessment—This type of risk assessment attempts to describe risk
in financial terms and put a dollar value on each risk It is more objective than a qualitative analysis One drawback to this approach is that many risks have values that are difficult to measure These include reputation and the availability of
countermeasures Exact numbers can be difficult to determine, especially the cost of theimpact of future events On the other hand, quantitative risk assessments are easier to automate than qualitative assessments Quantitative analysis puts a dollar figure on risk.
Trang 8Qualitative analysis defines risks based on the severity of their impact and/or probability.
We can combine the two methods With qualitative risk analysis, you can gain a deeper understanding of the overall impact of a disturbance as its ramifications spread throughout an organization It frequently leads to greater departmental communication about how departments must collaborate to limit damage It lacks all of the accurate financial data that a quantitative risk analysis possesses This cost data is typically required to justify countermeasure pricing As a result, you should consider both techniques.
Trang 9II.Define assets, threats and threat identification procedures, and give examples1 Assets
An asset is any item that has value Although all items in an organization have some value, the term asset generally applies to those items that have substantial value An organization’sassets can include the following.
Customer data—Name, address, phone, Social Security number (SSN), date of birth, cardholder data, protected health care information.
IT assets and network infrastructure—Hardware, software, and services.Intellectual property—Sensitive data such as patents, source code, formulas, or engineering plans.
Finances and financial data—Bank accounts, credit card data, and financial transactiondata.
Service availability and productivity—The ability of computing services and software to support productivity for humans and machinery.
Reputation—Corporate compliance and brand image.
2 Threats
A threat is any action that can damage or compromise an asset Threats can come from an individual, a group of individuals, or an organization A threat to a computing device is any action, either accidental or malicious, that can have a negative effect on the assets and resources of an individual or organization The asset might be hardware, software, databases, files, data, or the physical network itself.
A threat is significant from a security viewpoint The goal of computer security is toprovide insights, methodologies, and techniques that deal with threats You can achieve
Trang 10this goal by developing policies that help computer and network system administrators,designers, developers, and users avoid undesirable system characteristics and weaknesses.You can identify threats and rank them according to their importance and impact You canrank threats by their potential for dollar loss, negative reputation created, monetary liability,or how often they are likely to occur Each organization may rank a threat higher or lower than another organization does based on its impact to that organization.
The most common threats, in no particular order, include the following:Malicious software
Hardware or software failureInternal attacker
Trang 11Equipment theftExternal attackerNatural disasterIndustrial espionageTerrorism
3 Threat identification procedures
Threat identification is the process of identifying potential threats to an organization's assets There are several procedures that can be used to identify threats, including:
Conducting a threat assessment: This involves analyzing the organization's
environment, operations, and assets to identify potential threats and vulnerabilities.
Reviewing historical data: This involves analyzing past security incidents to identify
common threats and attack vectors.
Using threat intelligence: This involves leveraging external sources, such as security
blogs and forums, to stay informed about emerging threats and attack techniques.
Conducting security audits and assessments: This involves analyzing the
organization's security posture to identify potential vulnerabilities and areas of weakness.
Soliciting input from employees and stakeholders: This involves seeking feedback
from employees and stakeholders about potential security risks and threats.
III.Explain the risk assessment procedure1 Calculating Quantified Risk
Trang 12To evaluate quantified risk, you must first determine the value of an asset as well as the likelihood of a loss This is the event's loss probability It is a multistep process to calculate:
Calculate the asset value (AV): Something of value to a company is considered an
asset Buildings are a concrete example of an asset (reputation) Determining all of the organization's assets and their value—that is, the significance of each asset to the organization's capacity to fulfill its mission—is the first stage in the risk assessment process Asset valuation should take into account the cost of replacing any equipment or systems Also, it ought to take into account things like decreased productivity and diminished client confidence.
Trang 13Calculate the exposure factor (EF): This shows the portion of the asset's value that
would be lost in the event of an incident For instance, not all automobile accidents result in total loss Actuaries employed by insurance firms determine the probable percentage loss for each claim They can forecast the exposure factor for each claim and are familiar with the cost of repairs for every make and model Its prediction won'tbe accurate for any one claim (other from through coincidence), but it will be accurate when applied to hundreds or thousands of claims.
