Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

IT Security Audit: A Comprehensive Guide to Protecting Your Organization

Verified

Added on 2024/05/30

AI Summary

This comprehensive guide explores the critical aspects of IT security audits, providing a detailed understanding of their purpose, methodology, and impact on organizational security. From identifying and assessing risks to implementing effective mitigation strategies, this document delves into the key components of a successful security audit. It examines the roles of stakeholders, including auditors, management, and employees, in ensuring the successful implementation of audit recommendations. The guide also highlights the importance of data protection processes and regulations, emphasizing the need for robust security measures to safeguard sensitive information. By understanding the principles and practices outlined in this document, organizations can strengthen their security posture, mitigate vulnerabilities, and protect their valuable assets.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

SECURITY

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

TABLE OF CONTENTS
Introduction......................................................................................................................................1
LO1..................................................................................................................................................2
P1 Identify types of security risks to organizations.....................................................................2
P2 Describe organizational security procedures..........................................................................4
M1 Propose a method to assess and treat IT security risks.........................................................6
LO2..................................................................................................................................................7
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies
and third-party VPNs...................................................................................................................7
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a
network can improve Network Security......................................................................................9
M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
...................................................................................................................................................11
LO3................................................................................................................................................13
P5 Discuss risk assessment procedures.....................................................................................13
P6 Explain data protection processes and regulations as applicable to an organization...........15
M3 Summaries the ISO 31000 risk management methodology and its application in IT
security.......................................................................................................................................17
LO4................................................................................................................................................18
P7 Design and implement a security policy for an organisation...............................................18
P8 List the main components of an organizational disaster recovery plan, justifying the reasons
for inclusion...............................................................................................................................20
M4 Discuss possible impacts to organization security resulting from an IT security audit......22
M5 Discuss the roles of stakeholder in the organization to implement security audit
recommendations.......................................................................................................................23
Conclusion.....................................................................................................................................24

References......................................................................................................................................25
LIST OF TABLES
Table 1: Potential benefits of network monitoring tools..............................................................11
Table 2: Types of risks..................................................................................................................21

LIST OF FIGURES
Figure 1: Different types of security test.........................................................................................5
Figure 2: NAT interfaces.................................................................................................................9
Figure 3: DMZ in network.............................................................................................................10
Figure 5: Components of security policies....................................................................................18

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Introduction
Organization applies IT solution in the network for improving it functionality and performance
which also introduce various challenges in the network. Therefore, the organization must
maintain network security which consist of various policies, standards and methods which are
used for monitoring and preventing the organization from unwanted and unauthorized access of
data and resources. In these report fundamentals of network security will be studied along with
understanding various risk associated with the organizational network. Any kind of network gaps
will result in loss and unavailability of data and resources to the users. Various policies and
strategies used in an organization for minimizing and protecting the network against the risk will
be studied. The report discusses about procedure that is required for risk assessment in the
network. Lastly the current report will illustrate a design for upholding network security that is
implemented along with implementation of several security policies. The report will also discuss
about a plan for disaster recovery if the organization faces damages.
1

LO1
P1 Identify types of security risks to organizations
Some of the common risk faced by organization are discussed below:
Unauthorized use of a system:
Access is said to be unauthorized when somebody has the admission to a system, website, server,
programs. Unauthorized access is when a user tries to enter a system are where they are not
permitted. Common types of unauthorized access are Tailgating, Door Propping, Levering
Doors, Keys, Access Cards. Accessing the system Illegally will result in generation of dangerous
situations for the organizational business hence for combating this type access control
technologies must be applied. System administrators must set up alerts if any attempts of
unauthorized access attempt, along with application of user ID and passwords for securing the
systems.
Unauthorized removal or copying of data:
Unauthorized removal or copying of data is commonly called as Data thefts. Here a person or
hacker intestinally tries to steal or copy confidential organizational information to cause harm.
Common mode of data theft includes using memory cards, hard drives, emails, remote access.
These tools are used for stealing data of the organization which has some value for example,
customer details, algorithm or source code used in the system and network, network credentials,
personal information etc.
Damage of physical system assets and environment:
The hardware theft or damage occur even if the network is under the controls of administration
and technical support. Safeguarding the physical and environment are generally ignored.
However, it is most important technique to protect data and information of the organization. The
rooms and buildings that are used for storing the information and the system should be protected
appropriately so that physical damage is avoided.
Naturally occurring risks:
2

