Retail Organization IT Security Risk Assessment Report

Added on  2025/05/08

Contents
List of Figures .......... 3
LO1 Assess risks to IT security .......... 4
P1 Identify types of security risks to retail organizations .......... 4
P2 Describe retail organizational security procedures .......... 5
M1 Propose a method to assess and treat IT security risks .......... 7
LO2 Describe IT security solutions .......... 9
P3 Identify the potential impact on IT security of incorrect configuration of firewall policies and third-party VPNs .......... 9
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security .......... 9
M2 Discuss three benefits of implementing network monitoring systems, with supporting reasons .......... 12
LO3 Review mechanisms to control retail organizational IT security .......... 12
P5 Discuss risk assessment procedure .......... 12
P6 Explain data protection processes and regulation as applicable to a retail organization .......... 14
M3 Summarize the ISO 31000 risk management methodology and its application in IT security .......... 14
M4 Discuss possible impacts on retail organization security resulting from an IT security audit .......... 15
LO4 Manage retail organizational security .......... 16
P7 Design and implement a security policy for a retail organization .......... 16
P8 List the main components of a retail organizational disaster recovery plan, justifying the reasons for inclusion .......... 18
M5 Discuss the roles of stakeholders in the retail organization in implementing security audit recommendations .......... 18
Reference .......... 20
List of Figures
Figure 1: The likelihood of most of the security risks to a retail organization .......... 4
Figure 2: Security procedures of a retail organization .......... 5
Figure 3: Risk assessment as well as treatment .......... 7
Figure 4: Implementation of DMZ .......... 9
Figure 5: Implementing static IP .......... 10
Figure 6: Implementing NAT .......... 10
Figure 7: Risk assessment process .......... 12
Figure 8: ISO 31000 .......... 14
Figure 9: PDCA model .......... 16
Figure 10: Implementation steps of the information security system .......... 16
Introduction
This report is based on the security analysis of a retail organization. It provides detailed information about risk assessment methodologies and the procedures for treating IT risk in an organization. The main highlights of this report are IT security solutions, the different mechanisms required to control IT risk, a review of the mechanisms for controlling the IT security of organizations, and the management of organizational security. The report also explains the different network monitoring systems and the procedures used to reduce and mitigate risk.
LO1 Assess risks to IT security.
P1 Identify types of security risks to retail organizations
IT security is the most important security factor to be implemented in a retail organization to prevent unauthorized access to its most valuable information. The IT infrastructure is the most important asset that needs protection. The following are the types of security risk to a retail organization:
Spam: Email users are exposed to this risk when fake promotions are sent by email to fool employees into sharing the company's sensitive information. Spammers typically send malicious links that redirect users to a malicious site, which then downloads malicious content onto the retail organization's systems.
Malware: Malware covers a wide range of malicious software, for example worms, Trojans and spyware, that can infiltrate a machine without anyone realizing it. Malware infects a machine and spreads through the retail organization's executable files from one machine to another over the network connection, causing an IT epidemic.
Viruses: Viruses can cause disasters for the IT structure of the company, as they replicate easily across the computer network without users knowing about it until a disaster occurs. Viruses are also able to capture keystrokes, which exposes details such as passwords and assists in hacking the retail organization's password system.
Not understanding the source of cyber risk: Retail organizations generally fail to understand the importance of their assets and the security of the critical assets of the retail organization.
Lack of policies defining the cybersecurity of the retail organization: When there are no defined policies regarding the safety of intellectual property, employees lack the knowledge needed to protect the company's intellectual property (Iskandar et al., 2019).
Figure 1: The likelihood of most of the security risks to a retail organization
Source: (Techtalk, 2019)
P2 Describe retail organizational security procedures
Security policies and procedures are implemented in a retail organization in order to protect the intellectual property of the company. The security procedures and policies implemented in the company to protect its sensitive data are as follows:
Authorized access to the retail organization's systems: those who are not authorized are required to ask for access permission.
Limiting system access, so that the viewing, modification and destruction of important information in protected resources is available only to users who are authorized and have a need to know that specific information.
System users are responsible for all the actions that occur inside their systems.
Labeled security: Access to the system is granted according to criteria such as the information sensitivity shown by its label and the user's formal clearance to use the information, which is represented by the user's profile, by applying access rules that are based on the intensity and sensitivity of the information.
Information is classified according to the sensitivity levels defined by the retail organization.
Audit trails: Audit trails are maintained and recorded under a specific user ID, recording the login and logout activities for a specific system.
Backups are maintained by the company in cloud storage so that the data remains protected in case of any mishap.
Policies are made regarding the disposal or destruction of the company's sensitive information.
All the information of the retail organization has a specific owner.
The managers are responsible for explaining the security policies to each and every employee of the retail organization.
A corporate information system is followed to establish good communication between the different levels of the retail organization, ensuring the security of the retail organization.
Employees are trained regarding the security policies of their workstations (Danezis et al., 2015).
Figure 2: Security procedures of a retail organization
Source: Science, 2019
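The labeled-security and audit-trail procedures above, combined in a small access check, as an added example that is not part of the report. It assumes four ordered sensitivity labels, a user profile carrying a formal clearance, and an in-memory audit trail; all names and sample values are constructed.

```python
"""Label-based access check with an audit trail, as an added example.

Assumptions (not from the report): four ordered sensitivity labels, a user
profile that carries a formal clearance, and an in-memory audit trail that
records every decision, login and logout under the user's ID.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered sensitivity labels; a higher index means more sensitive information.
LABELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

@dataclass
class UserProfile:
    user_id: str
    clearance: str          # highest label the user is formally cleared to read

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user_id: str, action: str, target: str, allowed: bool) -> None:
        # Login, logout and every access decision are recorded under the user ID.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "action": action,
            "target": target, "allowed": allowed,
        })

def can_access(user: UserProfile, label: str) -> bool:
    """Allow access only when the user's clearance dominates the information label."""
    if label not in LABELS or user.clearance not in LABELS:
        return False                     # unknown label or clearance: fail closed
    return LABELS.index(user.clearance) >= LABELS.index(label)

def access(user: UserProfile, resource: str, label: str, trail: AuditTrail) -> bool:
    """Apply the labeled-security rule and write the decision to the audit trail."""
    allowed = can_access(user, label)
    trail.record(user.user_id, "read", resource, allowed)
    return allowed

if __name__ == "__main__":
    trail = AuditTrail()
    clerk = UserProfile("u1001", "INTERNAL")        # constructed sample user
    trail.record(clerk.user_id, "login", "pos-terminal-7", True)
    print(access(clerk, "price_list.csv", "INTERNAL", trail))       # True
    print(access(clerk, "card_tokens.db", "CONFIDENTIAL", trail))   # False
    trail.record(clerk.user_id, "logout", "pos-terminal-7", True)
    print(trail.entries)
```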
M1 Propose a method to assess and treat IT security risks.
Risk assessment and treatment comprise the procedure of identifying, prioritizing and managing the information risks that a retail organization can face.
Identification of the risk
Different sources of data feed into risk identification: the incidents that occurred earlier in the retail organization, other incidents, and the sources of risk to the retail organization's intellectual property.
Producing a framework for risk management of the retail organization
This contains the policies that help to determine and identify the risk, to whom the risk is assigned, and what effect the risk has on the confidentiality, integrity and availability of the company's information.
The risk assessment methodology is required to address the following issues:
The baseline security criteria
The risk scale
The risk appetite
Methodologies, such as scenario-based assessment or asset-based evaluation.
Analysis of the risk
After the threats and vulnerabilities related to the information security of the retail organization have been identified, the vulnerabilities related to the retail organization are analyzed so that the attack surface can be assessed.
Evaluation of the risk
Once the IT risks related to the retail organization are identified and assessed, these risks are listed and weighed against predefined risk levels and the acceptable limit, in order to sort which risk is to be addressed first and which risk can be set aside for some time and addressed later.
Selecting the proper option for the treatment of the risk
There are different ways of treating the risks identified and assessed in the risk assessment process:
Risk avoidance, by completely eliminating the identified risk.
Risk modification, by applying security measures and controls.
Outsourcing the identified risks to external parties.
When the identified risk falls within the established risk acceptance criteria, the risk is retained.
The Statement of Applicability (SOA) must contain the processes for the control of risk (Ahmad et al., 2015).
Figure 3: Risk assessment as well as treatment
Source: (pecb.com, 2019)
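The evaluation and treatment steps above carried through on a small risk register, as an added example that is not part of the report. It assumes a 1-5 likelihood and impact scale, a risk level of likelihood times impact, a risk appetite of 6 as the acceptance criterion, and a constructed register of three risks taken from the P1 risk types.

```python
"""Risk scoring and treatment selection, as an added example.

Assumptions (not from the report): likelihood and impact are scored 1-5,
the risk level is likelihood * impact, the risk appetite is 6 (levels at
or below it are retained), and the register below is constructed.
"""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe) on confidentiality, integrity, availability

RISK_APPETITE = 6     # acceptance criterion: levels <= 6 need no further treatment

def score(risk: Risk) -> int:
    """Risk level on the 1-25 scale; invalid scores are rejected rather than guessed."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1-5")
    return risk.likelihood * risk.impact

def treatment(risk: Risk, can_eliminate: bool = False, can_outsource: bool = False) -> str:
    """Map a scored risk to one of the four treatment options in the report."""
    level = score(risk)
    if level <= RISK_APPETITE:
        return "retain"        # within the established acceptance criteria
    if can_eliminate:
        return "avoid"         # the risky activity can be dropped entirely
    if can_outsource:
        return "outsource"     # an external party takes on the risk
    return "modify"            # apply security measures and controls

def prioritise(register: list) -> list:
    """Highest level first, so the most urgent risk is addressed first."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.name, score(r), treatment(r)) for r in ranked]

# Constructed sample register for a retail organization.
REGISTER = [
    Risk("Phishing e-mail to staff", "employee mailboxes", 4, 4),
    Risk("Malware via removable media", "POS terminals", 3, 5),
    Risk("Spam flooding the mail gateway", "mail gateway", 5, 1),
]

if __name__ == "__main__":
    for name, level, action in prioritise(REGISTER):
        print(f"{level:2d}  {action:9s}  {name}")
```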
LO2 Describe IT security solutions
P3 Identify the potential impact on IT security of incorrect configuration of firewall policies and third-party VPNs.
There are several impacts of improperly configured network security on the IT security of the retail organization, but the two basic negative results of improper configuration are as follows:
Traffic addressed in the network is not able to reach its proper destination, because the routing path of the traffic is blocked, the traffic is routed to some other destination, or the traffic cannot be routed at all.
Traffic that is not desired by the destination system is routed to the destination.
Sometimes the firewall is configured so that it allows more traffic irrespective of the source of the traffic, which can easily cause potential security damage to the IT structure of the retail organization.
Running information in the firewall that is not required to be executed allows risky services to run in the system.
A third-party VPN that does not follow the security policies can cause unauthorized access to the IT network of the company. This reduces the security of the retail organization and increases the attack vectors (de et al., 2017).
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security.
Implementing a DMZ in a network
The demilitarized zone (DMZ) is a type of network that is isolated from other networks and bridges the gap between a widely connected public network and a private network. Due to the strict monitoring and restriction provided by the DMZ, it is neither as secure as a private network nor as insecure as a public network. The DMZ basically acts as a mediator in the transfer of data and information, and helps secure companies that are planning to extend their services and connect their network to exterior unsecured networks, since companies typically provide email, DNS server and web access services, which inherently and subsequently expose the company's network to attacks originating outside the private network.
Figure 4: Implementation of DMZ
Source: (Cisco, 2019)
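The DMZ placement just described, together with the firewall misconfigurations listed under P3 (traffic allowed irrespective of source, unnecessary services exposed), as one added example that is not part of the report. It assumes three zones (internet, dmz, internal), first-match rule evaluation with a default deny, and a constructed rule set in which rule 2 is deliberately over-permissive so the check has something to flag.

```python
"""Zone-based firewall policy with a DMZ and a misconfiguration check, as an added example.

Assumptions (not from the report): zones internet/dmz/internal, first-match
evaluation with default deny, and a constructed rule set with one deliberately
over-permissive rule so the check has something to flag.
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src_zone: str            # "any" matches every zone
    dst_zone: str
    dst_port: Optional[int]  # None matches every port (every service)
    action: str              # "allow" or "deny"

def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    for rule in policy:
        if (rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"

def lint(policy: List[Rule]) -> List[str]:
    """Flag allow rules that bypass the DMZ or admit every service regardless of source."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action != "allow" or rule.src_zone not in ("internet", "any"):
            continue
        if rule.dst_zone == "internal":
            findings.append(f"rule {i}: outside traffic reaches the internal zone directly (bypasses DMZ)")
        if rule.dst_port is None:
            findings.append(f"rule {i}: allows every service from source zone {rule.src_zone}")
    return findings

# Constructed policy: web tier in the DMZ, database inside; rule 2 is the mistake.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),     # public HTTPS to the web server only
    Rule("dmz", "internal", 5432, "allow"),    # web tier to the database port only
    Rule("any", "internal", None, "allow"),    # over-permissive: undoes the DMZ
    Rule("internal", "any", None, "allow"),    # staff may initiate outbound connections
]

if __name__ == "__main__":
    print(evaluate(POLICY, "internet", "dmz", 443))        # allow
    print(evaluate(POLICY, "internet", "internal", 22))    # allow, because of rule 2
    for finding in lint(POLICY):
        print(finding)
```

Removing rule 2 makes evaluate() deny internet-to-internal traffic while still allowing HTTPS into the DMZ and the web tier's database connection, which is the behaviour the DMZ is meant to enforce.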
Implementing a Static IP
Compared to a dynamic IP address, the implementation of a static IP address is more secure. Using a static IP helps in better and more reliable routing of information to its destination. The lag time and latency with a static IP are generally low, which increases the speed of transferring and receiving data over the network. CCTV is regulated by static IP addresses and helps in securing the environment of the company's networking system. Static IP helps in controlling the email and other information that is transferred across the company's network. There is no requirement for third-party involvement in hosting the website in the case of a static IP address. Through a static IP address, the servers can be accessed online with remote access permission to the server (Preda, 2013).