Security Final Assignment
Chapter
Introduction
Warmaksan’s assets
Warmaksan system’s level of risk
Initial Controls
Likelihood and Impact of the risks
Final Risk Registry
Control that can be applied
Data protection processes and regulations
IT Security Audit
Risk Assessment Procedure
Benefits of the Appropriate Risk Management Approach and System
Security Misalignment
Security Policy Design
Roles of Stakeholders
References
Introduction
Warmaksan plans to move its servers to a hybrid model architecture, which will change many of
the company’s processes. Accordingly, an IT security management plan needs to be organized to
ensure the company’s risks are accounted for and defended against at all costs. Using the
information I have accumulated from the company’s systems, policies, and procedures, this report
details the many aspects of the company, why they need to be protected, and how they are going
to be protected.
Warmaksan’s assets
As a large company, Warmaksan has many assets that range from physical, to software, to data
and even to business assets. Thus, the security management plan must cover all these assets in
relation to the CIA triad, each in a different way to make sure that the system is secure, while
also being usable.
Asset Name (including the CIA) | Justification for why it’s critical
The availability and reliability of the servers in datacenter that are used to provide the service | The servers that provide the service need to be always available so the users can use it whenever they want, and if they were to stop working, the users would stop using the service altogether. The hardware also needs to be reliable, because we don’t want any crashes or unpredictable errors to happen while hosting our service.
The integrity of the servers in the datacenter that are used to provide the service | The servers in the datacenter must not be altered in any way, as they are configured in a specific way to suit the way they are built, connected, and maintained. So, any change may break or reduce the performance of the servers.
The confidentiality of the servers in the datacenter that are used to provide the service | The access to the servers in the datacenter should always be set to a minimum, as any unauthorized access may lead to a loss of integrity or availability of the servers, or even data and software stored on the servers.
The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices) | The climate monitoring and control devices are crucial to the performance and usability of the datacenter. They should always be available to monitor the datacenter, while also being accurate in their monitoring. Furthermore, anyone who adjusts these devices’ settings should be accountable for their actions.
The availability and reliability of the operating system on the servers | The operating system used on the server is essential for hosting the service, as the operating system allows us to make use of the server’s hardware and install applications that can be used to host and maintain the service.
The confidentiality of the operating system on the servers | Access to the operating system means access to the service itself and its inner workings, which can lead to the loss of a lot of assets. Therefore, the confidentiality of the software should be secure.
The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS) | Any change done to the network security tools can result in opening many vulnerabilities in the network. Thus, the tools should not be tampered with, and whenever they are edited, the person who made the change should be held accountable.
The integrity of the logs of the service | If any change occurs to this data, the service might become harder to maintain and monitor, as the logs are essential to monitor the connections to the service. Also, logs hold accountability of the users who use the service.
The confidentiality of the source code used in hosting the service | Any access to this data can result in finding vulnerabilities that can be exploited to attack other assets of the company.
The confidentiality and integrity of the data transfer channels | These channels contain data like the work tasks, company problems and issues, source code, and even financial information. Thus, this data should remain confidential and be accessed by the authorized people only. Moreover, the data should remain unchanged to ensure that no problems or misunderstandings occur between the employees.
The availability, integrity, and accountability of the data being posted on Donzel’s social networks | This data can be seen by anyone so its confidentiality doesn’t need to be protected, but the integrity of data should remain unaltered because it can create issues for the people who post a post. Furthermore, the data should always be available to be seen by anyone, as a prime feature of any social networking service is the availability to connect and communicate with people at any time. Additionally, the person who posts should always be accountable for their posts to mitigate any copyright or impersonation issues.
The confidentiality and authenticity of the user’s credential data (login information, payment method and information) | These assets are very important as a loss of these assets can result in legal issues. The person accessing these assets should be authorized to do so and authenticate to make sure they are who they say they are.
