2640-1665054891113-Unit - 05 - Security

.
HigherNationals
Internalverificationofassessmentdecisions–BTEC(RQF)
INTERNALVERIFICATION–ASSESSMENTDECISIONS
Programmetitle BTEC Higher National Diploma in Computing
.Iresha Jayarathne
Assessor InternalVerifier
Unit 05: Security
Unit(s)
Providing a suitable security solution for METROPOLIS CAPITAL Bank
Assignmenttitle
S.A Hasantha Indrajith Dissanayaka
Student’sname
Listwhichassessmentcriteri Pass Merit Distinction
atheAssessorhasawarded.
INTERNALVERIFIERCHECKLIST
Dotheassessmentcriteriaawardedmatchtho
seshownintheassignmentbrief? Y/N
Isthe Pass/Merit/Distinction
gradeawardedjustifiedbythe assessor’s Y/N
comments on the student work?
Hastheworkbeenassessedaccurate
Y/N
ly?
Isthefeedbacktothestudent:
Givedetails:
• Constructive?
Y/
• Linkedtorelevantassessmentcriteria
? NY/
• Identifyingopportunitiesforimpr N
ovedperformance?
• Agreeingactions? Y/
NY/
Doesthe
Y/N
assessmentdecisionneedamending?
Assessorsignature Date
InternalVerifiersignature Date
Programme Leader
Date
signature(ifrequired)
.
Confirm actioncompleted
Remedialactiontaken
Givedetails:
Assessorsignature Date
InternalVerifiersig
Date
nature
Programme
Date
Leadersignature(ifrequir
ed)
.
Higher Nationals - SummativeAssignmentFeedbackForm

StudentName/ID S.A Hasantha Indrajith Dissanayaka
Unit 05: Security
UnitTitle
AssignmentNumber 1 Assessor
30.11.2022 DateReceived1stsub
SubmissionDate
mission
DateReceived2ndsubmissio
Re-submissionDate
n
AssessorFeedback:
LO1. Assess risks to IT security
Pass, Merit & Distinction P1 P2 M1 D1

Descripts
LO2. Describe IT security solutions.

Descripts
LO3. Review mechanisms to control organisational IT security.

Pass, Merit & Distinction P5 P6 M3 M4 D2
Descripts
LO4. Manage organisational security.

Descripts
Grade: AssessorSignature: Date:
ResubmissionFeedback:
Grade: AssessorSignature: Date:
InternalVerifier’sComments:
Signature&Date:
* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grades decisions have
been agreed at the assessment board.
.
Pearson
Higher Nationals in
Computing
Unit 5 : Security
.
General Guidelines
1. A Cover page or title page – You should always attach a title page to your assignment. Use previous page as your cover
sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom , right margins and 1.25” for the left margin of each page.
Word Processing Rules
1. The font size should be 12 point, and should be in the style of Time New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and Page Number on
each page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your assignment.
Important Points:
1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory information. eg:
Figures, tables of comparison etc. Adding text boxes in the body except for the before mentioned compulsory
information will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing)
for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade .
9. Non-submission of work without valid reasons will lead to an automatic RE FERRAL. You will then be asked to
complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using HARVARD referencing
system to avoid plagiarism. You have to provide both in-text citation and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to A REFERRAL
or at worst you could be expelled from the course
.
Student Declaration
I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.
1. I know that plagiarism is a punishable offence because it constitutes theft.

2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiaries or copy another’s work in any of the assignments for this
program.
4. I declare therefore that all work presented by me for every aspects of my program, will be my own, and
where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding agreement
between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the
attached.
hasanthapcnew123@gmail.com 30.11.2022
Student’s Signature: Date:
(Provide E-mail ID) (Provide Submission Date)
.
Assignment Brief
Student Name /ID Number S.A Hasantha Indrajith Dissanayaka
Unit Number and Title Unit 5- Security
Academic Year 2022/23
Unit Tutor
Assignment Title METROPOLIS CAPITAL Bank
Issue Date 07.10.2022
Submission Date 30.11.2022
IV Name & Date
Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal business
style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections
as appropriate, and all work must be supported with research and referenced using the Harvard referencing system.
Please also provide an end list of references using the Harvard referencing system.
Unit Learning Outcomes:

LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.
Assignment Brief and Guidance:
METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It operates
over 100 branches and 500 ATM machines across the island as well as 8 Branches overseas. In order to provide
.
their services, METROPOLIS CAPITAL Bank has a primary datacenter located in Colombo and a Secondary
datacenter located in Galle. Each branch and ATM must have connectivity to the core banking system to be able
to operate normally. In order to establish the connectivity between datacenters, branches and ATM machines,
each location has a single ISP link. This link provides VPN services between branches, ATMs and datacenters as
well as MPLS services for the bank and it establishes connectivity between datacenters, ATMs, and branches.
METROPOLIS CAPITAL Banks Head Office is a 5 Story Building in Kollupitiya with the Ground Floor
allocated for Customer Services, the First Floor allocated for HR, the Second Floor allocated for Meeting Rooms
and Senior Executive Staff, the Third Floor is allocated for the Technical Support Team and the Fourth Floor
hosts High Performance Servers running core banking systems. Fifth Floor is for some other outside companies
that are not related with the METROPOLIS CAPITAL Bank. Other than this, METROPOLIS CAPITAL bank
provides a lot of services to customers including online and mobile banking facilities. Therefore, their core
banking system must communicate with several outside systems and all communication between outside systems,
Data centers and the Head Office is protected by a single firewall. In Addition, METROPOLIS CAPITAL Bank
has recently implemented a bring your own device (BYOD) concept for Senior Executive Staff and HR
Departments and to facilitate this, they are providing employee WiFi as well as a guest WiFi Hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several Local and foreign IT service vendors.
Some local vendors provide services and supports to foreign companies. METROPOLIS CAPITAL Banks
Technical Support Team is a local third-party vendor, contracted by METROPOLIS CAPITAL Bank and
managed by their Supply chain management officer. The Technical Support Team provides onsite and remote
support for their customers.
METROPOLIS CAPITAL bank strictly follows the rules and regulations enforced by the government and the
Central Bank. Therefore, they have obtained the ISO 31000:2009 certification. In addition to this, the areas of
datacenters, branches, ATM and HQ is covered by CCTV and 24x7 monitoring is happening. Other security
functions like VA scanning, internal auditing, and security operation done by the bank employees. They have
purchased a VA scanning tool, Privilege access management (PAM) system, Endpoint detection and respond
(EDR) system, Data loss prevention (DLP) tool, Web application firewall (WAF) and Secure mail gateway which
are managed by the Technical Support Team.
It has been reported that an emergency is likely to occur where a work from home situation may be initiated.
Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security Analyst to
recommend and implement a suitable Security solution to facilitate this situation.
.
Activity 01
Discussand assess the security procedures and types of security risks METROPOLIS CAPITAL Bank
may faceunder its current status and evaluate a range of physical and virtual security measures that
can be employed to ensure the integrity of organizational IT security. You also need to analyze the
benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with valid
reasons in order to minimize security risks identified and enhance the organizational security.
Activity 02
2.1 Discuss how an incorrect/improper configuration for network infrastructure such as firewall and VPN could
impact METROPOLIS CAPITAL Bank. Assess IT security risks that may face by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can facilitate their employees with a “Secure
remote working environment”.
2.2. Discuss how following technologies would benefit METROPOLIS CAPITAL Bank and its Clients to increase
network performance. (Support your answer with suitable illustrations).
i) Static IP,
ii) NAT
iii)DMZ
Activity 03
Review risk assessment proceduresfor METROPOLIS CAPITAL Bank to protect itself and its clients. Explain the
mandatory data protection laws and procedures which will be applied to data storage solutions provided by
METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management methodology" and summarize
the ISO 31000 risk management methodology and its application in IT security.Analyze possible impacts to
organizational security resulting from an IT security audit.Recommend how IT security can be aligned with
organizational Policy, detailing the security impact of any misalignment.
Activity 04
4.1 Design and Implement suitable security policy to prevent misuse and exploitations in line with
.
METROPOLIS CAPITAL Bank using the Organizational policy tools for the given scenario,
While evaluating and justifying the suitability of the tools used in an organizational policy to meet business needs.
Identify the stakeholders who are subject to the METROPOLIS CAPITAL Bank and describe the role of these
stakeholders to build security audit recommendations for the organization.
4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to
guarantee maximum reliability to their clients. (Student mustdevelop a PowerPoint-based presentation which
illustrates the recovery plan within 15 minutes of time including justifications and reasons for decisions and
options used).
.
Grading Rubric
Grading Criteria Achieved Feedback
LO1 Assess risks to IT security
P1 Discuss types of security risks to organizations.

