Đang tải... (xem toàn văn)
ASSIGNMENT 2 Security (Quillbot lại là đc M) Twitch is one of the largest streaming platforms in the world for people that want to go on to play games, and chat with other people. On October 7th,2021 Twitch put out a tweet from Twitter that their data has been hacked due to server configuration changes. The hackers also leak out every information such as username, and password from a streamer the most important is that the hackers leak how much money Twitch or all the top streamers on the platform made from streaming, this is very personal and when they leak out all of that information, everyone socks, and question twitch a lot
ASSIGNMENT FRONT SHEET Qualification BTEC Level HND Diploma in Computing Unit number and title Unit 5: Security Submission date Date Received 1st submission Re-submission Date Date Received 2nd submission Student Name Student ID Class GCH1006 Assessor name Ha Trong Thang Student declaration I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism I understand that making a false declaration is a form of malpractice Student’s signature Grading grid P5 P6 P7 P8 M3 M4 M5 D2 D3 ❒ Summative Feedback: ❒ Resubmission Feedback: 2.1 Grade: Lecturer Signature: Assessor Signature: Date: Table of Contents Introduction Task Discuss risk assessment procedures (P5) Risk Risk assessment 3.Define assets, threats and threat identification procedures, and give example 4.Explain the risk assessment procedure 11 List risk identification steps .13 Task Explain data protection processes and regulations as applicable to an organization (P6) 15 Define data protection .15 Explain data protection process in an organization 16 Why are data protection and security regulation important? 17 Task 2.1 Summaries the ISO 31000 risk management methodology and its application in IT security (M3) 19 Definition ISO 31000 19 What was in ISO 31000 19 2.4.Process 21 2.5.When ISO 31000 will be use? .22 2.6.Applications of ISO 31000 in IT 22 Task 2.2 Discuss possible impacts to organizational security resulting from an IT security audit(M4) 27 Define IT security audit 27 What possible impacts to organizational security resulting from an IT security audit .29 Provide a practical example for each of these impact 31 Task Design and implement a security policy for an (P7) 32 Define a security policy and discuss about it 32 2.Discuss about security policy 33 Give an example for each of the policies 36 Give the most and should that must exist while creating a policy 37 4.1 The most must exist while creating a policy .37 4.2 The most should exist while creating a policy 37 4.3 Example some of a few policy 37 Explain and write down elements of a security policy .38 Give the steps to design a security policy 39 Task List the main components of an organizational disaster recovery plan, justifying the reason for inclusion (P8) 40 1.Discuss with explanation about business continuity 40 2.List the components of disaster recovery plan 41 3.Write down all the step required in disaster recovery process 42 Explain some of the polices and procedures that are required for business continuity .44 Task 4.1 Discuss the roles of stakeholders in the organization to implement security audit recommendations(M5) 46 Define stakeholders 46 What are their roles in an organization? 47 Define security audit and state why you need it .48 Recommend the implementation of security audit to stakeholders in an organization .50 Conclusion .52 References 53 Introduction - Data frequently circulates freely between individuals, organizations, and enterprises in today's data driven and globally networked world Data has a great monetary value, and cybercriminals are fully aware of this Due to the ongoing rise in cybercrime, there is an increasing need for security experts to protect and defend businesses This report will go over some essentially core ideas of security, including examining risk assessment techniques, outlining data protection procedures and laws as they apply to a business, and creating a security policy for an organization It also examines and justifies the inclusion of a list of the primary organizational disaster recovery plan components Task Discuss risk assessment procedures (P5) Risk 1.1 Definition Risk in cybersecurity refers to the possibility of asset or data loss, damage, or destruction A threat is a bad thing that happens, such as when a vulnerability is exploited A vulnerability is a flaw that makes you vulnerable to danger and raises the possibility of unfavorable outcomes Therefore, your assets, data, or company may be in danger when a threat attacks a weakness in your IT infrastructure, network, or apps Risk is the possibility that an asset will suffer a loss The degree of exposure to an event is what affects an asset A computer, a database, or a piece of information can all be considered assets in the context of IT security Here are some instances of risk: + Losing data + Losing business because a disaster has destroyed your building + Failing to comply with laws and regulations Vulnerability management (VM) solutions' role is to assist enterprises in managing cybersecurity risk The "everything is a risk" mentality that permeates traditional VM forces security and IT teams to prioritize and fix an ever-growing list of vulnerabilities, many of which don't truly endanger the enterprise This wastes time, money, and resources and frequently causes a wedge between IT and DevOps teams, who must remediate without context or meaningful priority, and Security teams, who must struggle to prioritize what is most critical in a meaningful way Teams are ultimately unable to produce thorough or accurate reports of their efforts, and risk is not reduced 1.2 Negative school + Risk is unpleasant, undesirable, and unforeseen + Risk is the potential to experience discomfort or danger + Risks are unknown uncertainties that occur in a company's activities and production procedures and have a detrimental effect on the capacity of the firm to continue operating and expanding + According to popular knowledge, risk is simply described as "damage, loss, danger, or elements related with danger, difficulty, or uncertainty that can happen to a person." 