Professional Documents
Culture Documents
ASSIGNMENT NUMBER: 2
1
2
Summative Feedback:
Summative Feedback:
Strengths:
The student knows how implement firewall policies, DMZ and NAT.
Weaknesses:
The current state of information security has not been explored much and there is a lack of new
methods in preventing threats.
The student should read instructions more carefully before starting her work.
Grade: Pass
Internal verification:
3
Assignment 2
Contents
Contents ......................................................................................................................................................... 4
Acknowledgement .......................................................................................................................................... 5
Introduction ................................................................................................................................................... 5
LO1. Assess risks to IT security. ........................................................................................................................ 6
1. Identify types of security risks EMC Cloud is subject to, in its present setup, and the impact, such issues
would create on the business itself. ........................................................................................................................ 6
2. Describe organisational security procedures................................................................................................... 8
3. Risk management process ............................................................................................................................... 9
4. Risk treatment related to scenario. ............................................................................................................... 10
LO2 Describe IT security solutions ................................................................................................................. 11
1. Potential impact to the organization when there is an improper firewall system and VPNs. ...................... 11
1.1: The firewall system. ................................................................................................................................... 11
1.2: Virtual private network (VPN)..................................................................................................................... 12
1.3: How improper firewalls and VPNs impact the EMC company? .................................................................. 13
2. How would benefit DMZ, Static IPs, and NAT? .............................................................................................. 14
2.1: DMZ (Demilitarized Zone) ........................................................................................................................... 14
2.2: Static IP ....................................................................................................................................................... 15
2.3 NAT (Network Address Translation)............................................................................................................ 15
2.4 How Static IPs, DMZ, NAT help the EMC company? .................................................................................... 16
3. Trusted Network system ................................................................................................................................ 17
4. Network Monitoring System .......................................................................................................................... 17
L03: Review mechanisms to control organizational IT security. ....................................................................... 18
1.Discuss risk assessment procedures ................................................................................................................... 18
2.Explain data protection processes and regulations as applicable to an organization. ....................................... 19
3. Summarization of ISO 31000 risk management law. ......................................................................................... 20
3.2 Summarization of ISO 31000: 2018 related to EMC company .................................................................... 20
3.3 ISO 31000: 2018 Risk Management ............................................................................................................. 21
4
3.4 Possible impacts to organizational security resulting from an IT security audit ......................................... 21
3.5 IT security Audit ........................................................................................................................................... 22
3.6 IT security Audits can identify the Vulnerable points and problem areas in the company ......................... 22
3.7 How IT security aligned with organization policy? ...................................................................................... 22
LO4 Manage organizational security .............................................................................................................. 23
1. Suitability of the tools used in the polices ......................................................................................................... 23
2. What is DRP? ...................................................................................................................................................... 23
2.1 Creating disaster recovery plan. .................................................................................................................. 24
3. Role of the stake holders related to the security of the company. ................................................................... 24
3.1 Who is a stake holder? ................................................................................................................................. 24
3.2 Role of a security stake holder related to the company. ............................................................................. 25
References.................................................................................................................................................... 26
TOP CLOUD SECURITY RISKS EVERY COMPANY FACES - WHIZLABS BLOG ....................................... 26
Acknowledgement
For this assignment, I had to take the help and direction of some persons, who deserve my deepest
gratitude. As the completion of this assignment gave me much pleasure, I would like to show my
gratitude Mrs. Thamali Dhishan Dammearachchi, Course Instructor, on CINEC Campus for giving me a
good guideline for assignment throughout many discussions. I would also like to expand my gratitude to
all those who have directly and indirectly guided me in writing this assignment.
Introduction
EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in VietNam. A
number of high profile businesses in VietNam including Esoft Metro Camps network, SME Bank
VietNam and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its
customers with SaaS, PaaS & IaaS solutions with high capacity compute and storage options. Also EMC
is a selected contractor for VietNam, The Ministry of Defense for hosting government and defense
systems.
5
EMC’s central data center facility is located at VietNam along with its corporate head-office in Hanoi.
