Summative Feedback:

Strengths:

The student understands type of security risk.

The student knows how implement firewall policies, DMZ and NAT.

The student understands security risk assessment procedures.

Weaknesses:

The current state of information security has not been explored much and there is a lack of new
methods in preventing threats.

Recommendations for future works:

The student should read instructions more carefully before starting his work.

He should find more trustworthy sources information to do research on.

Grade: Pass

Assessor Signature: Do Van Quang

Internal verification:
Security Policies
Higher Nationals
Assignment Brief – BTEC (RQF)
Higher National Diploma in Computing

Student Name /ID Number

Unit Number and Title Unit 05: Security

Academic Year

Unit Assessor

Assignment Title Assignment 2 – EMC Cloud Solutions

Issue Date

Submission Date

IV Name

Date

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the Har-
vard referencing system. Please also provide an end list of references using the Harvard referencing system.
Unit Learning Outcomes:

LO1. Assess risks to IT security.

LO2. Describe IT security solutions…
LO3. Review mechanisms to control organisational IT security…
LO4. Manage organisational security
Assignment Brief and Guidance:

EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in VietNam.
A number of high profile businesses in VietNam including Esoft Metro Camps network, SME Bank Viet-
Nam and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its custom-
ers with SaaS, PaaS & IaaS solutions with high capacity compute and storage options. Also EMC is a selec-
ted contractor for VietNam, The Ministry of Defense for hosting government and defense systems.

EMC’s central data center facility is located at VietNam along with its corporate head-office in Hanoi. Their
premises at Hanoi is a six story building with the 1st floor dedicated to sales and customer services equipped
with public wifi facility. Second-floor hosts HR, Finance and Training & Development departments and the
third-floor hosts boardroom and offices for senior executives along with the IT and Data center department.
Floor 4,5,6 hosts computer servers which make up the data center.

With the rapid growth of information technology in Ho Chi Minh city (HCMC) in recent years, EMC seeks
opportunity to extend its services to HCMC. As of yet, the organization still considers the nature of such ex-
tension with what to implement, where is the suitable location and other essential options such as security
are actually being discussed.

You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system and provide recommendations on security and reliability related improve-
ments of its present system as well as to plan the establishment of the extension on a solid security founda-
tion.

Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following
elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such is-
sues would create on the business itself. Explain, vulnerabilities, assets, risk – risk for the company
with impact to EMC
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed
in section (1.1) by assessing and treating the risks. – procedure for identified risks (name the proced-
ure and explain that)
*M - Risk management and treatment and explain risk management process.

Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which
are applicable to firewalls and VPN solutions. – Discuss how improper or incorrect firewall configura-
tions, improper or incorrect VPN connections, improper firewall or VPN policies will affect the security
(client) of the EMC.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ – explain with illustration and impact of this three technologies to EMC
ii) Static IP – explain with illustration and impact of this three technologies to EMC -Also DHCP
iii)NAT– explain with illustration and impact of this three technologies to EMC
How DMZ, NAT, Static IPs helps to a trusted network should be explained

2.3 Discuss the benefits of implementing network monitoring systems.

* Explain about SNMP/Syslog/ NetFlow/ CDP/ Explain about tools use to network monitor.
* Benefits of network monitoring (three or more than that)

Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself
and its clients. (Risk Assessment procedure attach to this section)

3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solu-
tions provided by EMC Cloud. You may also highlight on ISO 31000 risk management methodology.
• Explain about data protection laws and regulations that can be related to EMC
• Explain about ISO 31000 standard

3.3 Comment on the topic, ‘IT Security & Organizational Policy’

Explain how IT security of the organization should be align to the organization policy. (Ex- password
policy/ email policy/ IT security policy etc.…)
 Discuss the impact of any misalignment.

Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while
evaluating the suitability of the tools used in an organizational policy.

4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure
maximum uptime for its customers (Student should produce a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes of time including justifications and reasons
for decisions and options used).

4.3 ‘Creditors, directors, employees, government and its agencies, owners /shareholders, suppliers, unions,
and the other parties the business draws its resources’ are the main branches of any organization. Discuss
the role of these groups to implement security audit recommendations for the organization.
 Learning Outcomes and Assessment Criteria

Learning Outcome Pass Merit Distinction

LO1 Assess risks to IT se- P1 Identify types of secur- M1 Propose a method to as-
curity ity risks to organisations. sess and treat IT security LO1 & 2
risks…
D1 Investigate how a
P2 Describe organisa-
‘trusted network’ may be
tional security procedures.
part of an IT security solu-
tion.

LO2 Describe IT security P3 Identify the potential M2 Discuss three benefits

solutions impact to IT security of to implement network
incorrect configuration of monitoring systems with
firewall policies and third- supporting reasons.
party VPNs.