1.3 The neutral school + Risk is measurable uncertainty that could be linked to the occurrence of unforeseen events; both the risk's current value, as well as its outcome, as well as its outcome are uncertain Risk assessment 2.1 Define : - The word "risk assessment" refers to the whole procedure or approach where you: + Determine the dangers and risk factors that might lead to injury + Analyze and assess the risk brought on by the hazard (risk analysis, and risk evaluation) + Find suitable strategies to reduce the risk or, if the danger cannot be reduced, remove it (risk control) - A risk assessment is a detailed examination of your workplace to find any elements, circumstances, procedures, etc that might be harmful, especially to humans Following identification, you assess the risk's likelihood and seriousness You can then decide what steps need to be taken to successfully remove or control the harm after this assessment has been reached 2.2 How does risk assessment works : + Size, growth rate, resources, and asset portfolio are some of the variables that impact how in-depth risk assessment models are Organizations could carry out generic reviews when faced with financial or time constraints On the other side, generalized evaluations could not necessarily contain exact mappings of assets, linked threats, known risks, consequences, and mitigation strategies If the results of the broad assessment not sufficiently connect these areas, a more in-depth study is necessary 2.3 The goal of risk assessment is to : + Analyzing potential dangers; + Preventing diseases or injuries; + Adhering to legal obligations; + Analyzing potential dangers; + Making a thorough inventory of the resources that are accessible + Defining the budget for risk mitigation + Justifying the expenses of risk management + Defining the budget for risk mitigation + The production infrastructure and assets of the organization are subject to defined, prioritized, and documented risks, threats, and known vulnerabilities putting up a budget to deal with or lessen the risks, dangers, and vulnerabilities that have been identified + It's crucial to comprehend the return on investment if funds are put in business assets such as infrastructure or other assets to reduce potential risk 2.4 steps in the risk assessment process : - Step 1: Identify the hazards + Is to identify the risks that your staff and business face, such as: + Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.) + Biological hazards (pandemic diseases, foodborne illnesses, etc.) + Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.) + Chemical hazards (asbestos, cleaning fluids, etc.) - Step : Determine who might be harmed and how + Consider how business operations or outside influences may hurt your staff when you take a look around your company Consider who will be injured if each of the hazards you identified in step one comes to pass - Step : Evaluate the risks and take precautions + You must take into account both the probability that the hazard will occur and the severity of the repercussions if it does This assessment will assist you in deciding where risk should be reduced and where dangers should be given priority - Step : Record your findings + The rules require you to document your risk assessment procedure The risks you've identified, the individuals they affect, and your mitigation strategy should all be included in your plan The document, or the risk assessment plan, should attest to the following: + Thoroughly examined your workspace + Ascertained who would be impacted + Handled any evident problems + Started taking actions to minimize risks + Maintain employee involvement throughout the process - Step : Review your assessment + Because your workplace is always evolving, so the threats to your business Each time new tools, procedures, or personnel are used, there is a chance that a new danger may arise To keep up with these emerging risks, you should evaluate and update your risk assessment procedure often 2.5 How to risk assessment? - IT agent can approach risk assessment in two ways : - Qualitative : + Risks are ranked according to their likelihood of happening and effect on company operations in qualitative risk assessment Impact is the level of danger that a true threat might represent Impact is sometimes stated as a range of values, from low (insignificant) to high (catastrophic) Although qualitative risk analyses can be rather subjective, they aid in identifying the most important threats This kind of evaluation encourages the use of relative words and calls for varied feedback from individuals who work in various areas A qualitative evaluation could inquire as to which dangers are more dangerous than others This enables the technical specialists and business units to comprehend how an occurrence may affect various operations or departments - Quantitative : + By assigning a monetary value to each risk, this kind of risk assessment aims to define risk in financial terms Unlike a qualitative analysis, it is more impartial Numerous hazards have values that are hard to quantify, which is a downside of this strategy The availability of countermeasures and reputation are a couple of these Particularly when estimating the cost of the impact of upcoming events, exact figures might be challenging to calculate As opposed to qualitative evaluations, quantitative risk assessments are simpler to automate 3.Define assets, threats and threat identification procedures, and give example 3.1 Definition of Assets - An asset is a resource that belongs to a person or business and has economic worth This comprises money, tools, things, rights, or anything else that enables a business to make money or save costs Because assets are what businesses rely on to run and turn a profit, they are crucial Along with liabilities and equity, it is one of the three ideas that make up the basic accounting equation - In information security, computer security, and network security, any information, gadget, or another framework element that facilitates information-related operations is a benefit A few examples of assets include hardware (such as servers and switches), software (such as mission-critical applications and support systems), and confidential data Assets must be safeguarded against unauthorized use, disclosure, alteration, destruction, and/or theft that might cause a loss of funds 3.2 Definition of Threats - Any situation or event that may have the potential to negatively affect an organization's operations (including its mission, functions, image, or reputation), assets, or people through the use of an information system, whether through unauthorized access, information destruction, disclosure, modification, or denial of service A threat source's capability to successfully exploit a certain information system vulnerability is another consideration A threat is anything that has the potential to seriously harm a computer system, networks, or other digital assets of an organization or person 3.3 Threats Identification Process - To discuss the daily activities to be accomplished, pre-work meetings should be organized Employees should be urged to be aware of potential hazards and to report them - Audit workplaces and examine for safety - Perform a JSA and employ hazops, if possible Any unique techniques, components, or structures must to be assessed - Examine the product's safety information, as well as any publicly accessible data Look for reports on the prior event and close calls 3.4 Example of Threats Identification Procedures - Threat identification in document