Network Security

Network Security Assignment
Higher National Certificate/Diploma in Computing

Assessment Brief
Student Name/ID B.H.K. Janindu Bhanuka / M19981124006
Number
Unit Number and Title 05: Security

Academic Year 2021
Unit Tutor Ms. Dharani Abeysinghe
Assignment Title Security HND B09
Issue Date 1st August 2021
Submission Date 12th September 2021
IV Name & Date Mr. Dhishan Dammetarachchi, 27th July 2021
Unit Learning Outcomes

LO1 Assess risks to IT Security
LO2 Describe IT Security solutions

LO3 Review mechanisms to control organisational IT Security
LO4 Manage organisational security
Unit Learning Outcomes

LO Learning AC
Outcome
In this assessment you will have the Evidence
opportunity to present evidence Task (Page
that shows you are able to: No Number)
LO1 Assess risks to IT 1.1 1
Security Identify types of security risks to
organisations.
1.2 Describe organisational security 1
procedures.
1 HND-B08 B.H.K. Janindu Bhanuka

LO2 Describe IT 2.1 2
Security solutions
Identify the potential impact to IT
security of incorrect configuration of
firewall policies and third party
VPNs.
2.2 Show, using an example for each, 2
how implementing a DMA, status IP
and NAT in a network can improve
Network Security.
LO3 Review 3.1 3
mechanisms to
control Discuss risk assessment procedures.
organisational IT 3.2 Explain data protection processes and 3
Security regulations as applicable to an
organisation.
LO4 Manage 4.1 4
organisational
security Design and implement a security
policy for an organisation.
4.2 List the main components of an 4
organisational disaster recovery plan,
justifying the reasons for inclusion.
Submission Format
The submission is in the form of a single word document. You are required to make use of headings, paragraphs,
subsections and illustrations as appropriate, and all work must be supported with research and referenced using
the Harvard referencing system. Make use the font Times New Roman, size 12, all borders 1 inch, 1.5 line
spacing and justified alignment. No specific word limit given.
Student Assessment Submission and Declaration

When submitting evidence for assessment, each student must sign a declaration confirming that the
work is their own.
Student name: Assessor name:
B.H.K. Janindu Bhanuka Ms. Dharani Abeysinghe

Issue date: Submission date: Submitted on:
01-Aug-2021 12-Sep-2021 12-Sep-2021
Programme: BTEC Pearson HND of Computing
Unit: 05
Assignment number and title:

Security HND B09
Plagiarism
Formative feedback : Assessor to student
Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who
break the rules, however innocently, may be penalised. It is your responsibility to ensure that you
understand correct referencing practices. As a university level student, you are expected to use
appropriate references throughout and keep carefully detailed notes of all your sources of materials for
material you have used in your work, including any material downloaded from the Internet. Please
consult the relevant unit lecturer or your course tutor if you need any further advice.
Action plan
Student Declaration
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the
consequences of plagiarism. I understand that making a false declaration is a form of
malpractice.
Student signature: Janindu Bhanuka Date: 12-Sep-2021

Summative feedback
Assignment Feedback
Assessor name
Formative feedback : Student to assessor
Assessor Signature Date

Pearson BTEC 12-Sep-2021
Student Signature Janindu Bhanuka Level 4 HND in Date
Qualification Computing

Unit Number and title Student name B.H.K. Janindu
Unit 5- Security Bhanuka
Criteria To achieve the criteria the evidence must show that the student Achieved? (tick)
Reference is able to:
LO1 Assess risks to IT Security

P1 Identify types of security risks to organisations.
P2 Describe organisational security procedures.
LO2 Describe IT Security solutions
P3 Identify the potential impact to IT security of incorrect
configuration of firewall policies and third party VPNs.
P4 Show, using an example for each, how implementing a DMA,
status IP and NAT in a network can improve Network Security.
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to
an organisation.
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery
plan, justifying the reasons for inclusion.
Higher Grade achievements (where applicable)

Grade descriptor Achieved? (tick) Grade descriptor Achieved?
(tick)
M1 Propose a method to assess LO1 and LO2
and treat IT security risks D1 Investigate how a 'trusted
M2 Discuss three benefits to network' may be part of an IT
implement network monitoring security solutions
systems with supporting reasons
M3 Summarise the ISO 31000 LO3
risk management methodology D2 Consider how IT security can
and its application in IT Security be aligned with organisational
policy, detailing the security
M4 Discuss possible impacts to
impact of any misalignment
organisational security resulting
from an IT security audit
M5 Discuss the roles of LO4
stakeholder in the organisation D3 Evaluate the suitability of the
to implement security audit tools used in an organisational
recommendations policy

Task 01 (LO1)
1. Define what is a security risk and state 4 examples. (P1)

2. Briefly describe following terms. (P1)
a) Tailgating
b) CIA triad
c) DDoS attack
3. Differentiate an attack and a threat. (P1)

4. Explain what is data theft. ( Include definition, what kind of data can be theft, how it
happens, effects and preventive measures.) (P2, M1)
5. Explain how threats and risks can effect business continuance. Further address how
backups help in this process. (P2, M1)
6. What is an IT audit? Define three types of audits. (P2)
7. Propose a method to assess and treat IT security risks. (P2, D1)
Task 02 (LO2)
1. Define the terms Internet security, Network security, Endpoint Security, and
Vulnerability assessment.(P3)
2. State few techniques to test network security and give examples for network security
testing tools. (P3)
3. Explain how following technologies would benefit facilitating a ‘trusted network’.
(Support your answer with suitable illustrations). (P4, M2, D1)
I. DMZ
II. Firewalls
III. NAT
IV. VPN
4. Explain what is Raid. Describe different levels of Raids (0,1,5,6,10) and describe
comparatively how they can improve security. (Support your answer with suitable
illustrations). (P4, M2, D1)
5. Encrypt following message using Caesar cipher using shift values 3 and 5. Show your
work. And briefly state the need of encryption to enhance security. (P3, M2)
Plain text : IHAVEADOGNAMEDLAILA
6. Differentiate in between data replication and backup. (P3)

7. What is a data centre and why virtualization of a data centre is important. (M2, D1)

Task 03 (LO3)
1. What is a risk assessment and explain the need of a risk assessment to an organization.
(P5)
2. Briefly describe the steps to conduct a risk assessment based on ISO 27001 standards.
(P5, M3)
3. Describe the process of risk management based on ISO 31000 standards. (P5,M3)
4. Briefly differentiate Integrated Risk Management (IRM) and Enterprise Risk
Management (ERM). (P6)
Suppose you are the Chief Information Security Officer (CISO) at a well reputed
organization. Answer the questions below. (State assumptions you made if there are any.)
5. Write a brief description explaining, methods and strategies you will use in order to
conduct a risk analysis and security audit for your organization. (P6, M4, D2)
6. State 5 importance of disaster recovery for an organization. (P6)
7. Explain the how misalignment of organizational policies and physical IT security will
affect your organization. (P6, M4, D2)
Task 04 (LO4)
1. Write 3 organizational policies that can be assumed as measures of organisational

security and role of staff for the cases including system access, access to internet email,
access to internet browser, development or use of software, physical access and
protection, third party access, business continuity and the responsibility matrix. Use a
table in the given below format to write your answers. (P7, M5, D3)

Case Policies Role of staff
System access a) Answer 1

b) Answer 2
c) Answer 3
Access to internet email .............
2. Discuss the need for security standards in business. (P7)

3. Explain how to prepare a disaster recovery plan for an organization. (P8, M5, D3)
4. Briefly analyze the effectiveness of ethical hacking within vulnerability testing. (P8, M5)

Learning Outcomes and Assessment Criteria
Pass Merit Distinction
LO1 Assess risks to IT security
P1 Identify types of security risks M1 Propose a method to assess
to organisations and treat IT security risks LO1 & 2
D1 Investigate how a
'trusted network' may be
P2 Describe organisational security
part of an IT security
procedures
solutions
LO2 Describe IT security solutions
P3 Identify the potential impact to M2 Discuss three benefits to
IT security of incorrect implement network monitoring
configuration of firewall policies systems with supporting reasons
and third party VPNs
P4 Show, using an example for

each, how implementing a DMA,
status IP and NAT in a network can
improve Network Security
P5 Discuss risk assessment M3 Summarise the ISO 31000 D2 Consider how IT
procedures risk management methodology security can be aligned
P6 Explain data protection and its application in IT Security with organisational
processes and regulations as M4 Discuss possible impacts to policy, detailing the
applicable to an organisation organisational security resulting security impact of any
from an IT security audit misalignment
P7 Design and implement a M5 Discuss the roles of D3 Evaluate the
security policy for an organisation stakeholder in the organisation to suitability of the tools
P8 List the main components of implement security audit used in an organisational
an organisational disaster recommendations policy
recovery plan, justifying the
reasons for inclusion
Table of The Contents

Contents
Acknowledgement.............................................................................15
Task 01............................................................................................16

Task 1.1 Security Risk.....................................................................16
Task 1.2 Tailgating, CIA Triad & DDOs Attack.....................................18
Task 1.3 Difference between Attack & Threat......................................19
Task 1.4 Data Theft........................................................................20
Definition....................................................................................20
Types of Data Thefts....................................................................20
Reasons for The Data Theft...........................................................22
Preventing Tricks.........................................................................23
Task 1.5 Impact of the Threats & Risks for a Business..........................24
Data Backup...............................................................................25
Task 1.6 IT Audit............................................................................26
Types of IT Audit.........................................................................27
Task 1.7 IT Security Risk Assessment................................................28
Task 02............................................................................................30
Task 2.1 Internet Security, Network Security, Endpoint Security &
Vulnerability Assessment.................................................................30
Internet Security.........................................................................30
Network Security.........................................................................30
Endpoint Security.........................................................................31
Vulnerability Assessment...............................................................31
Task 2.2 Network Security Testing Techniques & Tools.........................32
Network Security Testing Techniques..............................................32
Network Security Testing Tools......................................................34
Task 2.3 Trusted Networks...............................................................36
DMZ...........................................................................................36
Firewalls.....................................................................................37
NAT...........................................................................................38
VPN...........................................................................................41
Task 2.4 RAID................................................................................42
Versions of RAID..........................................................................43
Task 2.5 Encryption........................................................................45
Caesar Cipher..............................................................................45
Task 2.6 Data Replication & Backup...................................................48
Data Backup...............................................................................48
Data Replication..........................................................................48
Task 2.7 Data Centers & Virtualization...............................................49
Data Centers...............................................................................49
Virtualization...............................................................................50
Importance of Virtualization...........................................................51
Task 03............................................................................................52
Task 3.1 Risk Assessment................................................................52
Task 3.2 Steps of Risk Assessment ISO 27001....................................55
Task 3.3 Steps of Risk Assessment ISO 30001....................................58
Task 3.4 Difference between IRM & ERM............................................60

Task 3.5 Risk Analysis, System Audit Conducting Strategies and Methods
....................................................................................................61
Auditing Techniques & Methods......................................................61
Risk Analyzing Techniques & Methods.............................................62
Task 3.6 Importance of Disaster Recovery Plan...................................64
Task 3.7 Effectiveness of IT Security Policies for an Organization...........66
Task 04............................................................................................68
Task 4.1 Organizational Policies........................................................68
System Access Policies.................................................................68
Internet & Email Policies...............................................................69
Internet Browsing Policies.............................................................70
Software Using Policies.................................................................71
Physical Access Policies.................................................................72
Third Party Access Policies.............................................................73
Other Policies and Responsibilities..................................................74
Task 4.2 Need of Security Standards.................................................75
Network Standards.......................................................................75
Importance of Network Standards..................................................76
Task 4.3 Disaster Recovery Plan.......................................................77
Task 4.4 Effectiveness of Ethical Hacking...........................................79
References.......................................................................................80