P2 Assess organizational security procedures.
M1 Analyze the benefits of implementing network monitoring systems

with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can
be employed to ensure the integrity of organizational IT security.
LO2 Describe IT security solutions
P3 Discuss the potential impact to IT security of incorrect

configuration of firewall policies and third- party VPNs.
P4 Discuss, using an example for each, how implementing a DMZ,

static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.
LO3 Review mechanisms to control organizational IT
Security
P5 Review risk assessment procedures in an organization.
P6 Explain data protection processes and regulations as applicable to

an organization.
.
M3 Summarize the ISO 31000 risk management methodology and its
application in IT security.
M4 Analyze possible impacts to organizational security resulting from
an IT security audit.
D2 Recommend how IT security can be aligned with organizational
Policy, detailing the security impact of any misalignment.
LO4 Manage organizational security
P7 Design a suitable security policy for an organization, including the

main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in
implementing security audits.
M5 Justify the security plan developed giving reasons for the elements
selected.
D3 Evaluate the suitability of the tools used in an organizational policy
to meet business needs
.
S.A Hasantha Indrajith Dissanayaka 13

.
Table of Contents
What is the Network Security?.................................................................................................18
What is an organizational security procedure?.........................................................................20
Types of security procedures?......................................................................................................................20
What is the Networking Monitoring System?..........................................................................21
What are network monitoring systems?...................................................................................21
How to Implement Network Monitoring System.....................................................................21
The Benefits of Networking Monitoring..................................................................................22
What is the Physical Security?.................................................................................................23
Examples for Physical Security....................................................................................................................23
 Observing biological security concerning the building:....................................................................23
 Access Control...................................................................................................................................24
 Emergency preparedness and security testing...................................................................................25
 Surveillance tools..............................................................................................................................25
 Log and trail maintenance.................................................................................................................26
What is the Virtual Security?...................................................................................................26
Examples for Virtual Security......................................................................................................................26
What is the Firewall?................................................................................................................28
Why Are Firewalls Important?.....................................................................................................................28
Uses of firewalls...........................................................................................................................................29
How Does a Firewall Work?........................................................................................................................29
What Is a VPN?........................................................................................................................30
A Transaction without Using a VPN............................................................................................................30
A Transaction without Using a VPN............................................................................................................31
A Transaction Using a VPN.........................................................................................................................32
What is a DMZ Network?........................................................................................................33
Why DMZ Networks are Important.............................................................................................................33
Examples of Demilitarized Zone (DMZ).....................................................................................................34
What is a Network Address Translation (NAT).......................................................................35
How Does NAT Work?................................................................................................................................35
NAT Types...................................................................................................................................................36
 Static NAT.........................................................................................................................................36

.
 Dynamic NAT...................................................................................................................................36
 PAT....................................................................................................................................................36
What is a Static IP?..................................................................................................................36
Advantages of Static IP Address..................................................................................................................37
Disadvantages of Static IP Address..............................................................................................................37
What is the Risk Assessment?..................................................................................................38
How does a security risk assessment work?.................................................................................................38
Steps of Security Risk Assessment Model...................................................................................................38
How to perform a security risk assessment?................................................................................................39
What is data protection and why is it important?.....................................................................41
Principles of data protection.........................................................................................................................41
What is ISO31000....................................................................................................................42
The purpose of ISO 31000...........................................................................................................................42
The process for managing risk.....................................................................................................................43
The risk management process from ISO 31000...........................................................................................43
What is IT Security Audit?.......................................................................................................45
Benefits of IT Security Audit.......................................................................................................................45
How to Prepare for an IT Audit?..................................................................................................................45
Impact for IT Security audit for Organization..............................................................................................48
Recommendation of IT Security Improve for Organization....................................................49
What is a disaster recovery plan (DRP)?..................................................................................50
Creating a robust IT disaster recovery process: Before, during, and after...................................................51
Steps to a Successful Disaster Recovery Plan..............................................................................................52
Who Is a Stakeholder?..............................................................................................................54
Types of Stakeholders..................................................................................................................................54
What is Security Policies?........................................................................................................54
References................................................................................................................................55

.
What is the Network Security?
An Organizations’ security of the building, security for employees and financial security are all a priority.
However, the company comprises many other assets that require security and its IT infrastructure. Every
organization’s network is the lifeline that employees rely on to do their jobs and subsequently make money
for the organization. Therefore it’s important to recognize that your IT infrastructure is a must that they
require top security.
Authorized remove/copy/modify of data or password

 Spam
Spam is any kind of unwanted, unsolicited digital communication that gets sent out in bulk. Often spam is
sent via email, but it can also be distributed via text messages, phone calls, or social media.
Unauthorized use of a system

 Viruses
A virus can duplicate itself and taint different machines without the client notwithstanding realizing that
the machine has been contaminated until debacle strikes. On the off chance that a virus hits the system, at
that point, it’s probably going to proliferate to documents on different machines that are associated with the
system. Viruses can likewise spread by means of email, texting, an intranet and other shared systems
making systems and machines over-burden or crash. They can likewise catch keystrokes which are the
place the issue of security lies since passwords and banking subtleties can be uncovered as such.
Damage to or destruction of software systems

 Malware
Malware involves an assortment of noxious programming types, for example, Trojans, worms, and
Spyware which will penetrate your machine without you notwithstanding figuring it out. When your
machine is tainted it could without much of a stretch spread to executable documents on different machines
that are associated with the system along these lines causing an IT scourge. While some malware is made
basically to upset a framework, other malware is utilized for monetary benefit. Spyware, botnets and

.
keystroke lumberjacks all have vindictive goals as they assume responsibility for tainted machines and use
them to keep multiplying the assault; they additionally track client’s login subtleties for the destinations
that they utilize hence abusing their protection, just as observing charge card subtleties if the client
purchases something over the Internet.
Damage or destruction of hardware systems

 Network monitoring
Networks, servers, workstations – they all need to work flawlessly together for an association to run its
everyday errands. On the off chance that a server crashes, at that point the workstations are influenced and
individuals can’t continue with their work. On the off chance that the network bombs the repercussions
will influence the whole association, and thus influence generation levels. So observing the network and
servers routinely is the principal task for any IT administrator; utilizing network and server checking
programming this undertaking can be robotized with reports being produced all the time. Server personal
time approaches business vacation which prompts lost benefits – which all associations need to keep away
from.
Naturally occurring risks
 Vulnerability scanning and patch management
Vulnerability scanning, Patch management, and Network auditing are all security include should be tended
to when managing systems. Leaving ports open is one of the most widely recognized security liabilities
and aggressors know about this. Examining your system for open ports, machines that are powerless
against disease is the initial step to security. When the output is finished, patches must be sent on all
machines that are in danger of contamination. By evaluating your system and staying up with the latest
with all patches you extraordinarily diminish the danger of security assaults happening.

