Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Assessing Security Risks to Organisation

Verified

Added on 2023/01/19

AI Summary

This document discusses the various types of security risks that organizations face, such as computer viruses, botnets, spam, worms, hackers, adware, phishing, rootkits, and spyware. It also explores the security procedures of an organization, including risk assessment and data protection. Additionally, it provides insights into how IT security can be aligned with organizational policy and the roles of stakeholders in implementing security audit recommendations. The document concludes with information on designing and implementing a security policy, key elements of a disaster recovery plan, and the tools used by organizations.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Coursework
Unit 5: Security

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Table of Contents
Introduction ..........................................................................................................................................4
Assessing security risks to organisation................................................................................................5
Computer viruses...........................................................................................................................5
Botnets...........................................................................................................................................5
Spam .............................................................................................................................................6
Worms ..........................................................................................................................................6
Hackers .........................................................................................................................................6
Adware .........................................................................................................................................7
Phishing.........................................................................................................................................7
Rootkits.........................................................................................................................................7
Spyware ........................................................................................................................................7
Security procedures of the Organisation............................................................................................8
A method to assess and treat IT security risks...............................................................................9
Trusted network becomes a part of an IT security how?................................................................9
Incorrect configuration of firewall policies.....................................................................................10
Incorrect configuration of third-party VPNs....................................................................................10
Implementing a DMZ, static IP and NAT ......................................................................................10
Benefits of the Networking monitoring.......................................................................................12
Risk assessment procedures............................................................................................................13
Data protection plan and procedures ..............................................................................................13
Methodology of ISO 31000 risk management.............................................................................14
Influence on the organizational security resulting audit of IT security........................................14
Consider how IT security can be aligned with organisational policy, detailing the security impact
of any misalignment........................................................................................................................15
Design and implement a security policy for a firm.........................................................................15
Key elements of disaster recovery plan...........................................................................................15
Tools that are used by an organization.........................................................................................16
Conclusion ..........................................................................................................................................17
REFERENCES....................................................................................................................................18
Appendix ............................................................................................................................................20
Presentation ....................................................................................................................................20

·Introduction
Security can be defined as a way in which resilience against potential harm caused by
others is provided. There are various kinds of security risk that an organization need to be
aware of such as: phishing, malware, data loss, network vulnerabilities, ransomware etc. IT
security is considered as the set of the cyber security strategies that able to prevent the
unauthorized access to the firm assets such as Network, data and computer (Backes, Bugiel
and Derr, 2016). As it maintains the confidentiality as well as integrity of the sensitive
information that blocks the access of hackers. As in today's world, Hackers becomes smarter
day by day, there is a requirement of protection the digital assets as well as networks devices
that is even greater. Present Report lay emphasis on the Tesco that established in London. It
distributes the food across the many town within the country. It focuses on identifying types
of risks, security procedures and also propose a method to treat the I.T security risks, after
that it describes the solution regarding security such as benefits to implement network
systems. It also focuses on the mechanism that control security of Tesco such as risk
assessments data protection process, possible influence to the security of the Tesco.
Furthermore, it also manages the firm's security such as focuses on the main components of
the Organizational disaster as well as implement a security policy plan .It also discusses the
role of the stakeholder's within the firm to apply the security audit recommendations.
Discuss the roles of stakeholders in the organization to implement security audit
recommendations and it highlights on the tools used within an organizational policy.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

·Assessing security risks to organisation
Risk can be defined as a chance or possibility of data loss, damage, unauthorised
access etc. that can be a threat to one’s business, systems or processes. There are many ways
through which risk can be assessed such as: first is to identify any kind of hazard the can be a
threat to business. Then the risk or hazard is assessed and individual, data or processes that
would be affected is identified. Then actions that are required to be taken is accessed or
decided. There are different types of risks that can affect an organization. Some of them have
been explained below.
l壱Computer viruses
Computer viruses are the pieces of the software that able to design so that it can be spread
from one computer to other computer (Bertino and Islam, 2017). As per the statistics 33% of
household computers overelaborate with some kinds of malware, more than half of them are
viruses. They can sent through email attachments or it can download from the various other
specific sites to infect the computer as well as other computers on the list through using
systems regarding network. Viruses are known for sending spam. It corrupts as well as steal
data, disable security settings from an individual's computer including personal information
for example passwords and ever going to delete everything on the hard drive (Brotby and
Hinson, 2016).
l壱Botnets
It can be used regarding anything from targeting the attacks on the servers, so that it able to
run spam email campaigns. Botnets included many computers, as it finds difficult to stop for
many businesses. Usually this computer security can be deployed through a botmaster that
commands a number of the compromised computer number of bots to run the activities that
run malicious activities. Zombie army is often collection of infected computers that carry out
boatmaster of ill intent. If the Tesco's network can be overtaken through a botnet, the system
able to subsequently used to mugging other networks through likes of worms, viruses, Trojan
horses as well as DDoS attacks (Das and Khan, 2016).