List of Figures
Figure 1 Acknowledgement.................................................................15
Figure 2 Data Backup.........................................................................25
Figure 3 8 Principles of IT Audit...........................................................26
Figure 4 Risk Assessment...................................................................29
Figure 5 Vulnerability Assessment........................................................31
Figure 6 Network Security Techniques..................................................33
Figure 7 Intruder Tool........................................................................34
Figure 8 OWASP................................................................................34
Figure 9 ACUNETIX............................................................................35
Figure 10 Wireshark...........................................................................35
Figure 11 W3AF.................................................................................35
Figure 12 DMZ..................................................................................36
Figure 13 Firewall..............................................................................37
Figure 14 Static NAT..........................................................................38
Figure 15 Dynamic NAT......................................................................39
Figure 16 NAT Overloading.................................................................40
Figure 17 VPN...................................................................................41
Figure 18 RAID 0...............................................................................43
Figure 19 RAID 1...............................................................................43
Figure 20 RAID 5...............................................................................43
Figure 21 RAID 6...............................................................................44
Figure 22 Caesar Ciper Source Code.....................................................47
Figure 23 Virtualization......................................................................50
Figure 24 Risk...................................................................................54
Figure 25 ISO 27001..........................................................................57
Figure 26 ISO 30001..........................................................................59
Figure 27 Network Standards Organizations..........................................76


Acknowledgement
Foremost, I would like to express my sincere gratitude to my Subject Lecturer and my
Assignment Adviser Ms. Dharani Abeysinghe at the CINEC Campus for giving good guidance
and motivation to me.
Also, in preparing for this project, I could not complete it without the support of my batch mates.
They always direct me to create this project successfully.
My sincere thanks also go to my dearest parents for giving me valuable advice and for giving me
their maximum support to complete this project.
Finally, I would like to say Thank you to the unmentioned people who have guided me, directly
and indirectly, to write this project successfully.
Figure 1 Acknowledgement

Task 01
Task 1.1 Security Risk
The likelihood of exposure, loss of key assets and sensitive information, or reputational harm as
a result of a cyber assault or breach within an organization's network is known as security risk.
Security must remain a key priority across industries, and businesses should work to create a
cybersecurity risk management strategy to guard against ever-evolving cyber threats. We can
divide security risks into three main parts.
 Threats
o Social engineering attacks, DDoS attacks, and advanced persistent threats are just
a few examples of threats. Threat actors are often linked to nation-states, insiders,
and criminal businesses, and are driven by monetary gain or political ambitions.
 Vulnerability
o A vulnerability is a weakness, fault, or error in cybersecurity that can be exploited
by attackers to gain unauthorized access. Vulnerabilities can be exploited in a
variety of ways, which is why vulnerability management is so important for
staying one step ahead of thieves.
 Consequence
o The real injury or damages that occur as a result of a network disruption are
referred to as the consequence. In most cases, when a company works to solve the
problem, it will suffer both direct and indirect consequences. The effects of an
attack may have an influence on an organization's finances, operations, reputation,
and regulatory compliance status, depending on the nature of the attack.
[ CITATION Neg21 \l 1033 ]

Examples for the Security Risks

1. Phishing
a. This type of cyber fraud aims to collect personal data such as credit card numbers
and passwords. Phishing assaults take the form of quick phishing e-mails or
messages made to look real, impersonating respected banking institutions,
websites, and personal relationships. You are prompted to provide your bank
details or use your credentials when you visit the URL or reply to the mails,
which sends your data to the malicious source.
2. Computer Viruses
a. These are small pieces of software that can be transferred from one machine to
another. They are usually downloaded from certain websites or provided as e-mail
attachments with the intention of infecting your computer as well as other
computers on your contact list via your network's infrastructure. They have the
ability to disable your security settings, send spam, steal and destroy data from
your computer, and even wipe your hard drive clean.
3. Malware
a. Malware is a type of dangerous software that criminals use to take control of your
computer, steal your personal information, or install harmful apps on your device
without your knowledge. Spyware, Trojans, and worms are propagated via pop-up
advertising, infected files, phony websites, and e-mail communications.
4. Rogue Security Software
a. This is malicious software that deceives users into believing that their security
measures are outdated or that their computer is infected with a virus. They then
offer to assist you in installing or updating the user's security settings by charging
you for a tool or requesting that you download their program to help you remove
the supposed infections. This can result in malware being installed on your
device.[ CITATION 5Mo20 \l 1033 ]

Task 1.2 Tailgating, CIA Triad & DDOs Attack

Task 1.2.1 Tailgating
Tailgating, or the piggybacking, is a physical security violation in which an unauthorized person
such as a hacker enters to a fully secured location after an authorized person. Tailgating is a
social engineering based process of avoiding many security mechanisms that one would consider
secure. Even retina scanners are useless if an employee, out of misguided courtesy, keeps the
door open for an unknown individual behind them. Disgruntled former employees, thieves,
vandals, and those with issues with staff or the company are all possible tailgaters. Any of these
have the potential to cause business disruption, damage, unanticipated costs, and extra safety
concerns.[ CITATION tec17 \l 1033 ]
Task 1.2.2 CIA Triad

The three letters that make up the CIA triad stand for confidentiality, integrity, and availability.
When these three ideas are combined, they constitute the cornerstone of every company's
security architecture. They also act as objectives and goals for any security programs. When data
is spilled, a system is hacked, a user falls for phishing bait, an account is hijacked, a website is
deliberately taken down, or any number of other security issues occur, you can be confident that
one or more of these principles has been breached.[ CITATION Deb19 \l 1033 ]
Task 1.2.3 DDOs Attack

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt a targeted
server's, services, or network's normal traffic by flooding the target or its surrounding
infrastructure with Internet traffic. Websites and online services are the targets of DDos attacks.
The objective is to overload them with traffic that exceeds the capability of the server or
network. The goal is to block access to the website or service. Incoming messages, connection
requests, and bogus packets might all be part of the stream. In other circumstances, the intended
victims are subjected to a DDoS attack or a low-level attack. This might be combined with a
threat of a more serious attack unless the company pays a cryptocurrency ransom.[ CITATION
clo21 \l 1033 ]

Task 1.3 Difference between Attack & Threat

From a security standpoint, threats and attacks are two critical occurrences. From the standpoint
of network security, it is critical to grasp the differences between the two. A threat is a potential
security breach that exploits a system or asset's weakness. Accidental, environmental, human
error, or human failure may be the source of the threat. Interruption, interception, fabrication,
and alteration are all different forms of security threats. A purposeful illegal activity on a system
or object is referred to as an attack. Active and passive attacks are two types of attacks. When the
chance arises, an attack will have a motive and will follow a technique.[ CITATION swe20 \l
1033 ]
Threat Attack
 Can be initiated by system itself as
 Is always initiated by outsider
well as outsider.
 Can be intentional or
  Can be intentional
unintentional
 Comparatively hard to detect  Comparatively easy to detect
 Circumstance that has ability to
 Objective is to cause damage
cause damage
 May or may not be malicious  May be malicious
 Information may or may not  Chance for information alteration and

be altered or damaged damage is very high
 Can be blocked by control of  Cannot be blocked by just controlling
vulnerabilities the vulnerabilities
[ CITATION swe20 \l 1033 ]

Task 1.4 Data Theft

Definition
Data theft is defined as the unauthorized transfer or storage of any secret, personal, or financial
information, such as passwords, software code, or algorithms, proprietary process-oriented
knowledge, or technology. The implications of data theft, which is considered a serious security
and privacy breach, can be severe for both individuals and corporations.
Types of Data Thefts

MITM Attack
A man-in-the-middle attack is a challenging security breach to spot because it includes a
malicious actor infiltrating your system via a trusted "man in the middle." Typically, the hacker
will get access to a customer's system before launching an assault on your server. One of two
methods can be used to accomplish this.
 Taking advantage of a relationship you've already built with your consumer

 Taking a client's IP address and impersonating the customer in order to entice you into
submitting sensitive information or money.
Dos & DDOs Attacks

A denial-of-service (DoS) attack attempts to bring a network or service down by flooding it with
traffic until it becomes unmanageable. A distributed-denial-of-service (DDoS) attack uses
botnets to seize devices and deliver traffic from many sources to bring a network down. A DDoS
attack isn't a data breach in and of itself, and many are employed to cause chaos on the victim's
end and disrupt corporate activities. DDoS attacks, on the other hand, might be used as a
smokescreen for other attacks taking place behind the scenes.

Phishing & Spear Phishing

If you've ever received an email purporting to be from a reputable organization with whom you
have an account—for example, Paypal but something about the email felt odd, you've most
likely been the victim of a phishing scam. Phishing is when a hacker sends an email that appears
to have come from a reputable firm or website. The email will frequently sound obnoxious,
strange, or contain spelling and grammatical mistakes. Phishing emails will try to persuade the
receiver to do something, such as click a link or download an attachment. The link or attachment
generally asks for personal information or includes malware that infects the computer.
Cross Site Scripting Attack

An effort to insert malicious scripts into websites or web apps is known as a cross-site scripting
(XXS) attack. A successful XXS attack necessitates the victim visiting a website and having the
network translate the page with the attacker's HTML. This implies that when the webpage hits
the victim's browser, the malicious script is instantly executed. This attack aims to take
screenshots, log keystrokes, collect network information, steal cookies, and even gain remote
access to the victim's device. This might be one technique of starting a broader attack that results
in a full-fledged data breach.
Eavesdrop Attack
Eavesdropping is a type of attack that involves intercepting network communication. The hacker
uses your network behaviour to monitor things like credit card numbers and other potentially
valuable, sensitive information in eavesdropping assaults. Active and passive eavesdropping
attacks are the two forms of eavesdropping assaults. The hacker will pose as a trustworthy server
and send requests to the transmitters in an active attack. A passive attack, on the other hand,
listens to data transmitted across the network.[ CITATION Nab20 \l 1033 ]

Reasons for The Data Theft
1. Ineffective passwords
a. Password theft is a popular target for attackers since it is a low-cost, easy
approach with high returns.
2. Faulty networks
a. The possibility for data theft is rising as gadgets and technologies become more
sophisticated. The growth of the Internet of Things, in particular, is giving
hackers new ways to attack an increasing number of internet-connected devices
and endpoints. Industrial equipment with network and software sensors, as well as
healthcare systems with sensitive data, have become profitable targets for
corporate theft.
3. Unpatched servers
a. Security processes may constantly be improved, and developers are often
providing solutions to existing problems in server programs. However, it is the
responsibility of administrators to apply these patches: firms who neglect to check
for and deploy server upgrades leave their systems vulnerable to attack.
4. Insider threats
a. Companies face a significant risk from departing users. When employees leave
their company, 69 percent of companies lose data. Customer and prospect
information, as well as proprietary code, are frequently extremely sensitive data.
Disgruntled workers, on the other hand, might be tempted to steal business data
for personal or financial benefit.
5. Publicly available information
a. Hackers don't simply utilize technology to steal from businesses. Cybercriminals
are increasingly using social media and publicly available information to not only
target people, but also to gather the information they need to gain access to
business systems and steal employee data.[ CITATION Swa20 \l 1033 ]

Preventing Tricks
 Protect access to your networks

o To secure your company's and customers' data, make sure that only the
appropriate individuals have access to the appropriate resources at the appropriate
times. Robust authentication rules and context-aware multi-factor authentication,
which analyses every login request to confirm your users' identities, can help you
meet the Zero Trust mandate.
 Monitor employee activity
o It will be easier to figure out what happened after a cybersecurity issue if you
have consolidated visibility over user access rights and activity records. Advanced
techniques like automated incident response and user entity behaviour analytics
(UEBA) can also be used to safeguard sensitive data against insider data theft.
 Limit privileged access
o Users with the most access to corporate resources should be constantly watched
since they are an attacker's most valuable path into your company's sensitive,
mission-critical data. Only the knowledge and resources that each employee
requires to perform their job should be granted access. Furthermore, admin
accounts should not be utilized for everyday duties; access permissions should be
readily reduced or fully deleted as necessary.
 Protect your access points
o Verifying a user's identity every time they try to access sensitive information is
critical to maintaining the security of business data. Enhanced data protection
methods and technologies are required to protect business-critical resources.
 Implement policy procedures
o Data theft is the responsibility of every employee. To assist them, businesses
should establish clear and unambiguous data security rules that make everyone
responsible for data security. Data privacy, email usage, password protection, and
mobile device usage should all be addressed.[ CITATION Swa20 \l 1033 ]

Task 1.5 Impact of the Threats & Risks for a

Business
A successful cyber assault may be devastating to your company. It may have an impact on your
financial line, as well as your company's reputation and consumer trust. A security breach may
be classified into three types of consequences. They are financial, reputational, and legal.
Financial Impact
Cyber assaults frequently result in significant financial damage as a result of,
1. Information theft from a company

2. Financial information theft such as bank details or payment card details)
3. Money theft causes commerce to be disrupted such as inability to carry out transactions
online)
4. Business or contract loss
Businesses that have had a cyber breach will almost always have to pay to restore the damaged
systems, networks, and devices.
Reputational Impact
Customer relationships require a high level of trust. Cyber assaults may harm your company's
brand and destroy your consumers' faith in you. As a result, following can happen. They are,
1. Customers are leaving.

