SECURITY
GUIDEBOOK
GUSTO University
HND-45
AUNG KAUNG MAW
HND-45 Aung Kaung Maw
1 CONTENTS
2 Introduction ...................................................................................................................................... 3
3 What is IT Security? ...................................................................................................................... 4
4 Types of Security ............................................................................................................................ 5
4.1 Physical security ..................................................................................................................... 6
4.2 Computer Security ................................................................................................................. 6
4.3 Network Security .................................................................................................................... 6
4.4 IT Security................................................................................................................................. 6
4.5 Cybersecurity ........................................................................................................................... 7
4.6 Information Security ............................................................................................................. 7
5 Common Security Risks Found at GUSTO University ............................................................ 7
5.1 The organizational security procedures for GUSTO university ............................. 8
5.2 Importance of Security Procedures ................................................................................. 9
5.3 Key Components of a Comprehensive Security Plan................................................ 9
5.4 Challenges in Implementing and Maintaining Security Procedures .................... 9
6 Potential Impacts to IT Security of Incorrect Configuration of Firewall Policies and Third-Party VPNs ......... 10
7 How implementing a DMZ, static IP and NAT in a network can improve network security ......... 12
7.1 Implementing Static IP ...................................................................................................... 14
Better name resolution across the internet: ......................................................................... 15
Provide a better level of protection: ......................................................................................... 15
There are reduced lapses in connection: ................................................................................ 15
Download and upload speeds tend to be faster: ................................................................. 15
Remote access: ................................................................................................................................. 16
Reduces the risk of losing an important message: ............................................................. 16
Easier to locate shared devices:................................................................................................. 16
8 Implementing NAT ....................................................................................................................... 16
9 Propose a method to assess and treat IT security risks for the GUSTO university ......... 18
9.1 What is a security risk assessment? ............................................................................. 18
9.1.1 Identify and Prioritize Assets ................................................................................... 18
9.1.2 Identify Threats............................................................................................................. 19
9.1.3 Identification of vulnerabilities ................................................................................ 19
9.1.4 Analyze Controls ........................................................................................................... 20
9.1.5 Determine the Likelihood of an Incident ............................................................. 20
9.1.6 Assess the Impact a Threat Could Have ............................................................. 20
9.1.7 Prioritize Information Security Risks .................................................................... 21
9.1.8 Recommend Controls .................................................................................................. 21
9.1.9 Document the Findings .............................................................................................. 22
9.2 Risk Treatment for GUSTO University .......................................................................... 22
1. Establishing a Risk Management Framework: ...................................................... 22
2. Securing Infrastructure and Network: ..................................................................... 22
9.2.1 Data Protection: ............................................................................................................ 23
9.2.2 Enhancing Security Awareness and Training: ................................................... 23
Vendor and Third-Party Risk Management: ....................................................................... 23
9.2.3 Continuous Monitoring and Improvement: ........................................................ 24
10 The benefits of implementing network monitoring systems ................................... 24
10.1 1.Application performance ............................................................................................ 24
10.2 2.Network performance ................................................................................................. 25
10.3 3.Configuration, change and compliance management .................................... 25
10.4 4.IP Address management ........................................................................................... 25
10.5 5.Network security analysis ......................................................................................... 25
11 Physical and virtual security measures that can be employed to ensure the integrity of the IT security for GUSTO university ......... 26
11.1 Physical Security Measures:......................................................................................... 26
1. Access Control Systems: ............................................................................................... 26
2. Video Surveillance: .......................................................................................................... 26
3. Secure Perimeter: ............................................................................................................ 26
4. Environmental Controls: ................................................................................................ 26
5. Secure Equipment Disposal: ........................................................................................ 27
11.2 Virtual Security Measures: ........................................................................................... 27
1. Firewalls: ............................................................................................................................. 27
2. Intrusion Detection and Prevention Systems (IDPS): ....................................... 27
3. Encryption: ......................................................................................................................... 27
4. Strong Authentication and Access Controls: ......................................................... 27
5. Regular Patching and Updates: .................................................................................. 28
6. Security Awareness and Training: ............................................................................. 28
7. Incident Response and Business Continuity Planning: ...................................... 28
12 REFERENCES .............................................................................................................................. 28
2 INTRODUCTION
Welcome to your role as a Junior IT Security Specialist at Kernellix Security
Consultancy in Myanmar! Your manager has given you an important task:
creating an IT Security Guidebook for GUSTO University. GUSTO University is
a graduate school of Modern Business and Technology in Myanmar. It has
many people using its computer systems, like students, teachers, staff, and
people from outside. These people use digital systems to do their work and
share important information.
The digital systems at GUSTO University include things like learning
management systems, student information systems, online portals, and social
media platforms. It's very important to make sure these systems are secure.
This means keeping information safe, making sure it doesn't get changed
without permission, and making sure it's available when needed.
In this guidebook, we will talk about different ways to keep the systems at
GUSTO University secure. We will learn about things like passwords, who can
access the systems, and how to protect against bad things happening. By
understanding these important concepts, we can help GUSTO University keep
sensitive information safe and make sure everything runs smoothly.
So, let's get started on this exciting journey of learning about IT security and
how we can protect the important information at GUSTO University!
3 WHAT IS IT SECURITY?
IT security, which is also called cybersecurity, is an essential component of
modern information systems. Its main objective is to safeguard digital assets
such as hardware, software, networks, and data from unauthorized access,
use, modification, or destruction. Its significance lies in the fact that IT
security protects confidential information, prevents cyberattacks, and ensures
business continuity.
IT security is a multifaceted field that requires a range of measures and
technologies such as access control, encryption, authentication, firewalls,
intrusion detection and prevention systems, security policies and procedures,
and risk management.
Access control is a process that limits access to information and resources to
authorized users only while preventing unauthorized access using mechanisms
such as passwords, biometric identification, and multifactor authentication.
Encryption is the process of converting plaintext data into ciphertext, making
it unreadable to unauthorized parties and guaranteeing the confidentiality and
integrity of data in transit and storage.
Authentication verifies the identity of users and devices to ensure that only
authorized entities can access resources. This process can entail multifactor
authentication, such as requiring a password and a physical token or
fingerprint scan.
Firewalls and intrusion detection and prevention systems are used to monitor
network traffic and block or alert on suspicious activity, preventing or
mitigating cyberattacks. Security policies and procedures define rules and
guidelines for information security management and compliance. Risk
management entails identifying, evaluating, and minimizing information
security risks to reduce the impact of potential cyberattacks.
IT security aims to achieve three primary objectives: confidentiality, integrity,
and availability. Confidentiality ensures that sensitive information is kept
private and only accessible to authorized users. Integrity ensures that data is
trustworthy, accurate, and complete. Availability ensures that authorized
users can access information and resources when needed.
4 TYPES OF SECURITY
In modern society, security plays a crucial role, particularly in relation to
technology and digital systems. There are different types of security that are
in place to safeguard various aspects of our lives. This discussion will explore
some of the most common types of security.
4.1 PHYSICAL SECURITY
Physical security refers to measures taken to protect tangible assets such as
people, equipment, and property from unauthorized access, theft, or damage.
Examples of physical security include security guards, surveillance cameras,
and access control systems. Physical security is essential in various places
such as universities, banks, hospitals, and government buildings.
4.2 COMPUTER SECURITY
Computer security refers to measures taken to protect computer systems and
networks from unauthorized access or malicious attacks. This includes
software and hardware protection, password protection, antivirus software,
and firewalls. Computer security is essential in businesses, government
offices, and institutions where sensitive data is stored.
4.3 NETWORK SECURITY
Network security involves safeguarding computer networks from unauthorized
access or malicious attacks. This includes measures such as firewalls, intrusion
detection and prevention systems, and virtual private networks (VPNs).
Network security is essential for businesses, universities, and government
offices that rely on a secure network for communication.
4.4 IT SECURITY
Information technology (IT) security is the protection of digital assets such
as hardware, software, and data from unauthorized access, modification, or
destruction. This type of security includes measures such as firewalls,
encryption, and access control to prevent cyberattacks. IT security is crucial
for businesses and institutions that rely on digital systems to store and process
sensitive data.
4.5 CYBERSECURITY
Cybersecurity is a type of IT security that involves protecting digital assets
such as hardware, software, and data from unauthorized access, modification,
or destruction. This type of security includes measures such as firewalls,
encryption, and access control to prevent cyberattacks. Cybersecurity is
essential for businesses, universities, and government offices that rely on
digital systems to store and process sensitive data.
4.6 INFORMATION SECURITY
Information security involves the protection of sensitive data from
unauthorized access, modification, or destruction. This includes measures
such as data encryption, access control, and regular data backups.
Information security is crucial for businesses and institutions that handle
sensitive data such as personal information, financial data, and medical
records.
5 COMMON SECURITY RISKS FOUND AT GUSTO UNIVERSITY
GUSTO University is a prime target for security risks due to the large amount
of sensitive information it stores, including student data, research findings,
and financial information. GUSTO University faces a risk of cybersecurity
attacks, including malware infections, phishing attacks, and denial-of-service
attacks, which can lead to the theft of confidential information or disruptions
to essential systems. Additionally, GUSTO University may encounter the
following security risks:
1. Data breaches: These can occur due to human error, system failures, or
cyberattacks, leading to the loss of sensitive data, legal consequences,
and harm to reputation.
2. Unauthorized access: Intruders may access restricted areas or computer
systems without permission, resulting in property damage or theft of
confidential information.
3. Intellectual property theft: The university may be at risk of losing intellectual
property, particularly in relation to patented technologies and research
findings.
4. Physical security threats: Physical security risks, such as theft, violence,
and vandalism, are also possible in university settings.
5. Insider threats: Members of the university community, including
students, faculty, and staff, may intentionally or inadvertently share
confidential information or compromise security systems.
5.1 THE ORGANIZATIONAL SECURITY PROCEDURES FOR GUSTO UNIVERSITY
GUSTO university is required to have strong security measures to protect its
digital assets and sensitive data. With the increasing number of cyber threats,
it is essential for universities to be proactive in implementing effective security
procedures. This study evaluates the security procedures for GUSTO university
and emphasizes the importance of security procedures, key components of a
comprehensive security plan, and challenges in implementing and maintaining
security procedures.
5.2 IMPORTANCE OF SECURITY PROCEDURES
GUSTO university stores significant amounts of sensitive data, including
student records, research findings, and financial information. To protect such
data from unauthorized access, modification, or destruction, security
procedures are necessary. These procedures help safeguard against
cyberattacks and ensure the confidentiality, integrity, and availability of data.
Additionally, security procedures assist the university in complying with legal and
regulatory requirements.
5.3 KEY COMPONENTS OF A COMPREHENSIVE SECURITY PLAN
A comprehensive security plan for GUSTO university should comprise several
key components, such as risk assessment, access control, data encryption,
and an incident response plan. Risk assessment is necessary to identify
potential threats and vulnerabilities to the university's digital assets and
sensitive data. Access control procedures must be implemented to prevent
unauthorized access to sensitive data. Data encryption should be utilized to
protect sensitive data from unauthorized access or theft. An incident response
plan must be developed to address security breaches or other incidents that
may compromise the university's digital assets and sensitive data. The plan
should include procedures for detecting, containing, and mitigating security
incidents.
5.4 CHALLENGES IN IMPLEMENTING AND MAINTAINING SECURITY PROCEDURES
Implementing and maintaining security procedures can be challenging for
GUSTO university. One of the main challenges is keeping up with the
continuously evolving threats and technologies. Cyber threats are constantly
changing, and the university must stay alert to implement new security measures
to address emerging threats. Another challenge is ensuring that security
procedures do not hinder the regular operations of the university. Security
measures should be implemented in a way that is transparent and does not
obstruct the work of students and staff.
6 POTENTIAL IMPACTS TO IT SECURITY OF INCORRECT CONFIGURATION OF
FIREWALL POLICIES AND THIRD-PARTY VPNS
The increasing demand for secure data transmission in an organization leads
to a booming market of virtual private network (VPN) solutions. In addition,
the decentralized tendency of production facilities and the development of the
mobile workforce also increase the need for access to enterprise information
resources.
A misconfigured firewall can damage your organization in more ways than you
think. Firewalls are an essential part of your network security, and a
misconfigured firewall can damage your organization and give easy access to
an attacker. Here's where to look for the holes.
A misconfigured firewall policy results in two negative outcomes:
1. Desired traffic does not reach its intended destination:
   It was blocked.
   It was routed to the wrong destination.
   It could not be routed at all.
2. Undesirable traffic reaches a destination it should not.
Number 1 will likely be noticed fairly quickly when processes don't work as
expected.
Number 2 is usually worse. While it's possible this could cause some negative
consequence by accident, it's also a possible attack vector for individuals with
malicious intent.
A virtual private network (VPN) operates pretty much in binary mode: either
the secure connection is established or it isn't. If the secure connection does
not successfully complete, it is not possible to send traffic to the secured
resources, so there is little room for security breaches. However, security
breaches could still occur in subtle ways.
Another, more subtle potential security breach can occur when users randomly
change VPN client parameters, such as the pre-shared key. The value is
normally not known to the user, and this will result in the client not being
able to establish a VPN connection. The user will then try to obtain the
correct VPN configuration parameter to make the client work again. For
example, the key value could be observed or overheard during a phone
conversation.
If the VPN client includes other security-relevant functions, such as a client
firewall, things can get even more dicey. Changing critical client firewall rules
that are meant to protect the access device can introduce significant
vulnerabilities.
7 HOW IMPLEMENTING A DMZ, STATIC IP AND NAT IN A NETWORK CAN
IMPROVE NETWORK SECURITY
A demilitarized zone (DMZ) is a networking area or sub-network that is
isolated from the organization's overall connected footprint using logical or
physical blocks, providing secure access to untrusted connections. It is a
component of a network that houses network-facing features or services,
most often servers. In a particular Local Area Network (LAN), the area
referred to as the DMZ is separated from the network's essential components,
such as devices and databases.
The Local Area Network of the Organization may host the firewall's installation
and configuration.
The network's common services, such as the mail, web, and DNS services,
must be accessible to the general public, though, or else performance would
suffer. Because of this, external attacks can still happen through these
services (and the servers they are connected to). Then, these network
components that are exposed to the outside world should be separated into
DMZ subnetworks in order to safeguard the internal system of the Local Area
Network that houses company devices and data against attacks. The LAN of
the Organization will be separated from the Internet by the DMZ. Between the
DMZ and the LAN, a security gateway that resembles a firewall is present to
filter out harmful traffic.
The servers inside the DMZ are unprotected from the outside, making them
open to attack. The Dual Firewall DMZ, which incorporates an external firewall
that filters traffic from external networks, was created to address this issue.
By establishing the DMZ network, which will shield their local area network
from untrusted traffic and enable access management, the organization will
have an additional layer of safety. For instance, the organization's Local Area
Network might have access to the database as well as a mail server for
receiving and sending emails. When the mail server is placed inside the DMZ,
it keeps access to the database while avoiding direct contact with untrusted
traffic, which could lead to attacks on the internal services of the network.
Since hackers would need to get past two firewalls to access internal networks,
a greater level of security ensures that only genuine traffic can enter the DMZ.
As a result, it is extremely difficult for hackers to breach internal networks. A
DMZ may also have a proxy server, which centralizes internal network activity
and makes it easier to monitor and record that traffic.
An organization can securely access essential internet services through a DMZ
network. By acting as a middleman, it stops attackers from conducting
reconnaissance to identify potential targets.
The internal firewall safeguards the private network if a DMZ system is
corrupted while preventing outside monitoring. Because of this, compromising
one network node does not compromise the entire system.
By creating a fake IP address and pretending to be a signed-in, approved
device, attackers may try to gain access to systems. While another service
verifies the IP address, a DMZ can identify and stop any spoofing efforts. A
safe area for traffic organization and public service access separate from the
company's private network is made possible by network fragmentation thanks
to the DMZ.
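As an added illustration of the two firewall-misconfiguration outcomes from section 6 and of the dual-firewall DMZ just described (example code, not from the guidebook): a first-match rule evaluator that checks a flow against every firewall on its path, flags rules that can never fire, and reports which flows are wrongly blocked or wrongly admitted. The addresses, rule names and expected flows are constructed.

```python
# Added example (constructed topology and rules), not from the guidebook.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str
    port: Optional[int]   # None means any destination port
    name: str


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    port: int


# Constructed addresses (documentation ranges, not a real deployment).
ANY, DMZ, LAN = "0.0.0.0/0", "192.0.2.0/24", "10.10.0.0/16"
WEB, MAIL, DB = "192.0.2.80", "192.0.2.25", "10.10.5.10"
INTERNET_HOST = "203.0.113.7"

# External firewall: only the public services inside the DMZ are reachable.
EXTERNAL_FW = [
    Rule("allow", ANY, WEB, 443, "public-https"),
    Rule("allow", ANY, MAIL, 25, "inbound-smtp"),
    Rule("allow", ANY, DMZ, 53, "public-dns"),
    Rule("deny", ANY, LAN, None, "no-direct-lan"),
]
# Internal firewall: the mail server keeps its database access, nothing else.
INTERNAL_FW = [
    Rule("allow", MAIL, DB, 5432, "mail-to-db"),
    Rule("deny", DMZ, LAN, None, "dmz-to-lan-default-deny"),
]
# Misconfiguration: a "temporary" allow-all rule left at the top of the list.
BAD_EXTERNAL_FW = [Rule("allow", ANY, ANY, None, "temp-allow-all")] + EXTERNAL_FW


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.port in (None, flow.port))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def path_decision(flow: Flow, external: List[Rule] = EXTERNAL_FW,
                  internal: List[Rule] = INTERNAL_FW) -> str:
    """A flow is allowed only if every firewall on its path allows it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    hops = []
    if src not in ip_network(DMZ) and src not in ip_network(LAN):
        hops.append(external)          # arriving from the Internet
    if dst in ip_network(LAN) and src not in ip_network(LAN):
        hops.append(internal)          # crossing into the LAN
    return "allow" if all(evaluate(r, flow) == "allow" for r in hops) else "deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers every
    packet they would match: a classic sign of a broken policy."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.port in (None, later.port)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed expectations: what the policy is meant to do.
EXPECTED = [
    (Flow("public web", INTERNET_HOST, WEB, 443), "allow"),
    (Flow("ssh to web from Internet", INTERNET_HOST, WEB, 22), "deny"),
    (Flow("Internet straight to database", INTERNET_HOST, DB, 5432), "deny"),
    (Flow("mail server to database", MAIL, DB, 5432), "allow"),
    (Flow("web server to database", WEB, DB, 5432), "deny"),
]


def audit(external: List[Rule], internal: List[Rule]) -> Dict[str, List[str]]:
    """Outcome 1 = wanted traffic blocked; outcome 2 = unwanted traffic admitted."""
    report = {"blocked": [], "leaked": [],
              "shadowed": shadowed_rules(external) + shadowed_rules(internal)}
    for flow, wanted in EXPECTED:
        got = path_decision(flow, external, internal)
        if wanted == "allow" and got == "deny":
            report["blocked"].append(flow.label)
        elif wanted == "deny" and got == "allow":
            report["leaked"].append(flow.label)
    return report
```

With the bad policy the audit reports SSH to the web server leaking in from the Internet, while the Internet-to-database flow is still denied by the internal firewall, which is the dual-firewall point made above.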
7.1 IMPLEMENTING STATIC IP
Static IP addresses remain permanently the same as the ISP issued them and do
not need to be reassigned. However, because it is given out by the DHCP server,
a dynamic IP address will always fluctuate, which is bad for business. As a
result, in some areas of an organization's LAN, setting up static IP is
preferred to dynamic IP due to the following advantages that static IP may
provide.
BETTER NAME RESOLUTION ACROSS THE INTERNET: When a static IP address is
given to a device, it can be reliably reached by using its assigned host name
instead of an IP address. As a result, FTP servers, web servers, and other
related components use fixed addresses. They are not dynamic; therefore
finding them doesn't require monitoring changes to them.
PROVIDE A BETTER LEVEL OF PROTECTION: A static IP address stays fixed while a
dynamic IP address keeps changing, so choosing a static address over DHCP
address assignment gives you a benefit. Your network gains an additional layer
of defense against potential network security problems when you use a static
IP address.
THERE ARE REDUCED LAPSES IN CONNECTION: You can experience lapses in
internet connectivity if your ISP (or business) assigns you a dynamic IP
address. Some of these breaks might just last a moment, while others might
require a restart of your hardware. Despite the fact that this is frequently
referred to as a "ping," what is truly occurring is a lack of recognition. When
your IP address changes, it becomes more challenging to find you. Because a
static IP address never resets, it solves this issue, which is advantageous for
users of high bandwidth.
DOWNLOAD AND UPLOAD SPEEDS TEND TO BE FASTER: When a static IP address is
assigned to your device, access to content is frequently quicker since static IP
addresses have less discrepancies. The speed fluctuations might not matter if
you have DSL. However, for high-speed internet users, the variations may
exceed one megabit. You should compare the two options if you frequently
download or upload large files to the internet in order to determine which is
best for you.
REMOTE ACCESS: You can connect to your computer (or other device) from any
location in the world if it has a static IP address. As long as the gadget is
powered on and linked to the internet, you can examine your data. This makes
using a VPN's advantages, staying in touch with people, and working on tasks
while on the road easier.
REDUCES THE RISK OF LOSING AN IMPORTANT MESSAGE: If you use a dynamic IP
address instead of a static IP address for your server, you may not get all
messages sent to you. When the dynamic IP address changes, any messages
sent to the previous address are lost until the DNS records are restored. This
is never an issue with a static IP address. Your address remains constant at
all times, so you'll always know when someone is attempting to contact you.
EASIER TO LOCATE SHARED DEVICES: It is simpler to locate the equipment if
multiple employees need to use the same networked printer when the
connection is made with a static IP address. You can search for items by name
when using shared printers, which are used in some offices. Printing can take
a long time if the printers were given a dynamic IP address.
8 IMPLEMENTING NAT
NAT, or Network Address Translation, is the process of converting a network's
private IP addresses to a public IP address (a single address or a collection
of addresses) in order to connect to the internet. NAT is often built into the
router or available as a separate device.
Static NAT: This kind of NAT maps a single private IP address to a certain
public IP address (1:1) and does not change.
Dynamic NAT: In this type of NAT, a collection or pool of particular public IP
addresses is designated to correspond with the private IP addresses of the
local network. Although the mappings created by dynamic NAT are temporary,
there is still a 1:1 link.
PAT (Port Address Translation): In contrast to the first two, PAT translates
internal IP addresses into a single public address via a many-to-one
relationship.
The fundamental objective of NAT deployment is to reduce the shortage of
public IPv4 addresses. The cost will be considerable since there won't be as
many IPv4 addresses available if every device on the network has its own
public IP address. NAT should be used as a result because it will benefit the
business. Furthermore, implementing NAT can add an additional layer of
protection because only public IP addresses—not private IP addresses—are
revealed, concealing the original source and destination addresses.
It stops the use of IPv4 addresses from running out. By hiding the original
source and destination addresses, it may be able to provide an additional level
of security. When you connect to the open Internet, you have more choices.
You can use your own personal IPv4 addressing scheme and prevent internal
address changes in the event that you move service providers thanks to it.
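An added example, not part of the guidebook, that models the static NAT (1:1) and PAT (many-to-one) translation tables described above and shows why a PAT device drops inbound packets that belong to no session opened from inside; all addresses and ports are constructed.

```python
# Added example (constructed addresses), not from the guidebook: a minimal
# model of static NAT (1:1) and PAT (many-to-one) translation tables.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """1:1 NAT: a fixed private<->public pair, so inbound connections to the
    public address always land on the same inside host (typical for a server)."""

    def __init__(self, mappings: Dict[str, str]):
        self.priv_to_pub = dict(mappings)
        self.pub_to_priv = {pub: priv for priv, pub in mappings.items()}

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        pub = self.priv_to_pub.get(pkt.src_ip)
        return None if pub is None else replace(pkt, src_ip=pub)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        priv = self.pub_to_priv.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)


class PortAddressTranslator:
    """PAT: every inside host shares one public address; sessions are told
    apart by the public source port the translator allocates."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, remote ip, remote port) -> public port
        self.sessions: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.sessions[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Replies are mapped back to the inside host that opened the session.
        A packet with no matching session is dropped (returns None): this is
        what hides inside addresses and blocks unsolicited inbound connections,
        the "additional layer of protection" mentioned above."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        return None if inside is None else replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def pat_demo() -> dict:
    """Two inside hosts using the same source port reach one remote server."""
    pat = PortAddressTranslator("198.51.100.1")
    host_a = Packet("192.168.1.10", 51000, "203.0.113.5", 443)
    host_b = Packet("192.168.1.11", 51000, "203.0.113.5", 443)
    out_a, out_b = pat.translate_out(host_a), pat.translate_out(host_b)
    reply_to_a = Packet("203.0.113.5", 443, "198.51.100.1", out_a.src_port)
    unsolicited = Packet("203.0.113.99", 4444, "198.51.100.1", 3389)
    return {
        "public_src": [(out_a.src_ip, out_a.src_port), (out_b.src_ip, out_b.src_port)],
        "reply_delivered_to": pat.translate_in(reply_to_a),
        "unsolicited_delivered_to": pat.translate_in(unsolicited),
        "sessions": len(pat.sessions),
    }


def static_demo() -> dict:
    """A DMZ web server with a dedicated public address (1:1 mapping)."""
    nat = StaticNAT({"192.168.1.80": "198.51.100.80"})
    inbound = Packet("203.0.113.5", 50123, "198.51.100.80", 443)
    return {
        "inbound_to": nat.translate_in(inbound),
        "unknown_public_ip": nat.translate_in(replace(inbound, dst_ip="198.51.100.81")),
    }
```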
9 PROPOSE A METHOD TO ASSESS AND TREAT IT SECURITY RISKS FOR THE
GUSTO UNIVERSITY
9.1 WHAT IS A SECURITY RISK ASSESSMENT?
Cybersecurity risk assessment refers to the systematic procedure of
recognizing and appraising potential risks faced by assets susceptible to
cyberattacks. In essence, it involves the identification and evaluation of both
internal and external threats, assessing their potential ramifications on factors
such as data accessibility, confidentiality, and integrity, and estimating the
financial implications associated with experiencing a cybersecurity incident.
Armed with this information, organizations can customize their cybersecurity
measures and data protection controls to align with their specific risk tolerance
levels.
IT security risk management plays a crucial role in the overall management
process of a company. It involves the identification, evaluation,
communication, and acceptance of IT security risks.
1. Methods for evaluating IT risks
To analyze security risks in computer systems, a clear and defined
process can be followed. The following steps are elaborated upon in
subsequent sections:
9.1.1 Identify and Prioritize Assets
Assets refer to anything that holds value for an organization, including
hardware, software, data, buildings, infrastructure, products,
knowledge sources, customer relationships, and reputations. To assess
the risk, the security requirements of each asset need to be evaluated
based on their value. This evaluation may consider factors such as the
cost of replacement or reconstruction, the asset's significance to
business operations, the value of lost or destroyed data or assets, or the
value of missed business opportunities. This evaluation of values and
potential consequences is known as an "impact assessment."
9.1.2 Identify Threats
Threats encompass any actions or events that have the potential to
harm an organization. There are various types of threats that an
organization may face, including environmental factors (e.g., floods,
lightning, storms, earthquakes), organizational deficiencies (e.g., ill-defined
responsibilities), human errors (e.g., sending emails to the wrong
address, missing important dates, writing passwords on stickers),
technical errors (e.g., hardware failures, short circuits, hard disk
failures), and intentional acts (e.g., hacking, phishing, fraud, use of
malicious code, theft). Threats can arise from sources such as
vandalism, espionage, or human mistakes and accidents. In the case of
the first two sources, the severity of the threat depends on the motive
behind the threat and the attractiveness of the asset.
9.1.3 Identification of vulnerabilities
Vulnerabilities represent weaknesses in an asset that can be exploited
by one or more threats. These weaknesses can exist in various aspects
of an IT system, including hardware, software, organizational structure,
infrastructure, and personnel. Different types of security vulnerabilities
exist, such as physical vulnerabilities (e.g., lack of access control,
inadequate protection), software vulnerabilities (e.g., absence of
security patches, absence of antivirus software), and network
vulnerabilities (e.g., absence of network segmentation, insecure ports,
connections to untrusted parties). Conducting tests on the IT system is
an essential approach to identifying weaknesses. These tests can involve
security and assessment procedures, penetration testing techniques,
and automated vulnerability scanning tools.
9.1.4 Analyze Controls
Analyze the effectiveness of the controls that are currently in place or under
development to minimize or eliminate the likelihood of a threat exploiting a
vulnerability. Technical controls include encryption, intrusion detection
mechanisms, and identification and authentication solutions. Non-technical
controls encompass security policies, administrative actions, and physical and
environmental safeguards.
Both technical and non-technical controls can be further classified as
preventive or detective. Preventive controls aim to anticipate and prevent
attacks, such as encryption and authentication devices. Detective controls are
employed to identify ongoing or past threats, including audit trails and
intrusion detection systems.
9.1.5 Determine the Likelihood of an Incident
Evaluate the likelihood that a vulnerability will be exploited, considering the
nature of the vulnerability, the capabilities and motivations of potential threat
sources, and the presence and effectiveness of existing controls. Instead of
assigning numerical scores, many organizations utilize categories such as
high, medium, and low to assess the probability of an attack or other adverse
event.
9.1.6 Assess the Impact a Threat Could Have
Analyze the potential consequences of an incident on the affected asset,
considering factors such as:
• The asset's mission and its importance to related processes
• The asset's value to the organization
• The asset's sensitivity
To gather this information, refer to a business impact analysis (BIA) or
mission impact analysis report. This document utilizes quantitative or
qualitative methods to determine the impact of harm to the organization's
information assets, encompassing aspects like loss of confidentiality,
integrity, and availability. The impact on the system can be qualitatively
evaluated as high, medium, or low.
9.1.7 Prioritize Information Security Risks
For each threat/vulnerability combination, assess the level of risk to the IT
system based on the following factors:
• The likelihood of the threat exploiting the vulnerability
• The estimated cost associated with each occurrence
• The adequacy of the existing or planned information system security
controls in mitigating or reducing the risk
A risk-level matrix is a helpful tool for estimating risk in this manner. A
high likelihood of the threat occurring is assigned a value of 1.0, medium
likelihood receives 0.5, and low likelihood is rated as 0.1. Similarly, a high
impact level is given a value of 100, medium impact level 50, and low impact
level 10. Risk is calculated by multiplying the threat likelihood value by the
impact value, and risks are categorized as high, medium, or low based on the
result.
9.1.8 Recommend Controls
Based on the determined level of risk, identify appropriate actions to mitigate
the risk. Here are general guidelines for each risk level:
• High: Develop a plan for corrective measures promptly.
• Medium: Develop a plan for corrective measures within a reasonable
timeframe.
• Low: Decide whether to accept the risk or implement corrective actions.
When evaluating controls to mitigate each risk, consider factors such as
organizational policies, cost-benefit analysis, operational impact,
feasibility, applicable regulations, overall effectiveness of recommended
controls, safety, and reliability.
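As an added example (not part of the guidebook), the risk-level matrix of 9.1.7 and the response guidance of 9.1.8 combined into a small Python risk-register calculator. The likelihood and impact values are the ones stated above; the band boundaries (above 50 high, above 10 medium, otherwise low) and the sample register entries are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Likelihood and impact values as stated in 9.1.7.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Response guidance per risk level, as stated in 9.1.8.
ACTION = {
    "high": "Develop a plan for corrective measures promptly.",
    "medium": "Develop a plan for corrective measures within a reasonable timeframe.",
    "low": "Decide whether to accept the risk or implement corrective actions.",
}

@dataclass(frozen=True)
class RiskItem:
    threat: str
    vulnerability: str
    asset: str
    likelihood: str  # "high" | "medium" | "low"
    impact: str      # "high" | "medium" | "low"

def risk_score(likelihood, impact):
    """Risk = likelihood value x impact value (9.1.7)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]

def risk_level(score):
    """Band boundaries are an assumption (the guidebook does not state them)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"

def prioritize(items):
    """Sort threat/vulnerability pairs highest risk first, with level and action."""
    ranked = sorted(items, key=lambda it: risk_score(it.likelihood, it.impact), reverse=True)
    result = []
    for it in ranked:
        score = risk_score(it.likelihood, it.impact)
        level = risk_level(score)
        result.append((it, score, level, ACTION[level]))
    return result

# Constructed sample register for a university IT environment (not real data).
SAMPLE_REGISTER = [
    RiskItem("phishing", "no MFA on staff e-mail", "staff mailboxes", "high", "high"),
    RiskItem("hard disk failure", "untested backups", "student records database", "medium", "high"),
    RiskItem("flood", "server room at ground level", "data centre", "low", "high"),
    RiskItem("password written on sticker", "no awareness training", "lab workstations", "medium", "low"),
]
```

Calling prioritize(SAMPLE_REGISTER) ranks the phishing item first (score 100, high) and the sticker item last (score 5, low), each paired with the 9.1.8 action for its level.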
9.1.9 Document the Findings
The final step in the risk assessment process is to create a risk assessment
report that supports management in making informed decisions regarding
budget, policies, procedures, and other relevant aspects. The report should
describe the vulnerabilities associated with each threat, the assets at risk, the
impact on the IT infrastructure, the likelihood of occurrence, and the
recommended controls.
9.2 RISK TREATMENT FOR GUSTO UNIVERSITY
The following risk treatment measures are specifically tailored for an
information technology university:
1. Establishing a Risk Management Framework: Create a well-structured
framework encompassing risk identification, assessment, mitigation, and
monitoring processes. This framework should adhere to industry best
practices and account for the unique IT risks faced by the university.
2. Securing Infrastructure and Network:
a. Implementation of Firewalls and Intrusion Detection Systems: Deploy
firewalls at network boundaries to regulate incoming and outgoing traffic.
Employ intrusion detection and prevention systems to identify and respond to
potential threats.
b. Regular Vulnerability Assessments and Patch Management: Conduct
periodic vulnerability assessments to identify weaknesses within the IT
infrastructure. Promptly apply security patches and updates to mitigate
known vulnerabilities.
c. Network Segmentation: Divide the network into segments to isolate critical
systems and sensitive data from the rest of the network. This approach
minimizes the potential impact of security breaches or unauthorized access.
9.2.1 Data Protection:
a. Utilizing Data Encryption: Employ encryption techniques to safeguard
sensitive data both during storage and transmission. Implement robust
encryption algorithms for data storage, communication channels, and backup
processes.
b. Data Backup and Disaster Recovery: Establish a robust backup strategy to
ensure data integrity and availability. Regularly test and validate the
restoration process. Develop disaster recovery plans to effectively recover
from major incidents.
c. Implementing Access Controls: Enforce role-based access controls (RBAC)
to restrict user access based on their job responsibilities. Implement strong
password policies, multi-factor authentication, and periodic password
changes.
9.2.2 Enhancing Security Awareness and Training:
a. Conducting Regular Security Awareness Training: Educate students,
faculty, and staff on IT security best practices, including awareness of
phishing, social engineering, and safe browsing habits.
b. Incident Response and Reporting: Establish clear procedures for incident
response to enable swift and coordinated actions. Encourage reporting of
potential security breaches or suspicious activities.
Vendor and Third-Party Risk Management: Assess the security
controls and practices of third-party vendors and service providers.
Implement appropriate contracts and agreements to ensure adherence
to security standards, thereby protecting the university's data and
systems.
9.2.3 Continuous Monitoring and Improvement:
a. Performing Security Audits and Assessments: Regularly conduct security
audits and assessments to identify potential vulnerabilities and evaluate the
effectiveness of security controls.
b. Staying Informed about Security Trends: Remain up to date on emerging
threats, vulnerabilities, and best practices in IT security. Monitor relevant
industry news, engage in security communities, and leverage threat
intelligence sources.
c. Analyzing Incidents and Implementing Lessons Learned: Conduct thorough
post-incident analysis to comprehend the underlying causes of security
incidents. Apply the knowledge gained to enhance existing security controls
and prevent future incidents.
10 THE BENEFITS OF IMPLEMENTING NETWORK MONITORING SYSTEMS
Network monitoring broadly covers monitoring all elements of a network,
including servers, routers, firewalls, traffic and bandwidth, network device
configurations, and the applications hosted on them.
Holistic network monitoring does not end with collecting and presenting
information. The following are a few key aspects of network monitoring:
10.1 APPLICATION PERFORMANCE
• Application Discovery and Dependency Mapping (ADDM)
• Anomaly detection
• Fault management with root cause analysis
10.2 NETWORK PERFORMANCE
• Health, availability and performance of the network and its devices
• Fault detection, alerts and troubleshooting
• Network visualization and usage trends
• Capacity planning
• Bandwidth usage analysis
• Network traffic analysis (based on speed, usage, packets and volume)
• QoS policy performance monitoring
• Traffic shaping
• WLC (wireless LAN controller) monitoring (usage by SSID, access points, clients and apps)
10.3 CONFIGURATION, CHANGE AND COMPLIANCE MANAGEMENT
• Configuration backup
• Real-time change tracking
10.4 IP ADDRESS MANAGEMENT
• Switch port mapping
• MIB browser
10.5 NETWORK SECURITY ANALYSIS
• Firewall policy management
• Log analysis
• Anomaly alerts
• Firewall compliance and device management
To understand and troubleshoot network issues effectively, it is imperative
that all the elements of a network are monitored centrally and that the
alerts are correlated.
Examples of network monitoring tools are:
1. SolarWinds Network Performance Monitor
2. Auvik
3. Datadog Network Monitoring
4. Paessler PRTG Network Monitor
11 PHYSICAL AND VIRTUAL SECURITY MEASURES THAT CAN BE EMPLOYED TO
ENSURE THE INTEGRITY OF THE IT SECURITY FOR GUSTO UNIVERSITY
11.1 PHYSICAL SECURITY MEASURES:
1. Access Control Systems: Implementation of access control systems
is essential to restrict physical access to IT facilities, data centers, server
rooms, and other sensitive areas. Methods such as key cards, biometric
authentication, or security guards can be employed to ensure that only
authorized individuals are granted entry.
2. Video Surveillance: Installing video surveillance cameras in critical
locations within IT facilities serves the purpose of monitoring and
recording activities. This measure acts as a deterrent against
unauthorized access, provides evidential support in the event of security
incidents, and aids in the identification of culprits.
3. Secure Perimeter: To safeguard IT facilities, physical barriers, fencing,
gates, and locks should be implemented to establish a secure perimeter.
This serves to prevent unauthorized entry and facilitates better control
and monitoring of access points.
4. Environmental Controls: Measures should be taken to protect IT
equipment from potential environmental hazards such as fire, water
damage, or temperature fluctuations. This can include the
implementation of fire suppression systems, water leak detection
systems, and environmental monitoring systems to ensure optimal
conditions for the IT infrastructure.
5. Secure Equipment Disposal: Establishing protocols for the proper
disposal of IT equipment is crucial in preventing data leakage. This
involves employing secure data wiping or destruction methods for
storage devices before they are disposed of.
11.2 VIRTUAL SECURITY MEASURES:
1. Firewalls: Implementation of firewalls at network boundaries is crucial
for monitoring and controlling incoming and outgoing network traffic.
This acts as a filtering mechanism to identify and block malicious traffic
and unauthorized access attempts.
2. Intrusion Detection and Prevention Systems (IDPS): The
deployment of IDPS solutions allows for the monitoring of network traffic
and the identification of suspicious or malicious activities. Such systems
have the capability to automatically block or notify administrators of
potential security breaches.
3. Encryption: Utilizing encryption techniques is vital to protect sensitive
data during transmission and while at rest. This involves encrypting data
stored on servers, laptops, and portable devices, as well as utilizing
secure communication protocols like HTTPS for data transmission.
4. Strong Authentication and Access Controls: Enforcing strong
authentication mechanisms, such as two-factor authentication (2FA) or
multi-factor authentication (MFA), is crucial to verify the identity of
users accessing IT systems or sensitive data. Implementing access
controls based on the principle of least privilege helps restrict user
permissions to only what is necessary for their designated roles.
5. Regular Patching and Updates: Ensuring that software, operating
systems, and applications are regularly patched and updated with the
latest security patches and fixes is essential. This measure helps protect
against known vulnerabilities and exploits.
6. Security Awareness and Training: Conducting regular security
awareness and training programs for staff, faculty, and students is
important to educate them about safe computing practices, social
engineering threats, and the significance of maintaining strong
passwords and secure data handling procedures.
7. Incident Response and Business Continuity Planning: Developing
comprehensive incident response plans and business continuity plans is
crucial to effectively respond to security incidents, minimize their
impact, and recover IT operations in a timely manner.
12 REFERENCES