1623 assignment 2 (pass)
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (1.06 MB, 51 trang )
ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Đào Vĩnh Khang
Student ID
GCS200222
Class
GCS0905B
Assessor name
SAMNX
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand
that making a false declaration is a form of malpractice.
Student’s signature
KHANG
Grading grid
P5
P6
P7
P8
M3
M4
M5
D2
D3
Summative Feedback:
Grade:
Lecturer Signature:
Resubmission Feedback:
Assessor Signature:
Date:
asda
ASSIGNMENT 2
Security Presentation
Acknowledgement
First, I would like to thank the curators of the University of Greenwich, who
make these courses available to students. I would like to thank all the
authors and
researchers who have studied the Security program. In addition, I would like
thank speaker Dang Quang Hien for his very good and professional lectures and
tutorials.
Finally, I would like to thank the teachers and responsible staff of our university.
Table of Contents
Task 1 – Discuss risk assessment procedures (P5) ........................................................................................................ 7
Define a security risk and how to do risk assessment .......................................................................................
7
I.
1.
Definition of Security Risk Assessment ........................................................................................................ 7
2.
How does a security risk assessment work? .................................................................................................. 8
3.
How to do risk assessment? ........................................................................................................................... 8
Define assets, threats, and threat identification procedures, and give examples ...............................................
8
II.
1.
What’s an asset? ............................................................................................................................................ 8
2.
What’s a threat? ............................................................................................................................................. 9
3.
Definition of Risk/Threat Identification ........................................................................................................ 9
4.
Risk Identification Procedures ...................................................................................................................... 9
5.
Common Risk Identification Methods ........................................................................................................ 10
III.
List risk identification steps .........................................................................................................................
10
Task 2 – Explain data protection processes and regulations as applicable to an organization (P6) ............................
11
I.
Define data protection .....................................................................................................................................
11
II.
Explain data protection process in an organization .........................................................................................
12
1.
Media failure ............................................................................................................................................... 12
2.
Data corruption ............................................................................................................................................
12
3.
Storage system failure ................................................................................................................................. 13
4.
Full-on data center failure ........................................................................................................................... 13
III.
Why are data protection and security regulation important? ....................................................................... 13
Task 2.1 – Summarize the ISO 31000 risk management methodology and its application in IT security (M3) .........
13
Briefly define ISO 31000 management methodology ..................................................................................... 13
I.
1.
What is ISO 31000?..................................................................................................................................... 13
2.
Why do we use it? ....................................................................................................................................... 14
3.
What are the benefits of ISO 31000? .......................................................................................................... 14
How does it work? .......................................................................................................................................
14hat are its applications in IT security? ......................................................................................................... 15
II.
Task 2.2 – Discuss possible impacts to organizational security resulting from an IT security audit (M4) .................
15
Define IT security audit ...................................................................................................................................
15
I.
.....................................................................................................................................................
1.
Definition
15
2.
Why your company needs regular IT security audits .................................................................................. 15
3.
The steps in an IT security audit .................................................................................................................. 16
4.
How to Ensure Successful Security Auditing .............................................................................................. 17
II.
What possible impacts to organizational security resulting from an IT security audit? ..................................
17
III.
When is a security audit needed? ................................................................................................................ 18
Task 3 – Design and implement a security policy for an organization (P7) ................................................................ 18
I. Define a security policy and discuss about it .................................................................................................. 18
II.
Types of the security policies ..........................................................................................................................
19
III.
Give the most and that should exist while creating a policy ....................................................................... 20
1.
Purpose – Explain the reasons for having this policy ..................................................................................
20
2.
Scope ...........................................................................................................................................................
20
3.
Policy – State all policy requirements .........................................................................................................
20
4.
Technical Guidelines – Identify all technological controls required to give data access ............................
21
5.
Reporting Requirements – Explain the standards for incident reporting.....................................................
22
6.
Ownership and Responsibilities – Specify who owns what and who is accountable for certain actions and
controls
22
................................................................................................................................................................
7.
Enforcement – Specify the penalty for unauthorized access .......................................................................
22
8.
Definitions – Defines any technical words used in this policy ....................................................................
23
9.
Related Documents – Listings and links to all policy-related papers ..........................................................
23
10.
