Assessing and Managing IT Security Risks and Threats

Verified

Added on 2023/04/26

AI Summary

This report provides a comprehensive analysis of IT security, addressing various aspects of risk assessment, threat identification, and mitigation strategies. The report begins by assessing IT security risks, including computer viruses, adware, spyware, and denial-of-service attacks, and then explores relevant security legislation and methods to address these risks. It also covers the implementation of security frameworks and policies, emphasizing the importance of trusted networks and the use of technologies like VPNs, DMZs, and firewalls. The report then delves into specific network technologies like DMZ, static IP, and NAT, explaining their roles in enhancing security. Furthermore, it examines mechanisms to control organizational IT security, including characterizing systems, identifying threats, determining inherent risks, and analyzing control environments. The report also discusses the significance of data protection regulations and ISO risk management in strengthening security measures. Finally, the report offers practical advice on implementing security audits and policies. This report is a valuable resource for students learning about IT security.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Security

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

SECURITY
1
Table of Contents
Introduction...........................................................................................................................................2
Assess risks to IT security.......................................................................................................................2
Part 1.................................................................................................................................................2
Security risks, security legislation, and methods...........................................................................2
Types of security technologies.......................................................................................................4
Part 2.................................................................................................................................................5
DMZ network.................................................................................................................................5
Static IP..........................................................................................................................................5
NAT network..................................................................................................................................5
Review mechanisms to control organisational IT security and Manage organisational security...........6
Part 1.................................................................................................................................................6
Part 2.................................................................................................................................................8
Information security Policy............................................................................................................8
Part 3...............................................................................................................................................10
Conclusion...........................................................................................................................................11
References...........................................................................................................................................12

SECURITY
2
Introduction
Security of data is one of the crucial steps for any organization due to which they can
suffer from security threats and risks. Security is about protecting organizational data,
assets risks, and threats, and private details of employees (Warkentin, and Willison,
2009). This report aim is to analyse the security risks faced by an organization,
highlights the solution to address the security risks and threats and impact of the
security breaches on the business continuity. This report is categorised into major five
parts such as assess risks to IT security, information security solutions, types of security
threats in the world, design and implement a security policy, and role of stakeholders
for the implementation of the security audit recommendations.
Assess risks to IT security
Part 1
According to the given scenario, the leading security organization is facing the security-
related issues and risks that affect the performance of their networks and business. As
an information security engineer, the security of data is very complex in this modern era
because companies are using the internet connectivity that associated with the hacking
and data breaches (Colwill, 2009). To train junior staff members in order to control and
manage the security risks the company should provide the complete education and
training to their employees.
Security risks, security legislation, and methods
There are numbers of security risks, security legislation and methods are associated
with the Company IT networks which are described below:
Computer virus
It is very common security risks that faced by the organization and hackers send the
viruses from their network to company private server. In which attackers produce the
unwanted signals and viruses through complex algorithm methods like malicious and
enter into the company server by which they can reduce the performance of the system
(Sabahi, 2011).

SECURITY
3
Adware and spyware
Adware is defined as software which is used by the hackers in order to track data and
information of the company. Mainly, they collect the relevant data of organization
through internet browsers and social media. Spyware is very similar to the adware but
such kind of software is installed into the company computer devices without their
permission and blocks their private details.
DOS attack
DOS is the denial of service attack which occurs due to lack of security and unauthentic
channels. In this attack criminals first develop huge amounts of traffic and links through
the malicious method and transfer them on organization personal network.
To control and manage these security risks there are numerous security legislation and
methods are developed which are the following:
 The EU general data protection regulation
 California consumer privacy act
 SEC guidance
 NYCRR part 500
 Changing state regulation
There are few steps and methods that can be used for the given scenario in order to
reduce the security risks:
 Use only authentic servers and networks
 Block and identify the spam and fraud links
 Adopt firewall and encryption methods
 Keep data secure through backup plans
 Ensure that employees should turn on security tools and software
Designing and implementing the security framework and policy is one of the best
methods to assess and treat the IT security risks. The security framework involves few
steps such as identify risk, analyse risk, evaluating risk and planning for reducing
security risks. It is observed that the trusted network is a part of IT security solution
because many employees use the third party application and unauthentic servers which

