1. Trang chủ
  2. » Luận Văn - Báo Cáo

btec level 5 hnd diploma in computing unit 5 security

50 0 0
Tài liệu đã được kiểm tra trùng lặp

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Tiêu đề BTEC Level 5 HND Diploma in Computing Unit 5: Security
Tác giả Hoang Duc Giang
Người hướng dẫn Le Van Thuan
Chuyên ngành Computing
Thể loại Assignment
Năm xuất bản 2023
Định dạng
Số trang 50
Dung lượng 2,77 MB

Nội dung

It involves the likelihoodof an event or action that could result in harm or damage to an organization''''s assets, such asdata breaches, unauthorized access, malicious software, physical t

Trang 1

ASSIGNMENT 2

Unit number and title Unit 5: Security

Trang 3

A Introduction:

B Body

P5 Discuss risk assessment procedures (slide 13-risk mitigation).

I Definition Security risk and risk assessment

1 Definition Security risk:

A security risk refers to any potential threat or vulnerability that can compromise theconfidentiality, integrity, or availability of information or resources It involves the likelihood

of an event or action that could result in harm or damage to an organization's assets, such asdata breaches, unauthorized access, malicious software, physical theft, or even human error.Identifying and managing security risks is crucial for organizations to safeguard their systems,networks, and sensitive information from unauthorized access or misuse

2 Security Risk Assessment:

A security risk assessment identifies, assesses, and implements key security controls inapplications It also focuses on preventing application security defects and vulnerabilities.Carrying out a risk assessment allows an organization to view the application portfolioholistically—from an attacker’s perspective It supports managers in making informedresource allocation, tooling, and security control implementation decisions Thus, conducting

an assessment is an integral part of an organization’s risk management process (What isSecurity Risk Assessment and How Does It Work? | Synopsys, no date)

II Explain Asset, threat and threat identification procedure and example

1 Asset:

Trang 4

An asset is anything that has value or importance for an organization, such as data,documents, systems, networks, devices, etc Identifying assets is the first step in informationsecurity risk assessment, as it helps to determine what needs to be protected and why Assetscan be identified by observing the information environment, consulting with stakeholders andexperts, reviewing policies and standards, and using checklists or tools.

In the context of security, an asset refers to any valuable resource that requires protectionwithin an organization's IT infrastructure Assets in IT security are typically related to digital

Trang 5

information and technology components Assets can be categorized into various types,including:

 Digital Information Assets: This includes sensitive and critical information stored andprocessed by an organization's IT systems It can encompass various types of data such

as customer information, financial records, intellectual property, trade secrets,employee data, or any other confidential or proprietary information

 Hardware Assets: Hardware assets are the physical devices used in IT infrastructure,including servers, workstations, routers, switches, firewalls, storage devices, or anyother hardware components These assets support the processing, storage, andtransmission of digital information

 Software Assets: Software assets refer to the applications, programs, operatingsystems, or any other software components used within the IT infrastructure Theseassets include commercially licensed software, custom-developed applications, open-source software, or any other software utilized by the organization

 Network Assets: Network assets involve the various components that constitute theorganization's network infrastructure This includes routers, switches, firewalls, loadbalancers, wireless access points, and other network devices It also encompasses theorganization's network topology, network diagrams, IP addressing scheme, andnetwork protocols

 System Infrastructure Assets: These assets include the core components of the ITinfrastructure, such as servers, storage systems, data centers, backup systems, and

Trang 6

virtualization platforms They serve as the foundation for supporting and maintainingthe organization's digital assets.

 System Infrastructure Assets: These assets include the core components of the ITinfrastructure, such as servers, storage systems, data centers, backup systems, andvirtualization platforms They serve as the foundation for supporting and maintainingthe organization's digital assets

 Personnel Assets Human Resources): In IT security, personnel assets are employees, (contractors, or other individuals who have authorized access to the IT systems and

Trang 7

resources Personnel assets play a critical role in maintaining the security of the ITinfrastructure and ensuring the protection of digital assets.

