ASM 2 Security 1623 FPT Greenwich (Merit Super Sale)


ASSIGNMENT 2 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:
Student Name:
Student ID:
Class:
Assessor name: Michael Omar

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature:

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:

Grade:
Lecturer Signature:

Resubmission Feedback:

Assessor Signature:
Date:


Table of Contents
List of Figures
List of Tables
INTRODUCTION
TASK 1 - DISCUSS RISK ASSESSMENT PROCEDURES (P5)
  I. DEFINE A SECURITY RISK AND HOW TO DO RISK ASSESSMENT
    1. Definition of Security Risks
    2. Risk Assessment Procedures
  II. DEFINE ASSETS, THREATS, AND THREAT IDENTIFICATION PROCEDURES, AND GIVE EXAMPLES
    1. Definition of Assets
    2. Definition of Threats
    3. Threat Identification Process
    4. Examples of Threat Identification Procedures
  III. EXPLAIN THE RISK ASSESSMENT PROCEDURE
    a) Asset Identification
    b) Threat Identification
    c) Assessment of Vulnerability
    d) Risk Assessment
  IV. LIST RISK IDENTIFICATION STEPS
  V. SUMMARISE THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
    1. Definition
    2. Contents of ISO 31000
    3. Who Should Use ISO 31000
    4. Applications of ISO 31000 in IT Security
TASK 2 - EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION (P6)
  I. DEFINITION OF DATA PROTECTION
  II. EXPLAIN THE DATA PROTECTION PROCESS IN AN ORGANIZATION
  III. WHY ARE DATA PROTECTION AND SECURITY REGULATION IMPORTANT?
  IV. DISCUSS POSSIBLE IMPACTS ON ORGANISATIONAL SECURITY RESULTING FROM AN IT SECURITY AUDIT (M4)
    1. Definition of IT Security Audit
    2. Systems That an IT Security Audit Covers
    3. The Possible Impacts to Organisational Security Resulting from an IT Security Audit
TASK 3 - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7)
  I. DEFINE A SECURITY POLICY AND DISCUSS IT
    1. Define Security Policy
    2. Discussion on Policies
  II. GIVE AN EXAMPLE FOR EACH OF THE POLICIES
  III. GIVE THE MOST AND SHOULD THAT MUST EXIST WHILE CREATING A POLICY
  IV. EXPLAIN AND WRITE DOWN ELEMENTS OF A SECURITY POLICY
  V. GIVE THE STEPS TO DESIGN A SECURITY POLICY
TASK 4 - LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8)
  I. DISCUSS WITH AN EXPLANATION ABOUT BUSINESS CONTINUITY
    1. Definition
    2. The Importance of Business Continuity
  II. LIST THE COMPONENTS OF THE RECOVERY PLAN
  III. ALL THE STEPS REQUIRED IN THE DISASTER RECOVERY PROCESS
  IV. EXPLAIN SOME OF THE POLICIES AND PROCEDURES THAT ARE REQUIRED FOR BUSINESS CONTINUITY
  V. DISCUSS THE ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS (M7)
CONCLUSION
References

List of Figures
Figure 1: Security Risk
Figure 2: Risk Assessment Procedures
Figure 3: Security Threats
Figure 4: ISO 31000
Figure 5: ISO 31000 Principles
Figure 6: Data Protection
Figure 7: IT Security Audit
Figure 8: Security Policy
Figure 9: Business Continuity

List of Tables
Table 1: Roles of Stakeholders in the Organisation to Implement Security Audit Recommendations



INTRODUCTION
In today's data-driven and internationally networked culture, data routinely moves between individuals, organizations, and businesses. Cybercriminals are fully aware that data has a high monetary value. As a result of the continuous growth in cybercrime, the demand for security specialists to safeguard and defend a business is expanding. To help me gain deeper knowledge in this field, this report discusses some fundamental theories of security: risk assessment procedures; data protection processes and regulations as applicable to an organization; and the design of a security policy for an organization. Additionally, it lists the main components of an organizational disaster recovery plan and justifies the reasons for their inclusion.



TASK 1 - DISCUSS RISK ASSESSMENT PROCEDURES (P5)
I. DEFINE A SECURITY RISK AND HOW TO DO RISK ASSESSMENT
1. Definition of Security Risks
A security risk is the likelihood of exposure, loss of key assets and sensitive information, or reputational harm as a result of a cyber attack or breach within an organization's network. Cybersecurity must remain a key priority across industries, and businesses should endeavour to create a cybersecurity risk management plan to guard against ever-evolving cyber threats.


Figure 1: Security Risk

2. Risk Assessment Procedures
2.1. Definition:
A security risk assessment finds, evaluates, and applies important application security measures. It
also focuses on preventing security flaws and vulnerabilities in applications. An enterprise may see
its application portfolio holistically—from the standpoint of an attacker—by conducting a risk
assessment. It aids managers in making well-informed decisions about resource allocation, tools,
and security control implementation. As a result, completing an evaluation is an important aspect
of a company's risk management strategy.



Figure 2: Risk assessment Procedures

2.2. How Does Risk Assessment Work:
The depth of risk assessment models is affected by factors like size, growth rate, resources, and asset portfolio. When faced with money or time restrictions, organizations might conduct generic evaluations. Generalized evaluations, on the other hand, may not always include precise mappings of assets, related threats, recognized risks, effects, and mitigation mechanisms. A more in-depth evaluation is required if the findings of the generalized assessment do not offer enough of a link between these areas.

2.3. Risk Assessment Steps
• Step 1: Determine the dangers. The first stage of a risk assessment is to identify any possible risks that would have a negative impact on the organization's capacity to do business if they occurred. Natural catastrophes, utility outages, cyberattacks, and power outages are all potential dangers that might be evaluated or discovered during a risk assessment.
• Step 2: Figure out what or who could be damaged. After the risks have been determined, the following stage is to assess which business assets would be harmed if the risk materialized. Critical infrastructure, IT systems, business operations, company reputation, and even employee safety are all considered to be in danger from these threats (Cole, 2021).
• Step 3: Assess the threats and devise countermeasures. Risk analysis may assist in determining how risks will affect company assets, as well as the steps that can be implemented to reduce or eliminate the effects of these hazards on business assets. Property damage, company interruption, financial loss, and legal fines are all possible risks.
• Step 4: Keep a record of your results. The company's risk assessment results should be documented and filed as formal records that are easily accessible. Details on possible dangers, their related risks, and measures to avoid the hazards should be included in the records.
• Step 5: Regularly review and update the risk assessment. In today's corporate world, potential dangers, risks, and the controls that go along with them can alter quickly. It is critical for businesses to update their risk assessments on a frequent basis in order to keep up with these developments (Cole, 2021).

2.4. The Goals of Risk Assessment
• Creating a risk profile that includes a quantitative examination of the hazards that the company confronts.
• Creating a comprehensive inventory of IT and data assets.
• Justifying the expense of security remedies that mitigate risks and vulnerabilities.
• Identifying, prioritizing, and documenting risks, threats, and known vulnerabilities to the organization's production infrastructure and assets.
• Creating a budget to address or reduce the risks, hazards, and vulnerabilities that have been identified.
• Understanding the return on investment when money is invested in infrastructure or other corporate assets to mitigate possible risk.



II. DEFINE ASSETS, THREATS, AND THREAT IDENTIFICATION PROCEDURES, AND GIVE EXAMPLES
1. Definition of Assets
In information security, computer security, and network security, an asset is any data, device, or other component of the environment that supports information-related activities. Hardware (such as servers and switches), software (such as mission-critical applications and support systems), and confidential information are all examples of assets. Assets must be protected from unauthorized access, use, disclosure, alteration, destruction, and/or theft, any of which might result in a financial loss (Haldenby, 2016).
2. Definition of Threats
Software attacks, loss of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion are all examples of information security threats. Anything that can exploit a vulnerability to breach security and negatively change, delete, or harm an item or object of interest is considered a threat. In this report, a threat is defined as a potential attack that allows someone to obtain unauthorized access to a computer system.

Figure 3: Security Threats

3. Threat Identification Process
• Pre-work meetings should be held to discuss the daily tasks to be completed.
• Encourage employees to be aware of potential dangers and to report them.
• Conduct workplace audits and safety inspections.
• Perform a JSA (job safety analysis).
• HAZOPS (hazard and operability studies) should be used.
• Any novel procedures, materials, or buildings should be evaluated.
• Examine the product's safety information.
• Examine data that is freely available.
• Look for previous incident and near-miss reports.

4. Examples of Threat Identification Procedures
Threat identification for the asset "digital document/data":
• Threat: storage failure, where the vulnerability is that there is no document backup (possible availability loss).
• Threat: virus infection, where the vulnerability is anti-virus software that is not up to date or contains many security holes (possible confidentiality, integrity and availability loss).
• Threat: unauthenticated access from an unidentified site, such as SQL injection from an unidentifiable party, where the vulnerability is an inadequately established access control strategy (possible confidentiality, integrity and availability loss).
• Threat: unauthorized access, where the vulnerability is that access was granted to far too many persons (possible confidentiality, integrity and availability loss).
Threat identification for the asset "physical document":
• Threat: fire or hurricanes, where the vulnerability is that the document is not housed in a fire-proof safety box (possible availability loss).
• Threat: earthquakes, fire, etc., where the vulnerability is that there is no backup of the paper document (possible availability loss).
• Threat: unauthorized access, where the vulnerability is that the important document is not locked and secured in a safety box (possible confidentiality loss).

III. EXPLAIN THE RISK ASSESSMENT PROCEDURE
A risk assessment procedure should be carried out by a competent person or group of people who have a thorough understanding of the subject under investigation. Supervisors and workers who work with the process under evaluation should be included on the team or used as sources of information, because they are the most familiar with it. The risk assessment procedure consists of the following steps:
a) Asset Identification
• The asset inventory
Completed objects, components, or raw materials that an organization intends to sell are referred to as inventory assets. In accounting, inventory is documented as a current asset on a company's balance sheet. Manufacturing inventory assets serve as a buffer in the case of an increase in demand (Cole, 2021).
• Record the attributes of each asset.
• Calculate each asset's relative worth.
b) Threat Identification
• Sort threats into categories.
A security threat is a malicious act undertaken to steal or damage data, or to disrupt an organization's systems or the entire enterprise.
c) Assessment of Vulnerability
• Determine the asset's present weaknesses.
Organizations employ internal controls to protect themselves and maintain compliance with industry norms and regulations when it comes to managing financial risks. Effective controls help ensure that financial reporting is accurate and that investment, capital, and credit requirements are satisfied.
• Vulnerability scanners should be used on both hardware and software.
A vulnerability scanner is software that detects security problems in computers, networks, operating systems, and other software applications. It's important to note that the same technology may be utilized both proactively by system administrators and maliciously by cybercriminals.
d) Risk Assessment
• Calculate the organization's vulnerability impact.
Due to a variety of hazards, all facilities are in some danger. These dangers might arise as a result of natural disasters, accidents, or deliberate operations meant to cause harm. Regardless of the nature of the danger, facility owners must limit or control the risks caused by these hazards as much as possible.
• Determine the expectancy of a loss.
• Calculate the probability that the vulnerability will be exploited.
We observed that using probability in more traditional risk analysis has sparked a lot of curiosity. This section teaches some basic concepts in probability and illustrates how to apply them to perform 7 operations (Cole, 2021).
• Make a decision about what to do with the risk.
It's crucial to note that the evaluation must consider not just the existing status of the workplace, but also any possible circumstances. The employer and the health and safety committee (where applicable) can determine if and to what extent a control program is necessary by evaluating the degree of risk associated with the hazard.
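The following worked example, added here and not part of the original report, carries the procedure of sections 2.3 and III through in code: it records assets and their worth, attaches the threats and vulnerabilities identified in section II.4, estimates how often each threat materializes, computes the single and annual loss expectancy, and makes a treatment decision against a risk appetite. All asset values, exposure factors, occurrence rates, control costs and the risk appetite are constructed sample figures; the names and functions are the example's own.

```python
"""Added example (not part of the original report): a quantitative risk
assessment over a constructed asset/threat register.  Every value, rate and
control cost below is a constructed sample figure."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    vulnerability: str
    exposure_factor: float      # fraction of the asset value lost per incident (0..1)
    annual_rate: float          # expected incidents per year (annualized rate of occurrence)
    impact: str                 # which of C, I, A the threat affects


@dataclass
class Asset:
    name: str
    value: float                # asset value, in currency units
    threats: list = field(default_factory=list)


# Constructed register using the assets and threats discussed in section II.4.
REGISTER = [
    Asset("Digital documents", 200_000.0, [
        Threat("Storage failure", "no backup", 0.5, 0.2, "A"),
        Threat("Malware", "anti-virus not up to date", 0.3, 0.5, "CIA"),
        Threat("SQL injection", "weak access control on the application", 0.6, 0.1, "CIA"),
        Threat("Over-broad access", "too many accounts granted access", 0.2, 1.0, "CIA"),
    ]),
    Asset("Physical documents", 50_000.0, [
        Threat("Fire", "not kept in a fire-proof safe", 1.0, 0.02, "A"),
        Threat("Unauthorized access", "document not locked away", 0.3, 0.5, "C"),
    ]),
]

# Candidate controls (constructed): (asset, threat) -> (annual cost, fraction of the ALE removed).
CONTROLS = {
    ("Digital documents", "Storage failure"): (4_000.0, 0.9),
    ("Digital documents", "Malware"): (8_000.0, 0.7),
    ("Digital documents", "SQL injection"): (3_000.0, 0.9),
    ("Digital documents", "Over-broad access"): (50_000.0, 0.95),
}
RISK_APPETITE = 5_000.0          # largest annual loss the organization will carry untreated


def single_loss_expectancy(asset, threat):
    """Loss from one incident: asset value times the fraction of it that is lost."""
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset, threat):
    """Expected loss per year: single loss times how often the threat occurs."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def treatment_decision(ale, control, appetite=RISK_APPETITE):
    """Step 'make a decision about what to do with the risk'."""
    if ale <= appetite:
        return "accept"
    if control is None:
        return "treat: no control costed yet"
    cost, reduction = control
    avoided = ale * reduction
    residual = ale - avoided
    if avoided <= cost:
        return "control not cost-effective: transfer or accept"
    if residual > appetite:
        return "mitigate (residual still above appetite)"
    return "mitigate"


def run_assessment(register=REGISTER, controls=CONTROLS):
    """One row per asset/threat pair, highest annual loss expectancy first."""
    rows = []
    for asset in register:
        for threat in asset.threats:
            ale = annual_loss_expectancy(asset, threat)
            control = controls.get((asset.name, threat.name))
            rows.append({
                "asset": asset.name, "threat": threat.name,
                "vulnerability": threat.vulnerability, "impact": threat.impact,
                "sle": single_loss_expectancy(asset, threat), "ale": ale,
                "decision": treatment_decision(ale, control),
            })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in run_assessment():
        print(f"{r['asset']:<18} {r['threat']:<20} ALE={r['ale']:>9,.0f}  {r['decision']}")
```

The sorted output is the prioritized risk register that section 2.3 Step 4 says should be filed as a formal record; re-running it with updated rates and costs is the Step 5 review.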
IV. LIST RISK IDENTIFICATION STEPS
• Step 1 - Template specification: This is a risk statement based on information provided concerning causes, consequences, impacts, risk regions, and occurrences. A well-structured template can assist you in capturing this information in a consistent manner.
• Step 2 - Basic identification: Answer two questions regarding prospective risks: why or why not us, and whether or not they have previously been encountered. The former may be acquired through a SWOT analysis process, whereas the latter is a statement that should be sourced from a project postmortem or lessons-learned library.
• Step 3 - Detailed identification: This stage takes longer than the others, but it provides the information you need to correctly analyze risk. PMI recommends the following five tools:
  o Interviewing
  o Analysis of assumptions
  o Examining documents
  o The Delphi method
  o Brainstorming
• Step 5 - Internal cross-check: At this step, begin to build an opinion on which project parts are riskier than others, as well as what mitigation methods to use.
• Step 6 - Statement finalization: Compile the results into a set of graphics that include dangerous locations, causes, and consequences.

V. SUMMARISE THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
1. Definition
ISO 31000 is a security analysis technique (also known as a risk management process) that is utilized in a variety of risk management programs in a variety of sectors. It aids in the standardization of the procedures users take to assess and manage risk, resulting in a formal and consistent process (Anon., 2016).

Figure 4: ISO 31000


Risk management may be applied to a full company, as well as individual departments, projects, and
activities, at any time and at various levels.
2. Contents of ISO 31000
a) Scope
ISO 31000 is an international risk management standard that may be implemented by any business, regardless of size or industry (Lashin, n.d.).
At all levels and departments of a company, ISO 31000 may be used to achieve any and all sorts of objectives. It may be applied to all sorts of operations and can be utilized at a strategic or organizational level to aid decision-making. It may be used to assist in managing processes, operations, functions, projects, programs, goods, services, and assets; however, how an organization applies ISO 31000 is up to them and will be determined by their goals, objectives, and problems, and should represent what they do and how they operate.
b) Terms and Definitions
c) Principles

Figure 5: ISO 31000 Principles

d) Frameworks
The efficacy of the management framework provides the foundations and arrangements that will integrate risk management across the business at all levels, according to ISO 31000.
The framework:
• Guarantees that information concerning risk obtained from the risk management process is appropriately reported;
• Ensures that this information is utilized as a foundation for decision making and accountability at all relevant organizational levels.
This section defines the required components of the risk management framework and how they interact in an iterative manner:
• Mandate and commitment
• Design of the framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework
• Risk assessment
• Risk treatment
• Monitoring and review
• Recording the risk management process
e) Process
According to ISO 31000, the success of risk management is determined by the management's efficacy.
The risk management process should be:
• An important component of management;
• Embedded in the organization's culture and practices;
• Tailored to the organization's business operations.
The following activities are included in the risk management process:
• Consultation and communication: All stages of the risk management process should include communication and interaction with external and internal stakeholders.
• Establishing the context: By establishing the context, the organization articulates its objectives, identifies the external and internal elements to be considered when managing risk, and sets the scope and risk criteria for the remaining process.


3. Who Should Use ISO 31000
ISO 31000 can be utilized by a variety of persons, including those who need to:
• Create a risk management policy (top management).
• Review risk management procedures and practices (assessors).
• Manage and control risk within a company (managers).
• Describe the methods for managing and controlling risk (trainers and consultants).
• Create risk management policies and procedures (implementers).
• Develop related standards and norms of conduct (experts).

4. Applications of ISO 31000 in IT Security
a) Risk management creates and protects the value
Risk management helps to accomplish measurable goals and enhance performance in areas such as
human health and safety, security, legal and regulatory compliance, public acceptance,
environmental protection, product quality, project management, operational efficiency, governance,
and reputation (Lashin, 2016).

b) Risk management is an integral part of all organizational processes
Risk management is not a stand-alone activity distinct from the organization's major operations and
procedures. Risk management is an element of management's duties and an essential component of
all organizational operations, such as strategic planning and project and change management.

c) Risk management is part of decision making
Risk management aids decision-makers in making well-informed decisions, prioritizing activities,
and distinguishing between different options.

d) Risk management explicitly addresses uncertainty

Uncertainty, the nature of that uncertainty, and how it might be managed are all addressed directly
in risk management.

e) Risk management is systematic, structured and timely
Risk management that is systematic, timely, and organized leads to efficiency as well as consistent,
comparable, and trustworthy results.



f) Risk management is based on the best available information
The information sources used in the risk management process include historical data, experience,
stakeholder feedback, observation, projections, and expert judgment. However, decision-makers
should be aware of and consider any limits of the data or modelling employed, as well as the
likelihood of expert divergence.

g) Risk management takes human and cultural factors into account
Risk management is based on the organization's external and internal contexts, as well as its risk
profile.

h) Risk management is transparent and inclusive
Risk management takes into account the capabilities, attitudes, and intentions of external and
internal stakeholders who might help or impede the organization's goals.

i) Risk management is transparent and inclusive
Risk management stays relevant and up-to-date with appropriate and timely participation of
stakeholders and, in particular, decision-makers at all levels of the organization. Stakeholder
involvement also ensures that they are adequately represented and that their opinions are taken into
consideration when setting risk criteria.


j) Risk management is dynamic, iterative and responsive to change.
Change is constantly sensed and responded to by risk management. As external and internal events
occur, context and knowledge shift, risks are monitored and reviewed, new hazards develop, some
shift, and others vanish.

k) Risk management facilitates continual improvement of the organization.
Along with all other parts of their business, organizations should design and implement methods to
improve their risk management maturity.



TASK 2 - EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION (P6)
I. DEFINITION OF DATA PROTECTION
"Data protection" is the process of protecting data and involves the relationship between the collection and
dissemination of data and technology, the public perception and expectation of privacy and the political
and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights
while still allowing data to be used for business purposes (Crocetti, 2021).

Figure 6: Data Protection

Data protection is also known as data privacy or information privacy.

II. EXPLAIN THE DATA PROTECTION PROCESS IN AN ORGANIZATION
1) Assessing Risks
The riskier the data, the more security is required. Sensitive data should be protected as much as possible, whereas low-risk data can be granted less security. The main rationale for these evaluations is financial, since stronger data security means higher costs.
2) Backup Data
Backup is always a way of preventing data loss, which can occur as a result of user mistakes or technological failure. Low-importance data does not need to be backed up as frequently as sensitive data. Tape storage technologies are still (by two-thirds) less expensive than hard drives.
3) Data Encryption
High-risk data is the ideal candidate for encryption at every stage of the process. Data that has been adequately encrypted is inherently secure: even if a data breach occurs, the data is useless and unrecoverable to the attackers. Encryption is specifically mentioned in the GDPR as a data security measure.
4) Pseudonymization
Another method recommended by the GDPR for improving data security and individual privacy is pseudonymization. It works well with larger data sets and involves removing personally identifying information from data records. The notification duties in the event of a breach of pseudonymized data are greatly reduced.
5) Access Controls
The fewer people who have access to the data, the smaller the risk of (inadvertent) data leak or loss. Keep track of previous data handling education courses and run refreshers on a regular basis. Create a clear and explicit data protection policy.
6) Destruction
On-site data destruction is recommended for sensitive data. The most frequent method for damaged hard drives is degaussing. Paper, CDs, and tape drives are all shredded into minute pieces. Encrypted data may be easily wiped by deleting the decryption keys.
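The following example, added here and not taken from the original report, shows steps 4 and 6 above working together: a customer data set is pseudonymized with a keyed hash, the key is held in a separate store (the "additional information" that GDPR Art. 4(5) requires to be kept apart from the data), and deleting that key is the destruction step that turns the pseudonymized records into anonymous ones. It also shows, as code, why a plain unkeyed hash of an e-mail address is not adequate pseudonymization. All records, names, e-mail addresses and the data set identifier are constructed sample values; the class and function names are the example's own.

```python
"""Added example (not from the original report): keyed pseudonymization with
the key held separately, and key destruction as the data-destruction step.
All records below are constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample data set containing direct identifiers.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "gold", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.com", "plan": "basic", "spend": 15},
    {"name": "Carol Example", "email": "carol@example.com", "plan": "gold", "spend": 340},
]
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """Holds the secret needed to link pseudonyms back to people.  It is kept
    apart from the data set: whoever obtains the records but not this key
    cannot attribute them to a person."""

    def __init__(self):
        self._keys = {}

    def create(self, dataset_id):
        self._keys[dataset_id] = secrets.token_bytes(32)
        return self._keys[dataset_id]

    def get(self, dataset_id):
        return self._keys.get(dataset_id)

    def destroy(self, dataset_id):
        """Destruction step: once the key is gone, the pseudonyms are unlinkable."""
        self._keys.pop(dataset_id, None)


def subject_identity(record):
    """The direct identifiers of one data subject, joined into a single string."""
    return "|".join(record[f] for f in DIRECT_IDENTIFIERS)


def pseudonym(key, identity):
    """HMAC-SHA256 rather than a plain hash: without the key, nobody can
    recompute the pseudonym from a list of candidate names or addresses."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Strip the direct identifiers and replace them with a keyed pseudonym."""
    out = []
    for record in records:
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = pseudonym(key, subject_identity(record))
        out.append(stripped)
    return out


def reidentify(pseudonymized, keystore, dataset_id, person):
    """Controller-side lookup for a known person (e.g. an access request).
    Returns the matching record, or None once the key has been destroyed."""
    key = keystore.get(dataset_id)
    if key is None:
        return None
    wanted = pseudonym(key, subject_identity(person))
    return next((r for r in pseudonymized if r["subject_id"] == wanted), None)


def unkeyed_hash_is_linkable(records, candidate_emails):
    """Caveat: hashing e-mails with plain SHA-256 is not enough, because anyone
    holding the records can hash a candidate list and match the results.
    Returns how many candidates an attacker could link this way."""
    table = {hashlib.sha256(r["email"].encode("utf-8")).hexdigest() for r in records}
    return sum(1 for e in candidate_emails
               if hashlib.sha256(e.encode("utf-8")).hexdigest() in table)


def demo(dataset_id="customers-2021"):
    """Pseudonymize, re-identify while the key exists, then crypto-shred."""
    store = KeyStore()
    key = store.create(dataset_id)
    data = pseudonymize(RECORDS, key)
    before = reidentify(data, store, dataset_id, RECORDS[1])
    store.destroy(dataset_id)      # the data set is now anonymous
    after = reidentify(data, store, dataset_id, RECORDS[1])
    return data, before, after


if __name__ == "__main__":
    data, before, after = demo()
    print(data)
    print("re-identified before key destruction:", before)
    print("re-identified after key destruction:", after)
```

In practice the KeyStore would be a hardware security module or a key management service with its own access controls and audit log, which is also what makes the destruction step provable rather than a matter of trust.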
III. WHY ARE DATA PROTECTION AND SECURITY REGULATION IMPORTANT?
Data exists in every company and organization: personnel files, customer data, product information,
financial transactions, and so on. This data informs management decisions as well as employees' day-to-day
work in producing high-quality products and services. Data is in fact one of a company's most valuable
assets, and for this reason alone its security should be a top concern for every firm. Security here means
safeguarding the data's availability to the personnel who need it, its integrity (keeping it correct and up
to date), and its confidentiality (the assurance that only authorized people can access it).

Customers expect the firms they do business with or invest money in to keep their data protected. Adequate
data governance fosters that confidence: it protects the company's image by establishing it as a brand that
customers can trust with their personal information.
Data protection and security regulation has raised data security to a new level of importance, making it
not just a business need but a legal one. Under the GDPR a controller must implement 'appropriate technical
and organisational measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation' (Article 24). Security awareness training is an important part of such
measures: employees must understand the need to adhere to data security rules and processes. Headlines
about a data breach, and a poor response to it, can erode confidence built up over a decade in a matter of
days (Besemer, 2011).

IV. DISCUSS POSSIBLE IMPACTS ON ORGANISATIONAL SECURITY RESULTING FROM AN IT SECURITY AUDIT (M4)
1. Definition of IT Security Audit
A security audit is a systematic assessment of a company's information system's security by determining
how well it complies with a set of criteria. The security of the system's physical setup and environment,
software, information handling processes, and user habits are normally assessed during a complete audit
(Gillis, 2021).

Figure 7: IT security audit

Security audits are often used to determine compliance with regulations such as the Health Insurance
Portability and Accountability Act, the Sarbanes-Oxley Act and the California Security Breach
Information Act that specify how organizations must deal with information.
2. Systems That An IT Security Audit covers
a) Network vulnerabilities: the audit searches for flaws in any network component that an attacker could
use to gain access to systems or information, or to cause harm. Information is most exposed while it is in
transit between two points. Network traffic, including email, instant messaging, file transfers and other
communications, is examined through the audit and through regular network monitoring.
b) Security controls: The auditor examines the effectiveness of a company's security controls in this
section of the audit. This involves assessing how well a company has executed the rules and
procedures it has put in place to protect its data and systems. An auditor, for example, may look to
verify if the firm still has administrative control over its mobile devices. The auditor examines the
company's controls to ensure that they are working properly and that it is adhering to its own rules
and procedures.
c) Encryption: this part of the audit verifies that the company's encryption of data at rest and in transit
is in place, correctly configured and backed by sound key management.
d) System software: Software systems are evaluated here to ensure that they are functioning correctly
and giving reliable data. They're also reviewed to see whether there are any restrictions in place to
prevent unauthorized people from accessing private information. Data processing, software
development, and computer systems are among the fields investigated.

e) Architecture management capabilities: Auditors check that IT management has put in place
organizational structures and processes to provide a regulated and efficient information processing
environment.
f) Telecommunications controls: Telecommunications controls are tested on both the client and server
sides, as well as the network that links them, by auditors.
g) Systems development audit: Audits in this area ensure that any systems in development fulfil the
organization's security objectives. This component of the audit is also carried out to check that
systems in development adhere to established guidelines.
h) Information processing: These audits ensure that security mechanisms for data processing are in
place.

3. The Possible Impacts To Organisational Security Resulting From An IT Security Audit
An IT security audit reveals the underlying vulnerabilities in, and security threats to, the organization's
IT assets. Identifying these hazards has a positive ripple effect on the security of the company as a whole.
Here are some possible impacts of an IT security audit on organizational security:

a) Identification of vulnerable areas and components of IT infrastructure and system
Networks, PCs and servers are examples of IT infrastructure that may be hacked or compromised. An IT
security audit exposes the weak points that threat actors could readily exploit.
Fraud and other accounting irregularities may be prevented and detected by frequent examination of an
organization's operations and the deployment of stringent internal control systems. Internal control
systems intended to prevent fraud are designed and modified with the help of auditing specialists.
Deterrence is an important part of prevention. An organization's reputation for having an active and
rigorous audit system may discourage an employee or supplier from attempting to cheat it.

b) Reduction of threats and risks
Threats include attacks on systems and system flaws that hostile individuals such as hackers may exploit.
When an IT audit identifies susceptible places in the system, improved security measures follow.
Risk can be reduced further by implementing a stronger disaster management strategy, which aims to reduce
or avoid hazards to an IT system.
Following the assessment of the risks, the IT team is given a clear organizational vision on how to
eliminate, mitigate, or accept those risks as part of the working environment through the
implementation of IT audit controls.
Furthermore, without an audit system or internal controls, an organization would be unable to
allocate resources and determine which product lines are lucrative and which are not.
c) Implementation and enforcement of better security policies
Security policies help prevent unnecessary risk by laying down rules, such as a password policy that
requires a password to be longer than eight characters and not to contain the user name.
d) Outsourcing of cyber security services
If security concerns necessitate additional expertise, an organization might choose to outsource
security management to a third party.
e) Better strategies of compliance with programs like HIPAA
Compliance seeks to ensure that specified security policies are followed in order to better secure an
organization's assets. Regulatory authorities, which might be state-run, are in charge of ensuring
compliance.

f) Enhances Communication in an Organization
An IT audit can help an organization's business and technology management communicate more effectively.
Concluding a computer audit requires direct communication between the business units and the IT department.
While interviewing staff, the internal or external auditor has the chance to test what is actually happening
in the organization and to check whether there is a large gap between how the systems are supposed to work
and how they are used in practice.
The auditor's final step is to prepare a thorough report for management explaining the problems found in
the company's computer systems. This not only improves communication across departments but also fosters
trust, strengthens accountability and lets departments track their goals.
It is therefore important to recognize IT auditing as a key aspect of management's oversight of technology.
Technology supports the company's roles, strategy and operations; alignment between the business and the
technology supporting it is critical, and IT auditing helps ensure that alignment.

TASK 3 - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7)
I. DEFINE A SECURITY POLICY AND DISCUSS IT
1. Define Security Policy:
A security policy is a written statement of how a corporation intends to safeguard its physical and
information technology (IT) assets. Security policies are dynamic documents that are updated and
revised when new technologies, vulnerabilities, and security needs emerge.

Figure 8: Security Policy

A company's security policy may include an acceptable use policy. Security policies also set out how the
organization intends to educate its staff about the importance of safeguarding the company's assets,
describe how security measures will be implemented and enforced, and provide a method for assessing the
policy's effectiveness and making required modifications (Duigan, 2013).

2. Discussion on policies:

a) Discussion on HR policy:
HR policies are the specific standards a business follows in managing its human resources: explicit
guidelines for hiring, evaluating, training and rewarding employees. They form the structure and guiding
principles that support consistent decisions for the wellbeing of the organization and its employees.
HR policies are an important aspect of every business because they provide clear guidelines for how the
firm operates. They are a way of safeguarding the organization's business and avoiding future
misunderstandings.

The importance of HR policy:
• It ensures that the needs of the organization's employees are acknowledged and met.
• It ensures that suitable benefits are offered to workers for their work, assists in resolving employee
problems, complaints and grievances, and ensures that proper training and development opportunities are
provided to employees to meet the organization's needs.
• It protects employees from unfair treatment by anyone in the corporation.
• It ensures that eligible employees receive paid vacations and holidays when they are due.
• It aids discipline within the organization.
• It ensures that employees are compensated fairly.
b) Discussion on Incident Response Policy:
Incident Response (IR) Procedure: Provide the necessary procedures for incident
management, reporting, and monitoring, as well as incident response training, testing, and