P4 Show, using an ex-

ample for each, how im-
plementing a DMZ, static
IP and NAT in a network
can improve Network Se-
curity.

LO3 Review mechanisms P5 Discuss risk assess- M3 Summarise the ISO D2 Consider how IT se-
to control organisational ment procedures. 31000 risk management curity can be aligned with
IT security methodology and its ap- organisational policy, de-
P6 Explain data protection plication in IT security. tailing the security impact
processes and regulations of any misalignment.
as applicable to an organ- M4 Discuss possible im-
isation. pacts to organisational se-
curity resulting from an IT
security audit

LO4 Manage organisa- M5 Discuss the roles of D3 Evaluate the suitability

P7 Design and implement
tional security stakeholders in the organ- of the tools used in an or-
a security policy for an or-
isation to implement se- ganisational policy.
ganisation.
curity audit recommenda-
tions.
P8 List the main compon-
ents of an organisational
disaster recovery plan, jus-
tifying the reasons for in-
clusion
Contents
I. INTRODUCTION............................................................................................................................5
II. LO1. Assess risks to IT security.......................................................................................................6
1. Identify types of security risks EMC Cloud is subject to, in its present setup, and the impact,
such issues would create on the business itself.....................................................................................6
2. Describe organisational security procedures.................................................................................8
3. Risk management process.............................................................................................................8
III. LO2 Describe IT security solutions..............................................................................................9
1. Potential impact to the organization when there is an improper firewall system and VPNs.........9
1.1. The firewall system...............................................................................................................9
1.2. Virtual private network (VPN)............................................................................................11
1.3. How improper firewalls and VPNs impact the EMC company?.........................................12
2. How would benefit DMZ, Static IPs, and NAT?........................................................................10
2.1. DMZ (Demilitarized Zone).................................................................................................13
2.2. Static IP..............................................................................................................................14
2.3. NAT (Network Address Translation)..................................................................................15
3. Trusted Network system.............................................................................................................17
4. Network Monitoring System.......................................................................................................18
IV. LO3 Review mechanisms to control organizational IT security.................................................20
1. Discuss risk assessment procedures............................................................................................20
2. Explain data protection processes and regulations as applicable to an organization...................20
3. Summarization of ISO 31000 risk management law...................................................................21
3.1 What is the law?..................................................................................................................21
3.2 Summarization of ISO 31000: 2018 related to EMC company...........................................22
3.3 ISO 31000: 2018 Risk Management...................................................................................23
4. Possible impacts to organizational security resulting from an IT security audit.........................23
5. IT security Audit.........................................................................................................................24
6. IT security Audits can identify the Vulnerable points and problem areas in the company..........24
7. How IT security aligned with organization policy?....................................................................25
V. LO4 Manage organizational security..............................................................................................26
1. Suitability of the tools used in the polices...................................................................................26
1.1 SECURITY POLICY................................................................................................................27
2. Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure
maximum uptime for its customers.....................................................................................................28
VI. References..................................................................................................................................33
I. INTRODUCTION
- EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider
in VietNam.

A number of high-profile businesses in VietNam including Esoft Metro Camps

network, SME Bank VietNam, and WEEFM are facilitated by EMC Cloud Solutions.
EMC Cloud provides nearly 500 of its customers with SaaS, PaaS & IaaS solutions
with high capacity compute and storage options. Also, EMC is a selected contractor for
VietNam, The Ministry of Defense for hosting government and defense systems.

EMC’s central data center facility is located at VietNam along with its corporate head
office in Hanoi. Their premises at Hanoi is a six-story building with the 1st floor
dedicated to sales and customer services equipped with public wifi facility. Second-
floor hosts the HR, Finance, and Training & Development departments, and the third
floor hosts a boardroom and offices for senior executives along with the IT and Data
Center departments. Floor 4,5,6 hosts computer servers that make up the data center.

With the rapid growth of information technology in Ho Chi Minh City (HCMC) in
recent years, EMC seeks an opportunity to extend its services to HCMC. As of yet, the
organization still considers the nature of such extension with what to implement, where
are the suitable location and other essential options such as security are actually being
discussed.

According to the scenario, in the first task, I have mentioned the vulnerabilities, threats,
assets, and risks. I had to select the suitable security procedures which were required for
the company.
II. LO1. Assess risks to IT security.