Naturally occurring risk are unavoidable. Natural disaster such as hurricane, earthquakes, floods,
fire lightning can result in causing unembellished impairment to computer systems connected in
an organization. Damage of systems will cause loss of Information, reduction in productivity,
hardware damage and various other vital services will be disturbed. Natural risk also includes
war, riots, terrorist attacks and other human activity, that cannot protect the computer system
even by applying controls and policies of computer security. There are only limited safeguards
that can be applied in case of natural disasters. Best practice the organization can apply is to have
contingency and disaster-recovery plans which will be effective in restoring the loss data for
continuation of the business operation.
3

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

P2 Describe organizational security procedures
Organizational security:
Proper security measures and practices must be undertaken in an organization for protection of
the various information present in the network systems. Main purpose of the organizational
security procedure is to protect the network and information from unauthorized access,
corruption, destruction my minimal technical, physical and administrative involvement.
Description of security procedure that organization follows is provided below:
Business continuity
Continuity of business refers to a capability of the organization to continuing or preserving all
the important functions even after or during the occurrence of a disaster. Risk
management processes is included in business continuity method which are for avoiding
disruptions in the service which are very crucial and also to regenerate all the organizational
function effectively and fully as fast as possible. For planning a proper business continuity
plan all the unpredictable events, like natural disasters, outbreaks, fires, cyber attacks are taken
into consideration (White et al 2017). Key element of the business continuity plan includes
recovery, resilience and contingency.
Data backup and restoration
Data protection is the top priority on an organization. any kind of data loss will encourage surge
of customer complaints. Various protective methods are applied in the organization with an aim
to minimize chances of loss of data or system damage. The organization implements strict policy
of maintaining backups of data. Advance technologies like coping data to disks and clouds are
maintained which are relatively quicker and easy way of storing and retrieving data.
IT security Audits
Security audit is referred to an evaluation of organizational security in a systematic manner. It
studies and understands the information system of the organization by measuring and calculating
the performance of the network. In the process of auditing security of the network is assessed
characteristically in regarding to its environment, physical configuration, software used, process
used for information handling etc. mainly an organization opt to follow security audits for
determining the supervisory obedience.
4

Testing procedures
The organization undergo various Security Testing, these are kind of Software Testing that are
helpful in guaranteeing that the network, system and data in the organizational network do not
have any loopholes or breaches. Tests are conducted for identifying and classifying all the
probable and possible gaps and network loopholes that may be are a reason for weakening
system leading to gateway for unauthorized access and data loss.
Figure 1: Different types of security test
Various security tests are applied for identifying the treats and vulnerabilities that in turn will be
helpful in calculating risk, through which proper measures and techniques can be implemented
for protection of the entire network.
5
SECURITY
TEST
VULNERABILITY
TEST
SECURITY
SCANNING
PENETRATION
TEST
RISK ASSESMNT
SECURITY
AUDITING
ETHICAL
HACKING
POSTURE
ASSESSMENT:

M1 Propose a method to assess and treat IT security risks
A number of Information Security (InfoSec) Risk Assessment techniques are present and
implement in different organization. The method of ISRA is chosen for an organization
according to the desired output result it achieves for the organizational network. One of the most
commonly used methods is using ISO/IEC 27005:2011x standard. The International
Organization for Standardization or ISO and the International Electro technical Commission
(IEC) are two organizations that helps in providing global standardization. ISO/IEC 27005:2011
is a subset of ISO27000 standard series which is capable of offering information security risk
management guidelines. And is designed for assisting the application of information security
which is according to risk management approach (ISO 27005, 2018)
Irrespective of size and structure ISO/IEC 27005 can be applied for attaining guidance and
advice in any organizations. Contents and benefit of ISO/IEC 27005 are as follows:
 ISO/IEC 27005 offers guidelines that can be helpful for IT security risk management for
the organization.
 This standard at present is completely associated with the risk management according to
International Standard, ISO31000. Along with ISO/IEC 27005, ISO31000 can be
implemented combined for managing the risk more accurately.
 Combined concepts of ISO27001 and ISO27002 are used in ISO27005, providing better
and successful framework to the organization for managing their information security
efficiently.
6

