Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Understanding IT Security Risks, Audit, and Policies towards Organizational Information Security

Verified

Added on 2024/05/14

AI Summary

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Understanding IT security risks, audit, and policies
towards organizational information security (L4)

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Table of Contents
Introduction................................................................................................................................................. 3
LO1 Assess risks to IT security....................................................................................................................... 4
P1 Identify types of security risks to organizations.............................................................................................4
P2 Describe organizational security procedures.................................................................................................5
LO2 Describe IT security solutions................................................................................................................. 7
P3 Identify the potential impact on IT security of incorrect configuration of firewall policies and third-party
VPNs....................................................................................................................................................................7
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve
network security..................................................................................................................................................7
LO3 Review mechanisms to control organizational IT security.......................................................................9
P5 Discuss risk assessment procedures...............................................................................................................9
P6 Explain as data protection processes and regulation applicable to an organization..................................10
LO4 Manage organizational security............................................................................................................ 12
P7 Design and implement a security policy for an organization......................................................................12
P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.
..........................................................................................................................................................................12
Conclusion.................................................................................................................................................. 15
Reference List............................................................................................................................................. 16
Table of Figures
Figure 1 – Configuring a DMZ..................................................................................................8

Introduction
Companies today face a lot of threat from the outside world that has the potential to deal with
financial damage in the System of Information of the company. The losses could not be
measured properly sometimes it could cause the destruction of the entire system of
information and on the other hand, sometimes it could be dealt with little losses.
Considerably the threat effects vary with their types: some challenges the integrity and
confidentiality in the stored database while others may dent towards the system's availability.
Recently it's noted that constant struggle lies with the companies to identifying the
information threats present and understanding them and their impacts and what means of the
measure could they implement to fight back these attacks, a continuous battle challenge. For
enhancing security threats understanding, a model classification for security threats is
proposed which facilitates towards the threats impact class study rather than the impact threat
as with time threat evolves and varies (Jouini, Rabai, and Aissa, 2014).

LO1 Assess risks to IT security.
P1 Identify types of security risks to organizations.
In this dangerous world data protection is the major focus of all the IT organizations
functioning, to protect the integrity of the data related to the user, confidential for a company,
sellers, etc. Hackers try their best to part user information from them by several evolving
means and would use that business or confidential information for future usage.
Here is the list of few of the security threats defined as follows –
Trojan Horse: These types of the virus could infect a computer or organization's system via
an application that is downloaded from the incredible source and one thinks is legitimate
rather comes with malicious effects. Once the trojan horse is installed or present in your
computer it could perform any function it is programmed for. For example, using keystroke
logger can track computers activity by recording and analyzing keystrokes pressed resulting
in password recording and many severe actions like tracking bank details, recording every
move by webcam and microphone hijacking.
Computer Worm: Without the indulgence of human being worm software are capable of
replicating itself to several computers from another one. With great volume and speed,
worms replicate itself. To understand the working methodology of worm let’s understand it
by an example, worm software or code snippet could transmit themselves through email to all
your contacts and then further from your contact emails to their contact email addresses.
Rootkit: Software being used to access the authority level of the administrator to the
computer network or computer are known as a rootkit. Cybercriminal in a legitimate
application or software could find a security hole or vulnerability for exploitation by
installing a rootkit in one's personal computer that contains software for spying such as
hijacking microphone and recording keypress activity as admin.
Malware: Malware full form elaborates to malicious software which is the program code or
software which are intrusive, hostile, and annoying. Malware in present in the system could
be a trojan horse, malicious rootkits, worms, viruses. All of which are discussed in other
points.
Rogue Software of Security: Rogue software of security are false applications that are
implemented for luring the user to falsely click over a link that pops up unwantedly. When

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

the user clicks the provided link software is installed. One may think of the update to be
authentic and when asked whether to "remove" or "update" the detected software update,
naturally one may choose an option.
Microsoft has a dedicated page where it lists all such rogue software and the methods to
protect against them.
Malicious Spyware: For Trojan software to function cybercriminal uses Malicious spyware
for defining the way Trojan functions and for victim spying. A most common example is of
the keystroke logger that can track computers activity by recording and analyzing keystrokes
pressed resulting in password recording and many severe actions like tracking bank details,
recording every move by webcam and microphone hijacking. This information periodically is
recorded by cybercriminal by means of internet. Keylogging software shares its availability
all over the internet is being used by organizations where they monitor their employee's
record based on keypress activity.
Botnet: Group of or network of a particular group of computers being compromised by
cybercriminal through trojan horse or malicious software are botnets. A zombie computer is
an individual in the group (Sanchez, 2010).
P2 Describe organizational security procedures.
Network Services governing policies – This department regarding a policy of security in
organization defines the method about handling the issues like IP address configuration and
managing remote access. A component such as switches and router security is also covered
and managed by it. Policy regarding network intrusion detection should also be defined.
Acceptable Use – What are the criteria for usage acceptable in the organization should be
well defined to the employees in accordance with the definition. In the act to exercise
disciplinary and legal action when necessary, it is advised that use policy acceptability
document is signed by the employees is always an excellent idea.
Monitoring Compliance – To ensure compliance with the varying security policy of data
and elements, conducting audits with management and the company's staff is much needed.
On based regularly company must perform and schedule audits.
System Data Security Policies – Operating system and server’s configuration for security is
must and essential concern towards the policy regarding data security. The company should
essential clearly define the password, account management and rules related to the server that

