Fundamentals of Network Security Assignment 1

The document discusses security awareness programs. It defines security awareness and explains the importance of such programs. It also describes how to define the objectives of an awareness program and how the program can increase its effect in an organization. The roles involved in handling information are also explained, as well as how information can be classified into categories.

© All Rights Reserved

Faculty of Engineering and Technology

STUDENT NAME: Seinio Tweulongelwa Ndeiluka

STUDENT NUMBER: 2126922

STUDY PROGRAMME: Bachelor of Science (Honours) in Network Security and Computer Forensics

LECTURER'S NAME: Erasmus Mfodwo

SUBJECT: Fundamentals of Network Security (C6-FNS-13)

DUE DATE: 16 August 2023

ASSIGNMENT: One (1)

Answer the following questions:

Table of Contents
1. Introduction
2. The Security Lifecycle
3. Information classification
4. Roles involved in handling information
5. Security awareness and its importance
6. The awareness program: objectives, effect and implementation
7. Review of a classmate's work
8. Reference

1. Introduction

2. Mention the phases of the Security Lifecycle. Explain each phase in detail [15 marks]

The Security Lifecycle

Identify: The first phase, in which you define what it is you are trying to protect (the assets), set the timeline, and determine the resources required. The overall objectives and goals, any existing security policy, business standards and applicable regulations are also identified and analysed at this stage, since they set the requirements that the later phases must satisfy.

Assess: The assessment phase builds on the identification phase in order to perform a thorough security assessment. In this phase risk management is carried out: the rules of engagement are agreed, a risk analysis is performed, the return on investment of the specific controls under consideration is estimated, a baseline of acceptable security is established, and current and future risks and vulnerabilities are evaluated.

Design: This phase formulates a solution and all the actions required to address the issues found, such as security risks, data breaches and cyber threats, so that the residual risk is within the organisation's risk tolerance and the requirements of any policies or regulations identified during the identification and assessment phases are met.

Implement: This phase puts the design into place and then monitors and maintains the acceptable level of security identified in the assessment phase (and possibly adjusted in the design phase). Anything that does or could affect the security of the asset is reported, and the availability of the asset is maintained.

Protect: Leung (2023) states that the protection phase covers both testing and installation of the controls, while Modern Analyst Media LLC (2023) describes this phase as providing the services needed to archive out-of-date information, to ensure that all used media is properly disposed of so that confidential information is not leaked, and to plan for and evaluate the termination of a service that is being phased out.

Monitor: This phase is also referred to as the maintenance phase. The activities that Modern Analyst Media LLC (2023) lists under protection take place here as well: out-of-date information is archived, all disposed system media is handled so that confidential information cannot leak from it, and the termination of a service that is being phased out is planned for and evaluated.

3. How can the information be classified into categories? Explain each category in detail [10 marks]

According to Irwin (2022), information classification is a process in which organisations assess the data they hold and the level of protection it should be given; information is usually classified in terms of confidentiality, i.e. who is granted access to view it.

Simplilearn (2023) states that the first step of information classification is assigning a value to each information asset, depending on the risk of loss or harm if the information is disclosed. Based on that value, information is sorted into the following categories, listed here from most to least sensitive:

Confidential Information: information that is treated as confidential by all entities that hold or are affected by it. The highest level of security measures should be applied to such data.
Classified Information: information to which access is restricted by law or regulation.
Restricted Information: information that is available to most but not all employees.
Internal Information: information that is accessible to all employees but not to outsiders.
Public Information: information that everyone, within and outside the organisation, can access.
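As an added illustration (not part of the original assignment or of the sources it cites), the following Python encodes the five categories above as an ordered scale and enforces them: a reader must hold a clearance at or above the record's level, and Restricted records additionally carry need-to-know groups so that they are "available to most but not all employees". It also shows why aggregation matters: a document built from several sources takes the highest level and the union of the groups of its parts. The numeric ordering of the levels, the sample records and the sample subjects are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable


class Level(IntEnum):
    """The five categories, least to most sensitive. The numeric order is an
    assumption of this example, taken from the text placing Confidential
    highest and Public lowest."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CLASSIFIED = 3
    CONFIDENTIAL = 4


@dataclass(frozen=True)
class Label:
    """A classification label: a level plus the need-to-know groups that make
    Restricted information available to most, but not all, employees."""
    level: Level
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    """Who is asking: outsider or employee, their clearance, and their groups."""
    name: str
    employee: bool
    clearance: Level
    groups: FrozenSet[str] = frozenset()


def can_read(subject: Subject, label: Label) -> bool:
    """Read is allowed only if the clearance dominates the record's level AND
    the subject holds every group the label demands. Outsiders see Public only."""
    if not subject.employee:
        return label.level == Level.PUBLIC
    if subject.clearance < label.level:
        return False
    return label.groups <= subject.groups


def join(labels: Iterable[Label]) -> Label:
    """Label for a document assembled from several sources: the aggregate
    inherits the highest level and the union of all need-to-know groups."""
    labels = list(labels)
    level = max((lbl.level for lbl in labels), default=Level.PUBLIC)
    groups = frozenset().union(*(lbl.groups for lbl in labels))
    return Label(level, groups)


def filter_readable(subject: Subject, records: dict) -> list:
    """Names of the records the subject is allowed to see, sorted."""
    return sorted(name for name, label in records.items() if can_read(subject, label))


# Constructed sample data (assumed, not from the page).
RECORDS = {
    "press-release.txt": Label(Level.PUBLIC),
    "staff-handbook.pdf": Label(Level.INTERNAL),
    "payroll-2023.xlsx": Label(Level.RESTRICTED, frozenset({"hr", "finance"})),
    "regulator-filing.pdf": Label(Level.CLASSIFIED),
    "merger-plan.docx": Label(Level.CONFIDENTIAL, frozenset({"board"})),
}

VISITOR = Subject("visitor", employee=False, clearance=Level.PUBLIC)
CLERK = Subject("clerk", employee=True, clearance=Level.INTERNAL)
HR_OFFICER = Subject("hr", employee=True, clearance=Level.RESTRICTED, groups=frozenset({"hr"}))
PAYROLL = Subject("payroll", employee=True, clearance=Level.RESTRICTED,
                  groups=frozenset({"hr", "finance"}))
DIRECTOR = Subject("director", employee=True, clearance=Level.CONFIDENTIAL,
                   groups=frozenset({"board"}))


if __name__ == "__main__":
    for s in (VISITOR, CLERK, HR_OFFICER, PAYROLL, DIRECTOR):
        print(f"{s.name:9} -> {filter_readable(s, RECORDS)}")
    combined = join([RECORDS["staff-handbook.pdf"], RECORDS["payroll-2023.xlsx"]])
    print("handbook + payroll ->", combined.level.name, sorted(combined.groups))
```

Note that the HR officer, although cleared to Restricted, cannot open the payroll file because the label demands both the "hr" and "finance" groups; level alone is not enough, which is the practical difference between Restricted and Internal. The director, despite the highest clearance, is refused the same file for the same reason.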
4. What are the roles involved in handling each piece of information? Explain their responsibilities in detail [15 marks]

Information Roles and their Responsibilities

Information Owner
• interprets the information;
• implements the information security standards that apply to it;
• defines the procedures for granting and making available access to the information;
• is accountable for safeguarding the information assets.

Data Steward (Data Owner)
• provides direct authority and control over the management of the information;
• decides on the use of specific information;
• facilitates the interpretation and implementation of data policies, standards and procedures.

Data Users
• protect and maintain the information systems and data they use;
• comply with the standards and procedures for accessing information and information assets.

IT Resource Owner
• provides the administrative, physical and technical control of, and support for, IT resources;
• provides oversight of third-party hosted or managed IT resources;
• complies with policies, standards and procedures in supporting IT resources;
• ensures that the safeguards protecting IT resources and information assets are in place.

5. What is Security Awareness and why is it important? [10 marks]

Security awareness is an ongoing process of educating and training employees about the threats that face the organisation. Put simply, security awareness is knowing what the security threats are and acting responsibly to avoid potential risks, or at least to reduce the human-related security risk to the organisation and its stakeholders. It is important because its ultimate goal is that employees know how to prevent such threats, what they must do in the event of a security incident, and how to mitigate harm if a threat does penetrate the organisation's systems. It also helps employees to be more proactive and to take responsibility for keeping the company and its assets safe and secure.

6. Explain in detail the following:

a. How can the objectives of the Awareness Program be defined? [10 marks]

An awareness program is a tool that helps employees identify threats quickly, which can significantly reduce the risk of security incidents and help prevent data breaches. A security awareness program not only helps stop threat actors in their tracks but also promotes an organisational culture that is focused on heightened security. Security awareness programs are a necessity for the survival of the organisation, just as advertising is, and the organisation must invest in security training, tools and talent to minimise risk and ensure company-wide data security.

Awareness programs carry messages that need to be taught to, understood by and accepted by every employee in the organisation, regardless of their level or the role they play.

Bragg, Rhodes-Ousley and Strassberg (2005) state that the objectives of a security awareness program need to be clarified in advance, because presentation is the key to success. A well-organised, clearly defined presentation to the employees will generate more support and less resistance than a poorly developed, random, ineffective attempt at communication. Of paramount importance is the need to avoid losing the audience's interest or attention, or alienating the audience by making them feel like culprits or otherwise inadequate to the task of protecting security. The awareness program should be positive, reassuring and interesting.

b. How does it increase the effect in the organisation? [15 marks]

A well-defined awareness program can significantly reduce the cost and number of security incidents in the organisation, and reduce the extent to which employees expose information, directly or indirectly, to threats and risks.

According to Bragg, Rhodes-Ousley and Strassberg (2005), security awareness programs are meant to change behaviours, habits and attitudes. To succeed in this, an awareness program must appeal to positive preferences: the overall message of the program should emphasise factors that appeal to the audience. An awareness program can focus on the victims and the harmful results of incautious activities; people need to be made aware that bad security practices hurt people, whether they intend it or not. The negative effects can be spotlighted to provide motivation, but the primary value of scare tactics is to get the user community to start thinking about security (and their own decisions and behaviours) in a way that helps them see how they can protect themselves from danger.

Actions that cause inconvenience or require a sacrifice from the audience may not be adopted if the focus is on the difficulty of the actions themselves rather than on their positive effects. The right message has a positive spin, encouraging employees to perform actions that make them heroes, such as showing the courage and independence it takes to resist appeals from friends and coworkers to share copyrighted software. Withstanding peer pressure to make unethical or risky choices can be shown in a positive light.

c. How is the awareness program implemented by the employees? [15 marks]

Employees implement the awareness program by:
• understanding how to recognise a security problem;
• thinking about how they can perform their job functions in compliance with the security policy;
• knowing how they should react to security incidents;
• knowing how to report potential security events;
• knowing what to do about unauthorised or suspicious activity;
• using information technology systems in a secure manner;
• handling personal practices securely, such as password creation and management, and file transfers and downloads;
• handling e-mail attachments with care.

Security practices should be shown to be the responsibility of everyone in the company, from executive management down to each employee. Employees take security practices more seriously when they see that security is important to the company rather than just another initiative, and when executives lead by example. Codes of ethics or behaviour principles can be used to let all employees know exactly what to do and what is expected of them (Bragg et al., 2005).

7. Review your classmate's work [10 marks]

8. Reference
• Bragg, R., Rhodes-Ousley, M. and Strassberg, K. (2005, June 29). Network Security Foundation.
• Modern Analyst Media LLC (2023, January). The Security Lifecycle. Retrieved from https://www.modernanalyst.com/Resources/Articles/tabid/115/ID/482/The-Security-Lifecycle.aspx
• Leung, J. W. S. (2023, March 22). Information Security Program Life Cycle.
• Irwin, L. (2022, August 30). What is ISO 27001 Information Classification? Retrieved from https://www.itgovernance.co.uk/blog/what-is-information-classification-and-how-is-it-relevant-to-iso-27001
• Simplilearn (2023, August 7). Information Classification in Information Security. Retrieved from https://www.simplilearn.com/information-classification-article
