Management of organizational security Report
Introduction
The term security is the most common issue in present scenarios within the organization. This is related to the protection of the assets based on organization which mainly consists of the data, personal information of a user, networks, or equipment information from the attackers. These assets can be prevented by using appropriate techniques for prevention as in the manner of testing or using security policies as well as using techniques for detection through which effective response has been generated.
This report discusses the threats detection as well as the detection of physical & IT security vulnerabilities and also evaluate the methods through which risk of security get managed. The main topics that are going to discuss in this report are about designing network security which includes the discussion of the firewalls, DMZ, translation of address, AV & VPN.
This report also discusses the remote access concept which tests the vulnerabilities. This report helps in developing the skills of security like literacy of communication, analysis, critical thinking, interpretation, reasoning through which academic competence has been developing. This unit covers the IT security risk as well as appropriate solutions. This also describes the management of organizational security as well as the mechanism to control the risk of security.
LO1
P1
There are plenty of threats for an organization through which they could be harmed. Let us discuss some of those threats as follows:
- Viruses in computer: Programmed software that can transfer through different computers and networks and can perform malicious activities inside the computer or other devices is known as a computer virus. All tasks like corrupting a file, or damage the data, or even formatting all the data, can be performed by a computer virus. A virus in a computer can also spread from installing different applications, by clicking on the advertisement that appears on different websites, it can also be caught by visiting unsecured web services, as already discussed it can transfer from computer to computer with the help of hard drives, etc.
- Computer Worm: A infected software that affects and spreads only in interconnected systems and can automatically copy themselves are called Computer Worm. This type of malicious software doesn’t need any human for seeding it instead it can do it all on its own and can damage the sensitive files and more importantly can give remote access to anyone by downloading a back door to the entire system.
- Rootkit: there are plenty of various kinds of rootkit-like, Firmware, Boot kits, kernel-level rootkits, etc. All these are infected programs that can download themselves automatically without any human interaction and spreads malicious code inside the whole system and attains all the top-level information from the network of an organization or computer.
- Breaching of Data: the threat for security which can get access to all the safe and secret data and all this activity is performed by a system that has no authorization about the owner pf the system. All the data that has been breached by this malware could be secrets of the trade, data of the customers, number of credit cards, etc.
P2
The security procedure of an organization some important steps that must be followed. The steps such as control of access, administrative, configuration, auditing, responses to the incidents, physical procedures, and environmental procedures. For better understanding, given below are some examples:
- In the office premises, if someone has to enter then they must first go through the security guard, even if the work is from reception only.
- Every staff member of the organization should have identity cards provided by the organization so that there would be less difficult for both the security guard and the staff members.
- It is guard's responsibility to check every detail of the id card like, name, photo, a signature of issuer, all this to make sure that whether the employee is from the organization or not.
- After the security check at guard, the employee has to make sure that the electronic machine at the entrance gate gives access to the employee when the employee places their thumb impression at the machine.
- In any case at security check post if any employee's information does not match than the guard has to contact the senior authority or to the department of human resources for clarification.
- All these security steps must be regularly checked by the auditing team for the effectiveness of the process and also if someone tries to access the office parameters forcefully than the guard must take strict action against that person.
M1
For accessing and treating the IT security risk, firstly the risks are supposed to be identified that whether that sort of incident has occurred previously, what was the report on that incidents by security team or by media; are there any incidents related to safety, health or environmental. After identifying the risk type than its time for prioritizing the risk like, what would be the objective and strategy of business; the issues which are faced by the company; all the legal and regulatory point of view; the risk appetite of the company; and lastly what are the needs of the people connected to an organization such as parties, customers, stakeholders, staff members.