2. Profits are reduced due to a decrease in sales.
Reputational harm may have an influence on your suppliers, as well as your relationships with
partners, investors, and other stakeholders in your company.

Legal Impact
Data protection and privacy regulations require you to keep track of the security of any personal
information you have about your employees or clients. You might face penalties and regulatory
consequences if sensitive data is unintentionally or intentionally compromised, and you failed to
implement sufficient security measures.
Data Backup
The act of putting up a security system to back up data in the case of a loss and recover the data
as backup data is known as data backup and recovery. You must copy and back up your
computer data while backing up your data so that you may retrieve it in the event of data damage
or destruction. You can only get data back if you back it up from time to time. Data backup is
one type of disaster recovery and is an essential component of a well-thought-out disaster
recovery strategy. When you back up your data, it's not always possible to restore all of your
system's data and settings. Computer clusters, database servers, and active directory servers, for
example, require extra catastrophe recovery since backup and recovery have not entirely
reorganized them. Large quantities of data may now be backed up using cloud storage. As a
result, no data backup to the local system hard drive or external storage is required. Cloud
computing may also be used to process mobile devices and enable automatic data recovery.
Figure 2 Data Backup

Task 1.6 IT Audit

An IT audit examines and evaluates an
organization's information technology
infrastructure, applications, data use
and management, rules, procedures,
and operational processes against
recognized standards or norms. Audits
determine if the procedures in place to
safeguard information technology
assets are effective and consistent with
Figure 3 8 Principles of IT Audit
the organization's goals and
objectives.[ CITATION har20 \l 1033 ] A financial statement audit is not the same as an
IT audit. While the goal of a financial audit is to determine whether the financial statements
accurately reflect an entity's financial position, results of operations, and cash flows in all
material respects in accordance with generally accepted accounting principles, the goal of an IT
audit is to determine the system's internal control design and effectiveness. Efficiency and
security procedures, development processes, and IT governance or supervision are all examples
of this. Installing controls is important, but it isn't enough to provide appropriate security. People
in charge of security must examine if the controls have been established correctly, whether they
are effective, and if a security breach has happened, and if so, what steps may be taken to avoid
future breaches. Independent and unbiased observers must respond to these questions. The work
of information system auditing is being carried out by these observers. An audit of information
systems, their inputs, outputs, and processing takes place in an Information Systems context.
There are main 5 process to conduct an IT audit.[ CITATION Wik21 \l 1033 ]
 Planning
 Studying and Evaluating Controls
 Testing and Evaluating Controls
 Reporting
 Follow-up

Types of IT Audit
Technology Innovation Audit
Technology innovation audit, as a new field in management audit, broadens the scope of
traditional financial auditing and applies it to oversee, guide, and assess a company's
technological innovation operations. The use of a technological innovation audit can improve not
only the success rate of technological innovation operations, but also the capacity of businesses
to recognize and fix errors in this area. The structure of technological innovation audit may be
split into three components based on the features of information asymmetry in technological
innovation management.
 The audit of the professional and technical innovation capacity of staff, as well as the
incentive mechanism, may be used to address information imbalance between employees
and management.
 The audit of an enterprise's credit database, as well as technical and technological
innovation initiatives, can help to resolve information imbalance between shareholders
and creditors.
 The audit of market adaption of technical innovation initiatives helps address information
imbalance between businesses and external stakeholders.[ CITATION Yiy12 \l 1033 ]
Innovative Comparison Audit

This audit is a comparison of the audited company's inventive capabilities to those of its rivals.
This necessitates a review of the company's R&D facilities as well as its track record of actually
generating new goods.
Technological Position Audit

A technology audit is a comprehensive examination of a company's overall IT infrastructure, as
well as how it is presently used, including operations and rules. A thorough audit will reveal if
those procedures and rules make the greatest use of the organization's assets and whether the data
it interacts with is maintained securely. Any security vulnerabilities should be identified
throughout the audit. It should also be able to determine whether the company is abiding by any
IT-related industry regulations.[ CITATION get21 \l 1033 ]

Task 1.7 IT Security Risk Assessment

In a nutshell, a risk assessment is an analysis of a specific activity that you perform at work that
has the potential to damage others. The objective is to comprehend any potential dangers before
detailing and taking appropriate precautions to avoid injury. As a result, a risk assessment can
assist you in comprehending and preparing for such events. Mainly, there are five steps to
conduct a successful risk assessment.
 Identify the Hazards

o To detect risks, you must first comprehend the distinction between a hazard and a
risk. A hazard is defined as anything that has the potential to cause harm, while a
risk is defined as the chance of that potential harm occurring. Physical, emotional,
chemical, and biological dangers, to mention a few, may all be found in the
workplace. Hazards may be detected using a variety of methods, but one of the
most popular is to go around the workplace and observe any procedures,
activities, or chemicals that could damage or harm people first-hand.
 Determine who may be harmed and how they could be harmed.
o Full-time and part-time workers, contract personnel, visitors, clients, and other
members of the public in the workplace can all be identified as being at risk.
Employees working night shifts, for example, and lone workers are examples of
persons who may not be at the office all of the time or at different hours. You'll
need to know who could be injured for each danger; this, in turn, will assist you
develop preventative actions for reducing the risk.
 Assess the hazards and make a decision on control strategies.
o Once hazards have been identified, the next logical step is to eliminate all related
risks; however, if this is not practicable, control measures should be implemented.
If a person works as a cleaner, for example, they will unavoidably come into
touch with chemicals. Although a hazard of this magnitude is unlikely to be
removed, control measures such as providing protective gloves, mops, and even
training on how to safely store and use cleaning chemicals may and should be
adopted.

 Record your findings
o The HSE advises that you keep track of any important results. These results will
contain the dangers, how they may damage individuals, and, most importantly,
the control mechanisms you have put in place. It's worth noting that only
businesses with five or more employees are required to record the results of a risk
assessment in writing; nonetheless, having a reference is still a good idea.
 Review the risk assessment
o Remember that few workplaces remain the same over time, thus this risk
assessment should be evaluated and modified as needed.[ CITATION ros15 \l
1033 ]
Figure 4 Risk Assessment

Task 02
Task 2.1 Internet Security, Network Security,
Endpoint Security & Vulnerability Assessment
Internet Security
The protection of data transferred over the Internet is based on particular resources and
standards. Various types of encryption, such as Pretty Good Privacy, are included in this
category (PGP). Firewalls, which block undesirable traffic, and anti-malware, anti-spyware, and
anti-virus applications, which monitor Internet traffic for harmful attachments and work from
particular networks or devices, are also part of a safe Web setup. Both companies and
governments are increasingly placing a premium on internet security. Financial information and
much more is protected by good Internet security on the servers and network infrastructure of a
business or agency. Inadequate Internet security can put an e-commerce firm or any other
organization that sends data over the Internet at risk of going bankrupt.
Network Security
Your network and data are protected by network security against breaches, invasions, and other
dangers. This is a broad word that encompasses hardware and software, as well as procedures,
regulations, and settings pertaining to network use, accessibility, and overall threat prevention.
Access control, virus and antivirus software, application security, network analytics, several
forms of network-related security (endpoint, online, wireless), firewalls, VPN encryption, and
more are all part of network security. Client data and information must be protected, shared data
must be kept safe, and access and network performance must be dependable, as well as security
from cyber-attacks. A well-designed network security solution lowers operating costs and
protects businesses from costly data breaches and other security incidents. Having lawful access
to systems, apps, and data allows companies to run their businesses and provide services and
goods to their consumers.

Endpoint Security
Endpoint security is the act of preventing cyberattacks on devices such as PCs, laptops, mobile
phones, and tablets. Endpoint security software allows organizations to secure devices that
workers use for work reasons against cyber threats, whether they are on a network or in the
cloud. Cybersecurity risks from more sophisticated cyber thieves are becoming more prevalent in
today's corporate scene. Every 39 seconds, hackers conduct a cyberattack, totaling 2,244 assaults
each day. Given the vast number of endpoints used to connect to networks, they are one of the
most popular targets. According to Strategy Analytics, there were 22 billion connected devices in
2018, with that number expected to increase to 38.6 billion by 2025 and 50 billion by 2030. As a
result, according to Verizon's threat assessment, malware was installed on endpoints in up to
30% of data breaches.
Vulnerability Assessment
The process of defining, detecting, categorizing, and prioritizing vulnerabilities in computer
systems, applications, and network infrastructures is known as vulnerability assessment.
Vulnerability assessments also offer the information, awareness, and risk backgrounds that a
business needs to comprehend and respond to dangers in its environment. A vulnerability
assessment informs an organization about the security flaws that exist in its environment. It also
instructs on how to evaluate the dangers connected with certain flaws. This approach gives the
company a greater knowledge of its assets, security vulnerabilities, and overall risk, lowering the
chances of a cybercriminal breaking into its systems and catching the company off guard.
Figure 5 Vulnerability Assessment

Task 2.2 Network Security Testing Techniques &

Tools
Security testing is a form of software testing that identifies vulnerabilities, hazards, and risks in
software applications and guards against hostile intruder assaults. The goal of security tests is to
find any software system flaws that might lead to a loss of data, income, or reputation at the
hands of the organization's workers or outsiders. The basic objective of security testing is to
discover and assess possible vulnerabilities in a system so that attacks can be faced and the
system does not cease working or be exploited. It also aids in the detection of any potential
security concerns in the system, as well as assisting developers in the resolution of issues through
code.
Network Security Testing Techniques

Cross Site Scripting
In addition, the tester should look for XSS in the online application (Cross site scripting). The
program should not allow any HTML, such as HTML, or any script, such as SCRIPT. If it is, the
application may be vulnerable to a Cross Site Scripting attack. This approach may be used by
attackers to run malicious scripts or URLs in a victim's browser. Cross-site scripting allows
attackers to steal user cookies and information contained in the cookies by using scripts such as
JavaScript.
Ethical Hacking
Ethical hacking is when a corporation or a person uses hacking to assist detect possible dangers
on a computer or network. An ethical hacker tries to go beyond the system's security and look for
any flaws that criminal hackers, often known as black hats, may exploit. White hats may
recommend system modifications that make them less vulnerable to black hat attacks.