Figure 1: IT security threats
l壱Spam
Everyone is familiar with the Spam as the junk emails tends to squeeze businesses servers as
well as annoy recipient all across the organization. Spam becomes a threat for the computer
security as it contains harmful links, also overload the mail server as well as distribute
additional spam (Green and Smith, 2016).
l壱Worms
Jiggling is considered as its way into network. It is a worm that is deployed to the self-
replicate from one computer to the another. The only thing makes it differ from the virus is
that it needed no user interaction to get spread. According to this software hat is applied
within large quantities for a short duration of time. It can be considered as wreak havoc on
the network performance as well as it utilize to launch another malicious attacks end-to-end
system (Ingram, 2016).
l壱Hackers
Most of the security breach through the malicious intent of an individual. They are
targeted through hackers regarding financial gain. These are the predators that are seeking
out the opportunities to take advantage on vulnerabilities. It is the reason that why the Tesco

requires to be on the High alert. To avoid the victimized through hackers, an individual must
stay vigilant as well as employ a security plan ,that involves data management solutions as
well as file sharing to keep the businesses safe. For that employees requires the continual
education as well as Training ways to identified thwarts and threats attacks (Kang, Moon and
Park, 2017).
l壱Adware
When unwanted type of advertisements begins to appeal regarding on the computer. It may
be victimized through adware. While trying for accessing software the staff members of the
Tesco accidentally download adware. They also used the retrieve information without needed
the Knowledge and redirect the user's browsers.
l壱Phishing
Usernames as well as passwords are known as the phishing scam trick an internal used that
provides information that can breach the system. This information seek from the employees
by the email as well as disguised such as legitimate requests. Such as financial institution
asking for the login details to fix an account regarding solving an issue. Over the sensitive
information, the hackers try to gain the access as they require to lockup or steal so that is can
compromise company's critical data (Li and et.al., 2016).
l壱Rootkits
Rootkit is considered as the collection of the software that is implemented to obtain
administrator level access as it is designed to complete. It is imagined form the example if a
cyber-attack gain the complete control all over the computers. A hacker procures this kind of
access by the threats as well as vulnerabilities. For example Phishing scams, weak password
or spyware. It has the capacity to go undetected and also it enables to change the current
software of The Tesco. Also, the security applications ha can employed so that it can protect
computer easily (Nazareth and Choi, 2015).

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

l壱Spyware
This is a malicious software done exactly as per its name suggest. It has the ability to spy on
the user without any need of permission or knowledge. This software is installed on the
computer of the Tesco, the criminal who wanted to execute has the capacity to monitor
activity regarding that device. It collects the information to utilize against the business or use
such as website visits, financial data. Some of them detect redirect web browsers, detect
keystrokes and also alters computer settings or also it installs other programs that are called
as dangerous programs. Thus it is considered as the crucial to out protections within place as
well as update them continuously, so that the spyware attacks are thwarts easily (Pacheco and
Hariri, 2016).
l壱Security procedures of the Organisation
It is considered as the detailed step by step instructions on implementing, security
controls list from the Tesco's security policies. It should cover the hardware as well as
software components that assists the process of the business and security related business
procedures. Such as Onboarding of a new staff member. Security policy also refers to the
well-defined plans, rules as well as regulations systems that access the Tesco's system as well
as information included in it. With the help of the Good policy it protects not only systems
and information and system but also the individuals staff members and the firm as whole
(Safa and et.al., 2015).
Security procedure of an organization has been explained below:

Figure 2: Security procedures
At base level there are various departments of security. Any kind of threat that are identified are
distributed to their respective department. Each department focus on resolving any kind of security
issue that occurs within the organization. If there is any kind of security issue that cannot be resolved
at base level then it is shifted to next level.
At second level security issue is send to the administration assistant. Administration assistant then
focuses the security issue and it can be resolved at this then they do it and if not, the issue is then
transferred to the top level.
Security department is headed by Director of security. Director of security have various security
advisors working under them who provide advises to the director in order to strengthen their security.
Lastly security threat is resolved at this stage and if any kind of important decisions are required to be
taken then it is taken.
l壱A method to assess and treat IT security risks.
Identify Threats – It depends on the various assets or information that has been compromised
such as Tesco's data center located within a region where there are environmental threats
such as Floods. Are the industry are becomes more actively targeted as well as hacked by a
Known crime syndicate or the policy of the government. Threat modeling is considered as
the crucial activity that assists risks to know the threats as well as various ways as these

