Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title BTEC Higher National Diploma in Computing

Assessor Internal Verifier

Unit 05: Security
Unit(s)
Providing a suitable security solution for METROPOLIS CAPITAL Bank
Assignment title

Student’s name
List which assessment Pass Merit Distinction
criteria the Assessor has
awarded.
INTERNAL VERIFIER CHECKLIST
Do the assessment criteria awarded match
those shown in the assignment brief? Y/N

Is the Pass/Merit/Distinction grade awarded

justified by the assessor’s comments on the Y/N
student work?

Has the work been assessed

Y/N
accurately?
Is the feedback to the student:
Give details:

• Constructive?
Y/N
• Linked to relevant assessment
criteria? Y/N

• Identifying opportunities for

improved performance?
Y/N

Y/N
• Agreeing actions?
Does the assessment decision need
Y/N
amending?
Assessor signature Date

Internal Verifier signature Date

Programme Leader signature (if
Date
required)
 Confirm action completed
Remedial action taken

Give details:

Assessor signature Date

Internal Verifier
Date
signature
Programme Leader
Date
signature (if required)
Higher Nationals - Summative Assignment Feedback Form
Student Name/ID
Unit 05: Security
Unit Title
Assignment Number 1 Assessor
Date Received 1st
Submission Date
submission
Date Received 2nd
Re-submission Date
submission
Assessor Feedback:

LO1. Assess risks to IT security

Pass, Merit & Distinction P1 P2 M1 D1

Descripts
LO2. Describe IT security solutions.

Pass, Merit & Distinction P3 P4 M2 D1

Descripts

LO3. Review mechanisms to control organisational IT security.

Pass, Merit & Distinction P5 P6 M3 M4 D2
Descripts

LO4. Manage organisational security.

Pass, Merit & Distinction P7 P8 M5 D3
Descripts

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grades decisions have
been agreed at the assessment board.
Pearson
Higher Nationals in
Computing
Unit 5 : Security
General Guidelines
1. A Cover page or title page – You should always attach a title page to your assignment. Use previous page as
your cover sheet and be sure to fill the details correctly.
2. This entire brief should be attached in first before you start answering.
3. All the assignments should prepare using word processing software.
4. All the assignments should print in A4 sized paper, and make sure to only use one side printing.
5. Allow 1” margin on each side of the paper. But on the left side you will need to leave room for binging.

Word Processing Rules

1. Use a font type that will make easy for your examiner to read. The font size should be 12 point, and should
be in the style of Time New Roman.
2. Use 1.5 line word-processing. Left justify all paragraphs.
3. Ensure that all headings are consistent in terms of size and font style.
4. Use footer function on the word processor to insert Your Name, Subject, Assignment No, and Page
Number on each page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help edit your assignment.

Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late submissions will not be
accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be accepted for failure
to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply
(in writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to
complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you properly reference
them, using the HARVARD referencing system, in you text and any bibliography, otherwise you may be guilty
of plagiarism.
9. If you are caught plagiarising you could have your grade reduced to A REFERRAL or at worst you could be
excluded from the course.
Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.

2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiaries or copy another’s work in any of the assignments for this
program.
4. I declare therefore that all work presented by me for every aspects of my program, will be my own, and
where I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding agreement
between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the
attached.

Student’s Signature: Date:

(Provide E-mail ID) (Provide Submission Date)
Assignment Brief
Student Name /ID Number

Unit Number and Title Unit 5- Security

Academic Year 2022/23

Unit Tutor

Assignment Title METROPOLIS CAPITAL Bank

Issue Date

Submission Date

IV Name & Date

Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:

LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Assignment Brief and Guidance:

METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It
operates over 100 branches and 500 ATM machines across the island as well as 8 Branches overseas. In
order to provide their services, METROPOLIS CAPITAL Bank has a primary datacenter located in
Colombo and a Secondary datacenter located in Galle. Each branch and ATM must have connectivity to
the core banking system to be able to operate normally. In order to establish the connectivity between
datacenters, branches and ATM machines, each location has a single ISP link. This link provides VPN
services between branches, ATMs and datacenters as well as MPLS services for the bank and it
establishes connectivity between datacenters, ATMs, and branches.

METROPOLIS CAPITAL Banks Head Office is a 5 Story Building in Kollupitiya with the Ground
Floor allocated for Customer Services, the First Floor allocated for HR, the Second Floor allocated for
Meeting Rooms and Senior Executive Staff, the Third Floor is allocated for the Technical Support Team
and the Fourth Floor hosts High Performance Servers running core banking systems. Fifth Floor is for
some other outside companies that are not related with the METROPOLIS CAPITAL Bank. Other than
this, METROPOLIS CAPITAL bank provides a lot of services to customers including online and mobile
banking facilities. Therefore, their core banking system must communicate with several outside systems
and all communication between outside systems, Data centers and the Head Office is protected by a
single firewall. In Addition, METROPOLIS CAPITAL Bank has recently implemented a bring your
own device (BYOD) concept for Senior Executive Staff and HR Departments and to facilitate this, they
are providing employee WiFi as well as a guest WiFi Hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several Local and foreign IT service
vendors. Some local vendors provide services and supports to foreign companies. METROPOLIS
CAPITAL Banks Technical Support Team is a local third-party vendor, contracted by METROPOLIS
CAPITAL Bank and managed by their Supply chain management officer. The Technical Support Team
provides onsite and remote support for their customers.

METROPOLIS CAPITAL bank strictly follows the rules and regulations enforced by the government
and the Central Bank. Therefore, they have obtained the ISO 31000:2009 certification. In addition to
this, the areas of datacenters, branches, ATM and HQ is covered by CCTV and 24x7 monitoring is
happening. Other security functions like VA scanning, internal auditing, and security operation done by
the bank employees. They have purchased a VA scanning tool, Privilege access management (PAM)
 system, Endpoint detection and respond (EDR) system, Data loss prevention (DLP) tool, Web
application firewall (WAF) and Secure mail gateway which are managed by the Technical Support
Team.

It has been reported that an emergency is likely to occur where a work from home situation may be
initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security
Analyst to recommend and implement a suitable Security solution to facilitate this situation.

Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL Bank
may face under its current status and evaluate a range of physical and virtual security measures that
can be employed to ensure the integrity of organizational IT security. You also need to analyze the
benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with valid
reasons in order to minimize security risks identified and enhance the organizational security.

Activity 02
2.1 Discuss how an incorrect/improper configuration for network infrastructure such as firewall and VPN
could impact METROPOLIS CAPITAL Bank. Assess IT security risks that may face by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can facilitate their employees with a
“Secure remote working environment”.

2.2. Discuss how following technologies would benefit METROPOLIS CAPITAL Bank and its Clients to
increase network performance. (Support your answer with suitable illustrations).
i) Static IP,
ii) NAT
iii)DMZ

Activity 03
 3.1 Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its
clients. Explain the mandatory data protection laws and procedures which will be applied to data storage
solutions provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management
methodology" and summarize the ISO 31000 risk management methodology and its application in IT
security. Analyze possible impacts to organizational security resulting from an IT security audit.
Recommend how IT security can be aligned with organizational Policy, detailing the security impact of
any misalignment.

Activity 04
4.1 Design and Implement suitable security policy to prevent misuse and exploitations in line with
METROPOLIS CAPITAL Bank using the Organizational policy tools for the given scenario,
While evaluating and justifying the suitability of the tools used in an organizational policy to meet
business needs. Identify the stakeholders who are subject to the METROPOLIS CAPITAL Bank and
describe the role of these stakeholders to build security audit recommendations for the organization.

4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to
guarantee maximum reliability to their clients. (Student must develop a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes of time including justifications and reasons for
decisions and options used).
Grading Rubric
Grading Criteria Achieved Feedback

LO1 Assess risks to IT security

P1 Discuss types of security risks to organizations.

P2 Assess organizational security procedures.

M1 Analyze the benefits of implementing network monitoring systems

with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can
be employed to ensure the integrity of organizational IT security.
LO2 Describe IT security solutions

P3 Discuss the potential impact to IT security of incorrect

configuration of firewall policies and third- party VPNs.

P4 Discuss, using an example for each, how implementing a DMZ,

static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.

LO3 Review mechanisms to control organizational IT

Security
 P5 Review risk assessment procedures in an organization.

P6 Explain data protection processes and regulations as applicable to

an organization.

M3 Summarize the ISO 31000 risk management methodology and its

application in IT security.

M4 Analyze possible impacts to organizational security resulting from

an IT security audit.
D2 Recommend how IT security can be aligned with organizational
Policy, detailing the security impact of any misalignment.
LO4 Manage organizational security

P7 Design a suitable security policy for an organization, including the

main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in
implementing security audits.
M5 Justify the security plan developed giving reasons for the elements
selected.

D3 Evaluate the suitability of the tools used in an organizational policy

to meet business needs
Contents
Acknowledgement....................................................................................................................18

Activity 01................................................................................................................................20

LO1 Assess risks to IT security....................................................................................................................20

P1 Discuss types of security risks to organizations......................................................................................20

1.1. Definition of Information Security................................................................................................20

1.2. Definition of an attack...................................................................................................................21

1.2.1. Types of Attacks........................................................................................................................22

1.2.2. Difference between Active Attack and Passive Attack..............................................................24

1.3 Key Concepts of Information Security...............................................................................................24

1.4 Definition of a Threat.........................................................................................................................25

1.5 IT Security Risk.................................................................................................................................29

1.6 Definition of Organizational Risk......................................................................................................30

P2 Assess organizational security procedures..............................................................................................34

1.7 Definition of security procedures.......................................................................................................34

M1 Analyze the benefits of implementing network monitoring systems with supporting reasons.............35

1.8 Definition of network monitoring system..........................................................................................35

1.9 Supports that can be gain through monitoring system of Metropolis Capital Bank..........................39

D1 Evaluate a range of physical and virtual security measures that can be employed to ensure the integrity
of organizational IT security........................................................................................................................40

1.10 Definition of security........................................................................................................................40

1.11 The way physical security and virtual security impact to Metropolis Capital Bank........................44

Activity 02................................................................................................................................45

LO2 Describe IT security solutions..............................................................................................................45

2.1 P3 Discuss the potential impact to IT security of incorrect configuration of firewall policies and third-
party VPNs...................................................................................................................................................45

2.1.1 Introduction about firewalls............................................................................................................45

2.1.2 Types of firewalls............................................................................................................................45

2.1.3 Impacts of incorrect configuration of firewall................................................................................48

 2.1.4 Definition of VPN...........................................................................................................................49

2.1.5 Types of VPN..................................................................................................................................50

2.1.6 Advantages and Disadvantages of VPN..........................................................................................51

2.1.7 Impacts of incorrect configuration of VPN.....................................................................................52

2.2 P4 Discuss, using an example for each, how implementing a DMZ, static IP and NAT in a network
can improve network security......................................................................................................................53

2.2.1 Definition of DMZ..........................................................................................................................53

2.2.2 Importance’s of DMZ......................................................................................................................55

2.2.3 Definition of static IP......................................................................................................................56

2.2.4 Definition of NAT...........................................................................................................................57

2.2.5 Static NAT.......................................................................................................................................58

2.2.6 Dynamic NAT.................................................................................................................................59

2.2.7 Port Address Translation (PAT)......................................................................................................60

2.2.8 The impact of implementing a DMZ, static IP, and NAT in a network can improve the network
security of Metropolis Capital Bank........................................................................................................60

2.3 M2 Propose a method to assess and treat IT security risks....................................................................61

2.3.1 Definition of a Policy......................................................................................................................61

Activity 03................................................................................................................................66

LO3 Review mechanisms to control organizational IT Security.............................................66

3.1 P5 Review risk assessment procedures in an organization....................................................................66

3.1.1 Definition of risk assessment..........................................................................................................66

3.1.2 Example for a risk assessment.........................................................................................................66

3.2 P6 Explain data protection processes and regulations as applicable to an organization........................67

3.2.1 Definition of Data centers...............................................................................................................67

3.2.2 Definition of Data protection..........................................................................................................68

3.2.3 Importance of data centers are for process and regulation application to Metropolis Capital Bank.
..................................................................................................................................................................68

3.3 M3 Summarize the ISO 31000 risk management methodology and its application in IT security.......69

3.3.1 Definition of ISO 3100 risk management methodology.................................................................69

3.3.2 Summery about ISO 3100 and its application in IT Security..........................................................70

 3.4 M4 Analyze possible impacts to organizational security resulting from an IT security audit...............71

3.4.1 Definition of IT audit......................................................................................................................71

3.4.2 Types of IT Audit............................................................................................................................72

3.4.3 Benefits of IT audit..........................................................................................................................73

3.4.4 Analyze the impacts when auditing for Metropolis Capital Bank..................................................73

3.5 D2 Recommend how IT security can be aligned with organizational Policy, detailing the security
impact of any misalignment.........................................................................................................................74

Activity 04................................................................................................................................75

LO4 Manage organizational security.......................................................................................75

4.1 P7 Design a suitable security policy for an organization, including the main components of an
organizational disaster recovery plan...........................................................................................................75

4.1.1 Create a Security Policy..................................................................................................................75

Metropolis Capital Bank Policy................................................................................................................75

4.1.2 A presentation about disaster recovery plan....................................................................................77

4.2 P8 Discuss the roles of stakeholders in the organization in implementing security audits....................81

4.2.1 Definition of Stakeholders...............................................................................................................81

4.2.2 Describe the different types of stockholders involved in an organization......................................82

4.2.3 Explain the concept of an organization...........................................................................................83

4.2.4 Importance in implementing security audits for an organization....................................................84

4.2.5 Definition of Security audit.............................................................................................................84

4.2.6 The way security audit impact to Metropolis Capital Bank............................................................85

4.2.7 Discuss the specific roles and responsibilities of stakeholders in the context of security audit.....86

4.3 M5 Justify the security plan developed giving reasons for the elements selected.................................88

4.4 D3 Evaluate the suitability of the tools used in an organizational policy to meet business needs.........89

Conclusion................................................................................................................................90