Password Cracking
When it comes to system testing, password cracking is the most important aspect. Hackers can
use a password cracking tool or guess a common username or password to get access to an
application's secret parts. Common usernames and passwords, as well as open source password
cracking software, are readily available online. It is easy to break the login and password until a
web application requires a complicated password for example a lengthy password with a
combination of digits, letters, and special characters. If the username or password is saved
without encryption, another method of breaking the password is to target cookies.
Penetration Test
A penetration test is an attack on a computer system with the goal of uncovering security flaws
and gaining access to the system's functionality and data.
Risk Assessment
This is the process of evaluating and deciding on the risk associated with the type of loss and the
likelihood of vulnerability. Various interviews, conversations, and analyses are used to ascertain
this inside the company.
Security Auditing
A security audit is a systematic assessment of a company's information system's security by
determining how well it complies with a set of predetermined criteria.
Figure 6 Network Security Techniques

Network Security Testing Tools

Intruder
Intruder is a user-friendly enterprise-
grade vulnerability scanner. It performs
over 10,000 high-quality security checks
throughout your IT infrastructure,
including, but not limited to,
configuration flaws, application flaws
such as SQL injection and cross-site
scripting, and updates that are missing.
Intruder saves time and keeps
Figure 7 Intruder Tool
organizations of all sizes secure from
hackers by providing intelligently prioritized results as well as proactive scans for the latest
threats.
OWASP
The Open Web Application Security
Project is a non-profit organization
dedicated to enhancing software
security throughout the world. As
part of the project, many tools are
Figure 8 OWASP
provided for pen testing various
software environments and protocols.

Acunetix
Acunetix by Invicta is a simple and easy-to-use tool that helps small and medium-
sized businesses protect their online applications against costly data breaches.
It accomplishes this by identifying a wide range of online security
vulnerabilities and assisting security and development experts in resolving
them quickly.
Figure 9 ACUNETIX
Wireshark
Wireshark, formerly known as Ethereal, is a
network analysis tool. It collects packets in
real time and displays them in a way that is
understandable to humans. It's essentially
a network packet analyzer that gives you
minute data about your network protocols,
decryption, packet information, and so on.
Figure 10 Wireshark
It's free and open source, and it works with Linux, Windows, OS X, Solaris, NetBSD, FreeBSD,
and a variety of other operating systems. The information collected by this utility may be
examined using a GUI or the TShark Utility in TTY mode.
W3AF
W3af is a framework for web application attack and
auditing. It contains three sorts of plugins: discovery,
audit, and attack, all of which communicate with one
another to detect any site vulnerabilities.. For
example, a discovery plugin in w3af looks for
different urls to test for vulnerabilities and forwards
Figure 11 W3AF them to the audit plugin, which then searches for
vulnerabilities using these URLs.[ CITATION gur15
\l 1033 ]

Task 2.3 Trusted Networks

DMZ
De-Militarized Zone is a physical or logical network that separate a LAN from other untrusted
networks such as the internet. The "Perimeter Network" or "Screened Subnetwork" is another
name for the DMZ. It acts as a neutral zone because it is implemented between the company
private network and the outside public network and it prevents the organizational network from
unauthorized users such as hackers. There are some resources and services in this DMZ such as
external-facing servers like proxy servers, mail servers, DNS servers, and FTP servers. So, these
resources and services only can access the internet. It cannot access the LAN. We can implement
the DMZ in two methods.
Single Firewall DMZ

The single firewall method is used one firewall with minimum of three network interfaces. So,
the external network device is connected to the internet service provider and it provides the
connection through the 1st network interface. The LAN is connected to the firewall through the
2nd network interface. Also, the DMZ is connected to the firewall through the 3 rd network
interface.
Dual Firewall DMZ

The dual firewall method it is used two firewalls. The first firewall is used to allow traffic which
are assigned to the DMZ. This firewall is also called the “Frontend Firewall”. The second
firewall is used to allow traffic to the LAN from the DMZ. This firewall is also called the
“Backend Firewall”.
Figure 12 DMZ

Firewalls
A firewall is a network
security device that
monitors and regulates
incoming and outgoing
traffic and chooses whether
to allow or prohibit certain
types of traffic based on a
set of security rules. These
security rules are based on
Figure 13 Firewall the policies of an
organization or a company.
So, it acts as a filter between the trusted local area network and the untrusted public network
(internet). The Firewall accepts the permitted traffic. It rejects the deny traffic with an error
message “unreachable error”. In some cases, it drops some traffics without any error message. A
Firewall can be software, hardware, or a cloud-based system. Firewalls can divide into 6 main
categories by considering the firewall generation.
1. First Generation Firewall

First-generation firewall is a packet filtering firewall. It permits or denies the traffic
by considering the filtering table which is assigned to the firewall. The filtering table is
based on the source IP, source port, destination IP, destination port, and the action. The
filtering procedure consists of these filtering rules. This type of firewall act as a
checkpoint between a trusted and untrusted network.
2. Second Generation Firewall
Second-generation firewall is a stateful inspection firewall. It ensures the state of the
data packet’s connection. Also, it keeps a record of the state of the data packet’s
connection which is across the firewall.
3. Third Generation Firewall
Third-generation firewall is an application layer firewall. It also can be used as a
network address translator in network security.
4. Proxy Firewall
Proxy firewalls filter the network traffic at the level of an application. So, the client
must send a request to the firewall, and the firewall checks this particular request is an
authorized request from a trusted client or an unauthorized request from an untrusted
client. Then the firewall action will be deny or allow the client request.
5. Software Firewall
6. Hardware Firewall

NAT
Network Address Translation is a translation procedure or a technology where a router or a
similar network device translates one IP address to another IP address. A router translates the
private IP addresses of an internal host into its public IP address for outgoing traffic. Also, the
router translates its public IP address to an internal private address for incoming traffic. NAT is
normally used to restrict the number of public IP addresses which use in an organization or a
company for both security and financial purposes. So, NAT gives access for the unregistered
private network address to connect the internet by translating the private network addresses into
a legalized addresses. Also, NAT translates the port address of each host by generating a port
mask for each port. Generally, NAT operates in a firewall or a router. We can divide NAT into
three main types.
Static NAT
In Static Network Address Translation, a single private IP address is converted and mapped with
a single public IP address. So, this is one to one network address translation process. Static NAT
is normally used for web hosting. Static NAT deals more with incoming traffic.
Ex-:
Private Pub lic

Ne twork Ne twork
Web Server
192.168.100.2
Internet
FTP Server Router

192.168.100.3
Private Network Public Network
192.168.100.2 1.2.3.4
Mail Server
192.168.100.4
192.168.100.3 1.2.3.5
192.168.100.4 1.2.3.6
Figure 14 Static NAT

Dynamic NAT
In Dynamic Network Address Translation, a single private IP address is converted and mapped
with a single public IP address which is in a public address pool. If the IP addresses of the pool
are over, the translation process will be finished. So, we should take the same number of public
addresses as the number of private addresses. Dynamic NAT also defines as “IP masquerading”
because it masks the internal hosts and makes it difficult for external hackers to monitor a
specific host.
Ex-:
Assume there is a public address pool with the following IP addresses only.
1.2.3.4, 1.2.3.5, 1.2.3.6
Private Pub lic

Ne twork Ne twork
Web Server
192.168.100.2
Internet
FTP Server Router

192.168.100.3
192.168.100.2 1.2.3.4
192.168.100.3 1.2.3.5
Mail Server
192.168.100.4
192.168.100.4 1.2.3.6
Computer 192.168.100.6
192.168.100.6
Figure 15 Dynamic NAT

NAT Overloading
In NAT Overloading or Port Address Translation, a single private IP address is converted and
mapped with a single public IP address by using different source ports.
Ex-:
Private Pub lic

Ne twork Network
Computer
192.168.100.2
Computer Internet
192.168.100.3
Router
192.168.100.2:80 1.2.3.4:8000
Computer
192.168.100.4
192.168.100.3:80 1.2.3.5:8001
192.168.100.4:80 1.2.3.6:8002
Computer
192.168.100.6
192.168.100.6:80 1.2.3.7:8003
Figure 16 NAT Overloading
Advantages Disadvantages
 Increase flexibility when connecting  End-to-end IP traceability is lost.
to the internet.
 Provide security by hiding internal IP  Certain applications such as VoIP will
address not function well with NAT
 Conserves the registered addresses  Translation introduces the switching
path delays
Table 1 NAT Overloading Pros & Cons

VPN
A virtual private network links two private networks over a public network such as the Internet.
A VPN is formed by using dedicated connections, virtual tunneling technologies, or traffic
encryption to create a virtual point-to-point connection. Users can transmit and receive data via
shared or public networks as if they were directly linked to the private network, taking advantage
of the private network's functionality, security, and management policies. Traditional VPNs have
a point-to-point architecture, and they don't usually support or link broadcast domains. As a
result, communication, software, and networking dependent on OSI layer 2 and broadcast
packets, such as NetBIOS used in Windows networking, may not be completely supported or
function as expected over a wide-area network. This restriction is addressed by VPN variations
such as Virtual Private LAN Service (VPLS) and layer 2 tunneling technologies. Employees may
safely access the business intranet when away from the office using VPNs. Similarly, VPNs may
securely link an organization's remote offices in different areas of the world, establishing a single
interconnected network via which they can interact safely. In addition, individual internet users
utilize VPN technology to protect their IP addresses and financial activities, as well as to bypass
national and censorship-imposed international internet limitations. [ CITATION Ess15 \l 1033 ]
Figure 17 VPN

Task 2.4 RAID

Definition of RAID is Redundant Array of Independent Disks, and it's a virtual disk technology
for combining several physical drives into a single unit. RAID can provide redundancy, boost
performance, or accomplish both at the same time. RAID should not be regarded a substitute for
data backup. If you're putting important data on a RAID array, make sure you back it up to
another physical disk or logical group of drives. RAID use different types of technologies.
 Spanning & Software Stripping
o Information is split and written over many physical disk devices. RAID 0 makes
use of this method.
 Mirroring
o Data is duplicated from one disk drive to another.
 Duplexing
o The disk drive and the disk controller are duplicated.
 Deferred
o When the disk drive becomes accessible, data is stored in cache memory and
written to the hard drive.
 Hot Swapping
o While the rest of the system is operational, failed disk drives can be replaced and
data transferred back to the disk drive.
 Hot Sparing
o When one of the disk drives breaks, the array is automatically initialized.