.
What is an organizational security procedure?

A security procedure is a set sequence of necessary activities that performs a specific security task or
function. Procedures provide a starting point for implementing the consistency needed to decrease
variation in security processes, which increases control of security within the organization.
Types of security procedures?
 Acceptable Use Policy (AUP)

An AUP stipulates the constraints and practices that an employee using organizational IT assets must agree
to access the corporate network or the internet. It is a standard onboarding policy for new employees. They
are given an AUP to read and sign before being granted a network ID. It is recommended that
organizations’ IT, security, legal, and HR departments discuss what is included in this policy (Ninja, 2020)
 Access Control Policy (ACP)
The ACP outlines the access available to employees in regards to an organization’s data and information
systems. Some topics that are typically included in the policy are access control standards such as NIST’s
Access Control and Implementation Guides. Other items covered in this policy are standards for user
access, network access controls, operating system software controls, and corporate passwords’ complexity.
Additional supplementary items often outlined include methods for monitoring how corporate systems are
accessed and used, how unattended workstations should be secured, and how access is removed when an
employee leaves the organization (Ninja, 2020)
 Change Management Policy.
A change management policy refers to a formal process for making changes to IT, software development,
and security services/operations. A change management program aims to increase the awareness and
understanding of proposed changes across an organization and ensure that all changes are conducted
methodically to minimize any adverse impact on services and customers. (Ninja, 2020)
 Information Security Policy.
An organization’s information security policies are typically high-level policies that can cover a large
number of security controls. The company issues the primary information security policy to ensure that all
employees who use information technology assets within the organization’s breadth or its networks comply
with its stated rules and guidelines. I have seen organizations ask employees to sign this document to

.
acknowledge that they have read it (which is generally done with signing the AUP policy). This policy is
designed for employees to recognize that there are rules that they will be held accountable to with regard to
the sensitivity of the corporate information and IT assets. (Ninja, 2020)
 Disaster Recovery Policy.
An organization’s disaster recovery plan will generally include both cyber security and IT teams’ input and
will be developed as part of the larger business continuity plan. The CISO and teams will manage an
incident through the incident response policy. If the event has a significant business impact, the Business
Continuity Plan will be activated. (Ninja, 2020)
What is the Networking Monitoring System?
Network monitoring provides the information that network administrators need to determine, in real time,
whether a network is running optimally. With tools such as networking monitoring software,
administrators can proactively identify deficiencies, optimize efficiency, and more.
What are network monitoring systems?
Network monitoring systems include software and hardware tools that can track various aspects of a
network and its operation, such as traffic, bandwidth utilization, and uptime. These systems can detect
devices and other elements that comprise or touch the network, as well as provide status updates. Network
administrators rely on network monitoring systems to help them quickly detect device or connection
failures or issues such as traffic bottlenecks that limit data flow. The ability to detect issues extends to parts
of the network traditionally beyond their demarcation boundaries. These systems can alert administrators to
issues by email or text and deliver reports using network analytics.
How to Implement Network Monitoring System
Effective network monitoring is important to help ensure that your IT infrastructure is up and running for
the users that depend you. Network monitoring software like the Spice works Monitor can help you
quickly spot and fix issues on servers, switches, VoIP phones, security cameras, and more
i. Identify the critical devices on your network
Effective monitoring starts with identifying these types of devices – the ones you just can’t live without –
and setting up network monitoring software to keep a close eye on them. Look for devices that support
vital business functions or run applications that are heavily utilized.

.
ii. Define your network monitoring policies
iii. Configure WMI and SSH on Windows and Linux servers

iv. Configure SNMP on network devices
v. Set a baseline for network performance
vi. Set up alerts and customize thresholds levels
vii. Create a plan for when you receive alerts
viii. Keep an eye on your devices
The Benefits of Networking Monitoring

 Network Visibility
You need to be able to monitor every aspect of your network. That includes all of the devices attached to
your network and the traffic that travels through the network. It’s the best way to keep an eye on the health
of your network and identify lags in performance. Just keep tracking of everything on your network can be
a challenge. Automated network mapping tools, as part of your network monitoring, can provide a
complete view of even the most complex ecosystems.
 Capacity Planning
User needs are constantly evolving as well. This can make it difficult to predict how and where users will
consume network resources in the future. As utilization increases, it’s essential to plan for additional
infrastructure and capacity to meet this demand. When you are actively tracking and monitoring
performance and utilization, network monitoring software will help you see when utilization is spiking. By
benchmarking current performance, you can more accurately anticipate future capacity and upgrade the
network.
 Finding and Fixing Problems Quickly
Network monitoring helps you isolate the issue more quickly. Whether it’s a traffic fluctuation, a
configuration error, or something more serious, network maps can help you quickly find the origin of the
problem. Network automation tools, as part of your monitoring solution, can fix many problems
automatically. Reducing your Mean Time to Repair (MTTR) reduces the impact of downtime or poor
network performance

.
 Uncovering Security Threats

Network monitoring is primarily used to monitor performance, but it can also help uncover security threats
within your system. By continuously monitoring for unusual or suspicious activity, you may be able to
detect even small threats before they become big ones. For example, malware or viruses may be
undetectable at a glance, but your network monitoring solution can flag unusual activity, such as suspicious
use of network resources.
 Deploying New Technologies
Network monitoring is also important when it’s time to deploy new technologies. It can help determine if
the network can handle additional resources and proactively detect potential performance issues. After
deployment, you’ll be able to monitor the network to ensure performance doesn’t suffer.
What is the Physical Security?

Physical security measures are designed to protect buildings, and safeguard the equipment inside. In short,
they keep unwanted people out, and give access to authorized individuals. While network and
cybersecurity are important, preventing physical security breaches and threats is key to keeping your
technology and data safe, as well as any staff or faculty that have access to the building. Without physical
security plans in place, your office or building is left open to criminal activity, and liable for types of
physical security threats including theft, vandalism, fraud, and even accidents.
Examples for Physical Security
 Observing biological security concerning the building:
Figure 1 Example for Physical Security
An important example of physical security is providing adequate facilities to build a secure building. To
do this, you should prefer to use strong locks, anti-theft doors for the building as well as strong and anti-

.
theft doors for the room where the computer is located, ensuring the reliability of windows, use of warning
signs, having a fire extinguisher for emergencies, use safe locks for doors, etc., all of which, ultimately
help maintain information and system security (DotNek, n.d.)
 Access Control
Figure 2 Example for Access Control
Securing your entries keeps unwanted people out, and lets authorized users in. A modern keyless entry
system is your first line of defense, so having the best technology is essential. There are a few different
types of systems available; this guide to the best access control systems will help you select the best system
for your building. The main things to consider in terms of your physical security are the types of
credentials you choose, if the system is on-premises or cloud-based, and if the technology meets all your
unique needs. When it comes to access methods, the most common are keycards and fob entry systems,
and mobile credentials. Some access control systems allow you to use multiple types of credentials on the
same system, too. Access control that uses cloud-based software is recommended over on-premises servers
for physical security control plans, as maintenance and system updates can be done remotely, rather than
requiring someone to come on-site (which usually results in downtime for your security system). Cloud-
based technology also offers great flexibility when it comes to adding entries and users, plus makes
integrating with your other security systems much easier. (Openpath, 2022)