Reference..................................................................................................................................91
Figure 1 Information Security..........................................................................................................................21
Figure 2 Types of attacks.................................................................................................................................23
Figure 3 Active Attack.....................................................................................................................................23
Figure 4 Passive Attack....................................................................................................................................24
Figure 5 Virus...................................................................................................................................................26
Figure 6 Worms................................................................................................................................................27
Figure 7Trojans................................................................................................................................................27
Figure 8 Spyware.............................................................................................................................................28
Figure 9 Fileless malware.................................................................................................................................29
Figure 10 Dos Attack.......................................................................................................................................29
Figure 11 DDOS Attack...................................................................................................................................30
Figure 12 Network Monitoring System...........................................................................................................37
Figure 13 Firewall............................................................................................................................................46
Figure 14 Packet filtering firewall....................................................................................................................47
Figure 15 Circuit-level gateway.......................................................................................................................47
Figure 16 Application-level gateway...............................................................................................................48
Figure 17 Stateful inspection firewall..............................................................................................................48
Figure 18 Next-generation firewall..................................................................................................................49
Figure 19 VPN.................................................................................................................................................50
Figure 20 Remote Access VPN........................................................................................................................51
Figure 21 Site to Site VPN...............................................................................................................................52
Figure 22 DMZ.................................................................................................................................................54
Figure 23 Example for IP Address...................................................................................................................58
Figure 24 NAT.................................................................................................................................................58
Figure 25 Example for Static NAT..................................................................................................................59
Figure 26 Dynamic NAT..................................................................................................................................60
Figure 27 Port Address Translation (PAT)......................................................................................................61
Figure 28 Data centers......................................................................................................................................68
Figure 29 ISO 31000 risk management............................................................................................................71
Figure 30 IT Audit............................................................................................................................................72
Figure 31 Presentation cover page...................................................................................................................78
Figure 32 Definition of Disaster Recovery Plan..............................................................................................79
Figure 33 Importance of Disaster Recovery Plan............................................................................................79
Figure 34 Types of Disasters that Organization can plan................................................................................80
Figure 35 Recovery Plan Consideration...........................................................................................................80
Figure 36 Types of disaster recovery plan.......................................................................................................81
Figure 37 Components of disaster recovery plan.............................................................................................81
Figure 38 Benifits of disaster recovery plan....................................................................................................82
Figure 39 stakeholders......................................................................................................................................83
Figure 40 Security Audit..................................................................................................................................86

Table 1 Advantages and Disadvantage of Information security......................................................................23

Table 2 Difference between Active Attack and Passive Attack.......................................................................26
Table 3 Key Concept........................................................................................................................................26
Table 4 Advantages and Disadvantages for physical security.........................................................................43
Table 5 Advantages and Disadvantages of Virtual Security............................................................................45
Table 6 Advantages and Disadvantages of VPN..............................................................................................53
Table 7 Risk Assessment..................................................................................................................................69
 Acknowledgement
I would like to express my heartfelt gratitude to Esoft Metro Campus and, in particular, to our dedicated
lecturer, Ms. Ann, for their invaluable support and guidance throughout the completion of our recent
assignment.
Ms. Ann's unwavering commitment to fostering a conducive learning environment has been instrumental in
our academic journey. Her profound knowledge, passion for teaching, and willingness to go the extra mile to
help her students have truly made a significant impact on our educational experience.
Esoft Metro Campus has consistently provided us with a platform to acquire not only theoretical knowledge
but also practical skills that are essential for our personal and professional growth. The resources,
infrastructure, and supportive staff at the campus have played a pivotal role in enhancing our learning
experience.
This assignment challenged us to think critically and apply the concepts we have learned, and the guidance
provided by Ms. Ann was invaluable in helping us navigate through the complexities of the task. Her
constructive feedback, patience, and willingness to clarify doubts have been instrumental in our success.
Once again, I extend my sincere appreciation to Esoft Metro Campus and Ms. Ann for their unwavering
support and dedication to our education. Your contributions have not only enriched our academic lives but
have also prepared us for the challenges that lie ahead in our academic journey.
Thank you for your commitment to our growth and development. We are truly grateful for your guidance
and support.
Activity 01
LO1 Assess risks to IT security.
P1 Discuss types of security risks to organizations.
1.1. Definition of Information Security
Information security is the process of preventing data from being accessed, used, disclosed, disrupted,
altered, or destroyed by unauthorized parties. It covers a collection of practices and techniques used to
protect the accessibility, privacy, and accuracy of information as well as the systems and infrastructure that
support it. The objectives of information security are reduced risks, safe information assets, and protection
of sensitive data. This requires both the protection of data stored in digital representations on systems like
databases, computers, and networks as well as data that is transmitted through various communication
routes.
Information security entails a number of elements, including policies, processes, technologies, and
practices, to prevent unauthorized access or privacy violations, protect data integrity, and ensure the
ongoing availability of crucial information and systems. Access control, encryption, network security,
incident response, risk management, and awareness training are among the subjects it covers. By
implementing efficient information security measures that address potential threats and vulnerabilities,
safeguard sensitive data, maintain stakeholder trust, and adhere to legal and regulatory requirements,
organizations and individuals can reduce the effects of security incidents or data breaches.
Source: (Fruhlinger, 2020)

Figure 1 Information Security

Source: Accessed: 19 July 2023
1.1.1 Advantages and Disadvantage of Information security.
Advantages
Utilizing information security is quite
simple. Users can easily password-
protect files to secure less sensitive
information. Users can install
fingerprint scanners, firewalls, or
detecting systems for the most
delicate content.
The number of crimes involving
technology will rise as well. Making
the usage of information security
highly effective.
It prevents unauthorized access to
sensitive personal information.
It protects the government by keeping
top-secret information and
conspiracies away from terrorists and
hostile nations.
Users' vital information is protected
by information security when it is
being stored as well as used.
Table 1 Advantages and Disadvantage of Information security
Disadvantages
Because technology is constantly
evolving, users must constantly invest in
updated information security.
Because technology is constantly
evolving, nothing will ever be 100
percent secure.
The security of the entire system could
be jeopardized if a user overlooks even
one area that has to be safeguarded.
People may not fully comprehend what
they are dealing with due to how
difficult it might be.
A user's productivity may suffer if they
are required to enter passwords on a
regular basis.

1.2. Definition of an attack.

An assault, which can take many different forms, is one of the biggest security dangers in information
technology. An information gathering attack that has little to no impact on systems is called a passive
attack. A good example of this is wiretapping. An active assault has the ability to seriously hurt a person or
organization's resources because it tries to alter system resources or interfere with how they work. An
excellent example of this would be a virus or other type of malware.
Source: (Attack 2023)
 1.2.1. Types of Attacks.

Figure 2 Types of attacks

Source: Advisera (2023)

Active Attack
Active attacks are a sort of cybersecurity attack when an attacker tries to change, damage, or impair a
system's or network's regular operation. Active attacks, as opposed to passive assaults, which just involve
monitoring or eavesdropping on a system or network, can be more harmful since they include the attacker
taking actual action against the target system or network. Source:
GeeksforGeeks, (2023)

Figure 3 Active Attack

Source: A., J. (2023)
Types of active attacks are as follows:
 Masquerade
 Modification of messages
 Repudiation
 Replay
 Denial of Service

Passive Attack
A passive attack does not eat up system resources and instead makes an effort to gather or use information
from the system. Attacks that are passive in nature spy on or keep track of transmission. The adversary
wants to intercept the transmission of information in order to collect it. Attackers that use passive methods
observe or gather data without making any changes or erasing it. Passive assaults can take the form of
eavesdropping, in which the attacker listens in on network traffic to gather sensitive data, or sniffing, in
which the attacker intercepts and examines data packets to steal sensitive data.
GeeksforGeeks, (2023)

Figure 4 Passive Attack

Source: Alimam Miya, By and Miya, A. (2023)

Types of Passive attacks are as follows:

 The release of message content
 Traffic analysis
 1.2.2. Difference between Active Attack and Passive Attack.
Active Attack Passive Attack

1. Information can be changed. 1. Information cannot be changed.

2. Attack victims who are still alive are 2. The victim of a passive attack is not
aware of the assault. aware of the assault.

3. Resources on the system are modified. 3. No changes are made to the system's
resources.

4. Active attack puts the availability and 4. The availability and integrity of data
integrity of data in danger. may be threatened by passive attacks.

5. It is preferable to prevent such attacks. 5. Detection of passive attacks is given

higher priority than prevention.

6. Completed quickly. 6. Was performed over an extended time.

7. It is considerably simpler to avoid. 7. It is challenging to stop.

8. Was done to assault the system. 8. Executed to get system information.

9. In this type of assault, the execution 9. The system is not damaged.

system is harmed.

Table 2 Difference between Active Attack and Passive Attack

1.3 Key Concepts of Information Security

Information security's three pillars are confidentiality, integrity, and accessibility. At least one of these
principles must be implemented in each component of the information security program. They are
collectively known as the CIA Triad.

Table 3 Key Concept

Source: SlideServe,(2023)
1.3.1 Confidentiality
Confidentiality protection prevents unauthorized data transmission. Protecting individual privacy and
ensuring that only those with a need to view it or access it in order to fulfill their organizational obligations
do so are the two main objectives of the confidentiality principle.

1.3.2 Integrity
Protect against unauthorized information modification. Threat actors may damage or modify your data to
cause subsequent harm even if they cannot see it all at once.

1.3.3 Availability
Availability safeguards a system's capacity to provide full user access to software systems and data when
required. Making the technology infrastructure, applications, and data available when needed for a
business process or the advantage of a company's clients is the aim of availability.
Source (Imperva 2023)

1.4 Definition of a Threat

The most prevalent kind of cyberattack is known as malware, which is an acronym for "malicious
software," which includes viruses, worms, trojan horses, spyware, and ransomware. A system is typically
infected by malware through a link on an unreliable website, an email, or an unwanted software download.
It deploys on the target system, gathers private information, manipulates and denies access to network
components, and has the potential to delete data or completely shut down the system.
Here are some of the main types of malware attacks:
Viruses
An application is infected by a piece of code. The harmful code is executed when the application is
launched.

Figure 5 Virus
Source: Protect your devices and data from malware (no date)
Worms
malware that gains access to an operating system by utilizing software flaws and backdoors. The worm can
launch assaults like distributed denial of service (DDoS) after it is set up in the network.

Figure 6 Worms
Source: Raposo, L. and Name (no date)

Trojans
malicious code or software that conceals itself in games, apps, or email attachments as a legitimate
program. The malware is downloaded by an unwary user, who then lets it take over their computer.

Figure 7Trojans
Source: Ice (2019)

Ransomware
Through encryption, a person or organization is prevented from accessing their own systems or data. There
is no assurance that paying the ransom will actually restore full access or functioning. Instead, the attacker
often wants a ransom in exchange for a decryption key.
Cryptojacking
Without the victim's awareness, attackers install malware on their victim's device and start using their
processing power to earn cryptocurrency. Systems that are affected might become sluggish, and
cryptojacking tools might make systems unstable.
Spyware
An unwary user's data, including private information like passwords and payment information, is accessed
by a hostile actor. Mobile devices, desktop programs, and web browsers can all be impacted by spyware.

Figure 8 Spyware
Source: Start-up spyware company accidentally exposed its data
online

Adware
An advertiser can give the user targeted advertising by tracking a user's browsing activity to identify
behavior patterns and interests. Adware is similar to spyware but does not require the user to install
software on their device, and while it may not always be used maliciously, it can be used without the user's
knowledge and endanger their privacy.

[Space Left Intentionally]

Fileless malware
The operating system does not have any installed software. For malicious purposes, native files like WMI
and PowerShell are modified. Because the compromised files are recognized as legitimate, this covert
method of assault is challenging to spot (antivirus can't identify it).

Figure 9 Fileless malware

Source: Toulas, B. (2022)

Rootkits
Applications, firmware, operating system kernels, or hypervisors can all be modified with software to
enable remote administrative access to a computer. The attacker can take full control of the computer,
launch the operating system from a corrupted environment, and spread further malware.
Source: Cyber security threats: Types & sources: Imperva (2023)

DOS Attack
An attempt to disable a device or network such that its intended users are unable to access it is known as a
denial-of-service (DoS) attack. DoS attacks achieve this by bombarding the object of attack with
connections or by providing it with data that causes an issue.

Figure 10 Dos Attack

Source: (DDoS attack trends for Q1 2021 - cloudflare)
DDOS Attack
Several infected networks assault an objective in a denial-of-service, or DDoS, attack, rendering the chosen
resource unavailable to consumers. The target could be a server, webpage, or other kind of network
resource. The target system is forced to slow down or possibly crash and shut down due to the deluge of
incoming messages, connection requests, or malformed packets, depriving legitimate users or systems of
service. Source: (Lutkevich & Beaver, 2021)

Figure 11 DDOS Attack

Source: (What is a DDOS attack: Types, prevention & remediation)

1.5 IT Security Risk

The threat or damage that could result from illegal access, use, disclosure, disruption, modification, or
destruction of digital information is known as an information security risk. Cyberthreats, data breaches,
malware, and other security incidents that jeopardize the confidentiality, integrity, and accessibility of
sensitive data are some of the possible sources of this risk.
It's crucial to understand the difference between a risk and a threat in order to comprehend the idea of
information security risk. A threat is a possible risk to the information assets of a business, such as a
malware infection or an attempted hack. The possibility that the threat may actually hurt the organization is
what constitutes a risk. In other words, just because a threat exists doesn't mean it automatically puts an
organization at risk.
Risk to information security can have serious repercussions for enterprises. For instance, data breaches can
cause the loss of sensitive data, such as financial and personal information, which can cause reputational
harm, legal repercussions, and financial losses. Systems and networks that have been compromised by
malware and cyber threats can interrupt business processes and result in downtime. This may lead to
missed sales, reduced output, and strained client relationships.
Source: riskoptics,(2023)
1.5.1 Definition of risk management
Risk management is the process of identifying, assessing, and controlling risks to the assets and income of
the firm. These risks can be brought on by a variety of factors, including monetary uncertainty, legal
obligations, technology issues, poor strategic management, accidents, and severe weather conditions.
An effective risk management strategy helps a company consider all potential hazards. Another facet of
risk management is the connection between risks and the possible cascade consequences they may have on
an organization's strategic goals.
Source: (Tucci, 2023)

1.5.2 Five Principles of Risk Management

1. Risk identification
2. Risk control
3. Claims management
4. Risk financing
5. Risk analysis

1.6 Definition of Organizational Risk

The potential losses that an organization might suffer as a result of a negative event or activity could be
characterized as an organizational risk. The possibility of a particular event or activity occurring could
make it more difficult for an organization to achieve its aims. Organizational risk includes issues with
finances, compliance, operations halts, and reputational damage.
Source: (Organizational risk 2023)

1.6.1 Types of organizational risk.

 Market / Reputation risk
 Financial risk
 Legal risk
 Strategic risk
 Technology risk
 Culture risk
 Fraud risk
1. Market / Reputation risk
Any threat or danger that could harm your company's reputation among customers and harm the
company's overall success is known as a reputational risk. These hazards frequently come as a surprise
and can happen suddenly.
Source: (Needle, 2022)

2. Financial risk
Financial risk is the possibility that the company may be unable to manage its debt and meet its financial
commitments. Instability, losses in the financial sector, or changes in stock prices, currency exchange
rates, interest rates, etc. are the usual causes of this kind of risk.

3. Operational risk
Operational risk is the possibility of suffering losses due to ineffective or defective procedures, rules,
policies, plans, or situations that interfere with business operations. Operational risk can be brought on
by several sources, including human mistakes, criminal activities like fraud, and natural disasters.