Versions of RAID
RAID 0
Block interleave and software stripping (minimum 2 drives).
For a quicker operation and less possibility of overloading,
data is written to each drive in order, with each block moving
to the next available drive (striping). Of fact, the total volume
might be considerably bigger than any one drive. Because
Figure 18 RAID 0
there is no redundancy, a single drive failure brings the
system to a halt. RAID 0 is the most economical and quickest array type, however it has no fault
tolerance.
RAID 1
Mirroring and duplexing of disks (minimum 2 drives). Drives are used
in pairs, and all data is written to both drives in the same way. By
connecting each drive to its own interface controller, each drive may
be duplexed. The failure of a single drive does not put the system to a
halt. The other drive, on the other hand, continues to work. Of course,
two drives are now used to provide the same amount of storage as one
Figure 19 RAID 1 drive. This level provides no benefit in terms of performance. A wide
range of options for high-performance, fault-tolerant settings.
Furthermore, if just two disks are required for fault tolerance, RAID 1 is the sole option.
RAID 5
Data striping, block interleave, and distributed check
data on all drives For NetWare, this is the one to use.
Data concerning parity may be found on each of the
disks of a hard drive. As the number of drives in a
RAID 5 array grows, so does its efficiency. Hot
spares can be used to repair a failing drive on the fly.
Figure 20 RAID 5
The best option in multi-user settings when write speed

isn't a concern. RAID 5 arrays, on the other hand, require at least three and, in most cases, five
drives.
RAID 6
Additional file system that links the physical sectors of a disk
drive to their logical representation in RAID 5 log structured.
Sequentially, information is stored on physical disk sectors.
Figure 21 RAID 6
RAID 10
RAID Description Operation Advantages Disadvantages Recovery
mode
RAID 0 Disks with There are two Large size and No redundancy. In the event that
stripes or more disks the fastest speed. one or more
where the data disks fail, the
is equally array will fail.
distributed.
RAID 1 Disks that are Identical data Even if a single The slowest and In order to
mirrored is stored on disk fails, no smallest disk is recover, only
two or more data will be lost. the one that limits one drive is
hard disks. speed and size. required.
RAID 3 With As well as two Intuitive For numerous In the event of a
committed or more disks, sequential read simultaneous single drive
parity, stripes there is a parity and write commands, there failure, the
drive. operations at is a lack of entire system
high speeds performance. will be re-built
RAID 5 The use of On three or Infinite size and Parity reduces the In the event of a
distributed more drives, power with size of the array as single drive
parity on data is equally redundancy. a whole failure, the
striped disks distributed. entire system
There is a will be re-built
break in parity
between disks.
RAID mirroring It is possible to Larger and faster No parity. In a mirror set,
10 subset striped combine up to than RAID-1, only one drive
four drives into and with more may fail.
a pair of redundancy than
mirrors that are RAID-0,
striped. respectively.
Stripped array with the same fault tolerance as RAID 1 and ssegments that are RAID 1 arrays.
Striping RAID 1 segments allows for high I/O speeds. Excellent option for people contemplating

RAID 1, since it delivers decent write performance at a reasonable price. [ CITATION
Com21 \l 1033 ]
Table 2 Comparison of RAID Levels
Task 2.5 Encryption

Encryption is the process of encoding data in such a way that it is incomprehensible to anybody
who does not have access to it. Only authorized persons with a "key" may read or use data that
has been encrypted. That is, if the encryption mechanism is strong enough, data should be totally
safe from unwanted access. Encryption is a fundamental, but critical, aspect of data privacy and
security. Online, a lot of private information is exchanged, including financial data and Social
Security numbers, and it's critical to keep that data safe. To enable access to vital data, many
applications and websites rely on user passwords and password verification software. Apart from
knowing how to establish a safe password, customers have few options for encrypting their
passwords besides utilizing a password manager, which must utilize high-quality encryption to
protect what is effectively a gold mine of information. Businesses and government agencies with
consumer and employee data must utilize AES encryption, as well as other tools and procedures
like two-factor authentication, to guarantee that only authorized individuals have access to this
information. Organizations should do everything possible to secure their customers' personal
information online.[ CITATION Ana191 \l 1033 ]
Caesar Cipher
Ciphers such as the Caesar Cipher are among the earliest and simplest encryption techniques
available. What we have here is an algorithm that replaces each letter of the text with one from
the alphabet at a specific number of positions along the alphabet. With a shift of one, for
example, A would be replaced by B, B by C, and so on. Julius Caesar is said to have called the
technique after himself, as he used it to communicate with his officials. To encrypt a given text,
we require an integer value called shift, which specifies how far down each letter of the text has
been shifted. The encryption may be expressed using modular arithmetic by converting the
letters to integers using the A = 0, B = 1,.. Z = 25 method. A letter can be encrypted using the
following mathematical formula:
C = (P + k) mod 26 C = Convert Text

P = Plain Text
k = Shift Value
A B C D E F G H I J K L M N O P Q R S T U V W X
Table 3 Key Table 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Shift 3 Value
C = (P + k) mod 26
C = (0 + 3) mod 26
C = 3 mod 26
C=3
So, the key table is rearrange as follows.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Plain Text Key - I H A V E A D O G N A M E D L A I L A
Convert Text – L K D Y H D G R J Q D P H G O D L O D

Shift 5 Value
C = (P + k) mod 26
C = (0 + 5) mod 26
C = 5 mod 26
C=5
So, the key table is rearrange as follows.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
Plain Text Key - I H A V E A D O G N A M E D L A I L A
Convert Text – N M F A J F I T L S F R J I Q F N Q F
Figure 22 Caesar Ciper Source Code

Task 2.6 Data Replication & Backup

Data Backup
Simply defined, a backup is a copy of computer data that is made and saved somewhere else so
that it may be recovered in the event of a data loss. A backup is essentially a duplicate of your
files, directories, programs, and unstructured data. Backup solutions cover a wide range of
technologies, even though we're all familiar with the word. Tapes, floppy disks, CDs, and USB
sticks, which were previously commonplace, have now become obsolete. Your backups are most
likely to be stored on a server, in the cloud, or a combination of the two these days. Which one
you select is determined on your specific requirements, which we'll discuss later. The most
important message here is that you need a backup plan that works for your company, especially
in today's work-from-home environment.
Data Replication
Data replication is also defined in a straightforward manner. It's the process of storing data in
several locations or nodes, which is most likely a server, cloud, or hybrid storage solution.
Backups should be replicated to at least one distant server or cloud, as insurance against losing
data due to a successful ransomware or malware attack, or other data calamity. Hybrid backup
solutions take your security to the next level by duplicating your backups to a distant server as
well as the cloud.

Backup Replication
Compared to replication, it's a lot Inexpensive in comparison to Backup
Cost cheaper. Doesn't require a lot of Commercially available platforms and
personnel or infrastructure. solutions can minimize expenses.
An on-site disk, a virtual tape Investing in new business processes,
library, or an internet backup hiring more people as well as upgrading
Requirement
service are all options. the infrastructure.
s
The ability to save archived
material at will.
Compliant criteria and long-term Constant access to apps that are
Ideal for
data storage. mission-critical and customer-facing.
Simplicity of use Concentrate on catastrophe recovery.
Insularity in the face of possible Availability is high.
Benefits
dangers Resuming company activities as
Inexpensive. quickly as possible following a failure
It takes a long time to restore a Costly to keep up with (especially for
backup. long-term storage).
Shortcomings
The data recovery process is Data can be replicated by malicious
lengthy. software.
Table 4 Backup vs Replication
Task 2.7 Data Centers &

Virtualization
Data Centers
A data center is a location where many servers with a big service capacity are housed for the
purpose of hosting third-party people or corporate clients for the goal of making money. Server
redundancy, power redundancy, network redundancy, cooling system, disaster recovery, cooling
system availability for server performance, Internet redundancy, and 24/365 connectivity to
servers are all available in data centers. The virtualization of services by data centers has pushed
cloud computing architecture to the next level, meeting contemporary IT needs for client
redundancy, data redundancy, removing clients from client hardware maintenance, and balancing
server loads.

Database owners keep several databases in various geographic areas to guarantee that data is
available on host servers and servers in the case of a single data center failure or failure due to an
unanticipated reason, such as a natural catastrophe. To ensure this approach, data is converted
across various data centers. Through stored data clusters, data may be transferred between
various data centers. Syncing of clusters to guarantee that data is continually reversed between
many different data centers, data centers employ a variety of techniques.
Virtualization
The construction of a non-virtual virtual component that provides the necessary services as a
virtual component is referred to as virtualization. Virtualization creates virtual components on
physical resources using monitoring software. Supervisors split and use physical resources to
build a multi-virtual environment. Virtual machines are used for all activities and processes, and
data is saved to a single file. This allows you to backup and restore your data at any moment. It
even works when the virtual machine's data file is backed up or relocated from one location to
another. As a result, this approach is utilized to host customers in the head office and provide
backup as needed. Virtualization allows us to get the most out of our physical equipment while
lowering our capital and operational expenditures. Rather than having one advanced server for
each service, it is feasible to operate numerous virtual servers with various services.
Figure 23 Virtualization

Importance of Virtualization
Virtualization has been in use in datacenters for more than a decade. Virtualization is a method
of provisioning and sharing resources in datacenters that makes management easier.
Virtualization is used because it allows for the efficient use of resources. Consolidated resources
make it easier to satisfy corporate expectations. IT firms can better adapt to business demands
thanks to virtualization. For example, virtualization leverages a single asset to make it run as if it
were several assets in the case of servers or networks. Virtualization improves asset use and
efficiency, resulting in fewer physical assets. It is not a product, but rather a method for
managing servers, storage, and networks in IT businesses. Virtualization is an abstracted view of
underlying physical components in the case of storage or networks. Several physical disks are
merged in storage and displayed to servers and applications as a single big asset. The server and
application architectures are much simplified as a result. In the case of desktops, virtualization is
utilized to centralize data and application administration while lowering technical labor costs.
Because of its capacity to consolidate resources and manage diverse applications and systems,
virtualization is a popular topic in datacenters. Enterprise systems such as ERP, CRM, and sales
force automation may reap the most benefits from virtualization. Datacenters are designed to
improve service delivery, increase revenues, and lower the risk of new business ventures.
Separating data and workloads from physical infrastructure is done from a functional standpoint
in order to gain efficiency from a variety of perspectives. Companies strive to achieve long-term
company goals at a lower cost and without sacrificing business productivity. Virtualization
allows you to save a lot of money by allowing you to do more with the computer resources you
already have.

Task 03
Task 3.1 Risk Assessment
A security risk assessment finds, evaluates, and applies essential application security measures. It
also emphasizes the prevention of application security faults and vulnerabilities. An enterprise
may evaluate its application portfolio holistically from the standpoint of an attacker by
conducting a risk assessment. It assists managers in making well-informed decisions on resource
allocation, tools, and the implementation of security controls. As a result, completing an
evaluation is an important element of a company's risk management strategy. The depth of risk
assessment models is influenced by factors like as size, growth rate, resources, and asset
portfolio. When faced with financial or time restrictions, organizations might conduct generic
evaluations. Generalized evaluations, on the other hand, may not always include thorough
mappings of assets, related threats, recognized risks, effects, and mitigation mechanisms.

Benefits of Security Risk Assessment

 Identifies the vulnerabilities
o The risk assessment will assist you in identifying internal and external hazards
and threats to your system. This will assist the organization in understanding the
inadequacies and flaws in the security policies in place, as well as provide a list of
threats and dangers, allowing them to better understand how to enhance and raise
the risk assessment for security.
 Identifies the security requirements
o When you conduct an analysis and create a list of threats and hazards for your
organization based on a cyber risk assessment study, you will come across new
security needs that you must organize and keep track of in order to have stronger
and more secure policies for your company.
 Document Security
o When you operate a business, you have a lot of paperwork to deal with, such as
insurance papers, partner agreements, bank documents, organizational documents,
and so on. This type of document requires a good and safe security policy since it
can be used as evidence. This is how you'll take a step toward securing and
protecting your data and network.
 Educate Employees
o When you have a group of people working for you, you want to make sure they
are comfortable in their work environment and adhere to the culture you have
established. When you explain cyber security risk assessment to your employees
and show them the value of risk assessment, they will want to work on it for the
good of the company, and this is how they will learn about cyber security and be
more careful when new data is released. [ CITATION Ana19 \l 1033 ]

Drawbacks of Security Risk Assessment

 A lack of risk assessment and gap analysis on a regular basis
o A regular and thorough risk assessment is a prerequisite for identifying and
repairing security flaws. Risk assessments should be performed on a regular basis
to detect, prioritize, and address security flaws.
 Incomplete cybersecurity scope
o The cybersecurity scope must be established before risk assessments can be
carried out. Critical systems and data, for example, must be recognized, and the
cybersecurity scope must extend beyond information systems. Not all businesses
can easily list the systems and providers that handle various sorts of commercial
or personal information.
o Policies and procedures aren't well-documented or conveyed.
 Some businesses either don't have a comprehensive set of cybersecurity
policies and procedures that are aligned with best practices and worldwide
standards, or they don't update them frequently enough to keep up with
changing threats. Once these cybersecurity policies and procedures have
been written, they must be disseminated to all relevant parties in order for

everyone to work together to keep the systems and data safe.[ CITATION
Blo15 \l 1033 ]
Figure 24 Risk
Task 3.2 Steps of Risk Assessment ISO 27001

