Assignment 2 Security (1623 Distinction)


Document information

This course provides an overview of the security challenges and the strategies for dealing with them in an information systems environment. Topics include definitions of terms, concepts, components and objectives, combining industry standards and practices with a focus on the availability, vulnerability, integrity and confidentiality aspects of information systems.

ASSIGNMENT FRONT SHEET

Qualification: BTEC Level HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:                Date received (1st submission):
Re-submission date:             Date received (2nd submission):
Student name: Bui Quang Minh
Student ID: GCD210325
Class: GCD1104
Assessor name: Tran Thanh Truc

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature:

Grading grid: P5  P6  P7  P8  M3  M4  M5  D2  D3

Summative feedback:
Grade:                          Lecturer signature:
Resubmission feedback:
Assessor signature:             Date:

Contents

Task - Discussing risk assessment procedures (P5)
  I   Security risk
  II  Assets, threats and threat identification procedures
      2.1 Assets
      2.2 Threats
      2.3 Vulnerability
      2.4 Threat identification procedures
  III Risk assessment procedure
  IV  Risk identification steps
Task - Explaining data protection processes and regulations as applicable to an organisation (P6)
  I   Data protection
  II  Data protection process in an organization
  III Importance of data protection and security regulation
Task 2.1 - Summarising the ISO 31000 risk management methodology and its application in IT security (M3)
  I   ISO 31000 management methodology definition
  II  Its applications in IT security
  III Practical examples for the above applications
Task 2.2 - Discussing possible impacts to organisational security resulting from an IT security audit (M4)
  I   IT security audit definition
  II  Possible impacts to organizational security
  III Practical examples
Task 2.2.1 - Considering how IT security can be aligned with organisational policy, detailing the security impact of any misalignment (D2)
  I   Organizational policy and its purposes
  II  Impacts of an organizational policy on IT security
  III Practical examples
Task - Designing and implementing a security policy for an organisation (P7)
  I   Security policy
  II  Most important elements when creating a policy
  III Elements of a security policy
  IV  Steps to design a policy
      1.1 Requirement
      1.2 Idea concept
      1.3 System model
      1.4 Implementation
Task - Listing the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
  I   Business continuity
  II  Components of a recovery plan
  III Steps required in the disaster recovery process
  IV  Policies and procedures required for business continuity
Task 4.1 - Discussing the roles of stakeholders in the organisation to implement security audit recommendations (M5)
  I   Stakeholders definition
  II  Stakeholders' roles in an organization
  III Security audit definition and why it is needed
  IV  Security audit implementation to stakeholders in an organization
Task 4.1.1 - Evaluating the suitability of the tools used in an organisational policy (D3)
  I   Organizational policy definition
  II  Tools used in organizational policy
  III Evaluating the suitability of tools in organizational policy
REFERENCE LIST

Task - Discussing risk assessment procedures (P5)

I Security risk

Security risk refers to the potential harm that can happen when digital information is accessed, used, shared, disrupted, changed, or destroyed without permission. This danger can come from different places, like cyber threats, data leaks, harmful software, and other security problems that compromise the privacy, accuracy, and availability of sensitive information.

This risk can seriously hurt businesses. For instance, data leaks can lead to losing private and financial data, causing damage to reputation, legal trouble, and money loss. Viruses and online dangers can disrupt a company's computer systems and networks, stopping work and causing downtime. This can lead to losing money, doing less work, and upsetting customers.

To set up a smart risk control plan in your company, you have to start by figuring out what the risks are. Even though each risk check might be different based on what's happening for you, a few basic ideas give a good plan:

- Find the risks: First, find out what could hurt the confidentiality, integrity or availability of information. Look at the rules, steps, and systems to know what things need safety and what problems might show up.
- Look at the risks: Next, see how likely it is that the risks could happen and what could happen if they did. Think about how often they might show up and how bad things could get.
- See how bad the risks are: Then, see how important the risks are by comparing them to what you can handle. This helps you choose which ones to worry about the most and what to do about them.
- Fix the risks: Finally, try to stop the risks from happening and making things bad. Do this by picking the right safety measures, like rules, steps, and ways of doing things, to control the risks.

[Figure: Security risk illustration]

II Assets, threats and threat identification procedures

2.1 Assets

An asset is any data, device or other component of an organisation's systems that is valuable, often because it contains sensitive data or can be used to access such information. For example, an employee's desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets.

An organisation's most common assets are information assets. These are things such as databases and physical files, i.e. the sensitive data that you store. A related concept is the 'information asset container', which is where that information is kept. In the case of databases, this would be the application that was used to create the database. For physical files, it would be the filing cabinet where the information resides.

2.2 Threats

A threat is any incident that could negatively affect an asset, for example if it's lost, knocked offline or accessed by an unauthorised party. Threats can be categorised as circumstances that compromise the confidentiality, integrity or availability of an asset, and can be either intentional or accidental. Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.

2.3 Vulnerability

A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. You are most likely to encounter a vulnerability in your software, due to its complexity and the frequency with which it is updated. These weaknesses, known as bugs, can be used by criminal hackers to access sensitive information.

Vulnerabilities don't only refer to technological flaws, though. They can be physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written (or non-existent) processes that could lead to employees exposing information. Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors, such as employees sending information to the wrong person.

2.4 Threat identification procedures

Threats come in many forms and through different channels, including:

- Intentional threats
- Accidental threats
- Natural disasters
- Internal threats

Intentional threats: Threats are often intentional and are carried out through hacking by an individual or a criminal organization. A few intentional external threats include viruses, malware, Denial of Service (DoS) and ransomware attacks.

Accidental threats: Threats are sometimes accidents due to some internal issue, such as a computer malfunction or an employee's lapse in protocol, judgment or memory.

Natural disasters: Threats may come in the form of a natural disaster like a flood, lightning strike, earthquake, fire or tornado. Any of these threats can slow, debilitate, restrict access to, or completely ruin your data.

Internal threats: Finally, threats can sometimes strike your assets due to an internal employee's intentional abuse of rights or policies, or they may be attempting something more serious in the form of occupational fraud.

Steps to complete a successful threat assessment

- Scope determination: Define the scope of your assessment, specifying what's included and its level of detail. Consider sensitivity and assess potential avenues for threats.
- Data collection: Collaborate with your assessment team to gather the necessary data, including company policies, regulations, interview notes, and technical details like system configurations and access permissions.
- Vulnerability identification: Analyze the collected data to pinpoint vulnerabilities. Conduct penetration tests to simulate hacking scenarios and discover potential weak points.
- Threat analysis: Categorize identified threats based on severity and exposure levels, ranging from minor to high. Evaluate their potential impact on the organization.
- Risk mitigation: Develop a strategy to address threats, including implementing new software, enhancing security measures, refining access controls, and providing staff training to reduce risks.

III Risk assessment procedure

Step 1: Identify potential hazards. Start by recognizing the risks that could impact your employees and business. These may include natural disasters (like floods or fires), biological hazards (such as diseases), workplace accidents, intentional acts, technological issues, chemical exposures, mental stressors, and supply chain disruptions. Examine all aspects of the work, even remote or non-routine activities, and consider past incidents.

Step 2: Determine affected parties and impact. Consider who within your organization could be harmed by these hazards and how. For each identified hazard, assess the potential impact on individuals or groups.

Step 3: Evaluate risks and apply precautions. Assess the likelihood of each hazard occurring and the severity of its consequences. Based on this evaluation, prioritize risks and decide which ones require immediate attention. Implement measures to lower risks where possible.

Step 4: Document your findings. If your office has more than five employees, you're legally obligated to create a written record of your risk assessment. Detail the hazards, their effects, and the steps you're taking to mitigate them. Your documentation should demonstrate that you've thoroughly checked the workspace, identified affected parties, controlled evident dangers, taken precautions, and involved your staff.

Step 5: Regularly review and update. Recognize that your workplace is dynamic, introducing new equipment, processes, and personnel. With each change, new hazards may arise. Continuously review and adjust your risk assessment to address these evolving risks and ensure ongoing safety.

[Figure: Risk assessment procedures]

IV Risk identification steps

Risk identification involves the process of recognizing possible threats to your business, ranging from natural disasters that could harm your property to dissatisfied employees who might undermine your systems. As a business owner, you consistently encounter risks of varying magnitudes, all with the potential to affect your financial performance. Thus, having a structured approach to spotting these risks is vital.

For any business, risk identification holds significant importance, particularly for small enterprises. Small businesses are more susceptible to harm, necessitating heightened vigilance. Moreover, limited resources mean fewer safety nets in case of emergencies.

The benefits of effective risk identification encompass:

- Enhancing your understanding of potential pitfalls and preventive measures
- Enabling you to devise strategies for managing emergent risks
- Facilitating sound decision-making within your business operations

The advantages of thorough risk identification encompass:

- Recognizing potential threats to your business, both internal and external, equipping you to anticipate and counter various challenges
- Evaluating your business's vulnerabilities, paving the way for reinforcement and defense against potential attacks
- Augmenting decision-making prowess by comprehending the risks inherent in different scenarios, averting costly errors

When it comes to risk identification, a few key steps need to be followed in order to ensure that all possible risks are considered. Let's go over them briefly:

Risk statement: The first step is making a risk statement. This is a brief, concise description of the risk that you're looking at.

Basic identification: In this step, you will list all the relevant facts about the risk. Examples include what could happen, who could be affected, and so on.
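The risk assessment procedure (identify, assess likelihood and severity, prioritise, document, review) and the risk identification steps (a risk statement plus the basic facts about it) are easier to see as a small risk register. The following Python script is an added example written for this page, not code from the assignment or from any standard; the 1-5 likelihood and impact scales, the minor/moderate/high bands, the risk-appetite threshold of 6 and the sample entries are all constructed assumptions chosen to illustrate the procedure.

```python
from dataclasses import dataclass, field, replace

# Assumption for this example: likelihood and impact are scored 1 (rare /
# negligible) to 5 (almost certain / severe). Scores at or below RISK_APPETITE
# are accepted; anything above it must be treated. These are illustrative
# values, not figures from the assignment.
RISK_APPETITE = 6


@dataclass
class Risk:
    statement: str        # brief risk statement (risk identification, step 1)
    asset: str            # what could be harmed
    affected: str         # who could be harmed (risk assessment, step 2)
    threat: str           # the incident that would cause the harm
    vulnerability: str    # the flaw the threat would exploit
    likelihood: int       # 1..5
    impact: int           # 1..5
    controls: list = field(default_factory=list)   # precautions applied so far

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # Step 3: likelihood of the hazard occurring times severity of its consequences.
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Band the score from minor to high, as the threat analysis step describes.
        if self.score >= 15:
            return "high"
        if self.score >= 6:
            return "moderate"
        return "minor"

    @property
    def treatment(self) -> str:
        # Compare the risk with what the organisation can handle (its appetite).
        return "accept" if self.score <= RISK_APPETITE else "treat"


def prioritise(register):
    """Step 3: rank risks so the most serious get attention first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def document_findings(register) -> str:
    """Step 4: produce the written record of the assessment."""
    lines = []
    for r in prioritise(register):
        lines.append(f"{r.rating.upper():8} {r.score:2}  {r.statement} [{r.treatment}]")
        lines.append(f"            asset: {r.asset}; affected: {r.affected}")
        lines.append(f"            threat: {r.threat}; vulnerability: {r.vulnerability}")
        lines.append(f"            controls: {', '.join(r.controls) or 'none yet'}")
    return "\n".join(lines)


def reassess(risk: Risk, likelihood=None, impact=None, new_controls=()) -> Risk:
    """Step 5: re-score a risk after a change in the workplace or a new control.

    Returns a new Risk; the original entry is left untouched so the history
    of the register can be kept."""
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        impact=risk.impact if impact is None else impact,
        controls=[*risk.controls, *new_controls],
    )


# Constructed sample register for a small office (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts the file server", "file server", "all staff",
         "ransomware delivered by phishing email",
         "staff susceptible to phishing; no offline backups", likelihood=4, impact=5),
    Risk("Laptop holding customer data lost in transit", "employee laptop",
         "customers, sales team", "loss or theft", "disk not encrypted",
         likelihood=3, impact=4),
    Risk("Leaky pipe above the server rack", "server room", "IT team",
         "water damage", "pipe routed near a power outlet", likelihood=2, impact=4),
    Risk("Wrong recipient on an internal memo", "internal email", "one department",
         "misaddressed email", "no recipient check before sending", likelihood=3, impact=1),
]

if __name__ == "__main__":
    print(document_findings(SAMPLE_REGISTER))
```

Running the script prints the register in priority order: the ransomware entry scores 20 (high, treat), the lost laptop 12 and the leaky pipe 8 (both moderate, treat), and the misaddressed memo 3 (minor, accept). Calling reassess on the ransomware entry after adding offline backups and phishing training, with likelihood lowered to 1, brings it down to a score of 5, which falls within the example's appetite; this is the review step in practice.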

Posted: 02/02/2024, 10:35