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

SECURITY
4
are developed by the attackers in order to collect their private details. If the company
and employees use the trusted networks and servers than they can avoid the security
risks because such kind of network provides a private key that cannot be accessed by
the hackers without user’s permission.
Types of security technologies
VPN
VPN is defined as the virtual private network which is used to interconnect two or more
computer networks with each other. The company can adopt the VPN technology in
their IT security because it secures the data and information of the consumer and
hackers cannot hack VPN network without consumer permission.
DMZ
In the computer security, the demilitarized zone is the physical network which detects
the unwanted networks and links from the computer device. It is observed that the DMZ
network is more secure as compare to the VPN network that provides the buffer zone
between the organization network and public network (Zissis, and Lekkas, 2012). Such
kind of network can be involved in the IT security of the organization because it has the
potential to control and manage the security risks and threats.
FW
A firmware is defined as the electronic system which is mainly used in the computer
devices as a security tool and it can be used for the given scenario in order to manage
the security risks. The major function of this security technology is that it can be used in
the business sector in order to manage and manipulate the signals and information
(Krutz, and Vines, 2010).
NAT technology
It is defined as the network address translation which is a part of internet ordinary that
allows the LAN networks to utilize the numbers of IP addresses. With the help of this
technology company can control and monitor the traffic signals from the network. It is
analysed that a NAT network is located where the local area network helps other
networks to secure the companies personal information and data. After designing and

SECURITY
5
implementing all these networks companies can increase security, privacy, improve the
performance of computer networks, reduce security risks and threats, and easily
communicate with their clients and stakeholders.
Part 2
DMZ network
DMZ is one of the best networks for reducing security risks and threats and it is very
easy to understand the implement. Many organizations like Amazon, Wal-Mart and so
on implemented this technology behind the firewall software by which they can easily
protect their servers from hackers (Zhang, et al., 2010). It can be implemented by
making a portion of organization network sit on the various internet protocol servers.
For example, one organization that has two computer systems which deliver web
hosting services. Both devices are public in the services and networks they run and local
area networks that involves three desktop machines, a windows98 and one Linux
laptop that separated from two servers that are in a DMZ.
Static IP
In the static IP network, few routers reserve an internet protocol address for a
particular device and company can implement this technology by using the
communication devices which are interconnected with the company IT network. It is
done by providing an IP address with the MAC address so that the router can assign an
IP address to each computer network and block the unauthentic networks (Humphreys,
2008). For example, to design and set up a web server for an organization server which
is reachable by any person in the ecosphere, the IT team require for forwarding the
inward appeal on the port number 80 to organization web server system. If the entire
server was reboot and acquire the latest IP address from the router network that means
the old server of the IP network would not work properly and the company server
would break. So, they should connect the static IP with the routers and other computer
networks for enhancing the overall performance of the server.
NAT network
NAT is defined as the network address translation which can be used in the IT security
for increase the rate of security of the servers. In which the single internal address is
connected to the single external address and it is mostly used when a computer system

