Network Security

Managing Security for HDLC Bank 2019
Contents
P1 & P2..................................................................................................................................................4
Introduction....................................................................................................................................4
Types of security risks:.................................................................................................................. 5
Organizational Security Procedure................................................................................................8
Risk Assessment Methodology....................................................................................................10
Risk Treatment Methodology......................................................................................................11
Conclusion................................................................................................................................... 12
Part 2....................................................................................................................................................13
Introduction..................................................................................................................................13
Security Appliances.....................................................................................................................13
Conclusion................................................................................................................................... 22
P4......................................................................................................................................................... 23
Introduction..................................................................................................................................23
DMZ.............................................................................................................................................23
NAT............................................................................................................................................. 24
Static IP........................................................................................................................................25
Conclusion................................................................................................................................... 27
P5......................................................................................................................................................... 28
Introduction..................................................................................................................................28
Risk Assessment in ISO 31000....................................................................................................28
Conclusion................................................................................................................................... 31
P6......................................................................................................................................................... 32
Introduction..................................................................................................................................32
Data Protection.............................................................................................................................32
Network Change Management.................................................................................................... 33
1
Anwesh Hada (HND / Second Semester)
Data Protection Processes and Regulation in Nepal....................................................................33
Data protection processes and regulations as applicable to the organization.............................. 33
Conclusion................................................................................................................................... 35
P7......................................................................................................................................................... 36
Introduction..................................................................................................................................36
Security Policy.............................................................................................................................36
Organizational Structure of HDLC Bank.................................................................................... 38
Access Control Policy..................................................................................................................39
ADDS (Active Directory Domain Services)................................................................................40
Access control list (ACL)............................................................................................................ 47
Remote access policy...................................................................................................................48
Virtual Private Networks............................................................................................................. 48
VPN benefits................................................................................................................................49
SSH.............................................................................................................................................. 58
Network Connection Policy.........................................................................................................59
Password Policy...........................................................................................................................60
Information Protection Policy......................................................................................................63
Physical security policy............................................................................................................... 64
Conclusion................................................................................................................................... 65
P8......................................................................................................................................................... 66
introduction..................................................................................................................................66
Disaster Recovery Plan................................................................................................................66
Business Continuance plan..........................................................................................................68
HDLC Bank Business Continuity Program................................................................................. 69
Conclusion................................................................................................................................... 70
References............................................................................................................................................71
Anwesh Hada (HND / Second Semester) 2


P1&P2
Identify types of security risks to organizations.
Introduction
Technology has progressed exponentially from the beginning of the internet age until today where
networked computers are almost ubiquitous. The key issue about bringing computers together is that
this would increase the vulnerability of an information network to threats to the protection of
information. As a result of this disclosure, it is becoming computer viruses, denial of service attacks,
and intruders that hack into organizational information systems. In recent years, society has become
aware of issues related to data security (i.e. cyber security) through reports in the mainstream news
media. Computer viruses, identity theft, denial of service attacks, and information-spying cases have
become big news stories. The company's devices, networks, and information are not secure even
though a company uses firewalls, malware security software, intrusion detection systems and other
advanced technologies. So to manage these, in each and every organizational structure there is a need
for protection similarly in the same way as commercial bank i.e. The HDLC bank, created by
reputable businessmen and operated by the qualified team and experienced bankers, may also face
the security problem in the future.
HDLC Bank,' founded in 2009, is one of Nepal's leading commercial banks. The bank is committed
to providing quality service and preparing to use all technical facilities that improve quality service
with a high degree of enforcement and risk management. The bank has an IT department responsible
for managing and implementing all the required IT infrastructures.
I was appointed as the IT Officer of HDLC Bank Fin. I have to maintain, support and enforce a
stable LAN / WAN banking network infrastructure in the bank. I was therefore assigned to
demonstrate that I am capable of evaluating IT security threats, identifying various possible IT
solutions, reviewing processes for monitoring IT security in the organization and managing
organizational security.
First, in order to ensure the protection of the bank's data and information, we need to consider the
various potential security threats in the bank, bank security vulnerabilities, risk aspects, etc. Then,
after the complete analysis of it, we must include the procedural protection methods and then apply
all possible methods to the bank's framework to preserve the protection

I have reported a portion of the various kinds of risks through the complete analysis of the security
hazards that may happen during the bank's future work here. Possibility of loss, death or other
unfavorable or unwanted circumstances possibility or condition involving such a possibility Danger
is an unpredictable occurrence or situation that has an impact on the level of the organization, if it
happens. Below is a portion of the security risk in the HDLC bank.
Some risks in the departments in the banks are as follows
 Credit Risks
 Liquidity risks
 Market risks
 Interest rate risks
 Foreign exchange risks
 Bank prosperity risks
 Investment Risks
 Strategic risks
 Banking operational risks
Other than these risk following are some major risks that can arise in an system
Types of security risks:
 Physical Risk
 Data Risk
 Environmental Risk
 Application Risk
 Host Risk
 Network Risk
 Unauthorized Access
 Physical risk
The term physical danger can be described as the harm done by the computer or by humans, such
as noises generated from the computer and access to the authorization made to take the bank
files. Let's take an example that when the machine of the bank may not be properly used by the
employee or the machine may be damaged by using it for long periods of time or dust etc. so the
machine may cause physical harm such as crashing, overheating, fire, etc.

 Data risk
Data can be described as information collection, and in bank terms the data is extremely
important as it contains customer information and other valuable data. In terms of bank data risk,
data breaches, data loss, etc., and when there is a loss of hdd or when the bank catches the
valuable document that is called data risk is damaged.
 Environmental risk
Here, the environmental risk can be defined as data loss that appear to occur when natural
disasters such as earthquake, tornado, flood, etc. occur, both risk being the same as physical risk
and environmental risk. So the data may lose during these calamities and the environmental risk
can be named.
There are some environmental threats which are as following:
 Floods
Floods are those which will harm our LAN/WAN environment. If floods come then it will damage
our network infrastructure. So we have to flood recovery plan for environmental risk.
 Fire
Fire can also harm our network infrastructure. If fire comes then all the network system would burn
and it can affect damage of whole system.
 Earthquake
Earthquake is the one of the main risk. If it happens then system can be damage and data flow can be
stopped by destroying server computer. It can also make disturbance in the whole network.
 Dust
Environmental factor such as dust can harm the system of our bank, too. Dust, smoke and spilled
liquids are the ones that can destroy our entire system. When dust is outside our server computer, it
might not cause any harm, but if it goes inside the server computer, it may harm our machine and
disrupt our bank's entire network.

 Application risk
This form of risk can occur due to the software problem such as incorrect coding. Strong examples
of application risk are also due to weak infrastructure and the use of applications which tend to lead
to data breaches. It can also be known as the most dangerous risk in the core banking system in terms
of bank risk.
 Host risk
This type of danger is triggered by the security team's poor management of the database because
there are loads of hackers trying to steal the ransomed information and demand in the present day. In
cloud applications, there is a lot of vulnerability that is caused by bad server management that tends
to lose data.it takes a well-secured team to run the website so host risk is also explained.
 Network risk
In today's cyber world, there are a lot of hackers trying to steal other data through online access and
it has become the top priority for all companies of all sizes to maintain the highly protected website.
Therefore, there must be a high level of protection so that only approved staff are able to enter so
that data breach can be managed in bank terms.
So there are following network risk which can damage my HDLC bank:
 Sniffing and eavesdropping
Sniffing and eavesdropping are the ones that can damage our networks, so monitoring our network
communication is the operation. Hackers now have a number of tools to search, including etheral for
windows and tcpdump or ngrep for UNIX.
 Spoofing
Spoofing is the attack when one person or program successfully masks the data to gain an advantage
by falsifying it. It has certain types like ARP spoofing attack, DNS spoofing attack, IP spoofing
attack, etc. And this can hurt our bank from so many different directions. And this may be one of the
greatest challenges for our bank.

 DNS and ARP poisoning
ARP poisoning is when the attackers are sending out non-authoritative DHCP server ARP messages
to modify the IP / Gateway. When attackers do this our bank will be hacked by IP / Gateway update.
Hackers will hack our system, thereby damaging the system network infrastructure.
 Firewall and IDS attack
IDS stands for device for detection of intrusion. IDS is distinguished from a firewall in that the
firewall searches outwardly for intrusions to prevent them from occurring. It is designed to track all
network activity coming in and going out. If it is attacked it breaks into a system or compromises it.
 Unauthorized Access
Unauthorized access is the unknown person or someone who accesses your programs, website,
server, software or someone who uses unknown individual account without authorization to use an
exact personal account is considered unauthorized access. If anyone knows your account's username
or password and he / she constantly surf your account without your permission, then this is an
example of unauthorized access. Unauthorized access leads to program updates, deletions and
negative changes. Many organizations and businesses are losing their data and confidential
information because of unauthorized access. The organization's reputation and fame could collapse
because data and financial data are thieved.
Organizational Security Procedure
“Security procedures are detailed step by step instructions on how to implement, enable, or enforce
security controls as enumerated from your organization’s policies. Security procedures should cover
the multitude of hardware and software components supporting your processes as well as any
security related business processes themselves” (Dunham, 2018). There are some organization
security procedure which are describing below
 Developing local policy, process and guidance
Policy can be described as a course of action or theory embraced or suggested by an organization or

person. Will entity or the organization must first define the needs to establish the policies. This can
be achieved by monitoring the practices, by monitoring the environment and by making the
employee accountable as the policy-making process. Then the policy must be understood by each
person in the industry and implement the policy, and the head must also be assigned to look after the

finalized policy and to communicate with stakeholders collecting the details and various other tasks.
 Designing network and user authentication strategy
Authentication is the concept that can be considered true or only valid .e.g. only legitimate persons in
a bank are permitted to access the bank's database. Authorization is the term used to allow the
approved person to access the data in order to avoid data theft, etc. so that unified systems are used
for efficient protection in order to protect the system. So, the authentication technique is used to
protect the system. The machine password or codes are created to keep the database safe.
 Identifying network, host, vulnerabilities and threats
Vulnerabilities can be described as a vulnerability that a Threat Actor, such as an attacker, can
exploit in order to carry out unauthorized actions within a computer system. And that threat can be
identified as a person or item that is likely to cause harm or danger. And the method of defining
vulnerabilities in computer systems is an evaluation of vulnerability. So to avoid these, we need to
understand the common attacks, and identify and fix the problem. The organization's well-identified
network plays an significant role in collecting data for the organization.
 Identifying problems and resource requirement
Problems can be found everywhere so that the bank has to use the correct tool to solve the problem
and protect it. There could also be a shortage of resource in the bank's network that contributes to the
problem, and a bank needs to learn and define the problem. Thus, by defining the problem they face,
they can tackle it and handle the problem that secures the banking system.
 Creating plan for identified resource requirement
So, everybody needs a less system issue so preparation is required to cope with the issue. Therefore a
business must have enough supply to solve the problem. The strategy must be made using sufficient
human capital to address the organization's problem by addressing the issue.
 Performing certification and accreditation
Certification is quality recognition which must not be ignored when buying or building the products.
Since certified goods have passed the durability test that is the must to avoid potential problems.