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

LO2
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and
third-party VPNs
Incorrect firewall configuration
Firewall plays a significant role in providing network security therefore it must be configured
properly. But is the configuration of the firewall being not proper it may result various network
breaches. If the configuration of firewall policies is not proper it will encourage unauthorised
user to enter the organisation and access important information and resources of the network.
Organisational data and files can be misused for various reasons like rivalry and personal use,
affecting the overall functionality of the organisation. Hackers can easily interfere using open
ports which will mainly result in data loss and they are even capable of misleading the
authenticate network users by altering or blocking their access to the stored data and available
resources of the organisation. Wrong configuration of firewall will lead to generation of network
breach that will in turn disturb security, accuracy and consistency (Stallings, 2000).
Firewall policies having, Shadowed rules, Unused rules, Unattached objects, Expired rules , and
Rules t are not optimally ordered should be discarded as soon as possible as it may leads in the
generation of issues such as, poor accountability, lack of visibility and undetected network
breaches.
Incorrect VPN configuration
Virtual private network operates through binary mode. If the connection of the VPN is not secure
then in most cases traffic sent does not reach a secured resource causing security breaches.
Common issues of VPN if not configured effectively are stated below:
Mismatch of Shared Key: This is one of the most commonly occurring errors that is found if
the configuration of the VPN connection is not proper. Shared key mismatches are listed as psk
mismatch errors. Hence it is recommended to verify the value of Shared Key for a VPN
connection.
Isolated Networks: The connection of VPN will fail in case of remote vDC/vApp network.
7

Unsupported VPN Types: There are some types of VPNs which do not supported VPN
connections between the Data Centres and n-premise networks.
NAT Traversal, on-premise (peer site) network does not support is placed behind a NAT device.
Source for the encryption domain must not be placed in NAT address but is behind NaviCloud
Director Firewall.
8

P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network
can improve Network Security.
NAT
Network Address Translation or NAT method is used for translating IP or Internet Protocol
addresses from a group to another which is see-through to users end. NAT usually interprets
addresses of the source and destination and Internet Protocol datagram ports in the systems.
Installation of doe not require any changes in hosts or the routers, here routable addresses can be
reused globally that is effective in adding new networks or easy migration. Using NAT private
networks addresses can be kept hidden (Pierson, et al 2015).
x
Figure 2: NAT interfaces
NAT is a method which basically runs on networking device which is capable of linking two
different networks. One of the networks is assigned as inside, here the systems are addressed
using obsolete or private addresses which need to be changed to universally routable IP
addresses formerly to forwarding the data packets to outside network. NAT functions along with
routing.
DMZ
Demilitarized zone or DMZ is the network or host which is implemented for securing the
organizational network; it is an intermediate network or can be referred as track between internal
network of the organization and non-propriety or external network such as internet. DMZ can be
stated as front-line of a network which directly intermingles with external networks even being
logically separated.
9

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Systems of the network placed in DMZ provide various services to public, for example, DNS
(domain name services), Web services, FTP services etc.
Figure 3: DMZ in network
DMZ is implemented in an organizational network for protecting the internal network from
being exploited by unauthorized access. DMZ is basically a logical sub-network or can be a
physical network that is secure bridge created between the external and internal network. Limited
accessed is provided to internal network in DMZ. Here all the network communication or traffic
is scanned by the firewall before internal transmission. DMZ is a more secure approach in
comparison to firewall, and in a network, it can function as proxy server.
Static IP
Static IP address or fixed IP address is IP or Internet Protocol address, which is a set of numbers
allocated to a device in the network usually by the network administrator. Static IP addresses
never change unlike dynamic IPs. IP recognizes a device in the network that is linked with
internet. Routing of information and data to a destination is possible using Static IP (Perlman, et
al 20016). Static IP addressing in the business offers more network security in comparison to
DHCP address assignment.
10