Initial Controls
Asset Name (including the CIA) | Controls initially used by the company
The availability and reliability of the servers in datacenter that are used to provide the service | Monitoring stations; Some secured devices; Minor security procedures (firewall)
The integrity of the servers in the datacenter that are used to provide the service | Monitoring stations
The confidentiality of the servers in the datacenter that are used to provide the service | Monitoring stations
The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices) | Monitoring stations
The availability and reliability of the operating system on the servers | Some secured devices; Minor security procedures (firewall)
The confidentiality of the operating system on the servers | Some secured devices; Minor security procedures (firewall); Password policy
The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS) | Some secured devices; Minor security procedures (firewall)
The integrity of the logs of the service | Some secured devices; Minor security procedures (firewall)
The confidentiality of the source code used in hosting the service | Some secured devices; Minor security procedures (use of VPN and firewall); Password policy
The confidentiality and integrity of the data transfer channels | Some secured devices; Minor security procedures (use of VPN and firewall)
Likelihood and Impact of the risks
Asset Name (including the CIA) | Possible Risks | Impact | Likelihood | Justification for likelihood and impact
The availability and reliability of the servers in datacenter that are used to provide the service | Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Hardware failure, Natural disasters, Human error, Physical access, Poor climate, Exploitable monitoring | Major | Likely | Impact: A loss of availability/reliability of the servers means that no one would be able to use the service. And in case of permanent loss of this asset, a lot of money and time will be required to regain these assets. Likelihood: As the security procedures are minimal, the malware and flooding risks are likely to happen. However, these risks don’t usually target the hardware of the servers, which means the hardware is less likely to be affected by these attacks. Furthermore, the monitoring stations are easily exploitable, and the access doors are open, so anyone can gain physical access. Moreover, there is poor climate control and no countermeasures against hardware failure and natural disasters.
[...] service | [...] Physical access, Poor climate, Exploitable monitoring | [...] | [...] | [...] and undone easily. Likelihood: There are no countermeasures against hardware failure, natural disasters or poor climate control. Also, the unlocked access doors and the poor monitoring stations design can be used to gain physical access.
The confidentiality of the servers in the datacenter that are used to provide the service | Social engineering, Physical access, Exploitable monitoring | Moderate | Possible | Impact: Physical access to the server can be detrimental to the system because it can lead to access to other assets; however, this is not always the case, as access to what’s on the server requires authentications by default. Likelihood: Anyone can gain access to the datacenter because of the exploitable monitoring stations and the unlocked access doors. Furthermore, attackers can gain access to the datacenter by social engineering as there are no policies to train employees against physical access attacks.
The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices) | Hardware failure, Natural disasters, Human error, Physical access, Exploitable monitoring | Moderate | Possible | Impact: These devices are what is maintaining the servers in the database; if they are broken or function differently than what is expected, then the servers will get affected. Moreover, if physical access was the cause of the loss of this asset, then there is a high chance of other assets being affected. Likelihood: There are no countermeasures against physical access except the monitoring stations, which are poorly designed and can be exploited to gain access to these devices’ room. Additionally, there are no countermeasures to make sure that hardware failure or natural disasters don’t occur. Also, human error can cause these devices to malfunction.
The availability and reliability of the operating system on the servers | Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack | Major | Almost certain | Impact: Like the hardware assets that are used to run the server, the operating system is crucial for the service to function, and without it the users can no longer use the service and the reputation of the service, and the company, will go down. [...] the servers, which increases the likelihood of this risk occurring.
The confidentiality of the operating system on the servers | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Website attacks, Password guessing | Catastrophic | Almost certain | Impact: Accessing the operating system can allow the attacker to get access to the other assets of the company, like data and other software, which can impact the company even more. Nevertheless, the loss of this asset might also lead to people changing how the service works and consequently affect the users, whether it is a small problem or hacking the user. Likelihood: Attacks like malware attacks can occur easily as the security procedures are implemented poorly. These attacks’ usual target is to access the operating system of the servers, as they can gain access to more assets. Moreover, there are no countermeasures against social engineering or website attacks. Also, the set password policy has issues and cannot be relied on to protect the confidentiality of the operating system.
The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS) | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor | Major | Possible | Impact: These assets are crucial for the whole system; any change will lead to misconfiguration which will give light to new vulnerabilities that can be exploited [...]
[...] | [...] Spyware, Password guessing, Website attacks | [...] | [...] | [...] poorly designed and the password can be guessed to gain access. Additionally, there are no countermeasures against social engineering, spyware, or website attacks.
The confidentiality and integrity of the data transfer channels | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, ARP poisoning, Man-in-the-middle, DHCP attacks | Minor | Possible | Impact: The loss of the integrity of this data won’t impact the company a lot because it doesn’t have any data that needs to be accurate; however, it will cause problems between the workers. Furthermore, some of the data, like financial employee information, needs to remain confidential, and if it is exposed then it will affect the employees of the company negatively. Likelihood: The security procedures set are not good enough to stop the malware attacks that could occur. Also, there are no countermeasures to stop ARP poisoning, man-in-the-middle, or DHCP attacks. However, these data transfer channels are not likely to be attacked as they are within the organization.