There are mainly seven steps. They are describe as follows.
Define your risk assessment methodology

There is no standard risk assessment process in ISO 27001. Instead, you should customize your
strategy to your company's demands. To do so, you'll need to go over a few things again. To
begin, consider the context of your organization. This includes your legal, regulatory, and
contractual duties, as well as your information security and business-wide objectives, as well as
the demands and expectations of your stakeholders. After that, you should examine the risk
criteria. This is a common method of assessing risks, which is generally done in terms of the
impact they will have and the chance of their occurring.
Compile a list of your information assets

Organizations can evaluate using either an asset-based approach or a scenario-based approach
under ISO 27001. Although each has advantages and disadvantages, we advocate using an asset-

based strategy since you can start from a pre-existing collection of information assets. This
comprises tangibles like intellectual property, as well as hard copies of information, electronic
files, portable media, mobile devices, and intangibles like hard copies of information.
Identify threats and vulnerabilities

After you've compiled your inventory of data assets, it's time to assess the risks that come with
them. When analyzing work-issued computers, for example, one of the hazards you'll point out is
the likelihood of their being stolen. Another possibility is that employees may utilize an
unsecured Internet connection in a public area, or that someone will view important information
on their screen.
Evaluate Risks
Some dangers are more serious than others, so you'll need to figure out which ones are the most
pressing at this point. Your risk criteria will come in helpful at this point. It serves as a tool for
comparing risks by providing a score to the chance of occurrence and the potential damage. You
receive a consistent and comparative evaluation of the hazards your organizations face by
analyzing the risks this manner. ISO 27001 does not specify how risks should be rated, whether
from high to low, 1 to 5, 1 to 100, or any other method. It doesn't matter as long as everyone in
charge of risk assessment takes the same approach.
Mitigate the Risks

Risks may be managed in four ways by businesses.
 Reduce the chance of the risk occurring and the harm it will cause by implementing
security controls.
 Accept that the risk falls within previously defined risk acceptance criteria or make
special actions to keep the risk.

 Change the factors that are producing the danger to avoid it.
 Share the risk with a partner who is better prepared to manage the risk, such as an
insurance company or a third party.
All risks must have an owner who approves any risk treatment plans and accepts the degree of
residual risk, according to ISO 27001. Risk treatment activities may be owned by someone other
than the asset owner.
Compile Risk Reports

The documentation procedure follows, which is required for auditing and certification purposes.
The most significant papers are the Risk Treatment Plan (RTP) and the Statement of
Applicability (SoA), which describe the risk treatment decisions you've made.
Review, Monitor & Audit

It's a requirement of ISO 27001 for your business to constantly examine the ISMS, update it, and
make improvements so it works as intended. Your organization's operating model and threat
environment will evolve over time, therefore the assessment procedure will need to be repeated
yearly. Take advantage of the chance to upgrade your ISMS. An alternative risk control method
or a different risk treatment option might be used in this case as well. [ CITATION Chl20 \l 1033
]

Figure 25 ISO 27001
Task 3.3 Steps of Risk Assessment ISO 30001

ISO 31000 is an international standard that offers concepts and recommendations for effective
risk management. It was issued in 2009. It offers a general approach to risk management that can
be adopted by any type of company and applied to many sorts of hazards. Standardizes risk
management conversations by establishing similar vocabulary and concepts. It contains
recommendations and concepts that might assist you in conducting a critical evaluation of your
company's risk management approach.
Risk Identification
Identifying the obstacles that may hinder us from accomplishing our goals.

Risk Analysis
Understanding the sources and causes of the identified risks; analyzing probability and
implications in light of current controls to determine the residual risk level.
Risk Evaluation
Evaluate if the residual risk is manageable, risk analysis findings are compared to risk criteria.
Risk Treatment
Changing the size and likelihood of both good and negative outcomes in order to produce a net
gain in benefit.
Establishing the Context

The scope of the risk management process, the organization's objectives, and the risk evaluation
criteria are all defined in this activity, which was not mentioned in previous risk management
process descriptions. There are both external and internal factors in the situation.
Monitoring & Review

This duty entails evaluating risk management performance against indicators that are assessed
for appropriateness on a regular basis. Errors in the risk management plan must be identified; the
risk management framework's efficacy must be evaluated in light of the external and internal
contexts. Communication & Consultation

This activity aids in understanding stakeholders' concerns and interests, as well as ensuring that
the risk management process is focused on the correct aspects and explaining the reasoning for
choices and risk treatment alternatives.[ CITATION Ano17 \l 1033 ]
Figure 26 ISO 30001
Task 3.4 Difference between IRM & ERM

Enterprise risk management is concerned with the planning, organizing, directing, and regulating
of operations inside a company. ERM functions as an audit of the organization. You examine
your strategic company objectives and then the information technology risks that they entail.
IRM is a collection of techniques and procedures that enhance decision-making and performance
by providing an integrated picture of how well an organization manages its specific set of risks.
It is supported by a risk-aware culture and supporting technology. IRM is concerned with how

you make risk-based decisions regarding integrating technology into essential business
operations.
ERM examines strategic business choices and the risks that your technology poses to those
decisions. A retail store, for example, may maintain a website that gives product information but
concentrates sales in their physical location. If they wish to broaden their reach and size, they
should start selling their items online as well. ERM entails examining the additional risks to the
company that occur as a result of the change, such as selecting a vendor, managing the vendor,
and new IT compliance needs.
IRM focuses on identifying and assessing the risks associated with your company's technology.
Immediate Risk Management refers to a study and assessment of the retailer's unique
technologies, such as ecommerce or tag management systems, that are connected to their website
for customers' tracking and payment, as well as how these new technologies influence their old
technologies. In this case, the online payment application might connect to an inventory app on a
warehouse employee's smartphone, posing Internet of Things security concerns. IRM is
responsible for integrating the technologies. [ CITATION Kar19 \l 1033 ]

Task 3.5 Risk Analysis, System Audit Conducting

Strategies and Methods
Auditing Techniques & Methods
Rapid Assurance
Rapid Assurance, which is designed to alleviate audit fatigue in processes with solid
documentation, entails executing all phases of a typical assurance engagement in a shorter time
period with only one week of fieldwork effort. Rapid Assurance is usually broken down into
three stages.
1. Auditor Planning & Research
a. Reviewing past audit work papers and public documentation, establishing the
work program, sending the request list, gaining view access to document
repositories, and testing are all part of auditor preparation and research.
2. On site Fieldwork
a. The auditor interviews customers, does testing, receives follow-up requests, has
"End of Day" status meetings, and presents draft results to customers in a "soft"
exit meeting while on-site fieldwork.
3. Finalizing & Report Writing
a. The completion of testing, the finalization of work documents and the report, and
the documentation of agreed-upon activities, owners, and target dates in the report
are all covered by final testing and report writing.

Project Assurance
The auditor examines the project team's governance, risk management, and control skills to
identify and manage project-related hazards in real time during a Project Assurance. They also
serve as a facilitator, encouraging risk and control discussions throughout the project.
Facilitated Self-Assessment
Working in workshops, a department can examine a process or function's management of risk as
well as internal controls and commit to improving them. Whoever actively recognizes an issue
will be more driven to fix it.
Maturity Models
A Maturity Models approach allows auditors and audit customers to assess the current
effectiveness of a process while also identifying the capabilities required to improve the process
to meet objectives, using standard maturity models such as the Capability Maturity Model
Integration or creating customized models.[ CITATION aud18 \l 1033 ]
Risk Analyzing Techniques & Methods
Fault Tree Analysis

Fault Tree Assessments is a tool that may be used for both qualitative and quantitative risk
analysis. It is mostly used to analyses large-scale, complex systems for dependability and safety.
It's also a good way to analyze dependability and safety through hardware, software, the
environment, and human factors. According to the tree structure, fault tree analysis draws a
range of failure possibilities in system failure analysis, from whole to part. The system of fault
tree analysis in tree form.

Event Tree Analysis

Another significant approach of risk analysis is event tree analysis, often known as decision tree
analysis. It is the occurrences of a particular system, the study of which may result in a sequence
of results, and therefore the system's capability. Every element of the event tree events are the
application of specific functions of measures to prevent accidents, and all have binary outcomes,
and given an initial event, all potential methods and means of development are presented. While
the accident sequence group's event tree depicts the different incident causes.
Cause-Consequence Analysis
Fault tree analysis and event tree analysis are combined in cause and consequence analysis. It
employs cause and effect analysis, with the goal of identifying the chain of events that leads to
unexpected outcomes. Based on the probability of different events occurring from the CCA
diagram, the probability of different outcomes can be calculated, and the system's risk level can
be determined.
Preliminary Risk Analysis

Preliminary risk analysis, also known as hazard analysis, is a qualitative approach that entails a
systematic examination of the events that might turn a prospective danger into an accident. In
this method, potential negative occurrences are first discovered and then assessed independently.
Possible improvements or preventative actions are then proposed for each unpleasant occurrence
or danger. This technique serves as a foundation for establishing danger categories and the most
appropriate analytical methodologies. It has proven useful in the workplace, where actions
lacking in safety precautions may be quickly recognized.
UKEssays. November 2018. Methods of Risk Analysis and Management. [online]. Available
from: https://www.ukessays.com/essays/statistics/risk-analysis-methods.php?vref=1 [Accessed 3
September 2021].

Task 3.6 Importance of Disaster Recovery Plan

As well as a disaster recovery implementation plan, a business IT disaster recovery plan is a
written strategy and/or procedure that assists a company in establishing recovery operations in
the case of a disaster. A disaster recovery plan's goal is to thoroughly describe the steps that must
be followed before, during, and after a natural or man-made disaster so that everyone on the team
can follow them. A disaster recovery plan should include both deliberate and unintentional man-
made disasters, such as terrorist attacks and hacking, as well as unintentional disasters, such as
equipment failure.
 Increase the employee productivity
o A disaster recovery plan must be carried out by the appropriate personnel.

