Unit 5 Security
Pearson Higher Nationals in Computing, Unit 5: Security
Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late submissions will not be
accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be accepted for failure
to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in
writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to
complete an alternative assignment.
8. Take great care that if you use other people's work or ideas in your assignment, you properly reference them,
using the Harvard referencing system, in your text and in any bibliography; otherwise you may be guilty of
plagiarism.
9. If you are caught plagiarising you could have your grade reduced to a REFERRAL or, at worst, you could be
excluded from the course.
I hereby declare that I know what plagiarism entails, namely to use another's work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another's work.
Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.
EMC's central data center facility is located in Colombo, Sri Lanka, along with its corporate head office in
Bambalapitiya. The Bambalapitiya premises are a six-storey building: the first floor is dedicated to sales and
customer services and is equipped with a public Wi-Fi facility; the second floor hosts the HR, Finance and
Training & Development departments; the third floor hosts the boardroom and offices for senior executives
along with the IT and data center department; and floors 4, 5 and 6 host the computer servers that make up
the data center.
With the rapid growth of information technology in the Kandy area in recent years, EMC sees an opportunity to
extend its services to Kandy, Sri Lanka. As yet the organization is still considering the nature of such an
extension: what to implement, where a suitable location would be, and other essential matters such as
security are currently being discussed.
You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system and provide recommendations on security and reliability related
improvements of its present system as well as to plan the establishment of the extension on a solid
security foundation.
Activity 01
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed
in section (1.1) by assessing and treating the risks.
Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/incorrect configurations which
are applicable to firewalls and VPN solutions.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ
ii) Static IP
iii) NAT
2.3 Discuss the benefits of implementing network monitoring systems.
Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself and its
clients.
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage
solutions provided by EMC Cloud. You may also highlight the ISO 31000 risk management methodology.
Activity 04
4.2 Develop and present a disaster recovery plan for EMC Cloud for all its venues to ensure maximum
uptime for its customers (the student should produce a PowerPoint-based presentation which illustrates the
recovery plan within 15 minutes, including justifications and reasons for the decisions and options
used).
1.1
Introduction
EMC is a well reputed cloud solution provider in Sri Lanka. EMC currently provides its services to an SME
bank in Sri Lanka and to the WEEFM Company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its
customers and has roughly five hundred customers. The head office of EMC is situated in Bambalapitiya, in a
six-storey building. The first floor is dedicated to customer services; the second floor houses HR, Finance
and the Training department; the third floor houses the IT and data center department; and floors four, five
and six hold the computer servers. Unfortunately, the company currently has no proper security system, either
physical or computerized. A security system is a highly important feature of a company, because without one
the company is exposed to various kinds of risk. Given the current situation of EMC Cloud Solutions, there is
effectively no security system at all.
There are four types of cloud deployment that can be chosen according to the organization's needs:
1. Public Cloud
2. Private Cloud
3. Hybrid Cloud
4. Community Cloud
Cloud computing provides various advantages, such as improved collaboration, excellent accessibility,
mobility, storage capacity, etc. But there are also security risks in cloud computing.
Some of the most common security risks of cloud computing are given below.
Data Loss
Data loss is the most common security risk in cloud computing. Data loss is the process in which data is
deleted, corrupted or made unreadable by a user, software or application (it is distinct from data leakage,
in which data is disclosed to the wrong party). In a cloud computing environment, data loss occurs when
sensitive data is in somebody else's hands, when one or more data elements cannot be used by the data owner,
when a hard disk is not working properly, or when software is not updated.
Insecure interfaces and APIs
As cloud computing depends completely on the Internet, it is essential to protect the interfaces and APIs
that are used by external users. APIs are the easiest way to communicate with most cloud services. In cloud
computing, a few services are exposed publicly. These services can be accessed by third parties, so there is
a chance that they can be attacked and compromised by hackers.
Data Breach
A data breach is the process in which confidential data is viewed, accessed or stolen by a third party
without any authorization, so that the organization's data ends up in the hands of hackers.
Vendor lock-in
Vendor lock-in is one of the biggest risks in cloud computing. Organizations may face problems when
transferring their services from one vendor to another. Because different vendors provide different
platforms, moving from one cloud to another can be difficult.
Migrating, integrating and operating cloud services is complex for IT staff. IT staff need extra capability
and skills to manage, integrate and maintain data in the cloud.
Spectre & Meltdown
Spectre and Meltdown are hardware vulnerabilities that allow a program to read data currently being processed
on the computer. They affect personal computers, mobile devices and cloud servers alike. An attacker can use
them to read passwords and personal information such as images, emails and business documents held in the
memory of other running programs.
Denial of service (DoS)
Denial of service (DoS) attacks occur when a system receives so much traffic that the server is overwhelmed.
DoS attackers mostly target the web servers of large organizations such as banks, media companies and
government bodies. Recovering from a DoS attack and restoring the service costs the victim a great deal of
time and money.
Account hijacking
Account hijacking is a serious security risk in cloud computing. It is the process in which an individual's
or organization's cloud account (bank account, e-mail account or social media account) is stolen by hackers.
The hackers then use the stolen account to perform unauthorized activities.
Vulnerabilities are the weaknesses that allow a risk to materialize. Every company is exposed to
vulnerabilities, which is why many users and network professionals try to protect their computer systems by
keeping software security patches up to date. (https://www.hq.nasa.gov)
Threats to a company can come from inside the company or from outside it; most threats come from outside.
Threats are the potential for a vulnerability to turn into an attack on a computer system, a network or more.
They can put individuals' computer systems and business computers at risk. According to Getcybersafe.gc.ca,
some of the common threats are hacking, malware, spam, phishing and botnets. (https://www.researchgate.net)
Assets are the resources that a company has; a company normally measures its profit from its remaining
assets. Assets are resources with an economic value that an individual, corporation or country owns with the
expectation that they will provide a future benefit. (https://www.investopedia.com)
Risks are the adverse situations that may happen to a business in the near future. Basically, risks are
defined as the negative outcomes of external and internal vulnerabilities.
A probability or threat of damage, injury, liability, loss or any other negative occurrence that is caused by
external or internal vulnerabilities is known as a risk. (https://www.paperdue.com)
In a business, risks are defined as the negative outcomes of external and internal vulnerabilities, for
example the possibility of damage to the business, an increase in liabilities or a loss. When we look at EMC,
there are various kinds of risk that can affect the company because there is no proper security system.
1. Physical damage
Physical damage means damage to physical property. EMC has no physical security system, so the likelihood of
damage to its property is high. When a company suffers physical damage it causes a huge loss, because the
property the company uses is damaged and afterwards the company cannot perform as well as it did in the
past. (https://warframe.fandom.com)
2. Equipment malfunction
Equipment malfunction here means that when computers and other electronic equipment have no antivirus
protection they become infected by viruses and gradually malfunction. Without any security, equipment
malfunction is therefore another risk to EMC. (http://fixcleanerpc2017.com)
3. Misuse of data
Misuse of data is a result of the lack of a security system, and it causes serious harm to the company: the
value of the company's assets falls, and sometimes the company can even go bankrupt for this reason. Misuse
of data therefore affects the company severely. (https://blog.ssa.gov/)
4. Loss of data
Loss of data is another risk that can affect the company when there is no security, for example when people
commit fraud against the business. Data loss is any process or event that results in data being corrupted,
deleted or made unreadable by the user. (https://www.investopedia.com)
Procedures and policies are the rules and regulations that every company implements for its security, to
avoid various types of fraud and so on. These procedures and policies should be obeyed by both employees and
employers. The other reason to implement rules and regulations is to keep the business going into the
future. Likewise, EMC should implement various procedures to minimize its risks. The risks listed above are
some of those faced by EMC.
Taking the first risk in the list, to reduce the physical damage that can happen to physical property we can
use a good security system, but basically the best method is to maintain a
For the second risk in the list, equipment malfunction, we can implement a new procedure called the regular
inspection procedure. To implement it we create an inspection schedule and inspect our equipment on a
regular basis according to that schedule; this reduces equipment malfunction. (https://www.osha.gov)
The third risk EMC faces is data misuse. To avoid it we create a new procedure called the monitor user
actions procedure, which is one of the best ways to avoid data misuse. It is very important to monitor the
actions of users who work with sensitive information. Misuse of such data can expose the organization to
very costly damage control, huge losses and even potential lawsuits. Users with high privileges pose an
additional threat. Reducing data misuse is therefore very important to EMC.
(https://docs.oracle.com/cd/)
To reduce the risk of data loss we can back up every item of data we enter into the computers. When a
company reduces its risk of data loss it can also expand its business, because it can learn from the past
situations it has faced. (https://www.investopedia.com)
5. For a company to survive over a long period we have to maintain it in a good manner. So we have to
protect the company from security breaches, data loss, cyber-attacks, system failures and natural
disasters. To manage those risks there is a risk management process. The risk management process means
monitoring and managing potential risks in order to minimize the negative impact they may have on an
organization. An effective risk management process will help identify which of these risks (security
breaches, data loss, cyber-attacks, system failures and natural disasters) pose the biggest threat to the
organization and provide guidelines for handling them. To carry out the risk management process
effectively there are three steps. They are,
7. Risk Evaluation – After the risk assessment or analysis has been completed, a risk evaluation should
take place. A risk evaluation compares the estimated risk against the risk criteria that the organization
has already established. Risk criteria can include associated costs and benefits, socio-economic
factors, legal requirements and system malfunctions.
8. Risk Treatment and Response – The last step in the risk management process is risk treatment and
response. Risk treatment is the implementation of policies and procedures that will help avoid or
minimize risks. Risk treatment also extends to risk transfer and risk financing.
When risks occur to the company we have to minimize or avoid them, and to do so we have to use certain
strategies. Using strategies to avoid or reduce risks is known as risk treatment. Specific treatment
strategies can be created to treat specific risks that have been identified. Treatment strategies may differ
depending on the risk context.
Purpose of risk treatment – The purpose of risk treatment is to reduce, remove or transfer risk from the
company. It is often better for a company to plan ahead and prevent a risk from occurring than to take the
chance and face that risk. Planning ahead can save a company a lot of time and money, because some risks may
prove very damaging to a business. There are two main types of risk treatment:
Avoidance strategies – These tactics seek to stop a potential risk from happening or impacting on the
company at all. The main subdivisions of the avoidance group are transfer and change.
Minimization strategies – These tactics seek to reduce the influence of a risk on a product or
organization so that as little damage as possible is done. Reduction tactics are frequently used when
avoidance strategies are not possible or have already failed.
(https://www.investopedia.com)
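The evaluation-then-treatment steps above can be made concrete with a small risk register. The following is an added example written for this page, not part of the original report: the four EMC risks from section 1.1 are scored on a likelihood/impact matrix, compared against criteria the organization is assumed to have set (the accept and must-avoid thresholds, and which risks an insurer would cover), and assigned a treatment of accept, reduce, transfer or avoid. The scores, thresholds and control names are assumptions for illustration.

```python
"""Added example, not part of the original report: a risk register for EMC
evaluated against predefined criteria, following the evaluation-then-treatment
steps described above. Likelihood/impact scores, thresholds and the list of
transferable risks are assumptions for illustration."""

# Treatment options the text describes: avoid, reduce (minimize), transfer,
# plus accept for risks that fall below the organization's threshold.
TREATMENTS = ("avoid", "reduce", "transfer", "accept")


def score(likelihood: int, impact: int) -> int:
    """Qualitative risk score on a 1-5 x 1-5 matrix (1 = lowest, 25 = highest)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def evaluate(risk: dict, criteria: dict) -> dict:
    """Compare a scored risk against the organization's criteria and pick a treatment.

    criteria = {"accept_below": int,        # scores under this are accepted as-is
                "must_avoid_from": int,     # scores at or above this cannot just be reduced
                "transferable": set}        # risk names an insurer or contract can carry
    """
    s = score(risk["likelihood"], risk["impact"])
    if s < criteria["accept_below"]:
        treatment = "accept"
    elif s >= criteria["must_avoid_from"]:
        # Severe risks: transfer where that is possible, otherwise avoid the activity.
        treatment = "transfer" if risk["name"] in criteria["transferable"] else "avoid"
    else:
        treatment = "reduce"
    return {"name": risk["name"], "score": s, "treatment": treatment, "control": risk["control"]}


# Constructed register: the four risks identified for EMC, with the proposed procedures as controls.
EMC_REGISTER = [
    {"name": "physical damage",       "likelihood": 3, "impact": 5, "control": "physical access control and property damage claim procedure"},
    {"name": "equipment malfunction", "likelihood": 4, "impact": 3, "control": "regular inspection procedure"},
    {"name": "misuse of data",        "likelihood": 3, "impact": 4, "control": "monitor user action procedure"},
    {"name": "loss of data",          "likelihood": 2, "impact": 5, "control": "scheduled backups"},
]

# Constructed criteria: assumed to have been agreed by EMC management beforehand.
EMC_CRITERIA = {"accept_below": 6, "must_avoid_from": 15, "transferable": {"physical damage"}}


def treatment_plan(register=EMC_REGISTER, criteria=EMC_CRITERIA) -> list:
    """Evaluate every risk and order the plan by score, highest first (stable for ties)."""
    plan = [evaluate(r, criteria) for r in register]
    return sorted(plan, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in treatment_plan():
        print(f"{row['name']:<22} score={row['score']:>2}  {row['treatment']:<8} via {row['control']}")
```

The point of separating `score` from `evaluate` is that the criteria, not the analyst's judgement on the day, decide the treatment; changing the thresholds re-evaluates the whole register consistently.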
EMC also faces many risks: physical damage, equipment malfunction, data misuse and data loss. For these
kinds of risk there are many treatments or procedures that can be implemented to overcome them, such as the
property damage claim procedure, the regular inspection procedure,
Activity 02.
2.1 Potential impact to the organization when there is an improper firewall system and
VPNs.
Many reputable IT companies install a firewall system on their servers because it acts as a security system
that protects important information. Broadly, a firewall is software (or a dedicated device) that prevents
unauthorized access to or from a private network. Access from an unauthorized network or from another
private network is a risk to the company, because all internal information could be taken through it, so to
prevent this most companies use a firewall. Firewalls are tools that enhance the security of computers
connected to a network. A firewall separates our computer from the Internet with a "wall of code" that
inspects each packet as it arrives. Firewalls have various abilities; the main one is that they enhance
security by enabling granular control over which types of traffic and system functions are allowed. Some
people think of a firewall only as a system that controls the traffic passing through the network, but it is
precisely by controlling that traffic that a firewall prevents unauthorized access to network systems. These
are the things a firewall system normally does (https://www.fieldengineer.com/):
Defend resources
Validate access
Manage and control network traffic
Record and report on events
Act as an intermediary
A firewall policy is the set of rules that tells the firewall which traffic to allow and which to block, and
it is what makes the firewall manageable. The firewall itself is an application designed to control the flow
of Internet Protocol (IP) traffic. A firewall policy also specifies the types of firewall and the firewall
architecture used. There are various types of firewall; they are
Packet filters
Proxy servers
Application gateways
Proxy servers: A proxy service is an application that redirects users' requests to the real services based
on the organization's security policy. All communication between a user and the actual server passes through
the proxy server, so the proxy server acts as a communications broker between clients and the real
application servers. Because it acts as a checkpoint where requests are validated against specific
applications, a proxy server is usually processing-intensive and can become a bottleneck under heavy traffic.
Application gateways: An application gateway is a proxy server that offers access control at the application
layer. It acts as an application-layer gateway between the protected network and the untrusted network.
Because it works at the application layer it is able to examine traffic in detail and is therefore often
considered the most secure type of firewall. It can stop certain applications, such as FTP, from entering
the protected network. It can also log all network activity per application for both accounting and
security audit purposes. (https://docs.microsoft.com/)
When we browse or search over a network, our web traffic is exposed to snooping, interference and
censorship. To avoid this we can use a VPN (virtual private network). A VPN is a secure tunnel between two or
more devices that protects web traffic from snooping, interference and censorship. A VPN uses data
encryption and other security mechanisms to prevent unauthorized users from accessing data, and to ensure
that data cannot be modified without detection as it flows through the Internet. It then uses tunnelling to
transport the encrypted data across the Internet. Tunnelling is a mechanism for encapsulating one protocol in
another. In the context of the Internet, tunnelling allows protocols such as IPX, AppleTalk and IP to be
encrypted and then encapsulated in IP. Similarly, in the context of VPNs, tunnelling disguises the original
network-layer protocol by encrypting the packet and enclosing the encrypted packet in an IP envelope. This IP
envelope, which is an ordinary IP packet, can then be transported securely across the Internet. At the
receiving side the envelope is removed and the data it contains is decrypted and delivered to the
appropriate access device, such as a router. (https://www.vpnsecure.me/)
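The encrypt, encapsulate, decapsulate and "detect modification" steps described above can be seen end to end in the following added example, which is not code from the original report and not from any real VPN product. It models a tunnel between two gateways using only Python's standard library: the inner packet (header included) is encrypted with a keystream derived from HMAC-SHA256 used as a PRF in counter mode, an integrity tag over the outer addresses, nonce and ciphertext is attached (encrypt-then-MAC), and the receiver checks the tag before decrypting. The gateway addresses, inner packet and shared secret are constructed; real VPNs such as IPsec use standardized ciphers and key exchange rather than this teaching construction.

```python
"""Added example, not from the original report: a toy VPN tunnel that encrypts
an inner packet, attaches an integrity tag and wraps the result in an outer
"IP envelope" between two gateways. Standard library only; the cipher is a
PRF-based keystream and is a teaching model, not IPsec. Addresses and the
shared secret are constructed."""
import hashlib
import hmac
import json
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block i = HMAC(key, nonce || i). A nonce must never be reused with a key."""
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def derive_keys(shared_secret: bytes) -> tuple:
    """Derive independent encryption and authentication keys from one shared secret."""
    enc = hmac.new(shared_secret, b"tunnel-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"tunnel-mac", hashlib.sha256).digest()
    return enc, mac


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: dict, enc_key: bytes, mac_key: bytes,
                outer_src: str, outer_dst: str, nonce: bytes = None) -> dict:
    """Encrypt the whole inner packet (its header included) and wrap it in an outer packet."""
    nonce = nonce if nonce is not None else os.urandom(16)
    plaintext = json.dumps(inner, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag also covers the outer addressing, so a relabelled envelope is rejected.
    assoc = f"{outer_src}>{outer_dst}".encode()
    tag = hmac.new(mac_key, assoc + nonce + ciphertext, hashlib.sha256).digest()
    return {"src": outer_src, "dst": outer_dst, "proto": "tunnel",
            "nonce": nonce, "payload": ciphertext, "tag": tag}


def decapsulate(outer: dict, enc_key: bytes, mac_key: bytes) -> dict:
    """Verify the tag first; only then decrypt and hand back the inner packet."""
    assoc = f"{outer['src']}>{outer['dst']}".encode()
    expected = hmac.new(mac_key, assoc + outer["nonce"] + outer["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, outer["tag"]):
        raise ValueError("integrity check failed: packet modified or forged in transit")
    plaintext = _xor(outer["payload"], _keystream(enc_key, outer["nonce"], len(outer["payload"])))
    return json.loads(plaintext.decode())


def demo() -> dict:
    """Round-trip one packet between two gateways, then show a tampered copy being rejected."""
    enc, mac = derive_keys(b"constructed-shared-secret")
    inner = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 443, "data": "GET / HTTP/1.1"}
    outer = encapsulate(inner, enc, mac, outer_src="203.0.113.1", outer_dst="198.51.100.1")
    recovered = decapsulate(outer, enc, mac)

    tampered = dict(outer)
    flipped = bytearray(outer["payload"])
    flipped[0] ^= 0x01                       # a single bit changed on the wire
    tampered["payload"] = bytes(flipped)
    try:
        decapsulate(tampered, enc, mac)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"roundtrip_ok": recovered == inner,
            "inner_header_hidden": b"10.1.0.5" not in outer["payload"],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real VPNs: the inner addresses are invisible on the wire because the whole inner packet, header and all, is inside the encrypted payload, and the integrity tag is checked before any decryption so a modified or forged envelope is dropped without being processed.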
A VPN policy is a set of rules that defines how the secure tunnel is to be used, so that the tunnel is easy
to manage. The VPN itself is designed to protect web traffic from snooping, interference and censorship. The
VPN policy also specifies the types of VPN and the VPN architecture used. There are various types of VPN;
they are
EMC is a well reputed cloud solution provider in Sri Lanka. EMC provides its services to an SME bank in Sri
Lanka and to the WEEFM Company, offering SaaS, PaaS and IaaS to its customers. EMC also does business with
other countries, and when carrying out those transactions firewalls and VPNs are two essential pieces of
software to install. When transacting over networks the network system can be attacked by unauthorized
parties, and other private networks can also attack it. If the network is compromised, attackers can obtain
important information about EMC, and competitors in particular could exploit it. If competitors obtain
details about the company it is a huge risk, so to prevent these kinds of risk firewalls are very important
to install; and if the firewalls are improperly configured, EMC still faces these risks.
The other problem is improper VPNs, which becomes apparent when doing online transactions. Without a proper
VPN, online transactions may be exposed to snooping and interference, and the resulting disruption means the
transactions cannot be completed properly. Improper VPNs can therefore damage EMC's reputation, which is why
proper VPNs have to be installed. (https://www.vpnsecure.me/)
A static Internet Protocol (IP) address is a permanent address assigned to a computer, typically by an
Internet service provider (ISP). Static IP addresses are useful for gaming services, website hosting and
Voice over Internet Protocol (VoIP); speed and reliability are their key advantages. Because a static
address is constant, however, a system with a static IP address is easier for an attacker to locate and
target repeatedly, which raises its security risk.
A DHCP server is used to hand out IP addresses and automatically configure other network settings. In most
homes and small businesses the router acts as the DHCP server; in large networks a dedicated computer may
act as the DHCP server.
In short, the process goes like this: a device (the client) requests an IP address from the DHCP server,
after which the server assigns an available IP address to allow the client to communicate on the network. A
bit more detail below...
DMZ means demilitarized zone. This refers to a host or network that sits as a secure, intermediate network
between an organization's internal network and the external network. A DMZ is mainly used to protect an
internal network from direct communication with, and exploitation and access by, external nodes and
networks. A DMZ can be a logical sub-network or a physical network acting as a safe bridge between the
internal and external networks. A DMZ network has restricted access to the internal network, and all of its
communication is inspected by a firewall before being passed internally. If an attacker attacks an
organization's network, a successful attempt will only result in the compromise of the DMZ network, not the
core network behind it. A DMZ therefore adds a layer of protection beyond a single firewall, and DMZ hosts
can also act as proxy servers. (https://searchsecurity.techtarget.com/)
The overall idea is that you put your public-facing servers in the DMZ network so that you can separate them
from your private, trusted network. The use case is that because your server has a public face it can easily
be rooted. If that happens, and a malicious party gains access to your server, they should be isolated in
the DMZ network and not have direct access to the private hosts. (https://searchsecurity.techtarget.com/)
There are many ways to design a network with a DMZ. The two basic approaches are to use either one or two
firewalls, though most modern DMZs are designed with two firewalls. The basic method can be extended to
create complex architectures, depending on the network requirements. A single firewall with at least three
network interfaces can be used to create a network architecture containing a DMZ. The external network is
formed by connecting to the public Internet. Different sets of firewall rules for traffic between the
Internet and the DMZ, the LAN and the DMZ, and the LAN and the Internet tightly control which ports and
types of traffic are permitted into the DMZ from the Internet, limit connectivity to specific hosts in the
internal network, and prevent unsolicited connections from the DMZ either to the Internet or to the internal
LAN. (https://searchsecurity.techtarget.com/)
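The following added example, written for this page and not taken from the original report, serves both section 2.1 (the impact of an improper firewall configuration) and the three-interface DMZ design just described. It models a first-match packet filter in Python and runs it against two rule sets: a mis-ordered one in which an "allow any to any on port 22" rule sits above the LAN deny rule and so exposes every internal host, and a corrected three-zone (Internet / DMZ / LAN) policy that only lets the Internet reach the web tier and never lets DMZ hosts initiate into the LAN or out to the Internet. The model is stateless (a real firewall tracks connections so replies to allowed requests flow back); the zone networks, addresses and ports are constructed.

```python
"""Added example, not from the original report: a first-match packet filter
run against a mis-ordered rule set and against the three-zone DMZ policy
described above. Stateless model; zones, addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
DMZ = "192.168.10.0/24"      # public-facing web tier (constructed)
LAN = "10.0.0.0/8"           # internal, trusted network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src_net: str     # CIDR the source address must fall in
    dst_net: str     # CIDR the destination address must fall in
    dports: tuple    # destination ports matched; () means any port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.proto == self.proto
                and (not self.dports or p.dport in self.dports))


def decide(rules, packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; traffic no rule mentions gets the default (deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Misconfigured: a "temporary" admin rule placed first and never removed.
MISCONFIGURED = [
    Rule("allow", ANY, ANY, (22,)),          # exposes SSH on every host, LAN included
    Rule("allow", ANY, DMZ, (80, 443)),
    Rule("deny",  ANY, LAN, ()),             # too late: rule 1 has already matched
]

# Corrected three-zone policy for one firewall with three interfaces.
THREE_ZONE = [
    Rule("deny",  DMZ, LAN, ()),             # DMZ hosts never initiate into the LAN
    Rule("allow", ANY, DMZ, (80, 443)),      # Internet (and LAN) may reach the web tier only
    Rule("allow", LAN, ANY, (22, 80, 443)),  # LAN admins manage the DMZ and browse out
    # Everything else, including DMZ -> Internet and Internet -> LAN, hits the default deny.
]


def exposed_lan_ports(rules, probe_src: str = "198.51.100.7", lan_host: str = "10.0.5.20") -> list:
    """Audit helper: which well-known ports on a LAN host can an Internet host reach?"""
    probes = (22, 80, 443, 3306, 3389)
    return [p for p in probes if decide(rules, Packet(probe_src, lan_host, p)) == "allow"]


if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("three-zone", THREE_ZONE)):
        print(f"{name}: LAN ports reachable from the Internet = {exposed_lan_ports(rules)}")
        print("  DMZ -> LAN db port 3306:", decide(rules, Packet("192.168.10.5", "10.0.5.20", 3306)))
        print("  Internet -> DMZ 443    :", decide(rules, Packet("198.51.100.7", "192.168.10.5", 443)))
```

The `exposed_lan_ports` probe is the check a reviewer would actually run on EMC's firewall: it asks the policy what an outsider can reach rather than trusting what the rule comments say, and it is how a mis-ordered rule is caught before an attacker finds it.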
Network Address Translation (NAT) is the process whereby a network device, usually a firewall, assigns a
public address to a computer (or group of computers) inside a private network. The main use of NAT is to
limit the number of public IP addresses an organization must use, for both economic and security reasons.
Computers on the private network have private addresses, but to access resources outside the network, such
as the Internet, they must appear with a public address so that replies to their requests can return to
them. This is where NAT comes into play.
The steps involved in NAT are quite complex but happen so quickly that the end user hardly knows they have
occurred. A workstation inside the network makes a request to a computer on the Internet. Routers within the
network recognize that the request is not for a resource inside the network, so they send the request to the
firewall. The firewall sees the request from the computer with the internal IP address. It then makes the
same request to the Internet using its own public address, and returns the response from the Internet
resource to the computer inside the private network. From the workstation's point of view it appears that it
is communicating directly with the site on the Internet. When NAT is used in this way, all users inside the
private network appear with the same public IP address when they use the Internet. There are many benefits
we can get from Network Address Translation (NAT). They are,
(http://nokitel.im/index.php)
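The walk-through above can be traced in code with the translation table a firewall keeps when it does NAT with port translation (NAPT, the common "everyone shares one public address" form). The following is an added example written for this page, not from the original report: two internal workstations reach the same Internet host through one public address, each reply is mapped back to the right internal host by its translated port, and an unsolicited inbound packet is dropped because nobody inside created an entry for it. Addresses and port numbers are constructed.

```python
"""Added example, not from the original report: the NAPT translation table a
firewall keeps, with outbound rewriting, reply mapping and the drop of an
unsolicited inbound packet. Addresses and ports are constructed."""
from itertools import count


class Napt:
    """Many internal addresses share one public address, told apart by public source port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._free_ports = count(first_port)
        self._outbound = {}   # (int_ip, int_port, remote_ip, remote_port) -> public port
        self._inbound = {}    # public port -> (int_ip, int_port, remote_ip, remote_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the source of an internal packet; create a table entry on first sight."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub_port = self._outbound.get(key)
        if pub_port is None:
            pub_port = next(self._free_ports)
            self._outbound[key] = pub_port
            self._inbound[pub_port] = key
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def translate_inbound(self, pkt: dict):
        """Map a packet arriving at the public address back to the internal host,
        or return None (drop) when no outbound request created an entry for it."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self._inbound.get(pkt["dport"])
        if entry is None:
            return None                       # unsolicited: nobody inside asked for this
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None                       # right port, wrong peer: still dropped
        return {**pkt, "dst": int_ip, "dport": int_port}

    def table(self) -> dict:
        """Current translations, keyed by public port (for inspection)."""
        return dict(self._inbound)


def demo() -> dict:
    """Two workstations, one public address, one scanner that finds nothing to talk to."""
    nat = Napt("203.0.113.1")
    ws1 = {"src": "10.0.5.20", "sport": 51000, "dst": "198.51.100.10", "dport": 443}
    ws2 = {"src": "10.0.5.21", "sport": 51000, "dst": "198.51.100.10", "dport": 443}
    out1 = nat.translate_outbound(ws1)
    out2 = nat.translate_outbound(ws2)        # same internal port on a different host

    reply1 = {"src": "198.51.100.10", "sport": 443, "dst": "203.0.113.1", "dport": out1["sport"]}
    reply2 = {"src": "198.51.100.10", "sport": 443, "dst": "203.0.113.1", "dport": out2["sport"]}
    scan = {"src": "198.51.100.7", "sport": 6000, "dst": "203.0.113.1", "dport": 3389}

    return {
        "shared_public_ip": out1["src"] == out2["src"] == "203.0.113.1",
        "distinct_public_ports": out1["sport"] != out2["sport"],
        "reply1_to": nat.translate_inbound(reply1)["dst"],
        "reply2_to": nat.translate_inbound(reply2)["dst"],
        "unsolicited_dropped": nat.translate_inbound(scan) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The security benefit claimed for NAT comes entirely from the last branch of `translate_inbound`: an outside host can only reach an internal machine through an entry that the internal machine itself created, so the internal address space is unreachable by default. It is a side effect of the table, not a substitute for a firewall policy.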
2.2.6 How static IPs, DMZ and NAT help EMC
Static IPs – A static IP is a permanent address assigned to a computer through an Internet service
provider. Static IPs are useful for web hosting and Voice over Internet Protocol (VoIP). The main
advantages of using static IPs are speed and reliability. So, when EMC is doing transactions with
DMZ – This refers to a host or network that sits as a secure, intermediate network between an
organization's internal network and the external network. When EMC deals with its clients, external
networks might attack EMC's network. To contain these kinds of attack EMC can place its public-facing
systems in a DMZ.
NAT – Network address translation limits the number of public IP addresses that EMC must use, for both
economic and security reasons. Because internal hosts are not directly reachable on a public address, the
network only passes replies to requests that internal hosts have made; unsolicited connections from unknown
IP addresses have no translation and are dropped. NAT is therefore highly useful to EMC.
A trusted network is a network of devices that are connected to each other, exposed only to authorized
users, and on which only protected data is transmitted. A trusted network architecture uses current
standards, protocols and hardware to implement "trust". Trusted networks deliver vital security services
such as user authentication, comprehensive network device admission control, end-device status checks,
policy-based access control, traffic filtering, automated remediation of non-compliant devices, and
auditing. The Trusted Computing Group has published industry standards for trusted networks. Several
commercial trusted-network technologies have been developed, including Cisco TrustSec, Cisco NAC Appliance
(formerly known as Cisco Clean Access) and Microsoft Network Access Protection.
Network Access Device (NAD): All connectivity to a trusted network passes through a network access
device, which enforces policy. NAD functionality may exist in devices such as switches, routers, VPN
concentrators and wireless access points.
Posture Remediation Servers: These servers offer remediation options to a client device in case of
non-compliance. For example, a server may hold the latest virus signatures and require a non-compliant
client device to load them before joining the trusted network.
Directory Server: This server authenticates client devices based on their identities or roles.
Posture Validation Servers: Posture validation servers assess the compliance of a client before it can
join the trusted network. A PVS is typically specialized for one client attribute, e.g. operating system
version and patch level, or virus signature release.
Other Servers: These include trusted versions of audit, DNS, DHCP and VPN servers.
Client Device: Every client device must be assessed prior to admission to a trusted network.
Authorization and Access Control Server: The authorization and access control server holds the policy
and provides rules to the NADs based on the results of authentication and posture validation.
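The components listed above combine into one admission decision for each connecting device. The following added example, written for this page and not taken from the original report or any vendor product, plays out that flow in plain Python: the directory authenticates the device, the posture validation server returns the checks it fails against a baseline, and the authorization server turns identity plus posture into the rule the access device applies (admit to the role's network, quarantine on a remediation network with the list of what to fix, or refuse). The directory, baseline, dates and devices are constructed.

```python
"""Added example, not from the original report: the admission flow of a
trusted network (directory authentication, posture validation, authorization)
as plain functions. Directory, baseline and devices are constructed."""
from datetime import date

# Directory server: device identity -> role (constructed).
DIRECTORY = {
    "laptop-fin-01": "finance",
    "laptop-hr-07": "hr",
    "srv-web-03": "dmz-admin",
}

# Posture baseline the validation server enforces (constructed).
BASELINE = {
    "min_patch_date": date(2024, 2, 1),
    "max_signature_age_days": 7,
    "require_firewall": True,
}

# Network each role lands in when compliant (constructed).
NETWORKS = {"finance": "vlan-finance", "hr": "vlan-hr", "dmz-admin": "vlan-mgmt"}


def authenticate(device: dict, directory: dict = DIRECTORY):
    """Directory lookup: the device's role, or None if the identity is unknown."""
    return directory.get(device["id"])


def validate_posture(device: dict, today: date, baseline: dict = BASELINE) -> list:
    """Posture validation: return the list of baseline checks the device fails."""
    failed = []
    if device["patch_date"] < baseline["min_patch_date"]:
        failed.append("operating-system patch level")
    if (today - device["av_signature_date"]).days > baseline["max_signature_age_days"]:
        failed.append("antivirus signatures")
    if baseline["require_firewall"] and not device["host_firewall"]:
        failed.append("host firewall")
    return failed


def authorize(device: dict, today: date) -> dict:
    """Authorization server: combine identity and posture into the rule the NAD applies."""
    role = authenticate(device)
    if role is None:
        return {"device": device["id"], "decision": "refuse", "network": None, "failed": []}
    failed = validate_posture(device, today)
    if failed:
        # Quarantine with reach to the remediation server only; re-assess after fixing.
        return {"device": device["id"], "decision": "remediate",
                "network": "vlan-remediation", "failed": failed}
    return {"device": device["id"], "decision": "admit", "network": NETWORKS[role], "failed": []}


# Three constructed devices arriving at the network access device on the same day.
TODAY = date(2024, 3, 1)
DEVICES = [
    {"id": "laptop-fin-01", "patch_date": date(2024, 2, 20), "av_signature_date": date(2024, 2, 28), "host_firewall": True},
    {"id": "laptop-hr-07", "patch_date": date(2023, 12, 5), "av_signature_date": date(2024, 2, 1), "host_firewall": True},
    {"id": "visitor-phone", "patch_date": date(2024, 2, 20), "av_signature_date": date(2024, 2, 28), "host_firewall": True},
]


def admission_report(devices=DEVICES, today=TODAY) -> list:
    """One authorization decision per device, in arrival order."""
    return [authorize(d, today) for d in devices]


if __name__ == "__main__":
    for row in admission_report():
        print(row)
```

Note that a device which authenticates successfully can still be kept off the production network: the posture result, not the identity alone, decides where it lands, which is the difference between a trusted network and plain port authentication.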
Network monitoring is the systematic effort to detect slow or failing network components, such as overloaded or frozen servers, failing routers, failed switches or other misbehaving devices. In the event of a network failure or similar outage, the network monitoring system alerts the network administrator. Network monitoring is a subset of network management.
Network monitoring is generally carried out through software applications and tools. Network monitoring services are widely used to check whether a given web server is up and correctly reachable from networks worldwide. Many services that do this job also provide a fuller picture of both the Internet and the organisation's own networks. Network monitoring has many benefits; the three main ones are:
Protecting your network against attackers: a network monitoring system can identify suspicious traffic, allowing owners to act quickly. A network monitoring service can provide a broad overview of an SMB's entire IT infrastructure, so that nothing is misused. Today's exploits are more sophisticated and can target a system in a variety of ways; monitoring antivirus and firewall solutions separately may leave security gaps.
Keeping informed without in-house staff: a network monitoring service sends warnings and information to the SMB owner as issues arise. Otherwise an SMB must either try to monitor its network security itself or hire a full-time IT employee, which can be very costly. Data breaches become more harmful and more expensive the longer they go unnoticed.
Optimising and monitoring your network: many small business owners are planning for rapid growth, which is not possible if parts of their IT infrastructure are overloaded or slow. Network monitoring services map out the infrastructure of a small business, showing the owner areas for development and any issues that currently need to be addressed.
(https://indesignsecrets.com/)
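The two jobs described above, spotting a server that has stopped answering and flagging suspicious traffic so the administrator can be alerted, as an added example written for this report (not code from the cited page or from any monitoring product). The log format, the heartbeat table and the thresholds are assumptions made for the demonstration; the log lines are constructed.

```python
"""Two simple network monitoring checks over constructed data (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log, one line per connection attempt (assumed format):
#   <timestamp> <src> -> <dst>:<port> <ACTION>
FIREWALL_LOG = """\
2024-03-01T09:00:01 10.0.0.5 -> 10.0.0.20:443 ALLOW
2024-03-01T09:00:02 10.0.0.5 -> 10.0.0.20:443 ALLOW
2024-03-01T09:00:05 203.0.113.9 -> 10.0.0.20:21 DENY
2024-03-01T09:00:05 203.0.113.9 -> 10.0.0.20:22 DENY
2024-03-01T09:00:06 203.0.113.9 -> 10.0.0.20:23 DENY
2024-03-01T09:00:06 203.0.113.9 -> 10.0.0.20:25 DENY
2024-03-01T09:00:07 203.0.113.9 -> 10.0.0.20:80 ALLOW
2024-03-01T09:00:07 203.0.113.9 -> 10.0.0.20:110 DENY
2024-03-01T09:00:08 203.0.113.9 -> 10.0.0.20:143 DENY
2024-03-01T09:00:08 203.0.113.9 -> 10.0.0.20:443 ALLOW
2024-03-01T09:00:08 203.0.113.9 -> 10.0.0.20:445 DENY
2024-03-01T09:00:09 203.0.113.9 -> 10.0.0.20:3389 DENY
2024-03-01T09:00:10 203.0.113.9 -> 10.0.0.20:8080 DENY
2024-03-01T09:00:12 10.0.0.7 -> 10.0.0.20:443 ALLOW
"""

# Constructed heartbeat table: when each monitored server last answered a probe
LAST_SEEN = {
    "web-01": datetime(2024, 3, 1, 9, 0, 10),
    "db-01": datetime(2024, 3, 1, 8, 52, 0),
    "mail-01": datetime(2024, 3, 1, 9, 0, 12),
}
NOW = datetime(2024, 3, 1, 9, 0, 15)   # fixed clock so the run is reproducible


def parse_log(text):
    """Return (timestamp, src, dst, port, action) tuples for each non-empty log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def find_port_scans(events, window=timedelta(seconds=30), min_ports=8):
    """Alert on a source that touches >= min_ports distinct ports on one host within `window`.

    Denied and allowed attempts both count: a scanner probing open ports looks
    normal one line at a time, so the signal is the spread of ports, not the verdict.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):        # sliding window from each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "distinct_ports": len(ports)})
                break                                 # one alert per source/target pair
    return alerts


def find_down_servers(last_seen, now, max_silence=timedelta(minutes=5)):
    """Alert on servers that have not answered a probe within max_silence."""
    return [{"type": "server_down", "host": host,
             "silent_for_s": int((now - seen).total_seconds())}
            for host, seen in last_seen.items() if now - seen > max_silence]


def run_checks(log_text=FIREWALL_LOG, last_seen=LAST_SEEN, now=NOW):
    """One monitoring cycle: security alerts first, then availability alerts."""
    return find_port_scans(parse_log(log_text)) + find_down_servers(last_seen, now)


if __name__ == "__main__":
    for alert in run_checks():
        print("ALERT", alert)
```

With the constructed data the scan from 203.0.113.9 is reported once (eleven distinct ports in five seconds) and db-01 is reported as down after eight minutes of silence, while the ordinary HTTPS traffic produces nothing.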
Activity 03
A risk is an uncertain event that we may face in the future, often occurring over a relatively short time. Many risks arise from human actions; most of the risks an organisation faces come from the mistakes of its own workers, so the owner of the organisation should assess the risks it faces. (https://www.thesaurus.com/)
As discussed above, risks are common to large organisations, communities, companies and so on. Risk assessment is the term used for the overall process of identifying the hazards and risks that could affect the company or organisation, analysing and evaluating the risk associated with each hazard, and determining the appropriate way to eliminate the hazard or, where it cannot be eliminated, to control the risk. We can identify certain kinds of risk by looking at our workplace and identifying the things, situations and processes that may cause harm to people. Once the risks have been identified and this determination is made, we can decide what measures should be put in place in the organisation to effectively eliminate or control the harm. (https://www.investopedia.com)
Data protection is very important for an organisation, because any organisation or large company holds a great deal of valuable data, and if that data is leaked to competitors the organisation or company could be ruined. Below are some of the kinds of sensitive information that reputable companies hold.
If these kinds of information are leaked from the business or organisation, it poses a huge risk to that organisation. There are many ways to protect such important data; they include the following.
For the owner of a large organisation, installing CCTV cameras is a sensible decision. The use of CCTV cameras must comply with the state's criminal eavesdropping statutes, which require signs to be posted where video monitoring is taking place. Another benefit of CCTV cameras is that when thieves or robbers attack the organisation, we can monitor it from the cameras and take the necessary decisions.
Employee monitoring
This is also a method of data protection, because some workers or employees may carry out fraudulent activities against the company, so as an owner we have to be aware of that, and monitoring the employees or workers regularly is an important task. But there are limits to monitoring employees, because employees also have privacy that must be protected, so monitoring of employees is permitted where the monitoring of
For everything there must be laws and regulations that we should follow; if not, the organisation or company cannot continue for long. First we have to see what the meaning of law is. Here, a law means a certain kind of order implemented by the head of the organisation to minimise mistakes, fraud and favouritism among the workers of the organisation.
Implementing such rules is a difficult task for the CEO of the company, because he should know how to implement suitable rules for the workers. When the rules are too strict some employees might not work properly, and when there are too few rules the workers might also not work properly. To get the work done by the workers, the CEO must think from his own perspective, the company's perspective and the employees' perspective; then he can run the organisation or company peacefully without mistakes, fraud or favouritism.
Every CEO is looking to reduce the risks coming towards his organisation. For that he should implement rules and regulations continuously, and there are guidelines for implementing such rules for risks: those guidelines are in ISO 31000:2018.
ISO 31000:2018 consists of risk management guidelines, providing principles and a framework for managing risk in the EMC Company. When the CEO of the EMC Company follows the ISO 31000:2018 guidance it is easier to manage the EMC Company, because all the guidelines and the framework are in it. Any business, whether small or large scale, can use ISO 31000:2018.
Using ISO 31000:2018 can help the EMC Company increase the likelihood of achieving its objectives, and makes it easier to identify the strengths and weaknesses of the EMC Company; these are tied to the vision and mission of the EMC Company. However, ISO 31000:2018 cannot be used for certification purposes, although it does provide guidance for internal and external audit programmes.
By following ISO 31000:2018 the owner of the EMC Company can compare the risks and threats that face the EMC Company; in other words, the CEO can compare the threats faced in the past with the new threats that arise. Another benefit for the owner of the EMC Company is that it can compare its risk management practices with an internationally recognised benchmark, providing sound principles for effective management and corporate governance. A further point: if the EMC Company is affected by risks, there can be consequences in terms of economic performance and professional reputation, as well as environmental, safety and social outcomes. If threats or risks affect the economic performance of the EMC Company it is a huge loss for the company, because customers will reject the company, the banks that lend to the company may refuse further loans, and finally the employees who depend on the EMC Company are affected. After economic performance, professional reputation is affected. If the EMC Company deals or transacts with foreign countries, professional reputation is highly important; if it is damaged by threats or attacks, those countries will also start to reject the company. For these reasons, managing risks effectively helps the EMC Company perform well in an environment full of uncertainty. (https://securityintelligence.com)
In every large company there is an audit function to examine the current situation of the company. If employees commit fraud or conduct illegal business, they are caught in this process; that is the benefit of an audit function. If there is no audit function the company may well go bankrupt, because no one is there to find out about the fraud and other wrongdoing happening in the company. Some companies also have security audits, which check whether the security system is working properly. If there is no audit to examine the security system, the security system itself may become compromised. From the points above we can say that IT security audits have a large impact on the organisation's security.
When all the IT services are covered by the IT security audit, the organisation can have a more robust IT system in place. There are many departments in the company, and when the IT security audit reaches each department its scope may range from database management to resource planning, across the whole chain. For a company, data is one of the key assets that require the strongest security controls. If the data is leaked or stolen by competitors or other firms it is a major reason for the company to go bankrupt or get a bad reputation; for these reasons we have to protect our data. IT security auditors determine what type of information we have, how it flows in and out of the organisation, and who has access to it. (https://cheekymunkey.co.uk)
3.4.3 IT security audits can identify the vulnerable points and problem areas in the company.
A special feature of IT security audits is that they can identify vulnerable points and problem areas easily. The IT system is a vast one, with several components including hardware, software, data and procedures, but a security audit can find the vulnerable areas. Through an audit we can check whether our hardware and software tools are configured and working properly. Security audits also retrace the security incidents or dangerous situations the company faced in the past, which may have exposed our security weak points. The other main thing done by the audit is carrying out tests for network weaknesses, operating systems, access controls and security applications. (https://cheekymunkey.co.uk)
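One concrete form of the configuration check described above, as an added example written for this report (not from the cited page or from any audit tool): an OpenSSH server configuration is compared against a small baseline, each deviation is reported as a finding with a severity, and the corrected configuration is shown to pass. The baseline values are assumptions chosen for the demonstration (a real audit would take them from the organisation's own standard), and both configuration files are constructed.

```python
"""Baseline check of an sshd_config, the kind of test an IT security audit runs (illustrative)."""

# Constructed "before" configuration with several weak settings
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed example, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

# Corrected configuration an auditor would recommend instead
HARDENED_SSHD_CONFIG = """\
# sshd_config (constructed example, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

# Assumed audit baseline: option -> (expected value, severity, why it matters)
BASELINE = {
    "PermitRootLogin": ("no", "high", "direct root logins remove individual accountability"),
    "PermitEmptyPasswords": ("no", "high", "accounts with empty passwords are wide open"),
    "PasswordAuthentication": ("no", "medium", "password logins are exposed to online guessing"),
    "MaxAuthTries": ("3", "low", "caps guesses per connection; default is higher"),
    "X11Forwarding": ("no", "low", "unneeded forwarding widens the attack surface"),
}


def parse_sshd_config(text):
    """Return {option: value} for active lines; sshd treats option names case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return settings


def audit_sshd(text, baseline=BASELINE):
    """Compare a config against the baseline.

    An option that is simply missing is still a finding: sshd then uses its
    built-in default, which the auditor cannot assume is the required value.
    """
    settings = parse_sshd_config(text)
    findings = []
    for option, (expected, severity, reason) in baseline.items():
        actual = settings.get(option.lower())
        if actual != expected.lower():
            findings.append({"option": option, "expected": expected, "actual": actual,
                             "severity": severity, "reason": reason})
    return findings


def highest_severity(findings):
    """Overall rating for the host: the worst individual finding, or 'pass'."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f["severity"] for f in findings), key=order.get, default="pass")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        found = audit_sshd(cfg)
        print(f"{label}: {highest_severity(found)}")
        for f in found:
            print(f"  [{f['severity']}] {f['option']}: expected {f['expected']}, "
                  f"got {f['actual']}; {f['reason']}")
```

The same pattern, a parser for the configuration format plus a table of expected values, scales to any of the hardware and software settings the audit has to verify; what changes is the baseline, which should be taken from the organisation's documented standard rather than hard-coded as it is here.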
Security objectives should be aligned with the company's goals and documented in company policies and procedures. Company policies and procedures are not just paperwork; they are the basis of a strong security plan. Once the company policies and procedures have been developed or updated with the help of company staff, the organisation's security foundation will be more current, sound and compliant. The audit function can also:
Work with the organisation to develop strategies for successfully communicating policies, standards and procedures, and for measuring good security practice and compliance.
Provide ongoing management of the company's policies, procedures and standards to ensure those documents are kept current and relevant.
3.4.4 Aligning security with company objectives
Aligning security with the organisation's wider business needs is becoming increasingly important, but how do you really do it? What it comes down to is being able to map security to business objectives. Done right, security can be a major business driver. Today, everyone from finance to DevOps to sales and engineering has security top of mind, at least if they know what is good for them.
Misalignment arises when the intended objectives or plan conflict with the actual result. The idea of alignment in information systems has been explored especially in IT-business alignment, and has also been examined in software development to address alignment between development and testing. The concept of alignment in IT is complex, as it is quite fragmented and relates to different aspects; hence, to achieve suitable alignment it is important to focus on specific components of alignment rather than on alignment in general. For this reason, the lack of alignment, referred to here as misalignment, is discussed in the context of, firstly, outside entities such as customers, standards and guidelines, regulations and third-party software; the different roles involved in the software development process; the current and required skills for integrating security requirements; and lastly the general system requirements. All the recognised forms of misalignment pose challenges to the integration of security requirements in mobile application development. The section that follows gives an overview of the different forms of alignment. (https://cheekymunkey.co.uk)
Activity 4
Organisational design is regarded in policy work as a powerful policy tool for putting policy into action. However, earlier research has not examined the project organisation as a specific form of organisational design and hence has not given much attention to such organisations as a deliberate choice when selecting policy tools. The purpose of the article is to examine the project as a policy tool: how do such temporary organisations function as a specific form of organisation when public policy is implemented? The article is based on a framework of policy implementation and is illustrated with two welfare reforms in the Swedish public sector, which were organised and implemented as project organisations. The case studies and the analysis show that it is vital that a project organisation fits into the overall governance structure when it is used as a policy tool. If not, the project will remain encapsulated and will not have sufficient influence on the permanent organisational structure. The concept of encapsulation indicates a need to protect the project from a potentially hostile environment. The implication is that organisational design as a policy tool is a matter that deserves more attention in the strategic discussion on implementing public policies and on the suitability of using certain policy tools. (http://infosectoday.com)
A disaster recovery plan (DRP) is a documented, structured approach with instructions for responding to unplanned incidents. This step-by-step plan consists of the precautions taken to minimise the effects of a disaster so the
The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality for the business or organisation to keep operating. (https://resources.infosecinstitute.com)
An organisation can start its DRP with a summary of vital action steps and a list of important contacts, so that the most vital information is quickly and easily available. The plan should describe the roles and responsibilities of the disaster recovery team members and set out the criteria for launching the plan into action. The plan then specifies, in detail, the incident response and recovery activities. (https://resources.infosecinstitute.com)
4.3 Role of the stakeholders in relation to the security of the company.
Definition of the term "stakeholder": "A person, group or organisation that has an interest or concern in an organisation. Stakeholders can affect or be affected by the organisation's actions, objectives and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the company draws its resources. Not all stakeholders are equal. A company's customers are entitled to fair trading practices, but they are not entitled to the same consideration as the company's employees." The stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or unwillingly, to its wealth-creating capacity and activities, and that are therefore its potential beneficiaries and/or risk bearers.
Primary stakeholders: usually internal stakeholders, those that engage in financial transactions with the business (for example stockholders, customers, suppliers, creditors and employees).
Secondary stakeholders: usually external stakeholders, those who, although they do not engage in direct financial exchange with the business, are affected by or can affect its activities (for example the general public, communities, activist groups, business support groups and the media).
Excluded stakeholders: those such as children or the disinterested public, originally excluded because they had no financial impact on the company. Now that the concept takes an anthropocentric viewpoint, some groups like the general public may be recognised as stakeholders while others remain excluded. Such a viewpoint does not give plants, animals or even geology a voice as
We can view security's customers from two viewpoints: the roles and responsibilities they have, and the security benefits they receive. The roles and responsibilities aspect is vital because it determines how we should communicate with our various security customers, with the aim of enabling and persuading them to perform their roles in security, even if that role is a humble one, such as using an access card to gain entry to the facility. It is also vital because fulfilling their roles and responsibilities as employees, managers, contractors or partners is the way that security's customers "pay for" the security they receive. If they do not see or understand the value of security, or are not happy about how much they have to pay for it (i.e. how much trouble they have to go through for security), they may choose to bypass security, for example by tailgating to enter the facility.
While some individuals in our company or organisation pay for security by assigning or approving security project funding, the majority of individuals pay for security by fulfilling their roles and responsibilities, and that is critical to establishing sound security throughout the organisation or company. Because of the importance of the roles our workers play in security, as well as the benefits security provides to them, we refer to security's customers as stakeholders. (http://www.businessdictionary.com)
In last month's column we started with the creation of a personal Lean journal and a first exercise of identifying the security stakeholders. Why perform this exercise? There are many benefits for security staff and officers, as well as for security managers and directors, who perform it. It helps to start with a small group first and then expand, using the results of the first exercise to refine your efforts. Begin at the highest level of security and work down, such as the headquarters or regional level for large organisations, and the security manager, staff, supervisors and officers at the site level. Here are some of the benefits of this exercise:
(https://www.executestrategy.net)
Conclusion
EMC is a well-reputed cloud solution provider in Sri Lanka. EMC mainly provides its services to SME Bank in Sri Lanka and to the WEEFM Company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers, and it has roughly five hundred customers. The head office of EMC
References
Anon. (2019). Classification of Security Threats in Information Systems. [online] Available at: https://www.researchgate.net/publication/266686928_Classification_of_Security_Threats_in_Information_Systems [Accessed 13 Feb. 2019].
Investopedia. (2019). Return on Assets (ROA). [online] Available at: https://www.investopedia.cm/terms/r/returnonassets.asp [Accessed 13 Feb. 2019].
Paperdue.com. (2019). Business Risk Essays: Examples, Topics, Titles, & Outlines | Page 11. [online] Available at: https://www.paperdue.com/topic/business-risk-essays/11 [Accessed 13 Feb. 2019].
Gambino, P. (2019). Social Security Takes Fraud Seriously | Social Security Matters. [online] Blog.ssa.gov. Available at: https://blog.ssa.gov/social-security-takes-fraud-seriously/ [Accessed 13 Feb. 2019].
The Balance. (2019). Do You Need Help Filing a Property Damage Claim? [online] Available at: https://www.thebalance.com/what-is-a-property-damage-claim-527109 [Accessed 15 Feb. 2019].
Docs.oracle.com. (2019). DBMS_MONITOR. [online] Available at: https://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_monitor.htm [Accessed 15 Feb. 2019].
Fieldengineer.com. (2019). What Is a Firewall and Why Is It Important for Network Security? [online] Available at: https://www.fieldengineer.com/blogs/what-is-firewall-important-network-security [Accessed 15 Feb. 2019].
Search Security. (2019). What is DMZ (networking)? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/
Support.norton.com. (2019). Change the trust level of your network and devices. [online] Available at: https://support.norton.com/sp/en/us/home/current/solutions/v9802264_ns_retail_en_us [Accessed 15 Feb. 2019].
www.thesaurus.com. (2019). I found great synonyms for "risk" on the new Thesaurus.com! [online] Available at: https://www.thesaurus.com/browse/risk [Accessed 15 Feb. 2019].
Investopedia. (2019). Risk Assessment. [online] Available at: https://www.investopedia.com/terms/r/risk-assessment.asp [Accessed 15 Feb. 2019].
Security Intelligence. (2019). 10 Takeaways from the ISO 31000:2018 Risk Management Guidelines. [online] Available at: https://securityintelligence.com/10-takeaways-from-the-iso-310002018-risk-management-guidelines/ [Accessed 15 Feb. 2019].
Cheeky Munkey. (2019). What is an IT security audit? - Cheeky Munkey. [online] Available at: https://cheekymunkey.co.uk/what-is-an-it-security-audit/ [Accessed 15 Feb. 2019].
Infosectoday.com. (2019). Why Information Security Training and Awareness Are Important. [online] Available at: http://infosectoday.com/Articles/Security_Awareness_Training.htm [Accessed 15 Feb. 2019].
Cascade Strategy. (2019). The Benefits of Applying the Stakeholder Theory - Cascade Strategy. [online] Available at: https://www.executestrategy.net/blog/stakeholder-theory/ [Accessed 15 Feb. 2019].