4. Legal risk
A mistake or willful disregard for client responsibilities exposes businesses to legal risk. It is regulated
by the same legal system that sets the standards for goods, customers, and commercial practices. The
potential risks of violating tax laws are seen from the standpoint of an investor.

5. Strategic risk
A company's business model may be adversely affected by an occurrence, which is known as strategic
risk. The value proposition that draws clients and produces revenue is compromised by a strategic risk.
As an illustration, if a company's business strategy is to be the low-cost provider of a product and a rival
from a country with low wages suddenly joins the market, the company will find that its value
proposition has been shattered.

6. Technology risk
The possibility that a technological failure may cause a firm to be disrupted is what is meant by the term
"technology risk," also known as "information technology risk." Information security events,
cyberattacks, password theft, service failures, and other dangers are just a few of the many technology
risks that businesses must deal with.
Every sort of technological risk has the potential to result in financial, reputational, regulatory, or
strategic risk if an adequate incident response is not used. Consequently, it's essential to have a strong
technology risk management strategy in place to foresee such issues.
 7. Culture risk
The word "risk culture" refers to the values, beliefs, knowledge, attitudes, and awareness of risk that are
shared by a group of individuals that have a similar goal. All organizations, including for-profit and
nonprofit organizations as well as for-profit and public organizations, must follow this rule.

8. Fraud risk
Fraud risk refers to the potential for any unforeseen loss, including those involving money, reputation, or
physical property, because of dishonest behavior on the part of internal or external actors. Financial
losses resulting from theft, embezzlement, or other sorts of financial crime are one-way fraud influences
society.

1.6.2 The way organizational risk can impact to Metropolis Capital Bank.
The performance, standing, and financial stability of Metropolis Capital Bank can all be significantly
impacted by organizational risk. Organizational risks, such as inefficient financial management, fraud, or
operational inefficiencies, can result in significant financial losses for the bank. These losses may be
brought on, among other things, by financial theft, unsuccessful investments, or disciplinary actions.
Financial losses have the potential to lower a bank's capital base, restrict its capacity to provide loans and
diminish shareholder value. Organizational risks that result in poor news or low public perception could
harm the bank's reputation. For instance, if the bank is linked to a scandal or is thought to have engaged in
unethical behavior, customers may lose faith in it. A bank's market position may suffer, and its customer
base may be lost as a result of a damaged reputation. It may also find it difficult to attract new clients. For
failing to comply with legal and regulatory duties, the bank may face legal action, fines, and other
consequences. Risks to an organization can have severe effects, such as breaching anti-money laundering
laws or failing to understand consumer expectations. A bank's ability to conduct business may be restricted
by regulatory actions, certain activities may be prohibited, or even the license of the bank may be revoked.
Organizational risks,
including technological setbacks, cyberattacks, and internal system failures, could impair the bank's ability
to conduct business. Loss of services slowed transactions, and disgruntled customers may result from these
interruptions. Operational hiccups undermine not only the bank's effectiveness but also the trust that its
clients have in it to deliver dependable services. Organizational hazards that cause a toxic environment or
low employee engagement may affect employee morale and productivity. High turnover rates can harm the
cost of hiring new employees, the loss of institutional knowledge, and the continuity of service. Unhappy
employees may give poor customer service and low customer satisfaction. Organizational risks may affect
a bank's ability to attract.
 investors and gain access to the capital markets. If a bank is perceived as having weak risk management
practices or a high-risk profile, investors could be reluctant to participate or give money. Lower investor
confidence may limit the bank's ability to expand and its access to finance.
To prevent the impacts of these risks, Metropolis Capital Bank should have strong risk management
practices including successful compliance systems, ongoing surveillance, and regular risk assessments. It
should also promote a culture of risk accountability and knowledge among all employees, ensuring that
everyone is aware of their roles in risk management. By proactively detecting, assessing, and managing
organizational risks, the bank can retain its financial stability, uphold its good name, and increase its long-
term profitability.

1.6.3 Recommendations for preventing risks.

There are some recommendations for Metropolis Capital Bank to prevent risk.

First every bank needs to create a risk management framework to prevent from a risk and it is same for the
Metropolis Capital Bank. Create an extensive risk management framework that covers every aspect of the
bank's activities. This should involve locating, analyzing, monitoring, and minimizing a variety of risks,
including credit, operational, market, and liquidity risks. secondly, to prevent a risk there should be a strong
corporate governance. In a metropolis capital bank corporate governance structure is strong and roles,
duties, and reporting lines are all well-defined. Ensure that the board of directors’ exercises sound control
over management and holds them responsible for risk management procedures. Also, ensure conformity to
all relevant laws, rules, and industry standards by putting in place robust compliance mechanisms. Keep up
with changing regulatory requirements by routinely reviewing and updating compliance policies and
processes. To find potential risks and weaknesses in the Metropolis Capital Bank's operations, conduct
frequent risk assessments. Analyzing new risks and gauging how well existing risk controls are working
should be included in this. To protect assets, stop fraud, and spot inconsistencies, Metropolis Capital Bank
should have a place for robust internal control measures. This comprises internal audits regularly,
authorization procedures, and the segregation of roles. Employ and educate qualified personnel who possess
the knowledge and abilities needed to properly manage risks. To keep staff members up to speed on the
most effective risk management techniques, promote a culture of risk awareness, and offer continual
training. To safeguard consumer information, stop data breaches, and assure the availability and integrity of
crucial systems, implement strong information security procedures. It also involves employee awareness
initiatives, encryption, regular security audits, and tight access limits.
Risk prevention is a continual process that calls for constant observation, evaluation, and modification. A
metropolitan capital bank can strengthen its resilience and defend against numerous risks by putting these
suggestions into practice and upholding a solid risk management culture.

P2 Assess organizational security procedures.

1.7 Definition of security procedures.
A security procedure is a predetermined flow of steps that must be taken in order to carry out a certain
security duty or function. In order to achieve a goal, procedures are typically composed of a sequence of
actions that must be carried out repeatedly and consistently. Security procedures offer a set of documented
activities for managing the organization's security concerns after they are put into place, which will aid in
training, process auditing, and process improvement. In order to establish the consistency required to
reduce variation in security processes and strengthen control of security inside the business, procedures
give a starting point. Another effective strategy for cutting waste, raising quality, and boosting productivity
in the security division is to reduce variation.
Source: Security procedure (no date)

1.7.1 Definition of Organizational security procedures.

A security procedure is a series of steps that must be followed to ensure security during routine business
operations. Security procedures work in tandem with security policies, standards, and guidelines to
establish a framework for secure company operations. A security procedure can also enable, enforce, or put
into effect the security controls listed in your organization's policies. Every safety technique abides by the
security laws, rules, regulations, and standards. Additionally, an organization's security program is based
on its security regulations.

1.7.2 Types of Organizational security procedures.

There are numerous types of security policies and procedures. From there the 2 main types of
organizational security procedures are:
01. Administrative
02. Technical
 01.Administrative
Administrative policies govern both the kind of risks that should be avoided and the appropriate responses
to those risks. They are used to prevent harm and property damage at work. They accomplish this by
making certain conduct that endangers the workplace or workers illegal. In contrast to the actual
environmental threat, the administrative category often focuses on observing and modifying human
behavior.
02.Technical
The company's information technology (IT) security policy serves as a blueprint for its culture. Technical
security regulations, which also outline the protocols for anybody who accesses an organization's
resources, protect organizations and their employees. These policies and procedures prevent unauthorized
users from accessing an organization's network and data. Cyber security procedures and other tools are
needed to detect hazardous exploits concealed within products.

M1 Analyze the benefits of implementing network monitoring systems with

supporting reasons.
1.8 Definition of network monitoring system.
Network monitoring is the process of keeping track of the reliability and health of a computer network
using network monitoring software. The topology maps and useful insights produced by network
performance monitoring (NPM) systems are typically based on the performance data gathered and
examined. This network mapping gives IT teams total access into network elements, application
performance monitoring, and related IT infrastructure, enabling them to monitor the general health of the
network, identify warning signs, and improve data flow.
A network monitoring system keeps an eye out for broken network components and overloaded resources,
regardless of whether the network resources are hosted on-site, in a data center, by a cloud services
provider, or as part of a hybrid ecosystem. For instance, it might detect abrupt surges in network traffic,
switches and routers with high error rates, or servers with overburdened CPUs. Notifying network
administrators of performance issues is a crucial function of NPM software.
Systems for network monitoring also gather information to evaluate traffic patterns, gauge performance,
and check availability. Setting up criteria so that you get immediate warnings whenever one is violated is
one way to keep an eye out for performance problems and bottlenecks. Even while some thresholds are
straightforward static thresholds, contemporary NPM systems employ machine learning (ML) to estimate
typical performance across all of a network's metrics depending on the hour of the day and the day of the
week. Alerts generated by NPM systems with such ML-driven baselines are frequently more actionable.
Source: What is network monitoring? (no date)
 Figure 12 Network Monitoring System
Source: (faqs 2023)

1.8.1 Benefits of network monitoring system

The network can be seen more clearly thanks to network monitoring, which enables the early detection of
dangers. With the use of this knowledge, you may take precautions to reduce any potential risks. As an
illustration, you could stop the impacted services from operating until it is secure to do so if there are
indications that an attack is in progress.

 Detect Intrusions in Real-Time

Real-time intrusion detection is made possible via network monitoring. You can act swiftly in response to a
threat by taking action to halt the harmful behavior. By using monitoring, you may also discover the
attack's origin and what steps can be made to prevent further attacks.

 Reduce downtime by detecting problems before it happens.

It costs money and takes time to experience computer downtime. Utilizing network monitoring equipment
can minimize downtime brought on by computer malfunctions. In the event of a problem, can locate the
root cause, address the issue, and resume operations as soon as feasible.

 Improve efficiency and productivity.

Network monitoring increases productivity and efficiency by giving you insight into how your company is
operating. With thorough reports, you can immediately determine where resources are being spent most
effectively. Additionally, network monitoring is possible around-the-clock without personally inspecting
every device.
  Protect the organization from cyber-attacks.
More often than ever, there have been cybersecurity breaches. Every day, hackers hunt for vulnerabilities
in firms to exploit. Making it more difficult for hackers to get illegal access, network monitoring
technologies can uncover any vulnerabilities in the network.

 Gain better control of the network.

User can have more effective network control with network monitoring. And can keep tabs on user
activity, view network traffic, and even prevent certain IP addresses from using certain services.

 Reduce operational costs.

By assisting the identifying issues before they arise, network monitoring lowers operational costs. User can
swiftly identify the offender and take steps to stop additional harm, for instance, if an employee
unintentionally deletes crucial files.

 Prevent data loss due to malicious attacks.

Data protection against harmful attacks is made possible via network monitoring. When a hacker enters the
network without authorization, they might try to steal important data. The user must make sure their
network is current and safe. Users can verify their networks using network monitoring software.
Source: (Admin, 2022)

1.8.2 Types of network monitoring system

There are four types of network monitoring. They are:
01. Availability monitoring
02. Configuration monitoring
03. performance monitoring
04. cloud infrastructure monitoring

01. Availability Monitoring

For network teams, the quickest approach to determine whether a device is online and ready to use is
through availability monitoring. More than just keeping track of whether a device is fully online or
offline, some availability monitoring systems can also monitor other factors. This category frequently
includes notifications of a particular interface's state as well as hardware checks for network devices.
Examples for Availability Monitoring:
 Internet Control Message Protocol
 Simple Network Management Protocol
 Event Logs

02. Configuration Monitoring

For individuals responsible for managing conventional network components that make use of local
configuration files, configuration monitoring checks are crucial. Both from a performance and IT
security perspective, automated systems that can check identically configured devices for errors are
essential. These programs often compare a device configuration file's command-line output against
those of other networked files that carry out comparable functions. To make sure that every network
component is configured to perform uniformly, network teams might investigate discrepancies in
settings.

03. Performance Monitoring

Although network availability monitoring and performance monitoring have certain similarities, they
also differ significantly. The operational state of the parts that make up the network infrastructure is
more of a focus on availability monitoring. This is what health monitoring also accomplishes but with a
stronger focus on the user's performance experience. As a result, network utilization, latency, and
unfavorable path selection are given more attention during performance monitoring.
Examples for Performance Monitoring:
 SNMP
 Event logs
 Flow-based monitoring
 Packet capture analysis
 Streaming telemetry

04. Cloud infrastructure monitoring

Many times, network monitoring technologies used on corporate networks can also be used by private
and public cloud instances. Although many cloud service providers have their own set of integrated
network monitoring tools. Even though these cloud monitoring solutions are frequently free for users,
they frequently cannot be integrated with other third-party technologies that businesses already use. To
decide whether to invest more time and effort in centralizing monitoring into a small number of tools or
manage many, distributed network monitoring services, organizations must consider the benefits and
drawbacks of each option. Though putting those tools into use may be more difficult, they aid in giving
complete visibility throughout the business network and into the cloud.
Source: (Froehlich, 2021)
1.9 Supports that can be gain through monitoring system of Metropolis Capital Bank.
Various types can support monitoring the systems of Metropolis Capital Bank.

The monitoring system can increase Metropolis Capital Bank's security by continuously scanning for any
unexpected activity or potential security issues. It can detect suspicious transaction patterns, unauthorized
access attempts, or any other indications of fraud or aggressive behavior. By immediately alerting the
appropriate parties, the solution aids in preventing security breaches and protecting the bank and its clients
from any dangers. A monitoring system is crucial for fraud detection and prevention. In order to detect
fraudulent activities including account theft, identity theft, and incorrect transactions, it can monitor
customer behaviour and transactional data. By flagging suspicious activities or trends, the technology
enables Metropolis Capital Bank to take immediate action, look into the situation further, and protect its
customers' accounts and assets. Financial firms are subject to a number of regulatory rules and compliance
requirements. The monitoring system ensures that the Metropolis Capital Bank follows these regulations
by reviewing transactions for any potential violations. It can recognize and report suspected behaviors like
money laundering or financing terrorism in accordance with the rules of regulatory authorities. The
monitoring system's encouragement of compliance helps the bank maintain its reputation, stay out of
trouble, and keep moral standards. Monitoring systems help the Metropolis Capital Bank detect and
minimize operational risk. By analyzing transactional and client data, the system can identify risk factors
such as unusual trading activity, significant fund transfers, or significant changes in consumer behavior.
This enables the bank to manage risks proactively, implement effective risk mitigation techniques, and
lower potential losses. The monitoring system's operational efficacy can be improved by automating
transaction detection and analysis. Finding anomalies or potential threats takes less manual labor, allowing
bank workers to focus on other crucial tasks. The system's ability to generate reports, send out alerts in real
time, and visualize data enables quicker decision-making and improves operational effectiveness overall.
Additionally, the system keeps a close eye on customer accounts for any suspicious activity in order to
protect the bank's customers. . It can detect unauthorized access attempts, strange login behaviors, or
changes to personal information to add an additional layer of security. By promptly warning users of
potential threats and urging them to change their passwords or contact their bank, the system helps
customers take the necessary precautions to protect their accounts and sensitive information.