Calculate the single loss expectancy (SLE): The two parameters mentioned above
can be used to determine the worth of a single loss Every time an actuary receives a claim, all he has to do is look up the asset value, multiply by the EF, and he will have apretty excellent estimate of the payout For example, if the EF of a modern SUV is calculated to be 20% This lowers the likelihood that the insurance company will experience financial loss and enables the actuary to calculate insurance rates appropriately.
Determine how often a loss is likely to occur every year this is the risk likelihood, or annualized rate of occurrence (ARO): There are certain AROs that exceed one
For instance, snowstorms frequently occur in Buffalo and Berlin each year Others are probably to occur far less frequently A warehouse fire, for instance, might occur once every 20 years It might be challenging to predict how frequently an occurrence will occur Its assessment may occasionally be impacted by internal or external variables Future outcomes are not always predicted by historical data When there is employee unrest or contract negotiations, incidents like the one that resulted from an internal threat are much more frequent than they are at other times
Determine annualized loss expectancy (ALE): The SLE (the loss resulting from an
occurrence) multiplied by the ARO equals the ALE An organization can determine theoverall effect of a risk with the use of the ALE The ALE will be substantially lower than the SLE for rare incidents.
Trang 142 Qualitative Risk Analysis
Probability or likelihood: Some things—for example, the malfunction of a badge
reader on the employee entrance—will seldom happen Other things, such as employees calling in sick, will almost certainly happen.
Impact: Some things—for example, a workstation that fails to boot up—will have a
minor impact on productivity Other things, such as a production system breaking down, will have a major impact.
Trang 15IV.List risk identification steps
The identification of risks is the initial stage in the risk management procedure In order to identify risks, organizations employ a variety of techniques For the same problem, each strategy takes a different approach while identifying as many hazards as feasible The fundamental approach in each case is to assemble a thorough list of hazards using data from numerous sources The following are a few of the more well-liked techniques for risk assessment:
Brainstorming: This technique involves getting unstructured input from members in a
group meeting The facilitator should encourage all members to offer suggestions withoutfear of criticism or ridicule.
Surveys: Organizations that use this technique send lists of prepared questions to
participants for input A variety of people from different areas of the organization should be chosen to get the best input The Delphi method is a specific type of survey in which responses are anonymized, shuffled, and sent back out to participants for comment Keeping input anonymous fosters more open dialogue.
Interviews: Interviews, held in either group settings or one on one, can be an effective
approach to gather details on risks from the interviewee’s perspective.
Working groups: This technique focuses on soliciting feedback from a group of
individuals selected from a specific work area The feedback working groups provide generally helps identify risks in specific areas.
Checklists: Many organizations develop checklists of risks for either their own use or for
general distribution Checklists developed for similar organizations or purposes can be helpful to ensure that you cover the breadth of risks.
Historical information: Unless an organization is brand new, it will have some historical
information at its disposal This information may be a previously encountered risk identification process, or it may be documentation of things that went wrong in the past Either way, historical information can be valuable to identify current risks.
Trang 16Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)I.Define data protection
Data protection is the process of defending sensitive information against loss, tampering, or corruption.
II.Explain data protection process in an organization
Trang 17Data loss prevention is one method of data security (DLP) Data Loss Prevention (DLP) is a system of security technologies used to detect and recognize data that is essential to the company and make sure it is secured This protection entails keeping an eye on how and by whom the data is accessed DLP’s goal is to protect data from any unauthorized users.
Data can be examined by DLP in one of three states:
Data in-use: Data in-use is data actions being performed by “endpoint devices,” such as
creating a report from a desktop computer.
Data in-transit: Actions that transmit the data across a network, like an email sent across
the Internet, are called data in-transit.
Data at-rest: Data at-rest is data that is stored on electronic media.
Via DLP, data that is deemed essential to the business or needs to be private can be marked as such The user will be prevented from accessing the data in order to reveal it to an additional unauthorized user.