1. Identify types of security risks EMC Cloud is subject to, in its present setup, and
the impact, such issues would create on the business itself.
- Vulnerabilities are the reasons that are helping to start risk. Vulnerability is a
function that all the company may face because many users and network personal
trying to protect their computer systems from vulnerabilities by keeping software
security patches up to date.
- Threats can be caused to the company from inside of the company and may be from
outside the company. Normally most of the threats are affected from outside the
company. Threats are potentials for vulnerability to turn into attacks on computer
systems, networks, and more. They can put individual’s computer systems and
business computers at risk.
- Risks are the dark situations that going to happen to that business in the near future.
Basically, the risks are defined as the external and internal vulnerabilities that occur
negatively.

Basically, the risk is defined as the external and internal vulnerabilities that occur
negatively to the business. When we talk about the EMC company there are various
kinds of risks that can occur to the company because there is no proper security system.
- Some common risks:
 Physical damages: Physical damages are basically known as the damages that can
happen to physical properties. There is a loss of physical security system to the
EMC company because of that the possibility of happening security damages is
high to the company. When a company facing to physical damage it will Cost a
huge loss to the company because the properties that used by the company get
damaged after that the company can’t perform well as in the past.
 Equipment malfunction: Equipment malfunction means when there are no virus
guards to the computers or any other electronics it’s get affected by viruses and it
gradually get malfunctioning so without any security, Equipment malfunction is
also a certain type of risk to the EMC company.
 Loss of data: Loss of data is a part of risks that can be affected to the company.
When there is no security. Of the people may doing frauds to the business. This
data loss is any process or event that results in data being corrupted or deleted and
badly unreadable by the user.
2. Describe organisational security procedures.
- The EMC company needs to implement a variety of procedures in order to
minimize the risks faced previously by the procedures and policies. Procedures and
policies are the rules and regulations implemented by every company to its security,
avoid various types of fraud, etc. So, these procedures and policies should obey by
both employees and employers. And the other reason to implement rules and
regulations is to continue the business for the future.
- List of Security procedures:
 Property damage claim procedure:
In order to reduce possible physical damage to property, we should use several
security systems. The best approach is to maintain an asset damage claim process.
We can claim damages using this property damage claim procedure.
 Regular inspection procedure
To minimize the risk of equipment malfunction, we can do it by checking it
regularly. This way we can minimize frequent equipment failures at the beginning
of this process, we create a test schedule under which we have our equipment tested
on a regular basis to minimize trouble.
 Create backup procedures
To reduce the loss of data risk we can create the backup of every data we are
inputting to the computers. By that we can reduce the risk of data loss.

3. Risk management process

- To long-term growth, we need to maintain the protection of the company from
security breaches, data loss, natural disasters ... To manage those risks requires a
management process called a management process. risk management. So, what does
the risk management process mean?
- The risk management process means monitoring and managing potential risks in
order to minimize the negative impact they may have on the organization. From
security breaches, data loss, network attacks, system failures and natural disasters,
an effective risk management process helps identify which risks are the biggest
threats to the organization and out instructions for handling them.
- To have an effective risk management process, there are three steps.
 Risk Assessment and Analysis
The primary step of the risk management process is called as the risk assessment
and analysis stage. A risk assessment assesses an organization experience to
uncertain events that could impact its day-to-day actions and estimates the damage
those events could have on an organization income and status.
 Risk Evaluation
After the risk assessment or analysis has been completed, a risk evaluation should
take place. A risk evaluation compares valued risk against the risk principles that
the organization has already recognized. Risk criteria can include associated costs
and benefits, socio-economic factors, legal requirements and system malfunctions.
 Risk Treatment and Response
The last step in the risk management process is risk treatment and response. Risk
treatment is the Implementation of policies and procedures that will help avoid or
minimize risks. Risk treatment also extends to risk transfer and risk financing.
When something goes wrong with the company. we need to reduce or avoid those
risks, by using strategies - risky treatments. Strategies can be created to address the
specific risks identified. Strategies can vary depending on the risk context.
III. LO2 Describe IT security solutions

1. Potential impact to the organization when there is an improper firewall system

and VPNs.

1.1. The firewall system.

- Many companies install firewalls on each server because it is like a security system
used to protect important information. A firewall is a software program used to
prevent unauthorized access. When there is unauthorized access or from another
private network, the company is at risk because they may obtain all internal
information. So to prevent most companies from using firewall systems. Firewalls
are tools that can be used to increase the security of computers connected to the
network. By installing a firewall system. Firewalls have many different possibilities.
The main ability it has is that it can enhance security by allowing for detailed
control of system functionality.
 Defend resources
 Validate access
 Manage and control network traffic
 Record and report on events
 Act as an intermediary
- The firewall Policy
Firewall policy is a set of rules that includes how to use this software so it’s easy to
handle the software. This an application that is designed to control the flow of internet
protocol (IP). And the firewall policy has contained the types of firewalls and Firewall
Architectures. When we talk about the types of firewalls there are various kinds types,
they are
 Packet filters
 Proxy servers
 Application gateways
Packet Filters: A packet filter is a firewall that reviews each packet for user-defined
filtering rules to control whether to pass or block it. For example, the filtering rule
might need all Telnet requests to be dropped. Using this information, the firewall will
block all packets that have a port number 23 (the default port number for Telnet) in
their header. Filtering rules can be built on source IP address, destination IP address,
Layer 4 (that is, TCP/ UDP) source port, and Layer 4 destination port. Thus, a packet
filter makes decisions based on the network layer and the transport layer.