Revision History – Record policy revision .............................................................................................. 23
IV.
Explain and write down elements of a security policy ................................................................................ 24
1.
Purpose ........................................................................................................................................................
24
2.
Audience and Scope ....................................................................................................................................
24
3.
Information security objectives ...................................................................................................................
24
4.
Authority and access control policy ............................................................................................................
25
5.
Data classification .......................................................................................................................................
25
Data support and operations ........................................................................................................................
26
6.
7.
Security awareness and behavior .................................................................................................................
26
8.
Responsibilities, rights, and duties of personnel .........................................................................................
27
V.
Give the steps to design a policy .....................................................................................................................
27
1.
Identify need ................................................................................................................................................
27
2.
Identify who will take lead responsibility ...................................................................................................
27
3.
Gather information ......................................................................................................................................
27
4.
Draft policy ..................................................................................................................................................
27
5.
Consult with appropriate stakeholders ........................................................................................................
27
6.
Finalize / approve policy .............................................................................................................................
28
7.
Consider whether procedures ......................................................................................................................
28
8.
Implement ....................................................................................................................................................
28
9.
Monitor, review, revise ................................................................................................................................
28
Task 4 – List the main components of an organizational disaster recovery plan, justifying the reasons for inclusions
..............................................................................................................................................................................
(P8)
28
Discuss with explanation about business continuity .......................................................................................
28
I.
1.
Definition .....................................................................................................................................................
28
2.
Why is business continuity important? ........................................................................................................
29
3.
What does business continuity include? ......................................................................................................
29
4.
Three key components of a business continuity plan ..................................................................................
30
II.
List the components of recovery plan..............................................................................................................
30
1.
Take Inventory of IT Assets ........................................................................................................................
30
2.
Sort Assets According to Criticality and Context .......................................................................................
31
3.
Assess Potential Risks .................................................................................................................................
31
4.
Define Your RTO and RPO ........................................................................................................................
31
5.
Select A Disaster Recovery Setup ...............................................................................................................
31
6.
Propose A Budget ........................................................................................................................................
31
7.
Test and Review ..........................................................................................................................................
32
Write down all the steps required in disaster recovery process ................................................................... 32
III.
1.
2.
Create an inventory......................................................................................................................................
32
Establish a recovery timeline .......................................................................................................................
32
3.
Communicate, communicate, and communicate .........................................................................................
32
4.
Back up your data ........................................................................................................................................
33
5.
Consider physical damages .........................................................................................................................
33
6.
Consider the human factor ...........................................................................................................................
33
7.
Consider insurance ......................................................................................................................................
33
8.
Test your disaster recovery plan ..................................................................................................................
33
9.
Combine DR and BC ...................................................................................................................................
33
10.
Find the right partner ............................................................................................................................... 34
Explain some of the policies and procedures that are required for business continuity .............................. 34
IV.
1.
Business Continuity Plan (BCP) .................................................................................................................
34
2.
Business Continuity Planning ......................................................................................................................
34
3.
Business Impact Analysis (BIA) .................................................................................................................
34
4.
Comprehensive Emergency Management Plan (CEMP) ............................................................................
34
5.
Continuity of Operations Plan (COOP) .......................................................................................................
34
6.
Critical Functions ........................................................................................................................................
35
7.
Emergency Operations Plan (EOP) .............................................................................................................
35
8.
Mission Essential Functions (MEFs) ...........................................................................................................
35
9.
Recovery Time Objective (RTO) ................................................................................................................
35
10.
Risk Assessment (RA) ............................................................................................................................. 35
Task 4.1 – Discuss the roles of stakeholders in the organization to implement security audit recommendations (M5)
.....................................................................................................................................................................................
35
I.
Define stakeholders ......................................................................................................................................... 35
.....................................................................................................................................................
1.
Definition
35
2.
Problems With Stakeholders ....................................................................................................................... 36
3.
Why Are Stakeholders Important? .............................................................................................................. 36
II.
What are their roles in an organization? .......................................................................................................... 36
1.
What Is the Role of a Stakeholder? ............................................................................................................. 36
2.
What Are the Main Types of Stakeholders? ................................................................................................ 36
3. Examples of Stakeholders ........................................................................................................................... 37
References ...................................................................................................................................................................
