Professional Documents
Culture Documents
Strengths:
The student knows how implement firewall policies, DMZ and NAT.
Weaknesses:
The current state of information security has not been explored much and there is a lack of new
methods in preventing threats.
The student should read instructions more carefully before starting his work.
Grade: Pass
Internal verification:
Security Policies
Higher Nationals
Assignment Brief – BTEC (RQF)
Higher National Diploma in Computing
Academic Year
Unit Assessor
Issue Date
Submission Date
IV Name
Date
Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the Har-
vard referencing system. Please also provide an end list of references using the Harvard referencing system.
Unit Learning Outcomes:
EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in VietNam.
A number of high profile businesses in VietNam including Esoft Metro Camps network, SME Bank Viet-
Nam and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its custom-
ers with SaaS, PaaS & IaaS solutions with high capacity compute and storage options. Also EMC is a selec-
ted contractor for VietNam, The Ministry of Defense for hosting government and defense systems.
EMC’s central data center facility is located at VietNam along with its corporate head-office in Hanoi. Their
premises at Hanoi is a six story building with the 1st floor dedicated to sales and customer services equipped
with public wifi facility. Second-floor hosts HR, Finance and Training & Development departments and the
third-floor hosts boardroom and offices for senior executives along with the IT and Data center department.
Floor 4,5,6 hosts computer servers which make up the data center.
With the rapid growth of information technology in Ho Chi Minh city (HCMC) in recent years, EMC seeks
opportunity to extend its services to HCMC. As of yet, the organization still considers the nature of such ex-
tension with what to implement, where is the suitable location and other essential options such as security
are actually being discussed.
You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system and provide recommendations on security and reliability related improve-
ments of its present system as well as to plan the establishment of the extension on a solid security founda-
tion.
Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following
elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such is-
sues would create on the business itself. Explain, vulnerabilities, assets, risk – risk for the company
with impact to EMC
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed
in section (1.1) by assessing and treating the risks. – procedure for identified risks (name the proced-
ure and explain that)
*M - Risk management and treatment and explain risk management process.
Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which
are applicable to firewalls and VPN solutions. – Discuss how improper or incorrect firewall configura-
tions, improper or incorrect VPN connections, improper firewall or VPN policies will affect the security
(client) of the EMC.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ – explain with illustration and impact of this three technologies to EMC
ii) Static IP – explain with illustration and impact of this three technologies to EMC -Also DHCP
iii)NAT– explain with illustration and impact of this three technologies to EMC
How DMZ, NAT, Static IPs helps to a trusted network should be explained
Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself
and its clients. (Risk Assessment procedure attach to this section)
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solu-
tions provided by EMC Cloud. You may also highlight on ISO 31000 risk management methodology.
• Explain about data protection laws and regulations that can be related to EMC
• Explain about ISO 31000 standard
Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while
evaluating the suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure
maximum uptime for its customers (Student should produce a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes of time including justifications and reasons
for decisions and options used).
4.3 ‘Creditors, directors, employees, government and its agencies, owners /shareholders, suppliers, unions,
and the other parties the business draws its resources’ are the main branches of any organization. Discuss
the role of these groups to implement security audit recommendations for the organization.
Learning Outcomes and Assessment Criteria
LO3 Review mechanisms P5 Discuss risk assess- M3 Summarise the ISO D2 Consider how IT se-
to control organisational ment procedures. 31000 risk management curity can be aligned with
IT security methodology and its ap- organisational policy, de-
P6 Explain data protection plication in IT security. tailing the security impact
processes and regulations of any misalignment.
as applicable to an organ- M4 Discuss possible im-
isation. pacts to organisational se-
curity resulting from an IT
security audit
EMC’s central data center facility is located at VietNam along with its corporate head
office in Hanoi. Their premises at Hanoi is a six-story building with the 1st floor
dedicated to sales and customer services equipped with public wifi facility. Second-
floor hosts the HR, Finance, and Training & Development departments, and the third
floor hosts a boardroom and offices for senior executives along with the IT and Data
Center departments. Floor 4,5,6 hosts computer servers that make up the data center.