The availability, integrity, and accountability of the data being posted on Donzel’s social networks | DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Website attacks, Ransomware, Human error | Major | Likely | Impact: This data is the data being viewed and interacted with the most when using the service. Therefore, if it’s not available, then the service is unusable. Moreover, the integrity of the data needs to be unaltered because it causes users to encounter problems that will lead them to suing the company. Also, the person uploading this data needs to be accounted in case of legal issues. [...]
[...] | [...] | [...] | [...] | [...] Likelihood: The security procedures set are not very effective to stop malware attacks. Additionally, the password policy is not enough to stop password guessing. Also, there are no controls or countermeasures to protect against social engineering, web spoofing or spyware. In addition, this asset is one of the most targeted assets, and there will be more attempts to attack it, which means the likelihood of the risk occurring is higher.
Final Risk Registry
[...] Hardware failure, Natural disasters, Human error, Physical access, Poor climate, Exploitable monitoring
The integrity of the servers in the datacenter that are used to provide the service | Human error, Natural disasters, Hardware failure, Physical access, Poor climate, Exploitable monitoring | Monitoring stations | Minor | Likely | High | 10
The confidentiality of the servers in the datacenter that are used to provide the service | Social engineering, Physical access, Exploitable monitoring | Monitoring stations | Moderate | Possible | High | 8
The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices) | Hardware failure, Natural disasters, Human error, Physical access, Exploitable monitoring | Monitoring stations | Moderate | Possible | High | 9
The availability and reliability of the operating system on the servers | Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Hardware failure, Natural disasters, Human error | Some secured devices; Minor security procedures (firewall) | Major | Almost certain | Extreme | 4
The confidentiality of the operating system on the servers | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Website attacks, Password guessing | Some secured devices; Minor security procedures (firewall); Password policy | Catastrophic | Almost certain | Extreme | 2
The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS) | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Ransomware | Some secured devices; Minor security procedures (firewall) | Major | Possible | Extreme | 7
The integrity of the logs of the service | Virus attack, Worm attack, Logic bomb, Trojan attack, Ransomware, Data corruption, Human error | Some secured devices; Minor security procedures (firewall) | Moderate | Possible | High | 11
The confidentiality of the source code used in hosting the service | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing, Website attacks | Some secured devices; Minor security procedures (use of VPN and firewall); Password policy | Major | Almost certain | Extreme | 3
The confidentiality and integrity of the data transfer channels | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, ARP poisoning, Man-in-the-middle, DHCP attacks | Some secured devices; Minor security procedures (use of VPN and firewall) | Minor | Possible | Medium | 12
The availability, integrity, and accountability of the data being posted on Donzel’s social networks | DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Website attacks, Ransomware, Human error | Some secured devices; Minor security procedures (firewall) | Major | Likely | Extreme | 6
The confidentiality and authenticity of the user’s credential data (login information, payment method and information) | Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing | Some secured devices; Minor security procedures (use of VPN and firewall); Password policy | Catastrophic | Almost certain | Extreme | 1
Controls that can be applied
The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS) | Install anti-malware applications; Install a next-generation firewall; Use IDS and IPS; Use AAA servers; Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers; Use packet sniffer to log and analyze the data being transmitted between devices on the network
[...] | [...] (ZPF); Encrypt data channels being used; Use AAA servers; Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers; Use packet sniffer to log and analyze the data being transmitted between devices on the network; Increase the awareness of the employees
The availability, integrity, and accountability of the data being posted on Donzel’s social networks | Install a stateless firewall to ensure protection against flooding attacks; Use access control list (ACL) for protection against flooding attacks; Install a next-generation firewall; Backup the data being used onto off premise database servers; Increase the awareness of the employees and users
[...] | [...]; Install a next-generation firewall; Use IDS and IPS; Apply a strong password policy; Increase the awareness of the users; Add multiple security authentication layers; Reduce the people who can have access to the customers data; Encrypt all the data being sent from the user and hash the passwords before saving onto the database; Use AAA servers; Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers; Use packet sniffer to log and analyze the data being transmitted between devices on the network; Encrypt transfer channels with secure protocols or VPNs; Backup user data onto off premise servers
[...] | [...] devices on the network; Encrypt transfer channels with secure protocols or VPNs; Backup the business data onto off premise servers; Secure all on premise devices, monitoring stations and access doors to both the datacenter and the offices; Use trusted VPNs when connecting remotely onto the company’s network
Data protection processes and regulations
Data is one of the most important assets in any system, as it can contain all the work and
achievements a company has done, as well as data about the company’s customers and users.