M2 Discuss three benefits to implement network monitoring systems with supporting reasons.
In big organisational network having multiple devices and users the manual practices fail to
manage and control it. Therefore, the network must be introduced to software tools or application
by the deployed network administrators; these tools are capable off monitoring the network and
other service associate with it automatically (Aki, et al 2008). Monitoring tools maintain network
security and minimises the time needed for the management purposes. Significant aids that an
organisational network achieve after the implementing a network monitoring system is explained
here:
Table 1: Potential benefits of network monitoring tools
Benefits Description
Improving security and cost cutting A single network monitoring system is effective
in managing the entire network by appointing
many administrators.
Human resources required for monitoring the
network will be required less therefore there will
be reduction of cost.
network security is enhanced by using network
monitoring system as it offers quicker data packet
analysis, generating automatic report, tracking
application etc.
Reporting issues and Remediate disasters The network monitoring system is capable of
offering auto recovery to the network in case of
disaster without any manual support.
The entire organisational network is controlled
and managed by various policies, standards and
rule assigned by the network administrator.
The monitoring system generating various reports
is an issue is found in the network and the report
is then sent to the respective user for his attention
(Kizza, 2017).
Robust administration The organisation must apply a network
monitoring system in its network for identifying
11

and recognising any kind of unwanted activities
resulting in network breakdown or lowing
capacity.
The network monitoring tools can perform its
routine function without any manual help.
The network can receive real time notification and
fast reporting in case of any malicious activity is
performed in the organisation with the monitoring
tools.
12

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

LO3
P5 Discuss risk assessment procedures.
Risk assessment
Risk assessment is a common term which is used for defining all the methods and process for
identification of risks and factors in a network that can harm the organization in terms of
functionality, security and performance. The risks are then analyses and evaluated for
determination of suitable methods for elimination and controlling the possible and probable risk.
For risk assessment organization follow proper Enterprise risk management. Some of the
procedures of risk assessment are discussed below:
Enterprise risk management
Enterprise risk management or ERM is referred to a business strategy which is plan based. These
are applied in an organization for identification, assessing and preparing the network and users
against any physical or logical dangers that can hamper the organizational function maintaining
its objective and aims. ERM includes generation of an effective plan for performing various
actions with concerns of all the associated stakeholders.
Network change management
For attaining more service quality, the network demands changes to satisfy the needs of the
customers and clients associate with the network. Changes are made mostly by re-examining all
the ongoing procedures and processes. Hence the organization must follow a proper network
change management that ensure that the organization is following standardized methods for
handling the changes promptly. In a configured management system all the changes in the
network are recoded. These network change management in the organization helps in
minimizing and minimizing risk. In a network changes are opted to be managed mostly for
reducing the impact severity (Gamundani and Joseph, 2016).
13

Audit control
IT audit in an organization is defined as an audit procedure that involves evaluating and
reviewing of an automated system that helps in information processing. IT audit in the network
includes two main steps. One is gathering of information and second is to understanding the
present internal control structure. Once all the evidence of risk or gaps in the network is
understood by the auditor, he is responsible in determining whether the operation which is
audited are effective and controlled or not.
Business continuance/disaster recovery plan
These are considered one of the most important procedures that an organization must undertake
for preparing the organization for all the unexpected risks for continuing its processes. The plan
for business continuance comprises of various other processes like analyzing the risks,
contingency plan, and a plan for disaster recovery. Disaster recovery is effective as it helps in
resuming business even after an unsettling event.
14

