ASSIGNMENT 2 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: Date received (1st submission):
Re-submission date: Date received (2nd submission):
Student name: Phan Nguyen Dinh Trong Student ID: GCD201526
Table of Contents
P5 Discuss risk assessment procedures
1 Risk
1.1 Negative school: risk is considered misfortune, loss, danger
1.2 The neutral school
2 Risk assessment
3 Asset
4 Vulnerability
5 Threat
6 Risk identification procedures
7 Risk assessment procedures
P6 Explain data protection processes and regulations as applicable to an organisation
1 Data protection
2 Data protection
2.1 Assessment of network security risks
2.2 Raise awareness about data security among employees
2.3 Data security management
2.4 Troubleshooting and problem management
2.5 Configure the system securely
2.6 Ensure the network is divided into separate areas
2.7 Secure enterprise data by monitoring network security
2.8 Access control
2.9 Increased malware protection
2.10 Update patches regularly
2.11 Perform encryption
3 The importance of data protection regulations
P7 Design and implement a security policy for an organisation
1. Security policy
2. Example of a policy
3. The "musts" and "shoulds" that must exist while creating a policy
3.1 Ensure that there is a policy on policies
3.2 Identify any overlap with existing policies
3.3 Don't develop the policy in a vacuum
3.4 Step back and consider the need
3.5 Use the right words so there is no misunderstanding of intent
3.6 When possible, include an exceptions process
3.7 Allow some shades of grey
3.8 Define policy maintenance responsibility
3.9 Keep senior executives out of the routine when possible
3.10 Establish a policy library with versioning
4. The elements of a security policy
4.1 Introduction
4.2 Security Policy Document
4.3 Introductory Elements
4.4 Purpose
4.19 Physical Security Policies
4.20 Network Security Policies
4.21 Host Security Policies
4.22 User Security Policies
4.23 Document Security Policies
4.24 Documentation Policies
4.25 Incident Handling Policies
4.26 Audit Policies
4.27 Conclusion
5 The steps to design a policy
6 Steps in policy development
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion
1. Business continuity
2 The components of a recovery plan
3 Steps to building a disaster recovery plan
3.1 Conduct an asset inventory
3.2 Perform a risk assessment
3.3 Define criticality of applications and data
3.4 Define recovery objectives
3.5 Determine the right tools and techniques
3.6 Get stakeholder buy-in
3.7 Document and communicate your plan
3.8 Test and practice your DR plan
3.9 Evaluate and update your plan
4 The policies and procedures that are required for business continuity
References

List of Figures
Figure 1 Risk
Figure 2 Vulnerability
Figure 3 Type of Threats
Figure 4 Risk assessment steps
Figure 5 illustration
Figure 6 Control of access
Figure 7 Conduct an asset inventory
Figure 8 Perform a risk assessment
Figure 9 Define criticality of applications and data
Figure 10 Test and practice your DR plan
Figure 11 Life cycle
P5 Discuss risk assessment procedures
1 Risk
1.1 Negative school: risk is considered misfortune, loss, danger
In this view risk is something unhealthy, bad and unexpected; the word is used as a synonym for misfortune. Risk is the possibility of being in danger or of suffering harm.
Risks are unforeseen uncertainties that arise in a company's business and production processes and that have a negative impact on the company's ability to survive and grow.
Briefly put, conventional wisdom defines risk as "damage, loss, danger, or factors linked with danger, difficulty or uncertainty that can happen to a person."
Figure 1 Risk
1.2 The neutral school
Risk is uncertainty that can be measured and that is linked to the possible occurrence of unanticipated events. Both the present value and the outcome of a risk are uncertain.
2 Risk assessment
Risk assessment is the process or procedure in which you:
- Identify hazards and risk factors that have the potential to cause harm (hazard identification).
- Analyse and evaluate the risk associated with each hazard (risk analysis and risk evaluation).
- Determine the best way to remove the hazard or, where that is not possible, to control the risk (risk control).
A risk assessment is a detailed examination of the workplace to find any elements, circumstances, procedures, etc. that could cause harm, particularly to people. Once these are identified, you assess the likelihood and seriousness of the risk, and on that basis decide what steps are needed to eliminate or control the harm.
The following terms are used in the CSA Standard Z1002 "Occupational health and safety - Hazard identification and elimination and risk assessment and control":
Risk assessment: the overall process of hazard identification, risk analysis and risk evaluation.
Risk analysis: a process for comprehending the nature of hazards and determining the level of risk.
Risk evaluation: the process of comparing an estimated risk against given risk criteria to determine the significance of the risk.
Risk control: actions implementing risk evaluation decisions.
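The four steps above (hazard identification, risk analysis, risk evaluation, risk control) can be carried out on a small risk register. The following is an added example written for this page, not code from the assignment: it uses an assumed 5x5 likelihood-by-impact scale, assumed decision thresholds and a constructed register, and shows how a control lowers the inherent score to a residual score that is then evaluated again.

```python
"""Worked risk assessment on a constructed register (added example).

Hazard identification -> the Risk entries below (asset, threat, vulnerability).
Risk analysis         -> inherent_score(): likelihood x impact.
Risk evaluation       -> evaluate(): compare a score against assumed criteria.
Risk control          -> residual_score(): re-score after the listed controls.
The scales, thresholds and register contents are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed ordinal scales, 1 = lowest and 5 = highest (a common 5x5 matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def evaluate(score: int) -> str:
    """Risk evaluation: map a score onto assumed risk criteria."""
    if score >= 15:
        return "treat immediately"   # intolerable: control before operating
    if score >= 8:
        return "treat"               # tolerable only with a planned control
    if score >= 4:
        return "monitor"             # acceptable, keep under review
    return "accept"


@dataclass
class Risk:
    asset: str            # what is harmed
    threat: str           # what causes the harm
    vulnerability: str    # the weakness the threat exploits
    likelihood: str
    impact: str
    # (control name, likelihood reduction, impact reduction) per control
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk analysis: combine likelihood and impact before any control."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk control: each control lowers one factor; a factor never drops
        below 1 because a control reduces risk but does not remove it."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for _, lik_cut, imp_cut in self.controls:
            lik = max(1, lik - lik_cut)
            imp = max(1, imp - imp_cut)
        return lik * imp


def assess(register: list) -> list:
    """Return (asset, threat, inherent, residual, decision), highest inherent first."""
    rows = []
    for r in register:
        inherent, residual = r.inherent_score(), r.residual_score()
        rows.append((r.asset, r.threat, inherent, residual, evaluate(residual)))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed register for illustration only.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server",
         "likely", "severe",
         controls=[("offline backups tested monthly", 0, 2),
                   ("monthly patching", 1, 0)]),
    Risk("payroll records", "phishing", "no MFA on webmail",
         "almost certain", "major",
         controls=[("MFA for all mail accounts", 2, 0)]),
    Risk("office printer", "power outage", "no UPS",
         "possible", "negligible"),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual, decision in assess(REGISTER):
        print(f"{asset:18} {threat:13} inherent={inherent:2} residual={residual:2} -> {decision}")
```

Note that both the database and the payroll entries start with the same inherent score of 20, yet after controls they differ (9 versus 12): the evaluation step has to be repeated on the residual score, otherwise the register only records how bad things were before anything was done.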
3 Asset
An asset is a resource with economic value that an individual, organisation or nation owns or controls in the expectation that it will provide a future benefit. Assets are acquired or created to raise a company's value or to benefit its operations, and they are recorded on the company's balance sheet. Whether it is manufacturing equipment or a patent, an asset is anything that can generate cash flow, lower expenses or increase sales in the future.
Understanding assets:
An asset represents an economic resource for a company, or access that other individuals or firms do not have. A right or other access is legally enforceable, so the resource can be used as the company sees fit, and its use can be restricted or prohibited by the owner.
For an asset to be recognised, the company must hold a right to it as of the date of the financial statements. An economic resource is something scarce that can produce benefit by increasing cash inflows or decreasing cash outflows.
Assets fall into a few basic categories: short-term (or current) assets, fixed assets, financial investments and intangible assets. For an individual they include, for example:
- Real estate, including any building permanently affixed to the land.
- Personal property such as boats, collectibles, furniture, jewellery and vehicles.
- Investments such as equities, bonds, mutual funds, annuities, pensions and the cash value of life insurance policies.
Net worth is calculated by subtracting liabilities from assets. In essence, liabilities are everything you owe and assets are everything you own. A positive net worth means your assets are worth more than your liabilities; a negative net worth means your liabilities exceed your assets (in other words, you are in debt).
Business assets:
For businesses, assets are valuable items that support production and growth. They may include tangibles such as machinery, real estate, raw materials and inventory, as well as intangibles such as royalties, patents and other forms of intellectual property.
The balance sheet lists a company's assets and details how they are financed, whether through debt or through issuing stock. It gives a quick overview of how effectively management is using the company's resources. Two categories of assets typically appear on a balance sheet:
Current assets:
Current assets are assets that can be converted into cash within one fiscal year or one operating cycle; they fund day-to-day expenses and investments. Examples include:
- Cash and cash equivalents: cash, certificates of deposit and Treasury bills.
- Marketable securities: liquid debt or equity securities.
- Accounts receivable: money owed by customers that is due shortly.
- Inventory: raw materials or goods for sale.
Fixed assets:
Fixed assets, also called non-current assets, are those a business uses to produce goods and services and that have a longer useful life. They appear on the balance sheet as property, plant and equipment (PP&E) and are classified as tangible (i.e. touchable) assets because they are physical, long-term investments. Examples include:
- Vehicles (such as company trucks)
- Office furniture
Non-current assets cannot easily be converted to cash to cover immediate operating costs or investments; this is the main contrast with current assets, which are expected to be liquidated within one fiscal year or one operating cycle.
4 Vulnerability
A vulnerability is a gap or weak point in an application, whether an implementation bug or a design flaw, that allows an attacker to harm the application's stakeholders. Stakeholders include the application owner, the application's users and other organisations that rely on the application.
Figure 2 Vulnerability
5 Threat
Types of threats
NIST defines a threat as any circumstance or event with the potential to adversely affect an organisation's operations, assets or individuals (NIST SP 800-30). Under this definition a threat can be either an event or a condition: natural disasters, fires and power outages all count as events here, so the concept is a broad one. In the field of cybersecurity, threats such as viruses, Trojan horses and denial-of-service attacks are discussed more often.
Phishing emails are a social-engineering threat that can lead to the loss of sensitive data such as passwords, credit card numbers and other personal information. Threats to information assets can result in loss of confidentiality, integrity or availability; these three properties are known as the CIA triad.
The STRIDE threat model builds on the CIA triad and three further well-known security properties. When enumerating potential threats it is convenient to start from an established classification, and the best-known one is STRIDE, proposed at Microsoft in 1999. The name is formed from the first letter of each category, which also makes them easier to remember: Spoofing (defeats authentication), Tampering (integrity), Repudiation (non-repudiation), Information disclosure (confidentiality), Denial of service (availability) and Elevation of privilege (authorisation).
1 Data protection
Data protection is the process of safeguarding important information from loss, tampering or corruption. As data is created and stored at unprecedented rates, the importance of data protection grows, and there is little tolerance for downtime that makes crucial information inaccessible. A key component of a data protection strategy is therefore making sure that data can be restored quickly after any loss or damage. Other essential elements of data protection are safeguarding data privacy and preventing data breaches.
2 Data protection
Before investing in data security, you must specify precisely which data your company needs to secure. Businesses frequently have only a partial or incorrect understanding of what data has to be safeguarded.
2.1 Assessment of network security risks
Once the organisation has identified the data it holds, it must examine the threats that data may face:
- Network security incidents.
- Natural disasters such as fire, earthquake, etc.
After identifying the risks to the data that must be protected, you implement security measures for the organisation's network. This allows you to pinpoint the security dangers currently facing the organisational network as a whole and the organisation's data in particular, and then to deploy security solutions that fit the organisation's model, budget and requirements, or to protect the system by patching.
2.2 Raise awareness about data security among employees
- The human element is one of the biggest threats to business data security. One of the most effective ways to secure data in a business is therefore to educate staff and build awareness of data security among them.
- Businesses must regularly plan initiatives to raise awareness and to train employees in network and data security. This is the most effective way to reduce data breaches and to avoid spending money on outside security services. At the same time, since enterprises use data in their operations, they need documented data security policies and working procedures in order to apply management standards and guarantee safety.
2.3 Data security management
Company data is always exposed to security threats. Because of this, implementing security measures once is not enough; it must be done regularly and continuously. Each company should, where feasible, have a dedicated leader or employee who understands corporate data security and confidentiality and who is responsible for overseeing the application of security procedures and controls. This helps lower the network security risks to the company and its commercial data.
2.4 Troubleshooting and problem management
Figure 5 illustration
Documenting the process for responding to security incidents affecting the network and corporate data is crucial in order to limit the harm such incidents cause to the business.
Alternatively, you can engage specialised network security assessment and incident response units. When incidents happen, these units advise on the response procedure and organise the troubleshooting, which helps limit the damage to your organisation.
2.5 Configure the system securely
All internal components (including software and hardware) are configured to comply with the requirements of the security policy and to take appropriate steps to protect the company's data.
2.6 Ensure the network is divided into separate areas
Separate network zones help isolate and minimise the harm caused by network security incidents such as enterprise data leakage and malicious code infection. A DMZ also helps regulate access between zones by placing additional firewalls between the untrusted external network (internet zone) and the intranet zone. To make sure the access policies between network zones are always enforced, conduct regular penetration testing.
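The check that the zone access policy is actually enforced can be automated. The following is an added example, not part of the assignment: it assumes a three-zone address plan (internet, DMZ, intranet), a constructed default-deny rule set and a constructed list of observed flows (as would come from firewall logs or an internal port scan), and reports every flow that crosses a zone boundary without a rule permitting it, including the classic case of a DMZ host reaching into the intranet.

```python
"""Zone-based access policy audit for a segmented network (added example).

Zones, address ranges, rules and sample flows are constructed for illustration
and are not taken from any real network. A flow is permitted only when a rule
explicitly allows it (default deny), which is the property worth verifying
between the internet, DMZ and intranet zones.
"""
import ipaddress
from typing import NamedTuple, Optional

# Assumed address plan. The internet entry is the catch-all; zone_of() picks
# the most specific matching network, so it only applies when nothing else does.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "intranet": ipaddress.ip_network("10.10.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Return the zone of an address: longest matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "internet", -1
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


class Rule(NamedTuple):
    src_zone: str
    src_host: Optional[str]   # None = any host in src_zone
    dst_zone: str
    dst_host: Optional[str]   # None = any host in dst_zone
    ports: frozenset          # allowed TCP destination ports


# Assumed policy: the internet reaches only the DMZ web host; only the DMZ
# application host may reach the intranet, and only the database port.
POLICY = [
    Rule("internet", None, "dmz", "192.0.2.10", frozenset({80, 443})),
    Rule("dmz", "192.0.2.10", "intranet", "10.10.5.20", frozenset({5432})),
    Rule("intranet", None, "dmz", None, frozenset({22, 443})),
    Rule("intranet", None, "internet", None, frozenset({80, 443})),
]


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: the flow passes only if some rule matches every field."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone == sz and rule.dst_zone == dz
                and rule.src_host in (None, src)
                and rule.dst_host in (None, dst)
                and port in rule.ports):
            return True
    return False


def audit(flows: list) -> list:
    """Return the flows that violate the policy, annotated with both zones."""
    return [(src, dst, port, zone_of(src), zone_of(dst))
            for src, dst, port in flows if not is_allowed(src, dst, port)]


# Constructed observed flows, e.g. from firewall logs or an internal scan.
FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443),   # internet -> DMZ web server: allowed
    ("203.0.113.7", "10.10.5.20", 5432),  # internet -> intranet DB: violation
    ("192.0.2.10", "10.10.5.20", 5432),   # DMZ app host -> DB: allowed
    ("192.0.2.10", "10.10.7.30", 445),    # DMZ -> intranet file share: violation
    ("10.10.1.15", "192.0.2.10", 22),     # intranet admin -> DMZ ssh: allowed
    ("192.0.2.11", "10.10.5.20", 5432),   # other DMZ host -> DB: violation
]

if __name__ == "__main__":
    for src, dst, port, sz, dz in audit(FLOWS):
        print(f"VIOLATION {sz}->{dz}: {src} -> {dst}:{port}")
```

The fourth and sixth flows are the ones a penetration test between zones is meant to surface: a compromised DMZ host pivoting to an intranet file share, and a DMZ host other than the application server reaching the database. Both are blocked only because the rule set is default deny and pins the source host, not just the source zone.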
2.7 Secure enterprise data by monitoring network security
To detect network anomalies early and to maximise detection and prevention, technologies that monitor traffic both inside and outside the network are necessary. IDS (intrusion detection system), IPS (intrusion prevention system) and SIEM (security information and event management) are the solutions most commonly employed by enterprises today to detect and block attacks early.
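What an IDS or SIEM does with the traffic and logs it collects is apply correlation rules. The following is an added example, not code from the assignment or from any IDS product: a rule that raises an alert when one source fails SSH authentication a threshold number of times inside a sliding time window. The log lines are constructed in the style of OpenSSH syslog messages, and the threshold and window are assumed values a team would tune for its own environment.

```python
"""SIEM-style brute-force correlation rule over auth log lines (added example).

Alerts when a source IP produces `threshold` failed logins within `window_s`
seconds. The sample log is constructed in OpenSSH/syslog style; the threshold
and window values are assumptions, not recommendations.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample. Real input would be a tail of /var/log/auth.log or a
# SIEM feed. Syslog timestamps carry no year, so one is assumed when parsing.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 50110 ssh2
Mar  3 10:00:03 bastion sshd[2302]: Failed password for root from 198.51.100.23 port 50111 ssh2
Mar  3 10:00:04 bastion sshd[2303]: Failed password for root from 198.51.100.23 port 50112 ssh2
Mar  3 10:00:06 bastion sshd[2304]: Failed password for invalid user test from 198.51.100.23 port 50113 ssh2
Mar  3 10:00:07 bastion sshd[2305]: Failed password for invalid user oracle from 198.51.100.23 port 50114 ssh2
Mar  3 10:00:09 bastion sshd[2306]: Accepted publickey for alice from 10.10.1.15 port 41022 ssh2
Mar  3 10:01:30 bastion sshd[2307]: Failed password for bob from 10.10.1.40 port 41100 ssh2
Mar  3 10:09:30 bastion sshd[2308]: Failed password for bob from 10.10.1.40 port 41101 ssh2
Mar  3 10:17:30 bastion sshd[2309]: Failed password for bob from 10.10.1.40 port 41102 ssh2
Mar  3 10:25:30 bastion sshd[2310]: Failed password for bob from 10.10.1.40 port 41103 ssh2
Mar  3 10:33:30 bastion sshd[2311]: Failed password for bob from 10.10.1.40 port 41104 ssh2
"""

# Matches only failed password attempts; other sshd messages are ignored.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log: str, year: int = 2024):
    """Yield (timestamp, user, ip) for each failed-login line; skip the rest."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 600) -> list:
    """Sliding window per source IP.

    Each failure is appended to the source's queue and failures older than
    `window_s` are dropped from the front, so the queue length is the number
    of failures inside the window. Attempts spaced wider than the window never
    accumulate, which is why the window size is as important as the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    alerts, alerted = [], set()
    for ts, _user, ip in parse_failures(log):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:   # one alert per source
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute force from {a['ip']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the default 5 failures in 10 minutes, only 198.51.100.23 is reported; the slow attempts from 10.10.1.40, one every eight minutes, never have more than two failures inside the window. Widening the window to an hour catches them too, at the cost of more noise from users who genuinely mistype a password, which is the tuning trade-off a monitoring team has to make.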
2.8 Access control
Figure 6 Control of access