Accordingly, the data should always be protected from any malicious actions that might modify,
delete, or access it. Therefore, data protection processes and regulations must be set in place to
ensure its protection, which also includes the GDPR (General Data Protection Regulation) law
that is set to protect personal data and give control of it to the individuals to whom this data
relates.
1) The system must be built with consideration that the data being used must be private and
secured.
2) Processing of the data must be secured, so no data can be captured while it is being
processed.
3) No data should be processed unless it falls under one of the six lawful bases: Consent,
Contract, Public Task, Vital Interest, Legitimate Interest, Legal Requirement.
4) Encrypt data, whether by using ciphers and encryption algorithms that ensure that the
data can be transmitted securely between devices without any unauthorized access, or by
using hashes that can be used to ensure the data’s integrity and to stop anyone from
accessing the original data.
5) Backing up the data is one of the most common ways to protect the data from being
modified or deleted, as you have an extra copy of the data that is 100% accurate.
6) Install anti-malware applications to ensure that no malware is getting access to the
data.
7) Install firewalls to filter any malicious actions on the network.
8) Monitor, log, and analyze the data to make sure that the data being transferred is not
malicious and doesn’t have a malicious intent behind it.
9) Use trusted VPNs for any transfer of very sensitive data or for remote access.
10) Hold security awareness sessions to make sure that the employees are not falling for any
social engineering attacks.
11) Ensure the complete destruction of sensitive data after using it, whether it’s physical or
digital data.
12) Monitor physical access to devices that contain the data.
13) Maintain devices that store the data to ensure that the data doesn’t get corrupted or
become inaccessible.
14) Combine all the processes and regulations to increase the protection of the data.
IT Security Audit
The IT security audit compares the IT security of a certain company with the IT security that the
company should have, and consequently determines whether the IT security within a company has
any flaws or whether it is secure enough against malicious attacks that might threaten the company.
This audit can improve the reputation of the company, save it money, and protect the users of the
company’s service. Therefore, here is an analysis of the IT security and its impact on the
company according to the data gathered from the security check.
IT Security Analysis | Physical components: The security of the physical components within the company is very poor, and although there are monitoring stations, they are easily exploitable, which means any person can disable them and get access to physical components without being accountable. Furthermore, the datacenter, where the servers used to provide the service are located, can be easily accessed, and the temperature and humidity of the datacenter are not monitored and controlled correctly. Moreover, there are no regulations and controls set to protect the employee devices, which can give access to other devices within the system.
regularly informed and educated on the risks that can lead
to the loss of business assets, which can occur if the
employee or the user is not taking care of their actions.
Risk Assessment Procedure
Benefits of the Appropriate Risk Management Approach and System
The way the risk assessment is held is important to its outcome, which in turn determines the
security procedures that need to be implemented to protect the system from any risks.
Combining different risk assessment approaches can bring together the best of the approaches
used. In our case, combining the detailed approach with the informal approach can help produce a
detailed, analyzed risk assessment that is as secure as possible, and lets me confirm this risk
assessment against my own knowledge and experience, which can either improve the risk
assessment further or help me in building up my knowledge.
On the other hand, the ISO 31000 Enterprise Risk Management System provides
recommendations and plans that will help improve the risk assessment. This risk management
system is comprehensive and is integrated within all aspects of the organization’s operations.
Additionally, the system is continually improved based on the best data and knowledge
available. Consequently, by using this risk management system the company can rival other
companies in the industry, which will make the company more trusted by sponsors and users.
Furthermore, it will prepare the company against the worst possibilities by increasing the
effectiveness and security of the operations and the employees that are performing these
operations. Thus, the company will be more successful in performing its planned project and in
achieving its goals.
