EMC cloud solutions unit 5 security
BTEC Pearson Higher Nationals in Computing
Unit 5: Security
Unit Learning Outcomes:
LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.
Assignment Brief and Guidance:
EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in Sri Lanka. A number of high-profile businesses in Sri Lanka including Esoft Metro Camps network, SME Bank Sri Lanka and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its customers with SaaS, PaaS & IaaS solutions with high capacity compute and storage options. Also, EMC is a selected contractor for Sri Lanka, The Ministry of Defense for hosting government and defense systems. EMC’s central data center facility is located at Colombo Sri Lanka along with its corporate head-office in Bambalapitiya. Their premises at Bambalapitiya is a six-story building with the 1st floor dedicated to sales and customer services equipped with public WIFI facility. Second-floor hosts HR, Finance and Training & Development departments and the third-floor hosts boardroom and offices for senior executives along with the IT and Data center department. Floor 4,5,6 hosts computer servers which make up the data center. With the rapid growth of information technology in Kandy area in recent years, EMC seeks opportunity to extend its services to Kandy, Sri Lanka. As of yet, the organization still considers the nature of such extension with what to implement, where is the suitable location and other essential options such as security are actually being discussed. You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related specifics of its present system and provide recommendations on security and reliability related improvements of its present system as well as to plan the establishment of the extension on a solid security foundation. 
Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such issues would create on the business itself.
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed in section (1.1) by assessing and treating the risks.
Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which are applicable to firewalls and VPN solutions.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a ‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ
ii) Static IP
iii) NAT
2.3 Discuss the benefits of implementing network monitoring systems.
Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself and its clients.
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage solutions provided by EMC Cloud. You may also highlight on ISO 3100 risk management methodology.
3.3 Comment on the topic, ‘IT Security & Organizational Policy’
Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while evaluating the suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure maximum uptime for its customers (Student should produce a PowerPoint-based presentation which illustrates the recovery plan within 15 minutes of time including justifications and reasons for decisions and options used).
4.3 ‘Creditors, directors, employees, government and its agencies, owners / shareholders, suppliers, unions, and the other parties the business draws its resources’ are the main branches of any organization. Discuss the role of these groups to implement security audit recommendations for the organization.
Grading Rubric
Grading Criteria | Achieved | Feedback
LO1 Assess risks to IT security
P1 Identify types of security risks to organizations.
P2 Describe organizational security procedures.
M1 Propose a method to assess and treat IT security risks.
LO2 Describe IT security solutions
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and triparty VPNs.
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security.
M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
D1 Investigate how a ‘trusted network’ may be part of an IT security solution.
LO3 Review mechanisms to control organizational IT security
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organization.
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.
D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.
LO4 Manage organizational security
P7 Design and implement a security policy for an organization.
P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organization to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organizational policy.
Executive Summary
To manage a network security infrastructure, we need a basic understanding of it. This report gives a basic overview of the network security systems in use today, describes some common ones and discusses the basic types of network security system. It also covers the design of a network security system for EMC's premises in Bambalapitiya, where the company carries out its day-to-day activities. The company needs this network security system for good collaboration of services.
According to the scenario, in the first task I have covered vulnerabilities, threats, assets and risks, and selected the security procedures that the company requires.
Activity 01
1.0 Introduction
EMC is a well-reputed cloud solution provider in Sri Lanka. EMC provides its services to SME Bank Sri Lanka and WEEFM. EMC Cloud Solutions offers SaaS, PaaS and IaaS to its customers, and it has roughly five hundred customers. The head office of EMC is situated in Bambalapitiya, in a six-story building. In this building the first floor is dedicated to customer services, the second floor is for HR and finance, and the training department is on the third floor. Floors four, five and six hold the computer servers. Unfortunately, the company has no proper security system, either physical or computerized. A security system is a highly important feature for a company, because without one the company faces various kinds of risks. In its current situation, EMC Cloud Solutions has no security system at all.
1.0.1 Relationship between Vulnerabilities, Threats, Assets and Risks.
Vulnerabilities are the weaknesses that allow a risk to arise. Every company may face vulnerabilities, which is why many users and network personnel try to protect their computer systems by keeping software security patches up to date. (https://www.hq.nasa.gov)
Threats to the company can come from inside the company or from outside it. Normally most threats come from outside the company. Threats are the potential for a vulnerability to turn into an attack on computer systems, networks and more. They can put individuals' computer systems and business computers at risk. According to Getcybersafe.gc.ca, some of the common threats are hacking, malware, spam, phishing and botnets. (https://www.researchgate.net)
Assets are the physical resources that a company has. Normally a company measures its profit from the remaining assets. Assets are resources with an economic value that an individual, corporation or country owns with the expectation that they will provide a future benefit. (https://www.investopedia.com)
Risks are the adverse situations that may happen to a business in the near future. Basically, risks are defined as negative occurrences caused by external and internal vulnerabilities.
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities is known as a risk. (https://www.paperdue.com)
1.1 Identification of security risks that EMC will face. (P1)
In a business, risks are the adverse situations that may happen to that business in the near future. Basically, a risk is defined as a negative occurrence caused by external and internal vulnerabilities. For example, the possibility of damage to the business, an increase in liabilities and losses are certain kinds of risk to a business. In the case of EMC, various kinds of risks can occur because the company has no proper security system.
1.1.1 List of Risks
- Physical damages
Physical damage is damage that can happen to physical property. EMC lacks a physical security system, so the possibility of security damage to the company is high. When a company suffers physical damage it causes a huge loss, because the property the company uses is damaged and the company can no longer perform as well as in the past. (https://warframe.fandom.com)
- Equipment malfunction
Equipment malfunction means that when computers or other electronics have no virus guard, they are affected by viruses and gradually begin to malfunction. Without any security, equipment malfunction is therefore also a risk to EMC. (http://fixcleanerpc2017.com)
- Misuse of data
Misuse of data is a result of the lack of a security system. Misuse of data does serious harm to the company. It lowers the value of the company's assets, and sometimes a company goes bankrupt for this reason. So misuse of data affects the company severely. (https://blog.ssa.gov/)
- Loss of data
Loss of data is one of the risks that can affect the company when there is no security, because people may commit fraud against the business. Data loss is any process or event that results in data being corrupted, deleted or made unreadable by the user. (https://www.investopedia.com)
1.2 Security procedures developed to avoid the risks. (P2)
Procedures and policies are the rules and regulations that every company implements for its security, to avoid various types of fraud and so on. These procedures and policies should be obeyed by both employees and employers. The other reason to implement rules and regulations is to keep the business running in the future. EMC has likewise implemented various procedures to minimize its risks. The risks listed above are some of the risks that EMC faces.
1.2.1 List of Security procedures
- Property damage claim procedure
For the first risk in the list, we can use a good security system to reduce the physical damage that can happen to physical property, but the best method is to maintain a property damage claim procedure. This means that when something unfortunate happens to our property, we can use the procedure to claim for the loss we have suffered. (https://www.thebalance.com/)
- Regular inspection procedure
The second risk in the list is equipment malfunction. To reduce it, we can implement a regular inspection procedure. When we start to implement this procedure we have to create an inspection schedule and then inspect our equipment on a regular basis according to it; in this way we can reduce equipment malfunction. (https://www.osha.gov)
- Monitor user action procedure
The third risk that EMC faces is data misuse. To avoid it we create a monitor user action procedure, which is one of the best ways to avoid data misuse. It is very important to monitor the actions of users working with sensitive information. Misuse of such data can expose an organization to very costly damage control, huge losses and even potential lawsuits. Users with high privileges pose an additional threat. So reducing data misuse is very important to EMC. (https://docs.oracle.com/cd/)
- Create backup procedures
To reduce the risk of data loss we can create a backup of all the data we enter into the computers. When a company reduces its risk of data loss it can expand its business, because it can draw ideas from the past situations it has faced. (https://www.investopedia.com)
1.3 What is the risk management process?
To keep a company running over a long period, we have to maintain it well. So we have to protect the company from security breaches, data losses, cyber-attacks, system failures and natural disasters. The risk management process exists to manage those risks. It means monitoring and managing potential risks in order to minimize the negative impact they may have on an organization. An effective risk management process helps identify which of these risks pose the biggest threat to an organization and provides guidelines for handling them. An effective risk management process has three steps. They are
- Risk Assessment and Analysis – The first step of the risk management process is the risk assessment and analysis stage. A risk assessment evaluates an organization's exposure to uncertain events that could affect its day-to-day operations and estimates the damage those events could do to the organization's income and status.
- Risk Evaluation – After the risk assessment or analysis has been completed, a risk evaluation should take place. A risk evaluation compares the estimated risks against the risk criteria that the organization has already established. Risk criteria can include associated costs and benefits, socio-economic factors, legal requirements and system malfunctions.
- Risk Treatment and Response – The last step in the risk management process is risk treatment and response. Risk treatment is the implementation of policies and procedures that will help avoid or minimize risks. Risk treatment also extends to risk transfer and risk financing.
(https://www.pmi.org/)
1.3.1 What is Risk Treatment?
When risks occur to a company, we have to minimize or avoid them, and to do so we have to use certain strategies. Avoiding risks by using such strategies is known as risk treatment. Specific treatment strategies can be created to treat the specific risks that have been identified. Treatment strategies may differ, depending on the risk context.
Purpose of the Risk treatment – The purpose of risk treatment is to reduce, remove or transfer risk from the company. It is often better for a company to plan ahead and prevent a risk from occurring than to take the chance and face that risk. Planning ahead can save a company a lot of time and money, because some risks may prove very damaging to a business. There are two main types of risk treatment. They are
- Avoidance strategies – These tactics seek to stop a potential risk from happening or affecting a company at all. The main subdivisions of avoidance strategies include transfer and change.
- Minimize strategies – These tactics seek to reduce the influence of a risk on a product or organization, so that as little damage as possible is done. Minimize tactics are frequently used when avoidance strategies are not possible or have already failed.
(https://www.investopedia.com)
1.3.2 Risk treatment related to scenario. (M1)
When risks occur to a company, we have to minimize or avoid them, and to do so we have to use certain strategies. Avoiding risks by using such strategies is known as risk treatment. Many risks can affect EMC: physical damage, equipment malfunction, data misuse and data loss. Several treatments or procedures can be implemented to overcome these risks: the property damage claim procedure, the regular inspection procedure, the monitor user action procedure and backup procedures. By using these strategies EMC can treat the risks and overcome them.
Activity 02
2.1 Potential impact to the organization when there is an improper firewall system and VPNs. (P3)
2.1.1 What is a Firewall?
Many reputed IT companies install a firewall system on their servers because it acts as a security system that protects important information. Broadly, a firewall is a software program that prevents unauthorized access to or from a private network. Access from an unauthorized network or from another private network is a risk to the company, because all its internal information can be taken through that access, so most companies use a firewall system to prevent it. Firewalls are tools that can be used to enhance the security of computers connected to a network. Installing a firewall isolates our computer from the internet using a wall of code. Firewalls have various abilities; the main one is that they can enhance security by enabling granular control over which system functions are allowed. Some people think that a firewall is a system used to control the traffic that passes through the network, but it is actually software used to prevent unauthorized access to network systems. Normally these are the things that a firewall system does (https://www.fieldengineer.com/)
- Defend resources
- Validate access
- Manage and control network traffic
- Record and report on events
- Act as an intermediary
2.1.2 What is a firewall Policy?
A firewall policy is a set of rules that describes how to use the firewall software, so that it is easy to manage. A firewall is an application designed to control the flow of Internet Protocol (IP) traffic. The firewall policy covers the types of firewalls and the firewall architectures. There are various types of firewalls. They are
- Packet filters
- Proxy servers
- Application gateways
Packet Filters: A packet filter is a firewall that checks each packet against user-defined filtering rules to decide whether to pass or block it. For example, a filtering rule might require all Telnet requests to be dropped. Using this rule, the firewall will block all packets that have port number 23 (the default port number for Telnet) in their header. Filtering rules can be built on source IP address, destination IP address, Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makes decisions based on the network layer and the transport layer.
Proxy Servers: A proxy service is an application that redirects users’ requests to the real services based on an organization’s security policy. All communication between a user and the actual server occurs through the proxy server. Thus, a proxy server acts as a communications broker between clients and the real application servers. Because it acts as a checkpoint where requests are validated against specific applications, a proxy server is usually processing-intensive and can become a bottleneck under heavy traffic conditions.
Application Gateways: An application gateway is a proxy server that offers access control at the application layer. It acts as an application-layer gateway between the protected network and the untrusted network. Because it works at the application layer, it is able to examine traffic in detail and, therefore, is considered the most secure type of firewall. It can stop certain applications, such as FTP, from entering the protected network. It can also log all network actions by application for both accounting and security audit purposes. (https://docs.microsoft.com/)
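Added example (not part of the original report): a minimal first-match packet filter in Python that applies the Telnet rule described above and flags rules that can never fire because an earlier, broader rule covers them, a typical incorrect firewall configuration. All addresses, rule sets and names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # Layer 4 destination port, None = any port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Compare the packet header fields with one filtering rule."""
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by rule b is also matched by rule a."""
    return (a.proto in ("any", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules that never take effect: an earlier rule with the opposite action covers them."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later) and earlier.action != later.action:
                dead.append(later)
                break
    return dead


ANY = "0.0.0.0/0"
WEB = "203.0.113.10/32"  # constructed address of a public web server

# Intended policy: drop Telnet, allow HTTPS to the web server, deny the rest.
INTENDED = [
    Rule("block", "tcp", ANY, ANY, 23, "drop all Telnet"),
    Rule("pass", "tcp", ANY, WEB, 443, "HTTPS to web server"),
]

# Misconfiguration: an allow-all rule left above the Telnet block.
MISCONFIGURED = [
    Rule("pass", "any", ANY, ANY, None, "temporary allow-all left in place"),
    Rule("block", "tcp", ANY, ANY, 23, "drop all Telnet"),
]

TELNET = Packet("tcp", "198.51.100.7", "203.0.113.10", 23)
HTTPS = Packet("tcp", "198.51.100.7", "203.0.113.10", 443)
SSH = Packet("tcp", "198.51.100.7", "203.0.113.10", 22)

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("misconfigured", MISCONFIGURED)):
        print(name, "telnet ->", decide(rules, TELNET),
              "| unreachable rules:", [r.note for r in shadowed(rules)])
```
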
2.1.3 What is Virtual private network (VPN)?
When we browse or search over a network, our web traffic is exposed to snooping, interference and censorship; to avoid this we can use a VPN (virtual private network). A VPN is a secure tunnel between two or more devices that protects web traffic from snooping, interference and censorship. A VPN uses data encryption and other security mechanisms to prevent unauthorized users from accessing data, and to ensure that data cannot be modified without detection as it flows through the Internet. It then uses the tunneling process to transport the encrypted data across the Internet. Tunneling is a mechanism for encapsulating one protocol in another protocol. In the context of the Internet, tunneling allows such protocols as IPX, AppleTalk, and IP to be encrypted and then encapsulated in IP. Similarly, in the context of VPNs, tunneling disguises the original network layer protocol by encrypting the packet and enclosing the encrypted packet in an IP envelope. This IP envelope, which is an IP packet, can then be transported securely across the Internet. At the receiving side, the envelope is removed and the data it contains is decrypted and delivered to the appropriate access device, such as a router. (https://www.vpnsecure.me/)
2.1.4 What is VPN policy?
A VPN policy is a set of rules that describes how to use this secure tunnel, so that it is easy to manage. A VPN is an application designed to protect web traffic from snooping, interference and censorship. The VPN policy covers the types of VPNs and the VPN architectures. There are various types of VPN. They are
- Access VPNs provide remote users such as road warriors (or mobile users), telecommuters, and branch offices with reliable access to corporate networks.
- Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure manner.
2.1.5 How do improper firewalls and VPNs impact EMC?
EMC is a well-reputed cloud solution provider in Sri Lanka. EMC provides its services to SME Bank Sri Lanka and WEEFM. EMC Cloud Solutions offers SaaS, PaaS and IaaS to its customers. EMC carries out transactions not only in Sri Lanka but also with other countries, and for those transactions firewalls and VPNs are two very important pieces of software to install. When transactions are carried out over networks, unauthorized parties, including other private networks, can attack the network system. When it is attacked, they can obtain important information about EMC, and competitors in particular may do so. If EMC's competitors obtain details about the company, it is a huge risk to the company, and firewalls are very important for preventing this kind of risk. If the firewalls are improper, the company faces the same risks.
The other problem is improper VPNs, which arises when doing online transactions. When online transactions are carried out without a proper VPN, the web traffic may be subject to snooping and interference, so the transactions cannot be completed properly and may be delayed. Improper VPNs might damage the reputation of EMC, which is why proper VPNs have to be installed. (https://www.vpnsecure.me/)
2.2 Static IPs, DMZ and NAT. (P4)
2.2.1 What is static IPs?
A static Internet Protocol (IP) address (static IP address) is a permanent number assigned to a computer by an Internet service provider (ISP). Static IP addresses are useful for gaming services, website hosting or Voice over Internet Protocol (VoIP). Speed and reliability are key advantages. Because a static address is constant, systems with static IP addresses are vulnerable to data extraction and higher security risks.
Advantages of Static IPs
- It’s good for creating Computer servers
- It makes it easier for geolocation
- It’s also better for dedicated services
Disadvantages of static IPs
- A static IP address could be a security risk
- Static IPs are preferred for hosting servers
- The process to set a static IP is complex
(https://www.techopedia.com/)
What is DHCP IPs?
A DHCP server is used to issue IP addresses and automatically configure other network information. In most homes and small businesses, the router works as the DHCP server. In large networks, a single computer may act as the DHCP server.
In short, the process goes like this: A device (the client) requests an IP address from a router (the host), after which the host assigns an available IP address to allow the client to communicate on the network.
Advantages of DHCP IPs
- DHCP IPs are easy to manage
- We can create a tailored configuration for clients
- Clients can use DHCPs to obtain the information needed
Disadvantages of DHCP IPs
- There are many security issues with DHCP IPs
- It becomes a point of failure when there is only a single DHCP server
- There are problems with the DHCP server if we are using older Microsoft servers.
2.2.2 What is DMZ?
DMZ means demilitarized zone. It refers to a host or network that exists as a secure, intermediate network; in other words, it is a path between an organization's internal network and the external network. A DMZ is mainly implemented to protect an internal network from communication with, exploitation by and access from external nodes and networks. A DMZ can be a logical sub-network, or a physical network acting as a safe bridge between an internal and an external network. A DMZ network has restricted access to the internal network, and all of its communication is scanned on a firewall before being passed on internally. If an attacker plans to breach or attack an organization’s network, a successful attempt will only result in the compromise of the DMZ network - not the core network behind it. A DMZ is considered more secure and safer than a firewall, and can also work as a proxy server. (https://searchsecurity.techtarget.com/)
2.2.3 Real function of the DMZ
The overall idea is that you put your public-facing servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be rooted. If that happens, and a malicious party gains access to your server, they should be isolated in the DMZ network and not have direct access to the private hosts. (https://searchsecurity.techtarget.com/)
2.2.4 Architecture of DMZs network
There are many ways to design a network with a DMZ. The two basic approaches are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. The basic approach can be expanded to create complex architectures, depending on the network requirements. A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by the connection to the public internet. Different sets of firewall rules for traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are permitted into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or to the internal LAN from the DMZ. (https://searchsecurity.techtarget.com/)
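Added example (not part of the original report): the single-firewall, three-interface design described above, modelled in Python as a zone-pair policy, with a comparison of what an attacker who compromises the public web server can reach when it sits in the DMZ versus on the LAN. The subnets, hosts, ports and policy entries are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the two internal interfaces of the firewall;
# anything else is treated as the internet-facing interface.
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}

# (source zone, destination zone) -> list of (destination host or None for any, TCP ports).
# Zone pairs that are missing have no permitted new connections at all.
POLICY = {
    ("internet", "dmz"): [("192.0.2.10", {80, 443})],  # public web server only
    ("lan", "dmz"): [("192.0.2.10", {22, 443})],        # administration from the LAN
    ("lan", "internet"): [(None, {80, 443})],           # staff web browsing
    ("dmz", "lan"): [("10.0.0.5", {5432})],             # web server to one database host
    # no ("dmz", "internet") and no ("internet", "lan") entries
}

# Constructed internal services an intruder would try to reach.
LAN_SERVICES = [("10.0.0.5", 5432), ("10.0.0.20", 445), ("10.0.0.30", 3389)]


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def allowed(src: str, dst: str, port: int) -> bool:
    """May src open a new TCP connection to dst:port?"""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True  # same segment: the traffic never crosses the firewall
    for host, ports in POLICY.get((src_zone, dst_zone), []):
        if host in (None, dst) and port in ports:
            return True
    return False


def blast_radius(compromised: str):
    """Internal services directly reachable from a compromised host."""
    return [(host, port) for host, port in LAN_SERVICES
            if host != compromised and allowed(compromised, host, port)]


if __name__ == "__main__":
    print("web server in DMZ :", blast_radius("192.0.2.10"))
    print("web server on LAN :", blast_radius("10.0.0.10"))
```
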
2.2.5 What is NAT (Network Address Translation)
Network Address Translation is the procedure where a network device, usually a firewall, allocates a public address to a computer inside a private network. The key use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes. However, to access resources outside the network, like the internet, these computers have to have a public address in order for replies to their requests to return to them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so quickly that the end user hardly knows it has occurred. A workstation inside a network makes a request to a computer on the internet. Routers within the network identify that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the internet using its own public address, and returns the response from the internet resource to the computer inside the private network. From the perspective of the workstation, it appears that communication is directly with the site on the internet. When NAT is used in this way, all users inside the private network have the same public IP address when they use the internet. There are many benefits we can get from Network Address Translation (NAT). They are
- Reuse of private IP addresses
- Enhance security for private networks by keeping internal address private from the external network
- Connecting a large number of hosts to the global internet using a smaller number of public (external) IP address, there by conserving IP address space.
(http://nokitel.im/index.php)
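Added example (not part of the original report): the request and reply flow described above, modelled in Python as a port-translating NAT table on the firewall. Two workstations share one public address, replies are mapped back to the right workstation, and an inbound packet with no matching table entry is dropped. The class name, addresses and port numbers are constructed assumptions.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (source IP, source port, destination IP, destination port)


class NatGateway:
    """Firewall that rewrites private source addresses to its own public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # inside flow -> public source port chosen for it
        self.out_table: Dict[Flow, int] = {}
        # (public port, remote IP, remote port) -> (inside IP, inside port)
        self.back_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate a request leaving the private network."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.back_table[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        # The internet only ever sees the firewall's public address.
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Translate a packet arriving from the internet, or drop it (None)."""
        if dst_ip != self.public_ip:
            return None
        inside = self.back_table.get((dst_port, src_ip, src_port))
        if inside is None:
            return None  # no workstation asked for this: unsolicited, dropped
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1")
    # Two workstations use the same source port towards the same web site.
    print(gw.outbound("10.0.0.11", 51000, "198.51.100.80", 443))
    print(gw.outbound("10.0.0.12", 51000, "198.51.100.80", 443))
    # The reply to the second request is delivered to the second workstation.
    print(gw.inbound("198.51.100.80", 443, "203.0.113.1", 40001))
    # A packet from a host nobody contacted has no table entry.
    print(gw.inbound("198.51.100.99", 4444, "203.0.113.1", 40000))
```
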
2.2.6 How do static IPs, DMZ and NAT help EMC?
- Static IPs – A static IP is a permanent number assigned to a computer by an internet service provider. Static IPs are useful for web hosting or Voice over Internet Protocol (VoIP). The main advantage of using static IPs is speed and reliability. When EMC carries out transactions with other countries it needs a fast internet connection, and for these kinds of activities static IPs are highly helpful to EMC.
- DMZ – This refers to a host or network that exists as a secure, intermediate network; in other words, it is a path between an organization's internal network and the external network. When EMC deals with its clients, an external network might attack EMC's network. To prevent these kinds of attacks EMC can use DMZ networks.
- NAT – Network address translation is used to limit the number of public IP addresses that EMC must use, for both economy and security purposes. With a public IP address, EMC's network replies to requests that come from unknown IP addresses. NAT is highly helpful to EMC in preventing this.
2.2.7 What is Trustered Network system? (D1)
A Trusted network system is a network of plans that are linked to each other, and it can expose only to official users, and allows for only protected data to be transmitted. A Trusted Network System architecture uses current standards, protocols and hardware plans to implement “trust.” Trusted Network System deliver vital security services such as user authentication, complete network device admission control, end-device status checks, policy-based access control, traffic filtering, automated remediation of non-compliant devices and auditing. The Trusted Computing Group has broadcast industry standards for Trusted Network System. Several profitable Trusted Network System technologies have been advanced, including Cisco Trust Sec, Cisco Clean Access (formerly known as Cisco Network Admission Control, and Microsoft Network Access Protection.
Components of the trusted network system
- Network Access Device: All connectivity to a Trusted Network System is implemented via a network access device (NAD), which applies policy. NAD functionality may exist in devices such as switches, routers, VPN concentrators and wireless access points.
- Posture Remediation Servers: These servers provide remediation options to a client device in case of non-compliance. For example, a server may keep the latest virus signatures and require a non-compliant client device to load the signatures before joining a Trusted Network System.
- Directory Server: This server validates client devices based on their identities or roles.
- Posture Validation Servers: Posture validation servers (PVS) assess the compliance of a client before it can join a Trusted Network System. A PVS is typically specialized for one client attribute, e.g., operating system version and patch level or virus signature release.
- Other Servers: These include trusted versions of Audit, DNS, DHCP and VPN servers.
- Client Device: Every client device must be assessed prior to admission to a Trusted Network System.
- Authorization and Access Control Server: The authorization and access control server maintains the policy and provides rules to NADs based on the results of authentication and posture validation.
(https://support.norton.com/)
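The admission flow through the components listed above can be sketched as follows. This is an added example, not code from any of the products named; the user names, version numbers and segment labels are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# All users, roles, version numbers and segment names below are constructed.

@dataclass
class ClientDevice:
    user: str
    os_patch_level: int
    av_signature_version: int

@dataclass
class Decision:
    action: str                      # "admit", "quarantine" or "deny"
    segment: Optional[str] = None
    failed_checks: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

class DirectoryServer:
    """Validates a client by identity and returns its role (None if unknown)."""
    def __init__(self, roles):
        self._roles = dict(roles)

    def role_of(self, user):
        return self._roles.get(user)

class PostureValidationServer:
    """Each PVS is specialised for one client attribute."""
    def __init__(self, name, attribute, minimum):
        self.name, self.attribute, self.minimum = name, attribute, minimum

    def compliant(self, device):
        return getattr(device, self.attribute) >= self.minimum

class PostureRemediationServer:
    """Holds what a non-compliant client must load before it may join."""
    def __init__(self, validators):
        self._by_name = {v.name: v for v in validators}

    def instructions(self, failed):
        return [f"update {self._by_name[n].attribute} to >= {self._by_name[n].minimum}"
                for n in failed]

    def apply(self, device, failed):
        # Simulates the client loading the required patch or signature release.
        for n in failed:
            setattr(device, self._by_name[n].attribute, self._by_name[n].minimum)

class AuthorizationServer:
    """Maintains policy and turns authentication + posture results into a rule."""
    def __init__(self, segment_for_role, remediation):
        self._segments = dict(segment_for_role)
        self._remediation = remediation

    def decide(self, role, failed):
        if role is None or role not in self._segments:
            return Decision("deny")                      # default deny
        if failed:
            return Decision("quarantine", "remediation-vlan", list(failed),
                            self._remediation.instructions(failed))
        return Decision("admit", self._segments[role])

class NetworkAccessDevice:
    """Switch, router, VPN concentrator or access point that applies the rule."""
    def __init__(self, directory, validators, authz):
        self.directory, self.validators, self.authz = directory, validators, authz
        self.audit_log = []          # auditing is one of the listed services

    def request_access(self, device):
        role = self.directory.role_of(device.user)
        # Posture is only assessed for clients the directory recognises.
        failed = [v.name for v in self.validators if not v.compliant(device)] if role else []
        decision = self.authz.decide(role, failed)
        self.audit_log.append((device.user, decision.action, tuple(failed)))
        return decision

def build_demo_network():
    validators = [
        PostureValidationServer("os-patch", "os_patch_level", 40),
        PostureValidationServer("av-signature", "av_signature_version", 900),
    ]
    remediation = PostureRemediationServer(validators)
    directory = DirectoryServer({"nimal": "finance", "kamala": "it-admin"})
    authz = AuthorizationServer(
        {"finance": "finance-vlan", "it-admin": "datacenter-vlan"}, remediation)
    return NetworkAccessDevice(directory, validators, authz), remediation

if __name__ == "__main__":
    nad, remediation = build_demo_network()
    laptop = ClientDevice("kamala", os_patch_level=42, av_signature_version=870)
    first = nad.request_access(laptop)
    print(first.action, first.segment, first.remediation)
    remediation.apply(laptop, first.failed_checks)
    second = nad.request_access(laptop)
    print(second.action, second.segment)
```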
2.3 What is a Network Monitoring System? (M2)
Network monitoring is a systematic effort by a computer network to detect slow or failing network components, such as overloaded or stopped/frozen servers, failing routers, failed switches or other problematic devices. In the event of a network failure or similar outage, the network monitoring system alerts the network administrator. Network monitoring is a subset of network management.
Network monitoring is generally carried out through software applications and tools. Network monitoring services are widely used to detect whether a given web server is operating and connected properly to networks worldwide. Many services that do this job provide a more complete visualization of both the Internet and networks. There are many benefits of a network monitoring system; the main three are:
- Protecting your network against attackers – A network monitoring system is able to identify suspicious traffic, thereby enabling owners to act fast. A network monitoring service is able to provide a broad overview of an SMB’s entire IT infrastructure, so that nothing is misused. Today, exploits are more sophisticated and advanced, and are able to target a system in a variety of ways. Monitoring antivirus and firewall solutions separately may leave security gaps.
- Keeping informed without in-house staff – A network monitoring service will send warnings and information to an SMB owner as issues arise. Otherwise, an SMB may need either to try to monitor its network security itself or to hire a full-time IT employee, which could be very costly. Data breaches can be more harmful and more expensive the longer they go without being noticed.
- Optimizing and monitoring your network – Many small business owners are aiming for rapid growth. This growth is not possible if parts of their IT infrastructure are overloaded or slowed. Network monitoring services will map out the infrastructure of a small business, showing an SMB owner areas of development and any issues that currently need to be addressed.
(https://indesignsecrets.com/)
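The detection step described in this section (finding slow or failed devices and alerting the administrator) can be illustrated with the added example below, which is not taken from any monitoring product. The device names, probe values and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed probe history: response time in ms per polling cycle, None = no reply.
SAMPLE_PROBES = {
    "core-router":   [4, 5, 4, 6, 5, 4],
    "web-server-1":  [40, 42, 45, 180, 210, 230],   # overloaded server
    "edge-switch-3": [3, 3, None, None, None, None],  # failed switch
    "dns-server":    [8, None, 9, 8, None, 9],      # intermittent loss
}

SEVERITY = {"down": 0, "slow": 1, "flapping": 2}

def classify(samples, baseline_cycles=3, slow_factor=3.0, down_after=3, loss_limit=0.25):
    """Return 'down', 'slow', 'flapping', 'ok' or 'unknown' for one device."""
    if not samples:
        return "unknown"
    recent = samples[-down_after:]
    # Several consecutive missed polls: treat the device as stopped or frozen.
    if len(recent) == down_after and all(s is None for s in recent):
        return "down"
    baseline = [s for s in samples[:baseline_cycles] if s is not None]
    latest = [s for s in samples[baseline_cycles:] if s is not None]
    # Response time well above the device's own earlier baseline: overloaded.
    if baseline and latest and median(latest) > slow_factor * median(baseline):
        return "slow"
    # Replies are arriving, but too many polls are being lost.
    if sum(s is None for s in samples) / len(samples) > loss_limit:
        return "flapping"
    return "ok"

def alerts(probes):
    """Alerts for the administrator, most severe first."""
    found = [(name, classify(samples)) for name, samples in probes.items()]
    found = [(name, state) for name, state in found if state in SEVERITY]
    return sorted(found, key=lambda item: (SEVERITY[item[1]], item[0]))

if __name__ == "__main__":
    for device, state in alerts(SAMPLE_PROBES):
        print(f"ALERT {device}: {state}")
```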
Activity 03
3.1 Risk Assessment Procedures. (P5)
3.1.1 What is a risk?
Risk means an adverse situation that we will face in the future, occurring over a relatively short time. These risks may occur as a result of human actions. Most of the risks can happen to the organization due to the faults of the workers in the organization, so the owner of the organization should assess the risks. (https://www.thesaurus.com/)
What is Risk Assessment?
As discussed above, risks are common to large organizations, communities, companies, etc. Risk assessment is the term used for the overall process of identifying the hazards and risks that may affect the company or organization, and analysing and evaluating the risk associated with each hazard. Having identified and analysed the risk, we have to determine appropriate ways to control it when the hazard cannot be eliminated. We can identify certain kinds of risks by looking around our workplace for the things, situations, processes, etc. that may cause harm to people. Once this determination is made, we can decide what measures should be in place in the organization to effectively eliminate or control the harm. (https://www.investopedia.com)
3.2 Data protection process that applicable to an organization. (P6)
Data protection is very useful in an organization, because any organization or big company holds a lot of useful data, and if that data is leaked to its competitors the organization or company will surely go bankrupt. These are some of the useful kinds of information that reputed companies have:
- The type of customers they have
- Number of customers they have
- Banking information
- Information about the assets
If these kinds of information are leaked from the business or organization, it may pose a huge risk to that organization. There are many ways to protect these kinds of important data, including:
- Fixing CCTV cameras
- Employee monitoring system
Fixing of CCTV cameras
For the owner of a big organization, fixing CCTV cameras is a well-informed decision. The use of CCTV cameras must comply with state criminal eavesdropping statutes, which require posting signs where video monitoring is taking place. Another benefit of CCTV cameras is that when thieves or robbers attack the organization, we can monitor it from the cameras and take the necessary decisions.
Employee monitoring
This is also a method of data protection, because some workers or employees may carry out fraudulent activities against the company, so as an owner we have to be aware of that. Frequently monitoring the employees or workers is therefore an important task. But there are limits to monitoring employees, because employees' privacy is also protected: monitoring is permitted where the employer makes a clear disclosure regarding the type and scope of the monitoring in which it is engaged. (https://searchdatabackup.techtarget.com)
3.3 Summarization of ISO 31000 risk management law. (M3)
3.3.1 What is Law?
For everything there must be laws and regulations that we should follow. Without them an organization or company cannot keep operating. First, we have to see what law means. Law means a certain kind of order that is implemented by the head of the organization to minimize mistakes, frauds and favouritism among the workers in the organization.
Implementing laws is a difficult task for the CEO of the company, because he should know how to implement suitable laws for the workers. When the laws are too strict some employees might not work properly, and when there are too few laws the workers also might not work properly. To get the work done by the workers, the CEO must think from his own perspective, the company’s perspective and the employees’ perspective; then he can run his organization or company peacefully without mistakes, frauds and favouritism.
Every CEO looks to reduce the risks facing his organization, and for that he should implement laws and regulations continuously. There are guidelines for implementing laws for risks, and those guidelines are in ISO 31000:2018.
3.3.2 Summarization of ISO 31000: 2018 related to EMC company
ISO 31000:2018 consists of risk management guidelines, providing principles and frameworks to manage risks in the EMC company. When the CEO of the EMC company follows ISO 31000:2018 it is easier to handle the EMC company, because all the guidelines and frameworks are in it. Any business, whether small-scale or large-scale, can use ISO 31000:2018.
By using ISO 31000:2018 the EMC company can increase the likelihood of achieving its objectives and can easily identify its strengths and weaknesses. These things relate to the vision and mission of the EMC company. However, ISO 31000:2018 cannot be used for certification purposes, but it provides guidance for internal and external audit programs.
By following ISO 31000:2018 the owner of the EMC company can compare the risks and threats facing the EMC company. In other words, the CEO of the EMC company can compare the threats he faced in the past with the new threats that arise. Another benefit is that the company can compare its risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance. A further benefit is that the owner of the EMC company can identify risks before they affect the company. With these benefits the EMC company can move forward without threats and risks, and the owner of the EMC company can take decisions before a risk or threat materializes.
3.3.3 ISO 31000: 2018 Risk Management
If the EMC company is affected by risks, there can be consequences in terms of economic performance and professional reputation, as well as environmental, safety and social outcomes. If threats or risks affect the economic performance of the EMC company, it is a huge loss for the company, because customers will reject the company, the banks that give it loans may refuse them, and finally the employees who depend on the EMC company are affected. After economic performance, professional reputation is affected. If the EMC company deals or transacts with foreign countries, professional reputation is highly important. If it is damaged by threats or risks, those countries will also start to reject the company. For these reasons, managing risks effectively helps the EMC company to perform well in an environment full of uncertainty. (https://securityintelligence.com)
3.4 What is Audit? (M4)
In every large-scale company there is an audit firm to examine the current situation of the company. If the employees have committed any fraud or illegal business, they get caught at this point. That is the benefit of an audit firm. If there is no audit department, the company is bound to go bankrupt, because no one is there to find the frauds and other wrongdoing happening in the company. In some companies there are security audits, which check whether the security system is working in a proper manner. If there is no audit to examine the security system, the security system might also be compromised. From the above points, we can say that IT security audits have a huge impact on organizational security.
3.4.1 What is IT security Audit?
An IT security audit involves an IT specialist examining an organization's existing IT infrastructure to identify the strength of its current arrangements and any potential vulnerabilities. IT security is very important to the EMC company, because carrying out IT security audits ensures that its cyber defenses are as up to date as they can be, effectively detecting or responding to any kind of threat posed by hackers and other criminals who manipulate IT systems for their own ends. When the EMC company is dealing with other countries, cyber defenses are very important: if they fail, dangerous hackers can attack the servers and take all the important information, but if the cyber defenses are up to date there is no risk.
3.4.2 What an IT security Audit does for the company.
When all the IT services are connected with the IT security audit, the organization can have a more formidable IT system in place. There are many departments in the company, and when the IT security audit covers each department, its function may range from database management to resource planning, as a chain network. For a company, data is one of the key assets that requires top security control. If the data is released to or hacked by competitors or another firm, it is a main reason for the company to go bankrupt or get a bad reputation, and for these reasons we have to protect our data. IT security auditors determine the type of information we have, how it flows in and out of the organization, and who has access to the information. (https://cheekymunkey.co.uk)
3.4.3 IT security Audits can identify the Vulnerable points and problem areas in the company.
The special feature of an IT security audit is that it can identify vulnerable points and problem areas easily. The IT system is a vast one with several components, including hardware, software, data and procedures, but the IT security audit can find the vulnerable areas easily. Through the audit we can check whether our hardware and software tools are configured properly and working properly. Security audits also retrace the security incidents or dangerous situations the company faced in the past that might have exposed its security weak points. The other main thing the audit does is carry out tests of network weaknesses, the operating system, access control and security applications. (https://cheekymunkey.co.uk)
3.5 How is IT security aligned with organization policy? (D2)
Security objectives are aligned with the company’s goals and documented in company policies and procedures. Company policies and procedures are not just paperwork; they are the basis of a strong security plan. Once the company policies and procedures have been developed or updated with the help of the company's staff, your organization’s security basis will be more current, sound and in compliance.
The company's cybersecurity experts:
- Cooperate with your organization to develop strategies for successfully communicating policies, standards and procedures for measuring good security practices and agreements
- Provide ongoing management of the company policies, procedures and standards to ensure those documents are kept current and relevant
3.4.4 Aligning Security with company objectives
Aligning security with the organization’s greater business needs is becoming increasingly important, but how do you really do it? What it comes down to is being able to map security to business objectives. Done right, security can be a main business driver. Today, everyone from finance to DevOps to sales and engineering has security top of mind, at least if they know what’s good for them.
In this post, we’ll offer numerous ways to bridge the gap between security and the rest of the company, allowing you to successfully bring it into the organization in order to meet any number of business objectives. (https://cheekymunkey.co.uk)
3.4.5 How IT security Misaligned with organization policy?
Misalignment arises when the intended objective or plan conflicts in some way with the actual result. The idea of alignment in IS has been explored especially in IT-business alignment. It has also been examined in software development, to address issues around alignment between development and testing. The concept of alignment, particularly in IT, is complex, as it is quite fragmented and relates to different facets. Hence, in order to achieve suitable alignment, it is important to ensure the focus is on specific components of alignment rather than on general alignment. For this reason, the lack of alignment, which is referred to in this study as misalignment, is discussed in the context of, firstly, outside entities such as customers, standards and guidelines, regulations and third-party software; the different roles involved in the software development process; the current and required skills for integrating security requirements; and lastly the general system requirements. All the recognized forms of misalignment pose challenges to the integration of security requirements in mobile application development. The section that follows gives an overview of the different forms of alignment. (https://cheekymunkey.co.uk)
Activity 4
4.1 Suitability of the tools used in the policies
Organizational design is regarded in the policy literature as a powerful policy tool for putting policy into action. However, earlier research has not examined the project organization as a specific form of organizational design and, hence, has not given much attention to such organizations as a strategic choice when choosing policy tools. The purpose of the article is to examine the project as a policy tool: how do such temporary organizations function as a specific form of organization when public policy is implemented? The article is based on a framework of policy implementation and is illustrated with two welfare reforms in the Swedish public sector, which were prepared and implemented as project organizations. The case studies and the analysis show that it is vital that a project organization fits into the overall governance structure when used as a policy tool. If not, the project will remain encapsulated and will not have sufficient influence on the permanent organizational structure. The concept of encapsulation indicates a need to protect the project from a potentially hostile environment. The implication is that organizational design as a policy tool merits more attention in the strategic discussion on implementing public policies and on the suitability of using certain policy tools. (http://infosectoday.com)
4.2 What is DRP?
A disaster recovery plan (DRP) is a documented, structured approach with instructions for responding to unplanned incidents. This step-by-step plan consists of the precautions to minimize the effects of a disaster so the organization can continue to operate or quickly resume mission-critical functions. Typically, disaster recovery planning includes an analysis of business processes and continuity needs. Before making a detailed plan, an organization often performs a business impact analysis and risk analysis, and it establishes the recovery time objective and recovery point objective. In other words, disaster recovery planning is just one part of business continuity planning and applies to the aspects of an organization that depend on an IT infrastructure to function.
The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality to allow a business or organization to operate. (https://resources.infosecinstitute.com)
4.2.1 Creating disaster recovery plan.
An organization can start its DRP with a summary of vital action steps and a list of important contacts, so the most vital information is quickly and easily available. The plan should describe the roles and responsibilities of disaster recovery team members and outline the criteria to launch the plan into action. The plan then specifies, in detail, the incident response and recovery activities. (https://resources.infosecinstitute.com)
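Once the recovery time objective (RTO) and recovery point objective (RPO) from section 4.2 are set, a draft plan can be checked against them, as in this added example (not part of the original assignment). The systems, hours and dependency model are constructed assumptions: a system can only be restored after the systems it depends on, and independent systems are restored in parallel.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    rto_hours: float              # maximum tolerable time until the system is back
    rpo_hours: float              # maximum tolerable window of lost data
    backup_interval_hours: float  # worst-case data loss equals the gap between backups
    restore_hours: float          # duration measured in the last restore test
    depends_on: tuple = ()

# Constructed sample inventory for a cloud provider.
SAMPLE_PLAN = [
    System("customer-portal", 8, 24, 24, 1, ("tenant-database",)),
    System("tenant-database", 4, 1, 4, 3, ("storage-cluster",)),
    System("storage-cluster", 4, 4, 4, 2),
]

def ready_times(systems):
    """Hours after the disaster at which each system is usable again."""
    by_name = {s.name: s for s in systems}
    ready, visiting = {}, set()

    def visit(name):
        if name in ready:
            return ready[name]
        if name in visiting:
            raise ValueError(f"dependency cycle at {name}")
        visiting.add(name)
        system = by_name[name]
        # Restoration cannot start before every dependency is back.
        start = max((visit(dep) for dep in system.depends_on), default=0.0)
        visiting.discard(name)
        ready[name] = start + system.restore_hours
        return ready[name]

    for s in systems:
        visit(s.name)
    return ready

def find_gaps(systems):
    """List (system, objective, actual_hours, target_hours) for every missed objective."""
    ready = ready_times(systems)
    gaps = []
    for s in systems:
        if ready[s.name] > s.rto_hours:
            gaps.append((s.name, "RTO", ready[s.name], s.rto_hours))
        if s.backup_interval_hours > s.rpo_hours:
            gaps.append((s.name, "RPO", s.backup_interval_hours, s.rpo_hours))
    return gaps

def recovery_order(systems):
    """Order in which restores start: dependencies first, tighter RTO breaks ties."""
    ready = ready_times(systems)
    return [s.name for s in sorted(
        systems, key=lambda s: (ready[s.name] - s.restore_hours, s.rto_hours))]

if __name__ == "__main__":
    print("Restore order:", " -> ".join(recovery_order(SAMPLE_PLAN)))
    for name, objective, actual, target in find_gaps(SAMPLE_PLAN):
        print(f"{name}: {objective} missed ({actual}h against a target of {target}h)")
```

In the sample, the database restores in three hours, inside its four-hour RTO when viewed alone, but it misses the objective because it has to wait two hours for storage.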
4.3 Role of the stakeholders related to the security of the company.
4.3.1 Who is a stakeholder?
Definition of the term "stakeholder": A person, group or organization that has an interest or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the company draws its resources. Not all stakeholders are equal. A company's customers are entitled to fair trading practices but they are not entitled to the same consideration as the company's employees. The stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or unwillingly, to its wealth-creating capacity and activities, and that are therefore its potential beneficiaries and/or risk bearers.
Types of stakeholders
- Primary stakeholders – Usually internal stakeholders, these are those that engage in financial dealings with the business (for example stockholders, customers, suppliers, creditors, and employees).
- Secondary stakeholders – Usually external stakeholders, these are those who, although they do not engage in direct financial exchange with the business, are affected by or can affect its activities (for example the general public, communities, activist groups, business support groups, and the media).
- Excluded stakeholders – Those such as children or the disinterested public, originally excluded as they had no financial impact on the company. Now, as the concept takes an anthropocentric viewpoint, some groups like the general public may be recognized as stakeholders while others remain excluded. Such a viewpoint does not give plants, animals or even geology a voice as stakeholders, but only an instrumental value in relation to human groups or individuals. (http://www.businessdictionary.com)
4.3.2 Role of a security stakeholder related to the company.
We can view security’s customers from two viewpoints: the roles and tasks that they have, and the security benefits they obtain. The roles and tasks aspect is vital because it determines how we should communicate with our various security customers, based on enabling and influencing them to perform their roles in security, even if that role is a simple one, such as using an access card to gain admission to the facility. It is also vital because fulfilling their roles and tasks as employees, managers, contractors or partners is the way that security’s customers “pay for” the security that they obtain. If they do not see or understand the value of security, or are not happy about how much they have to pay for it (i.e. how much trouble they have to go through for security), they may choose to bypass security, such as by tailgating to enter the facility.
While some individuals in our company or organization pay for security by allocating or approving security project funding, the majority of individuals pay for security by fulfilling their roles and tasks, and that is critical to establishing sound security throughout the organization or company. Due to the importance of the roles that our workers play in security, as well as the benefits security provides to them, we refer to security’s customers as stakeholders. (http://www.businessdictionary.com)
Security Stakeholders Exercise
In last month’s column we started with the making of a personal Lean Journal, and a first exercise of identifying the security stakeholders. Why perform this exercise? There are many benefits for security staff and officers as well as for security managers and directors who perform it. It helps to start with a small group first and then expand outward, using the results of the first exercise to refine your efforts. Begin at the highest level of security and work down, such as the headquarters or local level for large organizations, and security manager, staff, managers and officers at the site level. Here are some of the benefits of this exercise:
- Transfers knowledge and insights from more experienced personnel.
- Shares knowledge between shifts and functions.
- Can reveal security value not immediately apparent to security personnel.
- Expands security personnel awareness of the value of their jobs.
- Increases sensitivity of security personnel to security stakeholders’ concerns.
- Provides a check on the effectiveness and scope of security personnel training.
- Helps to reinforce the common purpose and build camaraderie.
(https://www.executestrategy.net)
Conclusion
EMC is a well-reputed cloud solution provider in Sri Lanka. EMC provides its services to SME Bank Sri Lanka and the WEEFM company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers, and it has roughly five hundred customers. The head office of the EMC company is situated in Bambalapitiya. However, the EMC company has a poor security system, both physically and in terms of the network. By implementing new security procedures we can build a new system for the EMC company, and by using firewalls, VPNs, a DMZ and NAT we can build a good network security system for it. From the things we learned above, we know how to maintain the company without any risks, and if there are any risks, we know how to overcome them. Finally, we also know about audits and their importance, who the stakeholders are, and the role of the stakeholders.
References
Hq.nasa.gov. (2019). [online] Available at: https://www.hq.nasa.gov [Accessed 13 Feb. 2019].
Anon, (2019). [online] Available at: https://www.researchgate.net/publication/266686928_Classification_of_Security_Threats_in_Information_Systems [Accessed 13 Feb. 2019].
Investopedia. (2019). Return on Assets - ROA. [online] Available at: https://www.investopedia.com/terms/r/returnonassets.asp [Accessed 13 Feb. 2019].
Paperdue.com. (2019). Business Risk Essays: Examples, Topics, Titles, & Outlines | Page 11. [online] Available at: https://www.paperdue.com/topic/business-risk-essays/11 [Accessed 13 Feb. 2019].
WARFRAME Wiki. (2019). Damage. [online] Available at: https://warframe.fandom.com/wiki/Damage [Accessed 13 Feb. 2019].
Fixcleanerpc2017.com. (2019). ## Fixcleaner Softpedia - 2017 (FIX) 5 Star Rating - My Faster PC Windows 10 Download. [online] Available at: http://fixcleanerpc2017.com/Fixcleaner Softpedia=p9619/ [Accessed 13 Feb. 2019].
Phil Gambino, C. (2019). Social Security Takes Fraud Seriously | Social Security Matters. [online] Blog.ssa.gov. Available at: https://blog.ssa.gov/social-security-takes-fraud-seriously/ [Accessed 13 Feb. 2019].
The Balance. (2019). Do You Need Help Filing a Property Damage Claim? [online] Available at: https://www.thebalance.com/what-is-a-property-damage-claim-527109 [Accessed 15 Feb. 2019].
Osha.gov. (2019). Section 6 - Chapter II. Inspection Procedures. [online] Available at: https://www.osha.gov/Firm_osha_data/100006.html [Accessed 15 Feb. 2019].
Docs.oracle.com. (2019). DBMS_MONITOR. [online] Available at: https://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_monitor.htm [Accessed 15 Feb. 2019].
Pmi.org. (2019). Risk analysis and management. [online] Available at: https://www.pmi.org/learning/library/risk-analysis-project-management-7070 [Accessed 15 Feb. 2019].
Fieldengineer.com. (2019). What Is a Firewall and Why Is It Important for Network Security? [online] Available at: https://www.fieldengineer.com/blogs/what-is-firewall-important-network-security [Accessed 15 Feb. 2019].
Docs.microsoft.com. (2019). Set-NetFirewallRule (net security). [online] Available at: https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallrule [Accessed 15 Feb. 2019].
VPNSecure.me. (2019). How VPN Works. [online] Available at: https://www.vpnsecure.me/how-vpn-works/ [Accessed 15 Feb. 2019].
Techopedia.com. (2019). What is a Static IP Address? - Definition from Techopedia. [online] Available at: https://www.techopedia.com/definition/9544/static-internet-protocol-ip-address-static-ip-address [Accessed 15 Feb. 2019].
Search Security. (2019). What is DMZ (networking)? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/DMZ [Accessed 15 Feb. 2019].
Nokitel.im. (2019). Interview Questions – nokitel. [online] Available at: http://nokitel.im/index.php/interview-questions/ [Accessed 15 Feb. 2019].
Support.norton.com. (2019). Change the trust level of your network and devices. [online] Available at: https://support.norton.com/sp/en/us/home/current/solutions/v9802264_ns_retail_en_us [Accessed 15 Feb. 2019].
InDesign Secrets. (2019). network monitoring - InDesign Secrets. [online] Available at: https://indesignsecrets.com/topic/network-monitoring [Accessed 15 Feb. 2019].
www.thesaurus.com. (2019). I found great synonyms for "risk" on the new Thesaurus.com! [online] Available at: https://www.thesaurus.com/browse/risk [Accessed 15 Feb. 2019].
Investopedia. (2019). Risk Assessment. [online] Available at: https://www.investopedia.com/terms/r/risk-assessment.asp [Accessed 15 Feb. 2019].
SearchDataBackup. (2019). What is data protection? - Definition from WhatIs.com. [online] Available at: https://searchdatabackup.techtarget.com/definition/data-protection [Accessed 15 Feb. 2019].
31000:2018, I. (2019). ISO 31000:2018. [
Security Intelligence. (2019). 10 Takeaways from the ISO 31000:2018 Risk Management Guidelines. [online] Available at: https://securityintelligence.com/10-takeaways-from-the-iso-310002018-risk-management-guidelines/ [Accessed 15 Feb. 2019].
Cheeky Munkey. (2019). What is an IT security audit? - Cheeky Munkey. [online] Available at: https://cheekymunkey.co.uk/what-is-an-it-security-audit/ [Accessed 15 Feb. 2019].
Infosectoday.com. (2019). Why Information Security Training and Awareness Are Important. [online] Available at: http://infosectoday.com/Articles/Security_Awareness_Training.htm [Accessed 15 Feb. 2019].
InfoSec Resources. (2019). Improving SCADA System Security. [online] Available at: https://resources.infosecinstitute.com/improving-Scada-system-security/ [Accessed 15 Feb. 2019].
BusinessDictionary.com. (2019). What comes after those ellipses? [online] Available at: http://www.businessdictionary.com/definition/stakeholder.html [Accessed 15 Feb. 2019].
BusinessDictionary.com. (2019). The Role of Stakeholders in Your Business. [online] Available at: http://www.businessdictionary.com/article/601/the-role-of-stakeholders-in-your-business/ [Accessed 15 Feb. 2019].
Cascade Strategy. (2019). The Benefits of Applying the Stakeholder Theory - Cascade Strategy. [online] Available at: https://www.executestrategy.net/blog/stakeholder-theory/ [Accessed 15 Feb. 2019].