38
Table of Figures
Figure 1: Security Risk Assessment................................................................................................................................ 7
Figure 2: Asset ...............................................................................................................................................................
8
Figure 3: Threats ............................................................................................................................................................
9
Figure 4: Data Protection ............................................................................................................................................ 11
Figure 5: Data Protection Process ............................................................................................................................... 12
Figure 6: ISO 31000 Process ........................................................................................................................................ 14
Figure 7: Security Policy............................................................................................................................................... 19
Figure 8: Information security policy framework ........................................................................................................ 25
Figure 9: Business Continuity ...................................................................................................................................... 29
Task 1 – Discuss risk assessment procedures (P5)
I.
Define a security risk and how to do risk assessment
1. Definition of Security Risk Assessment
A security risk assessment finds, evaluates, and applies important security measures in software. It
also focuses on preventing application security flaws. A risk assessment enables a company to
examine its application portfolio holistically—from the standpoint of an adversary. It helps
managers make educated decisions about resource allocation, tools, and security control
implementation. As a result, completing an assessment is an essential component of a company's
risk management approach.
Figure 1: Security Risk Assessment
2. How does a security risk assessment work?
When a company's money or time is limited, it might do broad evaluations. However, broad
evaluations may not often give thorough mappings between assets, related threats, recognized risks,
effects, and mitigation controls. The depth of risk assessment models is influenced by factors like as
size, growth rate, resources, and asset portfolio.
3. How to do risk assessment?
Identification: Determine all the technological infrastructure's important assets. Next, examine the
sensitive data generated, held, or sent by these assets. Make a risk profile for each one.
Assessment: Evaluate essential assets and identify how to dedicate time and resources to risk
mitigation in an effective and efficient manner. The assessment technique or methodology must
examine the relationship between assets, threats, vulnerabilities, and mitigating controls. Administer
a strategy for assessing the identified security threats for key assets.
Mitigation: Define a risk mitigation strategy and put security measures in place for each risk.
Prevention: Implement tools and practices to reduce the likelihood of threats and vulnerabilities
occurring in your firm's resources.
II.
Define assets, threats, and threat identification procedures, and give
examples
1. What’s an asset?
An asset is any important data, equipment, or other component of an organization's systems, generally
because it includes sensitive data. An employee's desktop computer, laptop, or corporate phone, as
well as the software on such devices, would be deemed assets. Critical infrastructure, such as servers
and support systems, is also an asset.
Figure 2: Asset
The most prevalent assets of an organization are information assets, which are the sensitive data
that you hold. The 'information asset container,' which is where the information is maintained, is a
similar idea. This is the program that was used to construct the database in the case of databases.
For physical files, the information would be kept in a filing cabinet.
2. What’s a threat?
A threat is any occurrence that might have a negative impact on an asset, such as if it is lost,
knocked offline, or accessed by an unauthorized person. Threats might be deliberate or
unintentional, and they can involve illegal hacking or insider stealing. Employee mistake,
technology malfunction, or physical damage, such as a fire or natural disaster, are examples of
accidental risks.
Figure 3: Threats
3. Definition of Risk/Threat Identification
Risk identification is a constant and continuing operation that occurs during the Risk Management
Process and throughout the project's life cycle. Every stage of the Risk Management Process should
contain some amount of risk identification. Project activities such as programmatic and technical
meetings, risk analysis, risk planning, telecons, and reviews identify new and existing project risks.
Databases of lessons learnt are also useful for spotting prospective hazards. When this happens, it
should be documented and examined in a database.
4. Risk Identification Procedures
The Risk Integrated Product Team (IPT) compiles a list of potential risk issues. There are several
approaches for identifying dangers. Risk can be detected by:
•
Lessons Learned
•
Subject Matter Experts (SME)
•
•
Prior Experiences
Technology Readiness Level (TRL) determination
•
•
Programmatic Constraints
Brain Storming
•
Work Breakdown Structure (WBS)
Accepted risks should be documented and included into a Risk Register.
Determine the root causes of each disk that has been detected.
Risk analysis should be performed on each identified risk to improve the risk's description, isolate
the source, quantify the impacts, and assist in determining risk mitigation priorities. (Risk Reporting
Matrix)
Risk Mitigation Planning should address each risk with action items and due dates.