LO2
P3
Many of the users change the pre-shared key, because of that, the VPN gets changed (many people do this on purpose) which becomes the reason for a security breach. There is a need for an exact value that everyone does not know and fails to change the VPN and lost the connection. The whole infrastructure of IT has been compromised in a way and this because of the firewall. Firewalls do its work from the very basic policies of security of an organization and the work done by it is so perfect that the implementations of various firewalls have been created. If there is a pre-assessment of such activity then it would show the actual impact, in which the report will show financial losses, as well as attacks on data as well. However, the policies of firewalls are discussed before the implementation of the infrastructure which means that it is a very important factor for an organization. Also, it is shared among a given scenario and strategic variables. Various factors occur because of firewall which is poorly configured, following are two among those:
- The traffic which was needed does not arrive at the destination it was supposed to be.
- Unwanted traffic gets to a place where it was not intended to be reached.
P4
DMZ (Demilitarized Zone) is a secure network perimeter which is made by the organization of large sizes for implanting firewall in their system. A small sized organization can simply with the help of server and clients install it. For putting on the DMZ there should be a web server that has public information, a server of e-commerce transaction so that the payment could be done, also a server for mail that could relay the external mails to the internal emails, endpoints of VPN, gateway applications, servers for staging and test (Taylor, 2001).
The IP addresses are internally stored in the form of numbers. Whereas the human prefers names and the computers prefer numbers. Humans can use for searching something, DNS (domain name system) has been introduced which converts the name inserted by the user to numbers so that the computer can understand it then computer answer back in form of numbers and then again, the DNS converts the numbers into names.
Given below are some benefits of NAT:
- Private IP addresses can be reused.
- By keeping the external network away from the internal network in terms of addressing for increasing the security of private networks.
- For saving some space for IP addresses, a vast number of hosts are connected using a small number of outside IP addresses to the global internet.
M2
Three benefits of implementing network systems are:
- Analysis of network traffic: Packet data has been sending to the solution of network monitoring by router & switches for analysis. This will use the overall ports of the switch and make an appropriate communication set as well as protocol set.
- Helps in managing the technical issues: Network monitoring saves a high amount of time and money of the consumer with provides satisfaction ton services. As it can provide appropriate help of technical support.
- Evaluate the threats of security: As day by day attacks at sites become more sophisticated & it seems to be difficult to evaluate the trace, the network system helps detect or migrate the threats of security (Payne, 2018).
LO3
P5
For a better understanding of the process of risk management, the following steps should be followed:
- Knowing the Danger: the dangers like biological hazard, natural disasters, intentional acts, workplace accidents, chemical hazards, technological hazards, the blockage of the supply chain, mental hazards, all these risks are the main considerations of an organization. Nearby a workplace, it depends a lot that what kind of environment is there because an unsafe environment and unwanted activities could affect an organization a lot.
- Knowing about who could get harmed: according to the above-discussed hazards, an organization needs to find out that how from one of those hazards could affect their employee whether it's my activity of the business or by external factors. Also, which particular department employees could get harmed by which one of the hazards.
- After getting the list of that hazard which could affect the organization and the employees of it, it is time to know that what are the particular chances of happening of a hazard and also what will be the consequences because of it. All these lists and knowledge about the hazard will help an organization to know which hazard should they be prioritizing and also what percent of damage a particular hazard could create.
- If an organization has a total number of employees more than five than they are supposed to make the risk assessment process which will have the data about how a hazard is going to affect and what is the possibility of occurring. The assessment plan should contain details like, checking of the workplace, the people who could get affected, etc.
- In many of the organizations, the workplace keeps on changing and so will the risk of hazard. So, there should be regular risk assessment processing in every organization.
