Security Final Assignment


Student Name: Abdallah Joudeh
Student ID: 21110055
Course: Security
Assignment Title: Warmaksan
Tutor name: Dr. Heba Alawneh
Date: 31st of January, 2023

Chapter Page
Introduction 2
Warmaksan’s assets 2
Warmaksan system’s level of risk 4
Initial Controls 4
Likelihood and Impact of the risks 6
Final Risk Registry 14
Control that can be applied 18
Data protection processes and regulations 23
IT Security Audit 24
Risk Assessment Procedure 26
Benefits of the Appropriate Risk Management Approach and System 27
Security Misalignment 27
Security Policy Design 28
Roles of Stakeholders 35
References 36

Introduction
With Warmaksan's plan to move its servers to a hybrid architecture, many of the company's processes are going to change. Accordingly, an IT security management plan needs to be organized so that the company's risks are identified and controlled. Therefore, using the information I have gathered about the company's systems, policies, and procedures, this report details the company's assets, why they need to be protected, and how they are going to be protected.

Warmaksan’s assets
As a large company, Warmaksan has many assets, ranging from physical and software assets to data and business assets. Thus, the security management plan must cover all of these assets in relation to the CIA triad (confidentiality, integrity, availability), each in a different way, to make sure that the system is secure while also remaining usable.
Columns: Asset (with the CIA property concerned) / Justification for why it is critical

Asset: The availability and reliability of the servers in the datacenter that are used to provide the service
Justification: The servers that provide the service need to be always available so that users can use it whenever they want; if the servers stopped working, the users would stop using the service altogether. The hardware also needs to be reliable, because we do not want any crashes or unpredictable errors to happen while hosting our service.

Asset: The integrity of the servers in the datacenter that are used to provide the service
Justification: The servers in the datacenter must not be altered in any way, as they are configured in a specific way to suit how they are built, connected, and maintained. Any change may break the servers or reduce their performance.

Asset: The confidentiality of the servers in the datacenter that are used to provide the service
Justification: Access to the servers in the datacenter should always be kept to a minimum, as any unauthorized access may lead to a loss of integrity or availability of the servers, or even of the data and software stored on them.

Asset: The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices)
Justification: The climate monitoring and control devices are crucial to the performance and usability of the datacenter. They should always be available to monitor the datacenter, while also being accurate in their monitoring. Furthermore, anyone who adjusts these devices' settings should be accountable for their actions.

Asset: The availability and reliability of the operating system on the servers
Justification: The operating system used on the servers is essential for hosting the service, as it allows us to make use of the servers' hardware and to install the applications used to host and maintain the service.

Asset: The confidentiality of the operating system on the servers
Justification: Access to the operating system means access to the service itself and its inner workings, which can lead to the loss of many other assets. Therefore, the confidentiality of this software must be protected.

Asset: The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS)
Justification: Any change to the network security tools can open many vulnerabilities in the network. Thus, the tools should not be tampered with, and whenever they are edited, the person who made the change should be held accountable.

Asset: The integrity of the logs of the service
Justification: If this data is changed, the service becomes harder to maintain and monitor, as the logs are essential for monitoring the connections to the service. The logs also hold the users of the service accountable.

Asset: The confidentiality of the source code used in hosting the service
Justification: Any access to this data can lead to finding vulnerabilities that can be exploited to attack other assets of the company.

Asset: The confidentiality and integrity of the data transfer channels
Justification: These channels carry data such as work tasks, company problems and issues, source code, and even financial information. Thus, this data should remain confidential and be accessed by authorized people only. Moreover, the data should remain unchanged to ensure that no problems or misunderstandings arise between the employees.

Asset: The availability, integrity, and accountability of the data being posted on Donzel's social networks
Justification: This data can be seen by anyone, so its confidentiality does not need to be protected, but its integrity must be preserved because altered posts create issues for the people who posted them. Furthermore, the data should always be available to be seen by anyone, as a prime feature of any social networking service is the ability to connect and communicate with people at any time. Additionally, the person who posts should always be accountable for their posts, to mitigate any copyright or impersonation issues.

Asset: The confidentiality and authenticity of the user's credential data (login information, payment method and information)
Justification: These assets are very important, as their loss can result in legal issues. The person accessing these assets should be authorized to do so and must authenticate to prove they are who they say they are.

Warmaksan system’s level of risk


Like any other system, Warmaksan's system has a level of risk that needs to be defined in order to decide how the system should be protected. The level of each risk depends on how likely the risk is, and on its impact on the company and the affected stakeholders.
To define the likelihood of a risk, we first need to define the controls already in place to protect the asset, and then the threats that could cause the risk. Defining the impact of a risk, on the other hand, requires us to define how large the consequence would be if the threat succeeded.

Initial Controls
Columns: Asset (with the CIA property concerned) / Controls initially used by the company

Asset: The availability and reliability of the servers in the datacenter that are used to provide the service
Initial controls:
- Monitoring stations
- Some secured devices
- Minor security procedures (firewall)

Asset: The integrity of the servers in the datacenter that are used to provide the service
Initial controls:
- Monitoring stations

Asset: The confidentiality of the servers in the datacenter that are used to provide the service
Initial controls:
- Monitoring stations

Asset: The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices)
Initial controls:
- Monitoring stations

Asset: The availability and reliability of the operating system on the servers
Initial controls:
- Some secured devices
- Minor security procedures (firewall)

Asset: The confidentiality of the operating system on the servers
Initial controls:
- Some secured devices
- Minor security procedures (firewall)
- Password policy

Asset: The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS)
Initial controls:
- Some secured devices
- Minor security procedures (firewall)

Asset: The integrity of the logs of the service
Initial controls:
- Some secured devices
- Minor security procedures (firewall)

Asset: The confidentiality of the source code used in hosting the service
Initial controls:
- Some secured devices
- Minor security procedures (use of VPN and firewall)
- Password policy

Asset: The confidentiality and integrity of the data transfer channels
Initial controls:
- Some secured devices
- Minor security procedures (use of VPN and firewall)

Asset: The availability, integrity, and accountability of the data being posted on Donzel's social networks
Initial controls:
- Some secured devices
- Minor security procedures (firewall)

Asset: The confidentiality and authenticity of the user's credential data (login information, payment method and information)
Initial controls:
- Some secured devices
- Minor security procedures (use of VPN and firewall)
- Password policy

Likelihood and Impact of the risks
Columns: Asset (with the CIA property concerned) / Possible risks / Impact / Likelihood / Justification for likelihood and impact

Asset: The availability and reliability of the servers in the datacenter that are used to provide the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Hardware failure, Natural disasters, Human error, Physical access, Poor climate, Exploitable monitoring
Impact: Major
Likelihood: Likely
Justification (impact): A loss of availability or reliability of the servers means that no one would be able to use the service. In the case of permanent loss of this asset, a lot of money and time would be required to regain it.
Justification (likelihood): As the security procedures are minimal, the malware and flooding risks are likely to happen. However, these risks do not usually target the hardware of the servers, which means the hardware is less likely to be affected by these attacks. Furthermore, the monitoring stations are easily exploitable and the access doors are open, so anyone can gain physical access. Moreover, there is poor climate control and there are no countermeasures against hardware failure and natural disasters.

Asset: The integrity of the servers in the datacenter that are used to provide the service
Possible risks: Human error, Natural disasters, Hardware failure, Physical access, Poor climate, Exploitable monitoring
Impact: Minor
Likelihood: Likely
Justification (impact): Any change to the hardware might misconfigure or crash the system, but such a change can be found and undone easily.
Justification (likelihood): There are no countermeasures against hardware failure, natural disasters or poor climate control. Also, the unlocked access doors and the poor design of the monitoring stations can be used to gain physical access.

Asset: The confidentiality of the servers in the datacenter that are used to provide the service
Possible risks: Social engineering, Physical access, Exploitable monitoring
Impact: Moderate
Likelihood: Possible
Justification (impact): Physical access to the servers can be detrimental to the system because it can lead to access to other assets; however, this is not always the case, as access to what is on the servers requires authentication by default.
Justification (likelihood): Anyone can gain access to the datacenter because of the exploitable monitoring stations and the unlocked access doors. Furthermore, attackers can gain access to the datacenter by social engineering, as there are no policies to train employees against physical access attacks.

Asset: The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices)
Possible risks: Hardware failure, Natural disasters, Human error, Physical access, Exploitable monitoring
Impact: Moderate
Likelihood: Possible
Justification (impact): These devices are what keeps the servers in the datacenter running; if they break or behave differently than expected, the servers will be affected. Moreover, if physical access was the cause of the loss of this asset, there is a high chance of other assets being affected.
Justification (likelihood): There are no countermeasures against physical access except the monitoring stations, which are poorly designed and can be exploited to gain access to the room that holds these devices. Additionally, there are no countermeasures to make sure that hardware failure or natural disasters do not occur. Also, human error can cause these devices to malfunction.

Asset: The availability and reliability of the operating system on the servers
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack
Impact: Major
Likelihood: Almost certain
Justification (impact): Like the hardware used to run the servers, the operating system is crucial for the service to function; without it, the users can no longer use the service, and the reputation of the service and of the company will suffer.
Justification (likelihood): The security procedures in place are not great; therefore, malware attacks and flooding attacks can easily occur. These attacks usually target the operating system of the servers, which increases the likelihood of this risk occurring.

Asset: The confidentiality of the operating system on the servers
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Website attacks, Password guessing
Impact: Catastrophic
Likelihood: Almost certain
Justification (impact): Access to the operating system can allow the attacker to reach the other assets of the company, like data and other software, which affects the company even more. The loss of this asset might also let people change how the service works and consequently affect the users, whether that is a small problem or a compromise of the user.
Justification (likelihood): Malware attacks can occur easily, as the security procedures are implemented poorly, and their usual target is access to the operating system of the servers, from which more assets can be reached. Moreover, there are no countermeasures against social engineering or website attacks. Also, the password policy in place has issues and cannot be relied on to protect the confidentiality of the operating system.

Asset: The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS)
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor
Impact: Major
Likelihood: Possible
Justification (impact): These assets are crucial for the whole system; any change will lead to misconfiguration, which will give rise to new vulnerabilities that can be exploited.
Justification (likelihood): The security procedures in place are minor, so malware attacks are possible, especially ones that target the security tools that protect the network.

Asset: The integrity of the logs of the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Ransomware, Data corruption, Human error
Impact: Moderate
Likelihood: Possible
Justification (impact): This data is important for maintaining the service and holding people accountable; any change or corruption will therefore cause a lot of problems in monitoring the requests and holding people accountable for their actions.
Justification (likelihood): The security procedures in place are poor, so malware and ransomware attacks can easily happen. Moreover, there are no backups to protect against data corruption or human error that might cause the logs to be lost.

Asset: The confidentiality of the source code used in hosting the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing, Website attacks
Impact: Major
Likelihood: Almost certain
Justification (impact): Access to this data may lead to finding vulnerabilities present in the system that can be exploited.
Justification (likelihood): Malware attacks can occur because of the minor security procedures. Also, the password policy is poorly designed, so passwords can be guessed to gain access. Additionally, there are no countermeasures against social engineering, spyware, or website attacks.

Asset: The confidentiality and integrity of the data transfer channels
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, ARP poisoning, Man-in-the-middle, DHCP attacks
Impact: Minor
Likelihood: Possible
Justification (impact): The loss of integrity of this data will not affect the company much, because the channels carry no data that must be exact, although it will cause problems between the workers. Some of the data, such as employee financial information, does need to remain confidential, and if it is exposed it will affect the company's employees negatively.
Justification (likelihood): The security procedures in place are not good enough to stop the malware attacks that could occur. Also, there are no countermeasures to stop ARP poisoning, man-in-the-middle, or DHCP attacks. However, these data transfer channels are less likely to be attacked, as they are internal to the organization.

Asset: The availability, integrity, and accountability of the data being posted on Donzel's social networks
Possible risks: DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Website attacks, Ransomware, Human error
Impact: Major
Likelihood: Likely
Justification (impact): This is the data that is viewed and interacted with the most when using the service; if it is not available, the service is unusable. Moreover, the integrity of the data must be preserved, because altered posts cause users problems that may lead them to sue the company. Also, the person uploading this data needs to be accountable in case of legal issues.
Justification (likelihood): The security procedures in place can be bypassed, and flooding attacks can occur that stop the availability of this data. Furthermore, there are no countermeasures against website and ransomware attacks. Also, the integrity of the data can be lost through human error, for which there are no controls to prevent or verify.

Asset: The confidentiality and authenticity of the user's credential data (login information, payment method and information)
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing
Impact: Catastrophic
Likelihood: Almost certain
Justification (impact): The user data must always be confidential, because many laws require that users' private data be kept confidential at all times. Any access to the data by unauthorized users, or any failure of authentication that leads to access to the user data, will violate governmental or international regulations.
Justification (likelihood): The security procedures in place are not very effective at stopping malware attacks. Additionally, the password policy is not enough to stop password guessing. Also, there are no controls or countermeasures against social engineering, web spoofing or spyware. In addition, this asset is one of the most targeted assets, so there will be more attempts to attack it, which raises the likelihood of the risk occurring.

Final Risk Registry

Columns: Asset (with the CIA property concerned) / Possible risks / Existing controls / Impact / Likelihood / Risk level / Priority

Asset: The availability and reliability of the servers in the datacenter that are used to provide the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Hardware failure, Natural disasters, Human error, Physical access, Poor climate, Exploitable monitoring
Existing controls: Monitoring stations; Some secured devices; Minor security procedures (firewall)
Impact: Major / Likelihood: Likely / Risk level: Extreme / Priority: 5

Asset: The integrity of the servers in the datacenter that are used to provide the service
Possible risks: Human error, Natural disasters, Hardware failure, Physical access, Poor climate, Exploitable monitoring
Existing controls: Monitoring stations
Impact: Minor / Likelihood: Likely / Risk level: High / Priority: 10

Asset: The confidentiality of the servers in the datacenter that are used to provide the service
Possible risks: Social engineering, Physical access, Exploitable monitoring
Existing controls: Monitoring stations
Impact: Moderate / Likelihood: Possible / Risk level: High / Priority: 8

Asset: The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices)
Possible risks: Hardware failure, Natural disasters, Human error, Physical access, Exploitable monitoring
Existing controls: Monitoring stations
Impact: Moderate / Likelihood: Possible / Risk level: High / Priority: 9

Asset: The availability and reliability of the operating system on the servers
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Hardware failure, Natural disasters, Human error
Existing controls: Some secured devices; Minor security procedures (firewall)
Impact: Major / Likelihood: Almost certain / Risk level: Extreme / Priority: 4

Asset: The confidentiality of the operating system on the servers
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Website attacks, Password guessing
Existing controls: Some secured devices; Minor security procedures (firewall); Password policy
Impact: Catastrophic / Likelihood: Almost certain / Risk level: Extreme / Priority: 2

Asset: The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS)
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Ransomware
Existing controls: Some secured devices; Minor security procedures (firewall)
Impact: Major / Likelihood: Possible / Risk level: Extreme / Priority: 7

Asset: The integrity of the logs of the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Ransomware, Data corruption, Human error
Existing controls: Some secured devices; Minor security procedures (firewall)
Impact: Moderate / Likelihood: Possible / Risk level: High / Priority: 11

Asset: The confidentiality of the source code used in hosting the service
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing, Website attacks
Existing controls: Some secured devices; Minor security procedures (use of VPN and firewall); Password policy
Impact: Major / Likelihood: Almost certain / Risk level: Extreme / Priority: 3

Asset: The confidentiality and integrity of the data transfer channels
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, ARP poisoning, Man-in-the-middle, DHCP attacks
Existing controls: Some secured devices; Minor security procedures (use of VPN and firewall)
Impact: Minor / Likelihood: Possible / Risk level: Medium / Priority: 12

Asset: The availability, integrity, and accountability of the data being posted on Donzel's social networks
Possible risks: DoS/DDoS, ICMP attack, UDP flood, DHCP spoofing, DNS attack, Website attacks, Ransomware, Human error
Existing controls: Some secured devices; Minor security procedures (firewall)
Impact: Major / Likelihood: Likely / Risk level: Extreme / Priority: 6

Asset: The confidentiality and authenticity of the user's credential data (login information, payment method and information)
Possible risks: Virus attack, Worm attack, Logic bomb, Trojan attack, Backdoor, Social engineering, Web spoofing, Spyware, Password guessing
Existing controls: Some secured devices; Minor security procedures (use of VPN and firewall); Password policy
Impact: Catastrophic / Likelihood: Almost certain / Risk level: Extreme / Priority: 1
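The risk levels in the registry come from a qualitative impact-by-likelihood matrix that the report applies but never prints. The Python script below is an added example and is not part of the original report: it encodes the common five-by-five matrix (Low / Medium / High / Extreme, in the style of AS/NZS 4360) as an assumption, feeds it the impact and likelihood values copied from the registry, and orders the entries. The matrix, the numeric tie-break score and the shortened asset names are assumptions; the impact and likelihood values are the report's own.

```python
"""Qualitative risk matrix applied to the Warmaksan risk registry.

Added example, not code from the report. The matrix below is assumed
(AS/NZS 4360 style); the report prints only the resulting levels, and every
level it prints agrees with this table.
"""
from typing import List, Tuple

IMPACTS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]

# Rows are likelihoods, columns are impacts in the order of IMPACTS (assumed matrix).
MATRIX = {
    "Almost certain": ["High",   "High",   "Extreme", "Extreme", "Extreme"],
    "Likely":         ["Medium", "High",   "High",    "Extreme", "Extreme"],
    "Possible":       ["Low",    "Medium", "High",    "Extreme", "Extreme"],
    "Unlikely":       ["Low",    "Low",    "Medium",  "High",    "Extreme"],
    "Rare":           ["Low",    "Low",    "Medium",  "High",    "High"],
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

# (asset, impact, likelihood) copied from the Final Risk Registry; names shortened.
REGISTRY = [
    ("Availability/reliability of datacenter servers", "Major", "Likely"),
    ("Integrity of datacenter servers", "Minor", "Likely"),
    ("Confidentiality of datacenter servers", "Moderate", "Possible"),
    ("Climate monitoring and control devices", "Moderate", "Possible"),
    ("Availability/reliability of the server OS", "Major", "Almost certain"),
    ("Confidentiality of the server OS", "Catastrophic", "Almost certain"),
    ("Integrity/accountability of network security tools", "Major", "Possible"),
    ("Integrity of service logs", "Moderate", "Possible"),
    ("Confidentiality of source code", "Major", "Almost certain"),
    ("Confidentiality/integrity of data transfer channels", "Minor", "Possible"),
    ("Data posted on Donzel's social networks", "Major", "Likely"),
    ("Confidentiality/authenticity of user credential data", "Catastrophic", "Almost certain"),
]


def risk_level(impact: str, likelihood: str) -> str:
    """Look up the qualitative level for one impact/likelihood pair."""
    return MATRIX[likelihood][IMPACTS.index(impact)]


def risk_score(impact: str, likelihood: str) -> int:
    """Numeric score 1..25, used only to order entries that share a level."""
    return (IMPACTS.index(impact) + 1) * (LIKELIHOODS.index(likelihood) + 1)


def build_registry(entries=REGISTRY) -> List[Tuple[str, str, str, str, int]]:
    """Return (asset, impact, likelihood, level, score) rows, highest level first,
    then highest score; entries with identical keys keep their input order."""
    rows = [(a, i, lk, risk_level(i, lk), risk_score(i, lk)) for a, i, lk in entries]
    rows.sort(key=lambda r: (LEVEL_RANK[r[3]], r[4]), reverse=True)
    return rows


if __name__ == "__main__":
    for prio, (asset, impact, likelihood, level, score) in enumerate(build_registry(), 1):
        print(f"{prio:2d}. {level:8s} ({impact}/{likelihood}, score {score:2d})  {asset}")
```

Every level the script computes matches the registry (seven Extreme, four High, one Medium). The matrix does not decide the order inside one cell: the user credential data and the confidentiality of the server OS both sit at Catastrophic / Almost certain, and the report ranks the credential data first by judgment; the script simply keeps input order for such ties, so its numbering differs from the report's priorities there.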

Controls that can be applied

Columns: Critical asset (with the CIA property concerned) / Controls to improve security

Asset: The availability and reliability of the servers in the datacenter that are used to provide the service
Controls:
- Install anti-malware applications
- Install a stateless firewall to protect against flooding attacks
- Use access control lists (ACLs) to protect against flooding attacks
- Install a next-generation firewall
- Install backup servers off premise that are identical to the ones in use
- Automate and protect the climate control devices
- Increase the number of guards near the datacenter
- Secure the monitoring stations by separating them into different subnets, securing the entrances to the stations, and connecting the stations to a power generator in case of a power outage
- Ensure that the access doors to the datacenter are secured and used only by authorized people
- Use IDS and IPS

Asset: The integrity of the servers in the datacenter that are used to provide the service
Controls:
- Automate and protect the climate control devices
- Increase the number of guards near the datacenter
- Secure the monitoring stations by separating them into different subnets, securing the entrances to the stations, and connecting the stations to a power generator in case of a power outage
- Ensure that the access doors to the datacenter are secured and used only by authorized people

Asset: The confidentiality of the servers in the datacenter that are used to provide the service
Controls:
- Increase the security awareness of the employees
- Increase the number of guards near the datacenter
- Secure the monitoring stations by separating them into different subnets, securing the entrances to the stations, and connecting the stations to a power generator in case of a power outage
- Ensure that the access doors to the datacenter are secured and used only by authorized people

Asset: The availability, reliability, and accountability of climate monitoring and control devices (like temperature sensors, fans, cooling devices)
Controls:
- Monitor the devices
- Perform check-ups regularly
- Secure the monitoring stations by separating them into different subnets, securing the entrances to the stations, and connecting the stations to a power generator in case of a power outage
- Lock the door of the room that contains these devices and allow access to authorized personnel only

Asset: The availability and reliability of the operating system on the servers
Controls:
- Install anti-malware applications
- Install a stateless firewall to protect against flooding attacks
- Use access control lists (ACLs) to protect against flooding attacks
- Install a next-generation firewall
- Install backup servers off premise that are identical to the ones in use
- Use IDS and IPS

Asset: The confidentiality of the operating system on the servers
Controls:
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Apply a Zone-based Policy Firewall (ZPF)
- Allow access from remotely used devices only through a trusted VPN
- Increase the security awareness of the employees
- Apply a strong password policy
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers

Asset: The integrity and accountability of the network security tools (firewall, anti-malware, IDS, IPS)
Controls:
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers
- Use a packet sniffer to log and analyze the data transmitted between devices on the network

Asset: The integrity of the logs of the service
Controls:
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Apply a Zone-based Policy Firewall (ZPF)
- Back up the data
- Use a digital signature to ensure that the data was not changed

Asset: The confidentiality of the source code used in hosting the service
Controls:
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Apply a Zone-based Policy Firewall (ZPF)
- Encrypt transfer channels with secure protocols or VPNs
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers
- Use a packet sniffer to log and analyze the data transmitted between devices on the network
- Increase the security awareness of the employees
- Apply a strong password policy

Asset: The confidentiality and integrity of the data transfer channels
Controls:
- Apply a DMZ to the network
- Apply a Zone-based Policy Firewall (ZPF)
- Encrypt the data channels in use
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers
- Use a packet sniffer to log and analyze the data transmitted between devices on the network
- Increase the security awareness of the employees

Asset: The availability, integrity, and accountability of the data being posted on Donzel's social networks
Controls:
- Install a stateless firewall to protect against flooding attacks
- Use access control lists (ACLs) to protect against flooding attacks
- Install a next-generation firewall
- Back up the data in use onto off-premise database servers
- Increase the security awareness of the employees and users

Asset: The confidentiality and authenticity of the user's credential data (login information, payment method and information)
Controls:
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Apply a strong password policy
- Increase the security awareness of the users
- Add multiple authentication layers
- Encrypt all data sent from the user, and hash the passwords before saving them to the database

Recommended controls to protect customers
Protecting the customer includes protecting their data, as a person can be directly affected if their data were accessed, modified, or deleted.
- Install anti-malware applications
- Install a next-generation firewall
- Use IDS and IPS
- Apply a strong password policy
- Increase the security awareness of the users
- Add multiple authentication layers
- Reduce the number of people who can access the customers' data
- Encrypt all data sent from the user, and hash the passwords before saving them to the database
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers
- Use a packet sniffer to log and analyze the data transmitted between devices on the network
- Encrypt transfer channels with secure protocols or VPNs
- Back up user data onto off-premise servers

Recommended controls to protect business-critical data
- Install anti-malware applications
- Install a next-generation firewall
- Apply a DMZ to the network
- Apply a Zone-based Policy Firewall (ZPF)
- Use IDS and IPS
- Apply a strong password policy
- Increase the security awareness of the employees
- Add multiple authentication layers
- Encrypt all data before storing it
- Use AAA servers
- Monitor and log access requests using NetFlow, port mirroring with SPAN, or syslog servers
- Use a packet sniffer to log and analyze the data transmitted between devices on the network
- Encrypt transfer channels with secure protocols or VPNs
- Back up the business data onto off-premise servers
- Secure all on-premise devices, monitoring stations and access doors to both the datacenter and the offices
- Use trusted VPNs when connecting remotely to the company's network
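Two of the controls listed above, "hash the passwords before saving them to the database" and "apply a strong password policy", are easy to get wrong in practice: an unsalted fast hash is little better than plaintext once the database leaks. The Python code below is an added example and is not code from the report or from Warmaksan. It stores a per-user random salt, an iteration count and a PBKDF2-HMAC-SHA256 derived key instead of the password, verifies with a constant-time comparison, and hashes a throwaway value for unknown usernames so that login timing does not reveal which accounts exist. The iteration count, the record format and the in-memory "database" are assumptions.

```python
"""Salted password hashing (PBKDF2-HMAC-SHA256) with constant-time verification.

Added example, not the report's code. The database holds only
'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'; the plaintext is never stored.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: the order of magnitude OWASP recommends for PBKDF2-SHA256 (2023)
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password with a fresh random salt and return the storable record."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or bad integer
        return False
    return hmac.compare_digest(candidate, expected)


# Record for a throwaway value, verified whenever the username does not exist so that a
# login attempt costs the same time whether or not the account is real (assumption).
DUMMY_HASH = hash_password(os.urandom(16).hex())


def register(store: Dict[str, str], username: str, password: str) -> None:
    """Store only the hashed record for the user."""
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """True only if the user exists and the password matches its stored record."""
    stored: Optional[str] = store.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # burn the same work, then reject
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    db: Dict[str, str] = {}  # stands in for the user table (assumption)
    register(db, "alice", "correct horse battery staple")
    print(db["alice"])  # algorithm, iterations, salt and derived key; no password
    print(login(db, "alice", "correct horse battery staple"))
    print(login(db, "alice", "wrong password"), login(db, "mallory", "anything"))
```

Because the iteration count is stored with each record, it can be raised later and old records re-hashed on the user's next successful login without a migration. Registering the same password twice produces two different records, which is the point of the salt: an attacker who steals the table cannot use one precomputed table against every user.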

Data protection processes and regulations

Data is one of the most important assets in any system, as it contains all the work and achievements a company has produced, as well as data about the company's customers and users. Accordingly, the data must always be protected from any malicious action that might modify, delete, or access it. Therefore, data protection processes and regulations must be put in place to ensure its protection, which also includes the GDPR (General Data Protection Regulation), the law that protects personal data and gives control of it to the individuals the data relates to.
1) The system must be built on the assumption that the data it uses must be kept private and secured (privacy by design).
2) Processing of the data must be secured, so that no data can be captured while it is being processed.
3) No personal data should be processed unless one of the six lawful bases of GDPR Article 6 applies: consent, contract, public task, vital interest, legitimate interest, or legal obligation (legal requirement).
4) Encrypt data: use ciphers and encryption algorithms so that data can be transmitted between devices without unauthorized access, and use hashes where only a one-way check is needed, since a hash lets us verify that data was not changed and, for secrets such as passwords, lets us store a value from which the original cannot be recovered.
5) Backing up the data is one of the most common ways to protect it from modification or deletion, as you keep an extra, known-good copy; the backup must itself be protected and restore-tested, or it is no safer than the original.
6) Install anti-malware applications to ensure that no malware gains access to the data.
7) Install firewalls to filter malicious traffic on the network.
8) Monitor, log, and analyze the data being transferred to make sure it is not malicious and has no malicious intent behind it.
9) Use trusted VPNs for any transfer of very sensitive data and for remote access.
10) Hold security awareness sessions to make sure that employees do not fall for social engineering attacks.
11) Ensure the complete destruction of sensitive data after its use, whether it is physical or digital data.
12) Monitor physical access to devices that contain the data.
13) Maintain the devices that store the data to ensure that the data does not become corrupted or inaccessible.
14) Combine all of these processes and regulations to increase the protection of the data.
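Item 4 above (hashes used to ensure the data's integrity) and the control for the service logs in the controls table ("use a digital signature to ensure that the data was not changed") can both be met with a keyed hash chain over the log. The Python code below is an added example and is not from the report: each log line is appended with an HMAC-SHA256 tag computed over the previous tag and the line, so modifying, inserting or deleting a line breaks every tag after it, and the final tag is kept off the log host so that cutting lines off the end is detected too. The key, the sample log lines and the record format are constructed for the example.

```python
"""Tamper-evident service log: a chained HMAC on every line.

Added example, not the report's code. Assumption: the key lives on the
syslog/AAA host, not on the server writing the log, so a server-side
attacker can edit lines but cannot recompute valid tags.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # "previous tag" for the first line
SEP = " hmac="          # separates a log line from its tag

# Constructed sample data (not real Warmaksan logs or keys).
DEMO_KEY = b"constructed-demo-key-kept-off-the-log-host"
SAMPLE_LOG = [
    "2023-01-31T10:00:00Z login user=alice src=10.0.0.5 result=ok",
    "2023-01-31T10:00:07Z post user=alice id=42",
    "2023-01-31T10:01:12Z login user=bob src=10.0.0.9 result=fail",
]


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    """HMAC-SHA256 over (previous tag || line): chaining is what makes deletion visible."""
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal_log(lines: List[str], key: bytes) -> Tuple[List[str], bytes]:
    """Append a chained tag to every line; also return the final tag for off-host storage."""
    sealed, prev = [], GENESIS
    for line in lines:
        prev = _tag(key, prev, line)
        sealed.append(f"{line}{SEP}{prev.hex()}")
    return sealed, prev


def verify_log(sealed: List[str], key: bytes, expected_last_tag: Optional[bytes] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.
    A result of len(sealed) means the tail was truncated (only detectable when
    the expected final tag, stored elsewhere, is supplied)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        line, sep, tag_hex = entry.rpartition(SEP)
        if not sep:
            return i  # tag missing entirely
        try:
            stored = bytes.fromhex(tag_hex)
        except ValueError:
            return i  # tag not valid hex
        if not hmac.compare_digest(_tag(key, prev, line), stored):
            return i  # line or tag altered, or a line before it removed
        prev = stored
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return len(sealed)
    return -1


if __name__ == "__main__":
    sealed, last = seal_log(SAMPLE_LOG, DEMO_KEY)
    print("\n".join(sealed))
    print("intact:", verify_log(sealed, DEMO_KEY, last))
    edited = list(sealed)
    edited[1] = edited[1].replace("id=42", "id=43")
    print("edited line:", verify_log(edited, DEMO_KEY, last))
    print("middle line deleted:", verify_log(sealed[:1] + sealed[2:], DEMO_KEY, last))
    print("tail cut off:", verify_log(sealed[:-1], DEMO_KEY, last))
```

The check that matters in operation is the last one: without the externally stored final tag, a truncated log still verifies cleanly, so the tag must be forwarded (for example with each syslog batch) rather than kept beside the log it protects. A real digital signature over the final tag would add non-repudiation on top of this; HMAC alone only proves the key holder produced the chain.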

IT Security Audit

The IT security audit compares the IT security of a certain company with the IT security that the
company should have, and consequently defining whether the IT security within a company has
any flaws or if it is secure enough against malicious attacks that might threaten the company.
This audit can improve the reputation of the company, save it money, and protect the users of the
company’s service. Therefore, here is an analysis of the IT security and its impact on the
company according to the data gathered from the security check.
IT Security Analysis

Physical components: The security of the physical components within the company is very poor,
and although there are monitoring stations, they are easily exploitable, which means any person
can disable them and get access to physical components without being held accountable.
Furthermore, the datacenter, where the servers used to provide the service are located, can be
easily accessed, and the temperature and humidity of the datacenter are not monitored and
controlled correctly. Moreover, there are no regulations and controls set to protect the employee
devices, which can give access to other devices within the system.

Applications and software components: There is little to no anti-malware or firewall software
set up to protect the assets of the company. Additionally, no regulation has been set to keep the
software being used up to date on patches that can increase the security of the software. The
password policy has issues that need to be fixed to reduce the access to systems that use
passwords as their only authentication layer.

Network vulnerabilities: The data being transferred is not being encrypted to ensure its
protection. Furthermore, there are few network security devices set up to make sure that the
data being received and sent is filtered and safe from any malicious actions.

Human Dimension: The employees and users are not regularly informed and educated on the risks
that can lead to the loss of business assets, which can occur if the employee or the user is not
careful about their actions.

Accountability: The only monitoring regulation that has been set is the monitoring stations,
which are very insecure.

Security Audit impact

The combination of all the IT security flaws will affect the usage of the service provided by the
company and the work of the company itself.

The lack of physical protection can lead to access to much of the company's hardware, which can
lead to access to the data being stored on the hardware and to how the data is processed. This
can cause the company to lose a lot of money retrieving the data, fixing its processing, and
dealing with the consequences of sensitive data being spread.

Furthermore, the lack of security software, the lack of updates, and the poor security policies
will lead to many vulnerabilities that can be exploited and affect the company's assets.

In addition, the data that is being stored and transferred is not encrypted, which means access
to the system can allow the attacker to get access to the data without any problems.

Moreover, if the employees and users are not aware that they play a great role in the security of
the data of both the company and the users, then they are very likely to fall for common attacks
by malicious attackers.

Lastly, the lack of accountability for the actions of employees, users, and attackers means that
no person can be blamed for the loss of any of the assets. Therefore, the blame will fall on the
company in the end, which will cost it a lot of money.

All these impacts are going to further impact the company as it goes ahead with its project of
partially moving its primary system to the cloud.

Risk Assessment Procedure

Security Risk Assessment Approach: Combined approach of both the detailed (formal) and
informal approaches
Acceptable Risk Level: Low
Risk Assessment Type: Qualitative Risk Assessment
Risk Assessment Process (in steps):
1. I gathered information to build a context with which I can understand the system, its
components, and the set controls.
2. I defined the critical assets of the company that relate to its planned project.
3. I connected the set controls I gathered in the first step with the critical assets.
4. I determined the threats/vulnerabilities that can affect the critical assets.
5. I assessed the critical assets, set controls, and threats/vulnerabilities to produce the
likelihood of the risks that threaten the company by using the detailed analysis and confirming
it with my experience with security systems.
6. I measured the impact of the risks that will affect the company if they were to occur by
analyzing the critical assets and their threats/vulnerabilities in detail.
7. According to the likelihood and the impact, I was able to determine the risk level of each
critical asset and the priority of protecting it.
8. Based on the detailed analysis and my experience with security systems, I was able to
produce controls and countermeasures that can be applied to secure the critical assets of the
company.

Benefits of the Appropriate Risk Management Approach and System

The way the risk assessment is conducted is important to the outcome of the risk assessment, which
in turn determines the security procedures that need to be implemented to protect the
system from any risks.
Different risk assessment approaches can be combined to take the best of each. In our case,
the combined approach of the detailed approach and the informal approach can help produce a
detailed, analyzed risk assessment that is as secure as possible, while also confirming this risk
assessment with my own knowledge and experience, which can either improve the risk
assessment further or help me in building up my knowledge.
On the other hand, the ISO 31000 Enterprise Risk Management System provides
recommendations and plans that will help improve the risk assessment. This risk management
system is comprehensive and is integrated within all aspects of the organization's operations.
Additionally, the system is continually improved based on the best data and knowledge
available. Consequently, by using this risk management system the company can rival other
companies in the industry, which will make the company more trustworthy to sponsors and users.
Furthermore, it will prepare the company against the worst possibilities by increasing the
effectiveness and security of the operations and of the employees that are performing these
operations. Thus, the company will be more successful in performing its planned project and in
achieving its goals.

Policy Misalignment

The policy used influences the actions and decisions taken within the organization, and it is
constantly being changed to improve the decisions taken and the actions made. However, if the
actions and decisions are misaligned with the IT security policy set, the company will be affected
negatively. Such impacts include:
 Different actions/decisions in different areas of the system that are not aligned with the
policy, can lead to these actions/decisions conflicting with each other, which will cause
the system to have vulnerabilities that can be exploited. For instance: vulnerabilities
might emerge when two incompatible pieces of software are used. This exploitation of
vulnerabilities can cost the company a lot of time and money to deal with its
consequences.
 If each supervisor takes a different decision, the employees that work under them will be
confused about which decision to follow, the output of their work will be of poor quality,
and thus the system will be less efficient and less secure. An employee who must choose
between two options and fails to do one of them will be stressed about what to do and how to
do it.
 If the policy is misaligned, any compliance obligation towards other companies or organizations
might lead to voiding the contract between the two companies and/or our company
getting sued for this misalignment.
 A decision misaligned with the IT security policy might result in decisions that the
consumer(s) will find unattractive and therefore reduce the reputation of the company.
 A misalignment in an action taken after a breach in the security might result in further
damage to the system and the consumers of the company.
Therefore, the policy must be followed and maintained in order to avoid the impacts mentioned
above. This can be done by:
 Providing the policies to all employees and executives in the company, when they enter
the company and every time a change has been made to the policy.
 Ensure that the employees and executives read the policy by informing and reminding
them to read it.
 Confirm that all the employees and executives can understand the policy and that it can
be understood by new employees who don’t know a lot about the company’s departments
and general information.
 Verify that all the employees and executives have agreed to the policies without any
special cases and if they were to break it, they will be held responsible.
 Make sure that the policy is followed by all employees and executives without any
exceptions and that it is enforced on all the employees and executives in all departments
of the company.

Security Policy Design

Due to the upcoming project that the company is going to go through, a security policy needs to
be set in place to ensure that the process and outcome of the project goes as smoothly as possible
while also being secure.
Policy Introduction

Included Policies and the justification for each:

Office Building Entrance Policy: This policy ensures that the people who enter the office
building have authorization to do so.
Office Room Policy: This policy makes sure that the office room is secure and cannot be used to
threaten any of the company's assets.
Datacenter Policy: This policy confirms that the datacenter is safe from any risks.
Remote Access Policy: This policy ensures that the remote workers are connecting and working on
their job securely.
Applications Policy: This policy ensures that the applications being used on the devices are
safe to use and don't pose any harm to any of the company's assets.
Password Policy: This policy makes sure that the passwords used to log in to the system by
either the employees or the customers are difficult to obtain, and thus that gaining access to
confidential data through them is difficult.
Disaster Recovery Plan Policy: The DRP policy is needed to make sure that the recovery plan is
implemented correctly and there are no misunderstandings that could lead to further damage
than before.
Backup Policy: Backup is crucial to save a copy of important data in case the original data is
lost or corrupted.
Documentation Policy: The documentation is needed to ensure that the recovery plan can be
understood easily and implemented without any problem.
VPN Policy: The VPN is important for hiding the real IP address and for encrypting the data when
connecting to the company's network. This policy makes sure that the VPN is used how it is
supposed to be used.
Firewall Policy: This policy makes sure that the firewall is set up correctly and therefore that
the data received is filtered and is not harmful to the system.
Cloud Policy: This policy ensures that the cloud, which is going to host a part of the company's
system, is set up correctly so that it is secure and is easily accessible by both the employees
and the customers.

Included Policies and their sub-policies:

Office Building Entrance Policy
 All people who enter need to be frisked before entering.
 Any person who needs to enter for repairs needs to have formal permission.
 Employees need to use their ID card to enter.
 Employees need to use a biometric scanner for authentication.

Office Room Policy
 The desk must be clear of any paper with confidential information.
 Computers need to be locked if no one is using them.
 Glass doors/windows need to have reflectors on the outside.
 The door to the room needs to have a biometric scanner for access control.

Datacenter Policy
 No technician can enter without permission.
 Entrance requires an access card as well as a biometric scan.
 Temperature and humidity control devices' settings should not be changed.
 Server cables should be inaccessible unless with a key.
 Cables in the datacenter should be organized for ease of finding and maintenance.

Remote Access Policy
 Remote access should be done through an encrypted channel.
 Only one person should be able to connect per encrypted channel.
 Connecting to the remote access channel should require a password.

Applications Policy
 Only work applications can be installed on devices.
 Install work applications using trusted sources.
 Only licensed/free applications should be used for work.
 Applications should always be up to date with the new patches.

Password Policy
 Passwords should be 8 characters or more.
 Passwords should include a mix of uppercase and lowercase letters.
 Passwords should include a mix of letters, numbers, and symbols.
 Passwords should be changed every month.
 New passwords should be different from already used passwords.
 Saving of passwords on paper or in unencrypted files is strictly forbidden.

Disaster Recovery Plan (DRP) Policy
 The DRP team is responsible for planning the DRP process and helping in implementing it in
disaster scenarios.
 The recovery time objective (RTO) should be set to determine the time needed to solve the
disaster and for the company to go back to running normally.
 The recovery point objective (RPO) should be set to define the maximum amount of data that can
be lost in a disaster scenario and to anticipate the impact on the company.
 DRP automation should be set up to reduce the time and energy spent on the recovery and
decrease the number of human errors that might occur.

Backup Policy
 Data should be backed up regularly.
 The backup should have a copy on site for ease of access and off site in case of physical
damage.
 Apply redundancy to each copy of the backups using RAID technology.
 Clean up data that is not used from backups.
 Ensure that the backups are not accessible by employees who don't need to have access to them.
 Secure the backup using firewalls and anti-virus software.
 Verify data before backup to filter out any harmful data.

Documentation Policy
 DRP documentation should be easy to read and understand.
 The documentation should walk through each process in the DRP in detail.
 Documentation needs to be accurate and reviewed.
 Documentation needs to be up to date with any change to the DRP.

VPN Policy
 Only trusted VPNs should be used.
 The VPN should be configured and set up correctly on all devices.
 The VPN should be up to date on the latest patch.
 The VPN should require a password to connect.
 VPN channels should be as secure as possible.

Firewall Policy
 The firewall should be correctly configured.
 The firewall should be up to date with new vulnerabilities and attacks.
 The firewall should be on at all times on every device.

Cloud Policy
 The cloud servers should be compatible with the service provided.
 The cloud subscription should be from a trusted provider.
 The cloud servers should have enough performance to handle the service's requests and
processing.
 The cloud should only be accessible by employees who handle the cloud system.
 The cloud servers should be updated and secured against any risks.

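The Password Policy above is concrete enough to be enforced in code. The following is an added example, not code from the report, that checks a proposed password against every rule of that policy: length, character mix, monthly rotation, and no reuse. Previous passwords are kept only as salted SHA-256 digests, since the policy forbids storing passwords unencrypted; the 30-day rotation period and the shape of the history list are assumptions.

```python
import hashlib
import os
import string
from datetime import date, timedelta

ROTATION = timedelta(days=30)  # "changed every month", assumed here to mean 30 days


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 of the password; the history stores only these digests."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def check_composition(password: str) -> list:
    """Return the composition rules the password violates (empty list = passes)."""
    failures = []
    if len(password) < 8:
        failures.append("at least 8 characters")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        failures.append("mix of uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        failures.append("at least one number")
    if not any(c in string.punctuation for c in password):
        failures.append("at least one symbol")
    return failures


def is_reused(password: str, history: list) -> bool:
    """True if the password matches any (salt, digest) pair in the history."""
    return any(hash_password(password, salt) == digest for salt, digest in history)


def validate_new_password(password: str, history: list) -> list:
    """All policy violations for a proposed new password, reuse included."""
    failures = check_composition(password)
    if is_reused(password, history):
        failures.append("must differ from previously used passwords")
    return failures


def remember(password: str, history: list) -> list:
    """Append the new password's salted digest to the history (never the password)."""
    salt = os.urandom(16)
    return history + [(salt, hash_password(password, salt))]


def rotation_due(last_changed: str, today: str) -> bool:
    """Monthly rotation check on ISO dates, e.g. rotation_due("2023-01-01", "2023-01-31")."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) >= ROTATION
```

Returning the full list of failures, rather than stopping at the first, lets the user fix everything in one attempt, which matters when a rule such as reuse can only be checked after the others pass.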
Tools used within the policy and the evaluation of each tool:

VPN: The VPN will make sure that all the IP addresses used are hidden, and it will act as an
encrypted connection channel that will allow the user to communicate safely.
Firewall: The firewall will reduce the amount of harmful traffic that enters the
network/devices and therefore reduce the number of incidents that may occur.
Anti-virus: The anti-virus will make sure that no harmful applications/processes are running on
any device, which makes the devices more secure to use.
RAID technology: RAID technology will make sure that the data is redundant and thus reduce the
data corruption incidents and increase the integrity of the data.
Biometric scanners and access cards: The access cards will ensure that no one without the card
can enter the office building or the datacenter. The biometric scanner will further secure the
entrance and will authenticate the holder of the card.
DRP automation: The DRP automation will back up data, notify the DRP team, and do other
processes that will help in dealing with the disaster. This can help in increasing the efficiency
of the DRP and in reducing the impact of the disaster. Also, the automation will always be
activated and ready for any disaster to happen.
Cloud: The cloud will allow us to host the service on servers off premises, so that the company
won't have to maintain them.

Roles of Stakeholders

In order to ensure that the security within the company is set in place and that it is protecting the
company from the impacts that the risks will cause if the risks were to occur, multiple
stakeholders have to work together to achieve that. These stakeholders will range from
management to employees with different jobs. Each one of these stakeholders will have a role to
play in the security audit recommendations and implementation. Here is how different
stakeholders affect the security audit:
 Management: Verify that the implementation of the security is completed on time and
that the resources and requirements needed for the implementation of the security audit
are prepared and ready to be used whenever needed.
 IT Officers: Perform the implementation of the security audit recommendations and
ensure that it doesn't interfere with any of the system's processes and performance.
 Risk Owners: They work with management and IT in order to confirm that the risks
identified in the security audit are mitigated and that the system is less likely to be
threatened by them.
 Security Officers: They make sure that the physical premises are secure against any
unauthorized physical access. Most importantly, they ensure that the on-premise datacenter is
secure and that no unauthorized access to it has been made.
 Compliance Officers: They make sure that the organization and the rest of the
stakeholders are compliant with the security audit recommendations and that no misalignment is
happening.
