Security assignment 2nd sem

Esoft Metro Campus security assignment 2nd sem

Uploaded by thanoj20080103

Activity 01,

As digital technologies have risen, colleges such as Colombo Advanced College (CAC) now depend on high-level IT solutions for key operations including lectures, student data handling, academic research and administrative functions. With more than 2,500 students and 150 administrative staff, CAC manages a large and complicated IT network. The college recently became the target of a ransomware attack which inflicted widespread damage and halted its academic and administrative services. Evidently, the current defenses and policies of the college were not sufficient to defend against the advanced cyber risks it experienced.
In my job as a Junior Network Security Professional at TechSecure Solutions (Pvt) Ltd., I have to assess CAC’s security and develop a plan for strengthening CAC’s cybersecurity framework. The following assignment will look at the different threats the college faces, including ransomware, phishing attempts, unauthorized access, as well as the possibility of physical intrusion. Moreover, the evaluation will examine the security measures currently established and explain why firewalls, intrusion detection, multi-factor authentication (MFA) and encryption are critical to cybersecurity.
In the scope of Activity 1, I will identify critical IT security threats and consider countermeasures that can be used in both the physical and the digital world. I will explain how network monitoring, correct firewall rules, VPN configurations, DMZs, static IPs and NAT all contribute to enhanced network security. I will also present strategies for risk detection and management to ensure that the college’s security and normal operations are assured.
In the following part of this assignment, additional information is given on how Colombo Advanced College can adopt an efficient ISMS as per a specification such as ISO/IEC 27001. This requires bringing in clear policies, adopting strategies for disaster resilience, maintaining consistent system re-examinations, training staff and students on cybersecurity and keeping the institution on a constant lookout for security lapses.
This task seeks to help the college create a secure, trusted and forward-looking technology environment in which valuable data is guarded, legal requirements are met and learning and administrative processes run smoothly.
Activity 2

Briefing Paper,

2.1 Introduction,
As an educational institution in today’s world, it is important for Colombo Advanced College to put priority on cybersecurity, to protect the sensitive student and faculty data it holds, to maintain the efficient operation of the institution and to comply with legal regulations. The college has recently been the victim of a ransomware attack, which goes to show the holes in its IT infrastructure and security policies.
To face these challenges, an Information Security Management System (ISMS) is to be implemented. An ISMS structures the protection of information (confidentiality, integrity, availability) by identifying, assessing and mitigating the risks to that information. This serves the college well by allowing it to create a secure and robust IT environment aligned with internationally recognized standards such as ISO/IEC 27001.

2.2 Key principles of ISMS and its importance for CAC (Colombo Advanced College),
As an educational institution of repute in the areas of ICT, engineering and business studies, Colombo Advanced College deals with huge amounts of confidential data, especially student records, research materials and administrative information. This critical data must be safeguarded and operational efficiency maintained, and this can only be achieved through an Information Security Management System (ISMS). An ISMS puts in place a structured framework within the institution to ensure that information is kept confidential, unaltered and accessible (the CIA Triad), protecting the institution from cyber threats such as ransomware, unauthorized access and data breaches.

2.3 The CIA Triad – Colombo Advanced College’s fundamental ISMS elements,

1. Confidentiality – Confidentiality measures, which are roughly equivalent to privacy, are intended to shield private data from unwanted access attempts. Data is frequently categorized based on the kind and extent of harm that may be caused if it ended up in the wrong hands. Those categories can then be used to build more or less strict data security procedures.
2. Integrity – Data must be kept accurate, consistent and reliable during its whole existence. Data must not be altered while in transit, and precautions must be taken to prevent unauthorized individuals from altering it, as happens in the case of data breaches.
3. Availability – Authorized parties should be able to access information consistently and easily, which entails maintaining the technological infrastructure, hardware and systems that store and display the information.
(Cameron Hashemi-Pour, 2025)

2.4 Threat Reduction and Risk Management for Colombo Advanced College.
• Identifying and assessing specific threats such as ransomware attacks, phishing scammers targeting staff emails and unauthorized network access to the student database.
• This in turn facilitates the implementation of security controls such as robust firewalls, multi-factor authentication for faculty logins and encrypted data storage to protect sensitive information.
• Having separate plans and protocols for the recovery of systems and operations in case of cyberattacks or any system failures.

Constant Assessment and Improvement,
• Frequent security audits to determine the vulnerabilities inside the institution’s IT infrastructure.
• Adaptation of the security policies to developing cyber security threats and regulatory changes.
• Adopting various approaches to train the students, faculty and administrative staff so as to make them aware of, and able to stop, potential security breaches.

2.5 Adopting these concepts is essential for Colombo Advanced College for a number of reasons,

• Sensitive Data Protection – The institution stores a great deal of student and personal information. Without proper security measures this data is at risk of being breached, which would expose individuals to identity theft, fraud or even academic dishonesty.
• Increasing Regulations – By adopting such an ISMS, the college can meet the requirements of Sri Lanka’s Data Protection Act and ISO/IEC 27001, thereby reducing the risk of penalties and legal problems.
• Loss of Student Confidence – A data breach can lead to a loss of students’ trust, which undermines the relationship between the institution and its learners and can affect education to an extent.
• The College’s Cyber Threats – Since a cyber threat such as a ransomware attack can affect learning management systems and administrative processes, the college must be ready to continue its day-to-day operations. Here the ISMS is even more significant, guaranteeing that the essential systems remain accessible.
• Risk Management – Adoption of risk management measures enables the institution to pre-emptively detect, evaluate and minimize possible threats and improve its cybersecurity posture.

2.6 For a college like Colombo Advanced College, putting in place an Information Security Management System (ISMS) has several advantages,

• Enhanced Data Protection: An ISMS ensures that sensitive information such as academic records and personal student data is protected against unauthorized access or data breaches, preserving the privacy and security of the college’s information assets.
• Reducing Risks: When the college proactively finds risks and takes appropriate action to address them, security risks are greatly reduced. For example, access controls restrict critical data so that only authorized personnel can read it, limiting the risk of breaches.
• Legal Compliance: Educational institutions are, as a rule, subject to data protection rules and regulations. An ISMS ensures that Colombo Advanced College complies with these legal requirements, so it will not have to pay fines or fight court challenges arising from a data security breach.
• Improved Operational Effectiveness: A structured ISMS helps the college operate effectively: processes are streamlined and resources are managed efficiently. This provides availability of information when it is needed and guards against disruption.
• Confidence of Stakeholders: An implemented ISMS strengthens the trust of students and other stakeholders who share the campus. Seeing this gives them confidence that the college handles their information responsibly, which strengthens existing relationships and encourages them to stay involved.
• Effective Crisis Response: In case of a security breach, the ISMS gives a clear set of procedures for handling incidents, so that the college can minimize the impact and get the situation under control quickly. This ensures that any disruption is dealt with in a way that preserves the college’s reputation.

2.7 Components and Procedures Needed to Create and Keep a Sturdy ISMS.

Colombo Advanced College needs to address a number of crucial components and procedures in order to establish and sustain an ISMS,
• Leadership Support - Successful implementation of an ISMS demands the support of the college’s leadership in setting goals, allocating resources and promoting a view of security at all levels.
• Information Security Policies - The college should develop clear information security policies covering how information may be accessed, how user accounts should be managed and how security incidents should be responded to.
• Risk Management: Risk management is important because it provides key information about the threats to the college’s information, such as a cyber-attack or a data breach. Based on these risks, appropriate solutions such as encryption or multi-factor authentication (MFA) should be put in place.
• Human Error (Training and Awareness): Regular training for staff and students in security practices, such as recognizing phishing attempts and creating strong passwords, will reduce the human errors that may compromise security.
• Security Controls: Physical, administrative and technical security measures, such as firewalls and secure servers, can be implemented to ensure the security of the college’s data and systems.
• Security Breach Procedures: The college needs up-to-date procedures for handling a security breach, including incident detection, damage control, communication with affected parties and reporting to the relevant authorities.
• Regular Monitoring and Auditing: Monitoring and auditing should be done on a regular basis, for example through penetration tests, to find out whether vulnerabilities exist and whether the system is still secure.
• Evolution: The ISMS should develop continuously by incorporating feedback from audits, incident reports and similar sources, as well as updates in security threats and regulations, to ensure its effectiveness.
By focusing on these crucial elements, Colombo Advanced College can develop a robust and adaptable ISMS that ensures ongoing protection of its sensitive data.

2.8 How Colombo Advanced College can implement an ISMS.

Colombo Advanced College must follow a systematic procedure in order to implement an ISMS correctly,
1. Start by Evaluating the Current Security Status: Check the current security measures at the college, track valuable assets and point out the security gaps or weaknesses.
2. Establish Objectives and Scope: Determine which specific aspects of the college’s information need to be protected (e.g. student data and/or faculty communications), as well as specific, measurable goals supported by the institution’s priorities.
3. Produce Security Policies and Procedures: Based on the results of the assessment, prepare appropriate security policies and procedures covering the reduction of the identified risks and ongoing protection.
4. Physical Security Measures: Put physical measures in place to protect sensitive data, such as storing physical hardware in a safe or in a locked area and applying access controls to equipment that could expose the information.
5. Train Staff and Students: Provide training to staff and students on their responsibilities within the ISMS framework and cultivate a strong security-conscious culture in the college.
6. Continuous Evaluation and Improvement: Always use the results of evaluations of the ISMS, conduct regular audits and use the feedback to enhance the system on a continuous basis.

This will ensure that Colombo Advanced College puts in place a secure and adaptive ISMS to safeguard its information.
2.9 Conclusion,
At Colombo Advanced College, an Information Security Management System (ISMS) must be implemented to protect sensitive data and keep the institution’s digital infrastructure safe. If the college follows a structured approach that evaluates current security measures, sets objectives, implements strong policies and regularly evaluates the system, it can effectively mitigate risks and reduce the chances of security breaches. An ISMS with an emphasis on the CIA Triad (Confidentiality, Integrity, Availability) will help the college avoid non-compliance with laws, enhance the confidence of stakeholders and streamline operations. Eventually, with the adoption of an ISMS, Colombo Advanced College will ensure a secure environment and continue to pursue its academic mission while taking care of data security as well.
Activity 3

Colombo Advanced College’s Data Security Process Review Document,

3.1 Introduction,
Educational institutions such as Colombo Advanced College (CAC) store and process enormous volumes of sensitive data, including student records, academic research and administrative data, so data security is a paramount issue. After the recent ransomware attack, it is clear that the college needs stronger data security; this review will therefore examine the existing data protection strategies at the college, analyze the applicable legal frameworks and suggest improvements to the college’s IT security in light of the overall college objectives.

3.2 Assessment of the current Risk Assessment procedures at Colombo Advanced College,
An organization’s information security risk management is an essential part of its information security programme. The risk assessment process reportedly being followed at Colombo Advanced College (CAC) has been identified as an area that needs to change, particularly after the recent ransomware attack.
Present practices,
Currently, CAC’s digital infrastructure is subjected to an occasional, informal risk assessment process. However, there is no solid documentation or structured methodology to back up these reviews. Impromptu vulnerability assessments are performed by the IT team, usually based on anecdotal evidence with sporadic use of tools. The risk assessments primarily consider visible threats such as network breaches or equipment failure, but not all assets, including student data, academic research and administrative systems, are routinely assessed and addressed.
Strengths,
1. Unstructured Reviews: Although these reviews are not formal, the IT department does know what threats could be faced and takes corrective action when a serious vulnerability is identified.
2. Incident Response: After the ransomware attack, the college has realized that it needs a better organized and more proactive risk management approach.

Weaknesses,
1. Lack of a Formal Framework: There is no consistency in the risk assessment procedures and they do not cover all aspects. Key components including data classification, risk prioritization and risk mitigation are not sufficiently defined.
2. Periodicity of Risk Assessments: There are no predefined or periodic risk assessments, and as a result the college might not pick up new risks in time.

Recommendation.
Therefore, it is suggested that Colombo Advanced College adopt an organizational risk management framework such as ISO/IEC 27001 to help in the systematic control of all information security risks. This would ensure a more complete evaluation and closer alignment with the college’s overall goals and objectives.

3.3 Policies and adherence to Data protection at Colombo Advanced College,

With its reliance on digital systems, CAC has had to pay extra attention to data protection strategies to safeguard student, faculty and research data. More specifically, the college’s recent ransomware attack revealed serious vulnerabilities in the college’s security framework; therefore, the importance of following established data protection standards and devising effective risk mitigation measures is undeniable.
Current Data Security Measures,
Colombo Advanced College employs several security methods to protect its digital assets,
• Encryption: Student records and research information are encrypted both in storage and in transmission to prevent unauthorized access to the data.
• Management of user access: Role-based permissions govern access to confidential information. Nevertheless, more work is needed to apply tighter access controls so that sensitive data can be accessed only by essential personnel.
• Methods for Data Backup: Although CAC runs backups periodically, there is no automated solution and no geographically distributed backups, which is a considerable risk in case of a system-wide failure.
• Procedures for Responding to Incidents: Security breaches are handled case by case, but the lack of a central incident management system leads to inconsistent tracking and delayed response.
Relevant Law and Regulatory Frameworks,
CAC must adhere to important data protection laws in order to preserve compliance and respect ethical data handling standards, such as,
• General Data Protection Regulation (GDPR): Given CAC’s global collaborations, paying attention to GDPR is not optional. This includes implementing explicit consent mechanisms, implementing privacy by design and notifying data breaches within the 72-hour regulatory window.
• Sri Lanka Data Protection Act (Proposed): Sri Lanka is in the late stages of formalizing its data protection framework, and CAC must proactively integrate best practices ahead of the compliance requirements to improve the protection of personal data.

Strengths in Data Security,
• CAC has already deployed robust encryption and role-based access control (RBAC) to limit exposure to restricted personnel.
• A Change in Awareness: The growth in awareness of cyber threats is the institution’s first step towards tackling future threats with incident response and data security.

Identified Security Vulnerabilities,
• Infrequent Audits: CAC lacks a sufficient frequency of compliance audits, leaving security loopholes unidentified.
• Undefined Data Ownership: In the absence of a clear policy on research data ownership, the question of who owns the data, as well as who gets to determine how it will be accessed, is undefined.

Suggested Improvements,
In order to improve its security posture, CAC ought to,
• Provide Scheduled Security Audits for evaluating compliance with GDPR and Sri Lanka’s upcoming data protection law.
• Implement Automated Backup Solutions, including offsite storage, to protect the data and recover it in the case of cyberattacks.
• Create a Centralized Incident Management System to smooth the way for reporting and responding to security incidents.
• Define clear guidelines on who owns data, for example research data as well as student records.
Thus, by taking these measures, CAC can establish a sound security framework and comply with regulatory requirements while safeguarding vital institutional data from growing cyber-attacks.

3.4 A comprehensive Guide to Effective Risk Management and the Application of ISO Standards

To continue to secure Colombo Advanced College (CAC) correctly at the tactical, strategic and operational levels, it is imperative that the current approach to risk management at CAC aligns with international benchmarks. ISO/IEC 27001 is one of the best known frameworks for this purpose, offering a structured methodology to set up an Information Security Management System (ISMS) and reduce security risks effectively.

The function of ISO/IEC 27001 in Enhancing IT Security,
ISO/IEC 27001 takes a risk-based approach to information security, and it forms a systematic way in which CAC, like other institutions, can clearly identify, assess and eliminate security threats. Key components include:
1. Establishing the Context: Determining the sites and disciplines covered as part of understanding the institutional security landscape.
2. CAC Management’s Leadership Commitment and Security Culture: Constant support, integration of security initiatives into daily operations and the availability of resources to ensure security best practice.
3. A Structured Risk Management Approach: Having a systematic risk assessment process to identify weaknesses, assess the risks and their effects, and put in place appropriate security procedures.
4. Standardization of Network Security: Deployment of criteria that implement measures to improve network security, access control practices, incident response measures and business continuity.

Implementation at Colombo Advanced College,
• Specific Portions of ISO/IEC 27001: CAC should follow ISO 27002 and ISO 27003 to ensure that checklists related to specific areas are worked through periodically.
• Continuous Security Improvement: The framework’s continuous improvement model drives security advancements that adapt to changing internet threats, allowing CAC’s data infrastructure to be resilient.
Suggested Action Plan,
Adopting ISO/IEC 27001 is a way to strengthen CAC’s risk management framework and operate proactively in cybersecurity. Thus, the institution will be equipped to identify, evaluate and mitigate security risks, safeguarding the academic and administrative digital assets of the institution in line with global standards.

3.5 Evaluation of the Effects of an IT Security Audit at Colombo Advanced College.

An IT security audit is a thorough analysis of an organization’s security infrastructure to check whether the current approach is sufficient to safeguard digital assets. Such an audit is required for Colombo Advanced College (CAC) to evaluate the existing security controls, identify gaps and ensure compliance with international as well as national data protection regulations. In light of the recent ransomware attack, an IT security audit would be a necessary step towards strengthening CAC’s overall cybersecurity posture.
Possible Effects of an IT Security Audit,
A security audit of CAC would offer important insights into the institution’s IT infrastructure, including:
• Vulnerability Identification: The audit will identify weaknesses in the network infrastructure, data storage policies, access control mechanisms and beyond, pointing out the areas where unauthorized access or a cyber-attack could occur.
• Compliance Assessment: Making sure that CAC abides by data protection regulations like GDPR and Sri Lanka’s Data Protection Act. The audit will expose gaps where the institution may not be fully compliant, helping it avoid legal and financial consequences.
• Incident Response Readiness: Evaluation of how ready the college is in case of a security breach. The audit will also check the effectiveness of existing incident response plans and identify how improvements could be made, for example in log management, threat detection and response times.
• Security Policies and Their Controls: CAC’s capacity to meet its security policies and controls, covering the effectiveness of CAC’s intrusion detection systems, intrusion prevention systems, user authentication methods and data encryption processes.
• Operational Continuity and Disaster Recovery Preparedness: The ability of the institution to recover and continue data and services following a security incident. This includes a review of the backup strategies as well as the disaster recovery mechanisms.
Suggestions for Enhancing IT Security Following an Audit,
Regarding the identified gaps, Colombo Advanced College should put in place corrective measures as follows:
• Add multi-factor authentication (MFA) and further tighten the role-based access permission policy, as this will greatly reduce the chances of unauthorized data exposure.
• Network upgrades: Replace outdated firewalls, anti-malware software and intrusion detection systems with ones that enhance network security.
• Aligning Internal Policies: Apply internal policies in line with GDPR and Sri Lanka’s Data Protection Act to enable CAC to conform to evolving regulatory requirements.
• Automate Backups with Off-Site Storage: Keep backups in off-site storage to decrease downtime and provide data redundancy if there is a cyber-attack.

By conducting regular IT security audits, CAC will effectively improve its capability to recognize, prevent and respond to cyber threats, making the digital learning environment for students, faculty and staff safer and more secure.

3.6 Suggestion: Combining Organizational Policy and IT Security,

The IT security strategy for Colombo Advanced College (CAC) must be seamlessly integrated with the institution’s wider organizational goals and policies to ensure the security and resilience of its digital infrastructure. This approach allows security measures to be seen not as standalone initiatives but as foundational measures supporting academic and administrative operations. Security alignment, together with a culture of cybersecurity awareness, gives less risk and more compliance with legal and regulatory requirements.
Making Sure IT Security Complies with Organizational Objectives,
• IT security policies should be strategically integrated with CAC’s core mission of providing a safe and effective learning environment. Security policies need to be assessed periodically and updated to suit emerging cyber threats as well as new institutional needs.
• Security Awareness and Training: Since CAC is an academic institution, it must provide continuous cybersecurity training to its stakeholders. This should educate all stakeholders about the meaning of data protection, phishing risks, password security and compliance protocols.
• Shared Responsibility for Security: Security does not belong to the IT department alone; it must be a collaborative approach among all departments. This will bridge the gap in understanding between IT security and academic administration by establishing cross-functional security teams to combat the issue.

The Repercussions of Not Coordinating IT Security with Institutional Policies,
• Heightened Security Risks: Misalignment can create unprotected systems and weak access controls, making the college more likely to be hit by cyber threats and exposing student and faculty data.
• Regulatory Non-Compliance: Violating Sri Lanka’s Data Protection Act and the GDPR will result in fines, legal consequences and reputational damage.
• Loss of Trust: The absence of security integration can result in a data breach which will hurt stakeholder trust and cause the college to lose its reputation as a top academic institution.

Suggestions for Colombo Advanced College’s Strategy,
To properly integrate IT security with institutional regulations, CAC should,
• Align security measures with academic and administrative operations.
• Create an IT security committee to improve security governance, responsible for compliance monitoring and policy enforcement.
• Incorporate the guidelines of international and national bodies, such as ISO/IEC 27001, GDPR and Sri Lanka’s Data Protection Act, into the institution’s security framework to ensure compliance with standards.
• Encourage a culture of cyber responsibility so that every stakeholder, including administrators and students, takes part in it.

Taking these actions will enable Colombo Advanced College to improve its security posture and reduce risks, while creating a robust and future-proof cybersecurity framework that will support its long-term mission and objectives.
3.7 Conclusion,
Though Colombo Advanced College (CAC) has taken some necessary security steps, the college’s data protection measures still need strengthening. There are a number of key areas that need improvement: formalized risk assessments, regulatory compliance and stronger alignment between IT security policies and institutional goals. The college must address these gaps in order to curb cyber threats and data breaches and to engineer a resilient security posture.
With a structured risk management framework such as ISO/IEC 27001 in place, a proactive approach will be adopted and all risks will be systematically identified, assessed and mitigated. Regular IT security audits, constant monitoring and timely updates to security controls will also enhance the institution’s capacity to stay alert and respond to emerging threats.
A proper IT security plan needs to be synchronized with the college’s mission in order to develop a heightened awareness of cybersecurity across the community. A collaborative defense model will strengthen institutional resilience through the active participation of all members of the college in security best practices. Integrating security functions into core operations allows CAC to adhere to regulatory requirements that protect academic and administrative data under GDPR, Sri Lanka’s Data Protection Act and other applicable laws.
By establishing these strategic initiatives, Colombo Advanced College will be able to build an IT environment that is secure and future-proof while making sure that the level of data protection and compliance remains at its highest.
Activity 4

Report: Appraisal of an ISMS for Colombo Advanced College and Design of a Suitable Security Policy

4.1 Introduction,

Recently, Colombo Advanced College (CAC), a leading institution in ICT, engineering and business studies, fell prey to a ransomware attack that caused data loss and disrupted day-to-day operations. More importantly, this incident once again highlighted the requirement for a robust information security framework to protect critical assets and keep operations running. This report evaluates the functional and non-functional security requirements for the implementation of an ISMS at CAC. It also presents a security policy which includes elements of a disaster recovery plan to forestall future risks.
The report also identifies the key stakeholders for executing a security audit so that CAC can comply with regulatory standards and be more resilient to cybersecurity threats.

4.2 Frameworks for the ISMS at Colombo Advanced College

An Information Security Management System (ISMS) defines a structured methodology for
managing information security: it safeguards sensitive data and maintains the confidentiality,
integrity and availability of information. The principal aim of introducing an ISMS at
Colombo Advanced College is to build a robust security culture, minimize risk and strengthen
protection against evolving cyber threats that could damage critical systems and institutional
data.

4.2.1 Colombo Advanced College's (CAC) ISMS Implementation Map,

Colombo Advanced College (CAC) will implement an Information Security Management System
(ISMS) to protect all institutional information and systems from future compromise. The plan
is outlined below:
Phase 1 – Preliminary Planning and Evaluation,
Objective – Define the scope of the CAC ISMS and conduct a comprehensive risk analysis.
Steps to take,
• Form an ISMS project team drawn from the IT department, academic leadership and
administrative staff.

• Establish the ISMS scope, focusing on the most critical areas: student records, academic
research data and administrative functions.

• Identify CAC's risk factors by reviewing all systems and inventorying the data they hold.

• Perform a gap analysis between the current security posture and the desired state to
identify existing weaknesses, such as outdated infrastructure and weak security
policies.

Phase 2 – Framework Design and Policy Development,

Objective – Create the security policies, processes and controls that CAC requires.
Steps to take,
• Create information security policies covering access control, data protection, network
security and incident response.

• Write procedures for data backup, encryption, patch management and vulnerability
testing, and assemble them into the ISMS framework.

• Assign roles and responsibilities to security officers, IT staff, system administrators
and the academic departments involved in the system.

Phase 3 – Technical Execution,

Objective – Put technological security controls and safeguards into place at CAC.
Steps to take,
• Upgrade the college's network infrastructure, replacing old hardware and software in
line with the security policy.

• Encrypt sensitive data at rest and in transit.

• Enforce multi-factor authentication (MFA) and role-based access control (RBAC) on
critical systems and data.

• Install firewalls, deploy intrusion detection and prevention systems (IDS/IPS), and roll
out endpoint protection to secure the network.

• Automate patch management and application whitelisting to block unauthorized
applications and close known vulnerabilities.

Phase 4 – Validation and Testing,

Objective – Check adherence to the security criteria and confirm the effectiveness of the ISMS.
Steps to take,
• Perform penetration testing to discover security gaps and verify the strength of the
implemented controls.

• Run tabletop exercises and simulated incidents to confirm the readiness and
effectiveness of threat response, disaster recovery and incident response procedures.

• Commission third-party audits to confirm compliance with data protection regulations
such as GDPR and applicable local laws.

Phase 5 – Observation and Ongoing Enhancement,

Objective – Maintain security over time by regularly assessing and enhancing the ISMS.
Steps to take,
• Perform regular security audits to check for emerging threats and weaknesses, and adapt
controls accordingly.

• Create a continual improvement procedure that processes audit findings, adopts lessons
learnt and keeps pace with evolving security threats.

• Monitor security events as they happen, for example through intrusion detection and
network traffic analysis.

This structured approach gives CAC a clear path to build and maintain a robust ISMS that
protects critical information and systems while establishing a culture of security awareness
and resilience.

4.3 Policy on Security at Colombo Advanced College (CAC)

The effectiveness of CAC's ISMS depends on a robust security policy. This policy sets out how
data is secured, how access to it is granted, and how incidents are managed. An outline of the
college security policy, with a focus on disaster recovery, is provided below.
4.3.1 Key elements of the security strategy,

1. Data security and Management,

• Data classification protocols that establish how sensitive information (for instance,
student records and research data) is protected, with encryption in transit and at rest.

• Access control policies based on the principle of least privilege, so that users can
access only the data appropriate to their role.

• Multi-factor authentication (MFA) enforced on systems considered vital.

2. Network Security,

• Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) to
monitor and block unauthorised network access.

• Network segmentation to keep sensitive departments separated from the general
administrative areas.

3. Incident Response and Reporting,

• A centralized incident reporting system so that action can be taken as soon as a breach
is detected.

• A structured incident response protocol covering the identification, containment,
eradication, recovery and lessons-learnt phases.

4. Backup and Recovery,

• A defined and enforced backup schedule, with backups stored securely offline or in a
separate secured location.

• Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to limit the impact
of data loss and maintain business continuity.
5. Awareness and Training for Employees,

• Continuous staff training on new phishing threats, password security, data protection
and the reporting of suspicious activity.

• Regular security awareness campaigns to foster a strong security culture at the college.

4.3.2 Disaster Recovery Plan (DRP)

The Disaster Recovery Plan (DRP) describes what CAC will do if the network suffers a major
security breach, natural disaster or system failure. Key components include:
• Backups: Encrypted backups of all critical applications and student records are kept
available within the specified RTO and RPO so that the data can be restored.

• Processes: Clear protocols for informing key stakeholders (faculty, students, IT teams
and regulatory bodies) of the incident and of recovery status.

• Post-Incident Review: As soon as practical after an incident, analyse it to identify the
root cause, assess the effectiveness of the response and define the security
enhancements required.

• Monitoring: Automated security monitoring tools will spot real-time threats such as
unauthorized intrusions or ransomware activity.

• Disconnect Affected Systems: Isolate infected devices to prevent further damage, and
block malicious IP addresses.

The purpose of this security policy is to ensure that Colombo Advanced College remains
resilient against cyber threats and other security issues, preserving the continuity of its
operations and the integrity of its data.
4.4 The functions of Stakeholders in putting a security Audit into
practice.

Key stakeholders at all levels of the institution, including administration, faculty, students
and staff, are instrumental in the successful implementation of CAC's Information Security
Management System (ISMS) and security policies. The stakeholders and their roles are
described below.

1. College Management Executive Leadership,

• Role - Provide strategic direction, allocate resources and give institutional support to
ISMS initiatives.
Responsibilities,
• Ensure compliance with data protection regulations and institutional policies.

• Ensure that security projects and infrastructure meet departmental needs.

• Confirm security priorities and integrate cybersecurity into the college's overall
strategy.

2. IT Department,

• Role - Responsible for the technical implementation of the ISMS, security audits and
risk management.
Responsibilities,
• Perform security audits and risk assessments to identify vulnerabilities.

• Manage security controls, firewalls and access management systems.

• Supervise data backup and recovery procedures so that operations can continue.

• Continuously monitor systems for potential threats, incidents and failures, and
respond when systems are not functioning as they should.
3. Heads of Academic and Administrative Departments,

• Role - Ensure that the security policies support the operational needs of academic and
administrative departments.
Responsibilities,
• Promote adherence to security best practices among faculty and staff.

• Enforce the access control and data protection policies within their departments.

• Assist in promoting security awareness and training programs for students and
employees.

4. Consultants and Security Officers,

• Role - Assist in auditing the ISMS and verifying regulatory compliance.
Responsibilities,
• Conduct independent audits and vulnerability assessments.

• Check conformance with industry security standards (e.g. ISO/IEC 27001).

5. End users (Students and Employees),

• Role - Adhere to CAC's security policies and protect institutional data.
Responsibilities,
• Participate in cybersecurity awareness training.

• Follow password management and data protection guidelines.

• Report suspicious activity and security incidents to the IT department.

With clearly defined roles and responsibilities, CAC's security audit process can remain
effective, achieve compliance and continuously improve the cybersecurity framework.
4.5 Conclusion,

Implementing an Information Security Management System (ISMS) at Colombo Advanced
College is necessary to resist and prevent security breaches by safeguarding the most
sensitive institutional data. Through structured ISMS implementation, including risk
assessment, policy development, installation of technical security controls and continual
monitoring, CAC can put a resilient security posture in place.
The proposed security policy covers robust data protection, well-defined incident response
protocols and a comprehensive disaster recovery plan, providing effective threat mitigation
and business continuity. Sustaining the ISMS and instilling a culture of cybersecurity
awareness throughout the institution requires the active participation of all stakeholders,
from executive leaders to students.
By following the described implementation approach with a commitment to continuous
improvement, Colombo Advanced College will be prepared to protect its digital assets, meet
security regulatory requirements and increase its operational resilience against changing
cyber threats.
Activity 5

Security Policy for Colombo Advanced College.


Version – 1.0
Date – March 2025
Approved by – TechSecure Solutions (Pvt) Ltd.

1. Introduction
Colombo Advanced College is committed to keeping safe the digital environment in which
students, staff and institutional data reside. This policy specifies the protective measures
needed to secure the college's information assets, networks and IT infrastructure. The college
enforces these guidelines to prevent cyber threats, defend sensitive information and respond
reliably to security incidents.

2. Objective
The policy's main objectives are,
• Protect the IT infrastructure and confidential data against unauthorized access,
modification and destruction.

• Implement security standards that apply to all users of the college's systems.

• Ensure that all data protection practices adhere to national and international standards.

• Establish a clear structure for responding to security incidents.

• Strengthen the security of hybrid education and remote access systems.

3. Scope,
This policy applies to,
• All users who handle college IT resources, including employees, students and external
vendors.

• Every college-operated networked system and the infrastructure through which it is
accessed.

• All institutional data, including academic transcripts, financial records and
administrative documents.

4. Data protection and Security,

4.1 Data classification,
• Confidential Data - Personal records, academic results and faculty research; the highest
security measures must be enforced.

• Sensitive Data - Financial operations, payroll and proprietary research; must be
encrypted in storage and in transmission.

• Public data - Course materials and general announcements; confidentiality is not
required, but access control over who may publish or change them still applies.

4.2 Data encryption,

• All sensitive data must be encrypted with AES-256 or an equivalent approved algorithm.

• Confidential email content must be sent over encrypted channels, using S/MIME or PGP.
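As an added example that is not part of the original assignment or of any CAC system, the following Go program shows what "AES-256" at rest should mean in practice: AES-256 in GCM mode, a fresh random nonce per record, and the record identifier bound in as additional authenticated data. The key source, the record format and the `student-record:` label are assumptions made for the illustration; in production the key would come from a key management service rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, which selects AES-256 in crypto/aes.
const keySize = 32

// newKey returns a random 256-bit key. Assumed for the example: a real
// deployment would fetch the key from a key management system.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord encrypts plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the output, and aad (here the record ID) is authenticated but
// not encrypted, so a ciphertext cannot be silently swapped between records.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord. Any change to the nonce, ciphertext,
// tag or aad makes Open fail, so tampering is detected instead of yielding
// corrupted plaintext.
func decryptRecord(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real student data.
	record := []byte(`{"student_id":"S2025-0001","grade":"A"}`)
	aad := []byte("student-record:S2025-0001")

	sealed, err := encryptRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	plain, err := decryptRecord(key, sealed, aad)
	fmt.Printf("round trip ok: %v, err: %v\n", string(plain) == string(record), err)

	// Flip one bit of the stored blob: authentication must fail.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptRecord(key, tampered, aad)
	fmt.Println("tampered record rejected:", err != nil)

	// The same blob presented under another record ID is also rejected.
	_, err = decryptRecord(key, sealed, []byte("student-record:S2025-0002"))
	fmt.Println("swapped record rejected:", err != nil)
}
```

The last two checks in main are the reason to prefer an authenticated mode: a single flipped ciphertext bit, or a valid ciphertext replayed under a different record ID, is rejected outright instead of decrypting to silently corrupted data. Plain AES-CBC without a MAC gives neither guarantee.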

4.3 Data Backup and Recovery

• The college will maintain daily secure backups stored offsite or in the cloud.

• The Disaster Recovery Plan (DRP) must be able to restore data within 48 hours of a
breach or failure.

• The integrity of stored backups must be verified regularly.
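The backup bullets above are testable, and the following Go program, added here as an example rather than taken from the assignment, checks them against a constructed backup set: each copy's bytes are hashed and compared with the manifest hash, a corrupted copy is excluded, and the newest intact copy must be younger than the recovery point objective (24 hours for a daily schedule) with at least one intact copy offsite or in the cloud. The `Backup` struct, the location labels and the manifest format are assumptions for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Backup describes one stored copy: when it was taken, where it lives, the
// SHA-256 recorded in the manifest at backup time, and the bytes as read back
// from storage during the check. The struct is assumed for this example.
type Backup struct {
	Taken        time.Time
	Location     string // "offsite", "cloud" or "onsite"
	ManifestHash string
	Data         []byte
}

// Finding is one policy violation discovered by verifyBackups.
type Finding struct {
	Backup  string
	Problem string
}

// sha256Hex returns the lowercase hex SHA-256 of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// verifyBackups checks three things the policy asks for: that each copy's
// stored bytes still match the manifest hash (integrity), that at least one
// intact copy is offsite or in the cloud (separation), and that the newest
// intact copy is no older than the RPO. Corrupted copies do not count toward
// the RPO, because a backup that cannot be restored is not a backup.
func verifyBackups(backups []Backup, now time.Time, rpo time.Duration) []Finding {
	var findings []Finding
	var newestGood time.Time
	haveOffsite := false
	for _, b := range backups {
		label := b.Taken.Format(time.RFC3339) + "@" + b.Location
		if sha256Hex(b.Data) != b.ManifestHash {
			findings = append(findings, Finding{label, "integrity check failed"})
			continue
		}
		if b.Location == "offsite" || b.Location == "cloud" {
			haveOffsite = true
		}
		if b.Taken.After(newestGood) {
			newestGood = b.Taken
		}
	}
	if newestGood.IsZero() {
		return append(findings, Finding{"-", "no intact backup exists"})
	}
	if age := now.Sub(newestGood); age > rpo {
		findings = append(findings, Finding{newestGood.Format(time.RFC3339),
			fmt.Sprintf("newest intact backup is %s old, exceeds RPO of %s", age, rpo)})
	}
	if !haveOffsite {
		findings = append(findings, Finding{"-", "no intact offsite or cloud copy"})
	}
	return findings
}

func main() {
	// Constructed sample backup set for the demonstration; not real data.
	now := time.Date(2025, 3, 10, 8, 0, 0, 0, time.UTC)
	good := []byte("student-records-dump-v3")
	backups := []Backup{
		{now.Add(-6 * time.Hour), "offsite", sha256Hex(good), good},
		{now.Add(-30 * time.Hour), "cloud", sha256Hex(good), good},
		// Onsite copy whose bytes changed after the manifest was written.
		{now.Add(-2 * time.Hour), "onsite", sha256Hex(good), []byte("student-records-dump-v3 CORRUPT")},
	}
	findings := verifyBackups(backups, now, 24*time.Hour)
	if len(findings) == 0 {
		fmt.Println("backup set compliant")
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Backup, f.Problem)
	}
}
```

Run as a scheduled job, the findings list is what should page the IT team. A restore drill against the 48-hour RTO still has to be exercised separately, because a hash match proves the bytes are intact, not that the restore procedure works.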

5. User Access Control

5.1 Access Control,
• System permissions are granted according to the principle of least privilege: each user
receives only the access their role requires.
• Role-based access control (RBAC) ensures that each user group holds the correct
permissions.

• Every person accessing a system needs a unique login ID paired with a strong password.
5.2 Authentication Measure,
• Multi-factor authentication (MFA) is required for access to sensitive systems.

• Passwords must be at least 8 characters long and contain uppercase letters, lowercase
letters and numbers.

• Accounts must be deactivated on termination, or after 90 days of inactivity.
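To make 5.1 and 5.2 enforceable rather than aspirational, the Go program below, added as an example and not part of the original policy, validates a password against the stated composition rules and lists the accounts that must be disabled: terminated users and anyone with no login in the last 90 days, with never-used accounts measured from their creation date. The `Account` structure and the sample directory are constructed for the illustration.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// Account is an assumed minimal directory record for the example.
type Account struct {
	ID         string
	Terminated bool
	LastLogin  time.Time // zero value means the account has never logged in
	Created    time.Time
}

const (
	minPasswordLen  = 8
	inactivityLimit = 90 * 24 * time.Hour
)

// checkPassword applies the rules in 5.2: at least 8 characters with an
// uppercase letter, a lowercase letter and a digit. It returns every rule that
// failed, so the user sees all problems at once rather than one per attempt.
func checkPassword(pw string) []string {
	var problems []string
	var upper, lower, digit bool
	n := 0 // count runes, not bytes, so non-ASCII passwords are measured correctly
	for _, r := range pw {
		n++
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		}
	}
	if n < minPasswordLen {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minPasswordLen))
	}
	if !upper {
		problems = append(problems, "no uppercase letter")
	}
	if !lower {
		problems = append(problems, "no lowercase letter")
	}
	if !digit {
		problems = append(problems, "no digit")
	}
	return problems
}

// accountsToDeactivate returns the IDs of accounts the policy says must be
// disabled: terminated users, and users with no login in the last 90 days.
// An account that has never logged in is measured from its creation date, so
// a provisioned-but-unused account does not stay enabled forever. Exactly 90
// days of inactivity is still allowed; the limit is exceeded on day 91.
func accountsToDeactivate(accounts []Account, now time.Time) []string {
	var ids []string
	for _, a := range accounts {
		last := a.LastLogin
		if last.IsZero() {
			last = a.Created
		}
		if a.Terminated || now.Sub(last) > inactivityLimit {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

func main() {
	for _, pw := range []string{"Secure2025", "password", "Ab1"} {
		fmt.Printf("%q -> %v\n", pw, checkPassword(pw))
	}
	// Constructed sample directory for the demonstration; not real accounts.
	now := time.Date(2025, 3, 31, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	dir := []Account{
		{ID: "s1001", LastLogin: now.Add(-5 * day), Created: now.Add(-400 * day)},
		{ID: "s1002", LastLogin: now.Add(-120 * day), Created: now.Add(-400 * day)},
		{ID: "staff07", Terminated: true, LastLogin: now.Add(-day), Created: now.Add(-900 * day)},
		{ID: "tmp01", Created: now.Add(-100 * day)}, // provisioned, never logged in
	}
	fmt.Println("deactivate:", accountsToDeactivate(dir, now))
}
```

The 8-character composition rule is a floor, not a target: NIST SP 800-63B recommends favouring length and screening new passwords against breached-password lists over mandatory character classes, and the same check function can be extended with a longer minimum and a blocklist lookup without changing its callers. An inactivity sweep also reads last-login data, so the directory must record logins through every path (VPN, learning platform, single sign-on), or dormant accounts will look active.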

6. Network Security,
6.1 Firewall and Intrusion Prevention,
• A Next-Generation Firewall (NGFW) will be installed to block unauthorized access and
cyber threats.

• Intrusion detection systems (IDS) and intrusion prevention systems (IPS) will scan
network activity in real time.

6.2 Network Segmentation,

• The network will be segmented so that critical infrastructure is isolated from general
user access.

• Administrative and student networks will be separated to limit the spread of a security
breach.

7. Device and Endpoint Security,

7.1 Antivirus and Malware Protection,
• Antivirus and anti-malware software on all devices (workstations, servers, laptops,
mobile devices) must be kept up to date and configured for real-time scanning.

• A device that cannot demonstrate antivirus compliance will be denied network access
until compliance is achieved.
7.2 Patch Management,
• All systems and software, from operating systems and applications to network devices,
must be updated regularly with the latest security patches and fixes.

• Critical vulnerabilities will be patched immediately, and a patch management cycle will
be run at least monthly.

8. Incident Response and Reporting,

8.1 Incident Response Plan,
• A complete Incident Response Plan (IRP) must be in place describing how to respond to
security incidents such as a data breach or a ransomware attack.

• The IRP shall include immediate containment, root cause analysis and recovery
procedures, including restoring data from backups.

• A dedicated incident response team (IRT) will be available 24x7 to respond to incidents
and reduce their impact.

8.2 Reporting Security Incidents,

• All employees and students must report security incidents or suspicious activity to the
IT security team through the established reporting channels.

• Every security event will be documented in a completed Security Incident Report (SIR)
so that proper records exist and follow-up occurs.

9. Security Awareness and Training,

9.1 User Training Programs,
• Every user (student, faculty or staff member) will receive cybersecurity training on
joining the college and periodically thereafter.

• Training will cover how to recognize phishing emails, use secure passwords, handle
sensitive information and navigate the web safely.

9.2 Phishing Simulations,

• Periodic simulated phishing campaigns will test whether users apply the training in 9.1,
and the results will be used to direct further awareness training.
10. Continuous Monitoring and Auditing,
10.1 Real-time Monitoring,
• A Security Information and Event Management (SIEM) system will be used to monitor
network traffic, system logs and alerts from security tools in real time.

• All important systems and applications will be monitored for suspicious activity and
unauthorized access attempts.
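What the SIEM bullet means in code: the Go program below, added as an example and not taken from the assignment or any CAC system, parses a constructed log format into events and applies two of the detections the policy needs, a login brute-force rule (five or more failed logins from one source within five minutes) and a mass-rename rule that catches the file-extension churn a ransomware run produces (ten or more renames to a `.locked` suffix by one user inside a minute). The log format, field names, thresholds and the `.locked` extension are assumptions for the illustration; a real SIEM would normalise vendor-specific logs into the same kind of event and tune the thresholds to CAC's baseline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed log line. The line format is constructed for this
// example; a real SIEM would normalise vendor formats into similar fields.
type Event struct {
	At     time.Time
	Kind   string // "auth" or "file"
	Action string // "FAIL", "OK" or "RENAME"
	User   string
	Src    string
	Path   string
}

// parseLine parses "<RFC3339 time> <kind> <action> key=value ...". Lines that
// do not fit are reported as unparsed rather than crashing the collector.
func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	kv := map[string]string{}
	for _, field := range f[3:] {
		if k, v, ok := strings.Cut(field, "="); ok {
			kv[k] = v
		}
	}
	return Event{At: at, Kind: f[1], Action: f[2], User: kv["user"], Src: kv["src"], Path: kv["path"]}, true
}

// burstKeys groups the events selected by match under the key returned by
// keyOf and returns, sorted, every key with at least threshold events inside
// some sliding window of the given length. Timestamps may arrive out of order.
func burstKeys(events []Event, match func(Event) bool, keyOf func(Event) string,
	threshold int, window time.Duration) []string {
	times := map[string][]time.Time{}
	for _, e := range events {
		if match(e) {
			times[keyOf(e)] = append(times[keyOf(e)], e.At)
		}
	}
	var hits []string
	for key, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				hits = append(hits, key)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// bruteForceSources: five or more failed logins from one source within 5 minutes.
func bruteForceSources(events []Event) []string {
	return burstKeys(events,
		func(e Event) bool { return e.Kind == "auth" && e.Action == "FAIL" },
		func(e Event) string { return e.Src }, 5, 5*time.Minute)
}

// ransomwareUsers: ten or more renames to ".locked" by one user within a
// minute, the mass-encryption pattern a ransomware run leaves in file logs.
func ransomwareUsers(events []Event) []string {
	return burstKeys(events,
		func(e Event) bool { return e.Kind == "file" && e.Action == "RENAME" && strings.HasSuffix(e.Path, ".locked") },
		func(e Event) string { return e.User }, 10, time.Minute)
}

func main() {
	// Constructed sample log; not from any real system.
	base := time.Date(2025, 3, 10, 8, 0, 0, 0, time.UTC)
	lines := []string{"garbage line that the parser must skip",
		base.Format(time.RFC3339) + " auth FAIL user=alice src=10.20.1.9"}
	for i := 0; i < 6; i++ { // six failures in 2.5 minutes from one address
		lines = append(lines, base.Add(time.Duration(i)*30*time.Second).Format(time.RFC3339)+
			" auth FAIL user=admin src=10.20.1.5")
	}
	for i := 0; i < 12; i++ { // twelve renames to .locked in 33 seconds by one user
		lines = append(lines, fmt.Sprintf("%s file RENAME user=bob path=/share/doc%d.docx.locked",
			base.Add(time.Duration(i)*3*time.Second).Format(time.RFC3339), i))
	}
	var events []Event
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			events = append(events, ev)
		}
	}
	fmt.Println("brute force from:", bruteForceSources(events))
	fmt.Println("ransomware pattern by:", ransomwareUsers(events))
}
```

Both rules share the sliding-window helper, so adding another burst detection (for example, many distinct hosts contacted by one workstation in a short period) is a matter of supplying a filter and a key. The unparsed line is skipped on purpose: a collector that aborts on the first malformed line is itself a denial-of-service target.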

10.2 Regular Security Audits,

• Security audits will be conducted regularly, at least once a year, with independent
external experts involved, to detect vulnerabilities, assess compliance with the security
policy and identify deficiencies.

• Audit results will be used to update security measures and defenses against new threats.

11. Hybrid Learning and Remote Access Security,

11.1 Online Learning Platform Protection,
• All online learning platforms must use secure protocols (HTTPS) so that data transferred
to and from them is encrypted.

• Staff and students must authenticate to online platforms with MFA.

11.2 Secure Remote Access,

• Staff and students accessing college resources remotely must do so through a Virtual
Private Network (VPN) with strong encryption to protect communications.

• Remote desktop access must be protected with MFA, and all remote connections must be
logged.

12. Legal and Compliance Standards,

• Comply with the laws and regulations applicable in Sri Lanka in relation to data
protection, such as the Sri Lankan Personal Data Protection Act (PDPA), and other such
laws.
• Where applicable, security practices and policies will be aligned with international
standards such as ISO/IEC 27001 or the NIST Cybersecurity Framework, and with
regulations such as GDPR.

13. Enforcement and Accountability,

• Violations of this security policy may result in disciplinary action, up to and including
termination or expulsion, as appropriate.

• Managers and department heads are responsible for ensuring that their teams comply
with this policy and for reporting any violations.

14. Policy Review and Updates,

• The policy will be reviewed and updated each year, or sooner if an emerging threat or
new technology warrants it.

• All stakeholders will be notified of updates.

End of Document,

This policy is to be distributed to Colombo Advanced College's staff, students and
stakeholders for compliance and reference.