Effectiveness and productivity both rise when clear roles and duties are
established in advance. In certain cases, disaster recovery planning necessitates
the presence of at least two persons who are capable of doing the same activity. In
the long term, redundancies like this can be quite advantageous. When many
personnel are capable of completing a task, companies may have peace of mind
about the network's overall integrity.
 Greater Customer Retention
o Clients nowadays want nothing less than excellence and dependability. There is
no tolerance for faults or downtime. Clients will simply walk on to another
service provider if a company fails to satisfy their expectations. Businesses can
maintain a high level of service quality regardless of the conditions thanks to
disaster recovery planning. In the aftermath of an IT disaster, regaining an old
client may be virtually impossible a catastrophic impact that many organizations
have witnessed personally.
 A better understanding of scalability

o Identifying creative ideas is one of the most important aspects of disaster recovery
planning. Cloud-based data storage and backups, for example, make archive
management easier, improve backup efficacy, and lower the cost of disaster
recovery. Cloud solutions provide more flexibility than maintaining an onsite or
offshore data center since they are easily expandable. A switch may be
accomplished long before a crisis occurs, and the storage system used will adapt
as the company's technological demands change.
 Reduced restoration times and reduced RTO and RPO
o With a Disaster Recovery solution, you can be certain that your systems, services,
and applications will be restored in a timely manner, with considerably lower
RTO and RPO. You may dramatically decrease restoration timeframes based on
your demands utilizing the parameters established in the DR plan, which would
be impossible without the use of a Disaster Recovery solution.
 Predict an orderly restart of activities by developing simpler procedures of action to deal

with unforeseen scenarios
o Thanks to a thorough Disaster Recovery plan, any intervention in the event of an

emergency may be prepared ahead of time, allowing for a quick restoration that
can be monitored at all stages.[ CITATION Evo14 \l 1033 ]

Task 3.7 Effectiveness of IT Security Policies for

an Organization
To assure the success of their cyber security goals and efforts, most small and medium-sized
businesses lack well-designed IT security rules. The lack of a cyber security policy can be due to
a variety of factors, including a lack of resources to help with policy development, leadership
and management delayed adoption, or just a lack of understanding of the need of having an
efficient online security program in place. A cyber security policy establishes the rules and
procedures that must be followed by everyone who accesses and uses an organization's IT assets
and resources. These network security policies are intended to address security risks and execute
methods to reduce IT security vulnerabilities, as well as to define how to recover from a network
incursion. Employees are also given guidance on what they should and should not do as a result
of the policies. They also specify who has access to what and what the penalties are if the rules
are not followed.
Begin by examining your organization's present IT risks and network vulnerabilities as a first
step toward developing an IT security policy. Do they entail squandering of resources? Is there a
risk of private information being leaked? Regulatory compliance, for example. Having an outside
expert do a vulnerability assessment for your business is an excellent approach to identify your
threats. Internally, this may be accomplished through a combination of monitoring and reporting
technologies as well as talks with important members of each department.
Why recreate the wheel when you can benefit from the experiences of others in your field?
There's a good chance that other companies have previously gone down this road and created IT
security rules. If you work for a nonprofit or an association, the ASAE and NTEN networks are
excellent places to connect with others in your field. There are many resources accessible online
for commercial companies that give information, recommendations, and even templates. For
industry resources, NIST provides excellent materials such as their Cyber Security Framework.
More technical tools and best practices, such as the CIS Controls, are available from the Center
for Internet Security. These controls provide you a prioritized list of steps to take to safeguard
your company and data against known cyber-attacks. Finally, SANS is an excellent resource for
security research, training, and other services.

There may be minimal requirements that you must apply to protect the privacy of your network
and the integrity of your data, depending on the sorts of data you manage, your organization's
location and jurisdiction, and the industry you operate in. This is especially true for businesses
that store sensitive personal information like credit card and social security numbers.
Provide a series of in-person employee training sessions, either in an all-hands style or by each
department, prior to implementing new security rules. This will provide employees the chance to
understand what the rules are, why they are being adopted, and what the cyber security program's
consequences are for the company. This will also give them ample time before the policies go
into effect to absorb everything and ask any questions or address any issues they may have.
Ensure that all workers have reviewed and signed the new network security policies prior to the
effective date when it comes time to implement them. In addition, make sure that these rules are
signed as part of the new recruit onboarding process. Finally, devise a mechanism for providing
yearly policy refreshers to all employees. This would assist guarantee compliance while also
providing a chance to brief personnel on policy changes.
Your capacity to monitor compliance with security regulations is only as good as your ability to
enforce them. Make sure your IT department or vendor has the tools they need to correctly
monitor the network environment. Consider using monitoring software to keep an eye on
Internet/email content, installed apps, and illegal devices. An effective IT security program has
the necessary technologies in place to correctly monitor security setups.[ CITATION Pay21 \l
1033 ]

Task 04
Task 4.1 Organizational Policies
System Access Policies
Policies
1. Users should have a unique identifier (user ID) for their personal use only, and a suitable
authentication technique should be chosen to substantiate the claimed identify of a user.
Email addresses should not be used as user IDs.
2. Users should be authenticated, either by using user IDs and passwords or by a stronger
authentication mechanism such as proof of possession of private key, knowledge based
authentication solutions or by some other form of secret key solution.
3. Initial temporary passwords shall not be easily associated with the user’s personal
information and it should consists with minimum of 8 characters in length comprised of
letters, numbers, and special characters.
Role of Staff
All login credentials, tokes and rights are confidential and not transferable. Users must
immediately inform the service desk or IT security team on the information system and security
breach or of foul play with regard to IT systems. Users must not circumvent or attempt to
circumvent system protection features. Users shall not knowingly use any system to produce
system failure or degraded performance. Users shall not use computer resources for private
purposes, including but not limited to the use or computer resources for profit making or illegal
purposes.

Internet & Email Policies

Policies
1. Internet is intended to be used for business purposes. However limited personal use of
this facility shall be permitted whilst it does not interface with official work and
operations of the services.
2. The company may provide internet access to specific branches or locations on isolated
computers, which may not go through a filtering process and restrictions on accessing
sites. Therefore users must always abide by this document and any addendum to it when
using these facilities.
3. External Email facility will be only allowed to Executive level and above staff members
and levels below executive will be restricted to internet access with provision of external
incoming email facility.
4. The email system is not to use for the creation or distribution of any offensive messages
containing offensive comments about race, gender, age, sexual orientation, national
origin or disability.
Staff Role
Staff grades below Assistant Vice President should submit the request to It department through
the respective head of department with the approval from head or HR prior to granting the
facility. The management has the authority to determine what constitutes appropriate use and
may deny, revoke, suspend or terminate any employee’s internet access bases upon its
determination of inappropriate use. Users should exercise caution in using email to communicate
confidential or sensitive matters and are expected to conduct themselves professionally when
using company email system. Users shall refrain from copying emails containing sensitive
information to group of people other than intended recipients.

Internet Browsing Policies
Policies
1. Abusive, unethical or inappropriate use of internet is considered grounds for disciplinary,
legal and punitive action including termination or employment.
2. Users shall refrain from using public cloud storage services, file sharing and web mail
facilities through company IT infrastructure. The only internet based storage service can
be used by company employees to store official data is the G-suite service provided by
the company.
3. Employees shall not deviate from using web browsers other than company provided
browsers.
Staff Role
Employees should not use the internet to gambling, playing games, audio video streaming,
download and install any form of software without approval from IT department. Staff shall not
attempt to bypass the monitoring system by installing or using software that bypasses the internet
filtering system or through any other method. Users shall not install any personal devices such as
but not limited to wireless broadband modems to directly access the internet. Staff shall not use
the internet to make offers to sell or buy products from fraudulent websites or to advance any
type of financial scams and unregistered sales or securities.

Software Using Policies
Policies
1. Only software authorized by the company may be purchased, installed, or used on
company issued computers.
2. Personal software, or software that an employee has acquired for non-business purposes,
may not be installed on company issued computers. The only software that can be
installed on corporate computers is licensed software.
3. To purchase, install, and/or use only software that has been authorized for use on
company computers.
Staff Role
Users should obtain a proper documentation for all work-related software purchases. Users are
prohibited from reproducing or duplicating software in any form, except as permitted under the
licensing agreement between the firm and the software provider. A copy of the software license
must be provided to the department for completion of registration and inventory requirements.
Licenses must be registered in the name of company and not in the name of an individual end-
user.

Physical Access Policies

Policies
1. Only company staff and contractors that need access to IT facilities will be allowed access.
2. The Director of Information Technology Systems must approve the procedure of giving card
and/or key access to IT facilities. It is forbidden to share or lend access cards and/or keys with
others.
3. No longer needed access cards and/or keys must be surrendered to Public Safety.
Reassigning cards to another individual without going through the return process is not
permissible.
Staff Role
A facility's emergency protocols must be taught to anybody who is allowed access privileges,
and they must sign the necessary access and non-disclosure agreements. Sharing or lending
access cards and/or keys is strictly prohibited. Anyone who no longer need access cards and/or
keys to the information resources and technology facility must return them to them. To avoid the
return procedure, cards may not be transferred to another individual.

Third Party Access Policies

Policies
1. Third parties and their representatives must agree to and sign the Third Party Agreement
for any new connection requests with XXX. This agreement must be signed by both the
IT Manager and a third-party representative who is legally authorized to sign on behalf of
the third-party.
2. All contractual authorities that want to give a third party network resource access must
submit an Extranet connection request to the IT Manager, along with a "Third Party
Agreement" third party person, organization, or authorized designee.
3. All access modifications require a legitimate business rationale and are subject to security
assessment.
4. When a material change in the information provided by the third party person or
organization or the IT Manager occurs, the sponsoring contracting authority is
responsible for notifying the third party person or organization and the IT Manager so
that security and connectivity can be updated accordingly.
Staff Role
The company and designated staff are responsible for implementing this policy. The executive
steering committee and human resources fully endorse this policy. This policy is a dynamic
document that the IT manager, human resources, or the executive steering committee may
change at any moment. This policy is overseen by the Chief Information Officer, who has overall
accountability and authority. This policy's execution is the responsibility of the Business
Manager ICT. This policy, as well as the accompanying agreements, standards, and guidelines,
will be familiarized and followed by all third-party users of Council information assets.

Other Policies and Responsibilities

1. Do not accept any calls or massages from any unknown number. An attacker can
generate a fake spam call or a massage. If he send that spam to us and we accept it,
automatically the attacker gets the access your device.
2. Change your device password regularly. The password must be a strong one. It can be
consists with lowercase letters, upper case letters, symbols, and numbers. By adding these
things as a mixture, user can create a strong password for their device.
3. User can always update our firewall to the latest version. As a result, user able to
establish a powerful firewall for their devices in our organization.
4. User can use Wi-Fi Protected Access protocol to protect their passwords on the main
router of the organization.
5. User can use a Virtual Private Network and SSL certificates. It helps you to establish a
secure encrypted link between the web browser and the web server. Also, some VPN
services have the ability to disconnect the hardware from the main network, when the
secure connection is lost.
6. User can use a proxy server for the organization. When user connects to the websites
through this proxy server, user is using the IP address of the proxy server. So, our IP
address will hide.
7. User can implement an Active Directory to our organization network. Active Directory is
a solution for organizational level network security that is developed by the Microsoft
Corporation. This directory manage a database which is consist with the all users and
resources of the organization network. It means that database show what employees can
see, which resources can access by within the employee levels, what they can do….etc.
This directory is manage by an Administrator of the organization.
8. User can disable or turn off our unused port at the network. Also, they can established a
multifactor authentication to the system access. For example, when a user accessing a
system which contains sensitive data of the organization, the user must type 8 character
password and if the password is correct user must give a biometric authentication again,
such as fingerprint, eye scan, voice recognition…

Task 4.2 Need of Security Standards

Network Standards
Network standards are the rules that ensure the interconnection of networking technologies by
recognizing the rules of connection of the network devices published by network standards
institutes such as International Telecommunication Union (ITU), The American National
Standards Institute (ANSI), and Institute of Electrical and Electronic Engineers (IEEE). There
are different types of standards used in network layers in network architectures.
 Transport Layer – TCP, SPX
 Network Layer – IP, IPX
 Data Link Layer – Ethernet IEEE 802.3, X.25, Frame Relay
 Physical Layer – RS-232C, V.92
Also, there are two types of standards in networking.
1. De Facto = De Facto standards are the standards that are followed without any approval
by any standards organization.
2. De Jure = De Jure standards are the standards that are build up by any officially
recognized standards organization. Currently, the majority of communication standards in
use are de jure standards.
Importance of Network Standards

By defining uniform norms that can be universally understood and implemented, standards serve
as the foundation for product development. This aids in product compatibility and

interoperability, as well as simplifying product development and shortening time-to-market. It's
also easy to comprehend and compare rival items because to standards. Standards are fuelling
international trade since they are internationally adopted and used in various places. A standard,
for example, gives precise information to manufacturers that saves them time and money when
producing goods. They don't have to build that framework from the ground up, troubleshoot and
improve it, or persuade other manufacturers to use it. They are both joining and utilizing an
ecosystem of like-minded firms and other organizations by adopting a standard. Meanwhile,
consumers and companies are considerably more inclined to purchase items if they are
convinced that they will perform as promised. They may also mix and match items from various
manufacturers thanks to standards-based interoperability. It's also easy to comprehend and
compare rival items because to standards. Standards are fueling international trade since they are
internationally adopted and used in various places.[ CITATION IEE21 \l 1033 ]
Task 4.3 Disaster Recovery Plan

1. Create a Contingency Statement

Begin by formalizing a set of rules or standards that allows for the development
and implementation of a DRP in your company. This is the DRP's mission
statement, which establishes the DRP's limits and requirements. It might be a
reflection of your corporate service-level agreement, which specifies that mission-
critical components will be redundant to a particular degree within a specific
length of time.
2. Conduct a Detailed Business Impact Analysis

Your mission-critical IT applications and components are identified and
prioritized using the BIA. Documenting these components in a layered way
should be a joint effort by the infrastructure, web, and product management
teams. In terms of the value your company has on keeping and securing sensitive
customer data, personal data should be discussed as well. Business owners
articulating the largest revenue losses, application owners demonstrating how
apps would behave during a shutdown, and operations and infrastructure team
members who would be responsible for executing the DRP are all contributing to
the BIA's collaborative effort.
3. Draft the Contingency Plan

The contingency plan specifies "who does what," designating people who are in
charge of carrying out the different DR procedures.