The monitoring system of Metropolis Capital Bank provides crucial assistance in the areas of security,
fraud prevention, compliance, risk management, operational efficiency, and customer protection. It ensures
the bank's effective functioning while defending the organization's and its clients' interests.
 D1 Evaluate a range of physical and virtual security measures that can be
employed to ensure the integrity of organizational IT security.
1.10 Definition of security
Information technology (IT) security refers to the methods, tools, and personnel used to safeguard a
business's digital assets. The basic goal of IT security is to safeguard these assets, gadgets, and services
from unauthorized users, often known as threat actors, who might disrupt, steal from, or exploit them.
These risks could be intentional or unintentional, and they could come from the outside or the inside.
A successful security plan uses a number of approaches to minimize flaws and concentrate on specific
cyber threats. To identify, stop, and address security concerns, security procedures, IT services, and
software tools are all used. However, both IT security providers and thieves benefit from technological
improvements. To safeguard firm assets, businesses must regularly evaluate, update, and enhance security
to stay ahead of threats and more cunning hackers.
Source: (Bacon & Contributor, 2021)

1.10.1 Types of security

 Physical Security
 Virtual Security

1.10.2 Physical Security

Physical security measures, which lessen the likelihood of theft, damage, and harm to persons and property,
are a combination of items and procedures. Physical security can be used to protect anything that you can
touch. This is a catch-all phrase for all methods of safeguarding material possessions.
Source: (Ralph, 2021)

[Space Left Intentionally]

Advantages and Disadvantages of Physical Security.
Advantages Disadvantages
Physical security measures like security High Cost
guards, access control systems, and
CCTV footage can serve as an alert to
unapproved visitors or potential thieves.
Measures taken to secure physical assets, False Sense
such as sensitive papers and inventory,
are valuable assets that are also protected
by physical security.
Physical security measures aid in Limited Scope
ensuring the safety and security of
clients, guests, and staff.
Have rules and criteria established by Potential for Human error
law for physical security.
Table 4 Advantages and Disadvantages for physical security
Source: Author’s work

Types of Physical Security.

There are three main components of physical security.
01. Access control
02. Surveillance
03. Testing

01. Access control

A method of controlling access to a system or physical or virtual resources is access control. Access
control in computing is a procedure that allows people to be given access to systems, resources, or data as
well as specific privileges. Users in access control systems have to show credentials before being allowed
access. These credentials may take many different shapes in physical systems, but the ones that cannot be
transferred offer the highest level of protection.
Source: (Access control 2017)

02. Surveillance
For both preventive and post-incident recovery, this is one of the most crucial physical security elements.
In this context, surveillance refers to the tools, employees, and resources that businesses utilize to keep an
eye on what goes on in various physical locations and establishments. Closed-circuit television (CCTV)
cameras, which capture activities across many spaces, are the most popular sort of surveillance. The
advantage of these surveillance cameras is that they are useful in both preventing and catching criminal
activity. Threat actors are deterred from breaking into or vandalizing a building when they encounter a
CCTV camera because they are worried that their identities may be captured on film. Similarly, to this, if a
specific asset or piece of equipment is taken, surveillance can offer the visual proof required to identify the
offender and their methods.
Source: (Cobb, 2021)

03. Testing
Physical security is both a preventative strategy and a tool for responding to incidents. The importance of
testing is rising, particularly when it comes to organizational cohesion. Because they aid in the
coordination of big groups and their way of response, fire drills are an essential exercise for schools and
buildings. To practice role assignments and responsibilities and reduce the possibility of errors, these
policy tests should be carried out regularly.
Source: (Cobb, 2021)

1.10.3 Virtual Security

Virtualized security refers to software-based security solutions designed to function in a virtualized IT
environment. Contrast this with traditional hardware-based network security, which uses static firewalls,
routers, and switches and is based on older technology.
Source: (VMware glossary 2023)

[Space Left Intentionally]

Advantages and Disadvantages of Virtual Security.
Advantages Disadvantages

Scalability and flexibility Complexity and technical expertise.

Rapid Incident response Insider threats and human error.

Compliance and Regulatory Requirements Cost considerations

Protection against cyber threats Potential vulnerabilities and exploits

Real-time monitoring and detection. Constantly evolving threat landscape

Table 5 Advantages and Disadvantages of Virtual Security.

Source: Authors’s work

Types of Virtual Security.

Three types of Virtual Security:
01. Network security
02. Application security
03. Cloud security

01. Network security

Network security is a collection of technology that protects the usefulness and integrity of a company's
infrastructure by preventing a wide range of potential threats from entering or propagating within a
network.
02. Application security
Application security, which tries to protect against threats including unauthorized access and modification
by developing, adding, and testing security aspects within applications, is the process of developing,
adding, and testing security features within applications.
Source: (Vmware glossary 2023)

03. Cloud security

The terms "cloud" or "cloud computing" security are frequently used to refer to a collection of security
measures intended to protect data, apps, and infrastructure stored in the cloud. These actions ensure the
control of data and resource access, the preservation of data privacy, and user and device authentication.
They also help with data compliance with rules. Cloud security is applied in cloud settings to protect
against viruses, hackers, distributed denial of service (DDoS) attacks, and illegal user access and use.
Source: (Box, inc.. 2019)
1.11 The way physical security and virtual security impact to Metropolis Capital
Bank.
When it comes to safeguarding Metropolis Capital Bank's operations and assets, both physical security and
Virtual security are essential.
Access controls, perimeter security, and surveillance systems are physical security measures that help keep
unauthorized people from physically accessing critical places within the bank, such as server rooms, data
centers, or vaults. By doing this, the Metropolis Capital Bank can assist in preventing theft, damage, and
unlawful interference with the bank's tangible assets and critical data. Security cameras, fire suppression
systems, and intrusion detection systems are some measures that help quickly identify and address physical
hazards, including thefts, fires, and break-ins. Early identification and action reduce possible harm or loss,
guaranteeing operational continuity and protecting customer data. According to numerous legislative
frameworks and industry standards, physical security measures must be put in place to protect sensitive
financial data. These standards must be fulfilled for Metropolis Capital Bank to comply with regulations,
avoid fines, and increase client confidence in the security of their financial information. Virtual security
mechanisms such as firewalls, encryption, and intrusion prevention systems safeguard customer data from
illegal access, alteration, or disclosure. The bank secures networks, systems, and data to protect customer
information from cyber threats, including data breaches and unauthorized access attempts. Malware,
phishing, ransomware, and other types of unwanted activity are just a few of the cyberattacks that virtual
security measures help to fend off. The Metropolis Capital Bank lowers the risk of successful cyber
assaults, ensuring the integrity and availability of its IT infrastructure by performing security awareness
training, applying frequent system patches, and putting in place tight access restrictions. In the event of a
physical security incident or system breakdown, the bank can continue normally operating thanks to virtual
security measures like data backups, disaster recovery plans, and response protocols. With these
safeguards, Metropolis Capital Bank can recover systems and data promptly, minimizing downtime and
guaranteeing that clients receive uninterrupted services. The Metropolis Capital Bank's dedication to
safeguarding customer data and preserving the integrity of its systems is shown by the robust virtual
security measures it has in place. Metropolis Capital Bank increases client trust and confidence in its
services by assuring the security of online transactions, preventing identity theft, and protecting against
financial crime.
A breach in one area might affect the other. Thus, it's critical to understand that physical and virtual
security measures are connected. The assets, activities, and sensitive financial information managed by the
Metropolis Capital Bank must therefore be protected using a comprehensive and integrated approach to
security.
Activity 02
LO2 Describe IT security solutions
2.1 P3 Discuss the potential impact to IT security of incorrect configuration
of firewall policies and third- party VPNs.
2.1.1 Introduction about firewalls
A firewall is a hardware- or software-based network security device that analyzes all incoming and
outgoing traffic and accepts, rejects, or drops that particular traffic in accordance with a predetermined set
of security rules. Allow: Permit the traffic Block the traffic and respond with "unreachable error" if you
reject. Drop: obstruct traffic and leave a message An external, untrusted network, such as the Internet, is
separated from secured internal networks by a firewall.
Source: Introduction of firewall in computer network,2023

Figure 13 Firewall
Source: (Introduction of firewall in computer network, 2023)

2.1.2 Types of firewalls.

There are five types of firewalls in security:
 Packet filtering firewall
 Circuit-level gateway
 Application-level gateway
 Stateful inspection firewall
 Next-generation firewall
 1. Packet filtering firewall
The data flow between incoming and outgoing networks is controlled by a packet filtering firewall, which
is a component of network security. The firewall looks over each packet of user data and control
information before putting it through a set of established rules.

Figure 14 Packet filtering firewall

Source: (GeeksforGeeks, 2023)

2. Circuit-level gateway
A firewall known as a circuit-level gateway that provides User Datagram Protocol (UDP) and
Transmission Control Protocol (TCP) connection security connects the transport and application levels of
an Open Systems Interconnection (OSI) network model, including the session layer. In contrast to
application gateways, circuit-level gateways monitor TCP data packet handshaking and session adherence
to firewall rules and regulations.

Figure 15 Circuit-level gateway

Source: (Imgur, 2023)
 3. Application-level gateway
A smooth link between a program running on a host in one realm and its equivalent running on a host in
another domain is made possible by Application-Level Gateways (ALGs), software-specific translation
agents. VOIP is one example of such applications.

Figure 16 Application-level gateway

Source: (ResearchGate, 2019)

4. Stateful inspection firewall

Stateful Inspection (SI) Firewalls are pieces of technology that control the flow of data between two or
more networks. Stateful inspection firewalls monitor the status of sessions and discard packets that do not
belong to a session that is allowed by a predetermined security policy. As a result, this is usually referred to
as "session-level protection." They keep state information for each network session and base their
judgments on a session state table.

Figure 17 Stateful inspection firewall

Source: (Application assurance)
 5. Next-generation firewall
A network security device called a next-generation firewall (NGFW) offers features that go beyond those
of a conventional, stateful firewall. A next-generation firewall contains extra features like application
awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence, whereas a
classic firewall normally provides stateful inspection of incoming and outgoing network traffic.

Figure 18 Next-generation firewall

Source: (What is a Next Gen Firewall, 2023)

2.1.3 Impacts of incorrect configuration of firewall.

The security and regular operations of Metropolis Capital Bank may be greatly impacted by the
inappropriate implementation of a firewall.
A firewall acts as a barrier between the internal network and potential outside threats. By configuring the
firewall incorrectly, unauthorized access to the bank's systems and private data may be made accessible.
Hackers and other bad actors may take advantage of these weaknesses to gain access without permission,
steal customer information, commit fraud, or disrupt financial services. Incorrect firewall configuration
may permit unauthorized access to vital data. This raises the likelihood of data breaches that lead to the
theft of sensitive client data, including account numbers, personal identifiers, and financial information.
The bank and its clients might suffer financial losses as a result of these situations, and Metropolis Capital
Bank's reputation might also be damaged. Financial institutions, especially banks, are subject to a number
of regulations and industry standards relating to data protection and information security. A weak firewall
makes it possible for these regulations to be broken, which may incur penalties, legal implications, and a
loss of stakeholders' and consumers' trust. Inadequate firewall settings may unintentionally block
legitimate network traffic or stop vital banking services. This might make it impossible for customers to
access their accounts, use online banking services, or conduct transactions. Customers can grow impatient
and lose faith in the bank's ability to provide trustworthy services, which could harm the bank's reputation.
Since they may require a lot of time and money to locate and correct, firewall setup problems can be
challenging. IT professionals may be required for problem-solving, security audits, and implementing
corrective action. Operational costs could rise if resources are taken away from other critical tasks and
strategic objectives. A poorly built firewall may limit the Metropolis Capital Bank's ability to use cutting-
edge technology, integrate with other companies, or provide innovative solutions. It might be harder for the
bank to respond swiftly to shifting market circumstances and fresh business opportunities, which could
give rivals an advantage.
In order to lower these risks, Metropolis Capital Bank must regularly review and update firewall
configurations, follow industry standards for network security, conduct frequent security audits, and keep
up continuous monitoring and maintenance of the firewall infrastructure. The bank may further secure its
systems and client data from potential threats by working with skilled cybersecurity specialists and putting
in place a comprehensive security architecture.

2.1.4 Definition of VPN.

The term "Virtual Private Network," or VPN, refers to the possibility of creating a secure network
connection when utilizing public networks. VPNs mask your online identity and encrypt your internet
activity. This makes it more challenging for outside parties to monitor your internet activities and steal
data. Real-time encryption is employed.
Source: Kaspersky (2023)

Figure 19 VPN
Source: (Kaspersky, 2023)
2.1.5 Types of VPN
1. Remote Access VPN
2. Site to Site VPN

1. Remote Access VPN

Remote Access VPN enables a user to join a private network and remotely access all of its resources and
services. Through the Internet, a private and secure link is made between the user and the private network.
Both residential and commercial users can benefit from remote access VPN. While away from the office, a
firm employee connects to the private network of the company using a VPN to access files and resources
remotely. Private users, or users at home, use VPN services primarily to get around geographic Internet
blocks and access prohibited websites. Users that are concerned about internet security also utilize VPN
services to increase their privacy and security online.
Source: Types of virtual private network (VPN) and its protocols (2023)

Figure 20 Remote Access VPN

Source: Your guide to remote access VPN

2. Site to Site VPN

A Site-to-Site VPN is also called as Router-to-Router VPN and is commonly used in the large companies.
Companies or organizations, with branch offices in different locations, use Site-to-site VPN to connect the
network of one office location to the network at another office location.
Source: Types of virtual private network (VPN) and its protocols (2023)

 Intranet based VPN: When several offices of the same company are connected using Site-to-Site
VPN type, it is called as Intranet based VPN.
 Extranet based VPN: When companies use Site-to-site VPN type to connect to the office of another
company, it is called as Extranet based VPN.
 Figure 21 Site to Site VPN
Source: WP-content: A beginner’s guide to wordpress’ most important directory (2023)

2.1.6 Advantages and Disadvantages of VPN.

Advantages Disadvantages

safeguards your data decreases the speed of the internet

connection
protects your online privacy Cheap or free VPNs are risky and may
grab your info.