.
 Emergency preparedness and security testing
Education is a key component of successful physical security control for offices. If employees, tenants, and
administrators don’t understand the new physical security policy changes, your system will be less
effective at preventing intrusions and breaches. Once your system is set up, plan on rigorous testing for all
the various types of physical security threats your building may encounter. You should run security and
emergency drills with your on-site teams, and also test any remote features of your physical security
controls to make sure administrators have the access they need to activate lockdown plans, trigger unlock
requests, and add or revoke user access. Communicating physical security control procedures with staff
and daily end users will not only help employees feel safer at work, it can also deter types of physical
security threats like collusion, employee theft, or fraudulent behavior if they know there are systems in
place designed to detect criminal activity.
 Surveillance tools
Figure 3 Example for Surveillance System
Surveillance is crucial to physical security control for buildings with multiple points of entry. The most
common type of surveillance for physical security control is video cameras. Video management systems
(VMS) are a great tool for surveillance, giving you visual insight into activity across your property.
Exterior doors will need outdoor cameras that can withstand the elements. Another consideration for video
surveillance systems is reporting and data. To get the most out of your video surveillance, you’ll want to be
able to see both real-time footage, as well as previously recorded activity. In physical security control,

.
examples of video surveillance data use cases include running audits on your system, providing video
footage as evidence after a breach, using data logs in emergency situations, and applying usage analytics to
improve the function and management of your system. (Openpath, 2022)
 Log and trail maintenance

Keeping a record of what is accessed -- and what people attempt to access -- is a reliable way to not only
discourage unauthorized users, but create a forensic-friendly data environment. Multiple failed login
attempts and attempted access using a lost card are both physical security tools that organizations can use
to reliably track their asset activity. In the case of a security breach, these records can prove incredibly
valuable for identifying security weaknesses.
What is the Virtual Security?

Virtual security is the process of protecting computer networks and data from unauthorized access or
attack. It includes hardware and software technologies, policies, and procedures designed to protect
network resources from unauthorized users. Standard measures used to achieve virtual security include
firewalls, intrusion detection systems, and encryption.
Virtual Network Security Measures
Many different virtual network security measures can be taken to protect your network and data. Some of
the most common include:
Implementing a firewall:
A firewall can help block unauthorized access to your network, control traffic flows, and protect against
malware.
Using encryption:
Encryption can help to protect data in transit as well as at rest.
Creating user accounts and permissions:
You can control who has access to which parts of your network by creating user accounts and assigning
permissions.
Monitoring activity:
Monitoring activity on your network can help you to detect suspicious activity and take appropriate action.

.
What is the Firewall?

Firewalls prevent unauthorized access to networks through software or firmware. By utilizing a set of rules,
the firewall examines and blocks incoming and outgoing traffic. Fencing your property protects your house
and keeps trespassers at bay; similarly, firewalls are used to secure a computer network. Firewalls are
network security systems that prevent unauthorized access to a network. It can be a hardware or software
unit that filters the incoming and outgoing traffic within a private network, according to a set of rules to spot
and prevent cyberattacks. Firewalls are used in enterprise and personal settings. They are a vital component
of network security. Most operating systems have a basic built-in firewall. However, using a third-party
firewall application provides better protection. (Deshpande, 2022)
Figure 4 Firewall
Why Are Firewalls Important?

Firewalls are designed with modern security techniques that are used in a wide range of applications. In the
early days of the internet, networks needed to be built with new security techniques, especially in the
client-server model, a central architecture of modern computing. That's where firewalls have started to
build the security for networks with varying complexities. Firewalls are known to inspect traffic and
mitigate threats to the devices. (Deshpande, 2022)

.
Uses of firewalls
 Firewalls can incorporate a security information and event management strategy (SIEM) into
cybersecurity devices concerning modern organizations and are installed at the network perimeter
of organizations to guard against external threats as well as insider threats.
 Firewalls can perform logging and audit functions by identifying patterns and improving rules by
updating them to defend the immediate threats.
 They are also used for antivirus applications.
 Firewalls can be used for a home network, Digital Subscriber Line (DSL), or cable modem having
static IP addresses. Firewalls can easily filter traffic and can signal the user about intrusions.
 In-home devices, we can set the restrictions using Hardware/firmware firewalls.
How Does a Firewall Work?
A firewall welcomes only those incoming traffic that has been configured to accept. It distinguishes
between good and malicious traffic and either allows or blocks specific data packets on pre-established
security rules. These rules are based on several aspects indicated by the packet data, like their source,
destination, content, and so on. They block traffic coming from suspicious sources to prevent cyberattacks.
(Deshpande, 2022)
Figure 5Firewall allowing Good Traffic

.
Figure 6Firewall blocking Bad Traffic
What Is a VPN?
A Virtual Private Network (VPN) is a connection between a VPN server and a VPN client. It is a secure
tunnel-like connection across the internet. The VPN client connects to the internet by interacting with the
VPN server through an encrypted tunnel. Since the communication between the client and the server
happens through this tunnel, attackers cannot hack the information.
A Transaction without Using a VPN
First, your computer connects to the Internet Service Provider - ISP, which provides access to the internet.
You then send your bank details to the bank's server using your IP address. Internet Protocol address or IP
address is a unique address that recognizes a particular device, be it a laptop or a smartphone on the
internet. When these details pass through the public network, the hacker who passively watches the
network traffic intercepts it. This is a passive cyber-attack where the hacker collects your bank details
without being detected. More often or not, in such an attack, payment information is likely to be stolen.
The targeted data here are the victims' usernames, passwords, and other personal information. Such an
Unsecured connection exposes your IP address and bank details to the hacker when it passes through the
public network. This way, your information gets stolen.

.
Figure 7 Example for VPN
A Transaction without Using a VPN
 First, your computer connects to the Internet Service Provider - ISP, which provides access to the
internet.
 You then send your bank details to the bank's server using your IP address. Internet Protocol
address or IP address is a unique address that recognizes a particular device, be it a laptop or a
smartphone on the internet.
 When these details pass through the public network, the hacker who passively watches the network
traffic intercepts it. This is a passive cyber-attack where the hacker collects your bank details
without being detected. More often or not, in such an attack, payment information is likely to be
stolen. The targeted data here are the victims' usernames, passwords, and other personal
information.
 Such an unsecured connection exposes your IP address and bank details to the hacker when it
passes through the public network. This way, your information gets stolen. (Duggal, 2022)

.
A Transaction Using a VPN
 Picture your bank transaction to be happening in a tunnel that is invisible to the hacker. In such a
case, the hacker will not be able to spot your transaction. And that is precisely what a VPN does. A
Virtual Private Network, more often known as VPN, creates a secure tunnel between your device
and the internet.
 For using a VPN, your first step would be to install a software-based technology known as the VPN
client on your laptop or smartphone that would let you establish a secure connection.
 The VPN client connects to the Wi-Fi and then to the ISP. Here, the VPN client encrypts your
information using VPN protocols. Data is encrypted to make sure it is secure. Next, the VPN client
establishes a VPN tunnel that connects to the VPN server within the public network.
 The VPN tunnel protects your information from being intercepted by the hacker. Your IP address
and location are changed at the VPN server to enable a private and secure connection. Finally, the
VPN server connects to your bank's server in the last step, where the encrypted message is
decrypted.
 This way, your original IP address is hidden by the VPN, and the VPN tunnel protects your data
from being hacked. This explains how VPN makes your data anonymous and secure when it passes
through the public network and the difference between a regular connection and a VPN connection.
(Duggal, 2022)