Proxy Servers: A proxy service is an application that redirects users’ requests to the
real services based on an organization’s security policy. All message between a user
and the actual server occurs through the proxy server. Thus, a proxy server performs as
a communications broker between clients and the real application servers. Because it
performs as a checkpoint where requests are validated against specific applications, a
proxy server is usually processing intensive and can become a bottleneck under heavy
traffic conditions

Application Gateways: An application gateway is a proxy server that offers access

control at the application layer. It performs as an application-layer gateway between the
protected network and the untrusted network. Because it works at the application layer,
it is talented to examine traffic in detail and, therefore, is considered the most secure
type of firewall. It can stop certain applications, such as FTP, from incoming the
protected network. It can also log all network actions according to applications for both
accounting and security audit purposes.
1.2. Virtual private network (VPN)
- VPN is a secure tunnel between two or more devices to prevent web traffic,
snooping, interference, and censorship. A VPN uses data encryption and other
security mechanisms to prevent unauthorized users from accessing data and to
ensure that data cannot be modified without detection as it flows through the
Internet. It then uses the tunnel process to transport the encrypted data across the
Internet. Tunnel is a mechanism for encapsulating one protocol in another protocol.
In the context of the Internet, tunnel allows such protocols as IPX, AppleTalk, and
IP to be encrypted and then encapsulated in IP. Similarly, in the context of VPNs,
tunnel disguises the original network layer protocol by encrypting the packet and
enclosing the encrypted packet in an IP envelope. This IP envelope, which is an IP
packet, can then be transported securely across the Internet. At the receiving side,
the envelope is removed and the data it contains is decrypted and delivered to the
appropriate access device, such as a router.
- The VPN policy
VPN policy is a set of rules that includes how to use this secure tunnel so it’s easy to
handle this tunnel. This is an application that is designed to control web traffic from
snooping, interference, and censorship. And the VPN policy has contained the types of
VPNs and VPN Architectures
- When we talk about the types of VPN there are various kinds types, they are:
 Access VPNs provide remote users such as road warriors (or mobile users),
telecommuters, and branch offices with reliable access to corporate networks.
 Intranet VPNs allow branch offices to be linked to corporate headquarters in a
secure manner.
1.3. How improper firewalls and VPNs impact the EMC company?

- EMC is a well-reputed cloud solution provider. EMC cloud solution Company

provides SAAS, PAAS, LAAS to their customers. EMC company is doing
transactions with external countries when doing those transactions firewalls and
VPNs are the two software that is very important to install. Because when doing
transactions through networks some unauthorized accesses can be attacked to the
network system, not only that some other private networks also can attack the
network system. When it gets attacked by other accesses, they can get important
information about EMC company, especially by the competitors. If the competitors
EMC company get the details about the company it’s a huge risk to the company to
prevent these kinds of risks the firewalls are very important to install. And if there
are improper firewalls also, we have to face these risks
- The other reason was the existence of improper VPNs it’s the other problem that
arises when doing online transactions because when we doing online transactions
without using proper VPNs sometimes there might have web traffic, snooping and
interference by these web traffics transaction can’t do properly it may buffer. From
the improper VPNs the reputation of the EMC company might get damaged because
of that we have to install proper VPNs
2. How would benefit DMZ, Static IPs, and NAT?

2.1. DMZ (Demilitarized Zone)

- A demilitarized zone (DMZ) is a perimeter network that protects an organization’s

internal local area network (LAN) from untrusted traffic.

- A common DMZ meaning is a subnetwork that sits between the public internet and
private networks. It exposes external-facing services to untrusted networks and adds
an extra layer of security to protect the sensitive data stored on internal networks,
using firewalls to filter traffic.

- The end goal of a DMZ is to allow an organization to access untrusted networks,

such as the internet while ensuring its private network or LAN remains secure.
Organizations typically store external-facing services and resources, as well as
servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail,
proxy, Voice over Internet Protocol (VoIP), and web servers, in the DMZ.
2.2. Static IP

- A static Internet Protocol (IP) address (static IP address) is a permanent number

assigned to a computer by an Internet service provider (ISP). IP addresses are useful
for gaming services, website hosting, or Voice over Internet Protocol (VoIP). Speed
and reliability are key advantages. According to a static address is constant, systems
with static IP addresses are vulnerable to data extraction and higher security risks.

