
50 Security

EMC Cloud Solutions is a leading cloud provider in Sri Lanka that currently operates a main data center in Colombo. Due to growing IT demand in Kandy, EMC is considering expanding its services there. As part of this, the company has hired the student as a Security Consultant to assess: 1) Risks to security from the potential expansion and recommend solutions. 2) Mechanisms to control security across both data centers. 3) How security should be managed if the expansion moves forward. The student will submit a report addressing these areas to help EMC evaluate the security implications and requirements of establishing a new data center location in Kandy.

Uploaded by

Mohamed Sahl

Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS


Programme title: BTEC Higher National Diploma in Computing
Assessor: Mr. Geeth
Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: EMC Cloud Solutions
Student’s name: Mohamed Nawshard Mohamed Zakeeb
List which assessment criteria the Assessor has awarded: Pass / Merit / Distinction

Higher Nationals - Summative Assignment Feedback Form

Student Name/ID: Mohamed Nawshard Mohamed Zakeeb / KAN/A-009472
Unit Title: Unit 05: Security
Assignment Number: 1
Assessor: Mr. Geeth
Submission Date: 21st of February 2019
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:

Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descripts: P1 P2 M1 D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descripts: P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descripts: P5 P6 M3 M4 D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descripts: P7 P8 M5 D3

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation
has taken place and grade decisions have been agreed at the assessment board.

Pearson
Higher Nationals in
Computing
Unit 5 : Security
General Guidelines
1. A cover page or title page – You should always attach a title page to your assignment. Use the previous page as
your cover sheet and be sure to fill in the details correctly.
2. This entire brief should be attached first, before you start answering.
3. All assignments should be prepared using word processing software.
4. All assignments should be printed on A4-sized paper, and make sure to use one-sided printing only.
5. Allow a 1” margin on each side of the paper. But on the left side you will need to leave room for binding.

Word Processing Rules

1. Use a font type that will make it easy for your examiner to read. The font size should be 12 point, and should
be in the style of Times New Roman.
2. Use 1.5 line word-processing. Left justify all paragraphs.
3. Ensure that all headings are consistent in terms of size and font style.
4. Use the footer function on the word processor to insert Your Name, Subject, Assignment No, and Page
Number on each page. This is useful if individual sheets become detached for any reason.
5. Use the word processing application's spell check and grammar check functions to help edit your assignment.

Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late submissions will not be
accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be accepted for failure
to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply
(in writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to
complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you properly reference
them, using the HARVARD referencing system, in your text and any bibliography, otherwise you may be guilty
of plagiarism.
9. If you are caught plagiarising you could have your grade reduced to A REFERRAL or at worst you could be
excluded from the course.
Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments for this
program.
4. I declare therefore that all work presented by me for every aspect of my program will be my own, and
where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding agreement
between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the
attached.

Student’s Signature (Provide E-mail ID): [email protected]
Date (Provide Submission Date): 21st of February
Assignment Brief
Student Name / ID Number: Mohamed Nawshard Mohamed Zakeeb / KAN/A-009472
Unit Number and Title: Unit 5 - Security
Academic Year: 2017/2018
Unit Tutor:
Assignment Title: EMC Cloud Solutions
Issue Date: 29th of November 2018
Submission Date: 21st of February 2019
IV Name & Date:

Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:


LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organisational IT security.
LO4 Manage organisational security.

Assignment Brief and Guidance:


EMC Cloud Solutions is reputed as the nation’s most reliable Cloud solution provider in Sri Lanka.
A number of high profile businesses in Sri Lanka including Esoft Metro Camps network, SME Bank Sri
Lanka and WEEFM are facilitated by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its
customers with SaaS, PaaS & IaaS solutions with high capacity compute and storage options. Also EMC
is a selected contractor for Sri Lanka, The Ministry of Defense for hosting government and defense
systems.

EMC’s central data center facility is located at Colombo Sri Lanka along with its corporate head-office in
Bambalapitiya. Their premises at Bambalapitiya is a six story building with the 1st floor dedicated to sales
and customer services equipped with public wifi facility. Second-floor hosts HR, Finance and Training &
Development departments and the third-floor hosts boardroom and offices for senior executives along
with the IT and Data center department. Floors 4, 5 and 6 host computer servers which make up the data
center.

With the rapid growth of information technology in Kandy area in recent years, EMC seeks opportunity to
extend its services to Kandy, Sri Lanka. As of yet, the organization still considers the nature of such
extension with what to implement, where is the suitable location and other essential options such as
security are actually being discussed.

You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system and provide recommendations on security and reliability related
improvements of its present system as well as to plan the establishment of the extension on a solid
security foundation.

Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following
elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such
issues would create on the business itself.

1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed
in section (1.1) by assessing and treating the risks.

Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which
are applicable to firewalls and VPN solutions.

2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ
ii) Static IP
iii) NAT
2.3 Discuss the benefits of implementing network monitoring systems.

Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself and its
clients.

3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage
solutions provided by EMC Cloud. You may also highlight on ISO 31000 risk management methodology.

3.3 Comment on the topic, ‘IT Security & Organizational Policy’

Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while evaluating the
suitability of the tools used in an organizational policy.

4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure maximum
uptime for its customers (Student should produce a PowerPoint-based presentation which illustrates the
recovery plan within 15 minutes of time including justifications and reasons for decisions and options
used).

4.3 ‘Creditors, directors, employees, government and its agencies, owners / shareholders, suppliers,
unions, and the other parties the business draws its resources’ are the main
branches of any organization. Discuss the role of these groups to implement security audit
recommendations for the organization.
Acknowledgment

I have taken efforts in this project. It cannot be finished with some people's support. I
would like to thank them. I thank my God for giving me the chance to finish this assignment. I am
highly thankful to my lecturer Mr. Geeth for his guidance as well as for providing
important information regarding the project and also for his support in completing the project. I
would like to thank my parents for their co-operation and encouragement, which helped
me in the completion of this project. My thanks go to all my classmates for their support and
help in some situations to finish the assignment.

M.N.M.Zakeeb
…………………………………..

Mohamed Zakeeb Unit 05 | Security Page


Table of Contents
1. Identify types of security risks EMC Cloud
2. Way to minimize Security risks
3. Firewall
   Client Impact in Misconfigured Firewall
4. VPN (Virtual Private Network)
   Client Impact in Misconfigured VPN
5. DMZ
6. Static IP
7. NAT (Network Address Translation)
8. Benefit of implementing network monitoring system
9. Risk Assessment
   Qualitative Risk Assessment
   Quantitative Risk Assessment
10. Way to develop risk assessment
11. Risk assessment for EMC Cloud Solution
12. Data protection law and procedures for EMC cloud data storage
   Data Protection Act 2018
   ISO 31000
13. IT Security & Organization Policy
14. Security Policy for EMC Cloud
   Physical security
   Authentication
   Privacy
   Security awareness training
   Special access
   Access to visitors
   Password
   Network security
   Risk management
   Virus protection
15. Disaster Recovery Plan
   Evaluate the business activities
   Determine Recovery Time Requirement
   Test Hypothesis
   Policies and Procedures
16. Roles of Stakeholders to implement a security audit
17. Gantt Chart

Table of Figures
Figure 1 Cloud system with firewall and VPN
Figure 2 DMZ Architecture
Figure 3 DRP Evaluate Business Activities
Figure 4 Determine Recovery Time Requirement
Figure 5 Test Hypothesis
Figure 6 Policies and Procedures



Activity 1

1.1

Identify types of security risks EMC Cloud


EMC is a reliable cloud solution provider in Sri Lanka. Its data centre is located in
Colombo and its head office is at Bambalapitiya. It provides about 500 customers with
SaaS, PaaS and IaaS. Many high-profile businesses in Sri Lanka are served by EMC Cloud
Solutions, including SME Bank Sri Lanka and WEEFM, and EMC hosts government and
defence systems for the Ministry of Defence.

The following types of risk can occur in its present setup. Colombo is in a coastal
area, so there is a risk from natural disasters such as tsunamis, floods and storms. If
such natural threats occur, they will have a major impact on the cloud network. Data loss
is a major risk faced by EMC Cloud. Colombo is a city that loses electric power regularly,
which interrupts the company's consistent operation. Causes of data loss are viruses and
malware, natural disasters, software corruption, human error and hardware malfunction.
These types of risk occur regularly in cloud computing. Viruses and malware slow down
systems and steal customers' details. Human errors include accidentally deleting data and
accidentally dropping storage devices, which are also causes of data loss.

Availability risk is another problem for cloud computing. If the organization relies on a
single ISP (Internet Service Provider) and it goes down, it takes all of EMC Cloud
Solutions' customers' cloud networks down with it. Compatibility between servers is
another threat for EMC: if one server has an issue and its data cannot be accessed, this
causes a serious problem for the companies whose data is held on that particular server.
Sabotage (cyber-attacks) is another type of risk for EMC Cloud Solutions. It can come from
unauthorized people or hackers, and it is a threat for a large organization like EMC Cloud
Solutions because they can steal clients' details. Equipment failure is also a major risk
to EMC Cloud, because equipment cannot be replaced instantaneously. The data stored in
the EMC Cloud should be given the highest level of protection, according to the details
it holds.

Data transferred across the network should be encrypted so that man-in-the-middle
attacks are prevented. These are the risks that can occur for EMC Cloud Solutions.


1.2

Way to minimize Security risks


The way to minimize the impact of issues caused by natural disasters is to insure the
company. Through insurance the company can recover the money it lost. A firewall is the
way to stop unauthorized access to the network. A DMZ could also be created for
outsiders to gain access to the network. This would prevent the network being attacked
by hackers or other cyber attackers. We can also apply an IPS or IDS, which can filter
and scan the packets transferred through the network.

A Disaster Recovery Plan (DRP) is needed to recover data when a sudden attack or
disaster occurs. For the availability issue, more than one Internet Service Provider (ISP)
is needed to give uninterrupted service to clients. EMC should also use a virus guard to
prevent viruses being transferred into the EMC network. Data sent along the network
should use the HTTPS or SSL protocols. To guard against power loss, the company must
have backup power devices to maintain consistent operation.

Data should be backed up regularly in the cloud or elsewhere to prevent data loss. The
company should keep spare equipment that can immediately cover an equipment failure.
Staff should have regular security discussions with the IT professionals to maintain a
high level of security within EMC Cloud.

The company's premises should be fully air-conditioned so that EMC Cloud's devices are
not damaged by the ambient temperature. The internet connection within the company
should have a reliable speed for transferring data and files across the network. The
company should upgrade to the latest technologies so that the cloud can provide a high
level of service to clients.

Data should move across the EMC network smoothly, without bottlenecks. The EMC
network should be monitored using monitoring software such as SolarWinds, Nagios or
PRTG.


Activity 2

2.1

Figure 1 Cloud system with firewall and VPN

Firewall
A firewall is software used to secure a private network. It helps to block unauthorized
access, unauthorized web users and unauthorized sites from reaching the private network.
A firewall can be implemented in software or hardware. It is a line of defence that keeps
security-sensitive information safe.

Client Impact in Misconfigured Firewall

A misconfigured firewall will have a major impact on EMC Cloud. When the firewall is
misconfigured, it allows attackers to access clients' sensitive data, which can lead to the
company closing down. When unauthorized people access the network they can also
change or insert valuable data. Sometimes unauthorized people can take complete control
of the data centre. Whenever data is sent or received, an attacker can easily access it
and can block the communication as well. That prevents clients from getting the full
service from EMC Cloud.

VPN (Virtual Private Network)


A VPN is a private network built over a public network. It supports security mechanisms
such as encryption. A VPN allows users to send and receive data from their network
securely via their ISP. Large organizations use passwords for authentication to gain
access to the VPN. Some users also use a VPN to browse the internet anonymously.

Client Impact in Misconfigured VPN

The reason to put a VPN in a cloud data centre like EMC Cloud is to safeguard clients'
sensitive data. When the VPN is misconfigured, the tunnel breaks down, which leads to
misdirected communication: when a user sends data, it can be received by others instead
of the intended user. It also becomes impossible to establish a connection with employees
who work remotely over the VPN. These problems can lead to a network breach and leave
data unsecured, which can lead to EMC Cloud closing down.


2.2

DMZ

Figure 2 DMZ Architecture

A Demilitarized Zone (DMZ) is a secure, transitional network between the organization's
internal and external networks. The DMZ is a front-line network that connects to the
external network while remaining separate from the internal network for security
purposes.

The primary benefit of a DMZ is that internet-facing services can be accessed from the
public internet in a secure way. It also helps to stop external nodes and networks from
interacting with or accessing the internal network. The DMZ limits access to the internal
network, and all communication between the two is scanned on a firewall before it is
passed inside. When an attacker tries to access the organization's network, they can see
only the DMZ and cannot access the core network behind it. A DMZ is safer and more
secure than a firewall. It can also work as a proxy server.

Whenever an outsider wants to connect to EMC Cloud, they are led to the DMZ, which has
no direct connection to EMC's internal network. Without a DMZ, an attacker who attacks
the network has a chance of reaching EMC Cloud's data centre easily. With a DMZ,
attackers can reach only the DMZ, not the internal network.
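
The DMZ property described above (outsiders reach the DMZ but never the internal network) can be tested against a firewall rule set, which also catches the misconfigurations discussed in section 2.1. The following Python audit is an added example and not part of the original report; the addresses, ports, intended policy and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    port: Optional[int]   # None matches any port
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))


def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; traffic that matches nothing is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, index
    return "deny", None


# Constructed addressing: one representative host per zone.
PROBES = {"external": "198.51.100.7", "dmz": "192.0.2.10", "internal": "10.0.5.20"}
PORTS = (22, 443, 3306, 5432)

# Intended policy (assumed): every flow not listed here must be denied.
INTENDED = {
    ("external", "dmz", 443),       # public HTTPS service published in the DMZ
    ("dmz", "internal", 5432),      # DMZ web tier to one internal database
    ("internal", "dmz", 22),        # administration of DMZ hosts from inside
    ("internal", "dmz", 443),
    ("internal", "external", 443),  # staff web access
}


def audit(rules):
    """Compare what the rule set does with the intended policy, flow by flow."""
    findings = []
    for src_zone, src_ip in PROBES.items():
        for dst_zone, dst_ip in PROBES.items():
            if src_zone == dst_zone:
                continue
            for port in PORTS:
                action, index = decide(rules, src_ip, dst_ip, port)
                wanted = (src_zone, dst_zone, port) in INTENDED
                if action == "allow" and not wanted:
                    findings.append(("exposure", src_zone, dst_zone, port, index))
                elif action == "deny" and wanted:
                    findings.append(("outage", src_zone, dst_zone, port, index))
    return findings


ANY, DMZ, LAN, DB = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/16", "10.0.5.20/32"

CORRECT = [
    Rule("allow", ANY, DMZ, 443, "published service"),
    Rule("allow", LAN, DMZ, 22, "admin from inside"),
    Rule("allow", DMZ, DB, 5432, "web tier to database"),
    Rule("deny", ANY, LAN, None, "nothing else reaches the internal network"),
    Rule("allow", LAN, ANY, 443, "staff web access"),
]

MISCONFIGURED = [
    Rule("allow", ANY, DMZ, 443, "published service"),
    Rule("allow", ANY, ANY, 22, "temporary remote admin rule never removed"),
    Rule("deny", ANY, LAN, None, "nothing else reaches the internal network"),
    Rule("allow", DMZ, DB, 5432, "placed after the deny, so never reached"),
    Rule("allow", LAN, ANY, 443, "staff web access"),
]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misconfigured", MISCONFIGURED)):
        print(name)
        for kind, src, dst, port, index in audit(rules):
            note = rules[index].note if index is not None else "default deny"
            print(f"  {kind}: {src} -> {dst} port {port} (rule {index}: {note})")
```

An "exposure" finding is traffic the firewall passes although the policy forbids it; an "outage" finding is intended traffic that a badly ordered rule blocks, which is how a misconfiguration stops clients getting the full service.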

Static IP

A static IP is an IP address that does not change over time, and it can be assigned to a
single computer. A dynamic IP address is the alternative to a static IP, but it is assigned
only temporarily. A static IP is dedicated to one server permanently, so whenever a user
logs in to it, the same IP address is used for every session. This helps EMC Cloud
identify the user easily. A static IP address is dependable and secure, so an attacker
will have some difficulty attacking EMC. A user can use a static IP as a constant IP
address that only that user can use, without sharing it with anyone.

NAT (Network Address Translation)


Network address translation is a function that allows users to use a single IP address
for public and private network communication. There are many public networks in the
world and a limited number of private networks. Therefore, NAT is an effective solution
for heavy traffic.

Users want to connect with each other, but IPv4 has a limited number of IP addresses to
handle the volume of clients. NAT was introduced to solve this, and also to manage
requests from various clients through one private IP address as required by public
networks. At the centre of network address translation is a router, which hides the real
IP address and changes it into a new public IP address. To an external network, this IP
is shown as the IP of the router, but it is not the real address of the sender.

NAT helps the EMC Cloud network limit the number of IP addresses the company uses,
which reduces complexity and makes security easier to maintain. When EMC Cloud
employees use the same IP address to access external networks, it is very useful for the
security of the EMC network.


2.3

Benefit of implementing network monitoring system

Protect the network from unauthorized users or attackers

By implementing a monitoring system, suspicious traffic in the network can be identified
and acted on quickly. When the company uses SMB (Server Message Block), a network
monitoring service can provide a broad overview of it. SMB is a protocol for sharing
files, printers and serial ports and for communication abstractions between computers.
Today's exploits are more advanced and can target a system in many ways, so monitoring
the antivirus and firewall helps to control this.

Can fix the issues quickly

During an outage, time is very important. A monitoring system therefore helps
time-strapped network professionals solve problems easily and quickly. Whether a company
is dealing with a configuration error or an exceptional traffic fluctuation, the network
monitoring system helps to work out the cause.

Protect the data for all time

A cloud service provider may be concerned about loss of its clients' data. Implementing
a monitoring system helps to create automated, centralized backups for all systems
easily. The network monitoring system also makes it easy to keep backups synchronized,
and allows users to access another server's data over a secure protocol.

Remotely connect to the infrastructure

Network monitoring allows users to connect from anywhere in the world. It also allows an
SMB owner to conduct business from home, from the office or while travelling abroad.
This is very useful and important when there are only a few staff members and tasks
have to be completed on your own.

Can Identify the Security threats

Network monitoring helps to protect against data breaches and to secure company data. A
network monitoring tool provides a first level of security; its biggest advantage is that it
gives a picture of the organization's normal performance, so it helps to spot threats that
are out of the ordinary.

Activity 3

3.1

Risk Assessment
Risk assessment is the identification of threats or hazards that will have an impact on
an organization. It is a systematic method of looking at work activities, considering the
risks that can arise in the organization, and determining suitable control measures to
avoid loss, damage or injury. It also creates awareness among the organization's
employees, reduces negative incidents in the organization, and saves cost by being
proactive.

There are two types of risk assessment:

1. Qualitative Risk Assessment
2. Quantitative Risk Assessment

Qualitative Risk Assessment

This method assigns numeric values to the probability of a risk and to its impact. It
does not assign monetary values to assets or to possible losses. It is the simpler,
quicker and less expensive way to evaluate risk. Its main problem is that it is difficult
to give an accurate value for many types of hazard.

Quantitative Risk Assessment

This method measures hazards in exact monetary values. Quantitative risk assessment
attempts to give an expected yearly loss for each risk. It can also give asset values for
network equipment.

Way to develop risk assessment


1. Identify the threats or hazards. Identify the possible threats that can occur in the
organization, including natural disasters, cyber-attacks, utility risks and power
failure.
2. Determine what, or who, might be affected. Identify which business assets would be
negatively affected.
3. Evaluate the risk and generate control measures.
4. Record the findings. Risk assessment findings should be recorded so that they can be
accessed easily whenever they are needed.
5. Review and update regularly, because controls can change quickly in modern
business.

Risk assessment for EMC Cloud Solution


Step 1 - Identify the threats and hazard

Identify the threats and hazard which can occur in EMC cloud organization. Must
consider about the situated place, network type, using technologies, data storage method
when identify threats.

The possible threats and hazard are natural disaster, sabotage attack, utility risk, system
failure, etc.

Step 2 – Determine what, or who, might be affected

Determine who or what might be affected by the identified threats and hazards. A
natural disaster might affect network devices, employees, sensitive data and the clients'
user experience.

Sensitive data and clients might be affected by a sabotage attack. A system failure
will affect the daily work that customers or clients do using the cloud.

Step 3 – Evaluate the risk and generate control measure

Solutions are needed to control all the risks that can occur in EMC Cloud. The risks can
be evaluated under three different categories: low, medium and high. This helps the
organization to control the threats and hazards easily. To raise awareness of risk, the
company can also create policies, terms and regulations.

Step 4 – Record the Findings

Documenting the risk assessment will help the organization to take immediate and correct
decisions in the future. The report must include the risks that can occur in the
organization, the control measures, the vulnerabilities and the affected assets.

Step 5 - Review and update regularly

The organization must update its policies, terms and conditions, and risk assessment
method in line with the modern data business.
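
The five steps above can be carried through as a small risk register. The following is an added example, not part of the original report: the threats are the ones named in Step 1, while every score, monetary figure and the low/medium/high cut-offs are constructed assumptions. It records both the qualitative level and the quantitative expected yearly loss for each threat.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    threat: str             # Step 1: identified threat or hazard
    affected: str           # Step 2: what or who is affected
    likelihood: int         # qualitative score, 1 (rare) to 5 (almost certain)
    impact: int             # qualitative score, 1 (minor) to 5 (severe)
    asset_value: float      # quantitative: value of the affected asset
    exposure_factor: float  # fraction of that value lost in one incident
    aro: float              # annualised rate of occurrence (incidents/year)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.threat}: scores must be between 1 and 5")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.threat}: exposure factor must be 0..1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.threat}: value and rate cannot be negative")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Step 3: assumed cut-offs for the three categories.
        if self.score >= 15:
            return "high"
        return "medium" if self.score >= 6 else "low"

    @property
    def ale(self) -> float:
        # Expected yearly loss: single loss expectancy times yearly rate.
        sle = self.asset_value * self.exposure_factor
        return round(sle * self.aro, 2)


def build_register(risks):
    """Step 4: record the findings, highest qualitative score first."""
    ordered = sorted(risks, key=lambda r: (-r.score, -r.ale))
    return [{"threat": r.threat, "affected": r.affected, "score": r.score,
             "level": r.level, "ale": r.ale} for r in ordered]


def rank_by_ale(risks):
    """Quantitative view: threats ordered by expected yearly loss."""
    return [r.threat for r in sorted(risks, key=lambda r: -r.ale)]


# Constructed sample data: threats from the report, all figures invented.
SAMPLE = [
    Risk("Natural disaster", "network devices, employees, data", 2, 5, 500_000, 0.6, 0.1),
    Risk("Sabotage attack", "sensitive data, clients", 3, 5, 200_000, 0.5, 0.5),
    Risk("Utility risk", "data center power", 4, 3, 50_000, 0.2, 2.0),
    Risk("System failure", "clients' daily work", 3, 4, 100_000, 0.25, 1.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['level']:<7}{row['score']:>3}  ALE {row['ale']:>10,.2f}  {row['threat']}")
    print("By expected yearly loss:", rank_by_ale(SAMPLE))
```

With these sample figures the two methods disagree: the natural disaster is last by qualitative score but second by expected yearly loss, which is why a register reviewed under Step 5 is more useful when it keeps both columns.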

3.2

Data protection law and procedures for EMC cloud data storage
Data protection law differs from country to country. Data protection laws are set up by
governments or standards organizations to protect information and to maintain the
CIA triad (Confidentiality, Integrity, Availability). The following are some data protection
laws that will benefit EMC Cloud.

Data Protection Act 2018

This is the United Kingdom’s implementation of the GDPR (General Data Protection
Regulation).

“Everyone responsible for using personal data has to follow strict rules called ‘data
protection principles’. They must make sure the information is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against
unlawful or unauthorized processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

• race
• ethnic background
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health

There are separate safeguards for personal data relating to criminal convictions and
offences.” (UK Government, 2019)

ISO 31000

“Organizations that manage risks effectively are more likely to protect themselves and
succeed in growing their business. The challenge for any business is to integrate good
practice into their day-to-day operations and apply it to the wider aspects of their
organizational practice.

BS ISO 31000 is the international standard for risk management. By providing
comprehensive principles and guidelines, this standard helps organizations with their
risk analysis and risk assessments. Whether you work in a public, private or community
enterprise, you can benefit from BS ISO 31000, because it applies to most business
activities including planning, management operations and communication processes.

Whilst all organizations manage risk to some extent, this international standard’s best-
practice recommendations were developed to improve management techniques and
ensure safety and security in the workplace at all times. By implementing the principles
and guidelines of BS ISO 31000 in your organization, you’ll be able to improve
operational efficiency, governance and stakeholder confidence, while minimizing
losses. This international standard also helps you to boost health and
safety performance, establish a strong foundation for decision making and encourage
proactive management in all areas.

Benefit of ISO 31000

• Proactively improve operational efficiency and governance
• Build stakeholder confidence in your use of risk techniques
• Apply management system controls to risk analysis to minimize losses
• Improve management system performance and resilience
• Respond to change effectively and protect your business as you grow”
(The British Standards Institution, 2019)

3.3

IT Security & Organization Policy


Policies are a set of guidelines to protect the organization, its employees and its clients.
Organization policies cover regulatory procedures, employee practice, employee
discipline, and internet and email use. In the modern world attackers find smart
ways to bypass an organization's security, so an organization like EMC, which manages
a lot of sensitive data, needs to protect its data, network devices and assets. There are
many types of policy that the organization might develop, such as e-policies, health and
safety policies, employee policies and security policies. Among the security policies, IT
security is the most important. There are several types of IT security, such as network
security, internet security, data storage security and application security.

IT security policies are rules and guidelines for accessing and using the company’s IT
assets or resources. The main objectives of IT security are the CIA triad
(Confidentiality, Integrity and Availability).

• Confidentiality – Restrict access to authorized people only. This helps to prevent
sensitive information from reaching unauthorized people.
• Integrity – Allow only authorized people to modify IT assets or data.
• Availability – Authorized users need continuous access to the assets they are
allowed to use.

“Designed to guide employees’ behaviour with regard to the security of company data,
assets, IT systems, etc. These security policies define the who, what, and why regarding
the desired behaviour, and they play an important role in an organization’s overall
security posture. Information security policies should reflect the risk appetite of executive
management and therefore serve to establish an associated security mind-set within an
organization”. (Dunham, 2018)

TASK 4

4.1

Security Policy for EMC Cloud


“IT Security Policy is a model of the organization’s culture, in which rules and
procedures are driven from its employees' approach to their information and work. Thus,
an effective IT security policy is a unique document for each organization, cultivated
from its people’s perspectives on risk tolerance, how they see and value their
information, and the resulting availability that they maintain of that information. For this
reason, many companies will find a boilerplate IT security policy inappropriate due to its
lack of consideration for how the organization’s people actually use and share
information among themselves and to the public.

The objectives of an IT security policy is the preservation of confidentiality, integrity, and
availability of systems and information used by an organization’s members. These three
principles compose the CIA triad:

• Confidentiality involves the protection of assets from unauthorized entities
• Integrity ensures the modification of assets is handled in a specified and
authorized manner
• Availability is a state of the system in which authorized users have continuous
access to said assets”
(Palo Alto Networks, 2019)

The following is the security policy for EMC Cloud:

Physical security

CCTV surveillance should be installed in important areas such as the entrance gate, the
server room and the workplace. Security guards must be posted at the entrance gate and
inside the organization to prevent abnormal activity. Only authorized people are allowed
into the organization through the entrance, using an ID card checked by a barcode reader.

Authentication

Only authorized people are allowed to enter working departments. Every working
department needs a card reader on which the ID card is punched; the door then opens. The
reader also raises an alert when an ID card is not recognized, which helps to detect
unauthorized people.

Privacy

Only key people such as the HR manager, the CEO and supervisors know certain private
business matters. This helps to protect privacy without leaks.

Security awareness training

Security awareness training should be conducted for staff to prevent security failures.
Employees need security knowledge to protect the sensitive data of EMC Cloud’s
clients.

Special access

Only key authorized people have the right to access important resources such as the
network servers and data storage. This helps to safeguard the organization. Otherwise,
problems can occur because everyone can use every device.

Access to visitors

When clients come to the organization, there will be a separate place to communicate with
them. A specific team is assigned to communicate with the clients about the services that
EMC provides. Only authorized staff can enter any place other than this.

Password

A card reader is not enough for places like the data storage and the network servers.
Passcode verification is also required to access those servers, to protect the sensitive
information. The passcode is known by employees in important roles, such as managers
and leaders.

Network security

When connecting to an external network, the internal network devices need protection.
A VPN, firewall, DMZ, static IP and NAT are therefore needed to secure the network.

Risk management

A company like EMC Cloud holds a large amount of data, so there is a chance of threats
and hazards. To control them, a risk assessment plan is needed to prevent data loss and
other risks. A disaster recovery plan is needed as well.

Virus protection

In the workplace there will be thousands of nodes used for daily work. These nodes need
protection from malware and viruses, so antivirus software such as Kaspersky should be
installed to help prevent infection.

4.2

Disaster Recovery Plan

“A Disaster Recovery Plan (DRP) is a business plan that describes how work can be
resumed quickly and effectively after a disaster. Disaster recovery planning is just part of
business continuity planning and applied to aspects of an organization that rely on an IT
infrastructure to function.

The overall idea is to develop a plan that will allow the IT department to recover enough
data and system functionality to allow a business or organization to operate - even
possibly at a minimal level.

The creation of a DRP begins with a DRP proposal to achieve upper level management
support. Then a business impact analysis (BIA) is needed to determine which business
functions are the most critical and the requirements to get the IT components of those
functions operational again after a disaster, either on-site or off-site.” (Techopedia,
2019)

The following is the disaster recovery plan for EMC Cloud, as a step-by-step process:

Evaluate the business activities

Figure 3 DRP Evaluate Business Activities

Identify the business processes of EMC Cloud Solution that are imperative for the
business. For EMC Cloud there are many imperative processes, such as data storage and
the connection to the ISP (Internet Service Provider). Next, identify the label
dependencies. “This refers to the applications that EMC Cloud depends upon the most,
and diagnosing each application's maximum downtime accordingly” (Centre Technologies,
2014). Define the important applications and devices of the organization. Investigate the
organization's current weaknesses and risks, and also consider availability, restores and
backups. Next, gather information to dictate the recovery time requirements.

Determine Recovery Time Requirement

Figure 4 Determine Recovery Time Requirement

To gather enough information, first perform a Business Impact Analysis (BIA) to
measure the downtime of the things impacted in EMC Cloud Solution, such as reduced
client confidence or an ISP breakdown. Dictate the availability requirement and
calculate the cost of downtime. The next step is to define Recovery Point Objectives
(RPO). This means giving more priority to the organization’s data dependencies, to
ensure that backups are made and can be restored whenever needed. The next step is to
differentiate Recovery Time Objectives (RTO). “This refers to the amount of time after
data corruption or hardware failure has occurred in which full restoration is desired.”
(Centre Technologies, 2014). Assign the Maximum Tolerable Downtime (MTD). This is
the maximum length of time that the most important devices and data of EMC Cloud
can be unavailable before irreversible damage is done.

Next, test the hypothesis to become aware of weaknesses and risks. If the risk is high, an
innovative and creative solution is needed.

Test Hypothesis

Figure 5 Test Hypothesis

To test the hypothesis, assess the risks. This means being aware of the risks faced by
EMC Cloud, such as data loss and utility risk. Create a risk chart to record the risks and
rank them. “Walk through a DRP scenario and perform a technology gap analysis of
your current vs. desired RPOs, RTOs and MTD.” (Centre Technologies, 2014). When
any problem is found in the old DRP, it may be necessary to adopt more innovative
technologies and give more priority to closing technology gaps and addressing risk
areas. After that, implement a new solution plan to include those new solutions in the
Disaster Recovery Plan (DRP).

Policies and Procedures

Figure 6 Policies and Procedures

Create step-by-step instructions to clarify the procedure and the criteria for achieving
full recovery and restoring normal operation. “Define severity definitions and assign
escalation rules for procedures that may be needed in order to meet DRP timeline
requirements and MTD according to various disaster scenarios.” (Centre Technologies,
2014).

Form a team and assign roles and responsibilities so that the DRP is carried out properly.
Assigning suitable roles and responsibilities to the workers helps to avoid recovery
failure.

After that, test the DRP to ensure that there is no shortcoming in the plan that leaves
EMC Cloud Solution vulnerable. The DRP team must provide audit reports to maintain
the DRP. This helps to handle a major disaster in the future.
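
The technology gap analysis of current versus desired RPO, RTO and MTD described under Test Hypothesis can be automated once the targets are written down. The following is an added example, not part of the original report or of the cited Centre Technologies guide: the service names, all hour values and the severity labels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Service:
    name: str
    rpo_h: Optional[float]              # desired RPO in hours; None = holds no data
    rto_h: float                        # desired RTO in hours
    mtd_h: float                        # Maximum Tolerable Downtime in hours
    backup_interval_h: Optional[float]  # current: hours between backups
    tested_restore_h: Optional[float]   # current: restore time in the last DRP test


def gaps(svc):
    """Compare current capability with the desired RPO, RTO and MTD."""
    found = []
    if svc.rto_h > svc.mtd_h:
        found.append(("critical", "RTO target is longer than the MTD"))
    if svc.rpo_h is not None:
        if svc.backup_interval_h is None:
            found.append(("critical", "RPO is set but no backup is taken"))
        elif svc.backup_interval_h > svc.rpo_h:
            # Worst-case data loss equals the time since the last backup.
            found.append(("high", f"backup every {svc.backup_interval_h:g} h "
                                  f"cannot meet RPO of {svc.rpo_h:g} h"))
    if svc.tested_restore_h is None:
        found.append(("high", "restore never tested, RTO unverified"))
    elif svc.tested_restore_h > svc.mtd_h:
        found.append(("critical", f"tested restore of {svc.tested_restore_h:g} h "
                                  f"exceeds MTD of {svc.mtd_h:g} h"))
    elif svc.tested_restore_h > svc.rto_h:
        found.append(("medium", f"tested restore of {svc.tested_restore_h:g} h "
                                f"misses RTO of {svc.rto_h:g} h"))
    return found


def gap_report(services):
    """Risk chart for the DRP team: all gaps, most severe first."""
    rows = [(sev, svc.name, msg) for svc in services for sev, msg in gaps(svc)]
    return sorted(rows, key=lambda row: (SEVERITY_ORDER[row[0]], row[1]))


# Constructed sample data; every value is an illustrative assumption.
SAMPLE_SERVICES = [
    Service("Client data storage", 1, 4, 8, 24, 6),
    Service("ISP connection", None, 1, 2, None, 3),
    Service("Staff email", 24, 12, 48, 12, 8),
    Service("Billing database", 4, 10, 6, 4, None),
]

if __name__ == "__main__":
    for severity, name, message in gap_report(SAMPLE_SERVICES):
        print(f"{severity:<9}{name:<21}{message}")
```

A target whose RTO is longer than its MTD is reported as critical even before any test is run, because the plan would accept irreversible damage by design.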

4.3

Roles of Stakeholders to implement a security audit


When implementing the security audit, EMC Cloud must consider its stakeholders, such
as creditors, directors, employees and investors, and take their suggestions or
recommendations into the security audit. The reason is that the cost of an audit is
sometimes higher than estimated, in which case a loan can be taken from creditors.

The security audit should be approved by senior officers such as the directors before it
proceeds. Employees’ ideas help to carry out a successful security audit. They also help
by providing details about the data center and other organizational information.
Investors and shareholders are those who purchase shares in the organization. When
EMC Cloud needs more investment for the security audit, it can get financial support
from them.

So the roles of the stakeholders are most important when conducting a security audit,
because they matter at every step of the audit, as described in the paragraphs above.

References
Centre Technologies, 2014. Centre Technologies. [Online]
Available at: https://centretechnologies.com/15-steps-designing-successful-disaster-recovery-plan/
[Accessed 21 February 2019].

Dunham, R., 2018. LINFORD & COMPANY LLP. [Online]
Available at: https://linfordco.com/blog/information-security-policies/
[Accessed 13 February 2019].

Palo Alto Networks, 2019. Palo Alto Networks. [Online]
Available at: https://www.paloaltonetworks.com/cyberpedia/what-is-an-it-security-policy
[Accessed 21 February 2019].

Rouse, M., 2019. TechTarget. [Online]
Available at: https://searchsecurity.techtarget.com/definition/DMZ
[Accessed 28 January 2019].

Techopedia, 2019. Techopedia. [Online]
Available at: https://www.techopedia.com/definition/1074/disaster-recovery-plan-drp
[Accessed 21 February 2019].

The British Standards Institution, 2019. The British Standards Institution. [Online]
Available at: https://www.bsigroup.com/en-GB/iso-31000-risk-management/
[Accessed 21 February 2019].

UK Government, 2019. GOV.UK. [Online]
Available at: https://www.gov.uk/data-protection
[Accessed 16 February 2019].

Gantt Chart

[Gantt chart: Task 01, Task 02, Task 03 and Task 04 plotted by week across December 2018,
January 2019 and February 2019]

Grading Rubric

Grading Criteria Achieved Feedback

LO1 Assess risks to IT security

P1 Identify types of security risks to organisations.
P2 Describe organizational security procedures.
M1 Propose a method to assess and treat IT security risks.

LO2 Describe IT security solutions

P3 Identify the potential impact to IT security of incorrect configuration of firewall
policies and third-party VPNs.
P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a
network can improve Network Security.
M2 Discuss three benefits to implement network monitoring systems with supporting
reasons.
D1 Investigate how a ‘trusted network’ may be part of an IT security solution.

LO3 Review mechanisms to control organisational IT security

P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organisation.
M3 Summarise the ISO 31000 risk management methodology and its application in IT
security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.
D2 Consider how IT security can be aligned with organisational policy, detailing the
security impact of any misalignment.

LO4 Manage organizational security

P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the
reasons for inclusion.
M5 Discuss the roles of stakeholders in the organisation to implement security audit
recommendations.
D3 Evaluate the suitability of the tools used in an organisational policy.
