
RISK ASSESSMENT OF IT SECURITY

POSSIBLE SOLUTIONS AND MECHANISMS TO CONTROL IT SECURITY RISK

Unit 8: Security

2022
HND DIGITAL TECHNOLOGIES GBS
Student:
Tutor: David Oyebisi
Jan 2022 Cohort – Group A1 or B1

Word Count: 3176


Table of Contents
Introduction........................................................................................................................................4
LO1 Assessment of IT Security Risks.........................................................................................5
1. Different Types of security, threats, and Vulnerabilities.............................................5
1.1 Security vulnerability...................................................................................................5
1.2 Security Threat..............................................................................................................5
1.3 Security Risk..................................................................................................................5
2. Security Procedures for business continuity................................................................5
3. IT security risks assessment and treatment..................................................................6
3.1 Risks assessment.........................................................................................................6
3.2 Risks treatment.............................................................................................................6
LO2 - IT security solutions.............................................................................................................7
1. Configuration of Firewall policies and third-party VPNs.............................................7
1.1 Configuration of Firewall policies.............................................................................7
1.2 Configuration of third-party VPNs............................................................................7
2. Implementation of network security DMZ, Static IP and NAT....................................7
2.1 Explanation of DMZ implementation........................................................................7
2.2 Configuration static IP and NAT................................................................................8
3. Implementation of a network monitoring system.........................................................8
4. Security measures to ensure the integrity of the JIN Investments Ltd system.....8
4.1 Three physical security measures............................................................................8
4.2 Three virtual security measures................................................................................9
LO3 Review mechanisms to control organisational IT security...........................................9
Introduction:..................................................................................................................................9
Access Control Mechanisms:....................................................................................................9
Security Policies:..........................................................................................................................9
Incident Response Plan:...........................................................................................................10
Security Auditing:.......................................................................................................................10
Employee Training:....................................................................................................................10
LO4 Manage organisational security.........................................................................................10
Conclusion.......................................................................................................................................12
References.......................................................................................................................................13
Appendices......................................................................................................................................13
LO3 and LO4....................................................................................................................................13

pg. 1
STUDENT NAME AND ID NUMBER
Qualification Pearson BTEC Level 4 Higher National Certificate in Digital Technologies (General)

Academic Year 2021-2022

Unit Number & Name Unit 8: Security

Unit Leader David Oyebisi


Unit Lecturer David Oyebisi

Assignment Title Risk assessment of IT security, possible solutions and mechanisms to control IT security risk
Type of Assignment Report and Security Awareness Handbook
Weighting 100%
Issue Date Week Commencing 27/06/2022

Report Submission Date 24/07/2022 (24th July at 23.59 using submission link on Moodle).

Summative Submission Date (Report and Handbook) 25/09/2022 (25th September at 23:59 using Summative submission link on Moodle).
Assessor David Oyebisi

IV name Kayode Adenuga

Student Declaration

This is to confirm that this submission is my own work, produced without any external help except for acceptable support from my lecturer. It has not been copied from any other person’s work (published or unpublished) and has not previously been submitted for assessment either at GBS or elsewhere. I confirm that I have read and understood the ‘GBS Academic Good Practice and Academic Misconduct: Policy and Procedure’ available on Moodle.

I confirm I have read and understood the above Student Declaration.

Student Name (print)

Signature

Date

Introduction
This report aims to provide an in-depth understanding of IT security risks, possible
solutions, and mechanisms to control IT security risk. The report is divided into two
main parts. The first part, LO1, will discuss the different types of security threats,
vulnerabilities, and procedures that an organization can implement to ensure
business continuity. It will also examine IT security risks assessment and treatment.
The second part, LO2, will focus on IT security solutions, such as the configuration of
Firewall policies and third-party VPNs, implementation of network security DMZ,
static IP, and NAT. This report is essential for IT professionals who want to secure
their IT systems from potential cyber-attacks.

LO1 Assessment of IT Security Risks

1. Different Types of security, threats, and Vulnerabilities

1.1 Security vulnerability


IT vulnerability refers to a weakness in a system that can be exploited by
cybercriminals to gain unauthorized access to the computer system. It could be a
flaw in the software or hardware that attackers can take advantage of to perform
malicious activities. Examples of security vulnerabilities are outdated software, weak
passwords, and unsecured network configurations.

1.2 Security Threat


A security threat is any event, actor, or circumstance that can harm computer systems;
that is, any activity that can compromise the confidentiality, integrity, or availability
of an organization's IT resources. Threats can take the form of social engineering
attacks, malware, phishing, or hacking. Examples of security threats are Distributed
Denial of Service (DDoS) attacks, phishing scams, and SQL injection attacks.

1.3 Security Risk


A security risk is the possibility of damage or loss when a threat exploits a
vulnerability: the likelihood of a threat agent exploiting a vulnerability combined with
the resulting impact. Risks therefore cannot be understood apart from the
vulnerabilities and threats that produce them. An organization needs to identify,
analyse and prioritize its risks in order to develop a comprehensive risk management plan.

2. Security Procedures for business continuity


Organizations should implement security procedures to ensure business continuity in
the event of security breaches. Here are some security measures and procedures
that an organization can implement to ensure business continuity:
• Disaster recovery plan (DRP): A DRP is a set of procedures that an
organization follows in case of a disaster or security breach. It outlines the
steps to recover the IT infrastructure, systems, and data to ensure that the
organization can continue its operations.
• Regular backups: Backing up data is essential to ensure that the organization
can restore the data in case of a security breach or disaster. The backups
should be stored in a secure location to prevent unauthorized access.
• Business continuity plan (BCP): A BCP is a plan that outlines how an
organization will continue its operations during a security breach or disaster. It
includes procedures for communication, backup and recovery, and crisis
management.

3. IT security risks assessment and treatment

3.1 Risks assessment


IT security risk assessment is the process of identifying, analyzing, and evaluating
the risks to an organization's IT infrastructure, systems, and data. Here are some
ways to assess IT security risks:
• Identify assets: Identify the critical assets of the organization, such as data,
applications, and hardware.
• Identify vulnerabilities: Identify the vulnerabilities that could be exploited to
compromise the assets.
• Identify threats: Identify the potential threats that could exploit the
vulnerabilities.
• Evaluate risks: Evaluate the likelihood and impact of the identified risks.

3.2 Risks treatment


IT security risk treatment is the process of developing and implementing measures
to manage and mitigate the identified risks. Here are some ways to treat IT security
risks:
1. Risk avoidance: This involves avoiding activities or technologies that pose
significant security risks. For example, an organization may avoid using
certain third-party software or cloud services due to their poor security track
record.
2. Risk acceptance: Sometimes, it may not be possible or feasible to completely
eliminate a security risk. In such cases, the organization may choose to
accept the risk and continue with its activities while implementing controls to
mitigate the risk.
3. Risk reduction: This involves implementing controls or countermeasures to
reduce the likelihood or impact of a security incident. This could include
implementing firewalls, intrusion detection systems, encryption, or other
security technologies.
4. Risk transfer: This involves transferring the risk to another party, such as an
insurance company or a third-party vendor. This is commonly done through
cyber insurance policies or by outsourcing certain IT functions to vendors with
stronger security capabilities.
5. Risk mitigation: This involves taking steps to reduce the impact of a security
incident after it has occurred. This could include implementing disaster
recovery or business continuity plans, conducting incident response
exercises, or improving incident reporting and communication processes.
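The assessment steps in 3.1 and the five treatment options in 3.2 can be carried through in a small risk register. The following Python is an added example, not part of the report; the 1-to-5 rating scales, the risk-appetite threshold and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass, field

TREATMENTS = ("avoid", "accept", "reduce", "transfer", "mitigate")
RISK_APPETITE = 6   # assumed threshold: a residual score above this needs further treatment


@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: list = field(default_factory=list)
    residual_likelihood: int = None
    residual_impact: int = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact are rated 1-5")
        # Until a treatment is applied the residual rating equals the inherent one.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        if self.residual_impact is None:
            self.residual_impact = self.impact

    def inherent_score(self):
        return self.likelihood * self.impact

    def residual_score(self):
        return self.residual_likelihood * self.residual_impact


def treat(risk, treatment, controls=(), likelihood=None, impact=None):
    """Apply one of the report's five treatments and record the residual rating.
    avoid: the risky activity stops, so likelihood becomes 0.
    accept: ratings are unchanged, but the decision is recorded.
    reduce / transfer / mitigate: controls lower likelihood and/or impact; the new
    ratings are supplied by the assessor and may not exceed the current ones."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    risk.treatment = treatment
    risk.controls = list(controls)
    if treatment == "avoid":
        risk.residual_likelihood = 0
    elif treatment != "accept":
        if not controls:
            raise ValueError(f"{treatment} requires at least one control")
        new_l = risk.likelihood if likelihood is None else likelihood
        new_i = risk.impact if impact is None else impact
        if new_l > risk.likelihood or new_i > risk.impact:
            raise ValueError("a treatment cannot raise likelihood or impact")
        risk.residual_likelihood, risk.residual_impact = new_l, new_i
    return risk


def prioritise(register):
    """Highest inherent risk first, which is the output of the 'evaluate risks' step."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def above_appetite(register, appetite=RISK_APPETITE):
    """Risks whose residual score still exceeds the organisation's appetite."""
    return [r for r in register if r.residual_score() > appetite]


# Constructed register for a small finance firm (illustrative values only).
REGISTER = [
    Risk("customer database", "unpatched DBMS", "SQL injection", 4, 5),
    Risk("staff laptops", "weak passwords", "phishing", 4, 3),
    Risk("public web server", "single internet link", "DDoS", 3, 4),
    Risk("legacy FTP server", "cleartext protocol", "credential sniffing", 3, 3),
]
treat(REGISTER[0], "reduce", ["patch schedule", "parameterised queries", "WAF"], likelihood=2)
treat(REGISTER[1], "reduce", ["MFA", "password manager"], likelihood=1)
treat(REGISTER[2], "transfer", ["DDoS scrubbing service contract"], impact=2)
treat(REGISTER[3], "avoid", ["decommission FTP, move to SFTP"])
```

Running `above_appetite(REGISTER)` shows that after treatment only the database risk (residual 2 × 5 = 10) still sits above the assumed appetite and needs a further decision.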

LO2 - IT security solutions

1. Configuration of Firewall policies and third-party VPNs

1.1 Configuration of Firewall policies


Firewalls are a crucial part of network security and can be configured to
prevent unauthorized access to networks and applications. To implement
firewall policies, it is essential first to identify what needs to be protected and
then to create a set of rules that specify how access to that protected
resource is controlled. Firewall policies can block or allow traffic based on IP
addresses, protocols, ports, or applications. The benefits of correctly
configured firewall policies are enhanced network security, a reduced risk of
data breaches, and improved regulatory compliance.

1.2 Configuration of third-party VPNs

Virtual Private Networks (VPNs) allow remote workers to securely access
company resources from anywhere in the world. Third-party VPNs are
managed by an external provider and can offer improved security, scalability,
and ease of use. Implementing third-party VPNs involves configuring the VPN
client software on remote devices, establishing secure connections to the
VPN gateway, and verifying the user's identity. If the VPNs are not correctly
configured, it can lead to security vulnerabilities and increase the risk of
unauthorized access to sensitive company resources.
2. Implementation of network security DMZ, Static IP and NAT

2.1 Explanation of DMZ implementation


A Demilitarized Zone (DMZ) is a separate network segment that sits between an
organization's internal network and the public Internet. DMZs are used to host
public-facing applications, such as web servers, while keeping them isolated from
the internal network, so that a compromised public-facing host cannot reach internal
systems directly. DMZs can be implemented using a combination of firewalls,
routers, and switches. By implementing a DMZ, the finance department can ensure
that its servers and applications are protected from external threats while still
providing access to the public.
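The rule-based policy described in 1.1 and the DMZ isolation in 2.1 can be shown together as a first-match rule set with an implicit default deny. The following Python is an added example, not from the report; the DMZ, internal and database address ranges are constructed placeholders (documentation and private ranges), and the shadowed-rule check is an assumption about how a practitioner would audit rule ordering.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address ranges for the example (documentation/private ranges, not real hosts).
ANY      = ipaddress.ip_network("0.0.0.0/0")
DMZ      = ipaddress.ip_network("192.0.2.0/24")      # public-facing web tier
INTERNAL = ipaddress.ip_network("10.10.0.0/16")      # finance / office LAN
DB       = ipaddress.ip_network("10.10.5.10/32")     # the one internal host the web tier needs


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp", "icmp" or "any"
    dports: frozenset = frozenset()  # empty set = any destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


def evaluate(policy, src, dst, proto, dport=0):
    """Return 'allow' or 'deny' for one flow: the first matching rule wins,
    and a flow that matches nothing is denied (implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


# Rules ordered from most specific to most general.
POLICY = [
    Rule("allow", ANY,      DMZ,      "tcp", frozenset({80, 443})),  # public web only
    Rule("allow", DMZ,      DB,       "tcp", frozenset({5432})),     # web tier -> DB only
    Rule("deny",  DMZ,      INTERNAL, "any"),                        # nothing else from DMZ inward
    Rule("allow", INTERNAL, DMZ,      "tcp", frozenset({22, 443})),  # admin access to DMZ
    Rule("allow", INTERNAL, ANY,      "tcp", frozenset({80, 443})),  # staff web browsing
    Rule("allow", INTERNAL, ANY,      "udp", frozenset({53})),       # DNS
]

# The same rules with the DMZ->DB allow placed after the DMZ->INTERNAL deny:
# the broader deny now shadows it, so the database becomes unreachable.
MISORDERED = [POLICY[0], POLICY[2], POLICY[1]] + POLICY[3:]


def check_shadowed(policy):
    """Return indexes of rules that can never match because an earlier rule
    fully covers them (networks contained, protocol covered, ports a subset)."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and (not earlier.dports
                         or (later.dports and later.dports <= earlier.dports))):
                shadowed.append(i)
                break
    return shadowed
```

`check_shadowed(MISORDERED)` flags the displaced DB rule, which is the kind of ordering mistake a periodic policy review should catch.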
2.2 Configuration static IP and NAT
Network Address Translation (NAT) is a technique used to translate private IP
addresses to public IP addresses and vice versa. Static NAT maps one public IP
address permanently to one specific private IP address, ensuring that incoming traffic
to that public address is directed to the correct device. Configuring static NAT involves
defining the address mapping (the inside local address and the inside global address it
is translated to) and marking which router interface is the inside interface and which is
the outside interface. This can be done using router configuration commands.
Configuring static NAT can enhance network security because only devices with a
defined mapping are reachable through the public IP address.
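The static NAT mapping described above, as an added example that is not part of the report: a one-to-one translation table applied in both directions, with the equivalent Cisco IOS-style commands rendered from it. The interface names and addresses are constructed placeholders.

```python
import ipaddress


class StaticNat:
    """One-to-one static NAT: each inside local (private) address is permanently
    paired with one inside global (public) address, so translation works in both
    directions and unsolicited inbound traffic can reach the mapped host."""

    def __init__(self):
        self._to_global = {}   # inside local  -> inside global
        self._to_local = {}    # inside global -> inside local

    def add_mapping(self, inside_local, inside_global):
        local = ipaddress.ip_address(inside_local)
        glob = ipaddress.ip_address(inside_global)
        if not local.is_private:
            raise ValueError("inside local address must be a private address")
        if local in self._to_global or glob in self._to_local:
            raise ValueError("static NAT is one-to-one; address already mapped")
        self._to_global[local] = glob
        self._to_local[glob] = local

    def outbound(self, packet):
        """Inside -> outside: rewrite the source address. A host with no static
        mapping is not translated and the packet is dropped (returns None)."""
        src = ipaddress.ip_address(packet["src"])
        if src not in self._to_global:
            return None
        return {**packet, "src": str(self._to_global[src])}

    def inbound(self, packet):
        """Outside -> inside: rewrite the destination address. Traffic to a public
        address with no mapping has nowhere to go and is dropped (returns None)."""
        dst = ipaddress.ip_address(packet["dst"])
        if dst not in self._to_local:
            return None
        return {**packet, "dst": str(self._to_local[dst])}

    def render_ios(self, inside_if, outside_if):
        """Emit the equivalent Cisco IOS-style configuration lines:
        mark the inside and outside interfaces, then one static entry per mapping."""
        lines = [f"interface {inside_if}", " ip nat inside",
                 f"interface {outside_if}", " ip nat outside"]
        for local, glob in self._to_global.items():
            lines.append(f"ip nat inside source static {local} {glob}")
        return lines


# Constructed mapping: the finance web server 192.168.10.20 published as 203.0.113.20.
NAT = StaticNat()
NAT.add_mapping("192.168.10.20", "203.0.113.20")
```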
3. Implementation of a network monitoring system
A network monitoring system is a software application that monitors network traffic
and activity, looking for any abnormal behavior that could indicate a security breach
or other issues. Three essential benefits of implementing a network monitoring
system include:
• Detecting security threats: Network monitoring systems can detect and alert
the IT team of any suspicious activities or potential security threats, such as
unauthorized access, malware attacks, or data breaches.
• Improving network performance: Network monitoring systems can help
identify and troubleshoot network performance issues, such as bottlenecks,
congestion, or latency.
• Meeting regulatory compliance requirements: Many regulatory compliance
standards, such as HIPAA, PCI DSS, or GDPR, require organizations to
implement network monitoring systems to ensure data security and privacy.

4. Security measures to ensure the integrity of the JIN Investments Ltd system

4.1 Three physical security measures


Physical security measures can help protect the JIN Investments Ltd system from
physical threats such as theft, vandalism, or natural disasters. Three physical
security measures that can be employed to ensure the integrity of the system
include:
• Access control: Limiting access to the company's physical facilities by
implementing access control systems, such as biometric scanners, key cards,
or security guards.
• Surveillance: Installing video cameras and other monitoring devices to deter
unauthorized access or detect any suspicious activities.
• Backup power supply: Ensuring that the company's critical systems have
backup power supplies, such as generators or uninterruptible power supplies
(UPS).
4.2 Three virtual security measures
Integrity in information systems refers to the accuracy, completeness, and reliability
of data and information stored and processed within the system. The following are
three virtual security measures that can be employed to ensure the integrity of the
JIN Investments Ltd system:
1. Access Control: Access control mechanisms such as user authentication,
authorization, and access rights management can help ensure that only
authorized personnel have access to the system and its data. This can
prevent unauthorized changes or tampering with critical data that could
compromise the system's integrity.
2. Data Encryption: Data encryption can be used to protect sensitive data from
unauthorized access or manipulation. Encryption algorithms can ensure that
data is encrypted at rest and in transit, making it difficult for hackers to access
or modify the data.
3. Backup and Recovery: Regularly backing up critical data and implementing a
robust disaster recovery plan can help ensure the integrity of the JIN
Investments Ltd system. In the event of a security breach or data loss, having
a reliable backup and recovery plan can help minimize downtime and prevent
data loss.

LO3 Review mechanisms to control organisational IT security


Introduction:
In this section, we will discuss various mechanisms to control organizational IT
security. It is essential to implement these mechanisms to ensure the security and
integrity of the information system of an organization.
Access Control Mechanisms:
Access control mechanisms are used to control access to sensitive information
within an organization. It includes authentication, authorization, and accounting.
These mechanisms ensure that only authorized personnel have access to the
information system. Authentication is the process of verifying the identity of a user,
whereas authorization is the process of granting or denying access to resources
based on the user's identity. Accounting is the process of tracking the use of
resources.
Security Policies:
Security policies are written documents that describe the organization's security
requirements, procedures, and practices. They provide a framework for the
implementation of security controls and ensure that everyone in the organization
follows the same standards. Security policies should be reviewed periodically and
updated as necessary to reflect changes in the organization's needs or the threat
landscape.
Incident Response Plan:
An incident response plan is a documented set of procedures that an organization
follows in the event of a security incident. It includes identifying and containing the
incident, investigating the cause of the incident, and recovering from the incident.
The incident response plan should be tested and updated regularly to ensure its
effectiveness.
Security Auditing:
Security auditing involves reviewing and analyzing the security of an organization's
information system. It includes identifying vulnerabilities and weaknesses in the
system, determining the likelihood and impact of a security breach, and making
recommendations for improvements. Security auditing should be performed regularly
to ensure that the organization's security controls are effective.
Employee Training:
Employee training is essential to ensure that employees are aware of the
organization's security policies and procedures. Training should be provided on a
regular basis to ensure that employees are up-to-date on the latest security threats
and best practices. Training should also be provided to new employees to ensure
that they are aware of the organization's security requirements.
Conclusion:
The implementation of these mechanisms is essential to ensure the security and
integrity of an organization's information system. Access control mechanisms,
security policies, incident response plans, security auditing, and employee training
should be implemented and regularly reviewed to ensure their effectiveness. These
mechanisms should be integrated into the organization's overall security strategy to
provide a comprehensive approach to IT security.

LO4 Manage organisational security


LO4 focuses on managing organizational security, and it involves the identification,
assessment, and management of risks to ensure the confidentiality, integrity, and availability
of information. This includes the development and implementation of security policies,
procedures, and standards to address identified risks and threats.
Some of the key tasks involved in managing organizational security include:
1. Conducting risk assessments: This involves identifying potential threats to the
organization's IT infrastructure and assessing the likelihood and potential impact of
those threats. This information is then used to develop strategies for managing those
risks.
2. Developing security policies and procedures: Organizations must develop
comprehensive security policies and procedures that address potential risks and
threats. These policies and procedures should cover everything from access controls
to incident response.
3. Implementing security controls: Once security policies and procedures have been
developed, organizations must implement appropriate security controls to protect
their IT infrastructure. This can include firewalls, intrusion detection systems,
antivirus software, and encryption.
4. Conducting security awareness training: Organizations must provide regular security
awareness training to employees to ensure that they understand the risks and their
role in protecting the organization's IT infrastructure.
5. Monitoring and reporting security incidents: Organizations must have systems in
place to monitor for security incidents and report them to appropriate personnel. This
allows the organization to respond quickly to incidents and prevent further damage.
6. Conducting regular security audits: Regular security audits are necessary to identify
potential weaknesses in the organization's security posture and address them before
they can be exploited.
By effectively managing organizational security, organizations can minimize the risk of
cyber-attacks and data breaches and protect their sensitive information from unauthorized
access or disclosure.

Conclusion
In conclusion, IT security is a critical aspect of any organization that deals with
sensitive data, such as financial institutions. This report has explored various IT
security solutions that can be implemented to secure the JIN Investments Ltd
system. These solutions include configuring firewall policies, implementing DMZ,
static IP, and NAT, implementing a network monitoring system, and employing
physical and virtual security measures to ensure the integrity of the system.
Furthermore, the report has discussed the importance of reviewing mechanisms to
control organizational IT security and the significance of managing organizational
security. It is crucial to recognize the potential risks and vulnerabilities that the
system may face and take proactive steps to mitigate them. This can be achieved by
implementing a robust IT security policy, conducting regular risk assessments, and
providing ongoing training and awareness to employees.
Overall, by implementing the recommended IT security solutions and best practices,
JIN Investments Ltd can improve the security of their system, protect sensitive
information, and maintain the trust and confidence of their clients.


Appendices

LO3 and LO4

Security Awareness Handbook: mechanisms to control and manage organisational security

Security awareness is the process of educating and training employees on the
importance of security, the potential risks and threats, and the best practices to
follow to mitigate those risks. It helps to create a culture of security within the
organization and ensures that employees are equipped with the knowledge and skills
required to protect the organization's information assets.

Implementing a security awareness program involves developing policies and
procedures, conducting training sessions and workshops, and regularly
communicating with employees to reinforce the importance of security. The program
should be customized to the specific needs of the organization, taking into account
its size, industry, and risk profile.

Effective security awareness programs can help prevent security incidents and
breaches caused by human error or intentional actions, reduce the impact of security
incidents, and improve compliance with regulatory requirements. It is important to
regularly evaluate the effectiveness of the program and make necessary
adjustments to ensure that it continues to meet the organization's security needs.

In terms of mechanisms to control organizational security, there are several tools
and techniques that can be employed, such as access controls, encryption, intrusion
detection and prevention systems, vulnerability assessments and penetration testing,
and incident response plans. It is important to have a comprehensive security
strategy that incorporates a range of controls to mitigate risks and protect the
organization's assets.