- Advantages of Static IPs

 It’s good for creating Computer servers
 It makes it easier for geolocation
 It’s also better for dedicated services
 Disadvantages of static IPs

- The static IP address could be a security risk

 Static IPs are preferred for hosting servers
 The process to set a static IP is complex
2.3. NAT (Network Address Translation)

- Network Address Translation (NAT) is designed for IP address conservation. It

enables private IP networks that use unregistered IP addresses to connect to the
Internet. NAT operates on a router, usually connecting two networks together, and
translates the private (not globally unique) addresses in the internal network into
legal addresses before packets are forwarded to another network.
- As part of this capability, NAT can be configured to advertise only one address for
the entire network to the outside world. This provides additional security by
effectively hiding the entire internal network behind that address. NAT offers the
dual functions of security and address conservation and is typically implemented in
remote-access environments.
- Internet needs that require Network Address Translation (NAT) are quite compound
but happen so quickly that the end-user hardly knows it has occurred. A workstation
inside a network makes a request to a computer on the internet. Routers within the
network identify that the request is not for a resource inside the network, so they
send the request to the firewall. The firewall sees the request from the computer
with the internal IP. IT then makes the same request to the internet using its own
public address and returns the response from the internet resource to the computer
inside the private network. From the outlook of the workstation, it appears that
communication is direct with the site on the internet. When NAT is used in this
way, all users inside the private network access the internet have the same public IP
address when they use the internet.
 - Benefits of Network Address Translation (NAT)
 Reuse of private IP addresses
 Enhance security for private networks by keeping internal address private from the
external network
 Connecting a large number of hosts to the global internet using a smaller number
of public (external) IP addresses, thereby conserving IP address space.

- How Static IPs, DMZ, NAT help the EMC company?

DMZ – This refers to host or another network system that exists as a secure and
intermediate network system, in other words we can define it as a path between two or
more organizations internal network and the external. When EMC company dealing with
their clients some external network system might be attacked to the EMCs network work
system. To prevent these kinds of attacks the EMC company can use DMZ network
systems
Static IPs – It is a permanent number assigned to a computer through internet service
provider. Static IPs are useful to web hosting or voice over internet protocol (VOIP). The
main advantage of using static IPs is speed and reliability. So, when EMC company is
doing transaction with external countries it needs a fast internet connection for these kinds
of activities the static IPs are highly help full to the EMC company.
NAT – Network address translation is used to the limits the number of public IP address
that EMC company must use, for both economically and security purposes. When there is
public IP address the network system of the EMS company is used to reply to the requests
that comes through unknown IP address. To prevent these activities NAT is highly help
full to the EMC company.
3. Trusted Network system
- A trusted network is a network of devices that are connected to each other, open
only to authorized users, and allows for only secure data to be transmitted.

- Components of the trusted network system

 Authentication: the network should require users to login so that only authenticated
users are allowed to use the network
 Encryption: the data should be encrypted so that secure data cannot be intercepted and
transmitted to unauthorized users
 Firewall: the computers and servers on the trusted network should include hardware
like a firewall, which is a software program or piece of hardware that helps screen for
security
 Private Network: the computers and servers on the trusted network should be equipped
with software like virtual private network (VPN), which allows for remote work with
secure data transmission
4. Network Monitoring System

-  Network monitoring is a critical IT process where all networking components like

routers, switches, firewalls, servers, and VMs are monitored for fault and
performance and evaluated continuously to maintain and optimize their availability.
One important aspect of network monitoring is that it should be proactive. Finding
performance issues and bottlenecks proactively helps in identifying issues at the
initial stage. Efficient proactive monitoring can prevent network downtime or
failures. 

- Network monitoring is generally carried out through software applications and

tools. Network monitoring services are broadly used to detect whether a given Web
server is operative and connected properly to networks worldwide. Many servers
that make this job provide a more complete visualization of both the Internet and
networks.
- And there many benefits to Network monitoring system the main three benefits are:
 Protecting your network against attackers: The network monitoring system
identifies distrustful traffic, thereby authorizing owners to act fast. A network
monitoring service is able to provide a broad overview of an SMB’s entire IT
infrastructure so that nothing is misused. Today, exploits are more sophisticated
and advanced and are able to target a system in a diversity of ways. Monitoring
antivirus and firewall solutions separately firewalls solutions separately may leave
security gaps.
 Keeping Informed without in house staff: A network monitoring service will
send warnings and information to an SMB owner as issues arise. Otherwise, an
SMB may need to either effort to their network security themselves or hire a full-
time IT employee- Which could be very costly. Data breaches can be more
harmful and more expensive the longer they go without being noticed.
 Optimizing and monitoring your network: Many small business owners are
expected to rapid growth. This growth cannot be possible if parts of their IT
infrastructure are over-loaded or slowed. Network monitoring services will map
out the infrastructure of a small business, showing an SMB owner area of
development and any issues that currently need to be addressed.
IV. LO3 Review mechanisms to control organizational IT security.