P6 Explain data protection processes and regulations as applicable to an organization.
Data protection process:
Data protection process is followed in an organization for securing all the significant information
and data present and processing in the network from any kind of loss, damage or corruptions.
Data protection strategies are implemented in an organization for confirming that data in the
network can easily be restored even after any loss. Process of data protection includes two
significant procedure like operational data backup and disaster recovery plan and business
continuity. The strategy of data protection is applied for managing data and data availability.
For the data protection storage technologies are used, presently clouds and hard disks are used
for data backup so that data can be stored safely. These backups can be restored easily in
minimum time.
Organizational regulations:
These regulations are applied for protecting the employees and offer essential information
regarding work-related safety and methods for preventing against occurrence of hazards.
Regulations are listing of rules that help in protection and prevention of risk in the organization,
helping management systems.
Access control
The organization chooses to implement techniques and methods for controlling the access of data
and systems in the network for maintaining security in the organization. In access control, user
and their activities regarding interaction or communication between other resource and system
are controlled.
Logical security:
Passwords: for identification of the user using system and devices in the network of the
organization proper authentication is required which can be maintained by using unique user
names and passwords.
15

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Physical security types:
Biometrics: the organization chooses to implement biometric system that is capable of
identifying and verifying a user by analyzing their personal and unique attributes like voice,
facial scan, finger prints, retina scan etc. although it is very expensive but provide accurate
verifications.
Swipe cards: This method for access control uses a physical card which holds various
information of the user.
16

M3 Summaries the ISO 31000 risk management methodology and its application in IT security.
The performance and functionality of a network decline with the existence of risk and damages
in organizational. Therefore, proper management in od network security is required for
controlling and managing all the probable and possible risk in the network.
ISO 31000 is referred to a collection of several standards that are coded mainly by International
Organization Standardization which is mainly used for risk management. ISO 31000 standards
are expected international for the purpose of risk management in any organization irrespective of
size and structure of the organization. Risks of an organization can be managed and controlled
effectively with the help of various guidelines, framework and principles. This standard
provides basic guidelines to the organization that concerns mostly about the design,
implementation process and risk maintenance by understanding opportunities and risk associated
with the network.
Risk management by application of ISO31000
 Risk is avoided by determining that no same risk will occur again.
 The source of the risk is removed
 Likelihood of risk occurrence is changed
 By altering the consequences
 Risk and its occurrence should be shared among various associated stakeholders.
Guideline of ISO31000
 It provides various guidelines for risk management for an organization. however, the
guideline’s application can be modified according to the organizational need.
 These standards offer an approach that is common for all organization for risk
management.
 These standards can be used in an organization throughout its life and any activities and
function can apply this standard for maintaining its operation.
17

LO4
P7 Design and implement a security policy for an organisation.
Organizational security policies
Security policies applied in an organization forms the first line of defence against risk,
vulnerabilities and unauthorized access. The format for the policy is the living document which
should be designed in such as way that it can be understood by all the stuff, stakeholders, third
party auditors, suppliers etc. the policies must be written and update frequently so that it is
capable of resolving issued in the organizational network due to some kind of gaps.
Policies in most of small organization are generated locally by using common sense and
experience as their guideline. But, in big or medium size organization special software’s are
used like Penta safe that has the ability to generate policies for the organization automatically.
for managing the policies, security policies are often implemented using a firewall server.
one of the important point that need to be considered while designing security policies is its
flexibility allow flow of information (Cherdantseva and Hilton, 2013). Presently organizations
ask for strong security policies so that transmission of information and IP intellectual property is
effectively done.
The security policies in an organization is designed and Implemented according to the suggestion
provided by standards bodies. Security policies are applied for data and resources availability in
the network. Different policies in an organization are applied on the basis of nature, size and
structure the organization poses with an objective to uphold CIA (confidentiality, integrity, and
availability).
Figure 4: Components of security policies
18

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Governing policy: High-level treatment of security ideas is included in this type of policies
which are very important to organization. These governing policies are responsible for
controlling interaction related to security between the business unit of the organization and their
supporting departments. Governing policy answers the question “what” in a security policy.
End-user policies: The document shelters security topics which are very important in
prospective of the end users. End-user policies answers question like ‘who’, ‘what’, ‘when’,
‘where’ in details to the end users
Technical policies: Technical policies are mostly used by the security staff members so that role
and responsibilities regarding sustaining the network security can be understood. These types of
policies are more detailed in comparison to than the governing policy and are very specific to the
system or issues. Along with what, where, who, when the policy also explains why factor.
19