.
What is a DMZ Network?
In computer security, a DMZ Network functions as a subnetwork containing an organization's exposed,
outward-facing services. It acts as the exposed point to an untrusted networks, commonly the Internet. The
goal of a DMZ is to add an extra layer of security to an organization's local area network. A protected and
monitored network node that faces outside the internal network can access what is exposed in the DMZ,
while the rest of the organization's network is safe behind a firewall. When implemented properly, a DMZ
Network gives organizations extra protection in detecting and mitigating security breaches before they
reach the internal network, where valuable assets are stored.
Figure 8 Demilitarized Zone
Why DMZ Networks are Important
On many home networks, internet enabled devices are built around a local area network which accesses the
internet from a broadband router. However, the router serves as both a connection point and a firewall,
automating traffic filtering to ensure only safe messages enter the local area network. So, on a home
network, a DMZ can built by adding a dedicated firewall, between the local area network and the router.
While more expensive, this structure can help to protect internal devices from sophisticated attacks better
protects the inside devices from possible attacks by the outside.DMZ’s are an essential part of network
security for both individual users and large organizations. They provides an extra layer of security to the
computer network by restricting remote access to internal servers and information, which can be very
damaging if breached. (barracuda, 2022)

.
Examples of Demilitarized Zone (DMZ)
Typically, one should locate all services involving an external network in the demilitarized zone if a DMZ
is implemented. Six examples of the systems deployed within a DMZ include
 Web servers
It’s possible for web servers communicating with internal database servers to be deployed in a DMZ. This
makes internal databases more secure, as these are the repositories responsible for storing sensitive
information. Web servers can connect with the internal database server directly or through application
firewalls, even though the DMZ continues to provide protection.
 FTP servers
FTP, which stands for file transfer protocol, is a method of transferring data to any computer connected to
the internet anywhere in the world. It is a standard network protocol used to transfer files between a client
and a server on a computer network. An FTP server can host important content on a company’s website
and allow direct file engagement. As a result, it should always be isolated from crucial internal systems.
 Email servers
A mail server, also known as a mail transfer agent, refers to a program that accepts incoming emails from
local users and remote senders and transmits outgoing messages for delivery. It is common practice to store
individual emails and the user database that maintains a record of login credentials on servers that cannot
directly access the internet. As a result, an email server is developed or deployed within the DMZ to
communicate with and access the email database while avoiding direct exposure to potentially dangerous
traffic.
 DNS servers
A DNS server stores a database of public IP addresses and their associated hostnames. It usually resolves
or converts those names to IP addresses when applicable. DNS servers use specialized software and
communicate with one another using dedicated protocols. Placing a DNS server within the DMZ prevents
external DNS requests from gaining access to the internal network. Installing a second DNS server on the
internal network can also serve as additional security.

.
 Proxy servers
A proxy server is often paired with a firewall. Other computers use it to view Web pages. When another
computer requests a Web page, the proxy server retrieves it and delivers it to the appropriate requesting
machine. Proxy servers establish connections on behalf of clients, shielding them from direct
communication with a server. They also isolate internal networks from external networks and save
bandwidth by caching web content.
 VoIP servers
Although voice over internet protocol (VoIP) servers may connect with both the internal network and the
Internet, internal network access is restricted, and firewalls are configured to analyze all traffic entering the
internal LAN.
What is a Network Address Translation (NAT)

NAT stands for network address translation. It’s a way to map multiple local private addresses to a public
one before transferring the information. Organizations that want multiple devices to employ a single IP
address use NAT, as do most home routers.
How Does NAT Work?

Let’s say that there is a laptop connected to a home router. Someone uses the laptop to search for directions
to their favorite restaurant. The laptop sends this request in a packet to the router, which passes it along to
the web. But first, the router changes the outgoing IP address from a private local address to a public
address. If the packet keeps a private address, the receiving server won’t know where to send the
information back to this is akin to sending physical mail and requesting return service but providing a
return address of anonymous. By using NAT, the information will make it back to the laptop using the
router’s public address, not the laptop’s private one.

.
NAT Types
There are three different types of NATs. People use them for different reasons, but they all still work as a
NAT.
 Static NAT
When the local address is converted to a public one, this NAT chooses the same one. This means there will
be a consistent public IP address associated with that router or NAT device.
 Dynamic NAT
Instead of choosing the same IP address every time, this NAT goes through a pool of public IP addresses.
This results in the router or NAT device getting a different address each time the router translates the local
address to a public address.
 PAT
PAT stands for port address translation. It’s a type of dynamic NAT, but it bands several local IP addresses
to a singular public one. Organizations that want all their employees’ activity to use a singular IP address
use a PAT, often under the supervision of a network administrator.
What is a Static IP?

A static IP address is a 32 bit number assigned to a computer as an address on the internet. This number is
in the form of a dotted quad and is typically provided by an internet service provider (ISP).
An IP address (internet protocol address) acts as a unique identifier for a device that connects to the
internet. Computers use IP addresses to locate and talk to each other on the internet, much the same way
people use phone numbers to locate and talk to one another on the telephone. An IP address can provide
information such as the hosting provider and geographic location data.
As an example, when a user wants to visit google.com, their computer asks a domain name system (DNS)
server -- analogous to a telephone information operator -- for the correct dotted quad number. The DNS
maps the domain name to the IP address, which is needed to identify a device with a network protocol. In
this case, the DNS server will link the quad number -- analogous to a phone number -- for google.com, and
your computer uses the answer it receives to connect to the WhatIs.com server.

.
Advantages of Static IP Address
 Businesses that rely on IP addresses for mail, FTP and web servers can have one, unchanging
address.
 Static IP addresses are preferred for hosting voice over IP, VPNs and games.
 They can be more stable in the case of an interruption in connectivity -- meaning packet exchanges
won't be lost.
 They allow for file servers to have faster file uploads and downloads.
 A static IP will make it easier for any geolocation services to access where a device is.
 Static IPs are better for remote access to a computer
Disadvantages of Static IP Address
 Most people do not need a static IP address now.

 Because the IP address is constant and cannot easily be changed, a static IP address is more
susceptible to hackers or follow-up attacks.
 It can be complicated to set up a static IP manually.
 It may be difficult to transfer server settings from a static IP device to a new one if the original
device becomes obsolete.
 Devices with a static IP are easier to track.

.
What is the Risk Assessment?
A security risk assessment identifies, assesses, and implements key security controls in applications. It also
focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment
allows an organization to view the application portfolio holistically—from an attacker’s perspective. It
supports managers in making informed resource allocation, tooling, and security control implementation
decisions. Thus, conducting an assessment is an integral part of an organization’s risk management
process.
How does a security risk assessment work?
Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk assessment models.
Organizations can carry out generalized assessments when experiencing budget or time constraints.
However, generalized assessments don’t necessarily provide the detailed mappings between assets,
associated threats, identified risks, impact, and mitigating controls.
If generalized assessment results don’t provide enough of a correlation between these areas, a more in-
depth assessment is necessary.
Steps of Security Risk Assessment Model
 Identification
Determine all critical assets of the technology infrastructure. Next, diagnose sensitive data that is created,
stored, or transmitted by these assets. Create a risk profile for each.
 Assessment
Administer an approach to assess the identified security risks for critical assets. After careful evaluation
and assessment, determine how to effectively and efficiently allocate time and resources towards risk
mitigation. The assessment approach or methodology must analyze the correlation between assets, threats,
vulnerabilities, and mitigating controls.
 Mitigation
Define a mitigation approach and enforce security controls for each risk.
 Prevention
Implement tools and processes to minimize threats and vulnerabilities from occurring in your firm’s
resources.

