IT Security Risk Assessment and Management: A Comprehensive Report

Added on 2025/04/08
Contents
Introduction ... 3
LO1 Assess risks to IT security ... 4
P1 Identify types of security risks to organisations ... 4
P2 Describe organisational security procedures ... 7
M1 Propose a method to assess and treat IT security risks ... 8
LO2 Describe IT security solutions ... 9
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs ... 9
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security ... 11
M2 Discuss three benefits to implement network monitoring systems with supporting reasons ... 15
LO3 Review mechanisms to control organisational IT security ... 16
P5 Discuss risk assessment procedures ... 16
P6 Explain data protection processes and regulation as applicable to an organisation ... 17
M3 Summarise the ISO 31000 risk management methodology and its application in IT security ... 18
M4 Discuss possible impacts to organisation security resulting from an IT security audit ... 20
LO4 Manage organisational security ... 21
P7 Design and implement security policy for an organisation ... 21
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion ... 22
M5 Discuss the roles of stakeholder in the organisation to implement security audit recommendations ... 23
Conclusion ... 24
References ... 25
Table of Figures
Figure 1: DOS Diagram.............................................................................................................4
Figure 2: CIA Diagram..............................................................................................................5
Figure 3: DMZ Implementation...............................................................................................11
Figure 4: Static IP.....................................................................................................................12
Figure 5: NATs........................................................................................................................13
Figure 6: NAT example..........................................................................................................14
Figure 7: Framework................................................................................................................18
Introduction
This project is based on IT security risk. It sets out how an organisation should deal with security problems, describing all the types of security risk and the procedures necessary for the organisation's overall protection. In the overall assessment, the main components of security are discussed in separate parts. In particular, the risk assessment procedures of IT security are discussed together with the configuration of VPNs and firewall policies.
LO1 Assess risks to IT security
P1 Identify types of security risks to organisations
Many organisations face threats every day. In the local Retail Company, security is a top priority for employees, the building, finances and so on. There are other areas of the local Retail Company that also need security. The following are some of the threats from which the local Retail Company must be protected.
Denial of Service
Figure 1: DOS Diagram
(Source: Hacks et al., 2019)
This attack takes the network down: the attacker sends requests to a server again and again, so that the site becomes blocked or unreachable, because a site can only handle a limited number of requests. As a result, authorised users are no longer able to have their requests for that site served. Similarly, everyone with a Gmail account receives messages such as "love level", loan offers, "better your skills" and so on; more than 60 percent of the messages in a Gmail account are spam. Gmail is now very important, especially for office work. A spam message can carry a harmful link that downloads a virus onto your PC. To protect your PC from this kind of spam, you need to install anti-spam software.
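The report describes the request flood from the attacker's side; the following added example (not part of the report) shows the defender's side: parsing web server access log lines, keeping a sliding window of request times per client address, and flagging any client that exceeds a threshold inside the window. The log lines are constructed for the example, and the threshold and window are assumed tuning values rather than figures from the report.

```python
"""Request-flood detection over web server access log lines.

Added example, not part of the report. It takes the defender's view of the
"request again and again" pattern described above: parse Common Log Format
lines, keep a sliding window of request times per client address, and flag
clients that exceed a threshold inside the window. The log lines are
constructed for the example, and the threshold and window are assumed tuning
values, not figures from the report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Common Log Format: client - - [timestamp] "request line" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None for a malformed line."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    return match.group("ip"), datetime.strptime(match.group("ts"), TS_FMT), match.group("req")


def find_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Map client_ip -> peak requests seen within one window, for clients over threshold.

    Lines are assumed to be in time order, as they are when tailing a live log.
    """
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip junk rather than let one bad line stop detection
        ip, ts, _request = parsed
        stamps = recent[ip]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:
            stamps.popleft()      # drop requests that have aged out of the window
        if len(stamps) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(stamps))
    return offenders


# Constructed log: one ordinary visitor and one client hammering /login.
SAMPLE_LOG = (
    ['192.0.2.10 - - [08/Apr/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512']
    + [f'10.0.0.7 - - [08/Apr/2025:10:00:0{i // 2 + 1} +0000] "GET /login HTTP/1.1" 200 128'
       for i in range(8)]        # eight requests inside four seconds
    + ['192.0.2.10 - - [08/Apr/2025:10:00:30 +0000] "GET /products HTTP/1.1" 200 2048',
       'this is not a log line']
)

if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside one window")
```

The window is a deque per client so memory stays bounded by the window size rather than by the log length, and a malformed line is skipped instead of aborting the scan, which matters when the log itself is being written under load.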
CIA
Figure 2: CIA Diagram
(Source: Security Awareness Company, 2019)
CIA stands for Confidentiality, Integrity and Availability. This triad is the cornerstone of information security and is used to analyse the security-related information of the local Retail Company. Its three terms guide security. A virus is introduced automatically and affects your computer files; it arrives through email, messages and the internet, and also through shared networks. Viruses also attack the password of your bank account. This is a big problem for the local Retail Company because a virus may damage any file. To protect against it, anti-virus software must be installed.
Malware
Malware covers various kinds of harmful software, such as worms, spyware and trojans. It spreads internally and damages other files on the interlinked network, which is known as an epidemic. It captures the passwords of your account and passes them to the host. As it is more harmful than a virus, you always need to keep your anti-virus up to date.
Monitoring the Network
Servers need to work continuously for the local Retail Company to move forward each day. If a server is not working, it affects the work of individuals, which in turn affects the whole IT sector. So the servers need daily maintenance to avoid downtime in the local Retail Company.
Scanning for vulnerabilities and patch management
When using open networks, we have to be careful because an attacker has a way in. Scanning the network to find vulnerabilities is the first and most important step. After completing the scan, we have to deploy patches on the part of the network that is at high risk; applying patches regularly decreases the probability of attack (Furnell, 2002).
P2 Describe organisational security procedures
Information security procedures
Policy
It is regulated by an information security policy.
Access Control
All members have an authorised system, and this is controlled by the local Retail Company policy. It includes authorisation, identification and authentication. Passwords are used by all services, such as Gmail, Facebook, etc. Password policies are followed to reduce the risk; they include password management and password composition guidelines. For most systems, we need to add further stages before any local Retail Company staff member can access the information, so that access to the system is controlled.
Digital Messaging
Here, policies are applied to sending messages or mail on social media, blogs, text messages, etc. They define permissible and prohibited use.
Scope
This policy applies to all members of the local Retail Company.
Operations Management
It includes securing information and protecting the networks that support processing: operating procedures must be maintained, documented and always available on call; duties must be segregated to prevent access by unauthorised users; systems must be protected against malicious program code; entered information must be protected; and monitoring is necessary to check the probability of risk.
Physical data and data centres
It consists of the security perimeter, entry controls, security tools and utilities. Stored data must be checked properly to confirm that it is licensed. Sensitive data must be deleted using a standard procedure.
M1 Propose a method to assess and treat IT security risks.
Choose the best method
Choosing the right methodology for your company is necessary to drive the assessment process. It addresses questions such as scenario-based assessment, baseline security, risk appetite and the risk scale.
Check the list of information assets
To assess asset risk, we need to work from the existing asset list, which covers electronic files, removable media, intangibles, hard copies, etc.
Find out the threats
Detect the vulnerabilities that may exist in every asset.
Estimate the risk
Assign impact values to each risk that may occur.
Reduce the risk to an acceptable level
Terminate the risk by removing it entirely, treat it using security tools, transfer it by passing it to another party, or tolerate it.
Compile the risk reports
It is compulsory to produce reports for the RTP (Risk Treatment Plan) and the SoA (Statement of Applicability).
Monitor by checking
It is necessary to update, check and maintain the assessment so that it continues to work (Ruighaver, Maynard and Chang, 2007).
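The steps above (asset list, threats and vulnerabilities, risk values, treatment, reports) can be carried through end to end on a small register. The following is an added example and not the report's own method: it assumes a 1 to 5 likelihood scale, a 1 to 5 impact scale, risk = likelihood x impact, an assumed risk appetite of 6 (tolerate at or below) and an assumed critical threshold of 20 (terminate at or above), and chooses among the four treatments named above. The register entries are constructed for the example.

```python
"""Risk register worked through the steps above (asset list, threats and
vulnerabilities, risk values, treatment, report).

Added example, not the report's own method. It assumes a 1-5 likelihood scale,
a 1-5 impact scale, risk = likelihood x impact, an assumed risk appetite of 6
(tolerate at or below) and a critical threshold of 20 (terminate at or above);
the four treatments are the ones named above. The register entries are
constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

APPETITE = 6    # assumed: scores at or below this are tolerated
CRITICAL = 20   # assumed: scores at or above this are terminated (asset removed)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    transferable: bool = False  # insurance or an outsourced service can carry it

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self):
        return self.likelihood * self.impact


def treatment(risk, appetite=APPETITE, critical=CRITICAL):
    """Pick one of terminate / treat / transfer / tolerate from the score."""
    if risk.score <= appetite:
        return "tolerate"
    if risk.score >= critical:
        return "terminate"
    if risk.transferable:
        return "transfer"
    return "treat"


def build_plan(register):
    """Rows for the Risk Treatment Plan, highest score first."""
    rows = [(r.asset, r.threat, r.score, treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def treatment_summary(register):
    """Count of risks per treatment, the kind of total a SoA summarises."""
    return dict(Counter(treatment(r) for r in register))


# Constructed register for a small retailer; scores are illustrative.
SAMPLE_REGISTER = [
    Risk("Legacy FTP server", "Unauthorised access", "Unused service, unpatched", 4, 5),
    Risk("Customer database", "Ransomware", "Backups never restored in a test", 3, 5),
    Risk("Web shop", "Denial of service", "No rate limiting", 3, 4, transferable=True),
    Risk("Staff laptops", "Device loss", "Disk not encrypted", 3, 3),
    Risk("Printed invoices", "Theft", "Unlocked cabinet", 2, 2),
]

if __name__ == "__main__":
    for asset, threat, score, action in build_plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<9} {asset}: {threat}")
    print(treatment_summary(SAMPLE_REGISTER))
```

The thresholds are deliberately parameters of treatment() rather than hard-coded, because the appetite is a management decision that the "choose the best method" step fixes before any scoring happens; re-running build_plan() with a different appetite shows how many items move between "tolerate" and "treat".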
LO2 Describe IT security solutions
P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs
Firewall impact
Broad policy configuration
A broad policy lets any traffic flow from source to destination. It is not known exactly which rules need to be created, and because of time pressure the firewall policy is not defined precisely. It gives low-level access so that users can work normally, which results in fewer failures. It is important to review your policy daily to check the network access used by each application and the connections it requires.
Risky services and their management
Many applications are left running even though they are not in use; this is a common fault. To overcome the problem, configure the applications so as to decrease the probability of risk.
Non-standard authentication
Many routers are not up to the mark, that is, they do not meet the standard, so another user's password can easily be obtained. To overcome this, remote organisations should use the same authentication process as other organisations.
System testing with production data
IT companies have strict governance policies for testing that is not linked to production data. The risk arises when you hand over production data for testing, as the test environment has low-level security. To reduce this, you need good security tools.
Security devices have log outputs
Companies do not check the logs because they are difficult to maintain and analyse, and costly. Reduce the risk by logging properly.
VPNs
Shared key mismatch
There is a known problem if you repeatedly encounter a shared-key mismatch error after the shared key has been detected. It is necessary to check the shared key when repairing the connection.
Network addressing
The network address needs to match when it is linked with the vDC, in order to specify the router prefix.
Isolated network
The VPN link may not work if the vDC network is isolated.
Unsupported VPN types
The VPN link between on-premises equipment and the vDC (data centre) does not carry some types, for example NAT (Stouffer and Falco, 2006).
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security
Implement DMZ
Figure 3: DMZ Implementation
(Source: Soldier of Fortune, 2019)
DMZ stands for Demilitarized Zone, the network equivalent of neutral ground, also known as a screened subnetwork or perimeter network. It is a physical subnet that separates an internal local area network from untrusted networks such as the internet. It contains the external-facing servers, services and resources, so these can be accessed from the internet while the rest of the LAN remains unreachable. This adds security to the LAN, as it prevents hackers from directly accessing internal servers or any other data via the internet. Services such as proxy servers and the Domain Name System should be placed in the DMZ.
The DMZ hosts (FTP server, web server, etc.) sit on a switch on a VLAN that is not routed. DMZ hosts have public IPs; the DMZ does not have its own IP address or NAT. It sits between the internal network and the internet. A DMZ on its own does not give full security: by using it we can isolate the LAN from the public servers, but it exposes ports.
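Both the firewall faults in P3 (a broad any/any allow rule, rules that do not log, rules that never match because a broader rule sits above them) and the DMZ design in P4 (internet reaches only the public servers, the DMZ cannot open connections into the LAN) can be checked against a written-down rule set. The following added example is not taken from the report: it models three zones with a first-match rule list and default deny, evaluates flows through it, audits the list for the P3 faults, and verifies the DMZ isolation. Zone names, ports and both rule sets are constructed for the example.

```python
"""Zone-based firewall policy: flow evaluation, misconfiguration audit, DMZ check.

Added example that is not part of the report. It models the three zones of a
DMZ design (internet, dmz, lan) with a first-match rule list and default deny,
then applies checks motivated by P3 (broad any/any allow rules, rules with
logging switched off, rules shadowed by an earlier broader rule) and by P4
(the DMZ must not be able to open connections into the LAN). Zone names,
ports and both rule sets are constructed for the example.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source zone or ANY
    dst: str          # destination zone or ANY
    dport: object     # destination port (int) or ANY
    action: str       # "allow" or "deny"
    log: bool = True  # whether matches are written to the device log

    def matches(self, src, dst, dport):
        return (self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and self.dport in (ANY, dport))

    def covers(self, other):
        """True when every flow `other` would match is already matched by this rule."""
        return (self.src in (ANY, other.src)
                and self.dst in (ANY, other.dst)
                and self.dport in (ANY, other.dport))


def evaluate(rules, src, dst, dport):
    """First matching rule decides; an unmatched flow is denied."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def audit(rules):
    """Findings for the policy faults described in P3."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == (ANY, ANY, ANY):
            findings.append(f"{rule.name}: broad any/any allow rule")
        if not rule.log:
            findings.append(f"{rule.name}: logging disabled")
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}, never reached")
                break
    return findings


def dmz_isolated(rules, probe_ports=(22, 80, 443, 445, 3389)):
    """True when the DMZ cannot initiate connections into the LAN on any probe port."""
    return all(evaluate(rules, "dmz", "lan", port)[0] == "deny" for port in probe_ports)


# Constructed policy: only web ports from the internet reach the DMZ, the LAN may
# manage the DMZ, and the DMZ is explicitly blocked from reaching the LAN.
GOOD_POLICY = [
    Rule("web-https-in", "internet", "dmz", 443, "allow"),
    Rule("web-http-in", "internet", "dmz", 80, "allow"),
    Rule("lan-manages-dmz", "lan", "dmz", ANY, "allow"),
    Rule("dmz-to-lan-block", "dmz", "lan", ANY, "deny"),
]

# Constructed policy with a "temporary" catch-all allow, the broad-policy case
# from P3; it hides the DMZ block below it and never logs.
BAD_POLICY = [
    Rule("temp-allow-all", ANY, ANY, ANY, "allow", log=False),
    Rule("dmz-to-lan-block", "dmz", "lan", ANY, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, "dmz isolated:", dmz_isolated(policy), "findings:", audit(policy))
```

The shadowing check is what turns the "broad policy" fault into something measurable: the block rule in BAD_POLICY looks correct on paper, but audit() reports that it is never reached, and dmz_isolated() confirms the DMZ can open any port into the LAN.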