Policy Misalignment
The policy used influences the actions and decisions taken within the organization, and it is
constantly being changed to improve the decisions taken and the actions made. However, if the
actions and decisions are misaligned with the IT security policy set, the company will be affected
negatively. Such impacts include:
- Different actions/decisions in different areas of the system that are not aligned with the
policy can conflict with each other, which will cause the system to have vulnerabilities
that can be exploited. For instance, vulnerabilities might emerge when two incompatible
pieces of software are used. This exploitation of vulnerabilities can cost the company a
lot of time and money to deal with its consequences.
- If each supervisor takes a different decision, the employees that work under them will be
confused about which decision to follow, the output of their work will be of poor quality,
and thus the system will be less efficient and less secure. An employee who must choose
between two options and fails to do one of them will stress over what to do and how to do
it.
- If the policy is misaligned, any compliance arrangement with other companies or
organizations might lead to the contract between the two companies being voided and/or
our company getting sued for this misalignment.
- A decision misaligned with the IT security policy might result in decisions that the
consumer(s) will find unattractive and therefore reduce the reputation of the company.
- A misalignment in an action taken after a breach in the security might result in further
damage to the system and the consumers of the company.
Therefore, the policy must be followed and maintained in order to avoid the impacts mentioned
above. This can be done by:
- Providing the policies to all employees and executives in the company, when they enter
the company and every time a change has been made to the policy.
- Ensuring that the employees and executives read the policy by informing and reminding
them to read it.
- Confirming that all the employees and executives can understand the policy and that it can
be understood by new employees who don’t know a lot about the company’s departments
and general information.
- Verifying that all the employees and executives have agreed to the policies without any
special cases and that, if they were to break it, they will be held responsible.
- Making sure that the policy is followed by all employees and executives without any
exceptions and that it is enforced on all the employees and executives in all departments
of the company.
Security Policy Design
Due to the upcoming project that the company is going to go through, a security policy needs to
be set in place to ensure that the process and outcome of the project go as smoothly as possible
while also being secure.
Policy Introduction
Included Policies | Justification for the Included Policies
Office Building Entrance Policy | This policy ensures that the people who enter the office building have authorization to do so
Office Room Policy | This policy makes sure that the office room is secure and cannot be used to threaten any of the company’s assets
Datacenter Policy | This policy confirms that the datacenter is safe from any risks
Remote Access Policy | This policy ensures that the remote workers are connecting and working on their job securely
Applications Policy | This policy ensures that the applications being used on the devices are safe to use and don’t pose any harm to any of the company’s assets
Password Policy | This policy makes sure that the passwords used to log in to the system by either the employees or the customers are difficult to obtain, so that they cannot be used to gain access to confidential data
Disaster Recovery Plan Policy | The DRP policy is needed to make sure that the recovery plan is implemented correctly and there are no misunderstandings that could lead to further damage than before
Backup Policy | Backup is crucial to save a copy of important data in case the original data was lost or corrupted
Documentation Policy | The documentation is needed to ensure that the recovery plan can be understood easily and implemented without any problem
VPN Policy | VPN is important for hiding the real IP address and for encrypting the data when connecting to the company’s network. This policy makes sure that the VPN is used how it is supposed to be used
Firewall Policy | This policy makes sure that the firewall is set up correctly and therefore that the data received is filtered and is not harmful to the system
Cloud Policy | This policy ensures that the cloud, which is going to host a part of the company’s system, is set up correctly so that it is secure and is easily accessible by both the employees and the customers
Included Policies List of sub-policies
Office Building Entrance Policy All people who enter need to be
frisked before entering.
Any person who needs to enter for
repairs needs to have a formal
permission.
Employees need to use their ID
card to enter.
Employees need to use biometric
scanner for authentication
Office Room Policy The desk must be clear of any
paper with confidential
information.
The computer needs to be locked
if no one is using them.
Glass doors/windows need to have
reflectors on the outside.
The door to the room needs to
have a biometric scanner for
access control.
Datacenter Policy No technician can enter without a
permission.
Entrance requires an access card
as well as a biometric scan.
Temperature and humidity control
devices’ settings should not be
changed.
Server cables should be
inaccessible unless with a key.
Cables in the datacenter should be
organized for ease of finding and
maintenance.
Remote Access Policy Remote access should be done
through an encrypted channel.
One person should be able to
connect per each encrypted
channel.
Connecting to the remote access
channel should require a
password.
Applications Policy Only work applications can be
installed on devices.
Install work application using
trusted sources.
Only licensed/free applications
30
should be used for work.