.
How to perform a security risk assessment?
Step 1: Identify and Prioritize Assets

Assets include servers, client contact information, sensitive partner documents, trade secrets and so on.
Remember, what you as a technician think is valuable might not be what is actually most valuable for the
business. Therefore, you need to work with business users and management to create a list of all valuable
assets. For each asset, gather the following information, as applicable:
 Software
 Hardware
 Data
Step 2: Identify Threats
A threat is anything that could cause harm to your organization. While hackers and malware probably leap
to mind, there are many other types of threats:
 Natural disasters.
Floods, hurricanes, earthquakes, fire and other natural disasters can destroy not just data, but servers and
appliances as well. When deciding where to house your servers, think about the chances of different types
of natural disasters. For instance, your area might have a high risk of floods but a low likelihood of
tornadoes.
 Hardware failure.
The likelihood of hardware failure depends on the quality and age of the server or other machine. For
relatively new, high-quality equipment, the chance of failure is low. But if the equipment is old or from a
“no-name” vendor, the chance of failure is much higher. This threat should be on your list, no matter what
business you are in. People can accidentally delete important files, click on a malicious link in an email or
spill coffee on a piece of equipment that hosts critical systems.
 Malicious behavior.
There are three types of malicious behavior:
Interference is when somebody causes damage to your business by deleting data, engineering a distributed
denial of service (DDOS) against your website, physically stealing a computer or server, and so on.
Interception is theft of your data.
Impersonation is misuse of someone else’s credentials, which are often acquired through social engineering
attacks or brute-force attacks, or purchased on the dark web.

.
Step 3: Assess the Impact a Threat Could Have
 The mission of the asset and any processes that depend upon it
 The value of the asset to the organization
 The sensitivity of the asset
To get this information, start with a business impact analysis (BIA) or mission impact analysis report. This
document uses either quantitative or qualitative means to determine the impact of harm to the
organization’s information assets, such as loss of confidentiality, integrity and availability. The impact on
the system can be qualitatively assessed as high, medium or low.
Step 4: Recommend Controls
Using the risk level as a basis, determine the actions needed to mitigate the risk. Here are some general
guidelines for each level of risk:
High — a plan for corrective measures should be developed as soon as possible.
Medium — a plan for corrective measures should be developed within a reasonable period of time.
Low — the team must decide whether to accept the risk or implement corrective actions.
Step 5: Document the Results
The final step in the risk assessment process is to develop a risk assessment report to support management
in making appropriate decisions on budget, policies, and procedures and so on. For each threat, the report
should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure,
the likelihood of occurrence and the control recommendations.

.
What is data protection and why is it important?
Data protection is the process of safeguarding important information from corruption, compromise or loss.
The importance of data protection increases as the amount of data created and stored continues to grow at
unprecedented rates. There is also little tolerance for downtime that can make it impossible to access
important information. Consequently, a large part of a data protection strategy is ensuring that data can be
restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy
are other key components of data protection.
Principles of data protection

The key principles of data protection are to safeguard and make available data under all circumstances. The
term data protection describes both the operational backup of data as well as business continuity/disaster
recovery (BCDR). Data protection strategies are evolving along two lines: data availability and data
management.
Data availability ensures users have the data they need to conduct business even if the data is damaged or
lost
The two key areas of data management used in data protection are data lifecycle management and
information lifecycle management. Data lifecycle management is the process of automating the movement
of critical data to online and offline storage. Information lifecycle management is a comprehensive strategy
for valuing, cataloging and protecting information assets from application and user errors, malware and
virus attacks, machine failure or facility outages and disruptions.

.
What is ISO31000
ISO 31000 is an international standard published in 2009 (and updated in 2018) that provides principles
and guidelines for effective risk management. It outlines a generic approach to risk management, which
can be applied to different types of risks (financial, safety, project risks) and used by any type of
organization. The standard provides a uniform vocabulary and concepts for discussing risk management. It
provides guidelines and principles that can help to undertake a critical review of your organization’s risk
management process. The standard does not provide detailed instructions or requirements on how to
manage specific risks, nor any advice related to a specific application domain; it remains at a generic level.
The risk management process outlined in the ISO 31000 standard includes the following activities:
 Risk identification
 Risk analysis
 Risk evaluation
 Risk treatment
 Establishing the context
 Monitoring and review
The purpose of ISO 31000
While people working in the many different forms of risk management always have the same goal, to
provide a sound basis for decisions on whether risks are acceptable and, if necessary, obtain reliable
information how they can be dealt with, there are many different definitions of risk and of the risk
management process elements and many different versions of the process to be followed. These have all
developed for good historical reasons but individuals and organizations, whether they are for profit or not,
regulated or regulator, need to make confident and balanced decisions about all risks they have to deal
with, on a consistent and reliable basis. Decision makers are uncomfortable about resolving pieces of
apparently similar but fundamentally different information, obtained from different processes and with
different assumptions, that are described using the same words but that have different meanings.

.
The process for managing risk
After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process
as AS/NZS 4360:2004 for managing risk. While the process is essentially step like, in practice there is
considerably iteration between the steps and between the continuously applied elements of communication
and consultation and monitoring and review. Drawing a picture of this is obviously difficult and for this
reason, the diagram used in the standard was deliberately not shown as a flow chart. Its purpose is to show
the relationship between clauses of the standard that describe the process.
Figure 9The risk management process from ISO 31000
The risk management process from ISO 31000
 Communication and consultation

It allows to promote risk awareness and understanding of appropriate internal and external stakeholders at
each and every step of the risk management process.
 Scope, context and criteria

It enables the overall risk management process to be adapted in order to ensure effective risk assessment
and treatment.

.
 Risk assessment
It involves the risk identification, analysis and assessment in a systematic, iterative and collaborative
manner.
 Risk treatment
It allows to select and implement options to deal with the risk, also in an iterative way, which implies:
formulate and select risk treatment options, plan and implement treatment, evaluate efficacy, decide
whether residual risk is acceptable, otherwise perform additional treatment.
 Monitoring and review

It makes it possible to ensure and improve the design quality and efficiency.
 Recording and reporting

The activities, results as well as decision making of the risk management process should be documented,
among others, to further improve risk management activities.

.
What is IT Security Audit?
An IT security audit is a comprehensive assessment of an organization’s security posture and IT
infrastructure. Conducting an IT security audit helps organizations find and assess the vulnerabilities
existing within their IT networks, connected devices, and applications. It gives you the opportunity to fix
security loopholes, and achieve compliance. This includes things like vulnerability scans to find out
security loopholes in the IT systems. Or conducting penetration tests to gain unauthorized access to the
systems, applications, and networks. Finally, the penetration testing reports generated after performing all
the necessary procedures are then submitted to the organization for further analysis and action.
Benefits of IT Security Audit
 Weighs your current security structure and protocols and helps you define a standard for your
organization with the audit results.
 Mitigates hacker-risks by discovering potential hacker entry points and security flaws well in
advance.
 Verifies how compliant your IT infrastructure is with top regulatory bodies and helps you conform
in accordance.
 Finds lag in your organization’s security training and awareness and helps you make informed
decisions towards its betterment.

How to Prepare for an IT Audit?
Step 1: Create an IT Asset Inventory

An IT audit is all about IT assets and securing them. Creating an Inventory of all IT assets in your
organization can put everything into perspective. The IT assets include both hardware and software
resources that are used in everyday operations. Along with IT assets inventory, you should also keep the
access linked list handy. It should be easier for auditors to have immediate access to your system. To make
this work, create a list of login credentials for all software and hardware resources involved in the audit
process. Also, in terms of physical access in the building, auditors should be able to freely visit various
parts of the property.