threats can causes risks so that it causes risk to realize through the exploiting vulnerabilities.
Such as finance risk, it can be managed by making of the budget (Walterbusch, Fietz and
Teuteberg, 2017).
l壱Trusted network becomes a part of an IT security how?
Trusted network such as Mobile security is considers as the top of the worry for the
company. As all the workers of the Tesco frame used the Smartphones, as they also access
corporate data from the mobile phones as well as this means that keep of the sensitive
information into the wrong hands within an intricate puzzle. As it considers higher than ever.
It is easy to focus on the malware of this type as mobile malware infections are becomes
incredible common within the real world Data breaches incidents and many physical attacks
is also done with the threat of the information leaked . Thus, the nature of the malware of
mobile as well as inherent protections build within system called mobile operating systems
(Warkentin and et.al., 2016).
l壱Incorrect configuration of firewall policies
Many times incorrect firewall policies also increases IT security risk for organizations.
Organizations need to focus on Configuring firewall policies and need to narrow down open
firewall policy. If firewall policies are kept broad and open or are configured incorrectly then
it can increase chances of breech and can cause potential damage to the system (Walterbusch,
Fietz and Teuteberg, 2017).
l壱Incorrect configuration of third-party VPNs
Virtual private network helps in ensuring whether secure private connection has been
established or not. Third part VPN have various security weaknesses that can increase IT security risk
for organizations. In fact, third party VPN are weakest network security that can be easily become a
reason for data breech these days. Third party VPN compromises IT security in many ways and also
increases chances of credential theft as it is quite easier for hackers to access default passwords.
Incorrect configuration of VPN of third part can lead to various kinds of security threats such
as: incorrect VPN can increase chances of system hacking where passwords or any kind of

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

sensitive information can be easily hacked, chances of unauthorized access on the system can
increase due to this overall security of the system can get compromised.
l壱Implementing a DMZ, static IP and NAT
There are many ways through which network security can be improved like by
implementing DMZ, static IP and NAT in a network etc. DMZ in a network can be
implemented by adding a dedicated firewall between a router and local area network. It helps
in providing an extra layer of security by restricting remote access to various information and
internal servers.
Below diagram will provide an overview of the way in which DMZ helps in secuiring
the network.
From the above diagram it is clear that DMZ adds an additional layer to the network
between the router and local area network. It restricts the overall access to the network.
Implementing a static IP in a network can help in adding a second router to a network,
helps in providing better network security problem protection and also helps in avoiding IP
address conflicts (Warkentin and et.al., 2016).

Lastly implementation of network address transaction (NAT) can help in improving
internet security by addressing IP requirements of an organization. It helps in making all
local IP addresses to one global IP address so that it becomes difficult for hackers to track
original IP. All the incoming and outgoing IPs need to go through a translation process so
that those IP addresses are generalized and then are send to correct internal system. This
helps in increasing network security (Walterbusch, Fietz and Teuteberg, 2017). NAT helps in
increasing the overall security of the network by decreasing the number of ip addresses that
are required by an organization. An example of NAT has been explained below.
Above given diagram clearly explains the way in which source IP address is translated
into another ip address as it leaves the interface.
l壱Benefits of the Networking monitoring
Mention below are some major benefits of networking monitoring service
It able to protect the system that are capable to recognized traffic which is suspicious and
therefore able to provide a broad overview of the entire IT infrastructure so that nothing is
going to be missed. They are able to target a system into a more variety forms. Such as
Monitoring antivirus as well as firewall solutions that able to leave separately security gaps.
·It also sends alerts as well as information to an SMB owner an issue arises. Otherwise, they
hire the full time IT employee which is very costly (Warkentin and et.al., 2016).