With the rapid growth of information technology in Ho Chi Minh City (HCMC) in
recent years, EMC seeks an opportunity to extend its services to HCMC. As of yet, the
organization still considers the nature of such extension with what to implement, where
are the suitable location and other essential options such as security are actually being
discussed.
According to the scenario, in the first task, I have mentioned the vulnerabilities, threats,
assets, and risks. I had to select the suitable security procedures which were required for
the company.
II. LO1. Assess risks to IT security.
1. Identify types of security risks EMC Cloud is subject to, in its present setup, and
the impact, such issues would create on the business itself.
- Vulnerabilities are the reasons that are helping to start risk. Vulnerability is a
function that all the company may face because many users and network personal
trying to protect their computer systems from vulnerabilities by keeping software
security patches up to date.
- Threats can be caused to the company from inside of the company and may be from
outside the company. Normally most of the threats are affected from outside the
company. Threats are potentials for vulnerability to turn into attacks on computer
systems, networks, and more. They can put individual’s computer systems and
business computers at risk.
- Risks are the dark situations that going to happen to that business in the near future.
Basically, the risks are defined as the external and internal vulnerabilities that occur
negatively.
Basically, the risk is defined as the external and internal vulnerabilities that occur
negatively to the business. When we talk about the EMC company there are various
kinds of risks that can occur to the company because there is no proper security system.
- Some common risks:
Physical damages: Physical damages are basically known as the damages that can
happen to physical properties. There is a loss of physical security system to the
EMC company because of that the possibility of happening security damages is
high to the company. When a company facing to physical damage it will Cost a
huge loss to the company because the properties that used by the company get
damaged after that the company can’t perform well as in the past.
Equipment malfunction: Equipment malfunction means when there are no virus
guards to the computers or any other electronics it’s get affected by viruses and it
gradually get malfunctioning so without any security, Equipment malfunction is
also a certain type of risk to the EMC company.
Loss of data: Loss of data is a part of risks that can be affected to the company.
When there is no security. Of the people may doing frauds to the business. This
data loss is any process or event that results in data being corrupted or deleted and
badly unreadable by the user.
2. Describe organisational security procedures.
- The EMC company needs to implement a variety of procedures in order to
minimize the risks faced previously by the procedures and policies. Procedures and
policies are the rules and regulations implemented by every company to its security,
avoid various types of fraud, etc. So, these procedures and policies should obey by
both employees and employers. And the other reason to implement rules and
regulations is to continue the business for the future.
- List of Security procedures:
Property damage claim procedure:
In order to reduce possible physical damage to property, we should use several
security systems. The best approach is to maintain an asset damage claim process.
We can claim damages using this property damage claim procedure.
Regular inspection procedure
To minimize the risk of equipment malfunction, we can do it by checking it
regularly. This way we can minimize frequent equipment failures at the beginning
of this process, we create a test schedule under which we have our equipment tested
on a regular basis to minimize trouble.
Create backup procedures
To reduce the loss of data risk we can create the backup of every data we are
inputting to the computers. By that we can reduce the risk of data loss.
Proxy Servers: A proxy service is an application that redirects users’ requests to the
real services based on an organization’s security policy. All message between a user
and the actual server occurs through the proxy server. Thus, a proxy server performs as
a communications broker between clients and the real application servers. Because it
performs as a checkpoint where requests are validated against specific applications, a
proxy server is usually processing intensive and can become a bottleneck under heavy
traffic conditions
- A common DMZ meaning is a subnetwork that sits between the public internet and
private networks. It exposes external-facing services to untrusted networks and adds
an extra layer of security to protect the sensitive data stored on internal networks,
using firewalls to filter traffic.
DMZ – This refers to host or another network system that exists as a secure and
intermediate network system, in other words we can define it as a path between two or
more organizations internal network and the external. When EMC company dealing with
their clients some external network system might be attacked to the EMCs network work
system. To prevent these kinds of attacks the EMC company can use DMZ network
systems
Static IPs – It is a permanent number assigned to a computer through internet service
provider. Static IPs are useful to web hosting or voice over internet protocol (VOIP). The
main advantage of using static IPs is speed and reliability. So, when EMC company is
doing transaction with external countries it needs a fast internet connection for these kinds
of activities the static IPs are highly help full to the EMC company.