 Providing information assurance training

The term assurance can be described as faith or belief in one's own skill, and if it is called assurance
training, train them to master their ability with complete trust. The organization will have good
preparation for each and every employee, so that they can prevent potential problems. Employees
need to be educated on how to communicate, how to operate computers, how to back up data, etc.
 Penetration testing
Penetration testing is also called pen testing, or ethical hacking, which is the process of checking the
device, network, and web application framework to detect any weaknesses in the framework that
hackers and other viruses might strike. This process involves finding certain vulnerabilities which
attacker can strike, collecting vulnerability information. The main aim of penetration testing is to
locate safety flaws in the system.
Risk Assessment Methodology
Risk evaluation analyzes what can go wrong, the probability of it occurring, the possible
consequences and the tolerability of the perceived danger. The resulting risk assessment can be
expressed in a quantitative or qualitative manner as part of this process. There are various phases and
risk management methodologies that are listed below.
 Acquisition
Risk assessment is an inherent part of an overall risk management strategy which seeks to "introduce
control measures to eliminate or minimize" any possible risk-related consequences after a risk
assessment..
 Identification
Risk detection is the most important as it helps with the research to solve the problem. The risk can
be established by forming a team and assigning a task to identify and report on the issue. And once
the team recognizes the risk and makes the report, the organization can address the issue quickly.

 Analyzing
At this process the team is given the update on the issue they have received and the team is
coordinated to evaluate again. Let us assume, for example, that the organization is facing the loss as
found in the report, so that the team meets and addresses the loss issue and makes a plan for it, fixes
the problem and solves the risk management process for future projects.
 Evaluation
The formed team must reassure the stakeholder and the manager about the strategy that helps to
solve the problem in this process. This is the final Risk Assessment phase. After risk analyzes and
risk evaluations, and so on. That is also regarded as a crucial move.
 Records the Findings
The results of the risk assessment are to be reported for future accessibility. The record will provide
details of the possible hazards and associated plans and strategies for reducing such risks.
 Reviewing and the updating the Risks Assessment
The different risks could appear in the coming days. We need therefore to upgrade our security
framework and study the framework we have in the current world and adapt the new system.
Risk Treatment Methodology
The term treatment can be defined as fixing something, and risk management can be defined as the
steps taken to resolve the factors that appear to cause the problem. This method involves measures
for identifying, evaluating and then managing risks. Thus, here are risk management methodologies
and are listed below:
 Security audit
This approach recognizes, organizes, and defines security vulnerabilities that may occur in data
breaches. This process mainly aims to isolate and secure data. During the first phase the data is
segregated and during the second phase the data is organized and the third phase identifies the
main danger causing data infringement and the fourth phase guarantees the security of each and
every data.

 Vulnerability Assessment
The term vulnerability itself states that it is essential to damage. This can be understood by
weakness or vital device problems which could lead to other threats.
 Penetration testing
This is an essential phase, because the computer system is being checked in this process to find
the vulnerabilities an attacker could exploit. This process involves collecting, trying to break in,
and recording information about the insecure target until the check determines potential entry
points. It is a good test because it allows us to recognize and solve the vulnerabilities.
Conclusion
I have reported a portion of the different types of risks through the complete investigation of the
security hazards that can happen during the bank's future work here in the given mission. The risk of
loss, injury or some other unexpected or adverse situation. I have identified the security measures
and helped secure the system in the given task.

Part 2
Introduction
In this mission, I will implement some of the organization's security appliances and IT protection
technologies such as firewall, access control lists, VPN, DMZ, NAT, and static IP routing etc. and I
will also critically examine its implementation within the organization. I will also go over the
advantages and drawbacks of these protection equipment and technologies in this task.
Security Appliances
Security devices are any type of server appliances designed to project unwanted traffic on computer
networks. Security appliances literally mean the piece of equipment designed to protect the computer
networks from unwanted traffic. The equipment used for protection appliances is called security
equipment. The following are some security technology appliances used in HDLC banks:

Firewall

Virtual Private Network (VPN)

Static IP routing

Demilitarized Zone (DMZ)

Network Address Translation (NAT)
Firewall
Firewall is one of network's most common and most-used devices. Firewall can be based on software
and hardware, or may have both software and hardware. Firewall is primarily used to efficiently and
reliably control and govern network traffic. Firewall does this on the basis of certain protocols which
the network engineer / admin determines or sets. A firewall organizes security framework that
screens and monitors both approaching and active device movement in light of the security
collection that is defined by cutting edge. Firewall can be used as a tool for improving the protection
of connected PCs over a network, and is also responsible for preventing unauthorized access. There
are numerous firewalls which control different activities at different locations. But we are able to
break them into two different firewalls. These are firewall based on a computer, and firewall based
on a network. On each individual server a computer-based firewall is installed, which tracks and
controls incoming and outgoing traffic. A network based firewall may be a virtual service or is built
on the infrastructure of the cloud and prevents unauthorized access.

The use of the firewall in the HDLC bank will assist in secure indoors much like the external attacks,
all network traffic will pass through the firewall with the intention that it can channel the network,
and it must also maintain the association's access policy. HDLC Bank uses firewall to protect it from
external malicious attacks.
Firewalls strengths / capabilities
 They are excellent at enforcing corporate security policies

 They are used to restrict access to specify services
 The majority of firewalls can even provide selective access via authentication functionality
 Firewalls are singular in purpose and do not need to be made between security and usability
 They are excellent auditors
 Firewalls are very good at altering appropriate people of specified events.
Firewalls weakness / limitations
 Firewalls cannot protect against what has been authorized

 It cannot stop social engineering attacks or an unauthorized user intentionally using
their access for unwanted purposes
 Firewalls cannot fix poor administrative practices or poorly designed security policies
 It cannot stop attacks if the traffic does not pass through them
 They are only as effective as the rules they are configured to enforce.
There are usually two types of firewalls: Host-based and Network-based. Every host-based firewall
that controls every incoming and outgoing packet is mounted on each network node. This is a
software application, or application suite, that comes as part of the operating system. It requires host-
based firewalls because network firewalls cannot provide security within a trusted network. Server
firewall protects every network against attacks and unauthorized access.
On network level network firewall feature. In other words, such firewalls process all incoming and
outgoing network-wide traffic. It protects the internal network with the use of rules specified on the
firewall to filter traffic. There may be two or more network interface cards (NICs) in a network
firewall. A network-based firewall is typically a dedicated device with proprietary built applications.

Virtual Private Network (VPN)
A VPN is a private virtual network, which is a dedicated, encrypted link to a secure server between
the host computers. A VPN links your personal computer to your organization’s proxy server.
Effectively, if linked via a VPN, anything you do online will send the encrypted request to a proxy
server. The proxy then sends the question to the internet and returns the encrypted response to you.
Since the HDLC Bank has a large number of networks, the information and data protection that is
transmitted over the network is also at risk. This has been solved to some extent by the use of VPN.
In banking, Virtual Private Network uses advanced encryption and tunneling to allow computers to
create secure, end-to-end private network connections over insecure networks, such as the Internet or
wireless networks. VPN services can impact your computing performance and network efficiency.
Diagram: Use of VPN
If an company has a main office with one or more remote offices it is important to create a wide area
network (WAN) connection between the locations. Use the established Internet link at each location
and creating a safe tunnel between the two sites is one typical low cost approach. In this scenario the
router / VPN servers at each location provide a safe link between them rather than the end user
creating a secure connection back to the main office. The connection may be a dedicated link, or
dial-up kind. Once it hits the VPN server LAN traffic is not encrypted. When traffic passes through
the VPN tunnel, it is encrypted so that the contents of the payload are not exposed to the public
Internet. As data travels through the VPN tunnel it is encrypted in such a way that the payload
contents are not revealed to the public Web. If the encrypted data emanates from the other end of the
tunnel, it is unencrypted and sent to the local area network.

Virtual Private Network (VPN) is basically of 2 types:
1. Remote Access VPN

Remote Access VPN allows a user to connect to a private network, and remotely access all of its
services and resources. The internet communication exists between the user and the private network,
and the link is secure and confidential. Remote Access VPN is beneficial to home and business users
alike.
2. Site to Site VPN

Often known as Router-to-Router VPN, a Site-to-Site VPN is widely used in large corporations.
Companies or organizations with branches at various locations use Site-to-Site VPN to connect the
network from one office location to another office location.
 Intranet based VPN: When several offices of the same company are connected using
Site-to-Site VPN type, it is called as Intranet based VPN.
 Extranet based VPN: When companies use Site-to-site VPN type to connect to the
office of another company, it is called as Extranet based VPN.
Advantages of VPN
1. We can hide our IP address from external network.

2. We can also change IP address in this virtual network.
3. We can also encrypt our data while transfer for better security.
4. From VPN we can mask our location and get access to other location.
5. We know that we can easily access the websites which is blocked by governments with a
VPN.
6. It increases online security.
Disadvantages of VPN
1. Most reliable VPNs are costly.