Figure 1: Steps for risk assessment
P6
The process of protecting crucial data from various threats, compromises, and corruption is known as data processing. The increase in the creation and storing of data leads towards its security because it is known that if data is increased than the normal protection system isn't enough for it. There are few strategies of data protection that can bring back i.e. restore all the data and information that was compromised. Data protection brings a promise with it that at any condition id-data has been attacked then it will bring the all data back. Also, data protection is a term that is used for protecting the data and as well as restoring the hacked data. data management and data availability are two terms around which the whole strategy of data protection is there. Data management refers that, in an organization to safely store the data and provide the backup for it online and offline but safely, and also to create all the necessary strategies regarding that. Data availability refers to that, if in any organization some small amount of data is lost then at any cost it is the responsibility of the data processing team to get that data back. There are plenty of new storage technologies that allow the user to backup the essential files in the first place so that the risk of getting hacked could be reduced. Also, there is a new technology called mirroring which allows the user to create an exact copy of the files on copied websites. Whenever there is a change in the organization than backs up can help in restoring all the data easily and safely. Another data protection technique and the most used one is transferring the data through cloud services because it provides the option of encryption and it is the safest word in the online world (Rouse, 2017).
Figure 2: Steps for data protection
M3
ISO 31000
This is a methodology of security analysis or a type of process of risk management is mainly used the solve several risk associated programs within a company. This will help in steps standardization through which risk management has been evaluated to leave out a formal workflow (Lashin, 2016).
Application of the ISO 31000:
- This will help in creating as well as protects a value.
- This seems to be the most important part of the security process.
- It helps in decision making.
- This will help to address several uncertainties.
- It provides timely or systematic workflow.
- It helps in evaluates the vulnerabilities.
- Improve control over management.
- It helps in minimizing the losses.
M4
Impacts of organizational security resulting from an IT security audit:
It will help to evaluate the areas of problem and effective points of vulnerabilities. This will also help in evaluates the security policies as well as the standards. This will help in generating a recommendation for leverage technology of information within the security concept of business. This aspect also helps in delivers the analysis that will be based on the external as well as internal practices of IT or several systems (PATTERSON, 2017).
LO4
P7
Security policy is of two types, the first one tackles with all the threats from outside so that the network could work effectively without any disturbance, and the second one tackles with all the threats from inside by telling the proper network resource usage. Pointing out the threats outside is oriented by technology. Antivirus software, firewall, email filters, malicious activity detector, and many others are some technologies that help in reducing the threats from an external network. All the technologies mentioned above can only be implemented by the staff of the IT department and not by the users. After al this the main issue is the use of the network from inside the organization can create issues of management. There is a policy for such activity that regularly notes the activity of the employee, called AUP (Acceptable Use Policy). This policy is useful as it can protect an organization when there is inappropriate activity according to the policy and the main source from which the activity is done can be panelized and also there would be proof that if there is any breach then an organization can show that it didn't happen from internal side. In the end, an organization must identify their risks, every organization should take a lesson from other organization who have gone through that situation, the policy implemented in an organization must be conforming the legal requirements, an organization must understand that the level of security is equal to the level of risk, organization heads should not make the policy alone instead they should include some of the staff members as well or if possible then all of them, organizations must also train every employee about the policy and use of it, and mainly while implementing the policy everyone must be told about the penalty and the other actions that will be taken (Duigan, 2003).
Figure 3: Security policy
P8
There are a few important elements for a better understanding of the Business Recovery Plan of Organization. Given below are those elements:
- Whenever there is a situation of a disaster, communication plays a very important role. There is a plan created and that states the role of every employee and also outlines all the main points. A document is made which states the information of each employee and that also updated information so that no confusion would be there, and with that employees should understand exactly what are their roles and perform them.
- The second factor is about saving all the equipment that is owned by the organization. Everything must be checked and there should be a team assigned to protect those as well. It is better to disconnect each equipment and store them in one place so that losses could be less.
- When an organization is under disaster than they must take care of some crucial points under the recovery plan and that is to maintain data of what the organization would be needing operationally, and also financially, should check for the supplies and the communication sources. A plan is a must for every organization and if it's a large-sized organization that has many customers and suppliers and a vast number of employees as well then it is mandatory to create backup data that could help in the future to the organization. Every important data of the company should be cross-checked by the IT department and make sure no attack would happen at that time by making backups using appropriate techniques (Entech, 2018).