SECURITY
6
inside a privately addressed network that must be accessed directly from the internet
(Chou, 2013). Such kind of network blocks the traffic signals from the network that help
the company to reduce the security risks and issues. For example, Amazon uses the
static NAT in order to avoid the unwanted signals and access the private address
directly from the internet. Therefore, with the help of all these networks and
technologies, the company can enhance their network security and improve the overall
performance of the communication system.
Review mechanisms to control organisational IT security and Manage
organisational security
Part 1
To assess the IT security risks information technology provided several steps by which
a company can identify the most harmful risks and harmless risks which are described
below:
Characterize the system: it is the first step to identify the security risks and viable
threats. The company should divide the computer system into different parts like
process, application, and function (Shaikh, and Haider, 2011).
Identify threats: there are major three kinds of security threats occur in the computers
such as unauthorized access, misuse of the data through unauthentic networks and data
leakage. In the unauthorized access hackers directly enter into the company system
with the help of malware. The misuse of data could be the result of unapproved use of
information (Park, and Park, 2007). The data leakage threat involves permitting the
utilization of unencrypted USB without any restriction.
Determine inherent risk and impact: according to the impact of security threats the
company can identify harmful and harmless threats and risks. If impact would be
damaging but easily recoverable that it will involve in the medium category (Shaw, et
al., 2009). If the impact would be minimal and does not affect the personal data files
then it will involve in the low category.
Analyse the control environment: After that organization requires to loot at few
categories of the data and information to assess their environment. Mainly, the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

SECURITY
7
organization wants to evaluate security threat prevention, solution, and mitigation in
order to improve the security of the data. There are few examples involve:
 Consumer provisioning controls
 Administration control
 Consumer and employees authentication controls
 Data centre security and privacy controls
Analyse and evaluate the risks associated with the information: it is the final step
for assessing the security risks and threats where companies require analysing the
security risks and threats. For evaluating risks companies can design and implement the
security policies and frameworks (Hashizume, et al., 2009). After analysis, the IT team
should provide the security tools and techniques for reducing the impact of risks and
threats on the information system.
It is observed that the security of the networks and information can be increased with
the help of data protection regulations and ISO risk management. ISMS regulation
provides a way to secure the organization document and also increase the level of the
security within the company (Baker, and Wallace, 2007). In which first risks are
identified and evaluated through ISO risk management. The GDPR regulation also helps
companies for detecting the security risks and threats associated with the computer
networks. In which first private data security breaches are identified and set out few
steps and guidelines for controlling and maintaining the security breaches (Mármol, and
Pérez, 2009). The ISO risk management play a significant role in reducing the effect of
cyber-attacks and risks on company data (Von Solms, and Van Niekerk, 2013). There are
few steps involves in the ISO risk management such as determining security risks,
analysis risks, evaluating risks, planning and monitoring risks and designing the
security frameworks.
The IT security audit is a process which is used to control and manage the risks faced by
an organization. In which the security service provider first identify the types of
security risks and threats faced by an organization. It positively impacts on the security
of an organization and involves few processes which are the following:
 Device and platform identification

SECURITY
8
 Security policy review
 Security architecture review
 Risks assessment
 Firewall configuration review
 Penetration testing
The employees and stakeholders show a substantial character in the field of info safety
of an organization. Mainly, employees used the unauthentic servers and third-party
application which are produced by the hackers. If employees know about unauthentic
networks and data breach then they can avoid unauthorized servers and block spam
emails which can help for improving the security of data. Stakeholders also help
organization for developing the information security policy to evaluate the behaviour of
employees towards the security risks and threats. Stakeholders should ensure that they
use the password-based system to secure the data and information. Employees and
stakeholders are responsible for the security risks because they use the third party
application if they use the security tools like encryption, firewall and backup plan then
they can help the organization to reduce the threats and risks.
Part 2
Information security Policy
There are several steps involves for designing and implementing the security policy
which are following:
Identify the security risks and threats: in this step first organization must identify the
key factors that increase the security risks in the workplace. In this step, the company
should determine the various kinds of security issues with their impacts.
Analyse the security risks: the IT team should analyse the security threats and discuss
with the employees in order to find their opinions about security breaches. The
company can adopt the information technology team for analysing how security risks
occur and what are key factors that increase risks in the organization (Vacca, 2012). To
analyse company should make a report and identify types of security risks occur in their
organization and discuss with their employees and management team.