2. We may find VPN to be more complex than we’d like.
3. Third party VPNs might not be trusted

Types of Virtual Private Network (VPN) Protocols

1. Internet Protocol Security (IPSec)
Internet Protocol Protection, known as IPSec, is used by an IP network to protect Internet
communication. IPSec secures contact with the Internet Protocol by checking the connection and
encrypting each data packet when connecting.
IPSec runs in 2 modes:
 (i) Transport mode

 (ii) Tunneling mode
Transport mode operates by encrypting the message into the data packet, and the tunneling mode
encrypts the entire data packet. With other authentication protocols IPSec can also be used to boost
the authentication framework.
2. Layer 2 Tunneling Protocol (L2TP)

L2TP or Layer 2 Tunneling Protocol is a tunneling protocol that is mostly combined to establish a
highly secure VPN link with another VPN security protocol such as IPSec. L2TP creates a tunnel
between two L2TP link points and IPSec protocol encrypts the data and maintains secure tunnel
communication.
3. Point to Point Tunneling Protocol (PPTP)
PPTP or Point-to-Point Tunneling Protocol creates a tunnel and the data packet is confined. Point-to-
Point Protocol (PPP) is used to encrypt the link between the data. PPTP is one of the most commonly
used VPN protocols, and has been in use since Windows was first released. Aside from Windows
PPTP is also used on Mac and Linux.
4. SSL and TLS:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) create a VPN connection where the
web browser acts as a client and the user's access to particular applications is forbidden rather than
the entire network. Online shopping websites commonly use the protocol SSL and TLS. Web
browsers can easily switch to SSL, and as web browsers come integrated with SSL and TLS, almost
no action is needed from the user. SSL links have "ssl" instead of "http" in the URL original.
5. Open VPN
Open VPN is an open source VPN, widely used to create Point-to-Point and Site-to-Site connections.
It uses a standard, SSL-and TLS-based security protocol.

6. SSH
Safe Shell or SSH creates the VPN tunnel in which the transmission of data takes place and also
guarantees the tunnel is encrypted. SSH connections are created by an SSH client and data is
transferred through the encrypted tunnel from a local port to the remote server.
Static IP routing
Static IP Address is a device-configured IP Address manually against one allocated can DHCP
Server. It's static because its Username doesn't shift and the dynamic IP address is just the opposite.
Different devices like routers, phones, tablets, desktops and laptops may use static IP address.
Through introducing the Static IP Address, we will host servers, data containing the data accessed by
other computers through the internet, which is to host the website. We can find the servers from
anywhere in the world, too. The machine which allows remote network access works best with the IP
Address static. The network will be stable when applying the static IP address and in the case of the
dynamic IP address, they will never change. Through using the dynamic IP Address, the device will
be assigning IP Address during its initialization, thus dynamic IP Address will hamper the device
through system instability.
For the network administrators, it is very easier to track internet traffic and assigned access to certain
users based on the IP Address identification. In this way, it can improve its network security by
hardening the system. (Hartman, 2019)
Static IP routing occurs when a router uses a manually configured routing entry. In DHCP server we
use dynamic routing. Except DHCP, we use static IP routing. There three types of routing:
1. Default routing
2. Static routing
3. Dynamic routing
Advantages of static IP routing
1. Provides ease of routing for smaller networks that are expected to grow significantly.
2. It is easy to implement in smaller network.

3. It is stay the same so it is easy to troubleshoot.

4. No routing algorithm or update mechanisms are required.
Disadvantages of static IP routing
1. It is not easy to implement for large network.

2. Managing the static configuration can become the time consuming.
3. If it is failed to ping or connect then static route cannot reroute traffic again.
Demilitarized Zone (DMZ)
“Stands for "Demilitarized Zone." In computing, a DMZ is a section of a networkthat exists between
the internet and a public network, such as the internet. It may contain a single host or multiple
computer systems.” (TechTerms, 2019)
A DMZ has the function of defending an intranet against external access. By separating the intranet
from hosts that can be reached outside of a local network (LAN), internal networks are shielded
outside of the network from unauthorized access. For example, a company may have an intranet
consisting of workstations for its employees. Public servers of the business, such as the web server
and mail server, may be located in a DMZ so they are separate from the workstations. If an external
attack infected the servers, the internal systems will be unaffected.
Advantages of DMZ
1. It is important for network security.

2. It can be used to isolate and keep potential target systems separate from internal networks.
3. It is used to reduce and control access to those systems from outside of the organization.
4. It is the long solution for hosting corporate resources to make at least some of them available
to authorized users.
Disadvantages of DMZ
1. If hackers are able to penetrate our firewall, then they will easily get access to our DMZ.
2. Union of DMZ resources.
The DMZ Network operates to protect the most vulnerable hosts from attack. Such hosts typically
provide resources that extend to users beyond the local area network, with email, web servers and
DNS servers being the most common examples. Due to the increased attack potential they are put in
the controlled subnetwork to help protect the rest of the network if they are compromised

Hosts in the DMZ have tightly managed access permissions inside the internal network to other
services because the data transmitted through the DMZ is not as protected. Additionally, contact
between hosts in the DMZ and the external network is also restricted to help increase the secure
border area. It allows hosts to communicate with the internal and external networks within the secure
network, while the firewall removes and handles all traffic exchanged between the DMZ and the
internal network. Usually, an additional firewall would secure the DMZ from access to anything in
the external network.
Network Address Translation (NAT)
Network address translation (NAT) is a way of mapping several local private addresses before
moving the information to a public one. Organizations wishing to use a single IP address on different
devices use NAT. NAT's key usage is to restrict the number of public IP addresses that an individual
or corporation may use, both for economic and security purposes.
Internet requests involving Network Address Translation (NAT) are very complex, but occur so
rapidly that the end user rarely knows it has happened. A workstation inside a network is making a
request on the Internet to a computer. Network routers know the request is not for a resource inside
the network so they submit the request to the firewall. With the internal IP the firewall sees the
request from the user. Instead, using its own public address, it makes the same request to the Internet
and returns the response from the Internet tool to the device within the private network. From the
resource perspective on the Internet it sends details to the firewall address. Through the workstation's
viewpoint, contact with the website tends to be directly on the Internet. If NAT is used in this
manner, if accessing the Internet all users inside the private Internet access network use the same
public IP address. That means that hundreds or even thousands of users need only one public
address.
NAT Types
There are three different types of NATs. People use them for different reasons, but they all still work
as a NAT.
1. Static NAT
When the local address is converted to a public one, this NAT chooses the same one. This means

there will be a consistent public IP address associated with that router or NAT device.
2. Dynamic NAT
Rather than selecting the same IP address each time, this NAT is going through a pool of public IP
addresses. This leads to a different address for the router or NAT system each time the router
converts the local address to a public address.
3. PAT
PAT stands for translation of port addresses. It's a kind of dynamic NAT because it connects
multiple local IP addresses to a single public address. Organizations who choose to use a single IP
address for all their workers use a PAT, mostly under the control of a network administrator.
Advantages of NAT

You help in conserving the IPv4 address space (when you use NAT Overload).

The flexibility and the reliability of connections to the public network can be increased by
implementing multiple pools, backup pools and load-balancing pools to.

Extra layer of network security. Hosts inside a NAT network are not reachable by hosts on
other networks unless you want to.
Disadvantages of NAT

If a guest requests remote access, it will double-check the NAT belongs to the connections
from the router. But some guests have formed the link from another host if the user does not
respond to the appropriate host then the request will be received, another host.
This criterion will lead to degrading in the performance of the network

When several systems and protocols are focused on end-to-end functionality, other users
cannot access the user's network. Since the host is embedded into the NAT network which is
difficult to access as discussed above

If there is any need to troubleshoot the network from remote areas, then troubleshooting will
be tough and leads to loss of end to end traceability.

The implementation of tunneling protocols makes it more difficult due to NAT translated
values in IP headers and also prevents the integrity tests of ipsec and left tunneling protocols

• Services needing global UDP or TCP deployment connections may be affected and may
not be available at times.

Conclusion
In the above mission, I implemented some organizational IT security appliances and technologies
such as Firewall, Access control lists, VPN, DMZ, NAT, and Static IP routing etc. and also critically
evaluated its implementation in the organization. In the above mission, I also addressed the benefits
and drawbacks of these safety appliances and technologies.

P4
Show through an example in simulated environment, how implementing a DMZ, Static IP and
NAT in a network can improve network security.
Introduction
Protection can be generated in today's networks through a combination of separate, independent

safety layers. This is so that someone who tries to hack or attack a network needs to bypass many
different security measures in order to achieve their target, making a breach less likely. This is also a
precautionary redundancy measure that prevents compromising the network if one layer is weak or
ineffective.
Some of the security tools or technologies used in the company include DMZ, Static IP, and NAT
etc. I'll also be addressing how DMZ, Static IP, and NAT can boost network protection in this
mission. I'll also give an example of how to implement DMZ, static IP and NAT.
DMZ
“DMZ Stands for "Demilitarized Zone." In computing, a DMZ is a section of a network that exists
between the intranet and a public network, such as the Internet. It may contain a single host or
multiple computer systems.” (TechTerms, 2019)
In my network, there are there routers

router0, router1 and router3. First
router is considering as outer network.
And other two have their own
networks. All routers are connected
through straight through cable like
se2/0 or se3/0. Switch and server are
connected in router1 and PCs are
connected to router2. So this is why I
implemented DMZ in my machine.