1
l壱Risk assessment procedures
Risk assessment is a procedure through which risks or hazards are identified and
eliminated. Risk assessment procedure helps an organization to identify all kinds of risk and
then eliminate it. There are five risks assessment steps:
Step 1- Recognized the hazard, such as anything which might causes harm.
In this step all the risk associated with the organization are identified can categorized
on the basis of the level of hard they can cause to the organization.
Step 2 – Learn and decides who may harmed and how it will be
At this step all the risk categorized is analysed i.e. what kind of risk will affect which
part of organization and till what level it will affect an organization.
Step 3 -Analysis the risk as well as take the actions.
On the basis of analysis necessary actions are taken where main focus is to either
eliminate or reduce the level of risk associated with the organization.
Step 4- After that make a record of the findings.
In this step after taking care of the risk, employees are required to file a report in
which main findings of the risk assessment are written where all the risk are noted
down and ways in which it is eliminated is also noted down.
Step 5- After that assessment can be reviewed (Safa and et.al., 2015).
Lastly risk assessment done is reviewed in order to ensure safe working practises and
applicability of safety instructions within the organization.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

l壱Data protection plan and procedures
Tesco must follow plan and procedures such as data of the Tesco must be
·Accurate and up to date
·Data must be adequate, not excessive and relevant for purposes.
·It can be processed fairly as well as lawfully.
·It must be keep safe from the accidental loss, unauthorized access as well as destruction.
·It must not be transferred to one country to another country such as outside the European
Economic area, unless and until it has same level of protection regarding personal data.
·It must be processed within accordance of data subject’s rights (Walterbusch, Fietz and
Teuteberg, 2017).
·Methodology of ISO 31000 risk management
It assists Firms like Tesco to enhance the likelihood of accomplishing objectives,
improves the recognition of threats and opportunities as well as effectively delegate and
utilize resource for the risk treatment. It provides Guidance for internal as well as external
audit programs but cannot be used for the certification purpose. It able to compare their
practices of the risk management with an international recognized Benchmark and gives
sound principles for the corporate governance and for effective management (Green and
Smith, 2016).
l壱Influence on the organizational security resulting audit of IT security.
l弐Data is considers as one of the key assests that needed top security controls as the it
auditors det that which kind of information and how it flows in as well as out of firms like
Tesco and also which can access to such information.
l弐The auditing team can also focused the groundwork for an improvement needed that area
(Nazareth and Choi, 2015).
l弐It can also recognize problem areas as well as vulnerable areas
l弐It also regulates that whether security polices as well as standard or not.

l壱Consider how IT security can be aligned with organisational policy,
detailing the security impact of any misalignment
The firm's security policies enables employees and staff to work according to the mention
guidelines and process in policies and if there is security policies are not followed it can
result in security breach of systems (Safa and et.al., 2015). It is extremely important for an
organization to align their security with the organizational policies. It will help[ in
minimizing security gaps present in the organization. In order to align IT security with the
organizational policies it is important for the organization to specify all kinds of IT security
and integrate them with security models such as COBIT or ISO standards. This will help
them to align their basic IT security with their organizational policies. These standards
further helps the organization to minimize mismanagement and secure all kinds of vulnerable
or sensitive information.
l壱Design and implement a security policy for a firm.
Security policiy
A security policy of Tesco have following policies
·Purpose- Clear aim and expectation regarding policy.
·Policy compliance- State as well as federal regulations may drive some require regarding a
security policy. So it is essential to list them.
·Last tested date- Policies requires to be frequently tested document and a living document as
well as challenged.
·Policy last updated date- In the Tesco there is a need of the security policy documents to
adapt to changes ,outside threats as well as technology (Warkentin and et.al., 2016).
·Contact- Information security policies are needed to be read ,understands as well as
followed through all the individuals in a firm like Tesco ,so if there are questions ,also there
requirement to be an owner.
Stakeholders play a crucial role by providing data and information related to security,
polices ad procedures that can be implemented. They also give suggestion and measures that
can be taken to secure system (Walterbusch, Fietz and Teuteberg, 2017). Stakeholders role
within an organization is extremely important to implement security audit recommendations.
Stakeholders involved in security audit are: Board of directors, Payroll clerk, audit

engagement partners, stockholders etc. All the stakeholders are asked important questions
that are required to be answered for proper internal audit functions. This helps the audit team
to understand security types, influence of all the stakeholders on the overall security of the
organization. All the information gathered from the stakeholders is analysed by the audit
team aso that any kind of changes, improvement, quality can be analysed and brought within
the organization.
l壱Key elements of disaster recovery plan
When it comes to the disaster, communication considers as the crucial one. A plan is crucial because
it pulls all the staff members on the same page as well as assures clearly outlines about all the
communication. Documents are well updated as well as information and also the employees should
understand their roles as well as responsibilities while following the disaster. Such as setting up
redirecting phones, setting up workstations and also assessing damage.
Disaster recovery plan
Disaster recovery plan is an important document which consist of various kinds of instructions that
are required to be followed in case of a disaster. It is crucial to have a plan to protect the equipment
when there is approaching of Storm. Individual need to protect the equipment off the floor as well as
it moved within a room that has no windows as well as wrapped securely within a plastic so assure
that no water can get into the equipment (Walterbusch, Fietz and Teuteberg, 2017).
Disaster recovery plan consist of various things such as: First of all this plan consists of various
strategies that can be used by organization at the time of recovery and for this organization need to
consider issues such as budget, resources, technology, data, suppliers etc. Next is to gather all the
relevant documents of the infrastructure, identify vulnerable assets and based on this design a disaster
plan. They should also buy disaster recovery services that are nowdays available online on cloud
where organization can store their data so that at the time of a disaster they can easily recover their
data. They can also copy their data on virtual servers where backup of their data or services will be
stored. So on the basis of the above information main components of disaster recovery plan are:
·cloud storage to store all kinds of data such that they can easily recover their data at the time of
recovery.
·Virtual servers where backups of the data will be stored.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