P8 List the main components of an organizational disaster recovery plan, justifying the reasons
for inclusion
DRP or disaster recovery plan is basically a documented and structured method that includes
various instructions for retorting towards an accidental event. This a stepwise plan that contains
some precautions which are helpful in reducing the impacts of disaster in an organization so that
important functions and operation can be resume as soon as possible. In general, the disaster
recovery plan includes analyzing business procedures and need for its continuity.
Before a detailed plan is generated for disaster recovery, the organization firstly need to perform
BIA or business impact analysis along with risk analysis, so that recovery time objective and
recovery point objective can be established efficiently.
Most significant components of a disaster recovery plan for an organization is discussed below:
1. Analyzing Disasters, Risk and Threats
The very first phase of the disaster recovery plan is to identify and analyze all the
possible disasters, threats and risk within the organization (Recovery plan, 2018). These
risk analyses include assessment of the physical security systems, environmental, control
systems and evaluating the network performance in case of disaster. Risks are of five 5
types:
20
A n aly sisin g D isa ste rs, R isk a n d T h re a ts
Cre ati n g a D isa ste r R e co very P la n b y T h rea ts cla sifi cati o n w ith a S crip te d A cti o n s
Cre ati n g a su ita ble C o m m u n icati o n C h an ne ls
C u rren t n e tw o rk d iagra m an d d ire cti o n fo r re co very p la n n in

Table 2: Types of risks
Types Caused by
External Risks human inflicted, nature etc.
Facility Risks Disturbance in facility like fire, electricity,
water, telephone lines and internet etc.
Data System Risks Sudden disturbance in data
communication network, virus attack,
failure of data storage systems, bugs.
Departmental Risks Physical damage like catching fire, flood.
Desk Level Risks When a system is not used for long time
2. Creating a Disaster Recovery Plan by Threats classification with a scripted action
After the identification of potential risks, a detailed plan for disaster recovery is generated
on the basis of the threats. Here, recovery steps used in the organization is documented in
simple and understandable language so that the entire network user can easily understand
the plan. Bullet points are used for listing so that complication is avoided when actual
disaster strikes.
3. Create suitable Communication Channel
Due to lack of a proper communication system in the organization disaster recovery plans
may fail. Hence it is recommended that proper communication must be maintained
between authorities and the employees. In some case, organizations also opt for
incorporating with products provided by third-party vendors and strategies of
communications are applied for eliminating lack of communication issue. Roles and
responsibilities of stuff members are listed down in case any disaster occurs.
4. Current network diagram and direction for recovery planning
Network diagram is created for the organization. Info graphic are used for writing easy
and operative recovery planning.
21

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Implementation of the disaster recovery plan will be successful only when all the documents are
kept updated and by educating the stuff members in the organization regarding the plan s and
disaster that can occur in the organization by conducting meetings and seminars.
M4 Discuss possible impacts to organization security resulting from an IT security audit
IT security audits in an organization is performed specially by well trained and skilled personals
who are appointed as an auditor. The process of auditing is very essential and is effective in
identifying and categorizing network breach is caused in an organization. These breaches in
network that will be a gateway for unauthorized user to access different and significant files, data
and resources of the organization unlawfully (Herath, and Herath, 2014.)
The process of conducting the IT security audit is very helpful for an organizational as all the
vulnerabilities, threats or any kind of malicious activities in the network can be identified for
knowing the level of risk and its impact in the organization in terms of function, performance or
security. The Auditor need to follow an appropriate audit process for calculating the risk and it
likelihood
The auditor after accessing the risk provide various recommendation for using suitable methods
and tools for protection of the network by managing and controlling the risk that has or can
happen. After the recognition of risk and the tool for its mitigation next step the auditor must
take is creating proper documents, this document can be used for referral purpose.
22