Their premises at Hanoi is a six story building with the 1 st floor dedicated to sales and customer
services equipped with public wifi facility. Second- floor hosts HR, Finance and Training &
Development departments and the third-floor hosts boardroom and offices for senior executives
along with the IT and Data center department. Floor 4,5,6 hosts computer servers which make up the
data center.
With the rapid growth of information technology in Ho Chi Minh city(HCMC) in recent years, EMC
seeks opportunity to extend its services to HCMC, VietNam. As of yet, the organization still considers
the nature of such extension with what to implement, where is the suitable location and other
essential options such as security are actually being discussed.
You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-
related specifics of its present system and provide recommendations on security and reliability related
improvements of its present system as well as to plan the establishment of the extension on a solid
security foundation.
Assignment 2
1. Identify types of security risks EMC Cloud is subject to, in its present setup, and the impact,
such issues would create on the business itself.
Threat, vulnerability and risk are terms that are commonly mixed up. However, their
understanding is crucial for building effective cybersecurity policies and keeping your company
safe from various cyber attacks.
6
• Threat
A threat is any type of danger, which can damage or steal data, create a disruption or cause a
harm in general. Common examples of threats include malware, phishing, data breaches and
even rogue employees.
Threats are manifested by threat actors, who are either individuals or groups with various
backgrounds and motivations. Understanding threats is critical for building effective mitigations
and helps to make the right decisions in cybersecurity. Information about threats and threat
actors is called threat intelligence.
• Vulnerability
• Risk
Risk is a combination of the threat probability and the impact of a vulnerability. In other words,
risk is the probability of a threat agent successfully exploiting a vulnerability, which can also be
defined by the following formula:
7
Identifying all potential risks, analyzing their impact and evaluating appropriate response is
called risk management. It is a never-ending process, which constantly evaluates newly found
threats and vulnerabilities. Based on a chosen response, risks can be avoided, mitigated,
accepted, or transferred to a third-party.
Basically, the risk is defined as the external and internal vulnerabilities that occur negatively to the
business. When we talk about the EMC company there are various kinds of risks that can occur to the
company because there is no proper security system.
When we talk about the first risk in the list of risks, to reduce the physical damages that can
happen to the physical properties we can use a good security system but basically the best method
is to maintain a property damage claim procedure. This means when something unfortunately
8
happens to our property, we can claim our loss according to the loss we gain by using this property
damage claim procedure
As in the list of risk the second risk that the EMC company is facing to equipment mal function to
reduce it, we can implement a new procedure called regular inspection procedure by this we can
reduce regular equipment mal functioning when we starting to implement this procedure, we
have create an inspection schedule according to that we have inspect our equipment in a regular
basis then we can reduce equipment mal function
The third risk that EMC company is facing to data misuse to avoid that we create a new procedure
called Monitor user action procedure it is a one of the best ways to avoid the data mis use It is
very important to monitor actions of users working with sensitive information. Misuse of such
data can open organization to a very high damage control and huge loss of costs and even
potential lawsuits. Users with high privileges also pose additional threat. So, reducing data
misusing is very important to the EMC company
To reduce the loss of data risk we can create the backup of every data we are inputting to the
computers. By that we can reduce the risk of data loss. When a specific company reduce their risk
of data loss that company can enlarge its business area become that company can get ideas from
past situation that company has faced
9
management process helps identify which risks are the biggest threats to the organization
and out instructions for handling them.
To continue a company to a long type period we have to maintain our company in a good
manner. So, we have to protect our company from security breaches, data losses, cyber-
attacks, system failures and natural disasters. To manage those risks there is a risk
management process. Risk management process means monitoring and managing potential
risks in order to minimize the negative impact they may have on an organization. From the
security breaches, data losses, cyber-attacks, system failures and natural disasters the
effective risk management process will help identify which risks pose the biggest threat to an
organization and provide guidelines for handling them. To possess the risk management
process effectively there are three steps. They are
• Risk Assessment and Analysis – The primary step of the risk management process is called as
the risk assessment and analysis stage. A risk assessment assesses an organization
experience to uncertain events that could impact its day to day actions and estimates the
damage those events could have on an organization income and status.
