
Unit 05 – security Shahida Ismath - 520121

Student name & Student ID: Shahida Ismath - 520121
Lecturer name: Miss. Hiruni Pabasara Kasthuriarachchi
Issue date: 27th May 2023
Submission date: 1st July 2023
Submitted on: 1st July 2023
Assignment number and title: Assignment Unit 5 - security

Student Declaration

Assignment Brief

Student Name & Student ID: Shahida Ismath - 520121
Unit Number and Title: Assignment Unit 5 - security
Date Submitted: 1st July 2023
Student Signature: Shahida Ismath

To be completed by lecturer:
Are extenuating circumstances being claimed? YES / NO
If YES, give reference number:
Comments:
Grade / Mark (Indicative: may change when moderated)

Contents
Assignment Brief
Task 2
1. Procedures for Conducting Risk Assessments
Third-party VPNs and the Effects of Incorrect Firewall Policy Configuration
The Practical Application of the ISO 31000 Risk Management Methodology in IT Security
Possible Effects on Dowding Federation Security as a Result of an IT Security Audit
IT Security and Organizational Policy Alignment and the Security Consequences of Misalignment
Task 3
Information Security Governance
Justification of the DRP's Component Parts
Suitability of Tools Used in Organizational Policies

Task 2
1. Procedures for Conducting Risk Assessments

Conducting risk assessments entails a methodical process of locating, delving into, and assessing
possible threats to a business. The essential steps for conducting risk assessments are listed below.
• Identify Risks: This step entails locating potential risks by assessing both internal and external
elements, including operating procedures, infrastructure, technology, and outside threats.
Effective risk identification can benefit from stakeholder information gathering, interviewing,
and examining historical data.

• Assess Risks: Once a risk has been identified, it needs to be evaluated to ascertain its likelihood
and potential effects on the company. Analyzing a risk's likelihood of happening and the possible
gravity of its repercussions is the task at hand in this step. You can use a variety of methods,
including risk matrices, risk rating, and qualitative analysis.

• Assess and Prioritize Risks: Risks should be assessed for importance before being given a
ranking. Potential monetary loss, reputational harm, legal requirements, or an impact on
corporate goals are all possible evaluation considerations. Prioritization facilitates resource
distribution and prioritizes risk reduction activities.

• Create adequate Risk Mitigation Strategies: After hazards are categorized and given a priority,
adequate risk mitigation plans should be created. This could entail putting controls in place,
beefing up security measures, transferring risks via insurance, or accepting particular risks as
long as they fall within the organization's risk appetite. The plans should be in line with the goals
of the company and be economical.

• Monitor and Evaluate: Risk assessments are ongoing processes. To detect new risks, assess the
efficacy of current controls, and update risk mitigation methods, it is imperative to regularly
monitor and examine risks. Continuous observation guarantees that hazards are handled
proactively and adaptably.

[1]

Third-party VPNs and the Effects of Incorrect Firewall Policy Configuration

• Unauthorized Access: Misconfigurations can make it possible for someone to get access to
the network, systems, or sensitive data without authorization. This might lead to data
breaches, unauthorized changes, or unauthorized individuals taking over control of vital
resources.

• Inadequate Traffic Filtering: Due to improper setups, the network may not be adequately
protected against harmful or undesired traffic. The vulnerability to various cyberthreats,
such as malware infections, denial-of-service attacks, or unauthorized network breaches,
may rise as a result.

• Disrupted Operations: By blocking legitimate traffic or generating connectivity problems,
firewall misconfigurations can interfere with regular operations. This may affect
productivity, communication, and the availability of crucial services.

• Weakening of Security Defenses: Security defenses may become less effective as a result of
improper setups, making it harder for them to identify or stop harmful activity. This may
make the company more vulnerable to online threats and raise the possibility of successful
incursions.

From the perspective of a business using them, third-party VPNs can have the following effects on a network:

• Data Privacy and Security: Relying on third-party VPN services places you in a dependent
position with respect to their security infrastructure. The privacy and security of data
transferred through a VPN may be jeopardized if the VPN provider's security measures are
insufficient or if its encryption techniques are weak.


• Performance and Latency: The encryption and routing techniques used by third-party VPNs
can result in increased network latency. The capacity and infrastructure of the VPN provider
determine how it will affect network performance. Critical applications can suffer and users'
experiences can be impacted by slow data transmission rates or increased latency.

• Trust and Reliability: Using a third-party VPN demands confidence in the provider's security
procedures and guidelines. In order to make sure VPN providers adhere to security
standards and safeguard sensitive data from potential breaches, organizations should
evaluate their reputation and dependability.

• Regulatory Compliance: Companies that operate in regulated sectors or locales need to
make sure that third-party VPNs abide by the necessary data protection and privacy laws.
The organization may be subject to legal and regulatory concerns if the VPN provider's
operations are not in accordance with its compliance responsibilities.

To reduce potential risks and preserve the integrity and confidentiality of their networks and data, it is
essential for enterprises to carefully establish firewall policies and consider the security ramifications of
employing third-party VPNs.

[2]
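The misconfiguration classes described above (an allow that grants a source every host and service, a deny that an earlier allow prevents from ever firing, an allow that an earlier deny blocks, and a policy with no final deny-all) can be caught before a policy is pushed to the firewall. The rule-list linter below is an added example written for this page, not code from the assignment or from any firewall vendor; the `Rule` layout, first-match evaluation, IPv4-only addressing and the sample policy are all constructed assumptions.

```python
"""Lint a first-match firewall rule list for common policy misconfigurations."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")   # assumption: IPv4 rules only


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # IPv4 CIDR or "any"
    dst: str                # IPv4 CIDR or "any"
    port: Optional[int]     # None means every port
    proto: str              # "tcp", "udp" or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` would match is already matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.port in (None, inner.port)
            and outer.proto in ("any", inner.proto))


def lint(rules: list) -> list:
    """Return (rule name, finding code, detail) tuples for a top-down rule list."""
    findings = []
    for i, rule in enumerate(rules):
        # Unauthorized access / inadequate filtering: one source may reach every host on every port.
        if rule.action == "allow" and rule.dst == "any" and rule.port is None:
            findings.append((rule.name, "PERMISSIVE",
                             "allows %s to reach any destination on any port" % rule.src))
        # Shadowing: an earlier rule already decides every packet this rule describes, so it
        # never fires. A shadowed allow blocks legitimate traffic (disrupted operations);
        # a shadowed deny silently lets unwanted traffic through. Partial overlaps are not
        # reported by this simple check.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                code = "REDUNDANT" if earlier.action == rule.action else "SHADOWED"
                findings.append((rule.name, code,
                                 "never evaluated; '%s' matches first" % earlier.name))
                break
    # Weakened defences: without a closing deny-all, unmatched traffic falls through to the
    # platform default, which on some devices is to permit.
    catch_all = Rule("_", "deny", "any", "any", None, "any")
    if not rules or rules[-1].action != "deny" or not covers(rules[-1], catch_all):
        findings.append(("<policy>", "NO_DEFAULT_DENY", "rule list does not end with deny any -> any"))
    return findings


# Constructed sample policy (not taken from any real device), evaluated top-down.
SAMPLE_POLICY = [
    Rule("allow-vpn-pool", "allow", "192.0.2.0/24", "any", None, "any"),          # partner VPN pool
    Rule("deny-vpn-to-finance", "deny", "192.0.2.0/24", "10.0.9.0/24", None, "any"),
    Rule("deny-branch-to-dmz", "deny", "10.1.0.0/16", "10.0.5.0/24", None, "any"),
    Rule("allow-branch-https", "allow", "10.1.2.0/24", "10.0.5.10/32", 443, "tcp"),
    Rule("default-deny", "deny", "any", "any", None, "any"),
]

if __name__ == "__main__":
    for name, code, detail in lint(SAMPLE_POLICY):
        print(f"{code:16} {name}: {detail}")
```

Running the block reports the over-broad VPN allow, the finance deny it shadows, and the branch HTTPS allow shadowed by the broader branch deny.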

The Practical Application of the ISO 31000 Risk Management Methodology in IT Security

ISO 31000 is an internationally recognized risk management standard. It offers a
methodical approach to identifying, evaluating, treating, and monitoring risks. The ISO 31000
risk management methodology's practical applicability in IT security is summarized as follows:

• Establish the Context: Define the goals, scope, and risk management framework for the organization's
information technology security. This entails understanding both internal and external elements, legal
and regulatory requirements, and stakeholder expectations.

• Risk Identification: Identify possible threats to IT security by taking both internal and external
factors into account, including technology, procedures, people, and the threat landscape. This
process entails methodically compiling data and evaluating potential implications, threats, and
vulnerabilities.

• Risk Analysis: Assess identified hazards' propensity to materialize and their repercussions. This
involves evaluating the controls already in place, any vulnerabilities, and any potential effects on
IT systems, data, and operations. Techniques for analysis might be quantitative or qualitative.


• Risk Evaluation: Assess the significance of each risk, taking into account its possible
influence on the organization's goals and risk tolerance. This process aids in prioritizing hazards
and identifying the level of care and resources needed for their treatment.

• Risk Treatment: To address recognized risks, develop and put into practice risk treatment
techniques. This entails picking the right risk-reduction strategies, such as putting in place
security controls, transferring or accepting risks, or creating backup plans. The management of
risks should be in line with corporate goals and cost efficiency.

• Monitoring and Review: Analyze the risk landscape, continuously check the efficacy of risk
management mechanisms, and regularly reevaluate risks. With the help of this phase, the risk
management procedure will continue to be dynamic and flexible in response to evolving threats,
technologies, and business environments.

Maintain open lines of communication with all parties involved, including IT staff, management, and
other departments. Effective communication promotes a culture of risk awareness, provides risk
information, and solicits feedback on risk management tactics.

Adapting the technique to the unique circumstances and needs of the company is a necessary step in
the practical use of ISO 31000 in IT security. It involves incorporating risk management into the
organization's entire governance structure, adhering to pertinent standards and laws, and incorporating
risk management procedures into IT operations and decision-making.

[3]

Possible Effects on Dowding Federation Security as a Result of an IT Security Audit

• Identification of Vulnerabilities: An audit can identify weaknesses in the organization's networks,
processes, and IT systems. Because of this identification, there is less chance that bad actors will
take advantage of the vulnerabilities and the Dowding Federation can resolve them right away.

• Enhancements to Security Controls: The audit may identify areas where security controls need
to be strengthened. The ability of the business to avoid, identify, and effectively handle security
issues can be improved by putting the suggested security measures into practice.

• Compliance Assurance: An IT security audit determines if the company complies with applicable
laws and standards. The risk of fines or other legal repercussions is decreased by addressing any
compliance gaps found during the audit, which assures compliance with legal standards.

• Enhanced Incident Response: The audit procedure assesses how well the organization is able to
respond to incidents. The Dowding Federation can increase its capacity to quickly recognize,
respond to, and recover from security issues by identifying areas for improvement and making
the appropriate changes.

• Cultural Awareness and Training: The auditing process makes staff more aware of potential
dangers and appropriate practices for IT security. As a result of this raised awareness, the
company is becoming more security-conscious, and staff members are better equipped to
protect critical data.

The total effect of an IT security audit on the Dowding Federation depends on how thoroughly the audit
is conducted, how committed the organization is to resolving concerns that are found, and how well the
recommended security measures are put into practice.

[4]

IT Security and Organizational Policy Alignment and the Security Consequences of Misalignment

Maintaining a strong security posture requires that IT security and organizational policy be aligned. In
the case mentioned above, misalignment could have serious security ramifications for the client:

• Policy-Driven Approach: Organizational policies and procedures that specify acceptable security
practices, access controls, data management, incident response, and compliance requirements
should be aligned with IT security. Misalignment can lead to security procedures that do not
sufficiently safeguard crucial assets or adhere to legal requirements.

• Risk Management: To help with IT security decisions, organizational rules should include risk
management principles. Misalignment could result in the failure to recognize and handle serious
hazards or the inefficient use of resources to reduce them.

• Compliance and Legal Risks: Failure to adhere to organizational policy may result in a violation of
legal and regulatory obligations. As a result, the company runs the danger of facing legal
repercussions, reputational harm, and possible financial penalties.

Employee awareness and training are important factors in encouraging employee compliance with IT
security procedures.

[5]

Task 3
Information Security Governance

1. Comprehensive Security Policy for Wargrave College: Specifies the responsibilities of the people and
departments involved in information security.

• Creates a transparent organizational structure for handling security.


2. Risk Assessment and Management: Describes how to identify, evaluate, and manage risks to the
assets of the college.

• Contains instructions for performing routine risk analyses and putting into action suitable risk
reduction techniques.

3. Access Control: Specifies the guidelines and processes for granting and revoking access to physical
facilities, networks, and information systems.

• Outlines the application of robust authentication techniques, password restrictions, and access control
lists.

4. Data Classification and Handling: Outlines the data classification scheme and the associated security
measures for each classification level.

• Outlines procedures for managing, storing, transmitting, and discarding sensitive data in a secure
manner.

5. Incident Response and Management: Develops protocols for immediately identifying, notifying, and
responding to security incidents.

• Specifies who will be in charge of what during an event, along with communication rules and
escalation techniques.

6. Physical Security: Deals with the physical defense of buildings, machinery, and valuables.

• Contains precautions including access limits, video surveillance, and employee security awareness
programs.

7. Network Security: Describes the security measures to protect the college's network infrastructure,
such as firewalls, intrusion detection systems, and network segmentation.

• Establishes standards for vulnerability management, wireless network security, and secure remote
access.

8. Security Awareness and Training: Stresses the significance of staff, professor, and student security
awareness.

• Offers recommendations for security training initiatives, such as continual education and frequent
awareness campaigns.

9. Compliance and Legal Requirements: Ensures that the college complies with all applicable laws, rules,
and professional standards.

• Contains guidelines for handling security incidents as well as monitoring and reporting compliance.

10. Incident Reporting and Investigation: Creates a procedure for filing reports of security incidents and
carrying out inquiries.

• Specifies how to gather, examine, and report on evidence.


11. Business Continuity and Disaster Recovery: This section describes the college's strategy for
sustaining critical operations during and after a disaster.

• Contains processes for resuming crucial functions, offshore storage, and backup and recovery
techniques.

[6]

Justification of the DRP's component parts.

1. Business Impact Analysis (BIA): This technique finds the relationships between key business activities.

• Analyzes the potential effects of interruptions on the college's resources and operations.

2. Recovery Objectives: Sets goals for the most tolerable downtime and data loss in the event of a disaster.

• Aids in resource allocation and prioritization of recovery operations.

3. Backup and Restore Procedures: Specify data backup frequency, location, and technique.

• Outlines steps for evaluating and restoring backups to guarantee data availability and integrity.

4. Alternative Worksite and Infrastructure: Determines backup sites and alternative infrastructure for
supporting crucial activities.

• Contains designs for data centers, telecommunications networks, and power supplies.

5. Communication Plan: Specifies channels and procedures for contacting stakeholders in the event of a
disaster.

• Assures the fast and correct flow of information to reduce confusion and enable coordinated response
activities.

Stakeholders' Responsibilities for Implementing Security Audit Recommendations:

1. Management: Is in charge of overall implementation of security audit recommendations.

• Determines priorities, allocates resources, and ensures that the required adjustments are made.

2. IT Department: Puts into practice technological configurations and controls in accordance with audit
recommendations.

• Checks for vulnerabilities in systems, applies patches, and updates software as necessary.

3. Employees: Follow security policies, procedures, and industry best practices.

• Promptly report security breaches, vulnerabilities, and incidents.

4. Internal audit: Keeps track of adherence to security guidelines and protocols.

• Performs routine audits to evaluate the performance of implemented controls.

5. Security Team: Offers knowledge and direction in putting audit recommendations into practice.


• Performs penetration testing, vulnerability assessments, and risk assessments.

[7]

Suitability of Tools Used in Organizational Policies.

The appropriateness of tools used in organizational policies depends on a number of variables,
including:

1. Alignment with Policy Objectives: Tools should support the implementation of policy requirements
and be in line with the organization's security objectives.

2. Effectiveness: Tools should have a track record of successfully reducing risks and delivering the
required security objectives. They should be reliable and proven to be able to solve specific security
demands.

3. Scalability: Tools must be flexible enough to adapt to the organization's expanding needs and shifting
security requirements.

• They ought to support growing user bases, data quantities, and technological improvements.

4. Integration: Systems and infrastructure should be seamlessly integrated with the tools.

• They ought to facilitate data sharing and interoperability between various security solutions.

5. User-Friendliness: Tools should have a user-friendly interface, offer straightforward functions, and be
simple to configure, manage, and monitor without the need for extensive training.

6. Vendor Assistance and Updates: Tools should be purchased from dependable vendors who offer
recurring updates, security patches, and technical assistance. They should be steadfast in fixing
vulnerabilities and preserving the tool's efficacy.

A mixture of these elements should be taken into consideration when evaluating and choosing tools to
make sure they are appropriate for organizational policy and can successfully support Wargrave
College's security goals.

[8]

References

[1] S. M. Radack, "NIST," 2020.

[2] TechTarget, "Networking," 2020.

[3] "ISO 31000:2018," https://www.iso.org/standard/65694.html, 2023.

[4] "ISACA," https://www.isaca.org/resources/isaca-journal/issues/2016/volume-2/application-security-risk-assessment-and-modeling, 2023.

[5] C. Insights, "NetApp BlueXP," https://bluexp.netapp.com/blog/blg-it-security-policy-7-policy-types-and-4-best-practices, 2023.

[6] "InformIT," https://www.informit.com/articles/article.aspx?p=2931571&seqNum=2, 2023.

[7] Radhika, "Accrets International," https://www.accrets.com/backupanddr/disaster-recovery-the-5-integral-components-of-a-disaster-recovery-plan/, 2021.

[8] O. S. Matters, "Open Source Matters Inc.," https://www.opensourcematters.org/organisation/directors/policies/267-policy-tools.html, 2022.