NAT – Network address translation is used to the limits the number of public IP address
that EMC company must use, for both economically and security purposes. When there is
public IP address the network system of the EMS company is used to reply to the requests
that comes through unknown IP address. To prevent these activities NAT is highly help
full to the EMC company.
3. Trusted Network system
- A trusted network is a network of devices that are connected to each other, open
only to authorized users, and allows for only secure data to be transmitted.
Authentication: the network should require users to login so that only authenticated
users are allowed to use the network
Encryption: the data should be encrypted so that secure data cannot be intercepted and
transmitted to unauthorized users
Firewall: the computers and servers on the trusted network should include hardware
like a firewall, which is a software program or piece of hardware that helps screen for
security
Private Network: the computers and servers on the trusted network should be equipped
with software like virtual private network (VPN), which allows for remote work with
secure data transmission
4. Network Monitoring System
- Risk means a dark situation that we will face in the future. These risks may occur
due to the results of mankind. Most of the risks can happen to the organization due
to the faults of the workers in the organization so as an owner of the organization
the owner should assess the risks
- Risk assessment means the term used to the overall process for identity and analysis
the hazards and risk that going to occur to the company or organization, Analysis
and evaluate the risk associated with that hazard. So, by identifying and analyzing
the risk we have to determine the appropriate or control the risk when the hazards
cannot be eliminated. We can identify certain kinds of risks through looking at our
workplace by identify the things, situation, process, etc. That may Couse harm to
the people. After we identify the risk to avoid this risk from the organization when
this determination is made, we can next decide what measures should be there or in
the organization to effectively eliminate or control the harm happening to the
organization.
- Any company or organization has a lot of important data. So when that data is
leaked to a competitor, it is possible that the company or organization will
inevitably be attacked. So, data protection a must in every organization.
- These are some of the used full information that reputed companies have:
The type of customers they have
Number of customers they have
Banking information
Information about the assets
- So, these kinds of information got leaked from the business or organization that may
occur a huge risk to that organization. So, there are many ways to protect these
kinds of important data they are:
Fixing CCTV cameras
Employee monitoring system
3. Summarization of ISO 31000 risk management law.
- If the EMC company is affected by the risks the EMC company can have
consequences in terms of economic performance and professional reputation as well
as the environment safely and social outcomes. If the threats or risks get effected to
the economic performance of the EMC company it a huge loss for the company
because customers will reject the company and the banks who give loans to the
company may be rejected and finally, the employees who are dependent on the
EMC company get affected. After the economic performance, it gets affected the
professional reputation. If the EMC company is dealing or doing transactions with
foreign countries the professional reputation is highly important. If it gets damaged
due to the threats or risks attacks those countries also starting to reject the company.
Because of these reasons managing risks effectively helps the EMC company to
perform well in an environment full of uncertainty
- In some companies, there are security audits, which means this audit is there to
check whether the security system is working in a proper manner. If there is no
audit system to examine the security system also might get corrupted by the above
things and points, we can tell that there is a huge impact to the organization's
security from the IT security audits.
5. IT security Audit
6. IT security Audits can identify the Vulnerable points and problem areas in the
company
- The special feature of IT security audits system has, it can identify the vulnerable
points and problem areas easily. The IT system is a vast one with several
components including hardware, software, data and procedures but the IT security
system can find out the vulnerable areas easily. From the IT security system, we can
check weather our hardware or software tools are configured properly and working
properly. And security audits are retracing the security incidents or the dangerous
situation that company faced in the past from the previous that might have exposed
our security weak points. The other main thing that is done by the audit was the
focus on the carrying out tests in terms of network weaknesses, operating system,
access control and security applications
7. How IT security aligned with organization policy?
- Company policies and procedures are the basis of a strong security plan. Once the
company policies and procedures have been advanced or updated with the company
staff's help, your organization’s security basis will be more current, sound, and in
compliance.