operates upon or within the company’s own network. Policies related to database, firewall,
and antivirus falls under system data security policy.
Scanning for Vulnerabilities – They're a saying that says "The person beforehand should
know about the ways to crack into the house before someone else does”. In the same fashion
IT companies should beforehand know about the present vulnerability beforehand than the
hackers. A company should regularly check networks as the cybercriminal would
automatically scan for the vulnerability as they are discovered.
The Response to Incidents – When their arises a breach in security, it at most necessary to
implement required action to handle such situations. This also involves the incident’s
reporting and evaluation such that measures taken prevent from happening it again (Basani,
2016).

LO2 Describe IT security solutions.
P3 Identify the potential impact on IT security of incorrect configuration of
firewall policies and third-party VPNs.
As their arises increase in saving and productivity of the advantage that comes with the
remotely accessible VPN and firewall policies that attract organizations. Proper care and
measures have to be taken to prevent possible threats and vulnerability that could happen in
this technology. Here we are going to list and discuss the top concerns regarding the security
of firewall policies and VPNs as described below –
DDoS: Devices at the users end like tablets, mobiles, laptops, etc. are such devices that
generally have less in place security than the corporate network, hence prove to be an easier
target for the exploiters. Devices such as mentioned above are less secured or unsecured
prove to be more vulnerable towards worms, password harvesting, and viruses which further
when looked at larger picture generally proceeds towards attacks like Distributed Denial of
Service or DDoS. IN case of malicious traffic over corporate networks could have severe
possessions over VPN.
Man in the middle: Attacks like a man in the middle could happen if the VPN is configured
using a third party service like insecure protocol for authentication or IKE. These type of
attack are easily possible and all that is needed is to interpose between the remote server and
VPN server. Then using someone's authentication one could have access to the server by
using that captured data and authenticate to the server for access permission.
Trusted authority to certificate hack SSL: From the cases in the past, let us take the
example of Comodo case where the VPN was hacked, and from that example it evident that
organization authorized to authenticate VPN's connection via SSL named Trusted authority
certificate could be also hacked to gain access to the remote network. In this case of Comodo
Registration Authority was compromised have attacker manipulated the license itself which
granted them a secured connection with the corporate networks, protocols, servers, and port
number of TCP (Virgillito, 2015).

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

P4 Show, using an example for each, how implementing a DMZ, static IP and
NAT in a network can improve network security.
DMZ stands for the demilitarized zone are the networks private enough that they are present
as isolate network and lies within larger networks and private networks, one of which is the
internet. These are known as the demilitarized network based upon the way they function and
thus called the DMZ network. Neither of the area being bordered belongs to such areas.
Figure 1 – Configuring a DMZ
When host services like these are positioned in DMZ like subnetwork, inversely it protects a
larger network from the security breach and possible attacks that is the foremost service of
DMZ when compromised (Heer, 2017).
Computer that allow to access networks remotely while being in closed networks provides
best workability with static addressed IP. This facilitates the computers present remotely to
access the same server again repeatedly by connecting with invariable IP addresses (Hartman,
2015).

LO3 Review mechanisms to control organizational IT security
P5 Discuss risk assessment procedures.
Mitigating risk, understanding, controlling, and managing is what all about cybersecurity is a
critical asset to organizations. A company is managing risk related to business if they
working towards security rather than their liking or not.
Now here are the steps that undergo accomplishing the procedures that are required for
assessing the procedures of risk. These steps are as follows –
Step 1: Prioritise and identify assets
In this step technical team analyze what is important to an organization that could be called as
an asset based on importance from a business point of view. Thus a list is created after
consulting with management and business user related to the valuable asset in an
organization.
Step 2: Identify Threats
Definition of threat defines a threat as a vulnerability in the organization that could be
exploited to cause harm and breach security. These threats could be anything from malware,
hackers, interception, system failure, or impersonation, etc.
Step 3: Identify Vulnerability
Spotting and identifying the vulnerability is needed. The vulnerability could breach and harm
the security of an organization which is a type of weakness. Identification of vulnerability
could be done via audit reports, vendor data, vulnerability database, analyzing vulnerability, a
software system for analyzing security, and lastly incident team of response.
Step 4: Analyse Control
Analyzing the control process involves the analyzing of the controls in the planning stage or
the place, such that to eliminate or minimize the threat or its probability of exploiting system
again.
Step 5: Threat Impact Analysing
Threat impact analyzing is a process that includes following these factors –
System’s mission including implemented process.