·Information about all kinds of data, vulnerable assets so that data protection plan for them can be
build.
·Tools that are used by an organization.
·Purpose of the policy- The aim of the firms like Tesco is to reduce the security as well as business
risks and let the users know very well that they are permitted to utilize the tools of the organization.
·Scope of the policy-The policy implies to all the firm’s members are able to pursuant section
4.01(C) regarding Bylaws as well as contribution .It implies that no matter what where the email
utilize takes places. It applies to use the tools of the organization.
·Tools and guidelines- The Tesla encourages its members as well as contributors to utilize the
provided tools whenever suitable. Such as it includes the commutation with others contributors with
the help of the instant messaging, email, videoconferencing), work with the other members as well as
stakeholders on the material such as team documents, collaborated folders, project documents).
·Unauthorized use- Project tools such as software license, email account and chat system will not
use regarding personal reasons as well as non-proctor related activities. Any usage of this kind tools
that will be not related to the project affects that able to affects the service availability regarding the
project users as well as other activities (Walterbusch, Fietz and Teuteberg, 2017)..

·Conclusion
Above study had been concluded that computer security attempts to assure the confidentiality,
availability and integrity of the computer systems as well as their components. On computing system
there are subjects to attacks such as software, hardware as well as data. These three are responsible
for the security vulnerabilities. It focused on the benefit of the monitoring of the networking such as
it provide firewall solutions. It also focused on the recovery plan of the Disaster management such as
communication is necessary during the disaster

·REFERENCES
Backes, M., Bugiel, S. and Derr, E., 2016. October. Reliable third-party library detection in android
and its security applications. In Proceedings of the 2016 ACM SIGSAC Conference on
Computer and Communications Security (pp. 356-367). ACM.
Bertino, E. and Islam, N., 2017. Botnets and internet of things security. Computer. (2). pp.76-79.
Brotby, W.K. and Hinson, G., 2016. Pragmatic security metrics: applying metametrics to information
security. Auerbach Publications.
Das, A. and Khan, H.U., 2016. Security behaviors of smartphone users. Information & Computer
Security. 24(1). pp.116-134.
Green, M. and Smith, M., 2016. Developers are not the enemy!: The need for usable security
apis. IEEE Security & Privacy. 14(5). pp.40-46.
Ingram, A., 2016. Spaces of security and insecurity: Geographies of the war on terror. In Spaces of
Security and Insecurity (pp. 15-32). Routledge.
Kang, W.M., Moon, S.Y. and Park, J.H., 2017. An enhanced security framework for home appliances
in smart home. Human-centric Computing and Information Sciences. 7(1). p.6.
Li, J. and et.al., 2016. Graded security forensics readiness of SCADA systems. Informatik 2016.
Mukherjee, M. and et.al., 2017. Security and privacy in fog computing: Challenges. IEEE Access. 5.
pp.19293-19304.
Nazareth, D.L. and Choi, J., 2015. A system dynamics model for information security
management. Information & Management. 52(1). pp.123-134.
Pacheco, J. and Hariri, S., 2016. September. IoT security framework for smart cyber infrastructures.
In 2016 IEEE 1st International Workshops on Foundations and Applications of Self* Systems
(FAS* W) (pp. 242-247). IEEE.
Safa, N.S. and et.al., 2015. Information security conscious care behaviour formation in
organizations. Computers & Security. 53. pp.65-78.
Walterbusch, M., Fietz, A. and Teuteberg, F., 2017. Missing cloud security awareness: investigating
risk exposure in shadow IT. Journal of Enterprise Information Management. 30(4). pp.644-
665.
Warkentin, M. and et.al., 2016. Continuance of protective security behavior: A longitudinal
study. Decision Support System. 92. pp.25-35.