
BTEC Level 5 HND Diploma in Computing, Unit 5: Security


<span class="text_page_counter">Page 1</span><div class="page_container" data-page="1">

<b> ASSIGNMENT 2</b>

<b>Unit number and title: Unit 5: Security</b>

</div><span class="text_page_counter">Page 3</span><div class="page_container" data-page="3">

<b>A. Introduction:</b>

<b>B. Body</b>

<b>P5 Discuss risk assessment procedures (slide 13-risk mitigation).</b>

<b>I. Definition of security risk and risk assessment</b>

<b>1. Definition of security risk:</b>

A security risk refers to any potential threat or vulnerability that can compromise the confidentiality, integrity, or availability of information or resources. It involves the likelihood of an event or action that could result in harm or damage to an organization's assets, such as data breaches, unauthorized access, malicious software, physical theft, or even human error. Identifying and managing security risks is crucial for organizations to safeguard their systems, networks, and sensitive information from unauthorized access or misuse.

<b>2. Security Risk Assessment:</b>

A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker’s perspective. It supports managers in making informed resource allocation, tooling, and security control implementation decisions. Thus, conducting an assessment is an integral part of an organization’s risk management process (What is Security Risk Assessment and How Does It Work? | Synopsys, no date).

<b>II. Explain asset, threat and threat identification procedure and example</b>

<b>1. Asset:</b>

</div><span class="text_page_counter">Page 4</span><div class="page_container" data-page="4">

An asset is anything that has value or importance for an organization, such as data, documents, systems, networks, devices, etc. Identifying assets is the first step in information security risk assessment, as it helps to determine what needs to be protected and why. Assets can be identified by observing the information environment, consulting with stakeholders and experts, reviewing policies and standards, and using checklists or tools.

In the context of security, an asset refers to any valuable resource that requires protection within an organization's IT infrastructure. Assets in IT security are typically related to digital

</div><span class="text_page_counter">Page 5</span><div class="page_container" data-page="5">

information and technology components. Assets can be categorized into various types, including:

• Digital Information Assets: This includes sensitive and critical information stored and processed by an organization's IT systems. It can encompass various types of data such as customer information, financial records, intellectual property, trade secrets, employee data, or any other confidential or proprietary information.

• Hardware Assets: Hardware assets are the physical devices used in IT infrastructure, including servers, workstations, routers, switches, firewalls, storage devices, or any other hardware components. These assets support the processing, storage, and transmission of digital information.

• Software Assets: Software assets refer to the applications, programs, operating systems, or any other software components used within the IT infrastructure. These assets include commercially licensed software, custom-developed applications, open-source software, or any other software utilized by the organization.

• Network Assets: Network assets involve the various components that constitute the organization's network infrastructure. This includes routers, switches, firewalls, load balancers, wireless access points, and other network devices. It also encompasses the organization's network topology, network diagrams, IP addressing scheme, and network protocols.

• System Infrastructure Assets: These assets include the core components of the IT infrastructure, such as servers, storage systems, data centers, backup systems, and

</div><span class="text_page_counter">Page 6</span><div class="page_container" data-page="6">

virtualization platforms. They serve as the foundation for supporting and maintaining the organization's digital assets.

• Personnel Assets (Human Resources): In IT security, personnel assets are employees, contractors, or other individuals who have authorized access to the IT systems and

</div><span class="text_page_counter">Page 7</span><div class="page_container" data-page="7">

resources. Personnel assets play a critical role in maintaining the security of the IT infrastructure and ensuring the protection of digital assets.

<b>2. Threat</b>

A threat is anything that can compromise or damage an asset, such as hackers, malware, natural disasters, human errors, etc. Identifying threats is the second step in information security risk assessment, as it helps to estimate how likely and severe the potential harm to the assets would be. Threats can be identified by using a threat categorization methodology, such as STRIDE or ASF, which define different types of threats from the attacker’s and the defender’s perspective. Threats can also be identified by analyzing the data flow diagrams (DFDs) of the application, which show the different paths and interactions between the assets

• Malware Attacks: Malware threats encompass various types of malicious software designed to infiltrate or harm IT systems. This includes viruses, worms, trojan horses, ransomware, spyware, adware, or any other malicious programs aiming to compromise the security of systems and steal or manipulate data.

• Social Engineering Attacks: Social engineering threats involve manipulating individuals to gain unauthorized access to IT systems or sensitive information. This can include phishing scams, impersonation, pretexting, baiting, or any other techniques that exploit human vulnerabilities, such as trust or curiosity.

• Unauthorized Access: Unauthorized access refers to threats involving unauthorized individuals or entities gaining access to IT systems, networks, or data. This can include brute-force attacks, password guessing, credential theft, privilege escalation, or any

</div><span class="text_page_counter">Page 8</span><div class="page_container" data-page="8">

other unauthorized attempts to breach system security.

• Denial-of-Service (DoS) Attacks: DoS attacks aim to disrupt or disable IT services, making them inaccessible to legitimate users. This can be achieved through overwhelming the system's resources, network congestion, or exploiting vulnerabilities to exhaust system capabilities.

• Insider Threats: Insider threats involve individuals with authorized access to IT systems misusing their privileges or intentionally causing harm. This can include malicious

</div><span class="text_page_counter">Page 9</span><div class="page_container" data-page="9">

insiders, disgruntled employees, or individuals inadvertently compromising security due to negligence or lack of awareness.

• Physical Threats: Physical threats refer to risks posed by physical factors to IT systems or infrastructure. This includes theft, vandalism, destruction, unauthorized entry, natural disasters, fires, power outages, or any other physical event that can disrupt or damage IT assets.

• Data Breaches: Data breach threats involve unauthorized access to sensitive or confidential data, leading to its exposure, theft, or loss. This can occur due to vulnerabilities in systems, weak security controls, weak cryptographic practices, or human errors.

• Cyber Espionage: Cyber espionage threats involve targeted attacks by individuals, organizations, or nation-states with the intent to steal sensitive information, intellectual property, or gain unauthorized access to critical systems to gather strategic or economic intelligence.

<b>3. Threat identification procedure and example</b>

The threat identification procedure is a systematic approach to identifying potential threats that could harm an organization's assets. It involves a series of steps that help to identify and assess the likelihood and impact of each potential threat. There are different methodologies and procedures for conducting threat identification, depending on the scope, context, and objectives of the analysis. Here are some examples of threat identification procedures:

• Asset Inventory: The first step is to identify and catalog all the assets that need to be

</div><span class="text_page_counter">Page 10</span><div class="page_container" data-page="10">

protected. This includes physical assets such as equipment, buildings, and inventory, as well as intangible assets such as customer data, intellectual property, and reputation. This step helps to ensure that all assets are accounted for and that the organization has a clear understanding of what needs to be protected.

• Threat Assessment: The second step is to evaluate potential threats to each asset. This involves looking at both the likelihood and potential impact of each threat. Threats can come from a variety of sources, including natural disasters, human error,

</div><span class="text_page_counter">Page 11</span><div class="page_container" data-page="11">

malicious attacks, and technological failures. The goal of this step is to identify all potential threats that could harm the organization's assets.

• Vulnerability Assessment: The third step is to identify any weaknesses or vulnerabilities in the organization's security infrastructure that could be exploited by a threat. This could include outdated software, weak passwords, or inadequate physical security measures. This step helps to identify areas where the organization is most vulnerable and where security measures need to be strengthened.

• Risk Analysis: The fourth step is to combine the information from the threat assessment and vulnerability assessment to determine the overall level of risk to each asset. This involves assigning a risk score to each asset based on the likelihood and potential impact of the threats identified, as well as the vulnerabilities identified. This step helps to prioritize which assets require the most attention and resources to protect.

• Risk Management: The final step is to develop a plan to address the most significant risks. This plan may include implementing new security measures, improving existing measures, or transferring or accepting risk through insurance or other means. The goal of this step is to reduce the overall level of risk to an acceptable level and to ensure that the organization's assets are adequately protected.

<b>Example: a small e-commerce store that sells handmade crafts.</b>

Asset Inventory: You identify your website, inventory of handmade crafts, and customer data

</div><span class="text_page_counter">Page 12</span><div class="page_container" data-page="12">

as your primary assets.

Threat Assessment: You identify potential threats to your assets, including:

• Cyberattacks: Malicious actors could target your website to steal customer data or disrupt your operations.

• Natural disasters: Your inventory could be damaged by floods, fires, or other natural disasters.

• Human error: Employees could accidentally delete or mishandle customer data or damage your inventory.

</div><span class="text_page_counter">Page 13</span><div class="page_container" data-page="13">

Vulnerability Assessment: You identify weaknesses in your security infrastructure and supply chain, including:

• Your website software is outdated and not regularly updated.

• Your employees don't receive regular cybersecurity training.

Risk Analysis: You assign a risk score to each asset based on the likelihood and potential impact of the identified threats. You determine that cyberattacks pose the greatest risk to your customer data and website.

Risk Management: You develop a plan to address the most significant risks, including:

• Updating your website software and implementing regular software updates.

• Providing regular cybersecurity training to your employees.
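The Risk Analysis and Risk Management steps of the store example can be worked through as a small risk register. This is an added example, not part of the original assignment: the 1-5 rating scale, the one-step likelihood uplift per vulnerability, the level thresholds and every rating in `STORE_RISKS` are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_RATING = 5      # ratings use a 1-5 scale (assumed; the page gives no scale)
VULN_UPLIFT = 1     # each known weakness raises likelihood by one step (assumed)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int              # 1 = rare .. 5 = almost certain, before weaknesses
    impact: int                  # 1 = negligible .. 5 = severe
    vulnerabilities: tuple = ()  # weaknesses that make this threat easier

    def __post_init__(self):
        # Reject ratings outside the scale instead of silently mis-ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= MAX_RATING:
                raise ValueError(f"{name} must be 1..{MAX_RATING}, got {value}")


def score(risk):
    """Likelihood (raised by known vulnerabilities, capped at 5) times impact."""
    uplift = VULN_UPLIFT * len(risk.vulnerabilities)
    likelihood = min(MAX_RATING, risk.likelihood + uplift)
    return likelihood * risk.impact


def level(points):
    """Bucket a 1-25 score; the thresholds are assumptions for this example."""
    if points >= 15:
        return "high"
    if points >= 8:
        return "medium"
    return "low"


# Treatment options named in the Risk Management step.
TREATMENT = {
    "high": "mitigate: add or improve security measures",
    "medium": "mitigate or transfer (e.g. insurance)",
    "low": "accept and monitor",
}


def build_register(risks):
    """Return one row per risk, highest score first."""
    rows = []
    for risk in risks:
        points = score(risk)
        rows.append({"asset": risk.asset, "threat": risk.threat,
                     "score": points, "level": level(points),
                     "treatment": TREATMENT[level(points)]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


OUTDATED = "website software is outdated"
NO_TRAINING = "no regular cybersecurity training"

# Constructed ratings for the handmade-crafts store.
STORE_RISKS = [
    Risk("inventory", "human error", 2, 2),
    Risk("customer data", "human error", 2, 3, (NO_TRAINING,)),
    Risk("inventory", "natural disaster", 2, 4),
    Risk("website", "cyberattack", 3, 4, (OUTDATED,)),
    Risk("customer data", "cyberattack", 3, 5, (OUTDATED, NO_TRAINING)),
]

if __name__ == "__main__":
    for row in build_register(STORE_RISKS):
        print(f'{row["score"]:>2}  {row["level"]:<6}  {row["asset"]:<13}  '
              f'{row["threat"]:<16}  {row["treatment"]}')
```

With these ratings the two cyberattack rows rank first, which matches the conclusion of the Risk Analysis step in the example.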

<b>III. Risk assessment procedure</b>

A risk assessment procedure in information security is a systematic process of identifying, analyzing, and controlling potential hazards and risks that may affect the confidentiality, integrity, and availability of information and information systems. It aims to prevent or reduce the likelihood and severity of harm to information assets, as well as to comply with legal and ethical obligations, improve security performance and quality, and avoid losses and liabilities.

<b>The 5 steps of a successful security risk assessment model:</b>

Step 1 Establish the Context:

The first step is to establish the context of the risk assessment, which includes identifying the scope, objectives, and stakeholders of the assessment. This step helps to ensure that the assessment is focused and relevant to the organization.

</div><span class="text_page_counter">Page 14</span><div class="page_container" data-page="14">

Step 2 Identify Risks:

The second step is to identify potential risks to the organization's assets. This involves identifying internal and external factors that could pose a threat to the organization's assets, such as natural disasters, cyberattacks, or human error.

Step 3 Analyze Risks:

The third step is to analyze the likelihood and impact of each identified risk. This involves assessing the probability of the risk occurring and the potential consequences if it does occur.

Step 4 Evaluate Risks:

</div><span class="text_page_counter">Page 15</span><div class="page_container" data-page="15">

The fourth step is to evaluate the risks to determine their significance. This involves comparing the likelihood and impact of each risk to determine which risks require the most attention.

Step 5 Develop Risk Management Strategies:

The final step is to develop strategies to manage or mitigate the identified risks. This can include implementing new security measures, improving existing measures, or transferring or accepting risk through insurance or other means.

<b>IV. List risk identification steps</b>

The risk identification steps are part of the risk assessment process and involve identifying potential risks to an organization's assets. The main purpose of the risk identification steps is to identify risks that could negatively impact an organization's ability to achieve its objectives. The following are the main steps in the risk identification process:

Step 1 Identify Assets:

The first step is to identify the assets that need to be protected. This includes physical assets like buildings and equipment, as well as intangible assets like data and intellectual property.

Step 2 Identify Threats:

The second step is to identify potential threats to the organization's assets. This includes natural disasters, cyberattacks, human error, and other threats that could harm the organization's assets.

Step 3 Identify Vulnerabilities:

</div><span class="text_page_counter">Page 16</span><div class="page_container" data-page="16">

The third step is to identify vulnerabilities in the organization's security infrastructure that could be exploited by a threat. This includes weaknesses in hardware, software, and human processes that could be targeted by a threat.

Step 4 Assess Risks:

The fourth step is to assess the risks associated with each identified threat and vulnerability. This involves analyzing the likelihood and impact of each risk to determine its significance.

</div><span class="text_page_counter">Page 17</span><div class="page_container" data-page="17">

<b>P6 Explain data protection processes and regulations as applicable to an organisation.</b>

<b>I. Define data protection</b>

Data protection refers to the practices and measures taken to safeguard data from unauthorized access, corruption, loss, or disclosure. It involves the implementation of policies, procedures, and security controls to ensure the confidentiality, integrity, and availability of sensitive information.

The goal of data protection is to protect data throughout its lifecycle, from the point of creation or collection, storage, processing, transmission, and eventual destruction. It involves safeguarding data against both intentional and unintentional threats or breaches, regardless of the data format (electronic or physical) or storage location (local or cloud-based).

In information security, data protection focuses on safeguarding digital information and sensitive data assets from various threats, including cyberattacks, data breaches, insider threats, and accidental loss.

<b>II. Explain data protection process with relation to an organization</b>

Data protection is essential for any organization that handles sensitive or confidential information. The data protection process involves a series of steps that help to ensure the confidentiality, integrity, and availability of an organization's data. The following are the main steps in the data protection process with relation to an organization:

Step 1 Data Classification:

The first step is to classify the organization's data according to its sensitivity and importance. This helps to identify which data requires the highest level of protection. Data

</div><span class="text_page_counter">Page 18</span><div class="page_container" data-page="18">

classification can be based on various factors, such as legal requirements, privacy regulations, and business needs.

Step 2 Risk Assessment:

The second step is to conduct a risk assessment to identify potential risks to the organization's data. This involves identifying threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of the organization's data. Risk assessment techniques may include vulnerability scanning, penetration testing, and threat modeling.

Step 3 Data Security Controls:

</div><span class="text_page_counter">Page 19</span><div class="page_container" data-page="19">

The third step is to implement data security controls to protect the organization's data. This includes technical controls like access controls, encryption, and data backup, as well as administrative controls like policies, procedures, and training. Data security controls should be designed to mitigate the risks identified in the risk assessment.

Step 4 Monitoring and Response:

The fourth step is to monitor the organization's data security controls and respond to any incidents or breaches. This includes monitoring for unusual activity, conducting regular security audits, and having an incident response plan in place.

Step 5 Review and Update:

The final step is to review and update the organization's data protection process on a regular basis. This includes reviewing data classification, risk assessment, data security controls, and monitoring and response procedures to ensure that they are up-to-date and effective.

<b>III. Why are data protection and regulation important?</b>

<b>1. Why is data protection important?</b>

Data protection is important for several reasons: Safeguarding Confidentiality, Integrity, Availability, Compliance, and Reputation.

• Confidentiality: Data protection helps to ensure the confidentiality of sensitive information. Confidential information, such as personal identifying information, financial data, and trade secrets, can be targeted by cybercriminals and other malicious actors. Data protection measures like encryption and access controls can help to prevent unauthorized access to confidential data.

</div><span class="text_page_counter">Page 20</span><div class="page_container" data-page="20">

• Integrity: Data protection helps to ensure the integrity of information. Data can be altered or modified by cybercriminals and other malicious actors, which can compromise the accuracy and reliability of the information. Data protection measures like data backup and validation can help to ensure the integrity of data.

• Availability: Data protection helps to ensure the availability of information. Cyberattacks and other security incidents can disrupt the availability of critical information, which can impact business operations and customer trust. Data protection measures like data backup and disaster recovery planning can help to ensure the availability of data.

</div><span class="text_page_counter">Page 21</span><div class="page_container" data-page="21">

• Compliance: Data protection is often required by regulatory and legal frameworks. Organizations may be required to comply with data protection regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), to avoid legal and financial penalties.

• Reputation: Data breaches and other security incidents can damage an organization's reputation. Customers and partners may lose trust in an organization that fails to protect their sensitive information. Data protection measures can help to maintain trust and protect an organization's reputation.

<b>2. Why is data regulation protection important?</b>

Data regulation protection is important for several reasons, including:

• Protecting Personal Information: Data protection regulations help to protect personal information, such as names, addresses, and other identifying information, from being misused or exploited. This information can be used for identity theft, fraud, and other malicious activities. Data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require organizations to obtain consent before collecting or using personal information and to implement measures to protect this information from unauthorized access or disclosure.

• Preventing Data Breaches: Data breaches can have serious consequences for individuals and organizations. Data protection regulations require organizations to implement measures to prevent and detect data breaches, such as encryption, access controls, and monitoring. In the event of a data breach, regulations require organizations to notify

</div><span class="text_page_counter">Page 22</span><div class="page_container" data-page="22">

affected individuals and take steps to mitigate the impact of the breach.

• Ensuring Data Accuracy: Data protection regulations help to ensure the accuracy of data by requiring organizations to maintain accurate records and provide individuals with the ability to correct inaccurate information. This is especially important for financial and healthcare data, where inaccurate information can have serious consequences.

• Protecting Sensitive Data: Data protection regulations help to protect sensitive data, such as financial and healthcare information, from being misused or exploited. Regulations like the Health Insurance Portability and Accountability Act (HIPAA) require healthcare

</div><span class="text_page_counter">Page 23</span><div class="page_container" data-page="23">

organizations to implement measures to protect sensitive patient information, while regulations like the Payment Card Industry Data Security Standard (PCI DSS) require organizations to protect credit card information.

• Maintaining Trust: Data protection regulations help to maintain trust between individuals and organizations by demonstrating a commitment to protecting personal information. Organizations that comply with data protection regulations are more likely to earn the trust of their customers and partners, which can lead to increased loyalty and revenue.

<b>P7 Design and implement a security policy for an organisation.</b>

<b>I. Define and discuss what is security policy</b>

A security policy is a documented set of rules, guidelines, and procedures that an organization establishes to protect its assets, resources, and information from unauthorized access, disclosure, alteration, or destruction. It serves as a roadmap for implementing and maintaining a secure environment, defining the organization's overall approach to security and providing guidance for employees, users, and administrators.

The primary goal of a security policy is to provide a framework for safeguarding sensitive and valuable information from unauthorized access, alteration, loss, or disclosure. It serves as a guide for employees, contractors, and other stakeholders, outlining their responsibilities and expectations in maintaining the security posture of the organization.

<b>II. Give examples of policies</b>

• <b>Password Policy: This policy defines requirements for creating strong and secure</b>

</div><span class="text_page_counter">Page 24</span><div class="page_container" data-page="24">

<b>passwords. It may specify minimum password length, complexity (e.g., including uppercase letters, numbers, and special characters), password expiration periods, and restrictions on password reuse.</b>

• <b>Acceptable Use Policy: This policy outlines acceptable and unacceptable behaviors when using organization resources, such as computers, networks, and internet access. It may address prohibited activities (e.g., unauthorized software installation, accessing inappropriate websites), guidelines for personal device usage, and consequences for policy violations.</b>

</div><span class="text_page_counter">Page 25</span><div class="page_container" data-page="25">

• <b>Remote Access Policy: This policy establishes guidelines for secure remote access to internal networks and systems. It may include requirements for virtual private network (VPN) usage, multi-factor authentication, and encryption of data transmitted over remote connections.</b>

• <b>Data Classification Policy: This policy defines how sensitive data should be classified based on its level of confidentiality, integrity, and availability. It may provide guidelines on handling and protecting different data classifications, access controls, and data retention periods.</b>

• <b>Incident Response Policy: This policy outlines the organization's procedures for responding to security incidents, such as data breaches or cyber attacks. It may include incident reporting channels, roles and responsibilities of incident response team members, and steps for containment, investigation, and recovery.</b>

• <b>Bring Your Own Device (BYOD) Policy: This policy addresses the use of personal devices (e.g., smartphones, tablets) in the workplace. It may specify security requirements for personal devices connecting to the organization's network, such as device encryption, remote wiping capabilities, and acceptable use restrictions.</b>

• <b>Physical Security Policy: This policy focuses on securing physical assets and facilities. It may cover measures such as access control systems, video surveillance, visitor management, and guidelines for securing equipment and sensitive documents.</b>

• <b>Social Media Policy: This policy provides guidelines for employees' use of social media platforms while representing the organization. It may include rules for protecting</b>

</div>
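The four controls named in the Password Policy item above (minimum length, complexity, expiration and reuse restrictions) can be enforced in code as follows. This is an added example, not part of the original assignment: the numeric limits, the function names and the sample passwords are assumptions, since the policy text names the controls without giving values.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Policy parameters (assumed values; the policy text gives no numbers).
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_SIZE = 5
PBKDF2_ROUNDS = 100_000   # kept modest so the example runs quickly


def digest(password, salt):
    """Salted, slow hash so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


def remember(password):
    """Create a (salt, digest) history entry for a password that was set."""
    salt = os.urandom(16)
    return salt, digest(password, salt)


def complexity_failures(password):
    """Length and character-class rules from the policy."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def is_reused(password, history):
    """True if the candidate matches one of the last HISTORY_SIZE entries."""
    recent = history[-HISTORY_SIZE:]
    return any(hmac.compare_digest(digest(password, salt), stored)
               for salt, stored in recent)


def is_expired(last_changed, today):
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > MAX_AGE


def check_new_password(password, history):
    """Return every policy rule the candidate breaks; empty list = accepted."""
    failures = complexity_failures(password)
    if is_reused(password, history):
        failures.append("matches one of the last passwords")
    return failures


if __name__ == "__main__":
    # Constructed sample data.
    history = [remember("Winter-Crafts-2023!"), remember("Spring-Crafts-2024!")]
    for candidate in ("crafts", "Spring-Crafts-2024!", "Summer-Crafts-2024!"):
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 6, 1)))
```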