System Criticality.
System’s sensitivity and data.
Step 6: Prioritising risk to information security
What are the odds of vulnerability exploitation by threat?
Threat’s impact of vulnerability exploitation.
Step 7: Recommend Control
Using the risk level as a basis, determine the actions that senior management and other
responsible individuals must take to mitigate the risk.
Based on the ranking or severity of the risk is to be determined. Based on the rank
appropriate mitigation actions are taken by senior management and other people responsible
for solving such actions. Risk level is categorized as medium, high, and low.
Step 8: Result Documenting
In the end, proper documentation of the risk occurred and its solutions must be tracked. So
that in future if any such vulnerability occurs a proper solution would be defined helping to
resolve such action (Sotnikov, 2018).
P6 Explain as data protection processes and regulation applicable to an
organization
Since 1998 DPA, Act of Data Protection has shielded many consumers and individuals, this
security act was recently elevated to new heights when a General Data Regulation Protection
or GDPR was introduced in 2018 last year. Any organization present in Europe and deal with
their citizens have to follow this approach as the legislative acts and governs them and also
applies to those having their headquarters outside Europe.
Company-specific procedures and policy that suit the company's handle of data should be
created. For example, every organization first need to state about what are the employee’s
and staff’s procedures and data policies, and secondly what the use of defining these policies
so their also a need to record those data from the customers.
DPA assigned principles and guidelines could be manipulated and is controlled by GDPR.
They follow guidelines that are aligned with the guidelines defined originally and any policy

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

that follows legislation is considered as a starting point. And the company's state data must be
held –
 Be processed and obtained lawfully and fairly.
 Be obtained only for the lawful and specific purpose and should not be implemented in
any possible manner not purpose compatible.
 Should be kept updated and to the point accurately.
 When the purpose finishes should not be restrained unnecessarily.
 Should be prevented from destruction, accidental loss, and unauthorized losses.
 Be not excessive, relevant, and adequate for such purposes.
 Based on data right subjects that are processed with accordance.
 Cannot be transferred to any company outside the Economic area of Europe until unless
their data protection laws are equivalent to the laws present and have to prove that.
Every organization should guarantee that all the mentioned points are followed and respected
(Hopping and Halverson, 2019).

LO4 Manage organizational security.
P7 Design and implement a security policy for an organization.
Research your requirement for security
While considering the study of security policy within an organization, one must pay attention
to these questions also –
 Guarding of which documentation or document is needed?
 Data to be protected is sensitive to which level?
 Business function based on what are the natural categories you could define (Engineering,
Sales, Marketing)?
 What code is the one that their execution control you want?
 The risk that is masqueraded by the user and what is their level?
 Application usage is limited and restricted to concerned users or is distributed and
available for the masses?
The provided questions are not to be considered an ultimatum, but rather lays the basic
foundation towards developing a policy regarding security in the organization.
1. Create Roles
2. Create users
3. Assigning users to roles.
4. Create the required executive privileges and URI.
5. Deciding on how you want to combine privileges to a group for their roles.
6. Granting privileges access to WebDAV, XDBC, HTTP, and ODBC as needed.
7. Defining permission by default directly for the users or indirectly via roles.
8. The level with which database, projects must be protected must be defined with
granularity (MarkLogic, 2018).
P8 List the main components of an organizational disaster recovery plan,
justifying the reasons for inclusion.
Planning for disaster recovery only ensure the protection of your organization's hardware,
data, and assets and what not is the part of this plan is that in an event of mishap how rapidly
we could back up and restore our processes. So it is needed to put a devised plan towards