The Risk Integrated Product Team (IPT) meets on a regular basis (every two weeks) to analyze
risks and, if necessary, to add new risk items.
Risks are closed when all necessary steps to close the risk have been done. Some high-risk products
are closed fast, while others remain open for an extended period. Some are classified watch items,
and the action plan does not take effect until specific unfavorable circumstances occur. Risks that
have been closed remain in the database for future reference.
5. Common Risk Identification Methods
Objectives-based risk identification: Organizations and project teams have goals. Risk is defined
as any incident that may jeopardize the achievement of a purpose, in part or whole.
Scenario-based risk identification: Various situations are developed during scenario analysis. The
scenarios might represent various paths to achieving a goal or an examination of the interaction of
forces in, say, a market or conflict. Risk is defined as any incident that causes an unfavorable
scenario option to occur.
Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a
categorization of potential risk sources. A questionnaire is developed based on the taxonomy and
knowledge of best practices. The answers to the questions highlight dangers.
Common risk checking: Lists of recognized dangers are accessible in numerous sectors. Each
danger on the list may be tested to see if it applies to a specific circumstance.
III. List risk identification steps
Risk Identification: The goal of risk identification is to determine what, where, when, why, and
how something can impact a company's capacity to function. A company in central California, for
example, would list "the likelihood of wildfire" as an event that could disrupt business operations.
Risk Analysis: This stage entails determining the likelihood of a risk event occurring as well as the
probable outcomes of each occurrence. Using the California wildfire as an example, safety
managers may examine how much rain has fallen in the last 12 months and the level of damage the
organization
could suffer if a fire breaks out.
Risk Evaluation: It compares the scale of each event and ranks them by prominence and
significance. Whichever event is assessed to have a larger likelihood of occurring and causing harm
will be ranked higher.
Risk Treatment: Risk managers may decide to house additional network servers offshore so that
business activities may continue if an onsite server fails. Employee evacuation plans may also be
developed.
Risk Monitoring: Risk management is a never-ending activity that evolves and develops over time.
Repeating and continuously monitoring the procedures can assist ensure that all known and
unknown hazards are covered.
Task 2 – Explain data protection processes and regulations as
applicable to an organization (P6)
I.
Define data protection
Data protection is the process of preventing critical information from being corrupted,
compromised, or lost.
Figure 4: Data Protection
As the quantity of data generated and saved continues to expand at unprecedented rates, the need
of data protection grows. There is limited tolerance for downtime that makes access to critical
information difficult. A big aspect of a data security plan is making sure that data can be recovered
rapidly after it has been corrupted or lost.
II.
Explain data protection process in an organization
1. Media failure
Synchronous mirroring is one way in which data is simultaneously written to a local disk and a
distant location. The write is not deemed complete until a confirmation is received from the distant
site, ensuring that the two sites are always identical. Mirroring necessitates a 100 percent capacity
overhead and may result in data loss.
RAID protection is a less expensive option that requires less overhead capacity. RAID stores the
same data on many drives in separate locations. Therefore, I/O activities overlap in a balanced
manner, boosting performance and security. To restore data, advanced RAID controllers do not need
to read a whole disk.
Erasure coding is a popular alternative to sophisticated RAID in scale-out storage settings. Erasure
coding allows all nodes in a storage cluster to take part in the replacement of a failing node.
Replication is another method of data security in which data is duplicated from one node to another
or from numerous nodes. It occupies at least twice as much space as the protected data.
2. Data corruption
Most storage systems nowadays can track hundreds of snapshots without affecting performance
much. This method allows for regular photographs that may be saved for lengthy periods of time.
With this technology, just a little amount of data is lost, and recovery time is nearly quick. When
data becomes damaged or is destroyed by accident, a snapshot can be mounted, and the contents
copied back.
Figure 5: Data Protection Process
3. Storage system failure
Only updated data blocks are replicated from the primary storage system to an off-site secondary
storage system with snapshot replication. Data centers rely on replication technologies built on
snapshots to defend themselves against repeated disk failures or other severe events. Snapshot
replication is also used to duplicate data to secondary storage for recovery if the primary storage
system fails.