• Risk Evaluation – After the risk assessment or analysis has been completed, a risk evaluation
should take place. A risk evaluation compares valued risk against the risk principles that the
organization has already recognized. Risk criteria can include associated cost and benefits,
socio economic factors, legal requirement and system malfunctions.
• Risk Treatment and Response – The last step in the risk management process is risk
treatment and response. Risk treatment is the Implementation of policies and procedures
that will help avoid or minimize risks. Risk treatment also extends to risk transfer and risk
financing.
10
user action procedure, creating backup procedures by using these kinds of strategies EMC
company can treat the risk and can overcome those risks
1. Potential impact to the organization when there is an improper firewall system and VPNs.
11
source port, and Layer 4 destination port. Thus, a packet filter makes decisions based on
the network layer and the transport layer.
Proxy Servers: A proxy service is an application that redirects users’ requests to the real
services based on an organization’s security policy. All message between a user and the
actual server occurs through the proxy server. Thus, a proxy server performs as a
communications broker between clients and the real application servers. Because it
performs as a checkpoint where requests are validated against specific applications, a
proxy server is usually processing intensive and can become a bottleneck under heavy
traffic conditions
Application Gateways: An application gateway is a proxy server that offers access control
at the application layer. It performs as an application-layer gateway between the protected
network and the untrusted network. Because it works at the application layer, it is talented
to examine traffic in detail and, therefore, is considered the most secure type of firewall.
It can stop certain applications, such as FTP, from incoming the protected network. It can
also log all network actions according to applications for both accounting and security audit
purposes.
12
- VPN policy is a set of rules that
includes how to use this secure tunnel
so it’s easy to handle this tunnel. This
is an application that is designed to
control web traffic from snooping,
interference, and censorship. And the
VPN policy has contained the types of
VPNs and VPN Architectures
- When we talk about the types of VPN there are various kinds types, they are:
Access VPNs provide remote users such as road warriors (or mobile users),
telecommuters, and branch offices with reliable access to corporate networks.
Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure
manner.
1.3: How improper firewalls and VPNs impact the EMC company?
• EMC is a well-reputed cloud solution provider. EMC cloud solution Company provides SAAS,
PAAS, LAAS to their customers. EMC company is doing transactions with external countries
when doing those transactions firewalls and VPNs are the two software that is very
important to install. Because when doing transactions through networks some unauthorized
accesses can be attacked to the network system, not only that some other private networks
also can attack the network system. When it gets attacked by other accesses, they can get
important information about EMC company, especially by the competitors. If the
competitors EMC company get the details about the company it’s a huge risk to the company
to prevent these kinds of risks the firewalls are very important to install. And if there are
improper firewalls also, we have to face these risks
• The other reason was the existence of improper VPNs it’s the other problem that arises
when doing online transactions because when we doing online transactions without using
proper VPNs sometimes there might have web traffic, snooping and interference by these
web traffics transaction can’t do properly it may buffer. From the improper VPNs the
reputation of the EMC company might get damaged because of that we have to install
proper VPNs
13
2. How would benefit DMZ, Static IPs, and NAT?
• A common DMZ meaning is a subnetwork that sits between the public internet and private
networks. It exposes external-facing services to untrusted networks and adds an extra layer
of security to protect the sensitive data stored on internal networks, using firewalls to filter
traffic.
• The end goal of a DMZ is to allow an organization to access untrusted networks, such as the
internet while ensuring its private network or LAN remains secure. Organizations typically
store external-facing services and resources, as well as servers for the Domain Name System
(DNS), File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web
servers, in the DMZ.
• These servers and resources are isolated and given limited access to the LAN to ensure they
can be accessed via the internet but the internal LAN cannot. As a result, a DMZ approach
makes it more difficult for a hacker to gain direct access to an organization’s data and
internal servers via the internet.
14
2.2: Static IP
• A static Internet Protocol (IP) address (static IP address) is a permanent number assigned to a
computer by an Internet service provider (ISP). IP addresses are useful for gaming services,
website hosting, or Voice over Internet Protocol (VoIP). Speed and reliability are key
advantages. According to a static address is constant, systems with static IP addresses are
vulnerable to data extraction and higher security risks.