DMZ In Security
The DMZ Network operates to protect the most vulnerable hosts from attack. Such hosts typically
provide resources that extend to users beyond the local area network, with email, web servers and
DNS servers being the most common examples. Due to the increased attack potential they are put in
the controlled sub network to help protect the rest of the network if they are compromised.
Hosts in the DMZ have tightly managed access permissions inside the internal network to other
services because the data transmitted through the DMZ is not as protected. Additionally, contact
between hosts in the DMZ and the external network is also restricted to help increase the secure
border area. It allows hosts to communicate with the internal and external networks within the secure
network, while the firewall removes and handles all traffic exchanged between the DMZ and the
internal network. Usually, an additional firewall would secure the DMZ from access to anything in
the external network.
DMZ's are a critical part of network security for individual users as well as large organizations. They
provide the computer network with an extra layer of protection by restricting remote access to
internal servers and information, which can be very damaging if breached.
NAT
Network address translation (NAT) is a way of mapping several local private addresses before
moving the information to a public one. Organizations wishing to use a single IP address on different
devices use NAT. NAT's key usage is to restrict the number of public IP addresses that an individual
or corporation may use, both for economic and security purposes.
“Network Address Translation (NAT) is the process where a network device, usually a firewall,
assigns a public address to a computer (or group of computers) inside a private network. The main
use of NAT is to limit the number of public IP addresses an organization or company must use, for
both economy and security purposes” (Whatismyipaddress, 2019)

Diagram: NAT Implementation
NAT IN Security
Simplify network management by introducing NAT by allowing the administrator to accept the
internal addressing at no charge. For example, if a organization has a public addressing program and
changes the ISPs, the address of all terminals that make up the networks must be changed. By
enforcing the NAT, the public IP Address number is saved. The IP Address used in these days is
version 4 of the IP Address, which has a major disadvantage as the number of IP Addresses available
is limited compared to the terminal. It also stops the IPv4 Addresses from decaying. NAT makes use
of the proprietary IPv4 addressing scheme and avoids changes in the internal address if we can
change the Internet service provider.
Static IP
Static IP Address is a device-IP Address manually against one allocated can DHCP Server. It's static
because its Username doesn't shift and the dynamic IP address is just the opposite. Different devices
like routers, phones, tablets, desktops and laptops may use static IP address.
For devices which require constant access, static IP addresses are required. For example, if your
computer is configured as a server, such as an FTP server or web server, they're basically needed.
This is a good thing, because if you want to make sure that people can still access your computer to
download files, then you need to force the machine to use a static IP address that never changes.

Alternatively, if the server were assigned a dynamic IP address, it would change occasionally which
would prevent your router from knowing which computer on the network is the server.
Diagram: giving static IP
Diagram: pinging to test connection
SAT in Security
By introducing the Static IP Address, we can host data from servers that hold data accessed by other
computers through the internet, which is to host the website. We can find the servers from anywhere
in the world, too. The machine which allows remote network access works best with the IP Address
static. The network will be stable by enforcing the static IP address, which will never change in the
dynamic IP address cases. The system would need to allocate IP Address during its activation by
using the dynamic IP Address, hence dynamic IP Address will hamper the system by system
instability. Static IP Address can help to prevent future device problems.

Conclusion
In this job, I discussed tools for network appliances such as DMZ, static IP routing, and NAT
showing them in Cisco packet tracer, in a simulated environment. I also enforce them and define the
DMZ, static IP and NAT configuration.

P5
Discuss risk assessment procedures.
Introduction
Safety risk assessment can be identified as the process that is undertaken to determine security risks
determines the security measures needed. The assessment is carried out at the very early stages of
system growth as well as when changes to the information asset or its environment occur. The
process involves evaluating and reviewing all system-related assets and processes to identify the
danger and weaknesses that could impact system security, integrity or availability, and setting the
control needed to manage the risk. Risk assessment is an integral aspect of risk management and the
risk assessment must be an ongoing process in order to be successful.
Risk Assessment in ISO 31000
ISO 31000:2018, Risk Management-Guidelines set out concepts, structure and risk management
mechanism. Any company may use it, irrespective of scale, operation or sector.
The use of ISO 31000 will help organizations increase the probability of achieving targets, enhance
the recognition of opportunities and risks and efficiently assign and leverage risk management
resources.
ISO 31000 cannot, however, be used for certification purposes, but offers guidelines for internal or
external audit programs. Organizations using it will align their risk management strategies with a
globally accepted benchmark, offering clear guidelines for good corporate governance and
management.
Type of Security Risk Assessment
Security risk assessment can be classified into various categories, depending on the intent and scope
of the assessment. The exact timing depends on what your machine needs and resources are.
 High-level Assessment:
This review emphasizes, in a more pragmatic and systematic approach, the study of departmental
security posture as well as overall infrastructure or system architecture. B / Ds of many information
systems are looking for a high-level risk analysis of their information systems in such an evaluation,
rather than a thorough and technical review of control. It can also be used in the planning process to

define threats or to review general security checks before developing the program.
 Comprehensive Assessment
Usually, this evaluation is conducted annually for security monitoring of a B / D information

systems. It can be used to determine the risks of a specific program in a B / D, and to provide
improvement recommendations. General control analysis, device analysis, and detection of
vulnerability will be carried out during the information gathering process. A review procedure
should be followed to ensure proper follow-up of all the prescribed remedies.
 Pre-production Assessment
Similar to the works done in a "Comprehensive Assessment," this test is usually carried out on a new
information system before it is rolled out or after a significant functional change occurs. B / Ds will
perform security review in the design stage of the system for a new information system, which acts
as a checklist to ensure that required security specifications are correctly defined and implemented in
the design stage of the system or in other phases. The pre-production safety risk assessment will
check the security review follow-up actions to ensure that appropriate security measures and controls
are properly enforced in the system before production is deployed.
Benefits of Security Risk Assessment
 To provide a complete and systematic view to management on existing IT security

risk and on the necessary security safeguards.
 To provide a reasonably objective approach for IT security expenditure budgeting and cost
estimation.
 To enable a strategic approach to information security management by providing

alternative solutions for decision making and consideration.
 To provide a basis for future comparisons of changes made in IT security measures.

Risk Assessment Procedure
There are no specific guidelines on how to carry out a risk evaluation, but there are a number of
general standards to follow.
Five steps to risk assessment can be followed to ensure that your risk assessment is carried out
correctly, these five steps are:
1. Identify the hazards

2. Decide who might be harmed and how
3. Evaluate the risks and decide on control measures
4. Record your findings and implement them
5. Monitor and review
Diagram: Risk assessment Process
1. Identify the hazards
You need to understand the difference between a' danger' and' risk' to recognize hazards. A danger is'
something with the potential to cause damage' and a chance is' the possibility of discovering the
potential harm. A variety of different methods may be used to locate risks, such as looking around
the office or questioning the employees.

2. Decide who might be harmed and how
If you've identified a variety of hazards you need to consider who might be affected and how,
including staff working in the factory, or members of the public. Establish groups that are affected in
your search by the risks and hazards that you found. Understand that there are classes outside the
workplace that may be affected if corrective steps are not taken.
3. Evaluate the risks and decide on control measures
After' identifying the hazards' and' deciding who may be affected and how' you are then expected to
protect the people against harm. The hazards can be either completely avoided or the risks
monitored, so that the accident is unlikely.
4. Record your findings
It is a legal requirement that the results will be recorded down if there are 5 or more employees; and
by documenting the results it demonstrates that you have defined the dangers, determined who might
be affected and how, and also demonstrates how you intend to remove the risks and dangers.
5. Review your assessment and update as and when necessary
You should never forget that few workplaces remain the same and this risk assessment should be
checked and revised whenever appropriate. Changes are often taking place in the workforce so that
the policies and practices stay intact. As these improvements take place, these areas should be tested
when introduced in the workplace to reduce risk.
Conclusion
Risk assessment is very important for any company regardless of its scope and reputation in the
sector. Every business requires it so they can prevent cybercrime threats and implement security
methods there. Risk evaluation has all of the related advantages and challenges. The safety risk
assessment will provide a full overview of the current security risk and help provide potential
approaches and improvements to the security measures and controls.

P6
Explain data protection processes and regulations as applicable to an organization.
Introduction
Data security in the digital era is important for successful and good practice at both the
organizational and individual levels. But despite that recognition and understanding of data security
and the right to privacy worldwide, there is still a lack of legal and institutional systems, procedures,
and resources to promote data protection and privacy rights. At the same time, the growing amount
and usage of personal data, together with the advent of innovations that allow new ways of storing
and using it, make it more necessary than ever to enforce an effective data protection system.
Since HDLC is one of Nepal Banks ' leading banks and another, it has to handle a large volume of
confidential customer information, and infringing such data can have dire consequences. So it is my
job as an IT officer at HDLC Bank to protect those important pieces of data.
Data Protection
Data security refers to the procedures, protections and contractual guidelines that are placed in place
to secure and ensure that you remain in charge of your personal information. In short, you will be
able to determine whether or not you want to share certain information, who has access to it, how
long, when, and how any of this information can be updated, and more.
“Data protection is also known as data privacy or information privacy. Data protection is the process
of protecting data and involves the relationship between the collection and dissemination of data and
technology, the public perception and expectation of privacy and the political and legal
underpinnings surrounding that data. It aims to strike a balance between individual privacy rights
while still allowing data to be used for business purposes.” (Techopedia, 2019)
Data security will also extend to all data types, be they personal or corporate. It deals with both data
honesty, abuse or error protection and data privacy, being open only to those who have access to it.

Network Change Management
“Network change and configuration management is a strategic approach to minimizing the impact of
change on a network or IT ecosystem. The goal is to create a company-wide standardized method to
implementing both self-motivated, internal change, such as upgrades and troubleshooting; as well as
externally required change such as government regulations on data.” (techtarget, 2019)
Configuration management plays a vital role in the management of network change, as certain tools
enable networking teams to use software to build detailed position maps and configure part or
connectivity between them. Mapping software and apps for tracking the network allows companies
to make sure that any improvements made in the network do not breach requirements for government
data. Many of the organizations use network change management as a way to automate changes,
reduce network downtime and meet government requirements and also backup and restore network
system configuration.
Data Protection Processes and Regulation in Nepal
The key way in Nepal's organization of data protection process is backup and restore, virus
prevention, time-to-time security analysis, risk assessment, and treatment etc. All the above-
mentioned considerations should be enforced to save consumer data from hacking or other damage
to the company. While Nepal is slightly slower in information technology than other countries, and
digital technology laws have been enforced late but it has numerous regulations and acts to protect
our data from criminals. There is Electronic Transaction Act2063 BS (2006) which has made
various provisions concerning electronic data security. This act has prohibited unauthorized access to
computer materials and guarantees that electronic records, documents are legally legitimate in
exactly the same formats as originally created or transferred. This law also states that if any person
accesses the software or data of the computer of any other organization without the permission of an
organization then that person is liable to the penalty as specified in the act.
Data protection processes and regulations as applicable to the organization.
The method of securing personal and confidential information from any breach and catastrophe is
data security. With the growing amount of sensitive data stored and generated, the importance of data
security is rising day by day. Most of the data security policy allows the data to be recovered easily
after any failure or misuse occurs. The data security is used to define the organizational data backup
and the continuity of business.