1. Discuss risk assessment procedures

- Risk means a dark situation that we will face in the future. These risks may occur
due to the results of mankind. Most of the risks can happen to the organization due
to the faults of the workers in the organization so as an owner of the organization
the owner should assess the risks
- Risk assessment means the term used to the overall process for identity and analysis
the hazards and risk that going to occur to the company or organization, Analysis
and evaluate the risk associated with that hazard. So, by identifying and analyzing
the risk we have to determine the appropriate or control the risk when the hazards
cannot be eliminated. We can identify certain kinds of risks through looking at our
workplace by identify the things, situation, process, etc. That may Couse harm to
the people. After we identify the risk to avoid this risk from the organization when
this determination is made, we can next decide what measures should be there or in
the organization to effectively eliminate or control the harm happening to the
organization.

2. Explain data protection processes and regulations as applicable to an

organization.

- Any company or organization has a lot of important data. So when that data is
leaked to a competitor, it is possible that the company or organization will
inevitably be attacked. So, data protection a must in every organization.
- These are some of the used full information that reputed companies have:
 The type of customers they have
 Number of customers they have
 Banking information
 Information about the assets
- So, these kinds of information got leaked from the business or organization that may
occur a huge risk to that organization. So, there are many ways to protect these
kinds of important data they are:
 Fixing CCTV cameras
 Employee monitoring system
3. Summarization of ISO 31000 risk management law.

3.1 What is the law?

- An organization or company to maintain operations needs to comply with the

regulations and laws. So what is the law? Law means a certain kind of imperative
to be taken by the head of the organization to minimize errors, frauds, and related
problems among employees working in the organization.
- Implementing laws is a difficult task that is done by the CEO of the company
because he should know how to implement suitable laws for the workers. When the
low get high some employee might not work properly or when there are fewer laws
also the worker might not properly. Forget the work done by the workers the CEO
must think from his perspective, the company’s perspective, and the employee’s
perspective then he can continue his organization or the company peacefully
without any mistakes, frauds, and federations.
- Every CEO is looking to reduce the risks that coming towards his organization for
that he should implement lows and regulations continuously but there are guidelines
when implementing lows for the risks, that guidelines when are in ISO 31000 –
2018

3.2 Summarization of ISO 31000: 2018 related to EMC company

- The ISO 31000: 2018 is consisting of risk management guidelines, providing

principles and frameworks to manage risks in EMC company. When the CEO of the
EMC company is following those ISO 31000: 2018 law it easy to handle the EMC
company. Because all the guidelines and frameworks are in it. Any business-like
small scale and large-scale business or companies can use this ISO 31000: 2018
law.
- By using this ISO 31000: 2018 law can help the EMC company to increase the
likely hood of achieving objectives. And can easily identify the strength and
weaknesses of the EMC company. These things are involved in the vision and
mission of the EMC company. However, ISO 31000: 2018 act cannot be used for
certification purposes. But it provides guidance for internal and external audit
programs
 - By maintaining or following this ISO 31000: 2018 law the owner of the EMC
company can compare the risks, Threats that come towards the EMC company. In
other words, the CEO of the EMC company can compare the threats that he faced in
the past with the new threats that come towards. And another benefit the owner of
the EMC company has was it can compare its risk management practices with an
internationally recognized Benchmark providing sound principles for effective
management and corporate governance. Another benefit It has was the Owner of the
EMC company can identify the risks before they effected to the company. From
these benefits, EMC company can move forward without any threats and risks. And
the owner of the EMC company can take decisions before there is a risk attack or
threatened attack.

3.3 ISO 31000: 2018 Risk Management

- If the EMC company is affected by the risks the EMC company can have
consequences in terms of economic performance and professional reputation as well
as the environment safely and social outcomes. If the threats or risks get effected to
the economic performance of the EMC company it a huge loss for the company
because customers will reject the company and the banks who give loans to the
company may be rejected and finally, the employees who are dependent on the
EMC company get affected. After the economic performance, it gets affected the
professional reputation. If the EMC company is dealing or doing transactions with
foreign countries the professional reputation is highly important. If it gets damaged
due to the threats or risks attacks those countries also starting to reject the company.
Because of these reasons managing risks effectively helps the EMC company to
perform well in an environment full of uncertainty