Advantages of Static IPs :
▪ It’s good for creating Computer servers
▪ It makes it easier for geolocation
▪ It’s also better for dedicated services
▪ Disadvantages of static IPs
• Network Address Translation (NAT) is designed for IP address conservation. It enables private
IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a
router, usually connecting two networks together, and translates the private (not globally
unique) addresses in the internal network into legal addresses before packets are forwarded
to another network.
• As part of this capability, NAT can be configured to advertise only one address for the entire
network to the outside world. This provides additional security by effectively hiding the
15
entire internal network behind that address. NAT offers the dual functions of security and
address conservation and is typically implemented in remote-access environments.
• Internet needs that require Network Address Translation (NAT) are quite compound but
happen so quickly that the end-user hardly knows it has occurred. A workstation inside a
network makes a request to a computer on the internet. Routers within the network identify
that the request is not for a resource inside the network, so they send the request to the
firewall. The firewall sees the request from the computer with the internal IP. IT then makes
the same request to the internet using its own public address and returns the response from
the internet resource to the computer inside the private network. From the outlook of the
workstation, it appears that communication is direct with the site on the internet. When NAT
is used in this way, all users inside the private network access the internet have the same
public IP address when they use the internet.
2.4 How Static IPs, DMZ, NAT help the EMC company?
DMZ : This refers to host or another network system that exists as a secure and intermediate
network system, in other words we can define it as a path between two or more organizations
internal network and the external. When EMC company dealing with their clients some external
network system might be attacked to the EMCs network work system. To prevent these kinds of
attacks the EMC company can use DMZ network systems
Static Ips: It is a permanent number assigned to a computer through internet service provider.
Static IPs are useful to web hosting or voice over internet protocol (VOIP). The main advantage of
using static IPs is speed and reliability. So, when EMC company is doing transaction with external
countries it needs a fast internet connection for these kinds of activities the static IPs are highly
help full to the EMC company.
16
NAT: Network address translation is used to the limits the number of public IP address that EMC
company must use, for both economically and security purposes. When there is public IP address
the network system of the EMS company is used to reply to the requests that comes through
unknown IP address. To prevent these activities NAT is highly help full to the EMC company.
A Trusted Network is not always a secure network. In fact, in many cases the Trusted Network
cannot be trusted. The reason is that an internal network comprises many different networks.
These include new acquisitions, old acquisitions, international access points, and even several
access points to the outside world. A common practice is to define the Trusted Network as the
network that internal employees use when at the office or via a secure controlled dial-in
mechanism. A single access point is established to the outside world via a mechanism called
the Demilitarized Zone (DMZ) .
Network monitoring is a computer network's systematic effort to detect slow or failing network
mechanisms, such as overloaded or stopped/frozen servers, failing routers, failed switches or
other difficult devices. In the event of a network disappointment or similar outage, the network
monitoring system alerts the network administrator. Network monitoring is a subset of network
management.
17
Network monitoring is generally carried out through software applications and tools. Network
monitoring services are broadly used to detect whether a given Web server is operative and
connected properly to networks worldwide. Many servers that make this job provide a more
complete visualization of both the Internet and networks. And there many benefits in Network
monitoring system the main three benefits are
18
kinds of risks through looking at our workplace by identify the things, situation, process, etc.
That may Couse harm to the people. After we identify the risk to avoid this risk from the
organization when this determination is made, we can next decide what measures should be
there or in the organization to effectively eliminate or control the harm happening to the
organization.