In the sense of the scenario, I am an IT Officer at the HDLC Bank, and in our organization we also
have the data protection strategy, processes and regulations below.
 A process to create and maintaining a register over a personal data processing

operation: Our organization has a mechanism for creating and maintaining the registry for
the processing of personal data. The register contains intent, design, etc. information and
shows what kind of personal data is being processed.
 A process to ensure information security: Our Company has a mechanism to ensure the
confidentiality of information to prevent unauthorized access to and release of personal
information. It is the part it mitigates the risk. Having a plan for how to handle third parties
such as vendors, partners and other relevant entities that can exchange personal data in a
location is very successful. The data protection policy is the best mechanism for protecting
privacy between two interconnected organizations.
 A process to ensure data portability: Our bank has a method of fulfilling the data
portability criterion. The reported data will be versatile to view and access where appropriate
and in a readable form.
 A process of ensuring the privacy by design: Our IT department has the responsibility of
maintaining the IT infrastructure where personal data is stored or not, and by necessity it
includes some privacy standards and design. This program should have limited access to
personal data and should have a privacy specification and other regulations.
 A process of performing and solving the risk and sensitivity assessments: When
analyzing and storing large data, it is time to combat such vulnerabilities such as data loss,
data manipulation and various threats such as DOS threats, various viruses, and security tests
should be carried out to ensure proper data protection.
 A process of how to report the data security incidents: “The Company should informed
the national supervisor authority and possible that company and the individual that are
registered, should be informed within the 72 hours after a security breach. Therefore, we have
a smooth, secure, and effective process for the reporting.” (Anon., 2019)

Conclusion
I addressed data security in this mission, which is of great significance because it offers guidelines
and best practice standards for companies to adopt on how to use data from other individuals. Such
activities include controlling the processing of personal data, maintaining legal responses to fines in
case of violation of laws, allowing data protection authorities to implement rules etc. in the above
task I have addressed the mechanism and regulation of data protection specific to organizations.

P7
Design and implement a security policy for an organization.
Introduction
Security threats are, as we know, continuously changing, and enforcement standards are increasingly
complex. Large and small companies need to develop a robust security system to address both
challenges. Absent a security policy, a security system can't be organized and implemented through
an enterprise, nor can compliance measures be communicated to third parties and external auditors.
Keeping these issues in mind, I will address security policy in this task and how it helps protect the
network, and I will also establish and enforce security policies for HDLC Bank.
Security Policy
A security policy is an organization's written document detailing how to defend the organization
from threats like computer security threats and how to deal with circumstances when they arise.
“A security policy is a document that outlines the rules, laws and practices for computer network
access. This document regulates how an organization will manage, protect and distribute its sensitive
information (both corporate and client information) and lays the framework for the computer-
network-oriented security of the organization.” (Webopedia, 2019)
A security policy will describe the key things which need to be secured within an organization. This
may include the network of the organization, its physical build, and more. The possible risks to these
things need to be listed too. If the document focuses on cyber security, risks may include those from
inside, such as the possibility of disgruntled workers stealing sensitive information or launching an
internal virus on the network of the organization. Conversely, a hacker from outside the firm may
infiltrate the system and cause data loss, alter data, or steal it. Finally, it may cause physical harm to
computer systems.
When the risks are established it is important to assess the probability that they will actually occur. A
organization also needs to decide how to prevent such risks. A few protections may be the
implementation of some workplace rules, as well as good physical and network security. There must
always be a strategy of what to do if a threat actually materializes. The security policy should be
distributed to everyone in the business and the data protection process needs to be frequently
checked and revised as new people come into the business

Purpose of bank security policy
The primary purpose of HDLC bank’s security policy is to ensure that make the Bank, the Board of
Directors and Management:
 The risks and the threats to which the banks information system are exposed should be
understand.
 Should test the affiance of the information security system.
 The potential exposures of the risks should be evaluated.
 Implementing the appropriate information security system and administrative of technical
and physical security controls to mitigate such identified risks, threats and exposures.
Objectives of bank security policy
The specific objectives for designing and implementing security policy in HDLC is to:
 Protect bank system against unauthorized access to our use of client information that might
result in substantial harm or inconvenience to any customer.
 Provide timely and comprehensive identification and assessment of threats and risks that may
threaten security of customer and bank information.
 Document policy standard for management and control of identified risks.
 Ensure the confidentiality, integrity, security and accuracy of customer information received,
processed and maintained by bank.
 Ensure that customer and bank information is protected against threats to its security.
 Specify various categories of information system data, equipment and process subjected to
information security procedures.
 Protection of software and hardware components that comprise the bank’s information
systems.

 Provide standard for testing policy and adjust on continuing basis to account for changes in
technology, sensitivity of customer information and internal of external threats.
 Ensure that bank complies with all relevant regulations, common law (Data Protection Act,
Computer Misuse Act, Electronic Transaction Act 2063 B.S etc.) agreements, or conventions
that mandate security and confidentiality of customer information.
Organizational Structure of HDLC Bank
“An organization chart is a graphical representation of relationships between an organization’s

departments, functions and people. It can also indicate the flow of data, responsibility and reporting
from bottom-up or top-down. Its usage across the globe is a testament to its effectiveness. Below are
some rules for drawing organizational charts and org chart best practices to make your org chart
more meaningful and useful.” (Creately, 2019)
A good organization, when providing a range of financial services, will help a bank succeed.
Banking's aim is to provide a secure forum to perform financial transactions on. Organizational
structure types to play these different tasks and provide the services requested by their customers.
Organizational structures and the organization of a bank, basically organizing staff and divisions
within a bank to create and provide their services. This briefly presented lecture on the
organizational structure of banks and their industries.
Below is the organizational Structure of HDLC Bank:

Diagram: Organizational Structure of HDLC Bank
Access Control Policy
Network access control is a method of improving the protection of a private organizational network
by limiting the availability of network resources to endpoints that adhere to the security policy of the
organization.
Proper protection of information and computer systems is a basic duty of management. Nearly all
applications dealing with economy, privacy, protection or defense have some form of control over
access (authorization). Access control is about deciding the authorized activities of permissible users,

mediating any attempt by a user to access a resource inside the program. Full access is allowed in
some systems after effective user authentication but most systems need more complicated and
complex control. Beyond the security method (such as a password), access control is about how
authorizations are organized. For certain situations, the authorization can reflect the organization's
structure, whereas in others, it may be focused on the sensitivity level of specific documents and the
clearance level of the person accessing such documents. In certain instances, the authorization may
match the organization's structure, whereas in others it may be focused on the sensitivity level of
different documents and the clearance level of us.
As an IT officer at HDLC Bank, I need to find out how access control is handled during the planning
process to enforce access control policy, and who can access system information under what
circumstances. For example, I have to plan where the information policies are to be enforced I have
enforced a file authorization policy in the finance department and then I have to state how the
company's business department can access those files. I will use two separate reasons for enforcing
access control policies in HDLC banks, namely ADDS (Active Directory Domain Services) and
Access Control Lists.
ADDS (Active Directory Domain Services)
Active Directory (AD) is a technology used by Microsoft to control computers and other devices
within a network. It is a primary feature of Windows Server, an operating system which runs servers
based on both the local and the Internet. Active Directory enables network administrators within a
network to build and control domains, users, and objects. For example, an admin may build a group
of users and grant them unique rights on access to certain server folders. As a network expands,
Active Directory offers a way to organize a large number of users into logical groups and subgroups,
thus maintaining control of access at-level.
In context of HDLC bank, domain has been created. In the domain of HDLC bank various
Organizational units (OU) has been created.

ADDS LAB REPORT
Step 1: Open server and go to run and type “ncpa.cpl”. Step 2: Then right click on LAN card and there select
this will take you network window. properties and select advance properties.
Step 3: Then assign static IP address in LAN card. Step 4: Go to server manager and click manage and then
click add roles and features.

Step 5: After that click next, next two times. Step 6: Then this box will appear just click on Active
Directory Domain Services and click add features and then
next
Step 7: Then click on restart the destination server if Step 8: After installation is finished then go to server
required and click on install and after installation click manager and click flag (yellow) sign and click promote
close. this server to a domain controller.

Step 9: Click on add a new forest and type domain name Step 10: Type password you want to give and then click
hdlcbankltd.org and click next. next three times and it will restart automatically.
After that computer will restart.
Step 11: After the computer restarts it will show the Step 12: now go to run and type dsa.msc, then you see the
domain name in it and you have to provide password. domain name. Here you the installation of domain completes

Step 13: Then go to domain name and create right click a Step 14: Now give the name of organizational unit as
dialog box like this appears then click new and select required and click ok.
organizational unit.
Step 15: Then newly added OUs will be shown below Step 16: As shown in the figure right click on account
domain as shown in this screenshot. department OUs then click new and select user for creating
user in OUs.

Step 17: Now provide the description for creating user. Step 18: Then provide the password for user and
select the credentials as you want to provide to that
user.
Step 19: Now again click on OUs and click on new then Step 20: Now, provide the group name i.e. Finance
select group. Group.

Step 21: Then click on user and select add to group Step 22: Then double click group and click members
and type Finance Group there and click next. there we can see name of group members and whom it is
managed by.
Step 23: Here in managed by we can choose manager to

manager our group. For our bank finance group, I have choose
aayan Acharya as manager. Likewise, this we can create OUs for
all department of our bank and then create group and user inside
them.
As I have shown above we have choose the manager for managing group and provide it
to department head so that manage all the user and group inside that Organizational Units.