Figure 4: Disaster recovery plan
M5
Stakeholders play a key role in internal audit. They have a piece of specific knowledge about the network audit. But they are facing some lack of knowledge issue and that can be solved by Co-sourcing. This will helps to gain the prevalent model of an audit. One more alternate model exists name as programs of guest auditor which also work on a similar concept. Stakeholders develop a program of inducting for new audits along with organizing a meeting for secure management in which new information has been provided to other staff. Stakeholder design a plan for solves out the audit issues that related to different services.
Conclusion
This report helps in understanding the main concept of security within an IT organization. The main of this report is to evaluate the information of security that will associate with security breaches and risk influence over the continuity of business. This involves the authorization access, use regulation, contingency plan implementation as well as discussion of policies or different procedures that relate to the security. This report commonly divides into four parts, in which the first part discusses the IT security risks, The next part relates to solutions of IT security, the third one is a mechanism for IT Security control and the last one is the management of security within an organization.
References
Hayslip, G., 2018. 9 policies and procedures you need to know about if you’re starting a new security program. [online] CSO Online. Available at: https://www.csoonline.com/article/3263738/9-policies-and-procedures-you-need-to-know-about-if-youre-starting-a-new-security-program.html [Accessed 16 May 2020].
Lucidchart., 2018. A Complete Guide to the Risk Assessment Process | Lucidchart Blog. [online] Available at: https://www.lucidchart.com/blog/risk-assessment-process [Accessed 16 May 2020].
Rouse, M., 2017. data protection. [online] SearchDataBackup. Available at: https://searchdatabackup.techtarget.com/definition/data-protection [Accessed 16 May 2020].
Duigan, A., 2003. 10 steps to a successful security policy. [online] Computerworld. Available at: https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html [Accessed 16 May 2020].
Touhid, 2019. Common Types of Security Threats to Organizations | Cyber Security Portal. [online] Cyber Security Portal. Available at: https://cyberthreatportal.com/types-of-security-threats-to-organizations/ [Accessed 16 May 2020].
Cambridge., 2016. Information Security Risk Assessment and Treatment. [online] Available at: https://www.cambridge-risk.com/information-security-risk-assessment-and-treatment/ [Accessed 16 May 2020].
CCSI., 2017. 10 Common IT Security Risks in the Workplace. [online] Available at: https://www.ccsinet.com/blog/common-security-risks-workplace/ [Accessed 16 May 2020].
Entech, 2018. 7 Key Elements of a Business Disaster Recovery Plan - Entech. [online] Entech. Available at: https://entechus.com/7-key-elements-of-a-business-disaster-recovery-plan/ [Accessed 16 May 2020].
Payne, C. (2018). 10 Reasons why Network Monitoring Software is a Must Have. [online] Advancedcyber.co.uk. Available at: https://www.advancedcyber.co.uk/it-security-blog/network-monitoring-software-is-a-must-have [Accessed 16 May 2020].
Doug (2018). Risk Management Process: Security Analysis Methodology. [online] RiskWatch. Available at: https://riskwatch.com/2018/03/19/risk-management-process/ [Accessed 16 May 2020].
Lashin, D.M. (2016). Application of ISO 31000 principles. [online] Linkedin.com. Available at: https://www.linkedin.com/pulse/application-iso-31000-principles-dr-mohamed-lashin [Accessed 16 May 2020].
Berkman, O. (2016). Stakeholders Play Important Role in Internal Audit Impact. [online] Financialexecutives.org. Available at: https://daily.financialexecutives.org/stakeholders-play-important-role-internal-audit-impact/ [Accessed 16 May 2020].
PATTERSON, J. (2017). transcosmos. [online] transcosmos. Available at: http://transcosmos.co.uk/blog/it-security-audit-business-process/ [Accessed 16 May 2020].
dbyler (2018). The Importance of Regular IT Security... [online] Spectrum IT Solutions, LLC. Available at: https://www.itbyspectrum.com/the-importance-of-regular-it-security-audits/ [Accessed 16 May 2020].