M5 Discuss the roles of stakeholder in the organization to implement security audit
recommendations.
The internal security audits in an organization is done mostly by a technically sound and skilled
Auditor. These expert persons are specially appointed for the process of network auditing. For an
effective auditing process, the auditor initially needs to identify and classify various stakeholders
associated with the organization directly or indirectly. After identification of the stakeholders of
the organization, the auditor then needs to accomplish the IT auditing process with the help of
various methods (It-security-audit, 2018). The network must apply different tools and techniques
for securing and protecting the data and information present or stored in the organizational
systems and network. The stakeholders must be informed about the occurrence of risk and their
level of likelihood, and thus they will be proving with appropriate recommendation about the
tool to be used in the network for managing and controlling the risk in the organization.
The proper network and risk management in any organization, the Stakeholders must have
dynamic participation in the entire auditing process for IT security of the organizational network.
The auditor gains more suggestions and recommendation regarding the tools and techniques that
can be used in the network for maintain security and overall performance of the network. The
management of the organization need to assume occurrence of all possible and probable risk and
vulnerabilities so that suitable conclusion can be taken by applying proper tools and techniques
in the network. The process of auditing helps in improving the network in terms of performance
and security, availability and reliability by mitigating the risk. Senior manager of the
organization is also stakeholder together with the owners and shareholders who are generally
accountable for approving the tools which are appropriate for providing and maintaining network
security in the organization.
23

Conclusion
The above report has discussed about different type of security risk that an organization come
across while implementing IT solution in its network for transmission of data and
communication. If the organizational network faces various risk the organization must undertake
various procedures for the purpose of maintaining security in the network so that no
unauthorized user can enter the network and access data and resources unlawfully. The report
has discussed about potential impact that the network of the organization can face due to wrong
configuration of firewall and VPNs. The report has also evaluated the network security
improvement by implementing NAT, DMZ and static IP. In the next task the report has
discussed about procedure of risk assessment that the organization undertake along with data
protection and regulation process. Lastly the report discusses about various security policies
implemented in the network and a disaster recovery plan for improving network security.
24

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

References
Books and Journals
Aki, Y. and Saito, H., Fujitsu Ltd, 2008. Network monitoring system. U.S. Patent 7,353,269.
Gamundani, A.M. and Joseph, A., 2016. An Analysis of Network Defensive Techniques
Towards Organisational Security.
Kizza, J.M., 2017. Guide to computer network security. Springer.
Herath, H.S. and Herath, T.C., 2014. IT security auditing: A performance evaluation decision
model. Decision Support Systems, 57, pp.54-63.
Perlman, R., Kaufman, C. and Speciner, M., 2016. Network security: private communication in a
public world. Pearson Education India.
Pierson, G. and DeHaan, J., iovation Inc, 2015. Network security and fraud detection system and
method. U.S. Patent 9,203,837.
Stallings, W., 2000. Network Security Essentials: Applications and Standards, 4/e. Pearson
Education India.
White, G.B., Fisch, E.A. and Pooch, U.W., 2017. Computer system and network security. CRC
press.
Cherdantseva, Y. and Hilton, J., 2013, September. A reference model of information assurance &
security. In Availability, reliability and security (ares), 2013 eighth international conference
on (pp. 546-555). IEEE..
Online references
ISO 27005, 2018 [Online][Accessed through ]
<https://www.itgovernance.co.uk/shop/product/iso27005-iso-27005-isrm> [accessed on: 17th
may 2018]
Recovery plan, 2018 [Online][Accessed through ]
<https://www.cisco.com/c/en/us/products/collateral/services/high-availability/white_paper_c11-
453495.html>[accessed on: 17th may 2018]
25

IT security audit, 2018[Online][Accessed through ] <https://www.optiv.com/it-security-audit>
[accessed on: 17th may 2018]
ISO 31000, 2018[Online][Accessed through ]
<https://www.iso.org/standard/56742.html>[accessed on: 17th may 2018]
26

1 out of 30

+13062052269

info@desklib.com

IT Security Audit: A Comprehensive Guide to Protecting Your Organization

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Network Security: A Comprehensive Guide to Protecting Your Organization

Security / BTEC-L5c Assessment 2022

IT Security Management: A Comprehensive Guide for Organizations

IT Security: A Comprehensive Guide to Protecting Your Organization

Assessing Security Risks to Organisation

Understanding IT Security Risks, Audit, and Policies towards Organizational Information Security