2 Threat

A threat is anything that can compromise or damage an asset, such as hackers, malware,natural disasters, human errors, etc Identifying threats is the second step in informationsecurity risk assessment, as it helps to estimate how likely and severe the potential harm tothe assets would be Threats can be identified by using a threat categorization methodology,such as STRIDE or ASF, which define different types of threats from the attacker’s and thedefender’s perspective Threats can also be identified by analyzing the data flow diagrams(DFDs) of the application, which show the different paths and interactions between the assets

 Malware Attacks: Malware threats encompass various types of malicious softwaredesigned to infiltrate or harm IT systems This includes viruses, worms, trojan horses,ransomware, spyware, adware, or any other malicious programs aiming tocompromise the security of systems and steal or manipulate data

 Social Engineering Attacks: Social engineering threats involve manipulating individuals

to gain unauthorized access to IT systems or sensitive information This can includephishing scams, impersonation, pretexting, baiting, or any other techniques thatexploit human vulnerabilities, such as trust or curiosity

 Unauthorized Access: Unauthorized access refers to threats involving unauthorizedindividuals or entities gaining access to IT systems, networks, or data This can includebrute-force attacks, password guessing, credential theft, privilege escalation, or any

Trang 8

other unauthorized attempts to breach system security.

 Denial-of-Service (DoS) Attacks: DoS attacks aim to disrupt or disable IT services,making them inaccessible to legitimate users This can be achieved throughoverwhelming the system's resources, network congestion, or exploitingvulnerabilities to exhaust system capabilities

 Insider Threats: Insider threats involve individuals with authorized access to IT systemsmisusing their privileges or intentionally causing harm This can include malicious

Trang 9

insiders, disgruntled employees, or individuals inadvertently compromising securitydue to negligence or lack of awareness.

 Physical Threats: Physical threats refer to risks posed by physical factors to IT systems

or infrastructure This includes theft, vandalism, destruction, unauthorized entry,natural disasters, fires, power outages, or any other physical event that can disrupt ordamage IT assets

 Data Breaches: Data breach threats involve unauthorized access to sensitive orconfidential data, leading to its exposure, theft, or loss This can occur due tovulnerabilities in systems, weak security controls, weak cryptographic practices, orhuman errors

 Cyber Espionage: Cyber espionage threats involve targeted attacks by individuals,organizations, or nation-states with the intent to steal sensitive information,intellectual property, or gain unauthorized access to critical systems to gatherstrategic or economic intelligence

3 Threat identification procedure and example

The threat identification procedure is a systematic approach to identifying potential threatsthat could harm an organization's assets It involves a series of steps that help to identify andassess the likelihood and impact of each potential threat There are different methodologiesand procedures for conducting threat identification, depending on the scope, context, andobjectives of the analysis Here are some examples of threat identification procedures:

 Asset Inventory: The first step is to identify and catalog all the assets that need to be

Trang 10

protected This includes physical assets such as equipment, buildings, and inventory,

as well as intangible assets such as customer data, intellectual property, andreputation This step helps to ensure that all assets are accounted for and that theorganization has a clear understanding of what needs to be protected

 Threat Assessment: The second step is to evaluate potential threats to each asset Thisinvolves looking at both the likelihood and potential impact of each threat Threatscan come from a variety of sources, including natural disasters, human error,

Trang 11

malicious attacks, and technological failures The goal of this step is to identify allpotential threats that could harm the organization's assets.