implementation rather than putting together all the pieces while in a storm. So now its almost
required to devise a plan for recovering organization during the disaster, and these steps are
defined below as –
Role assignments and control plan
Detailed documents with all the information related to employee and employee information
like contact, designation, the address should be tracked regularly in such a fashion that in an
event of disaster each and every employee understands about their role.
Plan for your equipment
In an event of major disaster each and every organization, on prenote should have a well-
defined action plan to manage the installed equipment to safety.
Data continuity system
There is a requirement of the level of understanding form the organization from the
communication and supply point what are the financial needs and operational needs exactly.
Backup check
Backup of organizational data should be present and regularly backup over each and every
local organizational server, in order to prepare to hoard your data in act of disaster. Another
thing to be mentioned is that all the backup of data must be stored at some place where
disaster could not affect it.
A detailed asset of inventory
In the disaster plan for recovering detailed information of items in inventory must be made
like servers, scanners, their components, tablets, phones, printers, workstations and
technologies other than that whose implementation is daily based.
Office equipment picture
Each and every arrangement of inventory items individually must be made. A complete
assessment of before and after images of a disaster helps a lot in restoring the equipment that
is being used by the employees on a regular basis. So for reporting purpose and showing the
diligence behind moving the equipment to safe place in act of disaster picture must be taken.
Service restoration and communication with vendor

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Restoring all the services to their original consent is necessary and one should make sure that
they are at track rapidly after the storm has passed. Communication with the vendor for
supplies must be maintained and should be frontline thought at this stage (Entech, 2018).
These steps provide for a strong recovery plan foundation and thus we had chosen this plan as
no organization knows when a disaster could happen and to safeguard their business its at
most necessary to safeguard the organizational data, but extra detailed attention while making
such plans should be included.

Conclusion
Thus we understood that the threat effects varies with their types: some challenges the
integrity and confidentiality in the stored database while others may dent towards the
system's availability. Recently its noted that constant struggle lies with the companies to
identifying the information threats present and understanding them and their impacts and
what means of the measure could they implement to fight back these attacks, a continuous
battle challenge. For enhancing security threats understanding, a model classification for
security threats is proposed which facilitates towards the threats impact class study rather
than the impact threat as with time threat evolves and varies.
Thus for security implementation and protecting a data each and every organization has to
undergo a lot of processes and prepare a plan for doing so.

Reference List
Basani, V. (2016) 9 Important Elements to Corporate Data Security Policies that Protect
Data Privacy, Securitymagazine.com. Security Magazine. Available at:
https://www.securitymagazine.com/articles/87113-important-elements-to-corporate-data-
security-policies-that-protect-data-privacy (Accessed: March 7, 2019).
Entech (2018) 7 Key Elements of a Business Disaster Recovery Plan - Entech, Entech.
Available at: https://entechus.com/7-key-elements-of-a-business-disaster-recovery-plan/
(Accessed: March 8, 2019).
Heer, T. (2017) Three Ways to Improve Your IP Network Security, Belden.com. Available at:
https://www.belden.com/blog/industrial-security/three-ways-to-improve-your-ip-network-
security (Accessed: March 8, 2019).
Hopping, C. and Halverson, G. (2019) Data protection policies and procedures, IT PRO.
Available at: https://www.itpro.co.uk/data-protection/28177/data-protection-policies-and-
procedures (Accessed: March 8, 2019).
Jouini, M., Rabai, L. B. A. and Aissa, A. B. (2014) “Classification of Security Threats in
Information Systems,” Procedia Computer Science, 32, pp. 489–496. doi:
10.1016/j.procs.2014.05.452.
MarkLogic (2018) Designing Security Policies (Security Guide) — MarkLogic 9 Product
Documentation, Marklogic.com. Available at:
https://docs.marklogic.com/guide/security/design-policy (Accessed: March 8, 2019).
Sanchez, M. (2010) The 10 most common security threats explained, blogs@Cisco - Cisco
Blogs. Available at: https://blogs.cisco.com/smallbusiness/the-10-most-common-security-
threats-explained (Accessed: March 7, 2019).
Sotnikov, I. (2018) How to Perform IT Risk Assessment, Netwrix.com. Available at:
https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/ (Accessed: March 8,
2019).
Virgillito, D. (2015) The Importance of an Effective VPN Remote Access Policy, InfoSec
Resources. Available at: https://resources.infosecinstitute.com/importance-effective-vpn-
remote-access-policy/#gref (Accessed: March 8, 2019).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Hartman, D. (2015) The Advantages & Disadvantages to a Static IP Address |
Techwalla.com, Techwalla. Available at: https://www.techwalla.com/articles/the-advantages-
disadvantages-to-a-static-ip-address (Accessed: March 8, 2019).

1 out of 17

+13062052269

info@desklib.com

Understanding IT Security Risks, Audit, and Policies towards Organizational Information Security

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Security / BTEC-L5c Assessment 2022

Assignment on Risks and Risk Management

IT Security: Types of Risks, Organizational Procedures, Impact of Firewall Configuration, Implementation of DMZ, Static IP and NAT

Network Security: A Comprehensive Guide to Protecting Your Organization

Assignment On Implements Technological 2022

iT Security