Your IP address is concealed. Premium VPN services are pricey.

serves as a useful method of defense for VPNs do not shield users from social
activists in difficult environments. media data archiving. some devices are
unreliable

depends on special steps to prevent VPNs are not allowed in several

bandwidth restriction countries.

protects against DDoS attacks VPNs do not protect you from

voluntarily disclosing your information.

protects you when working remotely decreases the speed of the internet
connection

Table 6 Advantages and Disadvantages of VPN

2.1.7 Impacts of incorrect configuration of VPN.
Improper VPN (Virtual Private Network) configuration could have a number of detrimental effects for
Metropolis Capital Bank.
Through a VPN that has been configured incorrectly, unauthorized users or malicious actors may access
crucial data and internal systems of Metropolis Capital Bank. This breach may result in data theft,
unauthorized access to customer information, or network infrastructure compromise. Due to an incorrect
VPN configuration, confidential information may unintentionally leak out of the private network. As a
result, private data, money transactions, or customer information may be compromised, which could have
detrimental legal and financial repercussions. Financial institutions like Metropolis Capital Bank are
required to abide by stringent regulatory requirements such as the General Data Protection Regulation
(GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), which are set out by the
payment card industry. A badly configured VPN may allow for the violation of these regulations, which
could subject the bank to penalties, legal repercussions, and reputational damage. If a VPN is set up
incorrectly, the bank's network architecture may become exposed. These vulnerabilities could be used by
cybercriminals to launch attacks, obtain unauthorized access, or exploit gaps in the system's security
measures. If the VPN is configured improperly, the bank's activities could be interrupted, compromising
employee productivity, client access to services, and overall company continuity. Downtime caused by a
misconfiguration might cost the bank money and damage its reputation. A security lapse or data leak
could do significant damage to Metropolis Capital Bank's reputation. Customers' lack of trust in the bank's
ability to safeguard their financial information may cause a loss of revenue and difficulty attracting new
clients.
To mitigate these impacts, Metropolis Capital Bank must make sure that the VPN is set up properly and
that it is routinely reviewed and verified for any potential vulnerabilities. By conducting thorough security
audits, using industry best practices, and collaborating with qualified network security specialists, such
issues can be prevented and the bank's infrastructure and critical data can be secured.

[Space Left Intentionally]

2.2 P4 Discuss, using an example for each, how implementing a DMZ, static
IP and NAT in a network can improve network security.
2.2.1 Definition of DMZ.
A perimeter network called a DMZ, or demilitarized zone, protects an enterprise's internal local-area
network from illegal traffic.
Using a demilitarized zone network, a business can connect to unreliable networks like the internet without
compromising the security of its private network or local area network (LAN). A few examples of servers
used by businesses to store information and offer services that are accessible from the outside are Domain
Name Systems (DNS), File Transfer Protocol (FTP), messages, a third party, Telephone over the Internet
Protocol (VoIP), and web servers.
They are separated and have restricted access to the LAN in order to ensure that these servers and
resources may be accessed via the internet but not the internal LAN. Therefore, employing a DMZ strategy
makes it more difficult for hackers to gain access to an organization's data and internal systems via the
internet. By guaranteeing that employees can communicate effectively and share information instantly over
a secure connection and while also offering a location free from risks, a company can decrease the possible
weaknesses of its local area network.
Source: (Lutkevich, 2021)

Figure 22 DMZ
Source: A., J. (2023)
 Examples for DMZ.
There are six examples for DMZ. They are:
 Web servers  DNS servers
 FTP servers  Proxy servers
 Email servers  VoIP servers

1. Web servers
A DMZ can be used to set up web servers that communicate with internal database servers. As a result,
internal databases—the repositories in charge of maintaining confidential information—become more
secure. Web servers can directly connect to the internal database server or use application firewalls to do so,
even if the DMZ is still defending against threats.
2. FTP servers
FTP, or file transfer protocol, is a method of sending data to any computer connected to the internet,
anywhere in the world. On computer networks, it is a typical network protocol used to transfer files from a
client to a server. Significant content on an FTP server, which also permits direct file interaction, may be
found on a company website. As a result, it must always be kept apart from vital internal systems.
3. Email servers
A piece of software known as a mail server, sometimes known as a mail transfer agent, receives incoming
emails from nearby users and distant senders and forwards them for delivery. Frequently, servers unable to
connect directly to the internet are used to store personal messages and the user information that records
login information. In order to connect with and access the email database without being directly exposed to
potentially dangerous traffic, an email server is built or installed inside the DMZ.
4. DNS servers
A DNS server maintains a database with the hostnames associated with public IP addresses. It usually
resolves or converts these names into IP addresses. DNS servers employ specialized software, and the
protocols for inter-server communication are also specialized. Queries coming from outside the DMZ are
blocked from accessing the internal network by a DNS server placed inside the DMZ. A second DNS server
can be added to your internal network to further improve security.
5. Proxy servers
A proxy server and a firewall are frequently used in tandem. Other computers utilize it to access websites.
When another device requests a Web page, the proxy server retrieves it and transmits it to the correct asking
computer. By establishing connections on their behalf, proxy servers shield clients from communicating
directly with a server. They also distinguish between internal and external networks and reduce traffic by
caching web information.
 6. VoIP servers
While internal LAN access is restricted and firewalls are set up to scrutinize all incoming data, voice-over-
internet protocol (VoIP) servers can connect to both the internal network and the Internet.

2.2.2 Importance’s of DMZ

The below are the importance’s of DMZ.
1. Security Barrier:
The internal network of a company serves as a trusted network's barrier between the public internet and
that company. It reduces the attack surface and lowers the danger of unauthorized access by isolating
sensitive internal resources like application servers, databases, and other systems from direct internet
exposure.
2. Protection for Public-Facing Services:
Services provided by businesses that must be accessed via the internet frequently include web servers,
email servers, and FTP servers. By locating these services in the DMZ, you can increase security.
Attackers will be confined to the DMZ and barred from entering the internal network even if the services
are compromised.
3. Containment of Threats:
A DMZ can prevent lateral transfer of threats in the unfortunate case of a security breach or malware
outbreak. Attackers who gain entry to the DMZ will only have restricted access and won't be able to
directly access important resources on the internal network.
4. Enhanced Network Segmentation:
Logical network segmentation is made possible by the DMZ, which separates various types of network
traffic and establishes unique security zones. Because of this isolation, security administrators can more
easily impose access controls, track network activity, and effectively implement security rules.
5. Simplified Security Management:
Security administrators can concentrate their efforts on securing a particular area of the network by
centralizing the organization's externally facing services in the DMZ. This compartmentalization makes
security management easier and makes it easier to spot potential security breaches.
6. Compliance and Regulatory Requirements:
Network security measures, including the use of DMZs, must be implemented in accordance with
numerous industry rules and data protection legislation. Organizations can demonstrate their dedication to
keeping up good security procedures by complying to such regulations.
7. Redundancy and High Availability:
Load balancers and redundant systems are frequently found in DMZs, which can provide high availability
for services accessed by the general public. Other servers can take over if one fails, minimizing downtime
and preserving service continuity.
8. Incident Response and Monitoring:
Security teams can spot shady activity and potential security breaches by watching network traffic coming
into and going out of the DMZ. For prompt incident response and the installation of strong security
measures, this visibility is essential.

2.2.3 Definition of static IP

A static IP address is a 32-bit number that identifies a computer's internet address on the internet. This
number, which appears as a dotted quadrilateral, will be given to you by a typical internet service provider
(ISP). An IP address, or internet protocol address, acts as a unique identity for a device that connects to the
internet. Computers use IP addresses to find and contact one another online similarly to how people use
phone numbers to find and contact one another over the phone. An IP address can be used to find out
information about the hosting provider and the area.
Source: (Gillis, 2020)

Example for static IP

Easy to recall, logical, and constant, the author's home server is configured to 192.168.1.10, the primary
laptop to 192.168.1.11, and so forth. The client can assign these static IP addresses directly to the device
by, for example, configuring each computer's network settings in Windows, or they can be assigned at the
router level.

[Space Left Intentionally]

 Figure 23 Example for IP Address
Source: (JasonGerend,2018)

2.2.4 Definition of NAT

Private IP networks can use the internet and cloud thanks to a service called "Network Address
Translation" (NAT). Before packets are delivered to an external network, NAT converts private IP
addresses in an internal network to a public IP address.
Source: (What is Network Address Translation,2023)

Figure 24 NAT
Source: (What is Network Address Translation,2023)
Types of NAT
 Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0 / 8)
 Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
 Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Example for NAT

when NAT is active on both a DSL modem and a wireless router that is connected to the same network. A
Wi-Fi router was used to link the host devices to the public network.

2.2.5 Static NAT

Routers or firewalls transfer a single private IP address to a single public IP address via static NAT. A
single public IP address is assigned to each private IP address. Because static NAT requires one public IP
address for every private IP address, it is not frequently utilized.
To configure static NAT, three steps are required:

1. configure private/public IP address mapping by using the ip nat inside source static PRIVATE_IP
PUBLIC_IP command
2. configure the router’s inside interface using the ip nat inside command
3. configure the router’s outside interface using the ip nat outside command

Here is an example.

Figure 25 Example for Static NAT

Source: (Upravnik, 2023)
2.2.6 Dynamic NAT
With dynamic NAT, the mapping of a local address to a global address occurs dynamically, as opposed to
static NAT, when a static mapping between a private and public address had to be explicitly defined. In
other words, the router randomly selects an unassigned address from the global address pool. As long as
traffic is being exchanged, the dynamic entry remains in the NAT translations table. After a certain amount
of inactivity, the entry times out, and new translations can be made using the global IP address.
Source: (Upravnik, 2023a)

With dynamic NAT, you need to specify two sets of addresses on your Cisco router:
 The inside addresses that will be translated
 A pool of global addresses

To configure dynamic NAT, the following steps are required:

1. Configure the router’s inside interface using the ip nat inside command
2. Configure the router’s outside interface using the ip nat outside command
3. Configure an ACL that has a list of the inside source addresses that will be translated
4. Configure a pool of global IP addresses using the ip nat pool NAME FIRST_IP_ADDRESS
LAST_IP_ADDRESS netmask SUBNET_MASK command
5. Enable dynamic NAT with the ip nat inside source list ACL_NUMBER pool NAME global
configuration command

Consider the following example:

Figure 26 Dynamic NAT

Source: (Upravnik, 2023a)
2.2.7 Port Address Translation (PAT)
By using Port Address Translation (PAT), each internal private IP address is given a distinct port while
sharing a single public IP address. The common sort of NAT utilized in modern networks is often referred
to as NAT Overload. Even the majority of consumer-grade routers support it.
PAT enables the support of several hosts with a minimal number of public IP addresses. It functions by
establishing dynamic NAT mapping, where a universal (public) IP address and a special port number are
chosen. Every distinct pairing of the private IP address and port is recorded in the router's NAT database
and translated to the global address and a specific port number.
Source: (Upravnik, 2022)

Figure 27 Port Address Translation (PAT)

Source: (Upravnik, 2022)

2.2.8 The impact of implementing a DMZ, static IP, and NAT in a network can
improve the network security of Metropolis Capital Bank.
By adopting a DMZ (Demilitarized Zone), static IP addressing, and NAT (Network Address Translation),
Metropolis Capital Bank can improve the security of its network.
There is a DMZ, or distinct network segment, between the internal network, which is a trusted network,
and the external network, which is an untrusted network and typically the Internet. In order to create a
DMZ, Metropolis Capital Bank can place any servers that are accessible to the general public there,
including its email or internet servers. Isolation makes it less likely that unauthorized individuals will
access private information and systems on the internal network. It increases security by allowing managed
and restricted access to the DMZ servers. Giving a network device a static IP address might increase its
security. Static IP addresses make it easier to manage and keep track of network devices. The bank can set
up specific rules and access controls based on known IP addresses to limit access to the network to only
authorized devices. It helps to lessen the risk of unauthorized devices connecting to the network and makes
it simpler to identify and track devices. NAT is a technique that transforms privately used IP addresses on a
local network into internet IP addresses that are open to the public. By using NAT to hide the internal IP
addresses of its equipment from external networks, Metropolis Capital Bank makes it more difficult for
potential attackers to reach such devices directly. By acting as a gateway and allowing many devices with
private IP addresses to connect to the Internet using a single public IP address, NAT adds an extra degree
of security.
In general, using a DMZ, static IP addressing, and NAT together can improve the network security of
Metropolis Capital Bank. These actions help to isolate important servers, limit network access, and conceal
the internal network's infrastructure, which lowers the attack surface and strengthens the bank's network
security posture. It's important to keep in mind that network security is a multi-layered strategy, and in
order to provide full protection, other security measures like firewalls, intrusion detection systems, and
regular security audits should also be implemented.

2.3 M2 Propose a method to assess and treat IT security risks.

2.3.1 Definition of a Policy
A policy is a set of principles, guidelines, regulations, or procedures developed by an individual, group, or
governing body to control decisions, actions, and behaviors within a certain context or domain. Policies are
frequently created to provide direction, provide consistency, foster accountability, and manage risks in a
variety of disciplines, including government, business, education, healthcare, and any other area where a
systematic approach is necessary.
Policies provide as a framework for decision-making by outlining the recommended activities or behaviors
in order to achieve goals or outcomes. They are able to discuss a wide range of topics, including but not
limited to. The processes that define the organization, responsibilities, and modes of decision-making
inside a business or institution are known as governance and management. Operational procedures policies
develop efficient, safe, and regulation-compliant rules and protocols for carrying out certain tasks or
activities. people resources Regulations covering hiring, firing, performance evaluations, workplace
conduct, and other aspects of managing a staff. digital technology, regulations that govern the usage,
management, and protection of technology resources as well as the use of digital assets in a secure manner.
Financial management, guidelines for spending, paying bills, filing taxes, and other financial transactions.
Health and safety policies, which aim to create a safe and healthy environment, encompass a variety of
subjects, including occupational health, workplace safety, and disaster preparedness.
Regular reviews and revisions are made to policies to take into account new information or conditions.
Policies are typically documented and given to the proper parties. Effective policies have the following
qualities: clarity, consistency, justice, and alignment with the goals and values of the organization or
institution they manage.

Purpose of using a password

Using a password is crucial for protecting a user's cash, devices, systems, or services as well as sensitive
information. Passwords act as a kind of identification by confirming the user's identity and granting access
to private information.

01. Security - Passwords help stop unauthorized people from accessing sensitive, private, or private
information. They serve as a barrier, preventing unauthorized access to resources that are secured
without the proper password.

02. Passwords - are used for user authentication to confirm a user's identity when they want to access a
system, device, or account. The user certifies their ownership or authorization to use that account or
resource by entering the proper password.

03. Data security - By limiting access to the information to those who have been given permission,
passwords assist safeguard the confidentiality of personal or secret data. This is especially crucial for
accounts that house sensitive data like financial or personal information or communications.

04. Online accounts, including email, social networking, online banking, and e-commerce platforms, must
be protected with passwords. They act as a line of defense against unauthorized entry, assisting in the
prevention of fraud, identity theft, and unlawful use of personal accounts.

05. Passwords are typically used in computer networks to safeguard connections to Wi-Fi networks,
routers, servers, and other network hardware. Network managers can keep unauthorized users off their
network and possibly protect its security by creating a strong password.