4. Outline the Control Measures

Infrastructure as Code (IaC) techniques for network infrastructure, application,
and data layers must be established for utilizing the secondary production
environment to have a successful and achievable DRP. Cloud formation templates
for Amazon AWS and ARM (Azure Resource Management) templates for
Microsoft Azure both transform infrastructure into software that can be versioned
and backed up. Google Cloud's IaC solution is still being tested.
5. Implement Testing and Training

If a DRP isn't tested and true, it's a waste of time. Quarterly or biannually, review
and, if feasible, test all stages in the DRP to ensure the failover process is fail-
safe. Senior management and every staff must be taught on their respective parts
of the DR procedures to guarantee that they fully comprehend how to carry them
out. You can run the tests in your development environment if it is similar in
scope to your production environment. Keep in mind that the demands of a certain
department within your company may vary over time, and frequent testing can
assist in identifying those needs. Following each testing phase, these
modifications should be taken into account.
6. Plan for Maintenance

To stay current with system upgrades, the maintenance plan should be a living
document that is updated on a regular basis. Any time routine testing is
conducted, this document should be updated. Keep in mind that AWS and Azure
are constantly releasing new capabilities that may have an influence on your DRP
and may help to automate some functions that presently require manual attention.
As part of their DR strategy, businesses must have a defined backup and
restoration mechanism in addition to the DRP. It's amazing how many businesses
don't have a solid model in place. The model should be detailed in terms of the
data that is backed up, the procedure for restoring it if necessary, and how
frequently the process is checked.[ CITATION aim18 \l 1033 ]

Task 4.4 Effectiveness of Ethical Hacking

We've heard that major corporations and big systems have been hacked. A hacker recently
attacked the Uber website. As a result, the personal information of about 50 million people was
made public. Many large corporations, such as Google, Yahoo, Instagram, Facebook, and Uber,
employ hackers. Hackers attempt to get access to their systems. They reveal all the locations
where they identified the flaw after hacking the system so that the firm may repair it. Bug bounty
programs are also used by a lot of firms. In this program, all hackers from across the world
attempt to hack the company's website or web. The firm will give the hacker a prize if the hacker
discovers a flaw. In order to secure sensitive information from unauthorized access, ethical
hacking is employed to hack into computers. Protection against extortion by those seeking to
exploit a vulnerability. Ethical hacking can be used by a company or organization to discover
security flaws and threats. Government-sponsored hacking is used by governments to prevent
intelligence information on influencing politics, a hostile state, and other topics from reaching
the public. By avoiding cyber-terrorism and terrorist assaults, ethical hacking helps safeguard the
nation's safety. Before any assaults, hackers might think like an attacker and discover potential
entry points and patch them. Ethical hacking allows us to gain new abilities that may be used to a
variety of jobs, including software development, risk management, quality assurance testing, and
network defense. The fundamental strength of a firm is qualified ethical hackers. Ethical hackers
can do fast security tests under extreme and typical settings to guarantee that software operates
properly.[ CITATION Jav15 \l 1033 ]

References
aimconsulting, 2018. 6 Steps for Building Your Enterprise Disaster Recovery
Plan. [Online]
Available at: https://aimconsulting.com/insights/6-steps-for-building-your-
enterprise-disaster-recovery-plan/
[Accessed 04 September 2021].
Aminian, N., 2021. securityscorecard. [Online]

Available at: https://securityscorecard.com/blog/what-is-cybersecurity-risk-
factors-to-consider
[Accessed 26 August 2021].
Anastasia, 2019. spinbackup.com. [Online]

Available at: https://spinbackup.com/blog/what-is-data-encryption-and-
why-is-it-so-important/
Anonymous, 2017. risk-engineering. [Online]

Available at: https://risk-engineering.org/ISO-31000-risk-management/
auditboard, 2018. 5 Risk-Based Audit Approaches with Tips & Techniques

You Need. [Online]
Available at: https://www.auditboard.com/blog/5-Approaches-to-Risk-
Based-Auditing/
Biscoe, C., 2020. 7 steps to a successful ISO 27001 risk assessment.

itgovernance, 1(18-jun-2020), p. 2.
Blog, 2015. Shortcomings in Cybersecurity Risk Management. [Online]

Available at: https://identitymanagementinstitute.org/shortcomings-in-
cybersecurity-risk-management/
cloudflare, 2021. What is a DDoS attack?. [Online]

Available at: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-

attack/
D'mello, A., 2019. Five benefits of cyber security risk assessment. [Online]
Available at: https://www.iot-now.com/2019/07/08/97141-five-benefits-
cyber-security-risk-assessment/
Fan, Y., 2012. www.sciedu.ca. [Online]

Available at: file:///C:/Users/janidu/AppData/Local/Temp/812-2518-1-
SM.pdf
getanp, 2021. What is a technology audit and why does your business need
one?. [Online]
Available at: https://www.getanp.com/blog/45/what-is-a-technology-audit-
and-why-does-your-business-need-one.php
guru99., 2015. What is Security Testing? Types with Example. [Online]

Available at: https://www.guru99.com/what-is-security-testing.html#5
Hope, C., 2021. RAID. [Online]

Available at: https://www.computerhope.com/jargon/r/raid.htm
IP, E., 2014. evolveip.net. [Online]

Available at: https://www.evolveip.net/blog/4-benefits-disaster-recovery-
planning
JavaPoint, 2015. Importance of Ethical hacking. [Online]

Available at: https://www.javatpoint.com/importance-of-ethical-hacking
N-able, 2020. Seven Common Types of Security Breaches and How to

Prevent Them. [Online]
Available at: https://www.n-able.com/blog/types-of-security-breaches-and-
how-to-prevent-them

Payam Pourkhomami, 2021. osibeyond.. [Online]
Available at: https://www.osibeyond.com/blog/it-security-policies-every-
organization-must-have-them/
Risks, 5. M. C. N. S., 2020. essentialtech.com. [Online]

Available at: https://www.essentialtech.com.au/blog/5-most-common-
network-security-risks
SA, I. S. A. (., 2021. IEEE Standards Association (IEEE SA. [Online]

Available at: https://beyondstandards.ieee.org/what-are-standards-why-
are-they-important/
Sauce, E., 2015. Virtual Private Network (VPN) Security. [Online]

Available at: https://www.essaysauce.com/information-technology-
essays/virtual-private-network-vpn-security/
Sham, S., 2020. What Is Data Theft?. [Online]

Available at: https://www.okta.com/blog/2020/07/data-theft/
swetha_vazhakkat, 2020. geeksforgeeks. [Online]

Available at: https://www.geeksforgeeks.org/difference-between-threat-
and-attack/
techtarget, 2017. tailgating (piggybacking). [Online]

Available at: https://whatis.techtarget.com/definition/tailgating-
piggybacking
university, h., 2020. Risk Management & Audit Services. [Online]

Available at: https://rmas.fad.harvard.edu/faq/what-does-information-
systems-audit-entail
Walkowski, D., 2019. .f5.com. [Online]

Available at: https://www.f5.com/labs/articles/education/what-is-the-cia-

triad
Walsh, K., 2019. zeguro.com. [Online]

Available at: https://www.zeguro.com/blog/enterprise-risk-management-
versus-integrated-risk-management
Wikipedia, 2021. Information technology audit. [Online]

Available at: https://en.wikipedia.org/wiki/Information_technology_audit

Network Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Network Security

Uploaded by

Copyright:

Available Formats

Network Security Assignment

Higher National Certificate/Diploma in Computing

Unit Number and Title 05: Security

Unit Learning Outcomes

LO2 Describe IT Security solutions

Unit Learning Outcomes

1 HND-B08 B.H.K. Janindu Bhanuka

Student Assessment Submission and Declaration

B.H.K. Janindu Bhanuka Ms. Dharani Abeysinghe

01-Aug-2021 12-Sep-2021 12-Sep-2021

Programme: BTEC Pearson HND of Computing

Assignment number and title:

2 HND-B08 B.H.K. Janindu Bhanuka

Student signature: Janindu Bhanuka Date: 12-Sep-2021

Formative feedback : Student to assessor

Assessor Signature Date

3 HND-B08 B.H.K. Janindu Bhanuka

LO1 Assess risks to IT Security

Higher Grade achievements (where applicable)

4 HND-B08 B.H.K. Janindu Bhanuka

1. Define what is a security risk and state 4 examples. (P1)

3. Differentiate an attack and a threat. (P1)

Plain text : IHAVEADOGNAMEDLAILA

6. Differentiate in between data replication and backup. (P3)

5 HND-B08 B.H.K. Janindu Bhanuka

1. Write 3 organizational policies that can be assumed as measures of organisational

6 HND-B08 B.H.K. Janindu Bhanuka

System access a) Answer 1

Access to internet email .............

2. Discuss the need for security standards in business. (P7)

7 HND-B08 B.H.K. Janindu Bhanuka

P4 Show, using an example for

Table of The Contents

8 HND-B08 B.H.K. Janindu Bhanuka

9 HND-B08 B.H.K. Janindu Bhanuka

10 HND-B08 B.H.K. Janindu Bhanuka

11 HND-B08 B.H.K. Janindu Bhanuka

12 HND-B08 B.H.K. Janindu Bhanuka

13 HND-B08 B.H.K. Janindu Bhanuka

14 HND-B08 B.H.K. Janindu Bhanuka

Examples for the Security Risks

15 HND-B08 B.H.K. Janindu Bhanuka

Task 1.2 Tailgating, CIA Triad & DDOs Attack

Task 1.2.2 CIA Triad

Task 1.2.3 DDOs Attack

16 HND-B08 B.H.K. Janindu Bhanuka

Task 1.3 Difference between Attack & Threat

[ CITATION swe20 \l 1033 ]

17 HND-B08 B.H.K. Janindu Bhanuka

Task 1.4 Data Theft

Types of Data Thefts

 Taking advantage of a relationship you've already built with your consumer

Dos & DDOs Attacks

18 HND-B08 B.H.K. Janindu Bhanuka

Phishing & Spear Phishing

Cross Site Scripting Attack

19 HND-B08 B.H.K. Janindu Bhanuka

Reasons for The Data Theft

20 HND-B08 B.H.K. Janindu Bhanuka

 Protect access to your networks

21 HND-B08 B.H.K. Janindu Bhanuka

Task 1.5 Impact of the Threats & Risks for a

1. Information theft from a company

1. Customers are leaving.