SECURITY
9
Design a security plan or framework: after identifying the security risks the company
should design a framework for decreasing the impact of the security intimidations on
personal data. This step will divide the security risks as per their impact and collect the
relevant data from employees because employees use the unauthentic networks that
create problem in the networks (Bønes, et al., 2007). There are several steps involve in
the security plans which are the following:
 Check the configuration of networks
 Provide proper guidelines to employees about security risks
 Turn on security tools and update software on a regular basis
 Motivate employees and take feedback from the management team
 Adopt encryption and cryptography
 Use firewall software (Tianfield, 2012).
 Use backup plans
Implement security tools and plan: after designing the security tools and frameworks
company now implement them and ensure that they provide the complete information
to their employees and stakeholders (Da Veiga, and Eloff, 2010). Providing complete
training and education company should adopt the IT team and make a complete plan for
better understanding. Adopt encryption and firewall techniques and implement in the
information networks and employees must turn on firewall software in order to detect
and identify the traffic and unwanted signals. The company should ensure that an
employee uses only authentic networks and configured servers for reducing the data
breach, hacking and malware attacks. In the end, the company can produce a monthly
report and analysis which types of security risk more harmful and which is less harmful
(Mellado, et al., 2007). There are major two parts of any security policy, one deals with
the external threats to manage the integrity of the computer networks. The second deal
with internal risks and threats by adopting the appropriate resources and tools. For
addressing the external threats there are several tools and techniques which can be
used such as firewalls, e-mail filters, antivirus software, spam detection techniques,
robust technology for detecting the unwanted signals and fraud emails from the
computer. All these sources should be implemented in the IT security and undetected
by the consumers (Appari, and Johnson, 2010). For reducing the internal security risks

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

SECURITY
10
the company can implement an acceptable use policy (AUP) that identifies the
behaviour of employees and stakeholders.
Part 3
In the above security policy there are several tools and techniques used in order to
avoid the security risks and threats which are described below:
 Use authentic servers
 Adopt encryption and cryptography tools
 Use firewall and antivirus software
 Adopt backup plans
Use of authentic servers: it is observed that many employees use the unauthentic
servers during the communication process and they access their private accounts in
unauthorized websites which increase the security risks. For which company can adopt
the authentic servers and they should ensure that their employee’s uses only authorized
servers (Behnia, Rashid, and Chaudhry, 2012).
Adopt encryption and cryptography: both encryption and cryptography are advanced
security tools that have the potential to control and monitor the security risks.
Encryption is defined as a technique that converts the information into a form of code
and provides a private key that cannot be accessed by the attackers without user
permission. Cryptography is very similar to the encryption where it crypt the
information and data and identify the traffic signals from the communication devices.
The main advantage of this technology is that it blocks the unwanted signals from
networks and improves the security of the organization data.
Use firewall and antivirus software: firewall is security software which is used by
many companies in order to reduce the security risks. The company can download in
the employee’s computer devices that detect the malware, viruses and traffic signal
from the device and block them immediately (Johnson, and Goetz, 2007). There are
several antivirus software that can be used for reducing security threats such as 360,
Quick hill, Avase, and many more. All these software identify the viruses and unwanted
signals from the computer system and provide a notification on the computer screen by
which employees can secure their data and information.

SECURITY
11
Backup Plans: it is a very common security step which is used by many companies and
business industries because hackers can easily enter into their servers and they can
secure their personal information by using backup plans. Cloud computing is one of the
advanced tools that provide a platform to backup personal data and information. So, the
company can adopt this technique and uses a high-level password system in order to
improve the security of data.
Stakeholders show a vital part in the application of the privacy and security audit
recommendation and they can check and update computer software on regular basis. If
employees use the Gmail process to communicate with their clients then they should
ensure that they block and avoid spam and fraud emails.
Conclusion
This report is based on the security of information and readers can enhance their skill in
the era of info security. It is concluded that the lack of privacy is one of the biggest issue
faced by an organization and many employee’s uses authentic servers and click on
unwanted links that increase the rate of security risks. This report described the
security risks faced by an organization, risks assessment, security policy for risks and
threats and role of stakeholders and employees in the IT security. Employees should
ensure that they block the spam and fraud emails from the account because they are
transferred by hackers to detect their private details.