Regulation compliance: Password-based security measures must be put in place by many businesses and
organizations due to legal or regulatory requirements. By guaranteeing that only authorized users have
access to sensitive data or systems, passwords assist in meeting compliance requirements.
When possible, implement additional safety features like multi-factor authentication and create strong, one-
of-a-kind passwords for each account to ensure the safety of passwords.

Access control of a policy

Access control must be used when rules are carried out, especially when it comes to data security and
information security. It outlines the processes and safeguards used to regulate and manage user access to
resources, information, and systems in accordance with predetermined regulations. Access control ensures
that only authorized people or organizations are granted the required access privileges by restricting
unauthorized access. When it comes to access management of a policy, it is crucial to establish and enforce
who has access to the policy document as well as who can implement, modify, or review the policy.

01. In a management system or central repository, policies are often written down and kept. This
repository can be equipped with access control methods to limit who can view the policy documents
and gain access to them. Because of this, the policies can only be viewed by authorized individuals,
and maintaining confidentiality is also ensured.

02. To limit a person's or a group's access to policy papers, several levels of permission can be granted to
them. For instance, some people who require access to the policies but do not need to be able to
change them may be given read-only access. The ability to alter or update the policies, however, may
be granted to specific employees or policy administrators with greater authority.

03. The method of controlling access based on job positions or responsibilities inside an organization is
called "role-based access control" and is frequently employed. There are access permissions and
limitations assigned to each role. By tying rights to established roles rather than to specific users, this
makes managing access control simpler.

04. Mechanisms for monitoring and recording policy document access should be in place. Organizations
may track who accessed the policy when it happened, and what was done by installing access logging
and auditing. Identifying any illegal access attempts or policy changes is much easier thanks to this.

05. updating of policies regularly: Access control should include this step as well. To guarantee that only
authorized workers can make modifications or updates to policies, organizations may assign specific
people or groups the duty of reviewing policies.
Organizations can enforce sound management, confidentiality, and integrity of policy documents by
putting in place strong access control systems. This lowers the possibility of unauthorized changes, data
breaches, or policy abuse.

Benefits of a policy
Policies in numerous sectors are advantageous for organizations, institutions of higher learning, the
government, and other regulated environments.
01. Consistent action and decision-making are facilitated by policies. To achieve standardization and
uniformity throughout an organization or institution, they construct a set of standards and norms.
Fairness, equality, and predictability in procedures and results are all supported by this consistency.

02. For people or stakeholders, policies clearly define expectations and rules. They offer guidance on the
proper way to carry out duties, appropriate behaviors, and desired results. Making sure that everyone is
aware of their obligations and roles, and clear policies help reduce uncertainty, disagreements, and
misunderstandings.

03. Risk management and risk mitigation are frequent goals when developing policies for certain tasks or
contexts. They support risk identification and provide strategies for mitigating or preventing it. Policies
help to create a more secure and safe environment by establishing rules and procedures that safeguard
people, property, and reputations.

04. Laws, rules, and industry standards are all things that policies aid firms in adhering to. They make
certain that procedures and methods comply with moral and legal requirements. Organizations can
show they are adhering to rules by adhering to set policies, which is important during audits and
investigations by the legal or regulatory authorities.

05. By outlining the constraints within which decisions should be made, policies act as a foundation for
decision-making. They give certain people or groups the authority to make decisions, allowing them to
do so within the established parameters in a reasoned and consistent manner. Policies simplify the
decision-making process, hence lowering ambiguity and uncertainty.

06. Employee conduct and activities are governed by policies, which operate as a point of reference for
them. Expected behavior, business ethics, and performance criteria are described. Additionally, policies
create an accountability structure that enables companies to deal with any deviations or violations by
enacting the proper disciplinary actions.
07. Its culture, beliefs, and strategic goals are reflected in its policies. They assist in forming and reiterating
desired behaviors, fostering a supportive and consistent workplace culture. Between stakeholders,
policies can foster mutual respect, trust, and a feeling of purpose.

08. It is possible to review and modify policies because they are not constant. Organizations can react to
evolving conditions, fresh technologies, and new threats by routinely examining and revising rules. To
keep policies current, efficient, and in line with organizational objectives, this encourages ongoing
improvement.

Within organizations and institutions, policies generally offer structure, direction, and control. In the end,
they provide consistency, responsibility, and compliance, which helps with efficiency, risk management,
and the accomplishment of business goals.

[Space Left Intentionally]

Activity 03
LO3 Review mechanisms to control organizational IT Security
3.1 P5 Review risk assessment procedures in an organization.
3.1.1 Definition of risk assessment
Risk assessment is the process of locating risks that could potentially impair an organization's capacity to
conduct business. These assessments help in recognizing these inherent business risks and provide
mitigation strategies, operating processes, and systems to decrease their detrimental effects on corporate
operations. Businesses can utilize a risk assessment framework (RAF) as a tool to communicate their
assessment's findings, including any threats to their information technology (IT) infrastructure, in a
prioritized manner. The Risk Assessment Framework (RAF) helps a business identify potential hazards,
any assets that are put at risk, as well as any negative effects that could result should these risks come to
pass.
Source: (Cole, 2021)
3.1.2 Example for a risk assessment.

Threat Vulnerability Asset & Risk Solution

Consequences
Fire. (High) No use of fire All the devices Staff and team We should
extinguishers. are damaged members may receive training
Table 7 Risk Assessment
(High)
Source: Authors work from fire area. be injured from about fire.
(High) fire area.
(High)
3.2 P6
Thundering No use of The devices The data will Buy a lightning
(Low) lightning rods. will shut down lost. (Low) rod.
(Medium) (Low)
Server Down No The data will The customer Buy new server
(High) maintainers. be lost. (High) base is low. or maintain.
(High) (High)
Data Loss Data Backup All Data will Company lost. we have to
(High) (Medium) be lost. (High) back up the
(High) data to the
cloud every
day
Environment No use of air Devices can be The works Buy a air
(High) conditioner. heat and cannot work. conditioner
(Medium) damaged. (High)
(High)

Explain data protection processes and regulations as applicable to an

organization.
3.2.1 Definition of Data centers
A data center is a physical room, building, or other structure that houses the IT infrastructure needed to
create, execute, and provide applications and services as well as to store and manage the data that goes
along with them.
Over the past few years, data centers have changed from being privately owned, strictly regulated on-
premises facilities housing traditional IT infrastructure for the sole use of one company to remote facilities
or networks of facilities owned by cloud service providers housing virtualized IT infrastructure for the
shared use of numerous companies and customers.
Source: (What is a data center? 2023)

Figure 28 Data centers

Source: (Kittichais, 2017)

3.2.2 Definition of Data protection

Data protection is the process of defending sensitive data against loss, tampering, and damage.
Data protection is becoming more crucial as data production and storage have expanded at an unparalleled
rate. Additionally, as data is used more and more in corporate operations, even a brief period of downtime
or a little quantity of data loss can have a significant impact on a company.
Organizations may collapse as a result of the consequences of a data breach or data loss disaster. In light of
the fact that the majority of enterprises are currently bound by some type of data privacy standard or
regulation, failing to protect data can result in monetary losses, loss of reputation and customer trust, and
legal consequences. One of the main obstacles to digital transformation in enterprises of all sizes is data
protection.
Source: (What is Data Protection: Principles, strategies & policies: Imperva, 2023)

3.2.3 Importance of data centers are for process and regulation application to
Metropolis Capital Bank.
Business operations and legal compliance for organizations like Metropolis Capital Bank depend on data
centers.
Massive volumes of sensitive data, such as customer information, financial records, and transactional
information, should be housed at every bank in a reliable and secure environment at data centers. They
have many effective physical and digital security measures in place, including access controls, firewalls,
encryption, and backup systems. The availability, integrity, and confidentiality of the data are ensured by
preventing unauthorized access, data loss, and breaches. Data centers provide advantages like high
availability and continuous operation. They have redundant power supplies, cooling systems, backup
generators, and network infrastructure to lessen downtime. This is crucial for financial institutions like
Metropolis Capital Bank since any decrease in processing speed or data availability could result in
financial losses, impair customer service, and breach regulatory requirements. Metropolis Capital Bank
generates and processes enormous amounts of data every day, including customer transactions, risk
assessments, compliance reports, and regulatory filings. Data centers provide the processing power and
storage capacity needed to handle these data-intensive operations efficiently. They include server clusters,
high-performance computing systems, and data storage arrays that can quickly process and analyze
enormous datasets, enabling banks to make informed decisions, identify trends, lower risks, and comply
with reporting regulations. Data centers implement efficient disaster recovery plans to guarantee
Metropolis Capital Bank's continuity in the case of natural disasters, hardware failures, or cyberattacks.
They put up failover systems so that operations could be quickly moved to different locations, redundant
copies of the data were created, and off-site backups were made. By doing this, Metropolis Capital Bank
can minimize the effects of disruptions and adhere to regulatory obligations while promptly restarting
operations and restoring critical data. Numerous legislation and compliance requirements, including as
know-your-customer (KYC) rules, anti-money laundering (AML) laws, and financial reporting standards,
apply to the banking industry. Data centers offer the infrastructure and security safeguards needed to carry
out these regulatory obligations. They facilitate the implementation of data governance, audit trails, and
access controls that protect against data breaches and illegal access to sensitive data, assist in
demonstrating compliance, and enable regulatory audits. As financial organizations grow and their data
needs evolve, data centers offer the scalability and flexibility to meet increasing data volumes and
processing requirements. They can quickly scale up storage and processing power, adapt to new
technologies by incorporating new services and applications, and evolve with the times. This scalability
allows Metropolis Capital Bank to manage its expanding data needs while continuing to adhere to evolving
regulatory regimes.
The ability of Metropolis Capital Bank to store, manage, and secure enormous volumes of data depends on
data centers. They provide the support systems, security safeguards, and operational resilience needed to
ensure regulatory compliance, preserve customer data, and maintain uninterrupted financial services.
3.3 M3 Summarize the ISO 31000 risk management methodology and its
application in IT security.
3.3.1 Definition of ISO 3100 risk management methodology.
A group of standards known as ISO 31000 deal with risk management in organizations. Organizations can
utilize these worldwide standards as a jumping off point for a general approach to risk management.
Organizations face a variety of issues on a regular basis, such as trying to evaluate and enhance various
processes to increase productivity and efficiency. They also have to cope with a variety of dangers, which
can change depending on their sector.
To provide organizations with a framework when addressing the risks that they and their workers confront
throughout their operations, the ISO 31000 risk management standard was created.
Source: (What is the ISO 31000 risk management standard? 2023)

Figure 29 ISO 31000 risk management

Source: (R/3.bp.blogspot.com)
3.3.2 Summery about ISO 3100 and its application in IT Security.
Using ISO 31000, businesses can find out more about the risks to their IT security. They can then
effectively allocate resources and make educated decisions to control these risks.
by urging Metropolis Capital Bank to establish and put in place suitable controls and security measures.
The standard encourages risk reduction through a methodical process. The likelihood and consequences of
information security events are reduced as a result. The ISO 31000 standard inspired Metropolis Capital
Bank to integrate IT security risk management into its overall risk management framework. This makes
sure that business risks and IT security threats are taken into account, enabling a more thorough and
integrated plan. By adhering to ISO 31000, the bank may demonstrate their commitment to utilizing
reliable risk management strategies. This can encourage adherence to regulatory requirements, boost
stakeholder confidence, and lay the groundwork for responsibility in IT security management.
Although ISO 31000 doesn't specifically address IT security, its guiding principles and architecture can be
effectively applied to enhance company IT security practices. By implementing a risk-based strategy and
incorporating risk management practices into its IT security strategies, Metropolis Capital Bank can
improve its ability to recognize, evaluate, and lessen IT security threats.

3.4 M4 Analyze possible impacts to organizational security resulting from

an IT security audit.
3.4.1 Definition of IT audit
An IT audit, also known as an information technology audit, is a review and analysis of computer systems,
organizations, procedures, and practices. A company can use IT audits to check whether its current IT
controls are compatible with its operational and financial controls, protect business assets, and ensure data
integrity. Although most people are familiar with financial audits that determine an organization's financial
health, IT audits are still a relatively new phenomenon that are now becoming more significant as a result
of the development of cloud technology. Examining existing security procedures and processes as well as
IT governance in general is the major objective of an IT audit. In order to safeguard the company from
security concerns like data leaks, an IT auditor makes sure that these safeguards are installed correctly and
successfully. Even if adequate security and compliance are provided, a plan of action must be in place in
the event that an unlikely incidence endangers the safety and reputation of the scrutinized firm.
Source: (Cole, 2014)
 Figure 30 IT Audit
Source: Bing

3.4.2 Types of IT Audit

 Security audits
 Compliance audits
 Operational audits,
 IT governance audits

 Software development audits

The above are the types of IT audit and the Below are the explanation to IT audits.

1.Security audits.
A security audit assesses the security of the system from a methodical standpoint by assessing how
effectively an information system complies with a predetermined set of criteria. As part of a
 comprehensive audit, it is standard practice to analyze the software, hardware, information processing
methods, and user behavior.

2. Compliance audits
A compliance audit entails a thorough investigation of a company's adherence to legal obligations. The
strength and thoroughness of risk management procedures, security regulations, user access limitations,
and compliance preparations are evaluated in reports on compliance audits.

3. Operational audits
An operational audit is a method for evaluating a business' operations. It is vital to analyze the internal
systems, processes, and practices of the business. In addition to the company's financial status, the
management procedures are evaluated in this type of audit. An operational audit searches for areas where
the organization's operations could be more effective, productive, and efficient.

4. IT governance audits
Internal audits of IT governance should examine more than just how rules are being followed. By assessing
the effectiveness of IT governance components and assuring stakeholders that policies and processes are
followed and are functioning as intended, internal audit enhances the performance of the firm.

5. Software development audits

A software audit is an internal or external review of a software application to assess the application's
quality, development, and compliance with laws, regulations, and policies. The procedure is handled by
internal teams, one independent auditor, or multiple.