Content inspection is used by most DLP systems A security evaluation of the transaction inside its authorized environment is what is meant by content inspection In addition to the data's security level, content inspection considers who is making the request, where the data iskept, when it was made, and for what purpose Index matching is a further option for DLP systems The DLP system analyzes documents that have been designated as needing security, such as the source code for a new software application, and performs intricate calculations depending on the analysis.The DLP system can then identify the leaked portion of the document as coming from a protected document if even a little portion of it is exposed.DLP begins with an administrator creating DLP rules based on the data (what is to be examined) and the policy (what to check for) DLPs can be configured to look for specific data (such as Social Security and credit card numbers), lines of computer software source code, words in a sequence (to prevent a report from leaving the network), maximum file sizes,
Trang 18and file types Because it can be difficult to distinguish a Social Security number from a mistyped telephone number or a nine-digit online order number, DLP can use fingerprinting tomore closely identify important data Afingerprint may consist of a Social Security number along with a name to trigger an alarm In addition, whitelists and blacklists can be created to prevent specific files from being scanned These rules are then loaded into a DLP server.There are three main types of DLP sensors since data can be leaked in different ways:
DLP network sensors DLP network sensors are installed on the perimeter of the network to protect data in-transit by monitoring all network traffic This includes monitoring email, instant messaging, social media interactions, and other web applications DLP
Trang 19network sensors can even monitor multiple protocols (including HTTP, SMTP, POP, IMAP, FTP, and Telnet).
DLP storage sensors Sensors on network storage devices are designed to protect data atrest These sensors monitor the devices to ensure that the files on the hard drives that store sensitive data are encrypted They also scan the drives to determine where specific data is stored.
DLP agent sensors These sensors are installed on each host device (desktop, laptop, tablet, etc.) and protect data in-use The DLP agent sensors watch for actions such as printing, copying to a USB flash drive, and burning to a CD or DVD They can also read inside compressed (ZIP) files and binary files (such as older Microsoft Office non-XML files)
III.Why are data protection and security regulation important?
Because it protects an organization's information from fraud, hacking, phishing, and identity theft, data protection is essential A data protection plan must be developed by each company that wishes to run effectively and ensure the security of its information As more data is generated and kept, the importance of data protection increases Data leaks and cyberattacks may have disastrous results Businesses need to regularly update their security processes and take proactive measures to protect their data Security regulations are essential because they address the many aspects of how data should be managed within an organization These laws are particularly important for mobile devices because they are portable and make data theft simpler.
Task 3 - Design and implement a security policy for an organisation (P7)I.Define a security policy and discuss about it
Trang 20A security policy is essentially a written declaration of how a company wants to protect its IT assets The policy outlines the measures that must be taken to ensure that the organization's assets are not exposed to unwarranted dangers A security policy, along with the supplementaryprocedures, standards, and guidelines, are crucial for creating information security in a firm An organization has the power to take the required actions to protect its data when it has a security policy in writing.
The purpose of an organization's information security policy might be varied:
Trang 21It can be an overall intention and direction, formally expressed by the organization’s management A security policy is a vehicle for communicating an organization’s information security culture and acceptable information security behavior.
It details specific risks and how to address them, and so provides controls that executives can use to direct employee behavior.
It can help to create a security-aware organizational culture.
It can help to ensure that employee behavior is directed and monitored in compliance with security requirements.
II.Give an example for each of the policies
Reduce your organization's exposure to risks, threats, and vulnerabilities is the main goal of theIT security policy framework It's crucial to connect policy definition and standards with real-world design specifications The best security controls and countermeasures will be adequately implemented by these requirements Statements of policy must include restrictions as well as mentions of requirements, rules, and processes Policies specify how security measures and controls must be used in order to abide by rules and regulations.
Examples of some basic IT security policies include the following:
Acceptable use policy (AUP): The AUP defines the actions that are and are not allowed
with respect to the use of organization-owned IT assets This policy is specific to the UserDomain and mitigates risk between an organization and its employees
Security awareness policy: This policy defines how to ensure that all personnel are
aware of the importance of security and behavioral expectations under the organization’s security policy This policy is specific to the User Domain and is relevant when you need to change organizational security awareness behavior