 Vulnerability Assessment: The third step is to identify any weaknesses orvulnerabilities in the organization's security infrastructure that could be exploited by athreat This could include outdated software, weak passwords, or inadequate physicalsecurity measures This step helps to identify areas where the organization is mostvulnerable and where security measures need to be strengthened

 Risk Analysis: The fourth step is to combine the information from the threatassessment and vulnerability assessment to determine the overall level of risk to eachasset This involves assigning a risk score to each asset based on the likelihood andpotential impact of the threats identified, as well as the vulnerabilities identified Thisstep helps to prioritize which assets require the most attention and resources toprotect

 Risk Management: The final step is to develop a plan to address the most significantrisks This plan may include implementing new security measures, improving existingmeasures, or transferring or accepting risk through insurance or other means The goal

of this step is to reduce the overall level of risk to an acceptable level and to ensurethat the organization's assets are adequately protected

Example: a small e-commerce store that sells handmade crafts.

Asset Inventory: You identify your website, inventory of handmade crafts, and customer data

Trang 12

as your primary assets.

Threat Assessment: You identify potential threats to your assets, including:

 Cyberattacks: Malicious actors could target your website to steal customer data ordisrupt your operations

 Natural disasters: Your inventory could be damaged by floods, fires, or other naturaldisasters

 Human error: Employees could accidentally delete or mishandle customer data ordamage your inventory

Trang 13

Vulnerability Assessment: You identify weaknesses in your security infrastructure and supplychain, including:

 Your website software is outdated and not regularly updated

 Your employees don't receive regular cybersecurity training

Risk Analysis: You assign a risk score to each asset based on the likelihood and potentialimpact of the identified threats You determine that cyberattacks pose the greatest risk toyour customer data and website

Risk Management: You develop a plan to address the most significant risks, including:

 Updating your website software and implementing regular software updates

 Providing regular cybersecurity training to your employees

III Risk assessment procedure

A risk assessment procedure in information security is a systematic process of identifying,analyzing, and controlling potential hazards and risks that may affect the confidentiality, integrity,and availability of information and information systems It aims to prevent or reduce thelikelihood and severity of harm to information assets, as well as to comply with legal and ethicalobligations, improve security performance and quality, and avoid losses and liabilities

The 5 steps of a successful security risk assessment model:

Step 1 Establish the Context:

The first step is to establish the context of the risk assessment, which includes identifyingthe scope, objectives, and stakeholders of the assessment This step helps to ensure that theassessment is focused and relevant to the organization

Trang 14

Step 2 Identify Risks:

The second step is to identify potential risks to the organization's assets This involvesidentifying internal and external factors that could pose a threat to the organization's assets, such

as natural disasters, cyberattacks, or human error

Step 3 Analyze Risks:

The third step is to analyze the likelihood and impact of each identified risk This involvesassessing the probability of the risk occurring and the potential consequences if it does occur.Step 4 Evaluate Risks:

Trang 15

The fourth step is to evaluate the risks to determine their significance This involvescomparing the likelihood and impact of each risk to determine which risks require the mostattention.

Step 5 Develop Risk Management Strategies:

The final step is to develop strategies to manage or mitigate the identified risks This caninclude implementing new security measures, improving existing measures, or transferring oraccepting risk through insurance or other means

IV List risk identification steps

The risk identification steps are part of the risk assessment process and involve identifyingpotential risks to an organization's assets The main purpose of the risk identification steps is toidentify risks that could negatively impact an organization's ability to achieve its objectives.The following are the main steps in the risk identification process:

Step 1 Identify Assets:

The first step is to identify the assets that need to be protected This includes physicalassets like buildings and equipment, as well as intangible assets like data and intellectualproperty

Step 2 Identify Threats:

The second step is to identify potential threats to the organization's assets This includesnatural disasters, cyberattacks, human error, and other threats that could harm theorganization's assets

Step 3 Identify Vulnerabilities:

Trang 16

The third step is to identify vulnerabilities in the organization's security infrastructure thatcould be exploited by a threat This includes weaknesses in hardware, software, and humanprocesses that could be targeted by a threat.

Step 4 Assess Risks:

The fourth step is to assess the risks associated with each identified threat andvulnerability This involves analyzing the likelihood and impact of each risk to determine itssignificance

Trang 17

P6 Explain data protection processes and regulations as applicable to an organisation.