SECURITY
12
References
Appari, A. and Johnson, M.E., (2010) Information security and privacy in healthcare:
current state of research. International Journal of Internet and enterprise
management, 6(4), pp.279-314.
Baker, W.H. and Wallace, L., (2007) Is information security under control?: Investigating
quality in information security management. IEEE Security & Privacy, 2(1), pp.36-44.
Behnia, A., Rashid, R.A. and Chaudhry, J.A., (2012) A survey of information security risk
analysis methods. SmartCR, 2(1), pp.79-94.
Bønes, E., Hasvold, P., Henriksen, E. and Strandenæs, T., (2007) Risk analysis of
information security in a mobile instant messaging and presence system for
healthcare. International journal of medical informatics, 76(9), pp.677-687.
Chou, T.S., (2013) Security threats on cloud computing vulnerabilities. International
Journal of Computer Science & Information Technology, 5(3), p.79.
Colwill, C., (2009) Human factors in information security: The insider threat–Who can
you trust these days?. Information security technical report, 14(4), pp.186-196.
Da Veiga, A., and Eloff, J.H., (2010) A framework and assessment instrument for
information security culture. Computers & Security, 29(2), pp.196-207.
Hashizume, K., Rosado, D.G., Fernández-Medina, E. and Fernandez, E.B., (2013) An
analysis of security issues for cloud computing. Journal of internet services and
applications, 4(1), p.5.
Humphreys, E., (2008) Information security management standards: Compliance,
governance and risk management. information security technical report, 13(4), pp.247-
255.
Johnson, M.E. and Goetz, E., (2007) Embedding information security into the
organization. IEEE Security & Privacy, 5(3), pp. 12-14.
Krutz, R.L. and Vines, R.D., (2010) Cloud security: A comprehensive guide to secure cloud
computing. Wiley Publishing.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

SECURITY
13
Mármol, F.G., and Pérez, G.M., (2009) Security threats scenarios in trust and reputation
models for distributed systems. computers & security, 28(7), pp.545-556.
Mellado, D., Fernández-Medina, E., and Piattini, M., (2007) A common criteria based
security requirements engineering process for the development of secure information
systems. Computer standards & interfaces, 29(2), pp.244-253.
Park, Y. and Park, T., (2007) A survey of security threats on 4G networks. In Globecom
Workshops, 2007 IEEE, 12(6), pp. 1-6). IEEE.
Sabahi, F., (2011) Cloud computing security threats and responses. In Communication
Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, 12(2), pp.
245-249.
Shaikh, F.B. and Haider, S., (2011). Security threats in cloud computing. In Internet
technology and secured transactions (ICITST), 2011 international conference for, 16(6),
pp. 214-219). IEEE.
Shaw, R.S., Chen, C.C., Harris, A.L. and Huang, H.J., (2009) The impact of information
richness on information security awareness training effectiveness. Computers &
Education, 52(1), pp.92-100.
Tianfield, H., (2012) Security issues in cloud computing. In Systems, Man, and
Cybernetics (SMC), 2012 IEEE International Conference on, 12(4), pp. 1082-1089.
Vacca, J.R., (2012) Computer and information security handbook. Newnes.
Von Solms, R. and Van Niekerk, J., (2013) From information security to cybersecurity.
computers & security, 38(4), pp.97-102.
Warkentin, M. and Willison, R., (2009) Behavioral and policy issues in information
systems security: the insider threat. European Journal of Information Systems, 18(2),
pp.101-105.
Zhang, X., Wuwong, N., Li, H. and Zhang, X., (2010) Information security risk
management framework for the cloud computing environments. In Computer and
Information Technology (CIT), 2010 IEEE 10th International Conference on, 12(4), pp.
1328-1334.