Access control list (ACL)
Access control list is a table that tells a computer or the operating system, which allows the right user
to access the certain files and other information or accessing the particular object. The list has an
entry for each system user with some system privileges. The most common privileges are to read
files, write in files and to execute the files. (Anon., 2018).
ACLs is also known as simple access lists allowing or permitting future processing of the data
packets based on the packet information. Implementing the ACLs should preserve the system's
protection in compliance with the data configuration method to be entered into the system or rejected
in the system. ACLs are of various kinds but the main purpose is to preserve protection by restricting
the access of the unused IP address within the internal network from the external network. That
means it is used to filter internal network traffic.
We do have other access control procedures in our Commercial Enterprise Bank network, in which
we have customers, administrators and other employees. They have the right to access the files and
their own jobs. User have certain access control requirements and law. Employees have some rules
and generally the administrator monitors the user and employee's access to the different files and
folders.
Below I have provided the command line on how we are going to implement access control list on
our system to allow and deny user accessing system information.

Remote access policy
“Remote access policy is a document which outlines and defines acceptable methods of remotely
connecting to the internal network. It is essential in large organization where networks are
geographically dispersed and extend into insecure network locations such as public networks or
unmanaged home networks. It defines standards for connecting to the organizational network and
security standards for computers that are allowed to connect to the organizational network.”(Walters,
2014)
The Remote Access Policy defines how remote users can interact until they are permitted to interact
to the main organizational network and the specifications for and of their systems. Link is made by a
client or host in remote access to the internal network and infrastructure of our bank from an external
source. From employee's home to off-site offices, hotels and cafes, etc., remote locations can be
almost anywhere in the world.
Some of the advantages of remote access include:
 Remote workers can save employers costs on travel and office space.
 Employees can have constant, up-to-date access to details of their company's
products, services and inventory.
 Branch offices can be in contact with head office.
 Provides the appropriate access that allows remote workers to be productive and also
protect the information assets and system from accidental or malicious losses.
 Provides the guidelines to prevent data misuse or mishandling of the data.
 Prevents the use of unauthorized devices and people including the family members
and housemates with the implementation of the password protection and firewalls.
When a company wants to provide remote access to its network to employees or third parties, a range
of solutions are available. In this task I will address the most common remote access approaches,
such as VPN AND SSH.
Virtual Private Networks
A VPN is a private virtual network, which is a dedicated, encrypted link to a secure server between
the host computers. A VPN links your personal computer to your organisation's proxy server.
Effectively, if linked via a VPN, anything you do online will send the encrypted request to a proxy
server. The proxy then sends the question to the internet and returns the encrypted response to you.

A VPN provides added protection to everyone who uses a public network, including the Internet.
Using a number of security mechanisms, such as encryption, the VPN will safeguard any data
transmitted across the network which could be at risk because it merely uses the underlying
infrastructure of the public network. VPNs are sometimes used when the use of a physical private
network will not be feasible, typically for financial purposes. When businesses accept mobile work
and face growing pressure to protect confidential information, many employ virtual private networks
to improve network security.
VPN benefits
 Security
The key factor businesses opt for virtual private networks. It is vitally important to have
encrypted data, particularly when it is sensitive. Infringements of data not only lead to
penalties and regulatory fines but may also cause permanent reputational harm.
 Mobility
VPNs offer companies the ability to share their resources with employees and associates who are not
permanently rooted in the workplace. It will offer an important boost to productivity by ensuring that
workers are not tied to conventional working hours and positions in the workplace. Organizations
have also started using VPNs to outsource their jobs, enabling them to reduce internal staff costs.
 Cost
Digital private networks will prove substantially more economical than a private physical network.
Companies use the current public network to promote their VPN rather than having to lease long
distance network connections to ensure safe data transfer.

LAB REPROT OF VPN
Step 1: In server add two LAN card. Then in ethernet0 Step 2: Give the IP address for Ethernet.
give the IP address.
Step 3: Go to manage and click add roles and features Step 4: Here select role based and click next twice.
or directly click in add roles and features in dashboard.

Step 5: Click on remote access and then next. Step 6: Then click next thrice and then select add
features.
Step 7: Then put tick mark on restart the destination and Step 8: After installation go to manage and select remote
select yes and click install access management.

Step 9: Then you will see this dialog box click Direct Step 10: Then click on run the getting started wizard.
Access and VPN.
Step 11: Then click on deploy VPN only. Step 12: This will open routing and remote access.

Step 13: After clicking in name right click on Step 14: Then click on remote access(dial-up or VPN.
configure and enable routing and remote access.
Step 15: Now select VPN and click next. Step 16: Now select the NIC Card which contains
public ip then select next.

Step 17: Now give the starting and ending IP address. Step 18: After that go to run and type dsa.msc and click
ok.
Step 19: Then, right click on domain name and select Step 20: Then create a new group then name it and
new then create a new group. leave it as it is there.

Step 21: Now go to domain click new and then select user. Step 22: Here give the first name, user logon name and
click next.
Step 23: Here you have to give your password according Step 24: Now go to user right click it and select add to
to your need, and you can choose any options, click next. group.

Step 25: Now type the name of group check it and click Step 26: After that go to user properties then go to dial-in
ok and click Allow access.
Step 27: Now open client computer go to control panel and Step 28: Open network and sharing center and then
click on Network and internet. click on setup new connection.

Step 29: Now select connect to a workplace then click Step 30: Choose on use my Internet Connection(VPN).
next.
Step 31: Then after connection is successful click on Step 32: We can see a VPN logo that we created recently.
change adapter setting. Now right click on logo>>create a shortcut (because while
connection we need not have to access from control panel
always and can directly access from desktop).

Step 33: A shortcut VPN is created on desktop just

open it and type username and password then click
connect Now our employee can have the remote
access from any part of world to our system.
(Now the VPN is created successfully)
SSH
The SSH (also known as Safe Shell) protocol is a mechanism for safe remote access from one device
to another. It offers many alternative possibilities for strong authentication, and with strong
encryption, it preserves information protection and integrity. This is a free alternative to vulnerable
login protocols (such as telnet, rlogin) and unreliable methods of file transfer (such as FTP).
The protocol operates in the client-server model which means that the SSH client connecting to the
SSH server establishes the link. The SSH client drives the setup process for the connection and uses
public key cryptography to check the SSH server identity. After the setup phase the SSH protocol
uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the
data that is exchanged between the client and server.

Diagram: SSH Flow
SSH is used in organizational networks for:
 providing secure access for users and automated processes

 interactive and automated file transfers
 issuing remote commands
 managing network infrastructure and other mission-critical system components.
The protocol is used today to control more than half of the world's web servers, and nearly any Unix
or Linux machine, on site and in the cloud. It is used by information security professionals and
system administrators to install, administer, maintain, and run most firewalls, routers, switches, and
servers within our modern world's millions of mission-critical networks and environments. This is
also included into several file transfer and device management solutions
Network Connection Policy
Network policies are collections of requirements, restrictions, and settings that help you to determine
who is allowed to link to the network, and the circumstances in which they may or cannot link. The
network access policy is structured to safeguard the bank network and members ' ability to use it.
The aim of this policy is to establish the standards for connecting computing devices to the network
of the bank. We must develop standards to mitigate possible exposure to HDLC banks and our
clients from threats and risks that could arise from unconfirmed or poorly maintained computing
devices. This design also allows us to ensure that no actions are taken by computing devices or users
on the bank network that could adversely affect our performance on the bank network. We need to
provide our customers with a stable network, with financial and administrative needs and services.
An unsecured computing device on the network may enable denial of service attacks, viruses and
other components to access the bank network thus affecting other computing devices, as well as the
integrity of the network. Damage from such exploits may include loss of sensitive and confidential
data from banks, loss of credibility on the market, disruption of the network and damage to vital
internal HDLC banking systems. All persons connecting computing devices to the HDLC network
must therefore obey certain guidelines and take appropriate measures as specified by this policy. This
policy for network connections extends to all bank or customer employees and visitors who have any
computer linked to the HDLC banking network. The regulation also extends to users who have
computing devices that access the campus network and services remotely outside of the bank
network. The policy extends to all computer devices operated by banks and operated by themselves
that link to the banking network

Users can connect devices to the network of banks at appropriate points of connection. There will be
no improvements or enhancements to the banking network, as this can cause unintended
consequences, including lack of connectivity. Extension and alteration of the banking network can
only be performed by Bank IT department or guidance. Network users in our bank would need to
register a computer before logging in. We may also make it as to enable software agent to be enabled
on their computer before it is permitted on our network. Doing this role should ensure that the
networked system follows current standards. We must ensure that all linked users computing devices
follow all applicable safety requirements and maintain the protection of the equipment and services
running on them. Some department would delegate the information security and maintenance
responsibility to committed departmental staff. We must ensure all machines in our network have
installed and run properly licensed anti-virus software. As directed by the IT department of the bank
we will install the latest security patches on the system and where computers cannot be patched we
will take further steps to protect our network computers and other devices properly. We also ensure
all of our network users have password, pin code access allowed on their devices. For example, the
computer of employees who frequently handle sensitive information from the bank and customers
will be encrypted so criminals cannot access this information.
Our bank's IT department will be responsible for providing reliable network services across the
entire banking network. Secure and fast internet connectivity is required for the 24-hour connectivity
of bank ATM machines and for other data sharing and receiving. For example, we can use two
internet access service providers in our bank so that if one of them fails another one will provide us
with internet access on a daily basis and banking activities do not stop. The IT department will use
various methods to secure the HDLC banking network including external intrusion control, network
inspection of hosts, blocking harmful traffic etc. In this way we are going to design and implement
network connection policy in our bank.
Password Policy
“A password policy is a set of rules which were created to improve computer security by motivating
users to create dependable, secure passwords and then store and utilize them properly. Normally, a
password policy is a part of the official regulations of organization and might be employed as a
section of the security awareness training. A password policy is a set of rules designed to enhance

computer security by encouraging users to employ strong passwords and use them properly. A
password policy is often part of an organization's official regulations and may be taught as part of
security awareness training. ” (Martin, 2014)
Customer accounts and all the computations within the network require strong passwords to secure
them. Through handling passwords carefully, account holders and administrators can maintain the
protection of those passwords.
Our bank's employees must have access to numerous IT tools, including computers and other
hardware equipment, data storage systems, and other accounts. Passwords are a vital part of ourIT
strategy to ensure that all services and data can only be accessed by the approved person. All
employees who have access to all of these services are responsible for choosing strong passwords
and protecting their login details from unauthorized persons. The main aim of this policy is to ensure
that all bank services and data are properly secured by passwords. This policy would include all
employees of the bank who are responsible for one or more accounts or who have access to any
resources.
In developing a written password policy for our bank, it is necessary to reflect on the password's
entire life cycle, including how passwords are picked, how frequently they are updated, and what we
can do to prevent passwords from being stolen by external hackers and malicious insiders. This point
is especially important for our bank to bear in mind when designing password policies because it is
more likely that data breaches begin with a phishing attack or an insider threat than with a brute-
force password cracking attempt. For e.g. after some number of failed log-in attempts, we will
encrypt all passwords that are stored on the bank's network and will enforce compulsory lockouts.
We will use various applications, such as Identity Service Engine, RADIUS and TACOS Server for
the best implementation of password policy in our bank.
Managing Domain Password Policy in the Active Directory
By default the group policy settings (GPO) are used to set specific criteria for a user password in the
AD domain. In the Default Domain Policy, the password policy for the domain user accounts is set.
 To configure the AD account password policy, open the Group Policy Management
console (gpmc.msc);