4. Full-on data center failure
In the case of a data center collapse, businesses have many choices for protecting their data. Snapshot
replication, which duplicates data to a secondary server, is one method, but the cost might be
exorbitant. To keep the most recent copies of critical data, a business can employ replication in
conjunction with cloud backup products and services.
III. Why are data protection and security regulation important?
A disk or tape backup is a data storage technology that transfers specified information to a diskbased
storage array or a tape cartridge. Tape backup is an excellent choice for data security against cyber
threats. Although access to tapes might be sluggish, they are portable and intrinsically offline when
not put onto a drive, making them safe from network attacks.
Mirroring allows businesses to produce an exact clone of a website or files so that they are accessible
from many locations.
Storage snapshots can automatically produce a collection of pointers to information saved on tape
or disk, allowing for speedier data recovery, whereas continuous data protection (CDP) backs up all
data in a business anytime a change is made.
Task 2.1 – Summarize the ISO 31000 risk management
methodology and its application in IT security (M3)
I.
Briefly define ISO 31000 management methodology
1. What is ISO 31000?
ISO 31000 is a security analysis technique or risk management procedure that is utilized in a variety
of risk programs across a wide range of sectors. It aids in standardizing
the procedures you take to analyze and manage risk, resulting in a formal and consistent workflow.
2. Why do we use it?
RiskWatch created SecureWatch, our proprietary risk assessment software, to assist our clients in
assessing and managing risk in accordance with ISO requirements. Continue reading to see how we
employ ISO 31000 in SecureWatch and how our methodology differentiates us from the
competition. In our 25 years of expertise, we've discovered that methodology must be adaptable
enough to manage a variety of business activities.
3. What are the benefits of ISO 31000?
ISO 31000 provides a structure, or framework, for your company to identify and manage risks. It
provides firms with procedures to take to predict most problems and develop mitigation methods.
When effectively executed, the risk management process may assist a company in the following
ways:
•
•
Determine potential threats and opportunities.
Reduce your losses.
•
Increase operational effectiveness and efficiency.
•
Encourage employees to detect and treat hazards.
•
Enhanced risk management controls
4. How does it work?
Any business, regardless of size, activity, or industry, can adopt the ISO 31000 risk management
approach. The procedure may be completed correctly if the business adheres to the standards and
concepts. The technique provides a foundation for risk management, but it is adaptable:
Figure 6: ISO 31000 Process
II.
What are its applications in IT security?
ISO 31000 may be essential in preparing a firm for all possibilities; by comprehending the worstcase
scenario, a business is better positioned to make the most of the resources and opportunities already
available to them.
•
Giving you a competitive advantage because ISO is a globally recognized quality standard
sign
•
Increasing employee awareness of organizational risks by incorporating them into the
management framework and delegating responsibility for the processes they often utilize
•
Reduce the frequency of, and ultimately eliminate risks by informing employees and
stakeholders about potential hazards
•
Improve trust of stakeholders by remaining open and disclosing hazards (and demonstrating
risk responsibility and mitigation)
•
Foster forward-thinking mentalities by pushing employees to consider every possible result
of a particular event
•
Improve company culture by bringing separate departments together to exchange new
viewpoints and examine how they may operate more successfully together
•
Improve success rate across all corporate activities by concentrating on the process, looking
forward rather than reacting, and giving workers ownership of their job duties
ISO 31000 is one of the most important papers for individuals who wish to get started with risk
management quickly without losing quality or integrity. One of its most notable features is its
condensed structure; it's difficult to find a more thorough paper that succeeds in compressing so
much information.
Task 2.2 – Discuss possible impacts to organizational security
resulting from an IT security audit (M4)
I.
Define IT security audit
1. Definition
An IT security audit is a thorough inspection and assessment of your company's information security
infrastructure. Regular audits may help you uncover weak points and vulnerabilities in your IT
infrastructure, validate your security procedures, maintain regulatory compliance, and more.
2. Why your company needs regular IT security audits
First and foremost, a complete IT security audit allows you to validate the security of your whole
company's infrastructure, including hardware, software, services, networks, and data centers.
An audit can help you answer the following critical questions:
•
•
Are there any weak spots and vulnerabilities in your current security?