3.4.3 Benefits of IT audit

1. Checks susceptibility to threat
2. Evaluating the System
3. Data Security
4. strengthens controls.
5. Develops IT Governance

3.4.4 Analyze the impacts when auditing for Metropolis Capital Bank.
When doing an examination for Metropolis Capital Bank, a number of scenarios could happen. The
reliability and quality of financial data, guaranteeing rule compliance, identifying potential risks, and
operational flaws are all crucial components of audits.
The correctness and completeness of financial statements and reports are verified by auditing. Auditors
should carefully examine Metropolis Capital Bank's financial records, transactions, and internal controls to
ensure that the information provided is accurate. As a result, the bank's financial integrity is increased, and
stakeholders have greater faith in its business processes. The Metropolis Capital Bank is subject to a
number of laws and regulations created by governmental and regulatory bodies. A bank's compliance with
anti-money laundering and know-your-customer regulations, for instance, is checked via an audit. By
discovering and correcting any non-compliance issues during the audit, the bank can prevent potential fines
and reputational damage. Auditors assess the bank's internal control structure, risk management strategies,
and operational procedures. Through this review, they are able to identify potential risks, weaknesses, and
control gaps. The audit provides the bank with the opportunity to create more stringent controls and take
remedial action, which reduces the risk of fraud, errors, or operational disruptions. Audits usually reveal
the inefficiencies and flaws in systems and procedures. An examination of the bank's operations by the
auditor may lead to recommendations for cost-saving measures, process simplification, and efficiency
enhancements. You may put these ideas into practice to boost customer service, operational effectiveness,
and resource allocation. A thorough audit carried out by a reputable, independent auditing agency can
improve the bank's dependability and repute. External stakeholders, including investors, clients, and
regulators, evaluate the bank's financial health, risk management practices, and ethical compliance using
audit reports. A successful audit raises stakeholder trust and improves the bank's reputation. As auditors
evaluate the internal control environment at the bank, they can discover a poor or ineffective internal
control environment. The auditors' suggestions and comments have reinforced the bank's internal control
architecture. This can involve bolstering role separation, data security measures, and documentation
procedures to reduce the risk of fraud and mistakes. The audit's findings and recommendations are highly
advantageous to the bank's management and board of directors. In the audit report, emerging risks, market
trends, and problem areas could be highlighted. With this information, the management of the bank may
make decisions on risk-reduction, resource allocation, and strategic planning plans with certainty. Audits
are not a one-time event but a continual procedure. Routine audits support a culture of continuous
improvement within the bank through ongoing monitoring, self-evaluation, and weakness rectification. By
employing audit input, the bank may improve performance, reduce procedures, and adapt to changing
market conditions.
Auditing has several different consequences on Metropolis Capital Bank, including improving financial
accuracy, compliance, risk management, process improvement, trust, and strategic decision-making. The
bank may improve operations and maintain the confidence of its stakeholders by fixing issues, putting
suggestions into action, and adhering to regulations.
 3.5 D2 Recommend how IT security can be aligned with organizational
Policy, detailing the security impact of any misalignment.
A Metropolis Capital Bank's policies help ensure that it complies with all relevant legal and regulatory
requirements. The bank provides guidelines on how to safeguard customer data, prevent money laundering,
adhere to anti-corruption laws, and meet industry-specific regulations. Failure to follow these regulations
may result in legal consequences, penalties, and reputational damage. Credit risk, market risk, operational
risk, and liquidity risk are just a few of the many hazards that a bank must identify, assess, and manage.
Policies specify how to do this. They specify the roles at different organizational levels as well as the risk-
reduction strategies. Policies provide standardized procedures for daily actions, which promote consistency
and efficiency. Employees are given the flexibility to choose within set parameters while processes are
streamlined and roles and responsibilities are clarified. Transparency, accountability, and those three things
are encouraged by policies in the workplace. They provide guidelines for handling sensitive information,
conflicts of interest, and employee behavior. Policies also specify how violations and unethical behavior
should be reported. The implications that could affect Metropolis Capital Bank are listed above, while
those that could occur in the absence of a policy are listed below.
Without policies, Metropolis Capital Bank may unwittingly infringe the law, putting it at risk for fines and
other legal and regulatory repercussions. The institution's reputation may suffer as a result of customers'
trust being damaged. Lack of established procedures and standards may lead to inconsistent operations,
errors, and inefficiency. Risk management may be difficult as a result, operations may be affected, and
there may be financial losses. If there are no policies in place, roles, responsibilities, and moral obligations
might not be obvious. Lack of clear protocols for handling misconduct and unethical behavior may create
an atmosphere where these things are more likely to occur. Policies provide a framework that facilitates
strategic planning and decision-making. Without clear policies, it becomes difficult to align business
objectives, rein in expansion, and respond to evolving market conditions.

Activity 04
LO4 Manage organizational security.
4.1 P7 Design a suitable security policy for an organization, including the
main components of an organizational disaster recovery plan.
4.1.1 Create a Security Policy

Metropolis Capital Bank Policy

Introduction.
The privacy and security of customer information are priorities for Metropolis Capital
Bank, which adheres to all relevant laws and regulations. This policy outlines the
Data Security
 Information about customers will be kept private, and only those with a
legitimate need to know will be given access.
 Customer data shall be protected physically against unauthorized access, theft,
or damage by the proper security measures being put in place.
 Identified roles and responsibilities will determine how access to consumer data
is allowed. To ensure appropriateness and relevance, access rights will be
evaluated frequently.
 To safeguard customer data from unauthorized access, alteration, or disclosure,
Conclusion.
The greatest standards of privacy and data protection are upheld by Metropolis Capital
Bank, which is dedicated to safeguarding customer information. The framework for the
bank's data protection policies is established by this policy, which also promotes client
confidence and ensures compliance with all relevant laws and regulations.
4.1.2 A presentation about disaster recovery plan.

Figure 31 Presentation cover page

Source: Authors work

[Space Left Intentionally]

Figure 32 Definition of Disaster Recovery Plan
Source: Authors work

Figure 33 Importance of Disaster Recovery Plan

Source: Authors work
Figure 34 Types of Disasters that Organization can plan
Source: Authors work

Figure 35 Recovery Plan Consideration

Source: Authors work
Figure 36 Types of disaster recovery plan
Source: Authors work

Figure 37 Components of disaster recovery plan

Source: Authors work
Figure 38 Benifits of disaster recovery plan
Source: Authors work

4.2 P8 Discuss the roles of stakeholders in the organization in implementing

security audits.

4.2.1 Definition of Stakeholders

An entity with a stake in the decisions made and the activities done by a business, organization, or project
is referred to as a stakeholder. Stakeholders may or may not have a formal affiliation with the organization.
Stakeholders may directly or indirectly affect the initiatives or programs of an organization. They are
frequently required to help businesses and projects for them to prosper.

[Space Left Intentionally]

 Figure 39 stakeholders
Source: (2018)

4.2.2 Describe the different types of stockholders involved in an organization.

1.Individual Investors
These are private individuals that invest their own money to buy a company's stock. They can be individual
shareholders who purchase a few shares or institutional investors that purchase significant ownership
interests.

2.Institutional Investors
These are businesses that make significant financial investments on behalf of their members or customers.
Investment banks, insurance businesses, hedge funds, and mutual funds are a few examples. Institutional
investors can possess big stakes in businesses and frequently have access to significant financial resources.
3.Cooporate stockholders
Shares of a specific organization are occasionally owned by other corporations or businesses. These
corporate stockholders may be rivals, suppliers, or strategic allies who bought shares in the corporation for
a variety of objectives, including increasing power, establishing professional connections, or diversifying
their investment portfolio.

4.Founders and Management

The founders and top management of a company frequently own stock as well. Founders frequently own a
sizable share of the company's equity at launch, and they may still do so after it goes public or draws
outside investors. As part of their salary, management employees like CEOs and top executives may also
earn stock options or equity-based compensation.

5.Employee stockholders
With stock option plans or employee stock ownership plans, several businesses provide their employees
the chance to become stockholders. This promotes a sense of ownership and alignment with the company's
aims by allowing employees to have a stake in the business and profit from its success.

6.Retail Inverters
Retail investors are people who use trading platforms or brokerage accounts to make stock purchases. In
terms of the size of their investments, they are different from institutional investors. Retail investors
frequently buy and sell stocks for their portfolios, but they might not be as powerful or wealthy as
institutional investors.

4.2.3 Explain the concept of an organization.

An organization, or an organized entity, is created when a group of people come together to work toward a
common goal or purpose. This purposeful framework enables people to work together, coordinate their
efforts, and try to accomplish goals. The many diverse forms of organizations include corporations, non-
profits, governmental groups, institutions of higher learning, and others. The fundamental components of
an organization are people, resources, frameworks, and procedures.
Any business's most valuable resource is its workforce. They contribute their knowledge, expertise, and
skills in order to achieve the organization's goal. The hierarchy of an organization defines the relationships
between those in positions of authority and the many degrees of power by allowing people to hold a variety
of positions and responsibilities. Organizations require a range of resources in order to operate effectively.
Along with tangible resources like land and other physical assets, this list of resources may also contain
intangible ones like intellectual property, the internet, and human resources. Effective management and
utilization of these resources are essential to an organization's success. The structure of an organization
refers to the framework of responsibilities, responsibility, and interactions within it. It describes the various
divisions, teams, or units that make up the organization as well as how power is allocated and information
is shared. Common structural elements include reporting lines, administrative stages, and set processes. In
order to complete a series of tasks and actions, a business uses processes. These can be operational
procedures like strategy planning or decision-making or administrative processes like budgeting or
performance reviews. Things like production, marketing, and customer service are examples of operational
processes. Processes that have been explicitly established ensure effective communication inside the
organization.
A commonality is a shared objective, reason for existing, or set of values that guides an organization's
decisions. They develop strategies and tactics to carry them out, and they establish objectives and
benchmarks to evaluate their success and progress. Organizations exist in a variety of industries, including
business and trade as well as healthcare, education, and government. These organizations can range in size
from small start-ups or neighborhood non-profits to huge multinational corporations or international
organizations. Organizations typically offer spaces for teamwork, allowing members to work together on
initiatives that further common goals, benefit society, and more.

4.2.4 Importance in implementing security audits for an organization.

1. Protects an organization's vital data resources.
2. Maintains the organization's compliance with several security certifications.
3. Discovers security flaws before hackers.
4. Updates the organization on security precautions.
5. Determines the weak points in the physical security.
6. Helps the organization create new security rules.
7. Enables the organization to be ready to act quickly in the event of a cybersecurity compromise.

4.2.5 Definition of Security audit

A security audit measures how effectively a company's information system conforms with specified
standards to evaluate how secure it is. The security of the system's software, information handling policies,
user behavior, physical setup, and environment are frequently evaluated as part of a complete audit.
Security audits are routinely used to check for compliance with regulations that specify how businesses
must handle information, such as the Patient Protection and Affordable Care Act, the Sarbanes-Oxley Act,
and the State of California Privacy of Information Act.
Source: (Gillis, 2022)
Figure 40 Security Audit
Source: MacNeill, B.(2023)

4.2.6 The way security audit impact to Metropolis Capital Bank.

In several ways, a security audit could significantly affect Metropolis Capital Bank.
Finding security gaps and faults in the Metropolis Capital Bank's systems, networks, and operations is
made easier with the help of a security audit. Because the bank can proactively address these issues and
implement the required security measures, there is a lesser likelihood of security lapses or unauthorized
access to sensitive data. Metropolis Capital Bank can identify potential risks and develop mitigation
strategies by conducting a security audit. The audit may point out areas where the bank's security controls
are insufficient or outdated, enabling the deployment of stronger security measures to safeguard customer
data, financial transactions, and personal information. Financial institutions like Metropolis Capital Bank
are required to adhere to a number of legal criteria pertaining to data security and privacy.
With the aid of a security audit, the bank's security procedures can satisfy two compliance frameworks,
including the General Data Protection Regulation (GDPR) and the Credit Card Industry Information
Security Standard (PCI DSS). The bank avoids the penalties, fines, and damage to its reputation that come
with non-compliance by demonstrating compliance. Due to security assessments, customers may feel
secure knowing their financial information and transactions are safe.
By regularly conducting audits and addressing any detected security problems, Metropolis Capital Bank
demonstrates its commitment to keeping a secure banking environment. As a result, current customers will
feel more trustworthy, and it might help attract new customers that respect privacy and data protection.
Regular security audits assess the bank's ability to manage issues. The audit looks at how the bank
manages incident operations, including techniques for detection, reaction, and recovery, to help identify
potential areas for improvement. As a result, there is a guarantee that the Metropolis Capital Bank will be
prepared to react to security-related incidents, such as data breaches or cyberattacks, in a way that limits
potential harm and cuts downtime. Banks that prioritize security and can demonstrate they have robust
security protocols have an advantage over their competitors in a time when cyberattacks and data breaches
are widespread. By regularly conducting security audits, Metropolis Capital Bank may differentiate itself
from competitors by showcasing its commitment to protecting the assets and personal information of its
clients.
For Metropolis Capital Bank to maintain its market share in the banking industry, improve its security
posture, and abide by legislation, security audits are crucial.

4.2.7 Discuss the specific roles and responsibilities of stakeholders in the context of
security audit.
Several stakeholders have important roles to play and duties to fulfill in the context of a security audit.
These parties work together to guarantee the efficacy, reliability, and compliance of the security measures
used by an organization.

01. Business Management

 Identify the organization's overarching security goals and policies.
 Set aside the funds required for security audits and upgrades.
 Ensure that the results of security audits are implemented and corrected.
 Encourage an organization-wide culture of security compliance and awareness.

02. Security Division/Team

 To find vulnerabilities, hazards, and noncompliance, conduct security audits and assessments.
 Create and put into effect security controls, policies, and practices.
 monitoring and studying security occurrences, breaches, and logs.
 Address security audit findings in coordination with other stakeholders.
 Keep current with new security threats and technologies.

03. The internal auditors

 The efficiency of security procedures and controls should be evaluated.
 Check for adherence to organizational policies, industry standards, and legal requirements.
 To find potential security gaps, conduct risk assessments.
 Based on audit results, offer suggestions for improving security posture.
 See to it that auditing is done impartially and independently.
04. Department of IT
 Implement and maintain technical security measures (such as intrusion detection systems and
firewalls).
 For suspect activity, keep an eye on system logs and network traffic.
 Evaluate vulnerabilities and run penetration tests.
 Updates and security fixes should be applied promptly.
 Address security issues and vulnerabilities in conjunction with the security team.

05. Employees
 Abide by security guidelines and rules.
 Attend security awareness training.
 Security occurrences and shady behavior should be immediately reported.
 obey the rules on passwords, access, and data protection.
 Keep the assets of the organization accessible, honest, and confidential.

06. Third-party suppliers and service providers

 Observe any security criteria included in contracts or service-level agreements.
 assist with security audits and deliver the required paperwork.
 Implement suitable security measures to safeguard the organization's systems and data.
 Any security issues or breaches should be reported right away to the company.
 Address security flaws or vulnerabilities in conjunction with the company.

07. Compliance bodies and regulators:

 Define security frameworks, rules, and standards.
 enforce adherence to industry-specific security standards.
 Observe firms' compliance with security standards by conducting audits or assessments.
 Describe risk management strategies and best practices for security.