4. Possible impacts to organizational security resulting from an IT security audit

- In some companies, there are security audits, which means this audit is there to
check whether the security system is working in a proper manner. If there is no
audit system to examine the security system also might get corrupted by the above
things and points, we can tell that there is a huge impact to the organization's
security from the IT security audits.
5. IT security Audit

- An IT security audit involves an IT specialist examining an organization’s existing

IT infrastructure to identify the strength of its current security arrangements and
pinpoint any potential vulnerabilities.
- IT security is very important to the EMC company because handling or maintain IT
security audits ensures the cyber defences are up to date as they can be effectively
detecting or giving response to any kind of threats possess by the hackers and other
criminals who manipulate IT systems for their own ends. When the EMC company
is dealing with external countries cyber defences are very important, if it fails, very
dangerous hackers attacked the servers and take all the important information but if
the cyber defences are up to date there is no risk.

6. IT security Audits can identify the Vulnerable points and problem areas in the
company

- The special feature of IT security audits system has, it can identify the vulnerable
points and problem areas easily. The IT system is a vast one with several
components including hardware, software, data and procedures but the IT security
system can find out the vulnerable areas easily. From the IT security system, we can
check weather our hardware or software tools are configured properly and working
properly. And security audits are retracing the security incidents or the dangerous
situation that company faced in the past from the previous that might have exposed
our security weak points. The other main thing that is done by the audit was the
focus on the carrying out tests in terms of network weaknesses, operating system,
access control and security applications
7. How IT security aligned with organization policy?

- Company policies and procedures are the basis of a strong security plan. Once the
company policies and procedures have been advanced or updated with the company
staff's help, your organization’s security basis will be more current, sound, and in
compliance.

- Companies cybersecurity experts:

 Cooperate with your organization to grow the strategies for successfully
communicating policies, standards, and procedures for measuring good
security practices and agreements
 Provide current management of the company policies, procedures, and
standards to safeguard those documents are kept current and relevant.
V. LO4 Manage organizational security

1. Suitability of the tools used in the polices

- Security policy is a set of rules and procedures the employees have to follow
regarding the security of assets and resources of the organization
(Paloaltonetworks.com, 2019). Appropriate security policy allows maintaining tight
security within the organization. The purpose of a security policy is the
conservation of confidentiality, integrity, and availability of systems and
information used by an organization’s members.

This is based on the CIA triad,

 Confidentiality contains the safety of resources from unauthorized units.

 Integrity guarantees the alteration of resources is handled in a definite and
authorized manner
 Availability is a state of the system where approved users have constant access
to said resources.
 1.1 SECURITY POLICY

- General

The organization preserves a secure network infrastructure through the following

reckoned policies in order to protect the integrity and confidentiality of customer and
organization data and moderate the risk of a security problem. The persistence of this
policy is to create the rules for IT security and to communicate the controls necessary
for a secure network infrastructure. The network security policy will provide the
practical mechanisms to support the Organization's complete set of security policies.

- Approved Staff

Systems Manager should present writing in advance with the consultation of IT staff in
forming and managing accounts which are both system and user.

Authorized persons are only allowed to access and maintain application systems,
network devices (routers, firewalls, servers and etc.), operating systems, and other
information objects.

The network manager must approve the creation of user and privilege accounts like
system administrator or security administrator.

A quarterly basis review should be done on Privilege accounts.

After 60 days or less, if the user and privilege accounts are inactive, they will be
disabled.

- Creating passwords

When creating a password following guidelines should be considered,

 Password must include at least 8 characters.

 Password should be consisting of letters, numbers, special characters and upper

or lowercase characters.

 Password should not include guessable words or personal data like birthdays,
phone numbers and etc.
- Login conditions

 If the login credentials are repeated five times to login will be considered as
unauthorized access and the login portal will be locked for an hour or until the IT
staff resets the password.

 All the user name and passwords related to user accounts and privilege accounts
should be changed in every 90 days period of time. If not, the portal will be
locked.

 When an employee leaves the organization the IT staff must change the password
or disable the account.

- Firewalls

 Firewalls are one of the most significant mechanisms of the Organization’s

security strategy. Internet networks and other unsafe networks must be separated
from the organization network with the use of a firewall.

 Firewalls should provide secure administrative access with administration access

limited, if probable, to only networks where administration connections would be
likely to initiate.

 Unnecessary service and application should be prohibited using the firewall. The
organization should use 'hardened' systems for firewall platforms, or appliances.

 Modifications to firewall rules must be recorded and the records must identify
the administrator performing the modification and when the modification
occurred.

 Firewall must keep records of rejected traffic.

- Data breach measures

 Files and folders should be designated and confidential using password when
sharing on drives.

 Without the administration approval no removable drives, CD or DVD are

allowed to insert into computers and devices of the organization.