Are there any extraneous tools or processes that don’t perform a useful security function?
•
Are you equipped to fend off security threats and recover business capabilities in the event of a
system outage or data breach?
• If you have discovered security flaws, what concrete actions can you take to address them?
An IT security audit may assist you in ensuring that your organization's information systems fulfill
the rules for collecting, using, retaining, and destroying sensitive or personal data. A compliance
audit is usually carried out by a qualified security auditor from a regulatory body or an independent
third-party vendor. However, in some situations, your company's workers may conduct an internal
audit to ensure regulatory compliance.
3. The steps in an IT security audit
Define the Objectives
•
Outline the objectives that the auditing team hopes to achieve by performing the IT security
audit. Make careful to establish the business value of each aim so that the audit's particular goals
correspond with your company's wider goals.
•
Use this collection of questions as a jumping-off point for brainstorming and developing your
own audit goals.
-
Which systems and services do you want to test and evaluate?
-
Do you want to audit your digital IT infrastructure, your physical equipment, and facilities, or
both?
-
Is disaster recovery on your list of concerns? What specific risks are involved?
-
Does the audit need to be geared towards proving compliance with a particular regulation?
Plan the Audit
•
A well-thought-out and well-organized plan is essential for a successful IT security assessment.
•
You should establish the roles and duties of the management team and the IT system
administrators tasked with audits. Identify any monitoring, reporting, and data categorization
technologies that will be used by the team, as well as any logistical challenges that may arise.
Before the audit begins, document and distribute the plan to ensure that all staff members have
a shared knowledge of the process. Perform the Auditing Work
•
The auditing team should perform security scans on several IT resources to evaluate network
security, data access levels, and other system configurations. As part of a disaster recovery
examination, it's also a good idea to physically check the data center
for resistance to fires, floods, and power outages. To assess workers' understanding of security
risks and adherence to business security policy, conduct interviews with people who aren't on
the IT team.
•
Make a record of all findings discovered throughout the audit. Report the Results
•
Compile all audit-related material into a formal report that can be distributed to management
stakeholders or a regulatory body. The report should contain a summary of any security risks
and vulnerabilities discovered in your systems, as well as any mitigation steps that IT personnel
recommends.
Take Necessary Action
•
Executing repair methods to address a specific security fault or weak area.
•
Employees are being trained on data security compliance and security awareness.
•
Adopting extra best practices for handling sensitive data and detecting symptoms of malware
and phishing attempts.
•
Purchasing new technology to protect current systems and routinely monitoring your
infrastructure for security risks
4. How to Ensure Successful Security Auditing
Establish Clear Objectives – Clearly identifying your goals and scope ensures that the audit is
quantifiable, actionable, and successful. Furthermore, when all members of your auditing team
adhere to the specified objectives, they may stay focused on vital duties while avoiding spending
valuable time and resources on irrelevant or unneeded concerns.
Obtain Buy-in from Key Stakeholders – A security audit requires the support and advocacy of
your organization's senior leaders, including the chief security officer and chief information officer,
to be effective. This level of management support will assist guarantee that the audit receives the
necessary time and resources.
Define Clear Action Items Based on the Audit Results – It is not sufficient to just produce a
report on your results. The audit should help your organization's security by offering clear and
realistic advice for implementing cybersecurity enhancements. Create a plan on how to address any
system vulnerabilities. If a file or data system is not in conformity with regulations, take the
appropriate steps to get it into compliance.
Security Audit Solutions – IT security auditing is most beneficial and successful when performed
on a regular basis. Create a schedule for auditing your complete system portfolio on a regular basis
to ensure compliance with data requirements and operational readiness for intrusions.
II.
What possible impacts to organizational security resulting from an
IT security audit?
Security audits will aid in the protection of vital data, the identification of security flaws, the
development of new security policies, and the monitoring of the efficacy of security methods.
Regular audits can assist ensure that staff follow security best practices and detect new
vulnerabilities.
•
Identify security flaws and holes, as well as system vulnerabilities.
•
Establish a security baseline against which subsequent audits may be evaluated.
•
Comply with internal company security policies.
•
Comply with external regulatory standards.
•
Check to see whether your security training is acceptable.
•
Remove any superfluous resources.
III. When is a security audit needed?
