(PIS) Individual Assignment

This document contains an assignment on principles of information security submitted by a student. It includes: 1. An access control policy and supporting policies on user authentication, access review/monitoring, and remote access. 2. Strategic and execution plans to implement access control through awareness training, technology, role-based access control, regular reviews/monitoring, and multi-factor authentication. 3. Descriptions of brute force password guessing and ransomware attacks. 4. An overview of the key principles and rights provided by the UK's Data Protection Act of 1998, which was later replaced by the GDPR.

Uploaded by

Cyber Shadic

Executive MSc in Information Security

Assignment
Principles of Information Security (PIS)

Prepared by:
Name | Student No.
Vishwa Bandara | EMSc-IS-83-551

Submitted to:
Dr. Manjula Sandirigama

Due Date:
29th July 2023
Part – A

Area/Sub Domain of Controls Selected: Access Control

Policy Statements

1. Access Control Policy


At our organization, we prioritize information security through an Access Control Policy that
governs how we manage user access to our systems and data. This policy will ensure that access rights
and privileges are assigned based on job roles and business requirements, following the principle of
least privilege.

2. User Authentication Policy


We are committed to ensuring that only authorized individuals can access our information systems.
Our User Authentication Policy requires authentication strength proportional to the sensitivity of
the data and system being accessed: a password meeting our length and complexity rules as the
minimum, multi-factor authentication (MFA) for sensitive systems, and biometrics or smart cards
where the risk justifies them.

3. Access Review and Monitoring Policy


Our vigilance extends to regular reviews of user access privileges and monitoring access activities
for any suspicious or unauthorized behavior. With our Access Review and Monitoring Policy, we aim
to promptly detect and respond to potential security breaches.

4. Remote Access Policy


We understand the importance of secure remote access to our systems. Our Remote Access Policy
sets the requirements for connecting remote devices to our information systems: connections must
go through the corporate VPN so that traffic is encrypted in transit, and remote users authenticate
to the same standard the User Authentication Policy sets for on-site access.

Strategic and Execution Plans

1. Awareness and Training


Strategic Plan: We will conduct organization-wide awareness programs to educate all employees
about the significance of access control and the potential risks associated with unauthorized access.
Execution Plan: Dedicated training modules and workshops will ensure that everyone understands
the Access Control Policy and knows how to adhere to its requirements.

2. Access Control Technology Implementation


Strategic Plan: To support our access control efforts, we will invest in access control technologies
and solutions that match our organization's requirements and industry best practices.
Execution Plan: Our IT team will analyze the requirements, select the most suitable access control
solutions, and implement them so that access restrictions are enforced consistently across systems.

3. Role-Based Access Control (RBAC) Implementation


Strategic Plan: We will adopt Role-Based Access Control so that access is granted according to job
roles and responsibilities rather than to individuals, minimizing the risk of unauthorized access.

Execution Plan: Our team will define the access roles, the permissions each role carries, and the
responsibilities attached to each job role, then integrate the RBAC model into existing systems and
processes, with every permission not explicitly granted to a role denied by default.
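The RBAC model this plan describes, as an added example that is not part of the original assignment: a deny-by-default role and permission store, and the per-user entitlement listing an access review would sign off. The role names, permissions and user assignments are constructed for illustration.

```python
"""Minimal role-based access control (RBAC) with deny-by-default checks.

Added example, not from the original assignment. Roles, permissions and
user assignments below are constructed for illustration.
"""
from dataclasses import dataclass

# A permission is a (resource, action) pair. Assumption: flat string names;
# a real deployment would scope resources per application.
Permission = tuple[str, str]


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]


class RBAC:
    def __init__(self) -> None:
        self._roles: dict[str, Role] = {}
        self._user_roles: dict[str, set[str]] = {}

    def define_role(self, name: str, permissions: set[Permission]) -> None:
        self._roles[name] = Role(name, frozenset(permissions))

    def assign(self, user: str, role: str) -> None:
        # Refuse unknown roles loudly rather than silently granting nothing.
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> frozenset[Permission]:
        # Union of all permissions carried by the user's roles.
        perms: set[Permission] = set()
        for role in self._user_roles.get(user, ()):
            perms |= self._roles[role].permissions
        return frozenset(perms)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Deny by default: unknown users, unknown resources and missing
        # grants all fall through to False.
        return (resource, action) in self.effective_permissions(user)


def build_demo_rbac() -> RBAC:
    """Constructed demo: two HR roles with different write rights, one finance role."""
    rbac = RBAC()
    rbac.define_role("hr_staff", {("hr_records", "read")})
    rbac.define_role("hr_manager", {("hr_records", "read"), ("hr_records", "write")})
    rbac.define_role("finance", {("ledger", "read"), ("ledger", "write")})
    rbac.assign("alice", "hr_staff")
    rbac.assign("bob", "hr_manager")
    rbac.assign("carol", "finance")
    return rbac


def access_review(rbac: RBAC, users) -> dict[str, list[Permission]]:
    """Per-user effective entitlements, the artifact a periodic review checks
    against job roles so that stale or excessive grants can be revoked."""
    return {u: sorted(rbac.effective_permissions(u)) for u in users}


if __name__ == "__main__":
    r = build_demo_rbac()
    checks = [
        ("alice", "hr_records", "read"),
        ("alice", "hr_records", "write"),
        ("carol", "hr_records", "read"),
        ("mallory", "ledger", "read"),
    ]
    for user, resource, action in checks:
        verdict = "ALLOW" if r.is_allowed(user, resource, action) else "DENY"
        print(f"{user:8} {resource}:{action:6} {verdict}")
    for user, perms in access_review(r, ["alice", "bob", "carol"]).items():
        print(user, perms)
```

Separating roles from users is what makes the quarterly review tractable: the reviewer compares a short role-to-permission table and a user-to-role table instead of thousands of individual grants, and revoking a role removes every permission it carried at once.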

4. Regular Access Reviews and Monitoring


Strategic Plan: To maintain a proactive approach, we will establish a continuous monitoring
mechanism to identify and respond to access control violations promptly.
Execution Plan: We will implement access review processes at regular intervals (e.g., quarterly or
semi-annually) to assess user access rights and privileges against current job roles, revoking any
that are no longer needed. Additionally, our IT team will employ security information and event
management (SIEM) tools to monitor access logs for suspicious activity, in particular repeated failed
logins and access outside a user's normal pattern.

5. Multi-Factor Authentication (MFA) Deployment


Strategic Plan: To reinforce our authentication mechanisms, we will implement MFA for critical
systems and sensitive data.
Execution Plan: After identifying the systems and data repositories that require an additional layer
of security, we will deploy MFA in stages, using methods such as biometrics, smart cards, or one-time
passwords, and preferring phishing-resistant methods (smart cards, hardware security keys) over
codes delivered by SMS or e-mail.

6. Regular Policy Audits and Compliance Assessments


Strategic Plan: Ensuring continued adherence to the Access Control Policy and its effectiveness is a
priority for us.
Execution Plan: We will conduct periodic policy audits and security assessments to evaluate the
implementation and effectiveness of access controls. Any identified gaps or non-compliance will be
addressed promptly.

Please note that the above plans are tailored to our organization's needs and context. We will involve
relevant stakeholders, such as IT teams, management, and legal/compliance, in the planning and
implementation processes to ensure a comprehensive and successful approach to information security.

Part – B

Brute Force Password Guessing

In this attack, an attacker attempts to gain unauthorized access to the data by repeatedly submitting
candidate passwords until the correct one is accepted. Automated tools speed up the process, working
through lists of common passwords, dictionary words, and variations of previously leaked credentials.
The attack succeeds where passwords are weak or where the service does not limit failed attempts:
without rate limiting, account or source lockout, and MFA, the attacker can keep guessing until the
password is found.
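An added example, not part of the original assignment, serving both the failed-login monitoring called for in Part A (SIEM review of access logs) and the attempt limiting this paragraph describes: a detector that flags any source exceeding a threshold of failed logins inside a sliding window, run over constructed sshd-style log lines, and a server-side throttle that locks a (user, source) pair after repeated failures. The log lines, thresholds and lockout period are assumptions.

```python
"""Detect brute-force password guessing in auth logs and throttle it at login.

Added example, not from the original assignment. The log lines below are
constructed in sshd style; the thresholds and lockout period are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays several accounts within seconds,
# while alice at 198.51.100.9 mistypes her password once and then logs in.
SAMPLE_LOG = """\
2023-07-20T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50211 ssh2
2023-07-20T10:00:02 sshd[1201]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2023-07-20T10:00:02 sshd[1201]: Failed password for root from 203.0.113.7 port 50213 ssh2
2023-07-20T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 50214 ssh2
2023-07-20T10:00:04 sshd[1201]: Failed password for admin from 203.0.113.7 port 50215 ssh2
2023-07-20T10:00:05 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 50216 ssh2
2023-07-20T10:00:30 sshd[1202]: Failed password for alice from 198.51.100.9 port 40100 ssh2
2023-07-20T10:00:41 sshd[1202]: Accepted password for alice from 198.51.100.9 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log: str):
    """Yield (timestamp, result, user, ip) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def find_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return {ip: (total_failures, distinct_users)} for every source with at
    least `threshold` failed logins inside some sliding `window`."""
    failures = defaultdict(list)  # ip -> [(ts, user), ...] in log order
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), len({u for _, u in events}))
                break
    return hits


class LoginThrottle:
    """Server-side limit on failed attempts per (user, source) pair.

    After `max_failures` consecutive failures the pair is refused until
    `lockout` has elapsed; each further failure re-arms the lockout, so a
    guesser is slowed to one attempt per lockout period. Success clears it.
    """

    def __init__(self, max_failures: int = 5, lockout: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self._state = {}  # (user, ip) -> (failure_count, locked_until or None)

    def allowed(self, user: str, ip: str, now: datetime) -> bool:
        _, locked_until = self._state.get((user, ip), (0, None))
        return locked_until is None or now >= locked_until

    def record(self, user: str, ip: str, success: bool, now: datetime) -> None:
        key = (user, ip)
        if success:
            self._state.pop(key, None)
            return
        failures = self._state.get(key, (0, None))[0] + 1
        locked_until = now + self.lockout if failures >= self.max_failures else None
        self._state[key] = (failures, locked_until)


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins against {users} accounts")
```

Keying the throttle on the (user, source) pair rather than on the user alone keeps an attacker from locking legitimate users out of their own accounts by deliberately failing against them; the detector keyed on source catches the password-spray pattern (one source, many accounts, few attempts each) that a per-account lockout misses.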

Ransomware Attack

Ransomware is a type of malware that encrypts the victim's data and demands a ransom payment for
the decryption key. In this attack, the attacker first gains access to the system, often through
phishing e-mails, stolen credentials, or unpatched vulnerabilities in exposed services. Once inside,
the attacker deploys the ransomware, which encrypts critical data; many operators also copy the data
out beforehand and threaten to publish it. The victim is left with a choice: pay the ransom in the
hope of receiving a working decryption key, or risk losing access to the data permanently. Tested
backups kept offline or otherwise out of the attacker's reach are the control that removes that choice.

Part-C

The main goal of the Data Protection Act 1998 (DPA) was to protect your privacy and your rights
over your personal data. The Act covered data held electronically and data held in structured
paper filing systems. It set rules for organizations that decided how and why your data was
collected and processed (data controllers), and for those who processed data on a controller's
behalf (data processors).

The DPA laid out eight principles that organizations had to follow when handling personal data: it
had to be processed fairly and lawfully; obtained only for specified and lawful purposes; adequate,
relevant and not excessive; accurate and, where necessary, kept up to date; not kept for longer than
necessary; processed in accordance with the data subject's rights; protected by appropriate technical
and organisational security measures; and not transferred outside the European Economic Area (EEA)
without an adequate level of protection.

As an individual, you had rights under this law. You had the right to access your data held by
organizations, request corrections if there were any mistakes, and even object to certain types of data
processing.

Consent was one of the conditions under which organizations could process your data, but not the
only one: processing could also be justified by, for example, the performance of a contract, a legal
obligation, or the organization's legitimate interests. Where consent was relied on, organizations
had to explain clearly why they needed your information, and for sensitive personal data (such as
health or ethnicity) the Act required your explicit consent unless another specific condition applied.

The DPA also restricted the transfer of your data outside the EEA to countries or arrangements that
provided an adequate level of protection, so that it remained protected wherever it went.

Organizations were required to take appropriate measures to protect personal data from unauthorized
access, loss, or damage, and, with limited exceptions, had to notify the Information Commissioner's
Office (ICO) of their processing and appear on its public register.

If organizations failed to adhere to the Data Protection Act, they could face enforcement action by
the ICO, including enforcement notices, monetary penalties (up to £500,000 from 2010), and, for
certain offences, criminal prosecution.

It is important to note that the Data Protection Act 1998 was superseded in May 2018 by the EU
General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018,
which brought stronger protections for your data and substantially higher penalties. Always keep
yourself updated with the current data protection regulations to stay informed about your rights and
how your information is being handled.
