
PROGRAM TITLE: BTEC Higher National Diploma in Computing

UNIT TITLE: Unit 05: Security

ASSIGNMENT NUMBER: 2

ASSIGNMENT NAME: EMC Cloud Solutions

SUBMISSION DATE: 01/05/2021

DATE RECEIVED: 11/05/2021

TUTORIAL LECTURER: Do Quang

WORD COUNT: 3480

STUDENT NAME: Hoang Thi Hien

STUDENT ID: BKC18306

MOBILE NUMBER: 0388334345

Summative Feedback:
Strengths:

The student understands types of security risk.

The student knows how to implement firewall policies, DMZ and NAT.

The student understands security risk assessment procedures.

Weaknesses:

The current state of information security has not been explored much and there is a lack of new
methods in preventing threats.

Recommendations for future works:

The student should read the instructions more carefully before starting her work.

She should find more trustworthy sources of information to do research on.

Grade: Pass

Assessor Signature: Do Van Quang

Internal verification:

Assignment 2

Contents

Contents
Acknowledgement
Introduction
LO1. Assess risks to IT security.
1. Identify types of security risks EMC Cloud is subject to, in its present setup, and the impact such issues would create on the business itself.
2. Describe organisational security procedures
3. Risk management process
4. Risk treatment related to scenario.
LO2 Describe IT security solutions
1. Potential impact to the organization when there is an improper firewall system and VPNs.
1.1: The firewall system.
1.2: Virtual private network (VPN)
1.3: How improper firewalls and VPNs impact the EMC company?
2. How would DMZ, Static IPs and NAT benefit the company?
2.1: DMZ (Demilitarized Zone)
2.2: Static IP
2.3 NAT (Network Address Translation)
2.4 How Static IPs, DMZ, NAT help the EMC company?
3. Trusted Network system
4. Network Monitoring System
LO3: Review mechanisms to control organizational IT security.
1. Discuss risk assessment procedures
2. Explain data protection processes and regulations as applicable to an organization.
3. Summarization of the ISO 31000 risk management standard.
3.2 Summarization of ISO 31000: 2018 related to EMC company
3.3 ISO 31000: 2018 Risk Management
3.4 Possible impacts to organizational security resulting from an IT security audit
3.5 IT security Audit
3.6 IT security Audits can identify the Vulnerable points and problem areas in the company
3.7 How IT security aligned with organization policy?
LO4 Manage organizational security
1. Suitability of the tools used in the policies
2. What is DRP?
2.1 Creating disaster recovery plan.
3. Role of the stakeholders related to the security of the company.
3.1 Who is a stakeholder?
3.2 Role of a security stakeholder related to the company.
References
TOP CLOUD SECURITY RISKS EVERY COMPANY FACES - WHIZLABS BLOG
ISO 31000 2018 RISK MANAGEMENT OUTLINE

Acknowledgement
For this assignment I had to take the help and direction of some persons, who deserve my deepest
gratitude. As the completion of this assignment gave me much pleasure, I would like to show my
gratitude to Mrs. Thamali Dhishan Dammearachchi, Course Instructor at CINEC Campus, for giving me
good guidance for the assignment throughout many discussions. I would also like to extend my gratitude to
all those who have directly and indirectly guided me in writing this assignment.

Introduction
EMC Cloud Solutions is reputed to be the most reliable cloud solution provider in Vietnam. A
number of high-profile businesses in Vietnam, including the Esoft Metro Camps network, SME Bank
VietNam and WEEFM, are served by EMC Cloud Solutions. EMC Cloud provides nearly 500
customers with SaaS, PaaS and IaaS solutions with high-capacity compute and storage options. EMC
is also a selected contractor for Vietnam's Ministry of Defense, hosting government and defense
systems.

EMC's central data center facility is located in Vietnam, together with its corporate head office in Hanoi.
The Hanoi premises are a six-story building: the first floor is dedicated to sales and customer
services and is equipped with a public Wi-Fi facility; the second floor hosts the HR, Finance and Training &
Development departments; the third floor hosts the boardroom and offices for senior executives
along with the IT and data center department; and floors 4, 5 and 6 house the computer servers that
make up the data center.

With the rapid growth of information technology in Ho Chi Minh City (HCMC) in recent years, EMC
is seeking the opportunity to extend its services to HCMC. As yet the organization is still considering
the nature of such an extension: what to implement, where a suitable location would be, and other
essential matters such as security are currently being discussed.

You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-
related specifics of its present system and to provide recommendations on security and reliability
improvements to the present system, as well as to plan the establishment of the extension on a solid
security foundation.


LO1. Assess risks to IT security.

1. Identify types of security risks EMC Cloud is subject to, in its present setup, and the impact
such issues would create on the business itself.

Threat, vulnerability and risk are terms that are commonly mixed up. However, understanding
them is crucial for building effective cybersecurity policies and keeping the company safe from
the various kinds of cyber attack.

• Threat

A threat is any type of danger that can damage or steal data, create a disruption or cause
harm in general. Common examples of threats include malware, phishing, data breaches and
even rogue employees.

Threats are carried out by threat actors, who are individuals or groups with various
backgrounds and motivations. Understanding threats is critical for building effective mitigations
and helps in making the right decisions in cybersecurity. Information about threats and threat
actors is called threat intelligence.

• Vulnerability

A vulnerability is a weakness in hardware, software, personnel or procedures which may be
exploited by threat actors in order to achieve their goals.

Vulnerabilities can be physical, such as a publicly exposed networking device; software-based,
like a buffer overflow vulnerability in a browser; or even human, such as an employee
susceptible to phishing attacks.

The process of discovering, reporting and fixing vulnerabilities is called vulnerability
management. A vulnerability that is discovered by attackers, or publicly disclosed, before the
vendor has a fix available is called a zero-day vulnerability.

• Risk

Risk combines the probability that a threat occurs with the impact of the vulnerability it would
exploit. In other words, risk is the probability of a threat agent successfully exploiting a
vulnerability, weighted by the damage that would do, which can be expressed with the following formula:

Risk = Threat Probability * Vulnerability Impact.

Identifying all potential risks, analyzing their impact and evaluating the appropriate response is
called risk management. It is a never-ending process that constantly evaluates newly found
threats and vulnerabilities. Depending on the chosen response, a risk can be avoided, mitigated,
accepted, or transferred to a third party.

Put simply, the risks are the internal and external vulnerabilities that can affect the business
negatively. In EMC's present setup there is no proper security system, so various kinds of risk can
occur to the company.

Some common risks:

• Physical damage: physical damage means damage to the company's physical property. EMC
lacks a physical security system, so the possibility of such damage is high. When a company
suffers physical damage it incurs a huge loss, because the property it depends on is damaged
and the company can no longer perform as it did before.
• Equipment malfunction: when computers and other electronic equipment have no antivirus
protection they become infected by viruses and gradually malfunction. Without such
protection, equipment malfunction is therefore also a risk to EMC.
• Misuse of data: misuse of data results from a missing security system, and it harms the
company badly: the value of its assets falls, and in some cases the company can even go
bankrupt. Misuse of data therefore affects the company severely.
• Loss of data: loss of data is a risk that affects the company when there is no security, for
example when people commit fraud against the business. Data loss is any process or event
that results in data being corrupted, deleted or otherwise made unreadable by the user.

2. Describe organisational security procedures.

• Property damage claim procedure

For the first risk in the list, physical damage to the company's property, the best protection is a
good physical security system, but the company should also maintain a property damage claim
procedure. This means that when something unfortunate happens to the property, the company
can claim compensation for the loss it has suffered (for example from its insurer) by following the
claim procedure.

• Regular inspection procedure

The second risk EMC faces is equipment malfunction. To reduce it, the company can implement a
regular inspection procedure: an inspection schedule is created, and the equipment is inspected
on a regular basis according to that schedule, so that faults are found and fixed before they cause
an outage.

• Monitor user action procedure

The third risk EMC faces is data misuse. To address it, the company can introduce a procedure for
monitoring user actions, which is one of the best ways to prevent data misuse. It is very important
to monitor the actions of users who work with sensitive information: misuse of such data can
expose the organization to very costly damage control and even to lawsuits. Users with high
privileges pose an additional threat, so reducing the opportunity for data misuse is very important
to EMC.

• Create backup procedures

To reduce the risk of data loss, the company can back up all the data entered into its systems.
This reduces the risk that data is lost for good. A company that has reduced its risk of data loss
can also grow its business with more confidence, because it keeps the records it needs to learn
from situations it has faced in the past.

3. Risk management process

• For long-term growth the company must be protected from security breaches, data loss,
natural disasters and similar events. Managing those risks requires a management process
called risk management. So what does the risk management process mean?
• The risk management process means monitoring and managing potential risks in order to
minimize the negative impact they may have on the organization. Whether the risks are
security breaches, data loss, network attacks, system failures or natural disasters, an effective
risk management process helps identify which risks are the biggest threats to the organization
and gives guidelines for handling them.

To keep a company running over the long term, it has to be maintained well and protected from
security breaches, data loss, cyber-attacks, system failures and natural disasters. Carrying out
the risk management process effectively involves three steps:

• Risk Assessment and Analysis – The first step of the risk management process is the risk
assessment and analysis stage. A risk assessment examines an organization's exposure to
uncertain events that could affect its day-to-day operations and estimates the damage those
events could do to the organization's income and reputation.
• Risk Evaluation – After the risk assessment and analysis have been completed, a risk
evaluation takes place. A risk evaluation compares the assessed risk against the risk criteria
the organization has already established. Risk criteria can include the associated costs and
benefits, socio-economic factors, legal requirements and system malfunctions.
• Risk Treatment and Response – The last step in the risk management process is risk
treatment and response. Risk treatment is the implementation of policies and procedures
that help avoid or minimize risks. Risk treatment also extends to risk transfer and risk
financing.

4. Risk treatment related to scenario.

When risks occur to the company, we have to minimize or avoid them, and to do so we have to
use certain strategies; the strategies used to avoid or reduce risks are known as risk treatments.
EMC is exposed to several risks: physical damage to the company's property, equipment
malfunction, misuse of data and loss of data. For these risks there are treatments and procedures
that can be implemented: the property damage claim procedure, the regular inspection
procedure, the monitor user action procedure and the backup procedures. By using these
strategies EMC can treat the risks and overcome them.
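The three steps of the risk management process (assess, evaluate, treat) applied to the four EMC risks and the procedures proposed for them, as an added example that is not part of the original assignment. The rating scales, the risk appetite of 8 and every rating are assumptions made for illustration; the point it shows is that treatment is followed by a re-assessment, and whatever is still above appetite goes into the next cycle of the process.

```python
"""Risk register for the EMC scenario, following the three steps above: assess
(score likelihood and impact), evaluate (compare with the risk criteria) and
treat (choose a response, then re-assess the residual risk). The scales, the
risk appetite and every rating are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scales (assumed): 1 = very low ... 5 = very high.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"avoid", "mitigate", "accept", "transfer"}
RISK_APPETITE = 8   # assumed criterion: a score above this is not acceptable


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    treatment: str = "untreated"
    controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        # The page's formula, Risk = Threat Probability * Vulnerability Impact, on ordinal scales.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Step 2, risk evaluation: compare the assessed score with the criteria."""
    return "within appetite" if risk.score() <= appetite else "needs treatment"


def treat(risk: Risk, treatment: str, control: str,
          likelihood: Optional[str] = None, impact: Optional[str] = None) -> Risk:
    """Step 3, risk treatment: record the response and the control, and return
    the residual risk. 'mitigate' lowers likelihood and/or impact; 'transfer'
    (insurance, a claim procedure) lowers the financial impact; 'avoid' stops
    the activity, so the residual likelihood is 'rare'; 'accept' changes nothing."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {treatment}")
    if treatment == "accept":
        likelihood, impact = None, None
    if treatment == "avoid":
        likelihood = "rare"
    return Risk(risk.name, likelihood or risk.likelihood, impact or risk.impact,
                treatment, risk.controls + [control])


def assess_emc() -> List[Risk]:
    """Step 1, risk assessment: the four risks named for EMC, with assumed ratings."""
    return [
        Risk("physical damage", "likely", "major"),
        Risk("equipment malfunction", "possible", "moderate"),
        Risk("misuse of data", "possible", "severe"),
        Risk("loss of data", "likely", "severe"),
    ]


def treat_emc(register: List[Risk]) -> List[Risk]:
    """Apply the procedures proposed above and return the residual register."""
    plan = {   # risk -> (treatment, control, residual likelihood, residual impact)
        "physical damage": ("transfer", "property damage claim procedure", None, "moderate"),
        "equipment malfunction": ("mitigate", "regular inspection procedure", "unlikely", None),
        "misuse of data": ("mitigate", "monitor user action procedure", "unlikely", None),
        "loss of data": ("mitigate", "backup procedure", None, "minor"),
    }
    return [treat(r, *plan[r.name]) for r in register]


def open_risks(register: List[Risk], appetite: int = RISK_APPETITE) -> List[str]:
    """Risks still above appetite, highest score first: the input to the next cycle."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [r.name for r in ranked if evaluate(r, appetite) == "needs treatment"]


if __name__ == "__main__":
    before = assess_emc()
    after = treat_emc(before)
    for b, a in zip(before, after):
        print(f"{b.name:22} {b.score():2} -> {a.score():2}  {a.treatment}: {a.controls[-1]}")
    print("still above appetite:", open_risks(after))
```

With these assumed ratings, one procedure each is not enough: physical damage (12) and misuse of data (10) are still above appetite after treatment, which is exactly why the page calls risk management a never-ending process rather than a one-off exercise.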

LO2 Describe IT security solutions

1. Potential impact to the organization when there is an improper firewall system and VPNs.

1.1: The firewall system.

• Many companies place firewalls in front of their servers because a firewall works like a
security system for protecting important information. A firewall is software, or a dedicated
appliance, that controls traffic between networks and blocks unauthorized access. If an
unauthorized user, or a host on another network, can reach the internal network, the company
is at risk because all of its internal information may be obtained. Most companies therefore
use firewall systems. A firewall increases the security of the computers connected to the
network, and it has many capabilities; the main one is that it enhances security by allowing
detailed control of what the network is permitted to do:
o Defend resources
o Validate access
o Manage and control network traffic
o Record and report on events
o Act as an intermediary
• The firewall policy
A firewall policy is the set of rules that states what traffic the firewall must allow and what it
must block, so that the firewall can be managed consistently. The rules control the flow of
Internet Protocol (IP) traffic. A firewall policy document also covers the type of firewall and the
firewall architecture in use. The main types of firewall are:
o Packet filters
o Proxy servers
o Application gateways
Packet filters: A packet filter is a firewall that checks each packet against user-defined filtering
rules to decide whether to pass or block it. For example, a filtering rule might require that all
Telnet requests be dropped; the firewall then blocks every packet whose header carries
destination port 23 (the default Telnet port). Filtering rules can be built on the source IP address,
destination IP address, Layer 4 (that is, TCP/UDP) source port and Layer 4 destination port, so a
packet filter makes its decisions at the network layer and the transport layer. A plain packet
filter is stateless: it does not remember which connections are open, so return traffic has to be
permitted explicitly, which is why most modern firewalls add connection tracking (stateful
inspection) on top of packet filtering.
Proxy servers: A proxy service is an application that forwards users' requests to the real
services according to the organization's security policy. All communication between a user and
the actual server passes through the proxy, so the proxy acts as a communications broker
between clients and the real application servers. Because it is a checkpoint where requests are
validated against specific applications, a proxy server is usually processing-intensive and can
become a bottleneck under heavy traffic.
Application gateways: An application gateway is a proxy server that offers access control at the
application layer. It acts as an application-layer gateway between the protected network and
the untrusted network. Because it works at the application layer it can examine traffic in detail,
and it is therefore considered the most secure type of firewall. It can stop particular
applications, such as FTP, from entering the protected network, and it can log all network
activity per application for both accounting and security audit purposes.

1.2: Virtual private network (VPN)

• A VPN is a secure tunnel between two or more devices that protects the traffic inside it from
snooping, interference and censorship. A VPN uses data encryption and other security
mechanisms to prevent unauthorized users from reading the data, and to ensure that the data
cannot be modified without detection as it flows across the Internet. It then uses tunneling to
transport the encrypted data across the Internet. Tunneling is a mechanism for encapsulating
one protocol in another. In the context of the Internet, tunneling allows protocols such as IPX,
AppleTalk and IP to be encrypted and then encapsulated in IP. In the context of VPNs,
tunneling disguises the original network-layer protocol by encrypting the packet and enclosing
the encrypted packet in an IP envelope. This IP envelope, which is an IP packet, can then be
transported securely across the Internet. At the receiving side the envelope is removed, and the
data it contains is decrypted and delivered to the appropriate access device, such as a router.
• The VPN policy
- A VPN policy is the set of rules that states who may use the secure tunnel and how, so that it
can be managed consistently and the traffic it carries is protected from snooping, interference
and censorship. The VPN policy also records the types of VPN and the VPN architectures in use.
- The main types of VPN are:
Access VPNs provide remote users such as road warriors (mobile users), telecommuters and
branch offices with reliable access to corporate networks.
Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure
manner.

1.3: How improper firewalls and VPNs impact the EMC company?
• EMC is a well-reputed cloud solution provider that delivers SaaS, PaaS and IaaS to its
customers. EMC also does business with customers in other countries, and for those
transactions a firewall and a VPN are two controls that are very important to put in place. When
transactions are made over networks, unauthorized users, and hosts on other networks, may
attack the network system. If they succeed, they can obtain important information about EMC,
and a competitor that gets hold of company details is a huge risk for the company. A properly
configured firewall is therefore essential; an improperly configured one, for example one that
exposes more services than the company actually needs to publish, leaves the company facing
the same risks as having none.
• The second problem is an improper VPN. Online transactions made without a proper VPN
cross the Internet in the clear, where they can be snooped on or interfered with, and an
overloaded or badly configured VPN can also make transactions slow or fail. Either way, the
reputation of EMC may be damaged, so a properly configured VPN has to be in place.

2. How would DMZ, Static IPs and NAT benefit the company?

2.1: DMZ (Demilitarized Zone)

• A demilitarized zone (DMZ) is a perimeter network that protects an organization's internal
local area network (LAN) from untrusted traffic.

• A DMZ is a subnetwork that sits between the public internet and the private networks. It
exposes external-facing services to untrusted networks and adds an extra layer of security to
protect the sensitive data stored on internal networks, using firewalls to filter traffic.

• The end goal of a DMZ is to allow an organization to use untrusted networks, such as the
internet, while ensuring that its private network or LAN remains secure. Organizations typically
place external-facing services and resources, such as Domain Name System (DNS), File Transfer
Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP) and web servers, in the DMZ.

• These servers and resources are isolated and given only limited access to the LAN, so that
they can be reached from the internet while the internal LAN cannot. As a result, a DMZ makes
it more difficult for an attacker to gain direct access to an organization's data and internal
servers via the internet.
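The packet filter described in section 1.1 and the DMZ described just above, put together as one added example that is not code from the assignment: ordered allow/deny rules on source address, destination address, protocol and destination port, with the Telnet drop from the text first and an implicit deny at the end, in front of a DMZ that holds the web, mail and DNS servers and is allowed to reach only the one internal database it needs. All addresses, zones, hosts and rules are assumptions (the DMZ uses the 192.0.2.0/24 documentation range). The filter is stateless, as the text describes; a real deployment would add connection tracking so that replies are matched to the connections that opened them.

```python
"""Stateless packet filter in front of a DMZ: ordered rules, first match wins,
implicit deny. Addresses, zones, hosts and rules are assumptions for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"           # documentation range standing in for EMC's public subnet
LAN = "10.0.0.0/8"
WEB, MAIL, DNS = "192.0.2.10/32", "192.0.2.25/32", "192.0.2.53/32"
DB, ADMINS = "10.0.3.20/32", "10.0.1.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


# Order matters: the first matching rule decides, so the Telnet drop comes first
# and the DMZ-to-LAN deny sits before any rule that could let DMZ hosts inward.
RULES = [
    Rule("deny",  INTERNET, INTERNET, "tcp", 23,   "drop all Telnet (port 23), the example from the text"),
    Rule("allow", INTERNET, WEB,      "tcp", 443,  "public HTTPS to the DMZ web server"),
    Rule("allow", INTERNET, MAIL,     "tcp", 25,   "inbound mail to the DMZ relay"),
    Rule("allow", INTERNET, DNS,      "udp", 53,   "public DNS in the DMZ"),
    Rule("allow", WEB,      DB,       "tcp", 5432, "web server to the database, and nothing else"),
    Rule("deny",  DMZ,      LAN,      "any", None, "a compromised DMZ host must not reach the LAN"),
    Rule("allow", ADMINS,   DMZ,      "tcp", 22,   "admin subnet manages DMZ hosts over SSH"),
    Rule("allow", LAN,      INTERNET, "tcp", 443,  "staff browse HTTPS sites"),
    Rule("allow", "203.0.113.0/24", WEB, "tcp", 443, "partner access to the web server"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for a packet; with no matching rule it is denied."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit deny: no rule matched"


def shadowed_rules(rules: List[Rule] = RULES) -> List[Tuple[int, int]]:
    """Audit check: pairs (i, j) where rule i can never fire because the earlier
    rule j already matches everything it would. Opposite actions mean a policy
    bug; the same action means a redundant rule, like the last one above."""
    return [(i, j) for i, r in enumerate(rules) for j in range(i) if rules[j].covers(r)]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # internet -> DMZ web: allow
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23),    # Telnet anywhere: deny
        Packet("198.51.100.7", "10.0.3.20", "tcp", 5432),   # internet -> database: implicit deny
        Packet("192.0.2.10", "10.0.3.20", "tcp", 5432),     # web -> database: allow
        Packet("192.0.2.10", "10.0.1.5", "tcp", 445),       # DMZ -> LAN workstation: deny
        Packet("10.0.5.9", "192.0.2.25", "tcp", 22),        # non-admin LAN host -> DMZ SSH: implicit deny
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport:<5} {filter_packet(p)}")
    print("shadowed rules (rule, shadowed by):", shadowed_rules())
```

shadowed_rules() is the check to run after every edit of a rule set: here it reports that the last rule is redundant because rule 2 already allows the same traffic, and the same check catches the dangerous case where a broad allow placed too early silently disables a later deny.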

2.2: Static IP
• A static Internet Protocol (IP) address is a fixed address assigned to a computer, by an
Internet service provider (ISP) for a public address or by the network administrator for an
internal one, that does not change over time. Static IP addresses are useful for gaming services,
website hosting and Voice over Internet Protocol (VoIP), where other hosts must be able to find
the machine at a known address; speed and reliability are key advantages. Because a static
address never changes, a system with a static IP is also a fixed, easily tracked target, so it
carries a higher security risk than a dynamically addressed one.
Advantages of static IPs:
▪ Good for computer servers
▪ Easier geolocation
▪ Better for dedicated services
▪ Preferred for hosting servers
Disadvantages of static IPs:
▪ A static IP address can be a security risk, because the host is always at the same address
▪ The process of setting a static IP is more complex

2.3 NAT (Network Address Translation)

• Network Address Translation (NAT) is designed for IP address conservation. It enables private
IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a
router, usually one connecting two networks together, and translates the private (not globally
unique) addresses of the internal network into legal addresses before packets are forwarded
to another network.
• As part of this capability, NAT can be configured to advertise only one address for the entire
network to the outside world. This provides some additional security by effectively hiding the
entire internal network behind that address. NAT thus offers the dual functions of security and
address conservation, and it is typically implemented in remote-access environments.
• The translations NAT performs are quite involved, but they happen so quickly that the end
user hardly knows they have occurred. A workstation inside a network makes a request to a
computer on the internet. Routers within the network recognize that the request is not for a
resource inside the network, so they send it to the firewall. The firewall sees the request coming
from the computer's internal IP address. It then makes the same request to the internet using
its own public address and returns the response from the internet resource to the computer
inside the private network. From the perspective of the workstation, it appears to be
communicating directly with the site on the internet. When NAT is used in this way, all users
inside the private network appear to have the same public IP address when they use the internet.

• Benefits of Network Address Translation (NAT)

o Reuse of private IP addresses
o Enhanced security for private networks by keeping internal addresses hidden from the
external network
o Connecting a large number of hosts to the global internet using a smaller number of
public (external) IP addresses, thereby conserving IP address space

The security benefit needs one caveat: NAT hides addresses and drops inbound packets that
match no translation entry, but it is not a substitute for a firewall policy. Inbound port forwards,
and any packet that matches an existing mapping, pass through NAT, so the firewall rules still
decide what is allowed.
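The translation table behind the walk-through above (workstation sends a request, the firewall re-sends it from its public address, the reply is mapped back to the workstation), as an added example that is not from the assignment. The public address, the private hosts and the port range are assumptions. It also shows the two behaviours that produce the security benefit: each outbound flow gets its own entry, and an inbound packet with no entry, or from a different remote host than the one the flow was opened to, is dropped.

```python
"""Source NAT (port address translation) as the text walks through it: internal
hosts share one public address, each outbound flow gets a translation entry,
replies are mapped back, and anything inbound without an entry is dropped.
The public address, the private hosts and the port range are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"    # the single address EMC advertises to the outside (assumed)
PORT_RANGE = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# A flow is identified by (private ip, private port, remote ip, remote port, proto).
Flow = Tuple[str, int, str, int, str]


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self._ports = iter(PORT_RANGE)
        self.outbound: Dict[Flow, int] = {}    # flow -> public port
        # (public port, remote ip, remote port, proto) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def translate_out(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the private network so it appears to come
        from the public address. A new flow is allocated the next free port;
        an existing flow keeps its entry, as the workstation's later packets must."""
        flow: Flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        if flow not in self.outbound:
            try:
                port = next(self._ports)
            except StopIteration:
                raise RuntimeError("NAT port pool exhausted") from None
            self.outbound[flow] = port
            self.inbound[(port, p.dst_ip, p.dst_port, p.proto)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.public_ip, src_port=self.outbound[flow])

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Map a packet arriving from the internet back to the private host that
        opened the flow. None means drop: either nobody inside started this
        conversation, or it comes from a different remote host than the one the
        flow was opened to. This is the 'hiding' the text credits to NAT; it is
        not a full firewall policy, which still has to be applied separately."""
        if p.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((p.dst_port, p.src_ip, p.src_port, p.proto))
        if inside is None:
            return None
        return replace(p, dst_ip=inside[0], dst_port=inside[1])


if __name__ == "__main__":
    nat = Nat()
    out1 = nat.translate_out(Packet("10.0.1.5", 51000, "198.51.100.7", 443))
    out2 = nat.translate_out(Packet("10.0.1.6", 51000, "198.51.100.7", 443))
    print("outbound:", out1, out2)          # same private port, distinct public ports
    print("reply:   ", nat.translate_in(Packet("198.51.100.7", 443, PUBLIC_IP, out1.src_port)))
    print("unsolicited:", nat.translate_in(Packet("198.51.100.99", 443, PUBLIC_IP, out1.src_port)))
```

A production NAT also expires idle entries and tracks TCP state; both are left out here so the mapping logic itself stays visible.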

2.4 How Static IPs, DMZ, NAT help the EMC company?

DMZ: A DMZ is a host or network segment that sits as a secure intermediate zone between the
organization's internal network and the external network; in other words, it is the controlled
path between them. When EMC deals with its clients, attacks from external networks may be
aimed at EMC's network. By placing its public-facing services in a DMZ, EMC can serve clients
from the internet while keeping those attacks away from the internal network and the data center.
Static IPs: A static IP is a fixed address assigned to a computer through the Internet service
provider. Static IPs are useful for web hosting and Voice over Internet Protocol (VoIP), and their
main advantages are speed and reliability. When EMC does transactions with customers in other
countries it needs a fast, reliable connection that those customers can always reach at the same
address, so static IPs are highly useful to EMC for its public-facing services.
NAT: Network address translation limits the number of public IP addresses EMC has to use, for
both economic and security reasons. If internal hosts had public IP addresses, EMC's network
would answer requests arriving from unknown addresses on the internet; with NAT, inbound
requests that do not belong to a connection started from inside have no translation entry and
are dropped, which is why NAT is highly useful to EMC.

3. Trusted Network system

A company's Trusted Network is the network it uses to conduct its internal business. In many
cases the Trusted Network is by default defined in the organization as 'secure'. The Trusted
Network typically supports the back-end systems, internal-only intranet web pages, data
processing, messaging and, in some cases, internal instant messaging. In many companies
systems on the Trusted Network are allowed to interact with each other directly, without
encryption. The problem with this definition is that it rests on many assumptions.

A Trusted Network is not always a secure network. In fact, in many cases the Trusted Network
cannot be trusted, because an internal network comprises many different networks: new
acquisitions, old acquisitions, international access points, and even several access points to the
outside world. A common practice is to define the Trusted Network as the network that internal
employees use when at the office or via a secure, controlled dial-in mechanism, with a single
access point to the outside world established via the Demilitarized Zone (DMZ).

4. Network Monitoring System

Network monitoring is a computer network's systematic effort to detect slow or failing network
mechanisms, such as overloaded or stopped/frozen servers, failing routers, failed switches or
other difficult devices. In the event of a network disappointment or similar outage, the network
monitoring system alerts the network administrator. Network monitoring is a subset of network
management.

17
Network monitoring is generally carried out through software applications and tools. Network
monitoring services are broadly used to detect whether a given Web server is operative and
connected properly to networks worldwide. Many servers that make this job provide a more
complete visualization of both the Internet and networks. And there many benefits in Network
monitoring system the main three benefits are

• Protecting your network against attackers – A network monitoring system is able to
identify suspicious traffic, thereby allowing owners to act fast. A network monitoring
service can provide a broad overview of an SMB's entire IT infrastructure, so that
nothing is overlooked. Today, exploits are more sophisticated and advanced, and are able to
target a system in a variety of ways. Monitoring antivirus and firewall solutions
separately may leave security gaps.
• Keeping informed without in-house staff – A network monitoring service will send
warnings and information to an SMB owner as issues arise. Otherwise, an SMB may need
either to attempt to monitor their network security themselves or to hire a full-time IT
employee, which could be very costly. Data breaches become more harmful and more
expensive the longer they go unnoticed.
• Optimizing and monitoring your network – Many small business owners are aiming
for rapid growth. This growth is not possible if parts of their IT infrastructure
are overloaded or slowed. Network monitoring services will map out the infrastructure
of a small business, showing an SMB owner areas for development and any issues that
currently need to be addressed.
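As an added example (not part of the original assignment), the following Python monitor implements the detection and alerting described above: it probes web servers over TCP, classifies each as up, slow or down, and alerts the administrator only when a host's state changes. The host names, port and latency threshold are constructed assumptions.

```python
# Added example: a minimal network monitor. It probes servers, classifies each
# as "up", "slow" or "down" against a latency threshold, and raises an alert
# only on a state change so the administrator is not flooded with repeats.
# Host names and thresholds below are constructed for illustration.
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Probe:
    host: str
    ok: bool                     # TCP connect succeeded
    latency_ms: Optional[float]  # None when the probe failed

def tcp_probe(host: str, port: int = 80, timeout: float = 2.0) -> Probe:
    """Measure TCP connect time to host:port; timeout or refusal means 'down'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return Probe(host, False, None)
    return Probe(host, True, (time.monotonic() - start) * 1000.0)

def classify(probe: Probe, slow_ms: float = 500.0) -> str:
    """Map one probe result onto the states the section describes."""
    if not probe.ok:
        return "down"   # stopped/frozen server or failed network path
    if probe.latency_ms is not None and probe.latency_ms > slow_ms:
        return "slow"   # overloaded server or congested link
    return "up"

@dataclass
class Monitor:
    slow_ms: float = 500.0
    state: Dict[str, str] = field(default_factory=dict)

    def evaluate(self, probes: List[Probe]) -> List[str]:
        """Return alert lines for hosts whose state changed since the last round."""
        alerts = []
        for p in probes:
            new = classify(p, self.slow_ms)
            old = self.state.get(p.host, "up")  # assume healthy until proven otherwise
            if new != old:
                alerts.append(f"ALERT {p.host}: {old} -> {new}")
            self.state[p.host] = new
        return alerts

def run_round(monitor: Monitor, hosts: List[str],
              probe_fn: Callable[[str], Probe] = tcp_probe) -> List[str]:
    """One monitoring round; probe_fn can be swapped for canned results offline."""
    return monitor.evaluate([probe_fn(h) for h in hosts])

if __name__ == "__main__":
    # Constructed probe results standing in for real network traffic.
    canned = {"web1.example": Probe("web1.example", True, 40.0),
              "web2.example": Probe("web2.example", True, 900.0),
              "web3.example": Probe("web3.example", False, None)}
    m = Monitor()
    for line in run_round(m, list(canned), lambda h: canned[h]):
        print(line)
```

Replacing the canned results with `tcp_probe` and a real host list turns this into a live check; the state table keeps a recovered host from alerting again until it changes state.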

LO3: Review mechanisms to control organizational IT security.

1. Discuss risk assessment procedures

• Risk means an adverse situation that we may face in the future. These risks may occur as a
result of human action. Most of the risks an organization faces arise from the faults of the
workers in the organization, so the owner of the organization should assess the risks.
• Risk assessment is the term used for the overall process of identifying the hazards and
risks that may occur to the company or organization, and of analysing and evaluating the risk
associated with each hazard. By identifying and analysing the risk we can determine the
appropriate way to control the risk when the hazard cannot be eliminated. We can identify certain
kinds of risk by looking at our workplace and identifying the things, situations, processes, etc.
that may cause harm to people. Once this determination is made, we can next decide what measures
should be in place in the organization to effectively eliminate or control the harm happening to the
organization.

2. Explain data protection processes and regulations as applicable to an organization.

Data protection is a very useful thing to do in an organization, because any organization or big
company holds a lot of valuable data, and if that data is leaked to competitors the
organization or company will go bankrupt for sure. These are some of the valuable kinds of information that
reputed companies hold:

• The types of customers they have
• The number of customers they have
• Banking information
• Information about their assets

If these kinds of information are leaked from the business or organization, that may pose a huge risk to
that organization. There are many ways to protect these kinds of important data; they include:

• Fixing CCTV cameras
• Employee monitoring system

Fixing of CCTV cameras

For the owner of a big organization, fixing CCTV cameras is an informed decision. The use of
CCTV cameras must comply with state criminal eavesdropping statutes, which require
posting signs where video monitoring is taking place. Another benefit we get from the CCTV
cameras is that when thieves or robbers attack the organization, we can monitor it from the
cameras and take the necessary decisions.

Employee monitoring

This is also a method of data protection, because some workers or employees may carry out fraudulent
activities against the company, so as an owner we have to be aware of that, and frequent monitoring of the
employees or workers is an important task. But there are limits to monitoring the employees, because
employees' privacy is also protected, so monitoring of the employees is permitted where the employer
makes a clear disclosure regarding the type and scope of the monitoring in which it is
engaged.

3. Summarization of ISO 31000 risk management law.

3.1 What is the law?
• To maintain operations, an organization or company needs to comply with regulations and
laws. So what is a law? Law means a certain kind of imperative set by the head of the
organization to minimize errors, frauds and related problems among employees working in the
organization.
• Implementing laws is a difficult task done by the CEO of the company, because he should
know how to implement suitable laws for the workers. When laws become too strict some employees
might not work properly, and when there are too few laws the workers might also not work properly.
To get the work done by the workers, the CEO must think from his own perspective, the company's
perspective and the employees' perspective; then he can run his organization or
company peacefully without mistakes, frauds and conflicts.
• Every CEO is looking to reduce the risks coming towards his organization; for that he should
implement laws and regulations continuously, but there are guidelines for implementing laws
against risks, and those guidelines are in ISO 31000:2018.

3.2 Summarization of ISO 31000:2018 related to EMC company

• ISO 31000:2018 consists of risk management guidelines, providing principles and a
framework to manage risks in the EMC company. When the CEO of the EMC company follows
the ISO 31000:2018 guidelines it is easy to manage the EMC company, because all the guidelines and
framework are in it. Any business, whether a small-scale or large-scale business or company, can use
ISO 31000:2018.
• Using ISO 31000:2018 can help the EMC company to increase the likelihood of
achieving its objectives, and to easily identify the strengths and weaknesses of the EMC company.
These things are involved in the vision and mission of the EMC company. However, ISO 31000:2018
cannot be used for certification purposes, but it provides guidance for internal and
external audit programmes.
• By following ISO 31000:2018 the owner of the EMC company can
compare the risks and threats that come towards the EMC company. In other words, the CEO of the
EMC company can compare the threats that he faced in the past with the new threats that come
towards it. Another benefit for the owner of the EMC company is that it can compare its risk
management practices with an internationally recognized benchmark providing sound principles
for effective management and corporate governance. A further benefit is that the owner of
the EMC company can identify the risks before they affect the company. With these
benefits, the EMC company can move forward without threats and risks, and the owner of the
EMC company can take decisions before a risk or threat materializes.

3.3 ISO 31000:2018 Risk Management

• If the EMC company is affected by risks, it can suffer consequences in terms of
economic performance and professional reputation, as well as environmental, safety and
social outcomes. If threats or risks affect the economic performance of the EMC
company it is a huge loss for the company, because customers will reject the company, the banks
that give loans to the company may reject it, and finally the employees who depend on the EMC
company are affected. After the economic performance, the professional reputation is affected. If
the EMC company is dealing or doing transactions with foreign countries, professional reputation is
highly important. If it is damaged due to threats or risk attacks, those countries also start to
reject the company. For these reasons, managing risks effectively helps the EMC company
to perform well in an environment full of uncertainty.

3.4 Possible impacts to organizational security resulting from an IT security audit

• In some companies there are security audits, which check whether
the security system is working properly. If there is no audit system to examine the
security system, it might also become compromised by the things and points above, so we can say that
IT security audits have a huge impact on the organization's security.

3.5 IT security Audit
• An IT security audit involves an IT specialist examining an organization's existing IT infrastructure
to identify the strength of its current security arrangements and pinpoint any potential
vulnerabilities.
• IT security audits are very important to the EMC company, because carrying out and maintaining them
ensures the cyber defences are up to date, so that they can effectively detect or respond
to any kind of threat posed by hackers and other criminals who manipulate IT systems for
their own ends. When the EMC company is dealing with external countries, cyber defences are
very important: if they fail, very dangerous hackers attack the servers and take all the important
information, but if the cyber defences are up to date there is no risk.

3.6 IT security audits can identify the vulnerable points and problem areas in the company

• The special feature of an IT security audit is that it can identify the vulnerable points and
problem areas easily. The IT system is a vast one with several components, including hardware,
software, data and procedures, but the security audit can find the vulnerable areas
easily. Through the audit we can check whether our hardware and software tools are
configured properly and working properly. Security audits also retrace the security
incidents or dangerous situations that the company faced in the past, which
might have exposed our security weak points. The other main thing done by the audit is
to carry out tests of network weaknesses, operating systems, access
control and security applications.

3.7 How is IT security aligned with organization policy?

Security objectives are aligned with the company's goals and documented in company policies and
procedures. Company policies and procedures are not just paperwork; they are the basis of a
strong security plan. Once the company policies and procedures have been developed or updated
with the help of company staff, the organization's security basis will be more current, sound and
in compliance.

The company's cybersecurity experts:

• Cooperate with the organization to develop strategies for successfully communicating
policies, standards and procedures, and for measuring good security practices and agreements
• Provide ongoing management of the company policies, procedures and standards to
ensure those documents are kept current and relevant

LO4 Manage organizational security

1. Suitability of the tools used in the policies

• Organizational design is considered in policy work as a powerful policy tool to put policy into action.
However, earlier research has not examined the project organization as a specific form of
organizational design and, hence, has not given much attention to such organizations as a deliberate
choice when choosing policy tools.
• The purpose of the article is to examine the project as a policy tool: how do such temporary
organizations function as a specific form of organization when public policy is implemented? The article
is based on a framework of policy implementation and is illustrated with two welfare reforms in the
Swedish public sector, which were prepared and implemented as project organizations. The case studies
and the analysis show that it is vital that a project organization fits into the overall governance
structure when used as a policy tool. If not, the project will remain encapsulated and will not have
sufficient influence on the permanent organizational structure. The concept of encapsulation
indicates a need to protect the project from a potentially hostile environment. The implication of
this is that organizational design as a policy tool is a matter that deserves more attention in the
scholarly discussion on implementing public policies and on the suitability of using certain policy
tools.

2. What is DRP?

A disaster recovery plan (DRP) is a documented, structured approach with instructions for responding to
unplanned incidents. This step-by-step plan consists of the precautions to minimize the effects of a disaster
so the organization can continue to operate or quickly resume mission-critical functions. Typically,
disaster recovery planning includes an analysis of business processes and continuity needs. Before making
a detailed plan, an organization often performs a business impact analysis and risk analysis, and it
establishes the recovery time objective (RTO) and recovery point objective (RPO). In other words, disaster
recovery planning is just part of business continuity planning and is applied to aspects
of an organization that depend on an IT infrastructure to function.

The overall idea is to develop a plan that will allow the IT department to recover enough data and system
functionality to allow the business or organization to operate.

2.1 Creating a disaster recovery plan.

An organization can start its DRP with a summary of vital action steps and a list of important contacts,
so the most vital information is quickly and easily available. The plan should describe the roles and
responsibilities of disaster recovery team members and outline the criteria to launch the plan into action.
The plan then specifies, in detail, the incident response and recovery activities.

3. Role of the stakeholders related to the security of the company.

3.1 Who is a stakeholder?

Definition of the term "stakeholder": a person, group or organization that has an interest or concern in an
organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies.
Some examples of key stakeholders are creditors, directors, employees, government (and its agencies),
owners (shareholders), suppliers, unions, and the community from which the company draws its
resources. Not all stakeholders are equal. A company's customers are entitled to fair trading
practices, but they are not entitled to the same consideration as the company's employees. The
stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or
unwillingly, to its wealth-creating capacity and activities, and that are therefore its potential beneficiaries
and/or risk bearers.

Types of Stakeholders

• Primary stakeholders – usually internal stakeholders, those that engage in financial dealings
with the business (for example stockholders, customers, suppliers, creditors and employees).
• Secondary stakeholders – usually external stakeholders, those who, although they do not
engage in direct financial exchange with the business, are affected by or can affect its
activities (for example the general public, communities, activist groups, business support groups
and the media).
• Excluded stakeholders – those such as children or the disinterested public, originally because they had no
financial impact on the company. Now, as the concept takes an anthropocentric viewpoint, while
some groups like the general public may be recognized as stakeholders, others remain
excluded. Such a viewpoint does not give plants, animals or even geology a voice as
stakeholders, but only an instrumental value in relation to human groups or individuals.

3.2 Role of a security stakeholder related to the company.

We can view security's customers from two viewpoints: the roles and responsibilities that they have, and the
security benefits they receive. The roles and responsibilities aspect is vital because it determines how we should
communicate with our various security customers, with a view to enabling and influencing them to perform their
roles in security, even if that role is a modest one, such as using an access card to gain entry to the
facility. It is also vital because fulfilling their roles and responsibilities as employees, managers, contractors or
partners is the way that security's customers "pay for" the security that they receive. If they do not see or
understand the value of security, or are not happy about how much they have to pay for it (i.e. how much
trouble they have to go through for security), they may choose to bypass security, such as by tailgating to
enter the facility.

While some individuals in our company or organization pay for security by assigning or approving security
project funding, the majority of individuals pay for security by fulfilling their roles and responsibilities, and that is
critical to establishing sound security throughout the organization or company. Due to the importance
of the roles that our workers play in security, as well as the benefits security provides to them, we refer
to security's customers as stakeholders.

Security Stakeholders Exercise

In last month's column we started with the creation of a personal Lean Journal and a first exercise of
identifying the security stakeholders. Why perform this exercise? There are many benefits for security
staff and supervisors, as well as for security managers and directors, who perform it. It helps to start with a
small group first and then expand using the results of the first exercise to refine your efforts. Begin
at the highest level of security and work down, such as the headquarters or regional level for large
organizations, and security manager, staff, supervisors and officers at the site level. Here are some of the
benefits of this exercise:

• Transfers knowledge and insights from more experienced personnel.
• Shares knowledge between shifts and functions.
• Can reveal security value not immediately apparent to security personnel.
• Expands security personnel awareness of the value of their jobs.
• Increases sensitivity of security personnel to security stakeholders’ concerns.
• Provides a check on the effectiveness and scope of security personnel training.
• Helps to reinforce the common purpose and build camaraderie.