Data protection is very useful things to do in an organization because in any organization or in big
companies there many useful data in it so when those data got leaked to their competitors the
organization or the company will get bank rapt for sure. These are some of the use full information that
reputed companies have
So, these kinds of information got leaked from the business or organization that may occur a huge risk to
that organization. So, there are many ways to protect these kinds of important data they are
As an owner in big organization Fixing of CCTV cameras is knowledgeable decision that taking by him
because use of CCTV cameras must comply with state criminal’s eave dropping status which require
posting signs where video monitoring is taking place and another useful that we get from the CCTV
cameras are when some stealers or robbers attacked to the organization, we can monitor it from the
cameras and we can take necessary decisions
Employee monitoring
This is also a method of data protection because some of the workers or employees may do Froud
activities to the company So as an owner we have to aware about that So frequently monitoring the
19
employees or workers is an important task to do. But there are limits to monitor the employees. Because
their privacy things that employee also protecting so monitoring of the employees is permitted where the
monitoring of
the employees make a clear disclosure regarding the type of the scope of the monitoring in which its
engaged
20
• By maintaining or following this ISO 31000: 2018 law the owner of the EMC company can
compare the risks, Threats that come towards the EMC company. In other words, the CEO of the
EMC company can compare the threats that he faced in the past with the new threats that come
towards. And another benefit the owner of the EMC company has was it can compare its risk
management practices with an internationally recognized Benchmark providing sound principles
for effective management and corporate governance. Another benefit It has was the Owner of
the EMC company can identify the risks before they effected to the company. From these
benefits, EMC company can move forward without any threats and risks. And the owner of the
EMC company can take decisions before there is a risk attack or threatened attack.
21
3.5 IT security Audit
• An IT security audit involves an IT specialist examining an organization’s existing IT infrastructure
to identify the strength of its current security arrangements and pinpoint any potential
vulnerabilities.
• IT security is very important to the EMC company because handling or maintain IT security audits
ensures the cyber defenses are up to date as they can be effectively detecting or giving response
to any kind of threats possess by the hackers and other criminals who manipulate IT systems for
their own ends. When the EMC company is dealing with external countries cyber defenses are
very important, if it fails, very dangerous hackers attacked the servers and take all the important
information but if the cyber defenses are up to date there is no risk.
3.6 IT security Audits can identify the Vulnerable points and problem areas in the company
• The special feature of IT security audits system has, it can identify the vulnerable points and
problem areas easily. The IT system is a vast one with several components including hardware,
software, data and procedures but the IT security system can find out the vulnerable areas
easily. From the IT security system, we can check weather our hardware or software tools are
configured properly and working properly. And security audits are retracing the security
incidents or the dangerous situation that company faced in the past from the previous that
might have exposed our security weak points. The other main thing that is done by the audit was
the focus on the carrying out tests in terms of network weaknesses, operating system, access
control and security applications
Security purposes aligned with the company’s goals and documented in company policies and
procedures. company policies and procedures are not just paperwork—they are the basis of a
strong security plan. Once the company policies and procedures have been advanced or updated
with the company staffs help, your organization’s security basis will be more current, sound and
in compliance.
22
• Cooperate with your organization to grow the strategies for successfully communicating
policies, standards and procedures for measuring good security practices and agreements
• Provide current management of the company policies, procedures and standards to
safeguard those documents are kept current and relevant
• Organizational design is measured in policy works as a forceful policy tool to put policy to action.
However, earlier research has not examined the project organization as an exact form of
organizational design and, hence, has not given much care to such organizations as a planned
choice when choosing policy tools.
• The purpose of the article is to examine the project as a policy tool; how do such impermanent
organizations function as a specific form of organization when public policy is applied? The article
is based on a framework of policy operation and is demonstrated with two welfare reforms in the
Swedish public sector, which were prepared and applied as project organizations. The case studies
and the examination show that it is vital that a project organization fits into the overall governance
structure when used as a policy tool. If not, the project will remain summarized and will not have
sufficient influence on the permanent organizational structure. The concept of encapsulation
indicates a need to defend the project from a potential hostile environment. The implication of
this is that organizational design as a policy tool is a matter that rates more attention in the
planned discussion on implementing public policies and on the suitability of using certain policy
tools.
2. What is DRP?
A disaster recovery plan (DRP) is a documented, structured method with commands for replying to
accidental incidents. This step-by-step plan consists of the defenses to minimize the effects of a disaster
so the organization can continue to operate or quickly restart mission-critical functions. Classically,
disaster recovery planning includes an analysis of business processes and continuity needs. Before making
a detailed plan, an organization often performs a business influence examination and risk analysis, and it
establishes the recovery time objective and recovery point objective. In other words, disaster recovery
23
plan mean Disaster recovery planning is just part of business steadiness planning and applied to aspects
of an organization that trust on an IT infrastructure to function.
