Details of Assessor
Assessor’s Name
Assessment Outcome
Assessment: Competent / Not Yet Competent
Marks: /60
Result:
Feedback to Student
Progressive feedback to students, identifying gaps in competency and comments on positive improvements:
The purpose of this assessment is to assess the student in the following learning outcomes: Competent (C) / Not Yet Competent (NYC)
Table of Contents
1. Introduction
2. Asset register
3. Threat and risk assessment of current asset
4. Cyber security requirements of current asset
5. Current cyber security controls
6. Identify cyber security gaps
7. New Cyber Security controls to address the gaps
8. Feedback on the Cyber Security controls
9. Sign off Form for Implementation
10. Cyber Security Implementation and Testing
11. New Assets
12. New Asset threat and risk assessment
13. Identify Cyber Security Gaps on new assets
14. Implement and document new cyber security controls to address cyber security gaps
15. Conclusions
16. Reference
1. Introduction
2. Asset Register
Here is the list of all the devices and software platforms that are connected to our network:
PCs and laptops: HP 24-F0130A 23, HP Pavilion 590-P0082A, Lenovo IdeaCentre 510S-02, Inspiron Small Desktop, Vostro Small Desktop, Lenovo IdeaCentre 510, Lenovo ThinkPad E590, iMac.
Operating systems: Windows 7, Windows 7 Pro, Windows 10, Windows 10 Pro, macOS Catalina. (Windows 7 reached end of support on 14 January 2020 and no longer receives security updates.)
Office software: Office 365, Office 2013, Google Docs.
Antivirus: AVG, Norton, Avast, Scan Guard.
Infrastructure devices: server01 (Dell PowerEdge T100 II), server02 (HP ML350 Gen10).
UPS: APC SMC1000I Smart-UPS C 1000VA LCD 230V.
Switches: S3900-48T4S stackable managed switch with 4 x 10 GbE SFP+ uplinks, 8-port Gigabit PoE+ managed switch, 24-port Gigabit PoE+ managed switch.
Router: AC1200 wireless dual band Gigabit router (5 GHz: up to 867 Mbps, 2.4 GHz: up to 300 Mbps).
Printer, scanner, copier: multifunction printer (Fuji Xerox DocuPrint CM405 df) with 512 MB/1024 MB memory.
Backup drive: Synology DiskStation DS1019+ 5-bay 3.5" diskless 2 x GbE NAS, black, with 2 x 4 GB DDR3L non-ECC SO-DIMM memory.
Wireless access point: AC1200 wireless dual band Gigabit ceiling mount access point with 1 x Gigabit Ethernet (RJ-45) port (supports IEEE 802.3at PoE), 1 x console port, 5 GHz: up to 867 Mbps, 2.4 GHz: up to 300 Mbps.
Smartphone: Samsung Galaxy Note 9, octa-core CPU (2.7 GHz, 1.7 GHz), Android 8.1 (Oreo), upgradable to Android 9.0 (Pie); One UI.
Microsoft Surface tablet: Surface Pro with Intel Core 7th-generation m3, i5 or i7 processor, 4 GB, 8 GB or 16 GB RAM, Windows 10 Pro (i5, i7) or Windows 10 Home (m3), Office 30-day trial.
Firewall: Cisco RV220W network security firewall.
Telephone system: Yealink SIP-T41S.
3. Threat and risk assessment of current asset
Risk management is closely related to asset management and identification. In fact there is some overlap, in that some cyber security risks, such as unsecured routers or workstations, can often be found during the asset identification process.
An important component of risk management is running a risk assessment. The following techniques were used to carry out the risk assessment:
Risk assessment questionnaire (Security Self-Assessment Guide for Information
Technology Systems)
Assessment tools (NMAP, NESSUS, APPSCAN)
Vulnerability sources (SANS Top 20, OWASP Top 10, NIST I-CAT vulnerability
database, Microsoft Security Advisories)
Documentation review
Interviews
Site visit
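The following is an added example and is not part of the student's report. It shows how output from one of the assessment tools listed, Nmap, can be triaged against the two gaps that recur in this assessment: logins that cross the network unencrypted (open to sniffing) and remote access services that are reachable and therefore must be monitored. The XML is constructed to resemble `nmap -sV -oX` output for two hypothetical hosts (server01 and a NAS on an assumed 192.168.10.0/24 office LAN); the host names, addresses, ports and the rule tables are assumptions for illustration.

```python
"""Triage Nmap XML output for cleartext-login and remote-access exposure."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample shaped like `nmap -sV -oX` output for two hypothetical
# hosts on an assumed 192.168.10.0/24 LAN. Not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.10.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.10.10" addrtype="ipv4"/>
    <hostnames><hostname name="server01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.10.20" addrtype="ipv4"/>
    <hostnames><hostname name="nas01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="5000"><state state="open"/><service name="http" product="Synology DiskStation"/></port>
      <port protocol="tcp" portid="5001"><state state="open"/><service name="http" tunnel="ssl"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose login credentials cross the wire in clear text unless Nmap
# reports them wrapped in TLS (tunnel="ssl"). Assumed rule table.
CLEARTEXT_LOGIN = {
    "ftp": "FTP sends credentials unencrypted",
    "telnet": "Telnet sends the whole session, passwords included, unencrypted",
    "http": "HTTP login forms and Basic auth expose credentials to a sniffer",
    "pop3": "POP3 sends credentials unencrypted",
    "imap": "IMAP sends credentials unencrypted",
}

# Remote-access services that are acceptable only if logons are monitored.
REMOTE_ACCESS = {"ms-wbt-server": "RDP", "ssh": "SSH", "vnc": "VNC"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    gap: str
    detail: str


def parse_open_ports(xml_text):
    """Return (host_label, port, service_name, tunnel) for every open port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        name_el = host.find("hostnames/hostname")
        label = f"{name_el.get('name')} ({addr})" if name_el is not None else addr
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed or filtered ports are not exposure
            svc = port.find("service")
            results.append((label, int(port.get("portid")),
                            svc.get("name", "unknown"), svc.get("tunnel")))
    return results


def assess(xml_text):
    """Map each open port onto the gap categories used in the assessment."""
    findings = []
    for label, port, name, tunnel in parse_open_ports(xml_text):
        if name in CLEARTEXT_LOGIN and tunnel != "ssl":
            findings.append(Finding(label, port, name, "no login encryption",
                                    CLEARTEXT_LOGIN[name]))
        if name in REMOTE_ACCESS:
            findings.append(Finding(label, port, name, "remote access exposed",
                                    f"{REMOTE_ACCESS[name]} reachable; logons must be monitored"))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_XML):
        print(f"{f.host:28} {f.port:>5}/{f.service:<14} {f.gap}: {f.detail}")
```

Run it against a real scan with `nmap -sV -oX scan.xml <range>` and feed the file contents to `assess`. The closed Telnet port and the TLS-wrapped port 5001 produce no finding; the unencrypted FTP and HTTP ports and the RDP and SSH services do.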
The risks found at Devon Accounting are listed below. Only a fragment of the risk table survived extraction; the recoverable text of one row reads: "compromise of confidentiality & integrity of sensitive data" (risk) and "security should be in place that would limit the ability to sniff the network to exploit this vulnerability" (control).
Security controls that are to be implemented need to be analysed first. Some examples of analysis methods are:

Method | Description
--- | ---
(method name lost in extraction) | ... structure, or at which any malicious activities can occur. It then assesses how the attack or the activities become possible.
Assessment of known vulnerabilities and penetration tests | Based on the analysis of attack vectors, a vulnerability analysis and penetration tests are performed to recognise the malicious activities that can compromise the target system.

These are some ways in which security controls can be analysed [2].
6. Identify cyber security gaps
A cyber security gap analysis has strong potential for helping companies of any size with their vulnerability management. The cyber security gaps identified are as follows:
Unknown threats
Hacking
Lack of monitoring
Failure of equipment
Open to fraud
Device security
Third parties
Internet of Things
Malicious software
No encryption
People risks
Controls | Description
--- | ---
Management controls | Policies, guidance, rules and implementation procedures that direct the security programme and assign responsibility for it.
Operational controls | Day-to-day procedures carried out by people: administering access and authentication, monitoring, training, backup and restore testing, and maintaining secure network topologies.
Physical controls | Protection of hardware and the information on it by restricting physical access: locked doors, CCTV cameras, alarm systems, and controlled access to server rooms and network equipment.
Assets Identified | Threats and Risk | Current Cyber Security controls | Security Gaps | New Cyber Security controls | Feedback from supervisor on new controls
--- | --- | --- | --- | --- | ---
Server | Hacking | User authentication, locked door | Open to fraud | Check credential policies, proper monitoring | 
Backup drive | Data deletion | Current backup solution | No encryption | Run backup restore tests on a regular basis | 
Data leaks | Sensitive software information | Policy for software development, training, advice on choosing software | Lack of monitoring | Training, and consequences of illegal actions written into policy; anomalous behaviour must be flagged | 
Hardware devices | Equipment failure or theft | Only locked doors | Device security | Implement physical security with CCTV cameras and alarm systems | 
Malicious code | Viruses or worms may be introduced to the system | Anti-virus | Third party | Update to the latest anti-virus, update virus definitions, update the firewall, security policy | 
Remote access | Remote OS authentication is enabled but not monitored | None | Lack of monitoring | Remote access monitoring software | 
Login encryption | Login encryption setting not configured | None | No encryption | Require encrypted logins so passwords are not sent in clear text; physical security should be in place that would limit the ability to sniff the network to exploit this vulnerability | 

(The supervisor feedback column is blank in the source.)
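Added example, not from the report: the "Remote access monitoring software" control in the table above, expressed as detection logic over Windows Security log records (event ID 4624 is a successful logon, 4625 a failed logon, and logon type 10 is RemoteInteractive, i.e. RDP). It flags remote logons from outside an allowlist, remote logons outside business hours, and a burst of failures from one source followed by a success. The CSV sample, user names, addresses, allowlisted networks and thresholds are constructed assumptions; 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.

```python
"""Flag suspicious RDP logons from an exported Windows Security log."""
import csv
import io
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample: a CSV export of selected Security log fields.
# 4624 = successful logon, 4625 = failed logon, logon_type 10 = RDP.
SAMPLE_LOG = """time,event_id,user,logon_type,source_ip
2020-03-02T08:55:10,4624,jsmith,10,192.168.10.55
2020-03-02T09:02:41,4624,svc_backup,3,192.168.10.20
2020-03-02T23:14:03,4625,administrator,10,203.0.113.45
2020-03-02T23:14:31,4625,administrator,10,203.0.113.45
2020-03-02T23:15:02,4625,administrator,10,203.0.113.45
2020-03-02T23:15:40,4625,administrator,10,203.0.113.45
2020-03-02T23:16:15,4625,administrator,10,203.0.113.45
2020-03-02T23:17:09,4624,administrator,10,203.0.113.45
2020-03-03T10:30:00,4624,mrose,10,198.51.100.7
"""

# Assumed trusted sources: the office LAN and a hypothetical VPN pool.
ALLOWED_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("10.8.0.0/24")]
BUSINESS_HOURS = (8, 18)      # 08:00 to 18:00 local time (assumed)
FAIL_THRESHOLD = 5            # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)
REMOTE_INTERACTIVE = 10       # Windows logon type for RDP

Event = namedtuple("Event", "time event_id user logon_type source_ip")
Alert = namedtuple("Alert", "time user source_ip reason")


def parse_events(text):
    """Parse the CSV export into typed Event records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Event(datetime.fromisoformat(r["time"]), int(r["event_id"]),
                  r["user"], int(r["logon_type"]),
                  ipaddress.ip_address(r["source_ip"])) for r in rows]


def detect(events, allowed_nets=ALLOWED_NETS):
    """Return one Alert per rule that a successful remote logon trips."""
    alerts = []
    failures = [e for e in events if e.event_id == 4625]
    for e in events:
        if e.event_id != 4624 or e.logon_type != REMOTE_INTERACTIVE:
            continue  # only successful RDP logons are in scope here
        if not any(e.source_ip in net for net in allowed_nets):
            alerts.append(Alert(e.time, e.user, e.source_ip,
                                "remote logon from source outside allowlist"))
        if not BUSINESS_HOURS[0] <= e.time.hour < BUSINESS_HOURS[1]:
            alerts.append(Alert(e.time, e.user, e.source_ip,
                                "remote logon outside business hours"))
        # Failures from the same source in the window just before the success.
        recent = [f for f in failures
                  if f.source_ip == e.source_ip and e.time - WINDOW <= f.time < e.time]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(Alert(e.time, e.user, e.source_ip,
                                f"{len(recent)} failed logons from this source in the "
                                f"previous {WINDOW.seconds // 60} min, then success "
                                "(likely password guessing)"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.time:%Y-%m-%d %H:%M:%S} {a.user:<14} {a.source_ip!s:<16} {a.reason}")
```

In the sample the internal daytime logon by jsmith and the network (type 3) logon by svc_backup raise nothing; the administrator logon at 23:17 trips all three rules and the mrose logon trips the allowlist rule only. On a real system the same fields can be exported from Event Viewer or pulled with `Get-WinEvent` and the thresholds tuned to the office's hours and VPN ranges.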
9. Sign off Form for Implementation
This document has been approved as the Final Report for the Risk Assessment of Devon Accounting and accurately reflects the current understanding of the project.
Prepared by:
Approved by:
Supervisor name:
Date:
Designation (supervisor post):
Institute name:
10. Cyber Security Implementation and Testing

11. New Assets
Here are a few new assets that can be added at Devon Accounting:
Anti-virus (column headings reconstructed; the first row's product name did not survive extraction):

Product | Supported OS | Memory | Processor | Storage | Other requirements
--- | --- | --- | --- | --- | ---
(product name lost) | ... Pack 1, Windows 8, Windows 8.1, and Windows 10 | ... | ... or equivalent processor | ... | version 10 or higher
Kaspersky Security Cloud Free | Windows 7 to Windows 10 | 6 GB | 2 GHz Core i3-5005U | 34.1 GB files and 500 GB drive | No specific requirement
13. Identify Cyber Security Gaps on new assets
14. Implement and document new cyber security controls to address cyber security gaps
Cyber security controls to address the new cyber security gaps are as follows:
Determine security levels of assets
Maintain an incident response plan
Apply anti-virus solutions
Implement perimeter defence
Secure devices and systems
These are some of the ways to control the security gaps raised by the new assets.
15. Conclusions
From the above research and report it is concluded that controlling the risks that arise in a system or company can lead towards success, while uncontrolled risks lead the system towards failure. Risks and security gaps can be controlled by following proper techniques and methods. Proper planning before a risk assessment is very important, and the whole company should follow the controls given to them by senior management.
16. Reference
[1] Nouveau. (n.d.). Benefits of cyber security for your business. Retrieved from https://www.nouveau.co.uk/content-hub/benefits-of-cyber-security
[2] Song, J.-G., Lee, J.-W., et al. (2013). An analysis of technical security control requirements for digital I&C systems in nuclear power plants. Korea Atomic Energy Research Institute, 989-111 Daedeok-daero, Yuseong-gu, Daejeon 305-353, Republic of Korea.
[3] LBMC. (2020, January 10). Three categories of security controls. Retrieved from https://www.lbmc.com/blog/three-categories-of-security-controls/