- Physical security

 All the server rooms of the organization should be guarded with a security guard
and 24hour surveillance cameras should be used to monitor them.

 The whole organization is inspected with the use of 24-hour surveillance

cameras.

 Smart cards are used for the entry into server rooms and special access rooms.
All the smart cards should be renewed every year.

 Finger print access is used when the staff enters to the organization.

- Discarding of Information Technology Properties

IT resources, such as network servers and routers, often contain sensitive data about the
Organization's network infrastructures.  When such assets are withdrawn, the following
guidelines must be followed:

 Any asset tags or stickers that identify the organization must be removed before
discarding.

 Electronic media (e.g., tapes, disk drives, multifunction devices, copiers, etc.)
will be destroyed by physical demolition.

 Demolition will be noted in records.

2. Develop and present a disaster recovery plan for EMC Cloud for its all venues
to ensure maximum uptime for its customers.

- Disaster recovery plan is a plan which includes how to continue their organizational
processes even after a disastrous situation. Any organization has to face a disastrous
situation at a point of their business lifetime so to successfully face the situation the
organization should have a plan. Disasters can be natural disasters, technological
defects and human involvements. Disaster recovery plan should include following
details

 Prioritized list of assets and inventory.

Assets, inventory should be prioritized according to their value for the

organization and should be listed. So, at a disaster stage what assets should be
preserved the most can be understood.

 How long a data loss or system drop down can be tolerated.

If a system drop down or data loss how long the operations of the business will
have to be halted and how can we recover should be planned. This allows the
organization to be ready for any disaster condition.

 Responsibilities should be shared.

Responsibilities should be shared so that only one or two won’t be responsible

for the whole organization. Like daily backups in each sector should be assigned
to persons from those sectors. If so after a system outage if the data cannot be
recovered he will be responsible not the whole team.

 Communication plan

Proper communication plan should be created. During a disastrous situation

communication is a vital part. If the phone and email services dropdown some
other communication methodology should be implemented so the staff can know
about the ongoing situation.
  Backup plan

Backup plan of the organization should be a very effective one. Employees

should be trained for daily, monthly or weekly backup procedures. Apart from
the server in the work site there should backup server in a geographical location
which has less tendency for destruction due to natural disasters.

 Handling sensitive information

Sensitive information should be handled carefully. If demolishing them they

should be in such a manner that they can’t be recovered. And they should be
stored with password protection

- ‘Creditors, directors, employees, government and its agencies, owners /

shareholders, suppliers, unions, and the other parties the business draws its
resources’ are the main branches of any organization. Discuss the role of these
groups to implement security audit recommendations for the organization.

Security audit is understanding the vulnerabilities in the current security plan to

create a much better plan than the present one. Performing a proper security audit
can improve the defense system of the organization. According to Eitan Katz
(2017), security audit can be performed in 5 steps.

 Outline Your Audit

Firstly, the auditor has to list out the assets of the organization which mostly
comprise of computer equipment, customer data and other important documents.
After listing the security parameters should be defined which allows to differentiate
assets into two sectors as assets which need audit and which do not. Because it is
not very reasonable to audit all assets.

 Outline Your Threats

Next the list of threats should be defined. Threats can be of negligent human errors,
malware and logical attack, password insecurities and natural disasters. Along with
considering the threats the auditor has to look for how these can affect the
organization’s performance.
 Evaluate Existing Security Performance

Now the auditor must look into the present security structure and evaluate it. Here
the security structure must be tested with simulating conditions and check for loop
holes. It is better to allow an external company to do this task because the internal
staff can sometimes pretend that there’s no any issues.

 Ranking (Risk Scoring)

In this step all the threats are ranked according to their priority. the risks with higher
threats are ranked in upper levels whereas minor threats are ranked in lower levels.
Also when ranking some factors like history of the organization, current trends in
security sector and rules and regulations should be considered.

 Prepare Security measures

Finally, after observation done in the previous steps the auditor can suggest and
formulate security measures. Such measures that can be taken are educating the
employees regarding the security threats the organization is facing and will face in
future, tighten passwords, provide access controls like fingerprint and smartcard,
email related protection, more improved backup plans and constant monitoring of
the network.
VI. References

https://www.fortinet.com/resources/cyberglossary/what-is-dmz

https://study.com/academy/lesson/trusted-network-solutions-environment-
technologies.html
https://www.manageengine.com/network-monitoring/basics-of-network-monitoring.html

https://cheekymunkey.co.uk/what-is-an-it-security-audit/

https://www.myassignmenthelp.net/sample-assignment/unit-5-security
https://www.urgenthomework.com/sample-homework/emc-cloud-solutions-unit-5-
security