- Security policy is a set of rules and procedures the employees have to follow
regarding the security of assets and resources of the organization
(Paloaltonetworks.com, 2019). Appropriate security policy allows maintaining tight
security within the organization. The purpose of a security policy is the
conservation of confidentiality, integrity, and availability of systems and
information used by an organization’s members.
- General
- Approved Staff
Systems Manager should present writing in advance with the consultation of IT staff in
forming and managing accounts which are both system and user.
Authorized persons are only allowed to access and maintain application systems,
network devices (routers, firewalls, servers and etc.), operating systems, and other
information objects.
The network manager must approve the creation of user and privilege accounts like
system administrator or security administrator.
After 60 days or less, if the user and privilege accounts are inactive, they will be
disabled.
- Creating passwords
Password should not include guessable words or personal data like birthdays,
phone numbers and etc.
- Login conditions
If the login credentials are repeated five times to login will be considered as
unauthorized access and the login portal will be locked for an hour or until the IT
staff resets the password.
All the user name and passwords related to user accounts and privilege accounts
should be changed in every 90 days period of time. If not, the portal will be
locked.
When an employee leaves the organization the IT staff must change the password
or disable the account.
- Firewalls
Unnecessary service and application should be prohibited using the firewall. The
organization should use 'hardened' systems for firewall platforms, or appliances.
Modifications to firewall rules must be recorded and the records must identify
the administrator performing the modification and when the modification
occurred.
Files and folders should be designated and confidential using password when
sharing on drives.
- Physical security
All the server rooms of the organization should be guarded with a security guard
and 24hour surveillance cameras should be used to monitor them.
Smart cards are used for the entry into server rooms and special access rooms.
All the smart cards should be renewed every year.
Finger print access is used when the staff enters to the organization.
IT resources, such as network servers and routers, often contain sensitive data about the
Organization's network infrastructures. When such assets are withdrawn, the following
guidelines must be followed:
Any asset tags or stickers that identify the organization must be removed before
discarding.
Electronic media (e.g., tapes, disk drives, multifunction devices, copiers, etc.)
will be destroyed by physical demolition.
- Disaster recovery plan is a plan which includes how to continue their organizational
processes even after a disastrous situation. Any organization has to face a disastrous
situation at a point of their business lifetime so to successfully face the situation the
organization should have a plan. Disasters can be natural disasters, technological
defects and human involvements. Disaster recovery plan should include following
details
If a system drop down or data loss how long the operations of the business will
have to be halted and how can we recover should be planned. This allows the
organization to be ready for any disaster condition.
Communication plan
Firstly, the auditor has to list out the assets of the organization which mostly
comprise of computer equipment, customer data and other important documents.
After listing the security parameters should be defined which allows to differentiate
assets into two sectors as assets which need audit and which do not. Because it is
not very reasonable to audit all assets.
Next the list of threats should be defined. Threats can be of negligent human errors,
malware and logical attack, password insecurities and natural disasters. Along with
considering the threats the auditor has to look for how these can affect the
organization’s performance.
Evaluate Existing Security Performance
Now the auditor must look into the present security structure and evaluate it. Here
the security structure must be tested with simulating conditions and check for loop
holes. It is better to allow an external company to do this task because the internal
staff can sometimes pretend that there’s no any issues.
In this step all the threats are ranked according to their priority. the risks with higher
threats are ranked in upper levels whereas minor threats are ranked in lower levels.
Also when ranking some factors like history of the organization, current trends in
security sector and rules and regulations should be considered.
Finally, after observation done in the previous steps the auditor can suggest and
formulate security measures. Such measures that can be taken are educating the
employees regarding the security threats the organization is facing and will face in
future, tighten passwords, provide access controls like fingerprint and smartcard,
email related protection, more improved backup plans and constant monitoring of
the network.
VI. References
https://www.fortinet.com/resources/cyberglossary/what-is-dmz
https://study.com/academy/lesson/trusted-network-solutions-environment-
technologies.html
https://www.manageengine.com/network-monitoring/basics-of-network-monitoring.html
https://cheekymunkey.co.uk/what-is-an-it-security-audit/
https://www.myassignmenthelp.net/sample-assignment/unit-5-security
https://www.urgenthomework.com/sample-homework/emc-cloud-solutions-unit-5-
security