.
Step 2: Ask Your Auditor for a Document Checklist

During the IT audit, the auditors will request various documents at different stages. keeping a list of all
important documents in your organization will come in handy. Ask your auditors to provide a list of all
documents that they may need and get your documentation right. Having all important documents in a
central location can save both you and your auditor a lot of time and trouble. The documentation entails all
contracts with third-party service providers and external vendors. The list should also include purchase
and warranty documents of your IT infrastructure. Knowing how old your equipment is
crucial in several ways.
Step 3: Prepare Your Financial Statements

A primary reason why most organizations conduct an IT audit is to reduce the operational cost of their IT
infrastructure. To reduce costs, you must create a financial statement covering all expenditures related to
the ITsetup.When the auditors have a complete picture of your finances and expenditures, they can make
suggestions about reducing operating costs and increase profit.
Step 4: IT Policies and Procedures

Before conducting an IT audit you need well-documented IT policies and procedures. A softcopy and
hardcopy of the policies and procedures ready for the auditors to review. This will save you time and
trouble that would otherwise be spent scrambling through the policies and procedures looking for
something specific.
Step 5: Ensure a Written Information Security Plan

Next to the IT policies and procedures, you should also have a written information security plan in place.
All firms that are registered with the Security Exchange Commission (SEC) are required to have a written
information security plan. A written ISP (Information Security Plan) can help prepare the organization for
IT-related risks and measures to handle it.Regarding an information security plan, a lot of organizations
have no idea where to start. This leads to unnecessary and time-consuming work. Automated tools and
processes should be used to make the process effortless. You can also hire an expert auditor to help you
through the process.

.
Step 6: Create a List of Controls and Safeguards
Whether big or small, in an IT infrastructure, controls and safeguards are one of the most important
aspects. You must have proper controls at strategic points to keep the applications and software secure.
And create a list of all controls and save that you have in place for the IT system
Step 7: Conduct a Gap Assessment

Being aware of the gaps in your IT infrastructure can make the IT audit go more smoothly. You should
also have a grasp on apps and services to better understand and secure them.
No system is entirely fool-proof, and as a user, you’re best-equipped to find vulnerabilities in your system.
Step 8: Perform a Self-assessment

Auditors are definitely the best for an audit but no one knows the system better than you. A self-assessment
of your system will help you get a better understanding of your organization. A self-assessment will also
give you confidence about your system’s performance and help you understand the audit results better
Step 9: Findings from Previous Audits

If this is your first IT audit, then you can skip this step. However, if it's not, Then make sure to present the
auditors with the findings from the previous Audit. Any issues found in the previous audits that were not
addressed before should also be mentioned.
Step 10: Schedule Tests or Deliverables

Starting an IT audit with all your test and deliverables scheduled for after the audit can show in a negative
light. Perform some basic tests and have deliverables beforehand

.
Impact for IT Security audit for Organization
 It evaluates the flow of data

Data is one of your key assets that requires top security controls. IT security auditors determine the type of
information you have, how it flows in and out of your organization, and who has access to that
information.
 It identifies vulnerable points and problem areas
The IT system is a vast one with several components including hardware, software, data, and procedures.
Expert outsourcing IT services can pinpoint if there’s any potential problem area in your system through a
number of ways. They can check if your hardware or software tools are configured and working properly.
They may also retrace security incidents from the past that might have exposed your security’s weak
points. An on-site audit may focus on carrying out tests in terms of network vulnerability, operating
system, access controls, and security application.
 It determines whether you must alter security policies and standards or not
The auditing process starts with the pre-audit, where auditors obtain relevant documentation about previous
audits, as well as copies of current policies and procedures. Afterward, they analyze and test your entire
system on-site. Throughout the auditing process, the auditors are documenting everything they have
discovered regarding the safety and effectiveness of your IT system. By the time they complete the audit,
they would have had a clear assessment if you have adequate security measures that are consistently
implemented within your organization. For example, they might discover instances of unauthorized
wireless networks that could pose risks beyond acceptable levels.
 It delivers an in-depth analysis of your internal and external IT practices and system.
Your IT security audit report contains a detailed list of the findings of the auditing team, complete with an
executive summary, supporting data, and appendices. It highlights problem areas and proposed solutions
regarding risk areas, compliance with industry standards, security policies, and the like.

.
Recommendation of IT Security Improve for Organization
 Limit Employee Access To Data

Even with intensive employee training, you possibly can't be totally protected against human error. In fact,
human error is the cause of most breaches and compliance failures. Whether your employees are unaware
of proper procedures or just careless, it's implausible to completely avoid compliance risks whenever
there's a human factor involved. You can make the effort to teach your staff and make sure that your
employees are trustworthy, but you need to take it even further if you want to minimize the risk of
mistakes. Limiting employee access to data is an effective way to take your security and compliance efforts
a step further. Ask yourself which of your staff really needs access to sensitive data and who monitors that
access. Your workers ought to only have access to data that is absolutely essential for doing their jobs. The
fewer employees have access to sensitive data, the lower the risk of mishandling.
 Delete Redundant Data

Many companies cope with sensitive information as an essential part of their daily work; especially
companies in finance, healthcare, education and the public sector. Ensuring information disposal
mechanisms are in place helps prevent stale data from being forgotten about and stolen at a later date.
Having a system for erasing, shredding or otherwise modifying redundant data to be indecipherable will go
a long way to ensuring your employees don't stash it away.
 Back-up Your Data Regularly

Always be prepared for the worst scenario. Even the most secure cyber security systems can be infiltrated
so always have a plan in place to deal with a breach and test it. Implement early alerting – set up firewalls
and security software to alert you when something unusual is happening.
 Don't Forget Physical Security

However, cyber threats are not the only threats you should worry about. You additionally need to protect
your hardware. Physical theft, hardware damage, and device failure can all compromise sensitive data, so
you need to take all the necessary steps to prevent them. You may think that physical safety doesn't apply
to cyber security, but when somebody can get physical access to a laptop computer or desktop then they

.
can provide access to others on-line or set up Trojan software. Install restricted door access such as
assigned key fobs to observe who enters the office. This includes external suppliers of services such as
cleaning and maintenance.
 Establish Strong Passwords

Many organizations are still using relaxed password policies, resulting in simple, generic and easy-to-hack
passwords for critical accounts, which have access to the valuable and sensitive data. Implementing robust
passwords is the first step you can take to strengthen your security in this area. Use reasonably complex
passwords and change them at least every 60-90 days. Never use passwords like “Admin1” or “12345”.
Don't ever write down your passwords somewhere and leave them on your workstation for other folks to
find.
What is a disaster recovery plan (DRP)?
A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization
can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity
plan (BCP). It is applied to the aspects of an organization that depend on a functioning information
technology (IT) infrastructure. A DRP aims to help an organization resolve data loss and recover system
functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal level.
The plan consists of steps to minimize the effects of a disaster so the organization can continue to operate
or quickly resume mission-critical functions. Typically, a DRP involves an analysis of business processes
and continuity needs. Before generating a detailed plan, an organization often performs a business impact
analysis (BIA) and risk analysis (RA), and it establishes recovery objectives.
Some types of disasters that organizations can plan for include the following:
 Application failure
 Communication failure
 Power outage
 Natural disaster
 Malware or other cyber attack
 Data center disaster

.
Creating a robust IT disaster recovery process: Before, during, and after
Your IT disaster recovery strategy should incorporate procedures and policies for pre-disaster, mid-
disaster, and post-disaster. Here are some factors to keep in mind when forming your IT disaster recovery
procedures:
 Pre-disaster
A bit of preparation can go a long way when forming a disaster recovery plan For example, it helps to
know exactly which humans and machines have access to your critical applications, servers, privileged
credentials, and system admin rights. It’s important to test the resiliency of your systems and outline a
secondary line of command for admins. That way, if something happens to an admin—like injury, illness,
or account compromise—someone else can step in and take command. While you’re at it, it’s also a good
idea to outline a secondary line of access to mission-critical data and customer-facing systems.
 Mid-disaster
People can act unpredictably during an emergency, so it’s important to have clear instructions in place to
walk them through a disaster. Team members also need to know where to go for access while the disaster
is taking place and how to engage secondary lines of command. To this end, you should clearly outline
how to get to your backup servers and access your admin credentials. Forming clear instructions will
eliminate confusion and expedite the recovery process—making sure productivity and services are largely
unscathed.
 Post-disaster
After the disaster ends, team members need to know when to return to normal workflows and move off
backup systems. Once the disaster is in the rear-view mirror, you should continue replication to make sure
you are still syncing to backup systems. At the end of the process, it’s critical to debrief the mission.
Analyze what worked, what did not, and any gaps that arose during the process. Use those findings to
iterate and build a more resilient plan for the next incident.