The achievement of a security audit depends on these parties working together effectively and
communicating with one another. Stakeholders can collaboratively contribute to the ongoing enhancement
of a company's safety record and resilience against changing threats by carrying out their various tasks and
duties.
4.3 M5 Justify the security plan developed giving reasons for the elements
selected.
To safeguard an organization's resources and data, a thorough security policy must be developed. The
following is a step-by-step process for creating a security policy.
01. Define the Goals and the Scope
 By outlining the property, systems, and data that the security policy will cover, you can determine
its scope.
 Clearly define the policy's goals, such as maintaining system availability, safeguarding sensitive
data, and adhering to legal requirements.
02. Perform a risk assessment.
 Analyze the possible threats and weaknesses to the resources and systems of the company.
 Determine potential risks, the likelihoods, and the effects of different security occurrences.
 Place dangers in order of likelihood and probable impact.
03. Specify the necessary security measures.
 To reduce identified risks, decide on the security controls and precautions that are required.
 Consider industry best practices, statutory and regulatory obligations, and any unique requirements
of the organization.
 Define the standards for business continuity, incident response, data protection, access control, and
other pertinent areas.
04. Construct security policies.
 Based on the determined requirements, develop unique regulations that cover particular security
areas.
 The following are some examples of policies: permissible use, classification of information, control
of passwords, security of networks, and incident handling.
 The goals, regulations, duties, and instructions about the area should be expressly stated in each
policy.
05. Get Stakeholders Involved.
 To get feedback and make sure their needs are considered, work together with important
stakeholders from many departments, including information technology, legal, HR, and
management.
 To improve the efficacy and applicability of the policy, solicit feedback and consider pertinent
suggestions.
06. Review and endorsement.
 Review the security policy that has been written in-depth.
  Consult with legal counsel and subject matter experts to make sure that all rules and regulations are
being followed.
 Ensure that the appropriate approvals are received from the organization's highest executives and
any other leaders.
07. Discuss and Train.
 Inform all staff members and stakeholders of the security policy.
 Hold training seminars to make sure everyone is aware of their obligations.
 Give instructions on how to execute the policy and respond to any queries or worries.
08. Update and Review Frequently:
 The security policy should be reviewed and updated regularly.
 Keep an eye out for shifts in the regulatory environment, the threat landscape, and technical
developments that could have an impact on the policy.
 Improve the efficiency of the policy by incorporating the knowledge gained from security events
and employee feedback.

4.4 D3 Evaluate the suitability of the tools used in an organizational policy

to meet business needs.
To build a strong and reliable disaster recovery plan, the following tools and measures can be used,
considering the bank's current infrastructure and security measures.

Virtual Private Network (VPN)

The Metropolis Capital Bank uses VPN services to create secure connections between data centers,
branches, ATMs, and external systems. An appropriate strategy is to allow remote workers who are
working from home to use VPN. Employees can access the core banking system of the bank and other
resources securely thanks to VPNs, which offer secure encrypted connections over the internet.

Multi-Factor Authentication (MFA)

MFA implementation gives an additional layer of security for remote access to the bank's systems. The
possibility of illegal access brought on by compromised credentials is greatly diminished when users are
required to supply additional credentials (such as a password and a one-time verification code).

Endpoint Security
It is essential to guarantee the security of the devices used by employees given the BYOD concept
implemented for Senior Executive Staff and HR Departments. Endpoint security tools, such as Endpoint
Detection and Response (EDR) systems, can be used to keep an eye on endpoints, safeguard them from
sophisticated threats, and give real-time threat intelligence.

Virtual Desktop infrastructure (VDI)

Implementing a Virtual Desktop Infrastructure (VDI) can improve security and provide the bank with more
control over the apps and data that are accessible from remote devices. VDI makes it possible for staff
members to use a virtualized desktop environment that is hosted on centralized servers, guaranteeing that
data stays inside the bank's secure environment.

Data Loss Prevention (DLP)

Implementing a Data Loss Prevention (DLP) solution is crucial given the sensitivity of the financial data
the bank handles. DLP tools can keep an eye on and regulate the transmission of sensitive data, preventing
the leak or unauthorized disclosure of private data.

Secure Remote Collaboration Tools

Employees need safe channels for cooperation and communication when working remotely. The bank
ought to think about installing secure remote collaboration tools, such as encrypted messaging platforms,
end-to-end encrypted virtual conference solutions, and secure file-sharing platforms, to guarantee that
private information is safeguarded during remote contact.

Incident Response and Business Continuity Plan

It is critical to improve current incident response and business continuity plans specifically for a work-
from-home scenario. This comprises precise rules for reporting and handling security problems, steps for
managing incidents remotely, and regular testing and validation of the plans to guarantee their efficacy.

It's vital to keep in mind that the usefulness of these tools and measures depends on several variables,
including the bank's specific needs, budget, and existing infrastructure. To customize the disaster recovery
plan to the needs of the bank specifically, it is advised to undertake a complete risk assessment and interact
with pertinent stakeholders, including the technical support team and management.

Conclusion
In this assignment, the security measures for protecting digital assets in enterprises are examined. Risk
assessments, access controls, improved network security, system update management, personnel training,
and the development of incident response plans are all given a lot of attention. Enterprises can implement
 these measures to safeguard their digital assets, lessen vulnerabilities, and lessen the impact of security
events.

Reference
(No date) Bing. Available at: https://www.bing.com/?%2Fth (Accessed: 19 July 2023).

Fruhlinger, J. (2020) What is information security? definition, principles, and jobs, CSO Online. Available
at: https://www.csoonline.com/article/3513899/what-is-information-security-definition-principles-and-
jobs.html#:~:text=Information%20security%2C%20sometimes%20abbreviated%20to,or%20physical
%20location%20to%20another. (Accessed: 16 May 2023).

Difference between active attack and PASSIVE ATTAC (no date) Tutorials Point. Available at:
https://www.tutorialspoint.com/difference-between-active-attack-and-passive-attack (Accessed: 22 May
2023).

Advisera (2023) ISO 13485:2016 Documentation Toolkit, 13485Academy. Available at:

https://advisera.com/13485academy/iso-13485-documentation-toolkit/ (Accessed: 20 July 2023).

Active and passive attacks in information security (2023) GeeksforGeeks. Available at:
https://www.geeksforgeeks.org/active-and-passive-attacks-in-information-security/ (Accessed: 20 July
2023).

A., J. (2023) WP-content uploads: What it is and how to upload files in WordPress, Hostinger Tutorials.
Available at: https://www.hostinger.com/tutorials/wordpress-content-uploads (Accessed: 20 July
2023).

Alimam Miya, By and Miya, A. (2023) What is computer network attacks?, Use My Notes. Available at:
https://usemynotes.com/computer-network-attacks/ (Accessed: 20 July 2023).

‘key information security concepts’ presentation slideshows (no date) SlideServe. Available at:
https://www.slideserve.com/search/key-information-security-concepts-ppt-presentation (Accessed: 20
July 2023).

What is information security: Policy, principles & threats: Imperva (2023) Learning Center. Available at:
https://www.imperva.com/learn/data-security/information-security-infosec/ (Accessed: 22 May 2023).

(No date a) What is information security risk? — riskoptics - reciprocity. Available at:
https://reciprocity.com/resources/what-is-information-security-risk/ (Accessed: 20 July 2023).

What are computer viruses?: Definition & types of viruses (no date) Fortinet. Available at:
https://www.fortinet.com/resources/cyberglossary/computer-virus (Accessed: 22 July 2023).

Toulas, B. (2022) Hackers breach software vendor for Magento Supply-Chain attacks, BleepingComputer.
Available at: https://www.bleepingcomputer.com/news/security/hackers-breach-software-vendor-for-
magento-supply-chain-attacks/ (Accessed: 22 July 2023).
Protect your devices and data from malware (no date) Microsoft Support. Available at:
https://support.microsoft.com/en-us/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-
71999008e026 (Accessed: 22 July 2023).

(No date) Start-up spyware company accidentally exposed its data online - izoologic. Available at:
https://izoologic.com/2018/11/08/start-spyware-company-germany-accidentally-exposed-data-online/
(Accessed: 22 July 2023).

Raposo, L. and Name (no date) Don’t be in the dark when it comes to malware, SNECS. Available at:
https://www.snecsllc.com/dont-be-in-the-dark-when-it-comes-to-malware/ (Accessed: 22 July 2023).

Ice (2019) Things you should do if you get a trojan virus, Web Safety Tips. Available at:
https://www.websafetytips.com/things-you-should-do-if-you-get-a-trojan-virus/ (Accessed: 22 July
2023).

Cyber security threats: Types & sources: Imperva (2023) Learning Center. Available at:
https://www.imperva.com/learn/application-security/cyber-security-threats/ (Accessed: 22 July 2023).

(No date) DDoS attack trends for Q1 2021 - cloudflare. Available at:
https://cf-assets.www.cloudflare.com/slt3lc6tev37/5UkCE0bVNndsnHAJvXs5LL/
d6b7d68c75daeca7fa313f5023646d86/BDES-1645_DDoS_Trends_Report_Q1-21_Report.pdf
(Accessed: 11 June 2023).

What is a DDOS attack: Types, prevention & remediation (no date) OneLogin. Available at:
https://www.onelogin.com/learn/ddos-attack (Accessed: 12 June 2023).

Security procedure (no date) Security Procedure - an overview | ScienceDirect Topics. Available at:
https://www.sciencedirect.com/topics/computer-science/security-procedure (Accessed: 22 July 2023).

What is network monitoring? (no date) IBM. Available at: https://www.ibm.com/topics/network-monitoring

(Accessed: 22 July 2023).

(No date a) Introduction of firewall in computer network - geeksforgeeks. Available at:

https://www.geeksforgeeks.org/introduction-of-firewall-in-computer-network/ (Accessed: 23 July
2023).

(No date) GeeksforGeeks. Available at:

https://media.geeksforgeeks.org/wp-content/cdn-uploads/20211005201108/GATE2021_QP_CS-1.pdf
(Accessed: 03 August 2023).

Imgur (no date) Imgur.com, Imgur. Available at: https://imgur.com/iXCwsPA (Accessed: 03 August 2023).

(No date a) Research article - researchgate | find and share research. Available at:
https://www.researchgate.net/profile/Michail-Michalos/publication/
341370438_Design_and_Implementation_of_Firewall_Security_Policies_using_Linux_Iptables/
links/5ec516bc299bf1c09acc07ee/Design-and-Implementation-of-Firewall-Security-Policies-using-
Linux-Iptables.pdf?origin=publication_detail (Accessed: 03 August 2023).

(No date a) Application assurance - stateful firewall. Available at:

https://documentation.nokia.com/html/0_add-h-f/93-0267-HTML/7X50_Advanced_Configuration_Gu
ide/AA-FW.html (Accessed: 03 August 2023).

What is a Next Gen Firewall (NGFW)? (no date) HPE Aruba Networking. Available at:
https://www.arubanetworks.com/faq/what-is-next-gen-firewall/ (Accessed: 03 August 2023).
Kaspersky (2023) What is VPN? how it works, types of VPN, www.kaspersky.com. Available at:
https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn (Accessed: 03 August 2023).

Types of virtual private network (VPN) and its protocols (2023) GeeksforGeeks. Available at:
https://www.geeksforgeeks.org/types-of-virtual-private-network-vpn-and-its-protocols/ (Accessed: 03
August 2023).

(No date a) Your guide to remote access VPN - greyson.com. Available at: https://www.greyson.com/wp-
content/uploads/2020/03/Greyson-Technologies-Remote-Access-VPN-Guide.pdf (Accessed: 03
August 2023).

WP-content: A beginner’s guide to wordpress’ most important directory (2023) MalCare. Available at:
https://www.malcare.com/blog/wp-content-uploads/ (Accessed: 03 August 2023).

Lutkevich, B. (2021) What is a DMZ in networking?, Security. Available at:

https://www.techtarget.com/searchsecurity/definition/DMZ (Accessed: 12 June 2023).

A., J. (2023) WP-content uploads: What it is and how to upload files in WordPress, Hostinger Tutorials.
Available at: https://www.hostinger.com/tutorials/wordpress-content-uploads (Accessed: 03 August
2023).

Gillis, A.S. (2020) What is a static IP address?, WhatIs.com. Available at:

https://www.techtarget.com/whatis/definition/static-IP-address#:~:text=A%20static%20IP%20address
%20is,that%20connects%20to%20the%20internet. (Accessed: 12 June 2023).

JasonGerend (no date) Ipconfig, Microsoft Learn. Available at: https://learn.microsoft.com/en-us/windows-

server/administration/windows-commands/ipconfig (Accessed: 04 August 2023).

What is Network Address Translation (nat)? (2023) Cisco. Available at:

https://www.cisco.com/c/en/us/products/routers/network-address-translation.html (Accessed: 04
August 2023).

Upravnik (2023) Static Nat, Study CCNA. Available at: https://study-ccna.com/static-nat/ (Accessed: 04
August 2023).

Upravnik (2023a) Dynamic nat, Study CCNA. Available at: https://study-ccna.com/dynamic-nat/ (Accessed:
04 August 2023).

Upravnik (2022) Port Address Translation (PAT) configuration, Study CCNA. Available at: https://study-
ccna.com/port-address-translation-pat-configuration/ (Accessed: 04 August 2023).

Cole, B. (2021) What is a risk assessment? - definition from whatis.com, Security. Available at:
https://www.techtarget.com/searchsecurity/definition/risk-assessment (Accessed: 12 June 2023).

What is a data center? (no date) IBM. Available at: https://www.ibm.com/topics/data-centers (Accessed: 04
August 2023).

Kittichais (2017) Big Data Icon set data center and centralized vector image on VectorStock, VectorStock.
Available at: https://www.vectorstock.com/royalty-free-vector/big-data-icon-set-data-center-and-
centralized-vector-16266121 (Accessed: 04 August 2023).

What is Data Protection: Principles, strategies & policies: Imperva (2023) Learning Center. Available at:
https://www.imperva.com/learn/data-security/data-protection/ (Accessed: 04 August 2023).
What is the ISO 31000 risk management standard? (2023) SafetyCulture. Available at:
https://safetyculture.com/topics/iso-31000-risk-management/ (Accessed: 04 August 2023).

3.bp.blogspot.com on Reddit.com • R/3.bp.blogspot.com (no date) reddit. Available at:

https://www.reddit.com/domain/3.bp.blogspot.com/ (Accessed: 04 August 2023).

Cole, B. (2014) What is it audit (Information Technology Audit)?: Definition from TechTarget, CIO.
Available at: https://www.techtarget.com/searchcio/definition/IT-audit-information-technology-
audit#:~:text=An%20IT%20audit%20is%20the,with%20the%20business’s%20overall%20goals.
(Accessed: 16 June 2023).

(No date) Bing. Available at: https://www.bing.com/?%2Fth (Accessed: 04 August 2023).

About Pam JahnkeGetting up at 2 in the morning might shock some of her listeners (2018) Symposium
brings stakeholders to the table, Mid. Available at:
https://www.midwestfarmreport.com/2018/04/03/symposium-brings-stakeholders-to-the-table/
(Accessed: 11 September 2023).

Gillis, A.S. (2022) What is a security audit? - definition from TechTarget, CIO. Available at:
https://www.techtarget.com/searchcio/definition/security-audit (Accessed: 18 June 2023).

MacNeill, B. (no date) Security & Audit Services. Available at: https://synapticvision.com/services/security
(Accessed: 11 September 2023).