I Define data protection

Data protection refers to the practices and measures taken to safeguard data from unauthorizedaccess, corruption, loss, or disclosure It involves the implementation of policies, procedures, andsecurity controls to ensure the confidentiality, integrity, and availability of sensitive information

The goal of data protection is to protect data throughout its lifecycle, from the point of creation

or collection, storage, processing, transmission, and eventual destruction It involves safeguardingdata against both intentional and unintentional threats or breaches, regardless of the data format(electronic or physical) or storage location (local or cloud-based)

In information security, data protection focuses on safeguarding digital information and sensitivedata assets from various threats, including cyberattacks, data breaches, insider threats, andaccidental loss

II Explain data protection process with relations to organization

Data protection is essential for any organization that handles sensitive or confidentialinformation The data protection process involves a series of steps that help to ensure theconfidentiality, integrity, and availability of an organization's data The following are the mainsteps in the data protection process with relation to an organization:

Step 1 Data Classification:

The first step is to classify the organization's data according to its sensitivity andimportance This helps to identify which data requires the highest level of protection Data

Trang 18

classification can be based on various factors, such as legal requirements, privacy regulations, andbusiness needs.

Step 2 Risk Assessment:

The second step is to conduct a risk assessment to identify potential risks to theorganization's data This involves identifying threats and vulnerabilities that could compromisethe confidentiality, integrity, or availability of the organization's data Risk assessment techniquesmay include vulnerability scanning, penetration testing, and threat modeling

Step 3 Data Security Controls:

Trang 19

The third step is to implement data security controls to protect the organization's data.This includes technical controls like access controls, encryption, and data backup, as well asadministrative controls like policies, procedures, and training Data security controls should bedesigned to mitigate the risks identified in the risk assessment.

Step 4 Monitoring and Response:

The fourth step is to monitor the organization's data security controls and respond to anyincidents or breaches This includes monitoring for unusual activity, conducting regular securityaudits, and having an incident response plan in place

Step 5 Review and Update:

The final step is to review and update the organization's data protection process on aregular basis This includes reviewing data classification, risk assessment, data security controls,and monitoring and response procedures to ensure that they are up-to-date and effective

III Why are data protection and regulation important?

1 Why data protection important?

Data protection is important for several reasons: Safeguarding Confidentiality, Integrity,Availability, Compliance, and Reputation

 Confidentiality: Data protection helps to ensure the confidentiality of sensitiveinformation Confidential information, such as personal identifying information, financialdata, and trade secrets, can be targeted by cybercriminals and other malicious actors.Data protection measures like encryption and access controls can help to preventunauthorized access to confidential data

Trang 20

 Integrity: Data protection helps to ensure the integrity of information Data can be altered

or modified by cybercriminals and other malicious actors, which can compromise theaccuracy and reliability of the information Data protection measures like data backup andvalidation can help to ensure the integrity of data

 Availability: Data protection helps to ensure the availability of information Cyberattacksand other security incidents can disrupt the availability of critical information, which canimpact business operations and customer trust Data protection measures like databackup and disaster recovery planning can help to ensure the availability of data

Trang 21

 Compliance: Data protection is often required by regulatory and legal frameworks.Organizations may be required to comply with data protection regulations, such as theGeneral Data Protection Regulation (GDPR) or the Health Insurance Portability andAccountability Act (HIPAA), to avoid legal and financial penalties.

