
STUDENT ASSESSMENT SUBMISSION AND DECLARATION

When submitting evidence for assessment, each student must sign a declaration confirming that the work is their
own.

Student name: Jonathan Mottley
Assessor name: Samuel Williams

Issue date: Wednesday 8th July 2020
Submission date: Tuesday 1st September 2020
Submitted on: Monday 7th September 2020

Programme:

BTEC HND in Computing and Systems Development

Unit: Unit 5 – Security

Assignment number and title: Assignment 1

Plagiarism

Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who break the
rules, however innocently, may be penalised. It is your responsibility to ensure that you understand correct
referencing practices. As a university level student, you are expected to use appropriate references throughout
and keep carefully detailed notes of all your sources of materials for material you have used in your work,
including any material downloaded from the Internet. Please consult the relevant unit lecturer or your course
tutor if you need any further advice.

Student Declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of
plagiarism. I understand that making a false declaration is a form of malpractice.

Student signature: Date: 07/09/2020

1|Page
Contents
Introduction...........................................................................................................................................3
Task 1a..................................................................................................................................................4
Task 1b..................................................................................................................................................5
Task 1c..................................................................................................................................................6
Task 2a..................................................................................................................................................9
Task 2b................................................................................................................................................10
Task 2c................................................................................................................................................11
Task 2d................................................................................................................................................12
Task 2e................................................................................................................................................13
Task 3a................................................................................................................................................17
Task 3b................................................................................................................................................19
Task 3c................................................................................................................................................20
Task 3d................................................................................................................................................22
Task 3e................................................................................................................................................23
Task 4a................................................................................................................................................24
Task 4b................................................................................................................................................29
Task 4c................................................................................................................................................31
Task 4d................................................................................................................................................33
Task 4e................................................................................................................................................34
References...........................................................................................................................................35

Introduction

Big Umbrella Insurance (BUI) is a company that deals with various kinds of insurance, from property
and health to motor. Its branches are spread throughout the region, in Grenada, Guyana, Barbados
and Trinidad & Tobago, where the head office is located. Because confidential information on its
clients was exposed on the internet, there has been a catastrophic effect on new customer
acquisitions.

Our Information Security team was hired by BUI to help stop these breaches. Our first step is to
analyse all aspects of the company's IT infrastructure and security policies.

The equipment utilised within each branch is as follows:

• 1 – Active Directory Server
• 1 – DHCP Server
• 1 – Fault Tolerant Switch
• 1 – Fault Tolerant Router

The equipment utilised in the head office is as follows:

• 1 – Database Server
• 3 – Web Servers
• 2 – Application Servers
• 1 – Active Directory Server
• 1 – DHCP Server
• 1 – Email Server
• 1 – PBX Server
• 1 – Fault Tolerant Switch
• 1 – Fault Tolerant Router

Task 1a

Our investigation of the security issues that have arisen within the organisation clearly shows the
potential risks waiting to unfold. We identified that all restricted areas are controlled with a keypad
into which the user enters a 4-digit code to gain access to the desired restricted area. The code is
not unique to the user: there is only one code, shared amongst the whole organisation, and it has not
been changed in 6 months. With this type of access control there is a limit to the level of control at
the respective door, because of the simplistic way these controls are applied. There is no way to
monitor who used the code. Previous workers who still know the code may still be able to access the
restricted area and cause potential harm.

All of their peripherals are located in a closet that can be physically locked; however, the key used
to lock the door is then placed in a central cabinet that can be accessed by all employees. Even
though the networking equipment has been physically secured in a closet, obtaining the key to the
closet is not hard because of where it is stored. Anyone who wants access to the networking closet
can simply pick up the key from the centralised cabinet and unlock it. This is a huge security risk to
the organisation.

All physical hard copies are stored in a filing cabinet that is locked with a key. This key is also
stored in the centralised key cabinet, which is accessible by all employees.

Upon further enquiry, we discovered that each branch has its own dedicated Active Directory server.
These AD servers are used to grant users access to the domain of their respective branch. A set-up
with multiple AD servers can function, but it should only be practised with better administrative and
maintenance plans, as it now relies on them. There are various drawbacks with this type of set-up,
chiefly administrative inconsistency: the administrator would have to implement and manage security
and group policies in multiple domains, which can cause inconsistencies.

Task 1b

Based on the information gathered previously, there are no security procedures implemented in the
organisation. The following illustrates the procedures that should be implemented: business
continuity, data backups and audits.

Firstly, let us discuss business continuity. Business continuity deals with the ability of an
organisation to ensure that its core business functions and operations are not impacted too severely
during an unplanned incident that may bring systems offline. For BUI to be prepared with a business
continuity plan (BCP), it must first understand what a BCP is and some of the areas a BCP guards
against. A BCP is a plan implemented by an organisation to minimise the amount of downtime that may
arise. It is created by first identifying the possible threats that may impact the company and then
creating policies to minimise these threats and the resulting downtime. Some of the areas guarded
against once a proper BCP is implemented are natural disasters, network disruptions, cybersecurity
incidents and human error.

Secondly, data backups would help keep the data in BUI safe and secure. In the event that data
within the organisation is corrupted or compromised, there would be a backup to restore from,
minimising the amount of downtime. There are two approaches to data backup: onsite and offsite.
Onsite backup is where data is backed up locally and possibly stored onsite, by various means such as
external hard drives, tape drives and local network-attached storage.

Offsite backup is where data is backed up externally to a secondary location, for example through
the use of cloud services.

These backups should follow some predefined scheme, such as grandfather-father-son or another
rotational scheme. These methods preserve the lifespan of the hardware and make each backup smaller
and lighter. The negative side is that restoration now requires multiple steps. There are three types
of backup: full backup, incremental backup and mirror backup.

A full backup is where all data is backed up in full. An incremental backup is where the first
backup is a full backup and every backup after it records only the changes since the previous one. A
mirror backup is where the backup is kept as close as possible to the live data: for instance, if a
file is deleted, it is also deleted from the backup.
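The three backup types and the grandfather-father-son rotation described above, worked through on a small in-memory file tree. This is an added example, not code from the original report; the file contents, dates and retention counts are constructed assumptions, and it shows the caveat the text hints at: a mirror backup faithfully copies a deletion, while a full backup plus its incremental chain still has the file.

```python
"""Full, incremental and mirror backups, plus grandfather-father-son
retention, over an in-memory file tree (dict of path -> bytes).

Added illustration; not part of the original report. All file contents
and backup dates below are constructed so the script runs offline.
"""
import datetime as dt
import hashlib
from copy import deepcopy


def digest(data: bytes) -> str:
    """Content hash used to decide whether a file changed."""
    return hashlib.sha256(data).hexdigest()


def full_backup(live: dict) -> dict:
    """Copy every file, unconditionally."""
    return deepcopy(live)


def incremental_backup(live: dict, last_backup: dict) -> dict:
    """Return only files that are new or changed since `last_backup`.

    Deletions are not recorded: a file removed from `live` simply does not
    appear in the increment, so the earlier full backup still holds it.
    """
    return {
        path: data
        for path, data in live.items()
        if path not in last_backup or digest(last_backup[path]) != digest(data)
    }


def mirror_sync(destination: dict, live: dict) -> dict:
    """Make `destination` match `live` exactly: deletions propagate too."""
    for path in list(destination):
        if path not in live:
            del destination[path]
    for path, data in live.items():
        if path not in destination or digest(destination[path]) != digest(data):
            destination[path] = data
    return destination


def restore_chain(full: dict, increments: list) -> dict:
    """Restore = full backup plus every increment applied in order
    (the multi-step restoration the text mentions)."""
    restored = deepcopy(full)
    for inc in increments:
        restored.update(inc)
    return restored


def gfs_keep(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention: sons are the last `daily` days,
    fathers the last `weekly` Sunday backups, grandfathers the last
    `monthly` first-of-month backups. Everything else can be rotated out."""
    dated = sorted(backup_dates, reverse=True)
    sons = [d for d in dated if (today - d).days < daily]
    fathers = [d for d in dated if d.weekday() == 6][:weekly]
    grandfathers = [d for d in dated if d.day == 1][:monthly]
    return sorted(set(sons) | set(fathers) | set(grandfathers))


def gfs_demo() -> list:
    """Sixty consecutive daily backups ending 2020-09-07 (constructed)."""
    today = dt.date(2020, 9, 7)
    dates = [today - dt.timedelta(days=i) for i in range(60)]
    return [d.isoformat() for d in gfs_keep(dates, today)]


def run_scenario() -> dict:
    """Three days of activity on a constructed BUI file share."""
    day0 = {"clients.csv": b"id,name\n1,A. Client\n", "policy.docx": b"v1"}
    full = full_backup(day0)
    mirror = full_backup(day0)

    day1 = dict(day0, **{"policy.docx": b"v2", "claim-77.pdf": b"%PDF"})
    inc1 = incremental_backup(day1, full)     # only the 2 changed files
    mirror_sync(mirror, day1)

    day2 = dict(day1)
    del day2["clients.csv"]                   # accidental (or malicious) deletion
    inc2 = incremental_backup(day2, day1)     # empty: nothing new or changed
    mirror_sync(mirror, day2)                 # the mirror loses clients.csv too

    return {
        "inc1_files": sorted(inc1),
        "inc2_files": sorted(inc2),
        "chain_has_clients": "clients.csv" in restore_chain(full, [inc1, inc2]),
        "mirror_has_clients": "clients.csv" in mirror,
    }


if __name__ == "__main__":
    print(run_scenario())
    print(gfs_demo())
```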

Thirdly, IT audits should be enforced more within BUI. The reason for this is to examine whether or
not the organisation's security operations are being carried out as required. Audits are normally
categorised into three types: one-off audits, tollgate/approval audits and portfolio/routine audits.

One-off audits are normally carried out only to prepare for a major upgrade. Tollgate/approval
audits are done to determine whether or not specific processes should be allowed from a security
standpoint. Portfolio/routine audits are done on a regular schedule to determine whether or not
processes remain acceptable. Every audit goes through four steps: define the assessment criteria,
prepare and plan the audit, carry out the audit, and verify, complete and disseminate the findings.

Throughout an audit, areas such as the following would be focused on:

• Password complexity
• Over-permissive ACLs
• Inconsistent ACLs
• Non-existent or insufficient file activity auditing
• Non-existent or insufficient review of auditing data
• Only compliant software installed
• Data retention policies
• Disaster recovery plans updated and tested
• Incident response plans updated and tested
• Sensitive data stored and protected correctly with encryption
• Change management procedures followed

The purpose of these audits is to examine and evaluate the infrastructure, operations and policies.
Once implemented, an audit determines whether or not the IT controls are protecting corporate
assets, ensuring that they are aligned with the business goals and upholding data integrity. Once
properly implemented, this audit would examine all physical security controls as well as financial
and business controls.

Task 1c

To fully understand this risk management flow chart, I would dissect it into the various parts
which make up the flow chart. Before any risk management

Establish the context: In order to formulate a risk management flow chart and ensure that it is
relevant and current, one would have to liaise with all who would be directly affected: the
stakeholders, service providers and any individuals who have an input in the decision making. During
this process of communicating, it is recommended that the following be recorded:

1. The different audiences and stakeholders.
2. All objectives and activities (what the achievements are, what methods would be used to achieve
the outcome, the method of delivery and the expectations).
3. Monitoring and review. In all steps of risk management, communication and consultation are carried
out at every stage.

Identify the risk: In any risk management exercise there are always risks that need to be
identified. This creates a clear and concise list of all potential risks and threats, known as the
risk register. In preparing the list of potential risks, certain questions should be addressed in
order to gather the most information. The questions listed below illustrate what needs to be asked:

1. What could happen?
2. What are the possible outcomes, and what is the impact of the risk being evaluated?
3. How frequently can it happen?
4. In which area can it occur?
5. What may trigger it?
6. Who can be affected as well as involved?

Critical assessment: This deals with identifying and assigning importance to each resource, whether
personnel, physical assets or even the processes that support them. The rating for this assessment
would be either numerical, from 1 to 5, or on an importance scale such as catastrophic, significant,
moderate, low and insignificant.

Evaluate security risk: This involves decision making on the possible outcomes of the risk analysis.
There are two criteria: acceptable and unacceptable. Acceptable, otherwise known as tolerable, deals
with risks that are deemed tolerable, possibly after further treatment. Unacceptable, otherwise known
as intolerable, deals with risks that need treatment. With this criterion, considerations would be
factored in to determine tolerability.

Risk treatment strategies: This deals with how the risk is accepted. The following illustrates what
actions may be taken into consideration:

1. Any potential risks that may be considered would be based on judgement.
2. Retaining the risk and monitoring it until the outcome changes, at which point action would be
taken.
3. Taking opportunities where the benefits outweigh the risks.

Some considerations that would aid in avoiding risk would be not starting an activity that may
increase the probability of a risk occurring, and reducing some, if not all, activities in particular
areas that may create risk.

Monitor and review performance: This requires constant monitoring in order to ensure that the entity
is able to adapt or respond to incidents or changes in its threats. When planning monitoring, some
questions need to be taken into consideration, as they help in the monitoring steps. These questions
are:

1. How would these improvements be made?
2. Are all control measures efficient and cost-effective?
3. How were the assumptions made?

Image 1: - Risk Management Flow Chart
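The flow chart steps above (identify, assess on the 1 to 5 scale, evaluate as tolerable or intolerable, treat, then review) carried through as a small risk register seeded with the findings from Task 1a. This is an added example, not part of the original report; the likelihood and impact ratings, the tolerance threshold and the treatment wording are my assumptions for illustration.

```python
"""Risk register scoring along the risk management flow chart.

Added illustration; not part of the original report. Ratings, the
tolerance threshold and register entries are constructed assumptions.
"""
from dataclasses import dataclass, replace

SCALE = {1: "insignificant", 2: "low", 3: "moderate", 4: "significant", 5: "catastrophic"}
TOLERANCE = 8  # assumed: likelihood x impact >= 8 is intolerable and must be treated


@dataclass(frozen=True)
class Risk:
    what: str          # what could happen?
    where: str         # in which area can it occur?
    trigger: str       # what may trigger it?
    affected: str      # who can be affected or involved?
    likelihood: int    # how frequently can it happen? 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (insignificant) .. 5 (catastrophic)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact are rated 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def importance(self) -> str:
        """The word on the importance scale matching the numeric impact."""
        return SCALE[self.impact]

    def evaluate(self, tolerance: int = TOLERANCE) -> str:
        return "intolerable" if self.score >= tolerance else "tolerable"


def treat(risk: Risk, tolerance: int = TOLERANCE) -> str:
    """Risk treatment strategy: intolerable risks need a control; tolerable
    ones are retained and monitored until the outcome changes."""
    if risk.evaluate(tolerance) == "intolerable":
        return "treat: reduce likelihood or impact with a control"
    return "retain and monitor"


def residual(risk: Risk, likelihood: int, impact: int = None) -> Risk:
    """Re-rate after a control is applied (monitoring and review step)."""
    return replace(risk, likelihood=likelihood,
                   impact=risk.impact if impact is None else impact)


def build_register() -> list:
    """Constructed entries based on the Task 1a findings; ratings assumed."""
    return [
        Risk("Ex-employee enters a restricted area with the shared 4-digit code",
             "restricted areas", "code unchanged for 6 months, not unique per user",
             "branch staff, IT assets", likelihood=4, impact=4),
        Risk("Network closet opened with the key from the shared key cabinet",
             "network closet", "key cabinet accessible to all employees",
             "network equipment", likelihood=3, impact=5),
        Risk("Paper client records taken from the filing cabinet",
             "filing cabinet", "key cabinet accessible to all employees",
             "clients", likelihood=3, impact=4),
        Risk("Group policy differs between branch domains",
             "Active Directory", "one AD server per branch managed separately",
             "administrators, all users", likelihood=3, impact=2),
    ]


def prioritised(register: list) -> list:
    """Critical assessment output: highest score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def plan(register: list) -> dict:
    """Evaluation and treatment strategy keyed by risk description."""
    return {r.what: (r.evaluate(), treat(r)) for r in register}


if __name__ == "__main__":
    for r in prioritised(build_register()):
        print(f"{r.score:>2} {r.evaluate():<11} {r.importance:<13} {r.what}")
```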

Task 2a

A firewall can be either software or physical hardware integrated into the network. A hardware-based
firewall sits between the external network and the devices on the local network. A software-based
firewall is installed on the chosen computers on the network. Finally, there can be a combination of
both hardware and software firewalls; with this type of set-up, the network is defended without
compatibility issues. The purpose of the firewall is to monitor all incoming and outgoing traffic on
the network and grant or deny passage to data packets according to a set of security policies. Its
primary purpose is to create an intangible barrier that screens all internal sources from all
external sources in order to obstruct malicious traffic. Firewalls come in different types, such as
proxy firewalls, stateful inspection firewalls, unified threat management firewalls, next-generation
firewalls and threat-focused next-generation firewalls.

Upon further investigation of BUI, it appears that they make limited use of firewalls. My report
shows how the organisation can be negatively impacted by not configuring a firewall properly.

With limited use of the firewall, unwanted traffic may flow through the network, which ultimately
slows the transmission of data. Because of the unwanted traffic, data packets may also fail to reach
their intended destinations. Based on the crucial client data that was stolen from the BUI server, it
appears that an external entity intruded into the network and collected data. This was due to a
firewall not being implemented properly. Another issue that comes with a poorly designed firewall is
degradation of network efficiency. This can cause various symptoms, from the network slowing down and
disconnections to outages.

Task 2b

VPN stands for Virtual Private Network; it is implemented to give its users the ability to connect
to a virtual network. This network is considered safe and secure, and the goal is to keep your
private information private. It works by routing the internet connection through the chosen VPN
server instead of directly via the ISP. In other words, the VPN creates a private tunnel and hides
all vital data through the use of encryption.

A poorly configured VPN supplies addresses to all users from one single pool set by the admin. Once
an IP address is allotted to a user, the firewall views that address as part of a single subnet. If
the firewall policies are not created properly, they may not grant access to the network or to any of
its resources. Allotment of IP addresses by pools should be implemented so that each pool reflects a
department of the organisation.

Also, the firewall and VPN should be kept updated and the proper patches applied where necessary.
Once that is sorted, the antivirus and the endpoint protection should also be updated where
necessary. If these crucial pieces of hardware and software are not linked properly, or are omitted,
the risk of harm to the network increases. The reason for implementing an updated firewall as well as
endpoint protection is to protect the network from devices on the VPN that are not secured properly.

If a blind eye is turned to these crucial pieces of software and hardware, it will possibly open a
can of worms on your network, allowing all types of viruses, malware and rootkits to gain access.
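The firewall policy point from Task 2a and the VPN address pool point above, combined in one simulation: a default-deny rule set that grants each department only what it needs works when every department has its own VPN pool, but with one shared pool the firewall sees one subnet and the admin can only write all-or-nothing rules. This is an added example, not the report's or any product's code; the departments, address ranges, server addresses and rules are constructed assumptions.

```python
"""Per-department VPN address pools feeding a default-deny firewall policy.

Added illustration; not part of the original report. All addresses,
departments, users and rules below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

DB_SERVER = ipaddress.ip_network("192.168.10.5/32")    # assumed internal addresses
APP_SERVER = ipaddress.ip_network("192.168.10.20/32")
INTERNAL = ipaddress.ip_network("192.168.10.0/24")

DEPARTMENT_POOLS = {          # one pool per department, as recommended above
    "claims": ipaddress.ip_network("10.8.1.0/24"),
    "finance": ipaddress.ip_network("10.8.2.0/24"),
    "it": ipaddress.ip_network("10.8.3.0/24"),
}
SINGLE_POOL = ipaddress.ip_network("10.8.0.0/16")      # the poorly configured case


class VpnPool:
    """Leases addresses from one network, first free host first."""
    def __init__(self, network: Net):
        self.network = network
        self._hosts = network.hosts()
        self.leases = {}

    def assign(self, user: str) -> ipaddress.IPv4Address:
        if user not in self.leases:
            self.leases[user] = next(self._hosts)
        return self.leases[user]


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"


def evaluate(rules, src, dst, port: int) -> str:
    """First matching rule wins; traffic no rule mentions is denied."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"


def department_rules() -> list:
    """Least privilege: each department reaches only what its work needs."""
    return [
        Rule(DEPARTMENT_POOLS["finance"], DB_SERVER, 5432, "allow"),
        Rule(DEPARTMENT_POOLS["claims"], APP_SERVER, 8080, "allow"),
        Rule(DEPARTMENT_POOLS["it"], INTERNAL, None, "allow"),
    ]


def single_pool_rules() -> list:
    """With one pool the admin can only write rules for the whole pool,
    so every VPN user gets whatever any department needs."""
    return [
        Rule(SINGLE_POOL, DB_SERVER, 5432, "allow"),
        Rule(SINGLE_POOL, APP_SERVER, 8080, "allow"),
    ]


def simulate(per_department: bool) -> dict:
    """Connect one constructed user per department and test a few flows."""
    users = {"claims": "alice", "finance": "bob", "it": "carol"}
    if per_department:
        pools = {d: VpnPool(n) for d, n in DEPARTMENT_POOLS.items()}
        addr = {u: pools[d].assign(u) for d, u in users.items()}
        rules = department_rules()
    else:
        pool = VpnPool(SINGLE_POOL)
        addr = {u: pool.assign(u) for u in users.values()}
        rules = single_pool_rules()
    db = DB_SERVER.network_address
    app = APP_SERVER.network_address
    return {
        "alice->db:5432": evaluate(rules, addr["alice"], db, 5432),
        "bob->db:5432": evaluate(rules, addr["bob"], db, 5432),
        "alice->app:8080": evaluate(rules, addr["alice"], app, 8080),
        "bob->app:8080": evaluate(rules, addr["bob"], app, 8080),
        "carol->app:22": evaluate(rules, addr["carol"], app, 22),
    }


if __name__ == "__main__":
    print("per-department pools:", simulate(True))
    print("single pool:         ", simulate(False))
```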

Task 2c

A DMZ, or demilitarised zone, is a network commonly used as an exposed point to untrusted networks
such as the internet. The main objective of the DMZ is to allow external access to resources while
keeping them separated from the internal network, giving an extra layer of security. Once
implemented, it improves access control: there would now be two firewalls in the network, creating a
separation between the internal and external networks.

A static IP address is an address manually configured by an administrator and applied to a device.
It is called static because the address does not change, as opposed to a dynamic IP address. This
type of address would be applied in organisations to devices whose addresses must not change, such as
an NVR, a server or even a network printer. Also, with the use of a VPN, static IP addresses would be
applied to the devices that need to gain access to the organisation's network externally.

NAT, or Network Address Translation, operates on a router; it processes the private IP addresses and
translates them to an external IP address so that devices can use an external network such as the
internet. Some benefits of using NAT on a network are the possibility of reusing private IP addresses
and enhanced security for the internal network, since the internal addresses are hidden from the
external network.

Task 2d

Network monitoring is the process by which all elements on the network are monitored for performance
and consistency. What this means is that the system oversees all components, such as firewalls,
routers and servers, and if there are any inconsistencies the software notifies the administrators so
that outages or bottlenecks can be avoided.

There are various tools for network monitoring. Logging is the recording of all events that have
transpired on the network. The data can then be saved as a text file or even in an encrypted format.
This form of monitoring allows administrators to see trends and patterns on the network for numerous
things, such as multiple password attempts, memory issues or even rule violations.

Tracing is used by reviewing data generated by an application or a process. It entails analysing
raw data provided by a server or a group of devices to pinpoint any possible issues. Once this type
of network monitoring is implemented properly, it allows administrators to view any inconsistencies
in the network arising from compromised devices.

A honeypot, as the name implies, is used to lure all possible threats or attacks to a designated
point on the network. An intentionally weakened environment with poor security is set up with a
server holding false data. Once implemented, this type of system helps show administrators where the
vulnerable areas of the network reside.
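The logging use case named above (spotting multiple password attempts) as a small detector run over sample log lines. This is an added example, not the report's code or any monitoring product's; the log lines are constructed in OpenSSH/syslog style with fictitious usernames, and the threshold, time window and year are assumptions.

```python
"""Detecting repeated password failures in an authentication log.

Added illustration; not part of the original report. The log lines are
constructed in OpenSSH/syslog style, usernames are fictitious, and the
threshold, window and year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sep  7 09:01:12 hq-ad1 sshd[2231]: Failed password for agent01 from 203.0.113.9 port 51022 ssh2
Sep  7 09:01:15 hq-ad1 sshd[2231]: Failed password for agent01 from 203.0.113.9 port 51022 ssh2
Sep  7 09:01:19 hq-ad1 sshd[2231]: Failed password for agent01 from 203.0.113.9 port 51022 ssh2
Sep  7 09:01:22 hq-ad1 sshd[2231]: Failed password for agent01 from 203.0.113.9 port 51022 ssh2
Sep  7 09:01:25 hq-ad1 sshd[2231]: Failed password for agent01 from 203.0.113.9 port 51022 ssh2
Sep  7 09:02:40 hq-ad1 sshd[2240]: Accepted password for agent01 from 203.0.113.9 port 51030 ssh2
Sep  7 09:30:01 hq-ad1 sshd[2301]: Failed password for agent02 from 192.168.1.40 port 40011 ssh2
Sep  7 10:45:07 hq-ad1 sshd[2402]: Failed password for agent02 from 192.168.1.40 port 40020 ssh2
Sep  7 10:45:09 hq-ad1 sshd[2403]: Failed password for invalid user admin from 198.51.100.77 port 3333 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text: str, year: int = 2020) -> list:
    """Turn matching lines into (timestamp, result, user, source) tuples.
    Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def failures_by_source(events: list) -> dict:
    """Simple trend view: how many failures each source produced."""
    counts = defaultdict(int)
    for _, result, _, src in events:
        if result == "Failed":
            counts[src] += 1
    return dict(counts)


def detect(events: list, threshold: int = 5, window=timedelta(minutes=5)) -> list:
    """Alert on `threshold` failures for one (user, source) inside `window`,
    and on a success that follows such a burst within the same window."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, src in events:
        key = (user, src)
        failures = recent[key]
        if result == "Failed":
            failures.append(ts)
            while ts - failures[0] > window:   # drop failures outside the window
                failures.popleft()
            if len(failures) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("repeated-failures", user, src, len(failures)))
        elif key in flagged and failures and ts - failures[-1] <= window:
            alerts.append(("success-after-failures", user, src, len(failures)))
    return alerts


def run() -> list:
    """Alerts produced by the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```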

Task 2e

The table below illustrates the different types of security measures, physical or virtual, that can
be utilised in an organisation. For each measure it gives the type, a description, advantages,
disadvantages, and how it will ensure the integrity of organisational IT security.

CCTV (Physical)
Description: A system with cameras installed in areas deemed high risk or high traffic, to capture
recordings where necessary.
Advantages: It acts as a psychological deterrent, as well as capturing recordings for accountability.
Disadvantages: If the respective area does not have proper signage about CCTV monitoring, there can
be legal repercussions.
Integrity: Once properly implemented, the CCTV system would record all necessary areas and ensure
recordings of all high-traffic areas or areas deemed high risk.

Physical Access Restriction (Physical)
Description: This entails the use of security doors and walls to deny users access to particular
areas.
Advantages: It aids dramatically in the fight against premeditated destruction or even sabotage.
Disadvantages: For areas physically locked by security doors, if the keys are misplaced or lost, it
slows down access for the users who do have permission to those areas.
Integrity: Once properly implemented, security doors and walls can be very helpful, as they slow or
deter any possible tampering with the IT assets.

Access Control (Physical)
Description: This type of system is electronic and offers numerous control measures, such as RFID,
keypads, biometrics and even iris scanners.
Advantages: Heightened monitoring through the use of software, which allows the user to answer who,
when, where and why.
Disadvantages: The user must ensure that the software is always updated to get the most out of it; in
most cases this requires internet access to the system for updates.
Integrity: Once someone attempts to enter a restricted area, the software monitors and flags the
individual, notifying administrators of what has transpired.

Firewalls (Virtual)
Description: A firewall can be either software or hardware that monitors all traffic on the network,
with additional features to monitor any unauthorised access to the network.
Advantages: Monitors all traffic transmissions and ensures all data packets are sent and received
without any losses.
Disadvantages: If policies are not properly configured, it can allow external entities to gain
unauthorised access to sensitive data.
Integrity: Once configured properly, the system notifies the administrators about inconsistencies on
the network and monitors all users who have and do not have access, making it difficult for external
parties to enter the network.

DMZ (Virtual)
Description: A DMZ is commonly used as a system between the internal network and the external
network, without compromising the private addresses. This also adds an extra layer of security to the
network.
Advantages: It improves access control, which means there would ultimately be two firewalls
monitoring all traffic transmissions in the network.
Disadvantages: If not configured properly, it may allow external entities to gain access to the
internal network without much effort, and they may also see the internal addresses.
Integrity: Once the DMZ is properly configured, it allows users of the organisation to remotely
access the work network, as well as minimising the amount of information that may be accessed from
the external network.

Antivirus Protection (Virtual)
Description: Software created to monitor, search for, prevent and remove any potential viruses or
malicious software.
Advantages: Some advantages of implementing an antivirus are virus protection, spyware protection,
web protection, spam protection and firewall features.
Disadvantages: Some disadvantages of having an antivirus are the slowing down of the system and
limited detection techniques.
Integrity: Once properly configured, it adds an extra layer of protection at a smaller level. This
would monitor all web browsing, as well as all attachments passing through the network.

Task 3a

Due to the history of the organisation and the issues that arose within it, a risk assessment is
required in order to understand the potential risks and hazards at hand and how to mitigate them if
they occur. First and foremost, we have to understand what a risk assessment is before we talk about
the different procedures that would be required in the organisation.

A risk assessment is a complex review of information on the organisation which helps in assessing
and managing its objectives and flaws, which can potentially cause damage to sensitive data.

Four risk assessment procedures that would need to be executed in BUI would be Network
Change Management, Audit Control, Business Continuance/ Disaster Recovery and Loss of
Data & Business.

Network change management is the process through which organizations standardize the way
they implement network changes. The goal is to create an approach where making necessary
changes to network devices causes as little disturbance to the existing systems as possible.

Network changes may be proactive efforts to improve the network or reactive responses to
problems within the system. The network change management process is meant to ensure
standardized approaches and reduce the frequency and impact of related incidents caused by
the change, so changes are both prompt and efficient.

Audit control can be defined as the process of evaluating all IT infrastructure, operations and
policies of the organisation. The audit would include a section with suggested improvements for the
organisation. There are various types of IT audit that would have to be taken into consideration,
such as Systems & Applications, Information Processing Facilities, System Development, Management of
IT and Enterprise Architecture, and Client/Server, Telecom, Extranets and Intranets. Once
implemented, there are some key factors that must be taken into consideration. These factors are as
follows:

• Scope
• Outside resources
• Implementation
• Feedback
• Repeat

Business continuance is the procedure or process to ensure that the organisation can function or
carry on even in the event of an operational interruption. A business continuity plan is a developed
plan implemented to prevent possible business interruptions and/or disasters from happening, as well
as to aid in returning the organisation to a state of regular business conditions.

Loss of data & business pertains to analysing the various means by which data and information are
lost in the organisation. This is an inconvenience that affects the organisation's day-to-day
processes. There are numerous ways in which data can be lost, such as hackers, hard drive formatting,
software corruption, disasters, liquid damage, theft, viruses & malware or even human error. There
are numerous measures that would mitigate against loss of data, such as hard drive partitioning,
scheduled disk defragmentation, proper implementation of antivirus software and controlling all
employees' access. These steps would minimise the potential data loss that can occur in the
organisation.

Task 3b

Data protection processes are the various methods by which information is secured from any form of
corruption, loss or even compromise. These methods are crucial, as the more voluminous the
information stored, the higher the risk. Three factors that should be adopted throughout the
organisation are VPN usage, password rotation and access privileges for sensitive data. These
factors are deemed important as they play an important role in securing data in BUI.

With the use of VPNs in the organisation, all devices on the network would be more secure, as there
would be an extra layer of security. Implementing password rotation would be beneficial; it would
require the user's password to have various characteristics, such as both lowercase and uppercase
letters, special characters and a length exceeding 8 characters. Authorisation should be granted only
to users who require access to sensitive data. With this implemented, a log should also be
maintained for auditing purposes.
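The password characteristics, rotation and sensitive-data access controls just listed, with the audit log the text calls for, as an added example that is not part of the original report. The 90-day rotation period, the role-to-data table, the usernames and the dates are constructed assumptions.

```python
"""Password complexity, rotation and access privileges for sensitive data,
with an audit log of every access attempt.

Added illustration; not part of the original report. The rotation period,
role table, usernames and dates are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 9                          # "must exceed 8 characters"
ROTATION_PERIOD = timedelta(days=90)    # assumed rotation interval

RULES = [  # (description, test) for the characteristics the text lists
    (f"at least {MIN_LENGTH} characters", lambda p: len(p) >= MIN_LENGTH),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def complexity_problems(password: str) -> list:
    """Return the rules a candidate password fails; an empty list means it complies."""
    return [desc for desc, ok in RULES if not ok(password)]


def rotation_overdue(last_changed: date, today: date) -> bool:
    return today - last_changed >= ROTATION_PERIOD


@dataclass
class Account:
    user: str
    roles: set
    last_changed: date


PERMITTED_ROLES = {   # assumed: which roles may read which sensitive data set
    "client-records": {"claims", "management"},
    "payroll": {"finance"},
}


@dataclass
class SensitiveStore:
    """Grants access only to roles that need the data, and records every attempt."""
    audit: list = field(default_factory=list)

    def access(self, account: Account, resource: str, today: date) -> bool:
        if rotation_overdue(account.last_changed, today):
            outcome = "denied: password rotation overdue"
        elif account.roles & PERMITTED_ROLES.get(resource, set()):
            outcome = "granted"
        else:
            outcome = "denied: no privilege for this data"
        # every attempt, granted or not, is kept for auditing
        self.audit.append((today.isoformat(), account.user, resource, outcome))
        return outcome == "granted"


def demo() -> tuple:
    """Constructed accounts and access attempts on 2020-09-07."""
    today = date(2020, 9, 7)
    claims_agent = Account("agent01", {"claims"}, today - timedelta(days=30))
    finance_clerk = Account("clerk01", {"finance"}, today - timedelta(days=120))
    store = SensitiveStore()
    results = {
        "agent01/client-records": store.access(claims_agent, "client-records", today),
        "agent01/payroll": store.access(claims_agent, "payroll", today),
        "clerk01/payroll": store.access(finance_clerk, "payroll", today),
    }
    return results, store.audit


if __name__ == "__main__":
    print(complexity_problems("password"))
    print(demo())
```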

Task 3c

ISO 31000 is a standard published in 2009 which gives effective principles and guidelines for risk
management. Its approach is a generic one, which allows it to be adapted to many different risks and
utilised by different types of organisations. It provides principles that aid in undertaking critical
reviews of the company's risk management process.

It contains no instructions or advice on managing any specific risk; it remains at a generic level.
Relative to older standards on risk management, ISO 31000 innovates in various areas:

• It explains what a risk management framework is, with the different organisational roles and
responsibilities in the management of risks.
• It states that a management philosophy is seen as an important part of strategic decision-making.

The activities outlined by ISO 31000 are listed as follows: -

 Risk Identification deals with what can obstruct the company from achieving its goals
and/or objectives.
 Risk Analysis deals with understanding the identified risks, studying the probability of
each risk as well as its consequences, to determine the different levels of residual risk.
 Risk Evaluation deals with comparing the results of the risk analysis with the risk
criteria; this determines the tolerability of the residual risk.
 Risk Treatment deals with the possible changes to the likelihood or the consequences,
both positive and negative, to ensure that a net increase is achieved.
 Establishing the Context, which wasn't included in previous versions of the risk
management process description, deals with defining the scope, defining the company's
objectives and organising the risk evaluation criteria. The context contains both external
elements, such as the market, and internal elements.
 Monitoring and Review deals with measuring the indicators of risk management
performance, which are reviewed periodically. It covers reviewing deviations from the risk
management plan, checking the appropriateness of the risk management framework, policy
and plans, the progress of the risk management plan and how well the policy is being
adhered to.
 Communication and Consultation deals with understanding the various stakeholders
and their interests, ensuring that the process is properly applied and focusing on
rational decisions.
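The analysis, evaluation and treatment steps above carried through on one constructed risk, as an added example that is neither part of the original assignment nor taken from ISO 31000 itself. The standard does not prescribe rating scales or thresholds, so the 1-5 likelihood and consequence scales, the tolerance threshold, the sample risk and the treatments are all assumptions made for this illustration.

```python
"""Risk register walking one constructed risk through the ISO 31000 activities.

Added example; not from the original assignment or from ISO 31000. The scales,
threshold, sample risk and treatments below are assumptions for illustration.
"""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5        # assumed rating scale for likelihood and consequence
TOLERANCE_THRESHOLD = 9            # assumed risk criterion: score <= 9 is tolerable


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    consequence: int         # 1 (negligible) .. 5 (severe)
    treatments: tuple = ()   # names of controls already applied


def analyse(risk: Risk) -> int:
    """Risk Analysis: combine probability and consequence into one score."""
    return risk.likelihood * risk.consequence


def evaluate(score: int, threshold: int = TOLERANCE_THRESHOLD) -> str:
    """Risk Evaluation: compare the score against the risk criteria."""
    return "tolerable" if score <= threshold else "treat"


def treat(risk: Risk, control: str,
          likelihood_delta: int = 0, consequence_delta: int = 0) -> Risk:
    """Risk Treatment: a control changes likelihood and/or consequence.

    Residual ratings are clamped to the scale so a treatment can never push a
    rating outside the 1..5 range.
    """
    def clamp(value: int) -> int:
        return max(SCALE_MIN, min(SCALE_MAX, value))

    return replace(
        risk,
        likelihood=clamp(risk.likelihood + likelihood_delta),
        consequence=clamp(risk.consequence + consequence_delta),
        treatments=risk.treatments + (control,),
    )


def run_register(risk: Risk, plan: list[tuple[str, int, int]]) -> list[dict]:
    """Apply treatments in order until the residual risk is tolerable.

    Returns one record per evaluation so the trail can be reviewed later;
    the Monitoring and Review step is re-running this with fresh ratings.
    """
    pending = list(plan)          # copy so the caller's plan is not consumed
    trail = []
    current = risk
    while True:
        score = analyse(current)
        verdict = evaluate(score)
        trail.append({"treatments": current.treatments,
                      "score": score, "verdict": verdict})
        if verdict == "tolerable" or not pending:
            return trail
        control, dl, dc = pending.pop(0)
        current = treat(current, control, dl, dc)


def demo() -> list[dict]:
    """Constructed sample: an unpatched internet-facing server."""
    risk = Risk("unpatched internet-facing server", likelihood=4, consequence=5)
    plan = [
        ("monthly patching cycle", -2, 0),   # reduces likelihood
        ("network segmentation", 0, -2),     # reduces consequence
    ]
    return run_register(risk, plan)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The trail shows why the text insists on evaluating the residual risk rather than the inherent one: the first treatment alone leaves the score above the criterion, and only the second brings it into tolerance.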

Task 3d

Venturing into security audits, BUI would be required to outline the key areas that may
have to change. Some key areas are modification of internal security, changes to backup
practices and disaster recovery, and changes to the organisation's IT security policy.

Modification of Internal Security – With custom/unique software, patches may need to be
applied to rectify some, if not all, of the areas deemed vulnerable. Another approach that
may need to be implemented is logging; once enabled, it offers more information for
auditors to analyse in future audits.

Changes to Backup Practices and Disaster Recovery – If an audit finds a lack of recovery
practices, a recommendation to remedy this with immediate effect would be carried out to
protect the organisation's data and ensure business continuity. Other means of off-site
backup, such as cloud storage, would have to be considered.

Changes to the Organisation's IT Security Policy – If an audit reveals any weaknesses in
the organisation's IT security policies, it is inevitable that the policies would have to be
revised and remedied right after. In most cases, the policies govern the usage of IT
resources, such as access control, limiting exposure, resource restriction and many more.

Once an audit has concluded, the report generated on all IT security would show the issues
at hand and possible recommendations to remedy them.

Task 3e

In an organisation, its policies and its IT security must go together, otherwise there may be
negative effects on IT security. IT security predominantly deals with the IT within the
organisation, which revolves around data, hardware, systems and software. To enforce IT
security, it is combined with the method of implementation as well as the organisation's
policies. Each rule and regulation has to be formulated in a manner that upholds security
and is then enforced. This is understood as an organisational policy.

Two ways in which IT security policies and organisational policy go hand in hand are
through awareness and accountability.

Awareness deals directly with notifying people in the organisation about the policies that
are in place, and making them easily available, for example through the company's website.
The purpose of awareness is to give employees access to the policies and knowledge of
what they are. This goes hand in hand with accountability.

Accountability deals with ensuring that employees are responsible for their own actions; its
purpose is to ensure that individuals are penalised for their actions. It goes hand in hand
with awareness: once employees have easy access to the policy, there are provisions for
individuals who don't adhere to it.

Task 4a

A security policy is a document that outlines measures to protect the organisation from all
possible threats. A policy must identify all the organisation's assets and the potential
threats to those assets.

System Access Policy

1. Scope: - This policy applies to systems and employees that are granted access to
accounts and various information systems.
2. Objectives: - This policy aims to have appropriate access control enabled in the right
place, and the right information available to the right people at the right time.
3. Responsibilities: - All persons are to abide by the relevant instructions stated in the
Security and Access Control Policy and Procedures.
4. Access Control Implementation: - The following illustrates the principles around how
access control is implemented.
4.1 Identity Management: - A formal user registration process would be in place so that
identities and accounts are issued on an individual basis. This ensures that everyone
is accountable for their actions.
4.2 Authentication Management: - All accounts would be serviced and monitored through
a secure control.
4.3 Privileged Account Management: - Privileged accounts must be purpose-driven and
must always adhere to the principle of least privilege.
4.4 Adjustment or Removal of Access Rights: - When personnel are terminated, or their
contract or agreement changes, their accounts are to be adjusted or removed
accordingly.

Email Access Policy

The following document illustrates BUI's email access policy. All staff members who use
the work email are required to comply with this policy statement.

1. Business Use: - All company emails are to be used solely for company purposes and not
for personal use.
2. Ownership: - All email messages that transit through the company's server are
considered the sole property of the organisation.
3. Email Review: - All emails are subject to the company monitoring, reading and using
them without notice to either party.
4. Prohibited Content: - Emails must not contain content that is derogatory, offensive,
illegal and/or inappropriate, such as sexual, religious or racial material.
5. Security: - Emails are to be used only by authorised personnel, and a password would be
issued to each employee. Personnel must not disclose their credentials to anyone else or
allow someone else to use their email without an authorisation letter issued by the
company.
6. No Presumption of Privacy: - Employees shall not assume that communication through
email is private; security isn't guaranteed.
7. Viruses: - All files downloaded from messages received from a source outside the
company are subject to scanning with the company's antivirus software. Any viruses
should be reported to the system administrators immediately.
8. Consequences of Violations: - Anyone in violation of the organisation's policy would be
disciplined, suspended or even terminated from employment.

Browser & Internet Usage

The Browser & Internet Usage Policy applies to all personnel of the organisation who have
access to the company's computers and internet. Internet activity is permitted only if its
use benefits the business goals and objectives.

Computer, Email and Internet Usage

1. All employees are to be responsible and productive with their internet access. Internet
access is limited to work-related activities as well as personal agendas.
2. All data/information transmitted or received on the company's email is considered the
sole property of the organisation.
3. The equipment used to access the internet is the sole property of the organisation, as is
the process of monitoring traffic.
4. All sites and downloads may be monitored and blocked by the Systems
Administrator.

The following illustrates what is unacceptable for employees, including but not limited to: -

1. Using the computer for phishing or any similar activity
2. Downloading or pirating any electronic files without the right authorisation
3. Making confidential information, trade secrets or even proprietary data public

Physical access to server and key networking infrastructure

1. Physical access must be given only to authorised personnel, and must be managed and
monitored to protect information technology resources from unauthorised access and
environmental threats.
2. The goal of this policy is to ensure that there is an established standard for granting,
managing and/or monitoring physical access to areas that contain network infrastructure,
to protect them from unauthorised access and environmental factors.
3. All access to areas with networking infrastructure should be documented and managed
by IT Services. Granting keys, key cards or a combination requires approval from IT
Services. Keys mustn't be shared or loaned to users who don't have access.
4. Anyone whose keys, key cards or combination are misplaced must report it to Public
Safety immediately. All network infrastructure should be properly secured and kept in a
locked environment.
5. All physically access-controlled environments and their systems must comply with all
regulations, such as building and fire prevention, power irregularity protection, fire
detection, humidity and air conditioning, as well as other environmental factors. Air
conditioning must be installed to minimise exposure to long-term equipment failure and
heat damage. All network equipment must be connected to a UPS to aid in minimising
power spikes and subsequent damage to data and hardware.

System Software Usage Policy

1. All employees are to use software in accordance with the licence agreement and the
organisation's policy. Users mustn't make additional copies of the software unless for
archival purposes only.
2. The use of unauthorised software would not be tolerated. Anyone found reproducing
software can be subject to criminal penalties, including fines and imprisonment.
3. No user is to give any software to outsiders, including customers, clients and others.
Under no circumstances shall pirated software be brought in from any source, such as
the internet, friends, home, colleagues, etc.
4. Any employee who determines that they may be using pirated software is to notify the
department manager.
5. All software used on the company's computers is to be purchased through the
necessary channels.

Task 4b

A responsibility matrix deals with all high-level staff; the table below illustrates what each
needs to establish, communicate or enforce.

Role / Establish / Communicate / Enforce

Board of Directors
Establish: - N/A
Communicate: - The board would discuss amongst themselves and then notify the CEO
about the policies to implement.
Enforce: - N/A

Chief Executive Officer
Establish: - N/A
Communicate: - The CEO would communicate with all high-level staff about implementing
new policies.
Enforce: - The CEO would penalise any high-level staff who go against implementing these
policies.

Chief Technical Officer
Establish: - Liaise with all high-level members of staff to ensure that the policies are
developed in conjunction with the organisational policy.
Communicate: - The CTO would liaise with all staff members from the Information
Technology Department on the policies that are to be adhered to.
Enforce: - The CTO would penalise any low-level staff members who don't comply with the
policies.

Chief Operations Officer
Establish: -
Communicate: - The COO would liaise with all staff members from the Administration
Department and ensure that they adhere to the policies.
Enforce: - The COO would penalise any low-level staff members who don't comply with the
policies.

Chief Security Officer
Establish: -
Communicate: - The CSO would liaise with all staff members from the Corporate Security
Department and ensure that they adhere to the policies.
Enforce: - The CSO would penalise any low-level staff members who don't comply with the
policies.

Chief Auditor
Establish: -
Communicate: - The CA would liaise with all staff members from the Corporate Security
Department and ensure that they adhere to the policies.
Enforce: - The CA would penalise any low-level staff members who don't comply with the
policies.

Chief Risk Officer
Establish: -
Communicate: - The CRO would liaise with all staff members from the Corporate Security
Department and ensure that they adhere to the policies.
Enforce: - The CRO would penalise any low-level staff members who don't comply with the
policies.

Corporate Security
Establish: -
Communicate: - The CS would liaise with all staff members from the Corporate Security
Department and ensure that they adhere to the policies.
Enforce: - The CS would penalise any low-level staff members who don't comply with the
policies.

Human Resource Manager
Establish: -
Communicate: - The HRM would liaise with all staff members from the Corporate Security
Department and ensure that they adhere to the policies.
Enforce: - The HRM would penalise any low-level staff members who don't comply with
the policies.

Task 4c

The main components of a disaster recovery plan for BUI are listed below: -

1. Prioritised Business Functions and Business Activities
2. Defined Timeframes for Recovery
3. Recorded Hardware, Data and Software at Secondary Location
4. Documented Responsibilities for Re-establishment
5. Outlined Communication Channels and Personnel
6. Procedures for Handling Sensitive Data
7. Adequate Plan Testing

1. Disaster recovery is a subclass of a BCP, and prioritisation is in fact its most important
element. It is crucial to identify and prioritise the most important business elements
that must be brought online first. A list of all prioritised items with their functional
areas should be compiled, so that all recovery staff know which areas are to be targeted
first.
2. The next step is to set realistic timeframes for these prioritised items. They are
non-date-dependent and show all areas from beginning to end. These timeframes
reinforce the prioritisation efforts.
3. A secondary location should be factored in for secondary storage. This is considered a
place of refuge for the organisation to re-establish itself; it can be solely cloud-based or
on a rental agreement. A record of all hardware, software and data should be kept for
archival purposes to ensure that all recovery efforts are unhindered. Besides recording
all hardware, software and data, a file should also be kept on all current vendors, to
facilitate the sourcing of necessary hardware and software in the event that stockpiling
wasn't established.
4. All personnel taking part in the recovery process should be documented along with their
responsibilities and communication channels. All necessary employees should be well
informed of their roles and responsibilities. Roles aren't limited to one employee, as a
role can be shared amongst several employees; this aids in cutting the recovery time.
5. Contact with personnel would be established through phone numbers, physical
addresses and/or email addresses. The person compiling the contact list should ensure
that all personnel information is updated in a timely fashion so that there is no outdated
information.
6. A clear guideline should be established to illustrate how sensitive data is to be handled
throughout the recovery process. In most cases the recovery process is under heavy time
constraints, which tends to lead to data being left unprotected from time to time. An
established guideline aids in showing persons which hardware and software must be
implemented first. The guideline must clearly identify when certain hardware and
software need to be in place, and at what point the sensitive data should be introduced.
Once properly orchestrated, these guidelines ultimately aid in any re-establishment.
7. The organisation's disaster recovery plan should be tested at least annually to ensure
that all elements of the organisation are still functioning. The reason for this is to monitor
and record any potential weaknesses or non-functioning areas that need improvement.
During this test, all vendor information as well as personnel communication channels
should be updated too. Failure to test the disaster recovery plan would inevitably lead to
possible non-functioning elements and further delay the recovery process.

Task 4d

The four stakeholders I have chosen are listed below: -

Chief Security Officer (CSO)

Chief Operations Officer (COO)

Chief Technical Officer (CTO)

Chief Risk Officer (CRO)

During the process of implementing the security audit recommendations these four
stakeholders would all have crucial parts to play within the organisation.

The CSO would have to ensure that all recommendations relating to the physical access
aspect of the policy are met. If the recommendations require physical access controls to be
implemented to secure these areas, he/she would have to make the necessary arrangements
with contractors in order to meet the recommendations.

The COO would liaise with all the necessary administrative staff as well as the Chief
Technical Officer to ensure that the recommendations mentioned in the audit findings are
met, and that all parties affected by the policies ensure that all recommendations stated in
the findings are achieved.

The CTO would adhere to all recommendations given by the auditors and liaise with the
various department managers to seek their assistance in getting these tasks completed. The
CTO would have to keep in close communication with the auditors to ensure that these
recommendations have been met, so that the auditors can make the necessary changes to
the report.

The CRO would liaise with the head of each department to list all the potential risks that
may arise from the policies, and then liaise with the CTO to ensure that these risks are
addressed throughout the policies.

Task 4e

The company's team lead has decided to use two particular tools to aid the security
policy. These tools are ethical hacking and penetration testing.

Ethical hacking deals with a series of attempts to uncover vulnerabilities within the
organisation. This is implemented through the use of software as well as other means, such
as social engineering. It is deemed ethical as it is carried out only with the permission of
the company, and the findings aren't used with the intention to harm the company but to
help improve it. Once implemented properly, the findings from ethical hacking would aid in
hardening the company's security. This method usually aims to answer a series of various
questions.

Penetration testing is done under ethical hacking. It deals with one specific area within the
company. This method is on the offensive side, as it mostly deals with attempting to gain
access to one area; the findings are then recorded and uploaded into the ethical hacking
framework. There are various methods by which penetration testing is carried out,
including wireless security tests, client-side tests, network services tests, physical
penetration tests and various others. Any form of penetration test should take into
consideration the internal and external components of the IT infrastructure.

These two methods or tools would aid the company in exposing all potential vulnerabilities
within the organisation. With the findings from both methods, a plan of action can be
formulated to rectify any issues and implement the fixes as soon as possible.
