Unit 5: Security: LO3 Review Mechanisms To Control Organisational IT

The document discusses mechanisms to control organizational IT security including risk assessment procedures, data protection processes and regulations, and company regulations. Risk assessment involves evaluating risks like network changes, audits, disaster recovery plans, and data/asset loss. Data protection is governed by acts like the Data Protection Act and regulations like ISO 31000. Company regulations control physical access and security.

Uploaded by

Bob Long

UNIT 5: SECURITY

LO3 Review mechanisms to control organisational IT security
Learning Outcomes and Assessment Criteria

LO3 Review mechanisms to control organisational IT security

Pass:
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organisation.

Merit:
M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organisational security resulting from an IT security audit.

Distinction:
D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.
LO3 Review mechanisms to control organisational IT security
■ Mechanisms to control organisational IT security:
– Risk assessment and integrated enterprise risk management:
■ Network change management, audit control, business continuance/disaster recovery plans, potential loss of data/business, intellectual property, hardware and software; probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO 31000 standards.
– Company regulations:
■ Site or system access criteria for personnel; physical security types e.g. biometrics, swipe cards, theft prevention.
Risk assessment and integrated enterprise risk management:
■ Network change management
■ Audit control
■ Business continuance/disaster recovery plans
■ Potential loss of data/business
■ Intellectual property
■ Hardware and software
■ Probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO 31000 standards.
(NCCM) Network configuration and change management
■ With this system/discipline in place, organising and maintaining information about all of the components in a computer network becomes significantly easier.
■ Network device configuration information is stored on a centrally located server, from which device configurations can be easily downloaded.
■ The network administrator refers to the network configuration management database to determine the best course of action when repairs, modifications or upgrades are needed.
(NCCM) Network configuration and change management
■ Uses include:
– Daily checking of device configuration data to spot any changes in configuration files, which could reveal cyber threats and potential failures.
– Creating bulk changes, such as implementing mass changes to passwords on devices throughout the network.
– Auditing and reporting, allowing information about network components to be tracked easily.
■ This image is taken from:
– https://www.manageengine.com/network-configuration-manager/network-configuration-and-change-management.html
■ This is a good resource to see a practical software application of NCCM.
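The daily configuration check described above can be illustrated with a small drift detector. This is an added example, not code from the slides or from the ManageEngine product: it compares each device's running configuration with the baseline held on the central server and reports only the lines that changed. Device names and configuration lines are constructed.

```python
import difflib
import hashlib

# Constructed baseline configurations, as stored on the central config server.
# Device names are hypothetical.
BASELINE = {
    "core-sw-01": "hostname core-sw-01\nlogging host 10.0.0.5\nntp server 10.0.0.6\n",
    "edge-fw-01": "hostname edge-fw-01\naccess-list 10 deny any\nlogging host 10.0.0.5\n",
}

# Constructed "running" configurations as collected from the devices today.
CURRENT = {
    "core-sw-01": "hostname core-sw-01\nlogging host 10.0.0.5\nntp server 10.0.0.6\n",
    "edge-fw-01": ("hostname edge-fw-01\naccess-list 10 permit any\n"
                   "logging host 10.0.0.5\nusername svc-backup privilege 15\n"),
}


def fingerprint(config: str) -> str:
    """Cheap first-pass comparison: hash the whole config text."""
    return hashlib.sha256(config.encode()).hexdigest()


def check_drift(baseline: dict, current: dict) -> dict:
    """Return {device: [changed lines]} for devices whose running config no
    longer matches the baseline. Unchanged devices are omitted; a device that
    could not be collected is reported so it is not silently skipped."""
    report = {}
    for device, golden in baseline.items():
        running = current.get(device)
        if running is None:
            report[device] = ["<no configuration collected for this device>"]
            continue
        if fingerprint(running) == fingerprint(golden):
            continue  # identical to baseline, nothing to review
        diff = difflib.unified_diff(golden.splitlines(), running.splitlines(),
                                    fromfile=f"{device}.baseline",
                                    tofile=f"{device}.running", lineterm="", n=0)
        # Keep only added/removed config lines, dropping diff headers and hunk markers.
        report[device] = [ln for ln in diff
                          if ln[:1] in "+-" and not ln.startswith(("+++", "---"))]
    return report


if __name__ == "__main__":
    for dev, lines in check_drift(BASELINE, CURRENT).items():
        print(f"[DRIFT] {dev}")
        for ln in lines:
            print("   ", ln)
```

An unexpected new privileged user or a loosened access-list, as in the constructed edge-fw-01 case, is exactly the kind of change a daily review is meant to surface.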
Audit control
■ An organisation that is unaware of how and where security breaches might occur could soon be faced with a situation that will be costly, and could be very embarrassing.
■ Instead, a security audit should be conducted to check what might go wrong, and to plan improvements before a hacker – or some other individual – takes advantage of the situation.
Audits could include:
– Review and management
■ e.g. access to systems.
– Establishment and review of personal, corporate and technical trust.
– Vetting of staff.
– Forensic analysis of systems
■ Use of custom forensics or existing sysadmin tools.
Business continuance
■ While a security audit will identify weaknesses that ought to be addressed, and an organisation should make every effort to remedy any shortfall, there will always be a risk of a security breach.
■ For this reason, an analysis of risks should be carried out and a contingency plan drawn up.
■ This contingency plan should cover backup, offsite storage, data recovery procedures, access to immediate hardware replacement, plus insurance that covers replacement, loss of business and all the recovery work.

Training should be given so that employees know what to do, for example, if they suspect a virus attack:
• Who should they contact first?
• Should they turn their ICT system off?

Employees also need to know what to do if they think their login ID is being used by someone else:
• Who should they inform of their fear?
• What methods might be used to trap the culprit?
• What procedures should be followed to prevent similar lapses in security in future?
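One detection method for the "login ID used by someone else" scenario above is to look for successful logins of the same account from different source addresses within a short window. This is an added example, not part of the slides; the log format, field names and all log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (hypothetical format):
# <ISO timestamp> login user=<id> src=<address> result=<success|failure>
SAMPLE_LOG = """\
2024-03-04T08:58:10 login user=alice src=10.1.4.22 result=success
2024-03-04T09:01:42 login user=bob src=10.1.4.31 result=success
2024-03-04T09:03:05 login user=alice src=198.51.100.7 result=success
2024-03-04T09:10:00 login user=alice src=10.1.4.22 result=success
2024-03-04T09:12:30 login user=carol src=10.1.4.40 result=failure
2024-03-04T13:20:15 login user=bob src=10.1.4.31 result=success
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; the timestamp becomes a datetime."""
    ts, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_shared_logins(log_text: str, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {user: {source addresses}} for users with successful logins from
    more than one source within `window`. Failed attempts are ignored: the
    signal here is a credential that works from two places at once."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted, so nothing further lies within the window
                if later["src"] != first["src"]:
                    flagged.setdefault(user, set()).update({first["src"], later["src"]})
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_logins(SAMPLE_LOG).items():
        print(f"[REVIEW] {user}: logins from {sorted(sources)} within 30 minutes")
```

A hit is a prompt for the people and procedures the slide asks about (who to inform, what to check), not proof of misuse on its own, since VPN changes and shared terminals produce the same pattern.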
Backup/restoration of data
■ Employees who are responsible for data recovery should also know the procedures to follow.
■ The aim should be to plan ahead so that the whole system can be up and running again within a specified time-scale, e.g. 24 hours.
■ Then, if the worst case scenario happens, disaster recovery should be as smooth as possible. The contingency plan has to be developed from a full risk analysis, so that every eventuality is taken into consideration.
Potential loss of data/business
■ Costs
– If data is lost, costs are incurred in recovering the data.
– If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs.
– Depending on how serious the breach was, there may be a need to consult specialists, and this too will incur extra costs.
■ Loss of business
– A security breach can result in the collapse of an ICT system.
– The time during which normal service is not available is called downtime.
– Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will come back later, but some will not; they will already have taken their business elsewhere.
– If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an organisation.
Intellectual property
■ Intellectual property protection helps you to stop people stealing or copying:
– the names of your products or brands
– your inventions
– the design or look of your products
– things you write, make or produce

■ Copyright, patents, designs and trade marks are all types of intellectual property protection. You get some types of protection automatically; others you have to apply for.
■ Consider that you must have mechanisms in place to protect a company's IP.
Hardware and software
■ Risk assessment of hardware and software takes place through the ISO 27001 Risk Assessment and Treatment Process.
Probability of occurrence
■ Consider the following when outlining the likelihood of security risks:
– Disaster
– Theft
■ How can a company meet the following?
– Data Protection Act (2018)
– Computer Misuse Act (1990)
– ISO 31000 standards
■ What are staff responsibilities in this process? Explaining why data is collected, how it is stored, management of data, following security guidelines etc.
Data Protection Act 2018

■ Implementation of the General Data Protection Regulation (GDPR).
■ Outlines strict rules called 'data protection principles'.
■ There is stronger legal protection for more sensitive information, such as:
– Race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life or orientation.
■ Outlines rights to find out what information the government and other organisations store about you.
Computer Misuse Act (1990)

■ Protects computer users against attacks and theft of information.
■ Offences under the act include:
– hacking,
– unauthorised access to computer systems,
– purposefully spreading malicious and damaging software (malware), such as viruses.
ISO 31000 standards

■ Provides guidelines for dealing with today's threats.
■ These are guidelines, not requirements, and the standard is therefore not intended for certification purposes.
■ Risk management guidelines include:
– Planning
– Implementing
– Measuring
– Learning
Company regulations:

■ Site or system access criteria for personnel:
– It should not be easy to walk into a facility without a key or badge, or without being required to show identity or authorisation.
– Controlling physical access is your first line of defence, protecting your data (and your staff) against the simplest of inadvertent or malicious intrusions and interferences.
■ Physical security types could include e.g. biometrics, swipe cards, theft prevention (cameras etc.).