 Reputation: Data breaches and other security incidents can damage an organization'sreputation Customers and partners may lose trust in an organization that fails to protecttheir sensitive information Data protection measures can help to maintain trust andprotect an organization's reputation

2 Why data regulation protection important?

Data regulation protection is important for several reasons, including:

 Protecting Personal Information: Data protection regulations help to protect personalinformation, such as names, addresses, and other identifying information, from beingmisused or exploited This information can be used for identity theft, fraud, and othermalicious activities Data protection regulations, such as the General Data ProtectionRegulation (GDPR) and the California Consumer Privacy Act (CCPA), require organizations

to obtain consent before collecting or using personal information and to implementmeasures to protect this information from unauthorized access or disclosure

 Preventing Data Breaches: Data breaches can have serious consequences for individualsand organizations Data protection regulations require organizations to implementmeasures to prevent and detect data breaches, such as encryption, access controls, andmonitoring In the event of a data breach, regulations require organizations to notify

Trang 22

affected individuals and take steps to mitigate the impact of the breach.

 Ensuring Data Accuracy: Data protection regulations help to ensure the accuracy of data

by requiring organizations to maintain accurate records and provide individuals with theability to correct inaccurate information This is especially important for financial andhealthcare data, where inaccurate information can have serious consequences

 Protecting Sensitive Data: Data protection regulations help to protect sensitive data, such

as financial and healthcare information, from being misused or exploited Regulations likethe Health Insurance Portability and Accountability Act (HIPAA) require healthcare

Trang 23

organizations to implement measures to protect sensitive patient information, whileregulations like the Payment Card Industry Data Security Standard (PCI DSS) requireorganizations to protect credit card information.

 Maintaining Trust: Data protection regulations help to maintain trust between individualsand organizations by demonstrating a commitment to protecting personal information.Organizations that comply with data protection regulations are more likely to earn thetrust of their customers and partners, which can lead to increased loyalty and revenue

P7 Design and implement a security policy for an organisation.

I Define and discuss what is security policy

A security policy is a documented set of rules, guidelines, and procedures that an organizationestablishes to protect its assets, resources, and information from unauthorized access, disclosure,alteration, or destruction It serves as a roadmap for implementing and maintaining a secureenvironment, defining the organization's overall approach to security and providing guidance foremployees, users, and administrators

The primary goal of a security policy is to provide a framework for safeguarding sensitive andvaluable information from unauthorized access, alteration, loss, or disclosure It serves as a guidefor employees, contractors, and other stakeholders, outlining their responsibilities andexpectations in maintaining the security posture of the organization

II Give examples of policies

 Password Policy: This policy defines requirements for creating strong and secure

Trang 24

passwords It may specify minimum password length, complexity (e.g., including uppercase letters, numbers, and special characters), password expiration periods, and restrictions on password reuse.

 Acceptable Use Policy: This policy outlines acceptable and unacceptable behaviors when using organization resources, such as computers, networks, and internet access It may address prohibited activities (e.g., unauthorized software installation, accessing inappropriate websites), guidelines for personal device usage, and consequences for policy violations.

Trang 25

 Remote Access Policy: This policy establishes guidelines for secure remote access to internal networks and systems It may include requirements for virtual private network (VPN) usage, multi-factor authentication, and encryption of data transmitted over remote connections.

 Data Classification Policy: This policy defines how sensitive data should be classified based on its level of confidentiality, integrity, and availability It may provide guidelines

on handling and protecting different data classifications, access controls, and data retention periods.

 Incident Response Policy: This policy outlines the organization's procedures for responding to security incidents, such as data breaches or cyber attacks It may include incident reporting channels, roles and responsibilities of incident response team members, and steps for containment, investigation, and recovery.

 Bring Your Own Device (BYOD) Policy: This policy addresses the use of personal devices (e.g., smartphones, tablets) in the workplace It may specify security requirements for personal devices connecting to the organization's network, such as device encryption, remote wiping capabilities, and acceptable use restrictions.

 Physical Security Policy: This policy focuses on securing physical assets and facilities It may cover measures such as access control systems, video surveillance, visitor management, and guidelines for securing equipment and sensitive documents.

 Social Media Policy: This policy provides guidelines for employees' use of social media platforms while representing the organization It may include rules for protecting

Ngày đăng: 08/05/2024, 12:45