Applications should always up to
date with the new patches.
Password Policy Password should be 8 characters
or more.
Password should include a mix of
uppercase and lowercase letters.
Password should include a mix of
letters, numbers, and symbols.
Passwords should be changed
every month.
New passwords should be
different from already used
passwords.
Saving of password on papers or
unencrypted files is strictly
forbidden.
Disaster Recovery Plan (DRP) Policy The DRP team is responsible for
planning the DRP process and
helping in implementing it in
disaster scenarios.
The recovery time objective
(RTO) should be set to determine
the needed time to solve the
disaster and for the company to go
back to running normally.
The recovery point objective
(RPO) should be set to define the
maximum amount of data that can
be lost in a disaster scenario and
to expect the impact on the
company.
A DRP automation should be set
to reduce the time and energy
spent on the recovery and
decrease the number of human
errors that might occur.
Backup Policy
Data should be backed up regularly.
The backup should have a copy on site for ease of access and a copy off site in case of physical damage.
Apply redundancy to each copy of the backups using RAID technology.
Clean up unused data from backups.
Ensure that the backups are not accessible by employees who don’t need to have access to them.
Secure the backups using firewalls and anti-virus software.
Verify data before backup to filter out any harmful data.
Documentation Policy
DRP documentation should be easy to read and understand.
The documentation should walk through each process in the DRP in detail.
Documentation needs to be accurate and reviewed.
Documentation needs to be up to date with any change to the DRP.
VPN Policy
Only trusted VPNs should be used.
The VPN should be configured and set up correctly on all devices.
The VPN should be up to date on the latest patch.
The VPN should require a password to connect.
VPN channels should be as secure as possible.
Firewall Policy
The firewall should be correctly configured.
The firewall should be up to date with new vulnerabilities and attacks.
The firewall should be on at all times on every device.
Cloud Policy
The cloud servers should be compatible with the service provided.
The cloud subscription should be from a trusted provider.
The cloud servers should have enough performance to handle the service’s requests and processing.
The cloud should be accessible only by employees who handle the cloud system.
The cloud servers should be updated and secured against any risks.
Tools used within the policy and the evaluation of each tool:
VPN: The VPN will make sure that all the IP addresses used are hidden, and it will act as an encrypted connection channel that allows the user to communicate safely.
Firewall: The firewall will reduce the amount of harmful traffic that enters the network/devices, thereby reducing the number of incidents that may occur.
Anti-virus: The anti-virus will make sure that no harmful applications/processes are running on any device, which makes the devices more secure to use.
RAID technology: The RAID technology will make sure that the data is redundant and thus reduce data corruption incidents and increase the integrity of the data.
Biometric scanners and access cards: The access cards will ensure that no one without the card can enter the office building or the datacenter. The biometric scanner will further secure the entrance and will authenticate the holder of the card.
DRP automation: The DRP automation will back up data, notify the DRP team, and perform other processes that will help in dealing with the disaster. This can help increase the efficiency of the DRP and reduce the impact of the disaster. The automation will also always be active and ready for any disaster.
Cloud: The cloud will allow us to host the service on servers off premise, so that the company won’t have to maintain them.
Roles of Stakeholders
To ensure that security within the company is in place and that it protects the company from the
impact of the risks should they occur, multiple stakeholders have to work together. These
stakeholders range from management to employees with different jobs. Each of these stakeholders
has a role to play in the security audit recommendations and their implementation. Here is how
different stakeholders affect the security audit:
Management: Verify that the implementation of the security is completed on time and
that the resources and requirements needed for the implementation of the security audit
are prepared and ready to be used whenever needed.
IT Officers: Perform the implementation of the security audit recommendations and
ensure that it doesn’t interfere with any of the system processes or performance.
Risk Owners: They work with management and IT to confirm that the risks
identified in the security audit are mitigated and that the system is less likely to be
threatened by them.
Security Officers: They make sure that the physical premises are secure against any
unauthorized physical access. Most importantly, they ensure that the on-premise datacenter
is secure and that no unauthorized access to it has been made.
Compliance Officers: They make sure that the organization and the rest of the
stakeholders are compliant with the security audit recommendations and that no
misalignment is happening.
References
Demo: Protecting the stateful firewall (no date) NETSCOUT. Available at:
https://www.netscout.com/demo/protecting-stateful-firewall (Accessed: January 14, 2023).