The overall idea is to develop a plan that will allow the IT department to recover enough data and system
functionality to allow a business or organization to operate.
An organization can start its DRP plan with an instant of vital action steps and a list of important contacts,
so the most vital information is quickly and easily available. The plan should describe the roles and tasks
of disaster recovery team members and outline the criteria to launch the plan into action. The plan then
specifies, in detail, the incident response and recovery activities.
Definition of the term "stakeholder": "A person, group or organization that has attention or concern in an
organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies.
Some examples of key stakeholders are creditors, directors, employees, government (and its agencies),
owners (shareholders), suppliers, unions, and the community from which the company’s attractions its
resources. Not all stakeholders are equivalent. A company's customers are permitted to fair trading
practices but they are not allowed to the same consideration as the company's employees. The
stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or
unwillingly, to its wealth-creating volume and activities, and that are therefore its potential receivers and
or risk bearers.
• Primary Stakeholders – Usually interior stakeholders, are those that involve in financial dealings
with the business (for example stockholders, customers, suppliers, creditors, and employees).
• Secondary stake holders – Usually outside stakeholders, are those who although they do not
engage in direct financial conversation with the business – are affected by or can affect its
activities (for example the general public, communities, activist groups, business support groups,
and the media).
24
• Excluded stake holders – Those such as children or the unbiassed public, initially as they had no
financial impact on the company. Now as the concept takes an anthropocentric viewpoint, while
some groups like the general public may be documented as stakeholders’ others remain
excluded. Such a viewpoint does not give plants, animals or even geology a voice as
stakeholders, but only an active value in relation to human groups or individuals.
We can view Security’s customers from two viewpoints: the roles and tasks that they have, and the
security assistances they obtain. The roles and tasks aspect is vital because it controls how we should
interconnect to our various security customers, based on allowing and swaying them to perform their
roles in security, even if that role is a humble one, such as using an access card to gain admission to the
facility. It is also vital because fulfilling their roles and tasks as employees, managers, contractors or
partners is the way that security’s customers “pay for” the security that they obtain. If they do not see or
understand the value of security or are not joyful about how much they have to pay for it (i.e. how much
trouble they have to go through for security), they may select to bypass security, such as by following to
enter the ability.
While some individuals in our company or organization pay for security by assigning or approving security
project funding, the popular of individuals pay for security by fulfilling their roles and tasks, and that is
dangerous to establishing sound security throughout the organization or company. Due to the importance
of the roles that our workers play in security as well as the assistances security provides to them, we refer
to the security’s customers as stakeholders.
In last month’s column we started with making of a personal Lean Journal, and a first exercise of
identifying the security stakeholders. Why performs this exercise? There are many assistances for security
staff and majors as well as for security managers and directors who perform it. It helps to start with a
small group first and then enlarge out using the results of the first workout to refine your efforts. Begin
at the uppermost level of security and work down, such as the headquarters or local level for large
organizations, and security manager, staff, managers and officers at the site level. Here are some of the
benefits of this exercise:
25
• Transfers knowledge and insights from more experienced personnel.
• Shares knowledge between shifts and functions.
• Can reveal security value not immediately apparent to security personnel.
• Expands security personnel awareness of the value of their jobs.
• Increases sensitivity of security personnel to security stakeholders’ concerns.
• Provides a check on the effectiveness and scope of security personnel training.
• Helps to reinforce the common purpose and build camaraderie.
References
TOP CLOUD SECURITY RISKS EVERY COMPANY FACES - WHIZLABS BLOG
(Top Cloud Security Risks Every Company Faces - Whizlabs Blog, 2021)
Whizlabs Blog. 2021. Top Cloud Security Risks Every Company Faces - Whizlabs Blog. [online] Available at:
SearchERP. 2021. What is distribution requirements planning (DRP)? - Definition from WhatIs.com. [online]
26