 Expand your domain and find the GPO named Default Domain Policy. Right-click it
and select Edit;
 Password policies are located in the following GPO section: Computer configuration-
> Windows Settings->Security Settings -> Account Policies -> Password Policy;
 Double-click a policy setting to edit it. To enable a specific policy setting, check the
Define this policy setting and specify the necessary value (on the screenshot below, I have set
the minimum password length to 8 characters). Save the changes.
 The new password policy settings will be applied to all domain computers in the
background in some time (90 minutes), during computer boot, or you can apply the policy
immediately by running the “gpupdate/force” command.
Password Construction
 Minimum Password Length
Passwords must have at least 8 characters with a mixture of alphanumeric and special characters; if a
specific system does not accept 8 character passwords, the maximum number of characters allowed
by that program will be used.
 Password Composition
Passwords shall not consist of well-known or publicly posted identification information. Like
Names, usernames.

Password Management
 Password Storage
Passwords must be memorized and never written or registered along with the appropriate account
information or usernames.
Unencrypted computer programs such as email, do not recall passwords. Use of an encrypted
application for password storage is appropriate, but strict care must be taken to secure access to that
application.
 Password History
Users will be prohibited from re-using the last 5 previously used passwords.
 Password Reuse
Care shall be taken to prevent compromising the protection of multiple systems or resources with
one username / password. You will never use the username andpassword(s) used for your UGA
accounts for any other non-UGA accounts and services.
 Password Sharing and Transfer
Passwords shall not be transferred or shared with others unless the user obtains appropriate
authorization to do so.
Where passwords need to be disseminated in writing, appropriate steps must be taken to protect the
password against unauthorized access. For example, one must delete the written record after
memorizing the password.
Information Protection Policy
“Information security policy is a set of policies issued by an organization to ensure that all
information technology users within the domain of the organization or its networks comply with
rules and guidelines related to the security of the information stored digitally at any point in the
network or within the organization's boundaries of authority.” (Techopedia, 2019)
Every organization must protect its data and also monitor how it can be distributed within and
without the boundaries of the organizations. This may mean that information may need to be
encrypted, approved through a third party or entity and may have limitations on its dissemination in
relation to a classification scheme laid down in the information security policy

The Information Security Policy offers an comprehensive collection of protections that must be
implemented uniformly across HDLC Bank to ensure a stable operating environment for its business
operations. HDLC Bank's valuable assets are customer information, organizational information,
supporting IT systems, processes and people that produce, store, and retrieve information. Data
quality, honesty and confidentiality are important if we are to develop and sustain our competitive
advantage, cash flow, competitiveness, legal enforcement and valued company identity.
This Information Security Policy addresses the information security requirements of:
i. Confidentiality: Protecting sensitive information from disclosure to

unauthorized individuals or systems.
ii. ii. Integrity: Safeguarding the accuracy, completeness, and timeliness of
information.
iii. iii. Availability: Ensuring that information and vital services are accessible
to authorized users when required.
Other principles and security requirements such as Authenticity, Non-repudiation, Identification,

Authorization, Accountability and audit ability is also addressed in this policy.
Physical security policy
“Physical security is often a second thought when it comes to information security. Since physical
security has technical and administrative elements, it is often overlooked because most organizations
focus on “technology-oriented security countermeasures To prevent hacking attacks.” (Harris, 2019)
Hacking into network infrastructure is not the only way to steal or use confidential information
against an organization. To keep criminals from obtaining physical access and taking what they want,
physical protection needs to be implemented correctly. If that were to happen, all of the firewalls,
encryption and other security measures would be useless. The complexities of enforcing physical
protection are now much more challenging than in decades past. Laptops, USB drives, laptops, flash
Organizations have the challenging task of trying to protect data, equipment, staff, services, systems
and properties from corporations. The business may face civil or criminal liability for negligence for
failure to use proper security checks. Physical safety is aimed at safeguarding staff, documents,
equipment, IT services, facilities and all other properties of the organization.

To order to protect physical data systems and information resources adequately from physical
damage or unauthorized access and release, adequate safeguards must be in place with regard to
access control, environment and security. Such tools include non-computer based knowledge
properties. Both staff, suppliers, contractors and partners are responsible for maintaining sufficient
and appropriate physical protection for the information infrastructure and computer systems. Access
to the office must be logged either electronically or on log sheets. The person who gets access must
be required to log in, and the requirement for logging in must not be voluntary. Where authentication
devices or data storage facilities exist, access logs must be held to records.
In HDLC Bank following measures have been compulsory

Removal or addition of computer equipment belonging to the company must be logged and
accounted for within the office.

All those who have access to where organizational computer systems are must pass a security
background check or be escorted by a staff member who has passed a security background
check.

In rooms with proper physical access controls, computer equipment that allows access to
systems without password controls such as account login must be secured. These checks must
include compulsory recording of access and proper room construction to prevent unwanted
break-ins.

Office premises must be secured in the absence of an authorized employee, with all physical
locks on entryway doors engaged.
The Physical Security Policy has been applied HDLC Bank computer systems and information,
including printed copies of information which may be sensitive.
Conclusion
Security policies form the basis of a strong security program. With specified security policies,
individuals should understand who can be mitigated, when, and why about the security system of
their company, and the organizational danger. In this mission, I discussed the various security
policies, such as ACL, Remote Access Policy, Physical Security Policy, etc., and how they help
protect the network, as well as developing and implementing security policies for HDLC Bank.

P8
List the main components of an organizational disaster recovery plan, justifying the reasons
for inclusion.
introduction
With the increasing reliance on information technology (IT) and the business process to help
business growth and improvements associated with their complexities, the complexities of evolving
technology are exacerbated. It is very important to restore critical business operations quickly and
effectively in the event of an unscheduled interruption. The disaster recovery plan is very important
for each and every organization to this end. I will go through the organizational disaster recovery
plan and discuss the key components in this role.
Disaster Recovery Plan
“A disaster recovery plan (DRP) is a documented, structured approach that describes how an
organization can quickly resume work after an unplanned incident. A DRP is an essential part of a
business continuity plan. It is applied to the aspects of an organization that depend on a functioning
IT infrastructure. A DRP aims to help an organization resolve data loss and recover system
functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal
level.” (TechTarget, 2019)
A Disaster Recovery Plan (DRP) is a business strategy outlining how to efficiently and effectively
restart work following a disaster. Disaster recovery planning forms only part of business continuity
planning and extends to areas of an enterprise that depend on an IT infrastructure to operate.
The overall idea is to develop a plan that will allow the IT department to recover enough data and system
functionality to allow a business or organization to operate - even possibly at a minimal level.
Types of disaster recovery plans
DRPs can be specifically tailored for a given environment. Some environment-specific plans include:
Virtualized disaster recovery plan
Virtualisation offers incentives for more effective and easier delivery of disaster recovery. A
virtualized system will spin up new virtual machine instances in a matter of minutes, and provide
high availability for device recovery. Testing can also be easier to carry out, but the program must

provide the ability to verify the applications can run in a disaster recovery mode and return to normal
operations within the RPO and RTO.
Network disaster recovery plan
Developing a network recovery plan is becoming more difficult as the network size increases. It's
necessary to detail the recovery process step-by-step, check it properly and keep it updated. The data
in this plan will be Network-specific, such as its efficiency and networking staff.
For our system's network recovery we must save the configuration files for the network. If our
network is down somewhere and we can't trouble shooting it then we can use the preceding secure
configuration files. We will also use redundancy policy and enforce several vendor policies which
will assist us in this process. We would also be using two service providers in our bank for our
internet connectivity so that if one of the crashes then another one will provide the continuous service
to us. When we buy the server for our bank, there will be an uptime of 99.99 percent, which means
that there is a risk that the server will be shut down for 54 hours in one year, and we will look at its
uptime, consistency and fluctuation when restoring so that it does not cause any more problems.
Cloud disaster recovery plan
Cloud disaster recovery plan (web DR) will range from web file backups to full replication. Cloud
DR can be space, time and cost-effective but careful management is needed to sustain the disaster
recovery plan. The manager needs to know where the physical and virtual devices are located. The
strategy must tackle stability, which is a common cloud problem that can be alleviated by testing.
When we use cloud storage in our enterprise then we will be using local cloud storage hosting
service. Cloud storage provides companies with flexibility and security benefits; good data backup
safety, archival and disaster recovery purposes; and lower total storage costs by not needing to buy
costly hardware; Cloud storage has our bank's security capacity and regulatory issues that aren't
connected to other storage systems. We can access the file stored in the cloud from anywhere at any
time as long as we have access to the internet and it also provides us with off-site data backups that.
the costs associated with organizational disaster recovery.