.
Steps to a Successful Disaster Recovery Plan
1. Create your disaster recovery contingency planning team

Your first step is to select the employees who will form your contingency planning team You’ll need a
good mix here, so consider choosing people who can bring a variety of perspectives on the company’s
vulnerabilities to the table. Make sure you include representatives from all the main departments within
your business, including HR, facilities and high-level managers.
.
2. List all names and contact details
Next, create a list of all employees’ names with all methods of communication for each one, ensuring that
this is regularly updated. You may need to access this info quickly, so it needs to be accurate.
Communication should include personal and work contact details.
3. Determine a chain of command

A system disaster is a high stress event. This means that a clear chain of command and authority needs to
be put in place well in advance to determine who’s in charge if and when any key personnel are missing.
During a critical incident, this will help your whole team understand who’s in charge in the chaos that may
ensue after a disaster has taken place.
4. Consider your risk assessment

When creating your disaster recovery plan, preparation is everything. So review as many potential disaster
scenarios as you can, and create a checklist of things that might possibly go wrong. Then consider how
each one of those situations would affect your core business, your revenue streams, your customer service
and your employees.
5. Do you have a ‘Plan B’?

Your ‘Plan B’ planning is when you think about what’ll happen if your primary disaster recovery plan is
not actionable For example, if you’re usual premises are unavailable, you’ll need to consider if employees
can work from home or if you can share the facilities of another company temporarily. Your top priority

.
may well be keeping your revenue flowing, in which case you’ll need to consider what people, equipment,
space, supplies, or services are needed to avoid any downtime?
6. Protect your company data

Data loss can have a huge impact on your business. Data protection and recovery is a key aspect of all
disaster recovery planning, so getting on top of them will result in good business continuity. Bare Machine
Recovery (BMR) provides a complete protection solution, assisting in the rapid recovery of machines to a
pre-disaster state. Replication software can also help you quickly clone your systems to another
environment, for example a virtual network or into the cloud.
7. Test, test and test again!

We suggest that you run a regular testing drill to make sure your new disaster recovery plan actually
works. And scheduling regular recovery simulations ensures that your systems are up and running before
the CEO – and your customers – even notice!

.
Who Is a Stakeholder?
A stakeholder is either an individual, group or organization that’s impacted by the outcome of a project or
a business venture. Stakeholders have an interest in the success of the project and can be within or outside
the organization that’s sponsoring the project. Stakeholders are important because they can have a positive
or negative influence on the project with their decisions. There are also critical or key stakeholders, whose
support is needed for the project to exist. A stakeholder is a person, like any other member of the project,
and some are easier to manage than others. You’ll have to learn to use stakeholder mapping techniques to
identify who your key stakeholders are and make sure you meet their requirements.
Types of Stakeholders
Stakeholders can be anyone with influence or anyone who can be influenced by the project. We’ve already
seen that there can be many stakeholders, something that we’ll discuss below. All stakeholders can be
broken into two groups: internal stakeholders and external stakeholders. Let’s take a look at both.
1. Internal Stakeholders
Internal stakeholders are within the organization. The project directly impacts them as they serve and are
employed by the organization managing it. Internal stakeholders can include employees, owners, the board
of directors, project managers, investors and more.
2. External Stakeholders
External stakeholders are outside of the organization and are indirectly impacted by the project. They’re
influenced by the organization’s work but are not employees of the organization. These people can be
suppliers, customers, creditors, clients, intermediaries, competitors, society, government and more.
What is Security Policies?

A security policy is a document that states in writing how a company plans to protect its physical and
information technology (IT) assets. Security policies are living documents that are continuously updated
and changing as technologies, vulnerabilities and security requirements change. A company's security
policy may include an acceptable use policy. These describe how the company plans to educate its
employees about protecting the company's assets. They also include an explanation of how security

.
measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the
policy to ensure that necessary corrections are made.
References
barracuda, 2022. DMZ Network. [Online]

Available at: https://www.barracuda.com/glossary/dmz-network#:~:text=About%20DMZ
%20Networks-,What%20is%20a%20DMZ%20Network%3F,untrusted%20networks%2C%20commonly
%20the%20Internet.
Deshpande, C., 2022. simplilearn. [Online]
Available at: https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-firewall
[Accessed 18 November 2022].
DotNek, n.d. Examples for Physical Security. [Online]
Available at: https://www.dotnek.com/Blog/Security/what-are-the-examples-of-physical-security
Duggal, N., 2022. simplilearn.. [Online]
Available at: https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-a-
vpn#importance_of_using_a_vpn
[Accessed 7 November 2022].
Ninja, P., 2020. 9 Policies For Security Procedures Examples. [Online]
Available at: https://www.privacy.com.sg/resources/9-rules-security-procedures-examples/
Openpath, 2022. Openpath. [Online]
Available at: https://www.openpath.com/physical-security-guide

2640-1665054891113-Unit - 05 - Security

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

2640-1665054891113-Unit - 05 - Security

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2640-1665054891113-Unit - 05 - Security

Uploaded by

Copyright:

Available Formats

.

Higher Nationals - SummativeAssignmentFeedbackForm

LO1. Assess risks to IT security

Pass, Merit & Distinction P1 P2 M1 D1

Pass, Merit & Distinction P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.

LO4. Manage organisational security.

Grade: AssessorSignature: Date:

Grade: AssessorSignature: Date:

Word Processing Rules

1. I know that plagiarism is a punishable offence because it constitutes theft.

Unit Number and Title Unit 5- Security

Academic Year 2022/23

Assignment Title METROPOLIS CAPITAL Bank

Issue Date 07.10.2022

Submission Date 30.11.2022

IV Name & Date

Unit Learning Outcomes:

LO2 Describe IT security solutions.

LO3 Review mechanisms to control organizational IT security.

LO4 Manage organizational security.

Assignment Brief and Guidance:

LO1 Assess risks to IT security

P1 Discuss types of security risks to organizations.

M1 Analyze the benefits of implementing network monitoring systems

P3 Discuss the potential impact to IT security of incorrect

P4 Discuss, using an example for each, how implementing a DMZ,

P5 Review risk assessment procedures in an organization.

P6 Explain data protection processes and regulations as applicable to

P7 Design a suitable security policy for an organization, including the

S.A Hasantha Indrajith Dissanayaka 13

S.A Hasantha Indrajith Dissanayaka 14

S.A Hasantha Indrajith Dissanayaka 15

What is the Network Security?

Authorized remove/copy/modify of data or password

Unauthorized use of a system

Damage to or destruction of software systems

S.A Hasantha Indrajith Dissanayaka 16

Damage or destruction of hardware systems

S.A Hasantha Indrajith Dissanayaka 17

What is an organizational security procedure?

 Acceptable Use Policy (AUP)

S.A Hasantha Indrajith Dissanayaka 18

S.A Hasantha Indrajith Dissanayaka 19

ii. Define your network monitoring policies

iii. Configure WMI and SSH on Windows and Linux servers

The Benefits of Networking Monitoring

S.A Hasantha Indrajith Dissanayaka 20

 Uncovering Security Threats

What is the Physical Security?

 Observing biological security concerning the building:

Figure 1 Example for Physical Security

S.A Hasantha Indrajith Dissanayaka 21

Figure 2 Example for Access Control

S.A Hasantha Indrajith Dissanayaka 22

 Emergency preparedness and security testing

Figure 3 Example for Surveillance System

S.A Hasantha Indrajith Dissanayaka 23