Data center disaster recovery plan
This form of strategy is tailored specifically to the facility and infrastructure of the data center. An
operational risk evaluation is a core component of the DRPs data center. It analyzes key components,
such as location of buildings, power systems, defense, security, and office space. The strategy will
tackle a wide variety of potential scenarios.
As for our bank, we have our own data center at HDLC bank and we also have third party storage
provider where we have kept our data secure. So we have third-party backup which is cloud service
in the event of a failure in the data center. We should get back up from there
Business Continuance plan
“A business continuance plan (BCP) is a document that outlines how a business will continue
operating during an unplanned disruption in service. It’s more comprehensive than a disaster
recovery plan and contains contingencies for business processes, assets, human resources and
business partners – every aspect of the business that might be affected. Plans typically contain a
checklist that includes supplies and equipment, data backups and backup site locations. Plans can
also identify plan administrators and include contact information for emergency responders, key
personnel and backup site providers. Plans may provide detailed strategies on how business
operations can be maintained for both short-term and long-term outages.” (IBM, 2019)
Business Continuity Planning (BCP) is the mechanism and technique by which a company plans for
events beyond regular operations and handles them. BCP is part of an organization’s overall risk
management strategy. This helps a company to identify and then reduce risks that otherwise would
impair the ability of an entity to sustain stable, routine operations. BCP includes identifying any and
all risks that can impact the activities of the organization, making it an integral part of the risk
management policy of the organization. Risks may involve fire, flood, or weather-related incidents
and attacks from natural disasters. The strategy will also include, once the threats are established:
 Determining how those risks will affect operations

 Implementing safeguards and procedures to mitigate the risks
 Testing procedures to ensure they work
 Reviewing the process to make sure that it is up to date

The BCP process consists of the following steps:
Diagram: BCP Lifecycle

Initiation: Planning and preparation of Business Continuity Process and activities

Requirements: Gathering and understanding the needs of the organization in relationship to
BCP. Includes conducting Business Impact Analysis and Risk Analysis

Implementation: Activation of Business Continuity Plans

Operations: Ongoing testing, preparedness, and maintenance of BCP plans and facilities
HDLC Bank Business Continuity Program
For any business organization effective business continuity measures are important. HDLC Bank is
committed to protecting its staff and ensuring the sustainability of essential businesses and operations
with a view to preserving the franchise, reducing risk, safeguarding revenue and maintaining both a
healthy financial environment and consumer trust. Sustaining these objectives includes the creation,
implementation, testing and maintenance of an efficient global business continuity and disaster
recovery program.

In order to continue our involvement in the event of a major business interruption and to satisfy all
regulatory requirements, Deutsche Bank's infrastructure involves a Business Continuity Management
("BCM") department that is an integral part of regular business operations of HDLC Bank. BCM plans,
checks and handles the company emergencies and the relocation and recovery functions.
Some of the key areas that our HDLC Bank BCM ensures are as follows:

Data back-up and recovery (hard copy and electronic)
Place of primary books and records (hard and electronic) and place of back-up books and records
(hard and electronic). Therefore, businesses must be prepared to explain how they store data and how
they can retrieve data in the event of a significant business disruption.
 All mission critical systems
Systems that are required, depending on the nature of a member's business, to ensure timely and
correct processing of securities transactions including, but not limited to, order receipt, order entry,
execution, comparison, allocation, clearance and settlement of securities transactions, customer
account management, access to customer accounts and the supply of funds and securities.
 Providing customers prompt access to their funds and securities
Measures a corporation should use to make customer funds and assets available to consumers in the
event of a major interruption to business.
Conclusion
I addressed disaster recovery plan in the aforementioned mission. I also outlined the consequences of
the Business Continuity Plan for all activities needed to maintain a company going during times of
disruption or interruption of regular operations. I have identified the key elements of an
organizational disaster recovery plan as well as the reasons for inclusion.

References
Anon., 2006. citwiki.oberlin.edu. [Online]

Available at: http://citwiki.oberlin.edu
[Accessed 03 2018].
Anon., 2018. Tech-Faq. [Online]

Available at: http://www.tech-faq.com/print-server.html
[Accessed 03 2018].
Anon., 2018. Technopedia. [Online]

Available at: https://searchsoftwarequality.techtarget.com/definition/access-control-list
[Accessed 01 Jan 2018].
Anon., 2018. Techopedia. [Online]

Available at: https://www.techopedia.com/definition/8465/multilayer-switch
[Accessed 03 2018].

Available at: https://www.techopedia.com/definition/12826/host-based-intrusion-detection-system-
hids
[Accessed 03 2018].
Anon., 2018. techtarget. [Online]

Available at: https://whatis.techtarget.com/definition/server
[Accessed 03 2018].
Anon., 2018. webopedia. [Online]

Available at: https://www.webopedia.com/quick_ref/topologies.asp
[Accessed 03 2018].
Anon., 2019. Creately. [Online]

Available at: creately.com/blog/diagrams/organizational-chart-best-
practices/?utm_source=pinterest&utm_medium=social&utm_campaign=pindiausage
Anon., 2019. data protection. [Online]

Available at: https://www.linkedin.com/pulse/data-protection-7-internal-processes-keep-your-sofia-
gunnarsson

[Accessed 8 Feb 2019].
Anon., 2019. IBM. [Online]

Available at: https://www.ibm.com/services/business-continuity/plan

Available at: techopedia.com/definition/29406/data-protection

Available at: https://www.techopedia.com/definition/24838/information-security-policy
Anon., 2019. techtarget. [Online]

Available at: https://searchnetworking.techtarget.com/Network-change-and-configuration-
management-primer
[Accessed 04 September 2018].
Anon., 2019. TechTarget. [Online]

Available at: https://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
Anon., 2019. TechTerms. [Online]

Available at: https://techterms.com/definition/dmz
Anon., 2019. Webopedia. [Online]

Available at: https://www.webopedia.com/TERM/S/security_policy.html
Anon., 2019. Whatismyipaddress. [Online]

Available at: https://whatismyipaddress.com/nat
Dunham, R., 2018. Linford&co llp. [Online]

Available at: https://linfordco.com/blog/security-procedures/
[Accessed 14 03 2018].
EzTalks, 2018. EzTalks. [Online]

Available at: https://www.eztalks.com/cloud/types-of-cloud-services.html
[Accessed 03 2018].
Harris, 2019. s.l.: s.n.
Hartman, D., 2019. Techwalla. [Online]

Available at: https://www.techwalla.com/articles/the-advantages-disadvantages-to-a-static-ip-address

[Accessed 7 Feb 2019].
Martin, F., 2014. digicert. [Online]

Available at: https://www.digicert.com/blog/creating-password-policy-best-practices/
opennetworking, 2018. onf. [Online]

Available at: https://www.opennetworking.org/sdn-definition/
[Accessed 05 2018].
Sadhukha, R., 2018. www.slideshare.net. [Online]

Available at: http://www.slideshare.net
skfdjskdfjs, n.d. sdfsdf. [Online]

[Accessed 2014].
technopedia, 2018. technopedia. [Online]

Available at: https://www.techopedia.com/definition/5140/workstation-ws
[Accessed 05 2018].
Walters, L., 2014. smartsheet. [Online]

Available at: https://www.smartsheet.com/effective-remote-access-policy
Webopedia, 2018. webopedia. [Online]

Available at: https://www.webopedia.com/TERM/C/cloud_computing.html
[Accessed 03 2018].
Webopedia, 2018. Webopedia. [Online]

Available at: https://www.webopedia.com/TERM/H/hub.html
[Accessed 03 2018].
World, N., 2018. Network World. [Online]

Available at: https://www.networkworld.com/article/3234795/virtualization/what-is-virtualization-
definition-virtual-machine-hypervisor.html
[Accessed 03 2018].

xgxdfd, n.d. xxfdxd. [Online]

[Accessed 2010].

Network Security

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Network Security

Uploaded by

Copyright:

Available Formats

Managing Security for HDLC Bank 2019

Types of security risks:.................................................................................................................. 5

Organizational Security Procedure................................................................................................8

Risk Assessment Methodology....................................................................................................10

Risk Treatment Methodology......................................................................................................11

Risk Assessment in ISO 31000....................................................................................................28

Network Change Management.................................................................................................... 33

Data Protection Processes and Regulation in Nepal....................................................................33

Data protection processes and regulations as applicable to the organization.............................. 33

Organizational Structure of HDLC Bank.................................................................................... 38

Access Control Policy..................................................................................................................39

ADDS (Active Directory Domain Services)................................................................................40

Access control list (ACL)............................................................................................................ 47

Remote access policy...................................................................................................................48

Virtual Private Networks............................................................................................................. 48

Network Connection Policy.........................................................................................................59

Information Protection Policy......................................................................................................63

Physical security policy............................................................................................................... 64

Disaster Recovery Plan................................................................................................................66

Business Continuance plan..........................................................................................................68

HDLC Bank Business Continuity Program................................................................................. 69

Anwesh Hada (HND / Second Semester) 2

Anwesh Hada (HND / Second Semester) 3

Identify types of security risks to organizations.

Anwesh Hada (HND / Second Semester) 4

Some risks in the departments in the banks are as follows

Types of security risks:

Anwesh Hada (HND / Second Semester) 5

There are some environmental threats which are as following:

Anwesh Hada (HND / Second Semester) 6

 Sniffing and eavesdropping

Anwesh Hada (HND / Second Semester) 7

 DNS and ARP poisoning

 Firewall and IDS attack

Organizational Security Procedure

 Developing local policy, process and guidance

Policy can be described as a course of action or theory embraced or suggested by an organization or

Anwesh Hada (HND / Second Semester) 8

 Designing network and user authentication strategy

 Identifying network, host, vulnerabilities and threats

 Identifying problems and resource requirement

 Creating plan for identified resource requirement

 Performing certification and accreditation

Anwesh Hada (HND / Second Semester) 9

 Providing information assurance training

Risk Assessment Methodology

Anwesh Hada (HND / Second Semester) 10

 Records the Findings

 Reviewing and the updating the Risks Assessment

Risk Treatment Methodology

Anwesh Hada (HND / Second Semester) 11

Anwesh Hada (HND / Second Semester) 12

Anwesh Hada (HND / Second Semester) 13

Firewalls strengths / capabilities

 They are excellent at enforcing corporate security policies

Firewalls weakness / limitations

 Firewalls cannot protect against what has been authorized

Anwesh Hada (HND / Second Semester) 14

Virtual Private Network (VPN)

Diagram: Use of VPN

Anwesh Hada (HND / Second Semester) 15

Virtual Private Network (VPN) is basically of 2 types: