Unit 05 Security Assignment

The document outlines an assignment for a Higher National Diploma in Computing focused on security, specifically for METROPOLIS CAPITAL Bank. It includes guidelines for assessment, internal verification, and detailed activities for students to assess and recommend IT security solutions, risk management, and disaster recovery plans. The assignment emphasizes the importance of adhering to security protocols and proper documentation to avoid issues such as plagiarism.

lOMoARcPSD|50495251

Unit -05 - Security - Assignment

Higher National Diploma (ESOFT Metro Campus)



Downloaded by Hadi Ahmd ([email protected])

Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)


INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title BTEC Higher National Diploma in Computing

Oshada Lokuhetty
Assessor Internal Verifier
Unit 05: Security
Unit(s)
Providing a suitable security solution for METROPOLIS CAPITAL Bank
Assignment title
M H S K Jayasara / E181987
Student’s name
List which assessment criteria the Assessor has awarded: Pass Merit Distinction
INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student (give details):
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Does the assessment decision need amending? Y/N

Assessor signature Date
Internal Verifier signature Date
Programme Leader signature (if required) Date

M H S K Jayasara Unit 05 - Security Page |1



Confirm action completed
Remedial action taken
Give details:

Assessor signature Date
Internal Verifier signature Date
Programme Leader signature (if required) Date


Higher Nationals - Summative Assignment Feedback Form


Student Name/ID M H S K Jayasara / E1181987
Unit Title Unit 05: Security

Assignment Number 1 Assessor

Submission Date Date Received 1st submission
Re-submission Date Date Received 2nd submission
Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descripts P1 P2 M1 D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descripts P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descripts P5 P6 M3 M4 D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descripts P7 P8 M5 D3

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:


* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grades decisions have
been agreed at the assessment board.


Pearson
Higher Nationals in
Computing
Unit 5: Security


General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use the previous page as your cover
sheet and make sure all the details are accurately filled in.
2. Attach this brief as the first section of your assignment.
3. All assignments should be prepared using word processing software.
4. All assignments should be printed on A4 sized paper. Use single-sided printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and the font should be Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all headings are consistent in terms of font size and font style.
4. Use the footer function in the word processor to insert your Name, Subject, Assignment No, and Page Number on each
page. This is useful if individual sheets become detached for any reason.
5. Use the word processing application’s spell check and grammar check functions to help edit your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add text in the assignments, except for the compulsory information, e.g. figures,
tables of comparison etc. Adding text boxes in the body except for the before mentioned compulsory information will result
in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand-in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing) for
an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete
an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using the HARVARD referencing system
to avoid plagiarism. You have to provide both in-text citations and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to a REFERRAL
or at worst you could be expelled from the course.


Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own without
attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments for this
programme.
4. I declare therefore that all work presented by me for every aspect of my programme will be my own, and where
I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding agreement between
myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached.

[email protected] 2023/12/03
Student’s Signature: Date:
(Provide E-mail ID) (Provide Submission Date)


Assignment Brief
Student Name /ID Number M H S K Jayasara / E181987

Unit Number and Title Unit 5- Security

Academic Year 2022/23

Unit Tutor

Assignment Title METROPOLIS CAPITAL Bank

Issue Date

Submission Date

IV Name & Date

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:

LO1 Assess risks to IT security.


LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Assignment Brief and Guidance:


METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It
operates over 100 branches and 500 ATM machines across the island as well as 8 Branches overseas. In
order to provide their services, METROPOLIS CAPITAL Bank has a primary datacenter located in
Colombo and a Secondary datacenter located in Galle. Each branch and ATM must have connectivity to
the core banking system to be able to operate normally. In order to establish the connectivity between
datacenters, branches and ATM machines, each location has a single ISP link. This link provides VPN
services between branches, ATMs and datacenters as well as MPLS services for the bank and it
establishes connectivity between datacenters, ATMs, and branches.

METROPOLIS CAPITAL Bank's Head Office is a 5-storey building in Kollupitiya with the Ground
Floor allocated to Customer Services, the First Floor allocated to HR, the Second Floor allocated to
Meeting Rooms and Senior Executive Staff, the Third Floor allocated to the Technical Support Team
and the Fourth Floor hosting High Performance Servers running the core banking systems. The Fifth Floor is occupied by
other outside companies that are not related to METROPOLIS CAPITAL Bank. Besides
this, METROPOLIS CAPITAL Bank provides many services to customers, including online and mobile
banking facilities. Therefore, its core banking system must communicate with several outside systems,
and all communication between outside systems, the data centers and the Head Office is protected by a
single firewall. In addition, METROPOLIS CAPITAL Bank has recently implemented a bring your
own device (BYOD) concept for Senior Executive Staff and the HR Department, and to facilitate this they
provide employee WiFi as well as a guest WiFi hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several local and foreign IT service
vendors. Some local vendors provide services and support to foreign companies. METROPOLIS
CAPITAL Bank's Technical Support Team is a local third-party vendor, contracted by METROPOLIS
CAPITAL Bank and managed by its Supply Chain Management Officer. The Technical Support Team
provides onsite and remote support for its customers.

METROPOLIS CAPITAL Bank strictly follows the rules and regulations enforced by the government
and the Central Bank, and has therefore obtained ISO 31000:2009 certification. In addition,
the datacenters, branches, ATMs and HQ are covered by CCTV with 24x7 monitoring. Other security
functions such as VA scanning, internal auditing and security operations are carried out by the bank's own
employees. The bank has purchased a VA scanning tool, a Privileged Access Management (PAM)
system, an Endpoint Detection and Response (EDR) system, a Data Loss Prevention (DLP) tool, a Web
Application Firewall (WAF) and a Secure Mail Gateway, all of which are managed by the Technical Support
Team.

It has been reported that an emergency is likely to occur where a work from home situation may be
initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security
Analyst to recommend and implement a suitable Security solution to facilitate this situation.

Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL
Bank may face under its current status and evaluate a range of physical and virtual security measures
that can be employed to ensure the integrity of organizational IT security. You also need to analyze
the benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with
valid reasons in order to minimize security risks identified and enhance the organizational security.

Activity 02
2.1 Discuss how an incorrect/improper configuration of network infrastructure such as the firewall and VPN
could impact METROPOLIS CAPITAL Bank. Assess the IT security risks that may be faced by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can provide its employees with a
“Secure remote working environment”.

2.2. Discuss how the following technologies would benefit METROPOLIS CAPITAL Bank and its clients by
increasing network performance. (Support your answer with suitable illustrations.)
i) Static IP
ii) NAT
iii) DMZ


Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its clients.
Explain the mandatory data protection laws and procedures which will be applied to data storage solutions
provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management
methodology" and summarize the ISO 31000 risk management methodology and its application in IT
security. Analyze possible impacts to organizational security resulting from an IT security audit.
Recommend how IT security can be aligned with organizational Policy, detailing the security impact of
any misalignment.

Activity 04
4.1 Design and implement a suitable security policy to prevent misuse and exploitation at
METROPOLIS CAPITAL Bank, using organizational policy tools for the given scenario,
while evaluating and justifying the suitability of the tools used in an organizational policy to meet
business needs. Identify the stakeholders of METROPOLIS CAPITAL Bank and
describe the role of these stakeholders in building security audit recommendations for the organization.

4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank covering all its sites, to
guarantee maximum reliability to its clients. (The student must develop a PowerPoint-based presentation
which illustrates the recovery plan within 15 minutes, including justifications and reasons for the
decisions and options used.)


Grading Rubric
Grading Criteria Achieved Feedback

LO1 Assess risks to IT security
P1 Discuss types of security risks to organizations.
P2 Assess organizational security procedures.
M1 Analyze the benefits of implementing network monitoring systems with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that can be employed to ensure the integrity of organizational IT security.

LO2 Describe IT security solutions
P3 Discuss the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.
P4 Discuss, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.

LO3 Review mechanisms to control organizational IT security
P5 Review risk assessment procedures in an organization.
P6 Explain data protection processes and regulations as applicable to an organization.
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Analyze possible impacts to organizational security resulting from an IT security audit.
D2 Recommend how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.

LO4 Manage organizational security
P7 Design a suitable security policy for an organization, including the main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in implementing security audits.
M5 Justify the security plan developed giving reasons for the elements selected.
D3 Evaluate the suitability of the tools used in an organizational policy to meet business needs.


Contents
Activity 01 ................................................................................................................. 16
1.1. What is IT Security................................................................................................................................. 16
1.1.1. Vulnerability ................................................................................................................................... 16
1.2. Assets of Metropolis Bank as of now. ................................................................................................... 16
1.3. Types of Security Risks for METROPOLIS CAPITAL Bank's Assets: .................................................... 18
1.4. Assessment of Security Procedures: ................................................................................................. 19
1.5. The potential impacts of the identified security risks on METROPOLIS CAPITAL Bank. ................... 20
1.6. Physical and virtual security measures suggested to Metropolis Bank to mitigate the above risks 22
1.7. How do the above security measures contribute to the integrity of organizational IT security by
addressing the identified risks? ................................................................................................................... 23
Activity 02 ................................................................................................................24
2.1. Discuss about the potential effects on METROPOLIS CAPITAL Bank of an incorrect or poor
configuration for network infrastructure, such as a firewall or VPN. ......................................................... 24
2.1.1. Importance of Firewall and VPN for METROPOLIS CAPITAL Bank. ................................................ 24
2.1.2. Potential Impact of Incorrect Configuration of Firewall Policies and VPNs at METROPOLIS
CAPITAL Bank. .............................................................................................................................................. 26
2.2. Discuss how following technologies would benefit METROPOLIS CAPITAL Bank and its clients to increase network performance. .............................................................................................. 28
Activity 03................................................................................................................. 32
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its clients. ....... 32
3.1. Risk Assessment............................................................................................................................. 32
3.1.2. How is Metropolis Capital Bank's risk calculated? .................................................................... 33
3.1.3. Probability – Impact matrix for Metropolis Capital Bank. ............................................................. 33
3.1.4. Risk Assessment Table for Metropolis Capital Bank. ..................................................................... 34
3.2. Navigating the Data Protection at METROPOLIS CAPITAL Bank. ...................................................... 36
3.2.1. Data Protection Laws and Procedures. ...................................................................................... 37
3.2.2. Consequences of Non-Compliance................................................................................................ 38
Activity 04 ................................................................................................................ 39
4.1. Designing and implementing a comprehensive security policy for METROPOLIS CAPITAL Bank is
crucial to prevent misuse and exploitations of sensitive data. The security policy should align with the
organizational goals and the specific challenges faced by the bank. Below is a framework for creating an
effective security policy using organizational policy tools: ......................................................................... 39
4.1.1. Security policy for Metropolis Capital Bank............................................................................... 39
4.1.2. Password Guidelines for Metropolis Capital Bank. ................................................................... 41


4.1.3. Ethics Policy for Metropolis Capital Bank. ................................................................................. 44


4.1.4. Remote Access Policy for Metropolis Capital Bank. .................................................................. 47
4.2. Disaster Recovery Plan (DRP) for Metropolis Capital Bank. ............................................................. 49
4.2.1. Roles of Stakeholders in Implementing Security Audits. ............................................................... 53
4.3. Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to guarantee maximum reliability to their clients. ..................................................................... 56
References .................................................................................................................62


Figure 1 (VPN) .................................................................................................................................................. 27


Figure 2 dmz network (what-is-a-dmz) (Barracuda, 2020) ............................................................................ 28
Figure 3 Network Address Translation (Google Images search: network address translation (nat)) ................ 30
Figure 4 Probability – Impact matrix (https://www.stakeholdermap.com/risk/risk-assessment-matrix-
simple-3x3.html) .............................................................................................................................................. 33


Activity 01
1.1. What is IT Security

Cybersecurity, also known as information technology (IT) security, is a general name for a collection of
methods, policies, and technologies used to protect digital data and technology assets against attacks,
problems, and online threats. Protecting data and system availability, confidentiality, and integrity is the
main goal of IT security.

1.1.1. Vulnerability

A vulnerability in security refers to a weakness or opportunity in an information system that cybercriminals
can exploit to gain unauthorized access to a computer system. Vulnerabilities weaken systems and open
the door to malicious attacks.

1.2. Assets of Metropolis Bank as of now.


METROPOLIS CAPITAL Bank is a leading supplier of private banking services in Sri Lanka. It is proud
of the wide range of assets in its portfolio, which are important both to its daily business and to the trust of its
customers. These assets can usually be divided into two primary categories: physical assets and digital
assets.

• Physical Assets

1. Head Office Building

The Head Office of METROPOLIS CAPITAL Bank stands tall as a 5-story building located in
Kollupitiya. This strategically designed structure optimizes its space to efficiently cater to various
functions crucial for the bank's operations.
At the ground floor, a dedicated area is allocated for Customer Services, emphasizing accessibility and
convenience for clients engaging with the bank. Moving up to the first floor, this space is designated for
Human Resources (HR), focusing on the management and support of the bank's workforce.

M H S K Jayasara Unit 05 - Security P a g e | 16


Downloaded by Hadi Ahmd ([email protected])
lOMoARcPSD|50495251

The second floor is the central location for meeting rooms and senior executive staff, where key
workers collaborate and make decisions together. The Technical Support Team is based on the third floor,
providing a proactive approach to the maintenance and development of the bank's IT infrastructure.
The fourth floor is a critical space housing the High-Performance Servers that run the core banking systems.

2. Branches and ATM Machines

METROPOLIS CAPITAL Bank operates an extensive network of over 500 ATMs and over 100 branches
around the island, showing its wide reach. In addition, the bank now has eight locations abroad, extending
its reach throughout the world.

3. Data Centers

The bank has two data centers: the primary data center is located in Colombo and the secondary data center
is located in Galle.

4. Employee Devices:
As senior executive staff and HR departments have been implementing a "bring your own device" (BYOD)
policy, employee devices—such as laptops and smartphones—have become important for remote work and
daily operations.

• Digital Assets

1. Communication Systems: To maintain connectivity between the bank's various locations and external
systems, digital assets encompass communication infrastructure, including email, messaging, and secure
data transmission systems.

2. Agreements, Contracts, and NDAs: The bank's confidentiality agreements (NDAs), contracts, and annual
maintenance contracts (AMCs) with both local and global IT suppliers are essential digital records that
regulate the bank's relations with its technology partners.


3. Security Tools: The bank has invested in various security tools, including Vulnerability Assessment (VA)
scanning tools, Privilege Access Management (PAM) systems, Endpoint Detection and Response (EDR)
systems, Data Loss Prevention (DLP) tools, Web Application Firewalls (WAFs), and Secure Mail Gateways
to protect digital assets.

4. Platforms for Online and Mobile Banking: The bank's digital assets include its online and mobile banking
platforms, which let users access their accounts and easily complete transactions.

1.3. Types of Security Risks for METROPOLIS CAPITAL Bank's Assets:

• Health and Safety Incidents

Incidents related to health and safety in the bank's operations have the potential to cause disruptions and
even disasters that affect customers and employees.

• Natural Disasters

The bank is at risk of natural disasters like earthquakes, floods, or fires, which could
cause infrastructure damage and data loss at its branches, data centers, and headquarters.

• Equipment Failure

Hardware failures can affect the bank's physical assets, such as servers and ATMs, which might disrupt
services.

• Physical Intrusion

Physical assets, like servers and customer records, may be compromised by unauthorized access or theft at
branches, data centers, or head offices.


• Cyber Attacks

Digital assets are particularly vulnerable to cyberattacks, including ransomware, phishing, and malware,
which can result in financial losses and data breaches.

• Data Breaches

Unauthorized access to customer data or digital communication systems may lead to data breaches, which
could harm the bank's reputation and subject it to fines from regulators.

• Compliance Violations

Non-compliance with data protection regulations or cybersecurity standards may negatively impact the
bank's reputation and legal standing.

• Insider Threats

Employees having access to digital assets may misuse them deliberately or accidentally, which could
potentially result in data loss or disruptions to services.

1.4. Assessment of Security Procedures:

The security procedures at METROPOLIS CAPITAL Bank have notable strengths but also some areas that
require improvement:

Strengths

Security Tools: The bank's investment in various security tools, including Vulnerability Assessment (VA)
scanning tools, Privilege Access Management (PAM) systems, Endpoint Detection and Response (EDR)
systems, Data Loss Prevention (DLP) tools, Web Application Firewalls (WAFs), and Secure Mail
Gateways, reflects a proactive approach to digital asset security.


ISO 31000 Certification: The bank's compliance with ISO 31000:2009 standards shows its dedication to
systemic risk management and improves its capacity to identify and reduce a range of risks.

CCTV and round-the-clock monitoring: Robust physical security is provided by wide CCTV coverage
and 24/7 monitoring of vital areas, such as data centers and branches.

Areas for Improvement

Security Awareness Training: Increasing employee security awareness and training programs may help in
reducing the risk of security breaches, especially with regard to social engineering attacks.

Insider Threat Detection: Improving intrusion detection systems is essential for actively reducing external
security risks. Detecting suspicious activities can be made easier by implementing user behavior analytics
and monitoring.

Third-party Vendor Management: Given how much the bank depends on third-party vendors, greater
control and assessment of them is required. This involves evaluating their security protocols to make
sure they meet the bank's requirements.

Disaster Recovery Planning: The disaster recovery plan needs to be thoroughly reviewed, updated, and
tested on a regular basis to ensure that it is effective in protecting digital and physical assets during
emergencies.

1.5. The potential impacts of the identified security risks on METROPOLIS CAPITAL Bank.

a. Equipment Failure:
• Service Disruptions: Hardware failures in servers and ATMs have the potential to disrupt banking
services, affecting customer transactions and causing inconvenience. Extended downtime may lead to
financial losses and customer dissatisfaction.


b. Natural Disasters:
• Infrastructure Damage: In the event of natural disasters such as earthquakes, floods, or fires,
significant infrastructure damage can occur at the bank's branches, data centers, and the head office. This
leads to prolonged service disruptions and financial losses.

c. Health and Safety Incidents:


• Operational Disruptions: Health and safety incidents have the potential to cause mishaps that could
endanger the lives of customers and employees. Liabilities may arise from this, and the bank's reputation
may suffer.

d. Physical Intrusion:
• Data and Asset Compromise: Physical assets, such as servers and customer records, can be affected by
theft or unauthorized entry at branch offices, data centers, or the head office. This might lead to financial
theft, illegal access to private information, and brand harm to the bank.

e. Insider Threats:
• Illegal Access: External attackers could lead to data loss, which would impact the privacy of the data.
This may result in financial losses and damage to customer confidence, particularly if private customer
data is compromised.

f. Data Breach:
• Damage to Reputation: Illegal access to customer information or digital communication systems may
result in data breaches, damaging the bank's reputation and possibly having legal effects.

g. Vendor Security Vulnerabilities:


• Data Integrity and Availability: Via the exploitation of third-party vendor vulnerabilities, data integrity
and availability may be compromised. Customer trust may be impacted by data that is altered, lost, or
becomes inaccessible.

1.6. Physical and virtual security measures suggested to Metropolis Bank to mitigate the above
risks

a) Physical Security Measures:

1. Biometric Access Control:

• Preventing Unauthorized Entry and Physical Intrusion: Biometric access control guarantees that vital
areas, such as data centers and the head office, are only accessible to authorized personnel. This
considerably lowers the possibility of theft and unauthorized physical penetration.

2. Advanced Monitoring and Threat Detection:


• Improving Detection and Reaction: Advanced surveillance and intrusion detection systems are able to
proactively keep an eye out for odd activity at key spots. Early detection lowers the risk of data
breaches and server compromises by enabling security personnel to quickly respond to potential
physical security threats.

b) Virtual Security Measures:

Implementing a firewall: A firewall is an essential component of every network defense system: it
controls traffic flow, acts as a strong barrier against unauthorized access, and offers strong protection against
malware. A firewall reinforces your network's overall security posture by carefully monitoring and filtering
all incoming and outgoing data to ensure that only secure communications are allowed.

By using encryption: Encryption protects data effectively, keeping it safe both when it is in use and
when it is at rest. Encryption converts data into an unreadable format, making it much harder for
unwanted parties to access or interpret, whether it is being transferred across networks or kept on devices.
Because of this dual role, sensitive information remains private and confidential for the duration of its
lifecycle, which improves the security infrastructure as a whole.

Setting up permissions and user accounts: Enhancing network security requires careful control over user
access, which is done by creating unique user accounts and carefully allocating rights. This logical technique
gives administrators the ability to control and specify exactly which network segments each user is allowed
to access. By assigning permissions based on roles and responsibilities, organizations can create a customized
control mechanism that strengthens network security overall and lowers the risk of unwanted access.

Monitoring activity: Maintaining a close eye on everything going on in your network is a proactive way to
recognize unusual activity and respond to security risks quickly and efficiently.
(Clancy, October 4, 2022)

1.7. How do the above security measures contribute to the integrity of organizational IT security
by addressing the identified risks?

Exploitation of Vulnerabilities: Integrity testing and vulnerability scanning actively identify and
address weaknesses in the system, reducing the possibility of online attacks and data breaches.

Physical Intrusion and Unauthorized Access: Biometric access control, advanced monitoring, and
intrusion detection reduce the risk of unwanted physical access and intrusion while safeguarding physical
assets from theft and damage.

Data breaches and unauthorized access: End-to-end encryption protects digital assets, making it
extremely difficult for attackers to access sensitive data without authorization. Financial losses and data
breaches are less likely to happen as a result.

Data Leakage: Data loss prevention (DLP) and methods of encryption minimize the risk of insider attacks
and unauthorized access to data by monitoring and controlling data flows.

METROPOLIS CAPITAL Bank may considerably improve its security position, lower the chance of
security incidents, and ensure the reliability of organizational IT security by implementing and upholding
these security measures, safeguarding both physical and digital assets from multiple dangers.

Activity 02
2.1. Discuss the potential effects on METROPOLIS CAPITAL Bank of an incorrect or poor
configuration for network infrastructure, such as a firewall or VPN.

2.1.1. Importance of Firewall and VPN for METROPOLIS CAPITAL Bank.

1. Firewall:

▪ Monitors Network Traffic


The most important of all the advantages of firewall security is the capacity to keep an eye on network
traffic. Threats may damage your operations by taking advantage of data that enters and exits your
systems. Firewalls secure your systems by monitoring and analyzing network traffic and applying
established guidelines and filters. You can adjust your security settings according to what passes through
your firewall and what you see coming in, provided your IT staff is well-trained.

▪ Prevents Hacking
As businesses move more of their operations online, thieves and other bad actors follow them there.
Firewalls are even more crucial now that data theft and computer hostage-taking are on the rise, because
they keep hackers from accessing your emails, systems, data, and more. A firewall can totally thwart an
attacker or discourage them from choosing a difficult target.

▪ Promotes Privacy
The promotion of privacy is one main advantage. You establish a safe haven for your clients by taking
proactive steps to protect both your and their data. No one enjoys having their data stolen, particularly
when it is obvious that steps might have been taken to stop the hack.

▪ Stops Virus Attacks


Nothing can stop your internet activities more quickly or strongly than an internet-wide attack. As thousands
of new threats develop every day, it is important that you set up safeguards to maintain the integrity of your
systems. Controlling system access points and blocking virus attacks is one of the most obvious advantages
of firewalls. Depending on the virus's nature, the damage it causes to your systems could be infinite.
(Fortinet home, 2021)

2. Virtual Private Network (VPN):


An understanding of virtual private network (VPN) benefits and disadvantages can help your organization
decide if and how to use one. In many situations, the benefits of using a VPN outweigh the drawbacks. How
important is it to have a VPN and what are the advantages of a VPN? When properly configured, it could
significantly bolster your business' security profile.

▪ Secure Connectivity Between Locations:


METROPOLIS CAPITAL Bank operates over 100 branches and 8 overseas offices. VPNs facilitate secure
connectivity between these locations, ensuring that data transmitted between different sites remains private
and protected from interception.

▪ Prevent Data Throttling


Data throttling happens if your internet service provider (ISP) decides to reduce the speed of your
connection after you have used a certain amount of your allotted data. You will quickly discover that
avoiding a data cap is one of the advantages of having a VPN, especially since not even your ISP can see
how much data you are using. Employees who must utilize data plans on their smartphones to access the
internet while traveling may find this to be of particular benefit.

▪ Get Access to Geo-blocked Services


With a VPN, you can get another Internet Protocol (IP) address. IP addresses indicate where the device is
located as it browses the internet, streams content, or engages in other online activity. Some sites and
services do not allow users from certain countries to access some or all of what they have to offer. This is
common with streaming services that cater to specific locations.

It is also common for some business websites to limit how you can use their public work services based on
where you are, such as getting quotes or accessing more specific information about their services. If you use
a VPN, you can make it look like you are using the internet from a location that is acceptable to the service
you are trying to access.

If your employees need to have full access to all safe information and services offered by websites, a VPN
can make it easier.

▪ Securing Remote Communication:


With the rise of remote work scenarios and the potential for employees to access sensitive data from various
locations, VPNs are essential. They establish encrypted tunnels for secure communication over the internet,
ensuring the confidentiality of data in transit. (Fortinet home, 2021)

2.1.2. Potential Impact of Incorrect Configuration of Firewall Policies and VPNs at
METROPOLIS CAPITAL Bank.

Misconfigured firewall policies and virtual private networks (VPNs) may significantly affect the security
and smooth operation of METROPOLIS CAPITAL Bank. Understanding the different ways in which these
misconfigurations may affect the bank is necessary in order to mitigate the related IT security threats.

▪ Impact of Incorrect Configuration of Third-Party VPNs.

a) Data Interception:

• Impact: Misconfigured VPNs may create opportunities for data interception, especially during data
transmission between the bank's locations or remote employees.

• IT Security Risks: Intercepted data can be exploited by threat actors for unauthorized access, leading to
potential data breaches and compromising the confidentiality of financial transactions.

b) Weak Encryption Protocols:

• Impact: Inadequate configuration of VPN encryption protocols may result in weak or outdated security
measures.

• IT Security Risks: Weak encryption exposes the transmitted data to interception and decryption by
attackers, undermining the confidentiality and integrity of sensitive information.

c) Access Control Issues:

• Impact: Misconfigured VPN access controls may grant inappropriate permissions, allowing unauthorized
individuals to access confidential financial systems and data.

• IT Security Risks: Unauthorized access increases the risk of data breaches, financial fraud, and
compromises the bank's compliance with regulatory standards.

Figure 1 (VPN)

▪ Impact of Misconfigured Firewall Policies.

i. Unauthorized Access:

• Impact: Misconfigurations in firewall policies may inadvertently allow unauthorized access to the bank's
internal network. This could lead to unauthorized individuals gaining entry to sensitive financial data,
customer information, and critical systems.

• IT Security Risks: Unauthorized access poses a significant security risk, potentially leading to data
breaches, financial theft, and reputational damage for the bank.

ii. Traffic Mismanagement:

• Impact: Improperly configured firewalls may disrupt the normal flow of network traffic, leading to service
interruptions and delays in customer transactions.

• IT Security Risks: Whenever services go down, attackers might take advantage of the situation, for example
by launching denial-of-service attacks or attempting to gain access to systems without permission,
especially while the network is unstable.

iii. Inadequate Application Layer Security:

• Impact: Failure to configure firewalls to control and monitor specific applications may expose the bank to
risks associated with unregulated application usage.

• IT Security Risks: Malicious applications or unauthorized services could exploit this misconfiguration,
potentially leading to the introduction of malware or the compromise of sensitive financial applications.

2.2. Discuss how the following technologies would benefit METROPOLIS CAPITAL Bank and
its clients to increase network performance.

Figure 2 DMZ network (what-is-a-dmz)

A Demilitarized Zone (DMZ) is a network segment that is placed strategically to act as a buffer between
the internal network of METROPOLIS CAPITAL Bank and the external, untrusted network, which is
usually represented by the internet. A complex network architectural technique that greatly improves
overall network security is the installation of a demilitarized zone (DMZ). This is accomplished by
properly separating the organization's internal resources from its external-facing services, adding a strong
extra layer of defense against potential cyber threats.

✓ Benefits

1. Enabling access control: Through the public internet, businesses can give users access to services
that are located outside of their network's boundaries. While providing network segmentation to
make it more difficult for an unauthorized user to enter the private network, the DMZ permits
access to these services. A proxy server, which centralizes internal traffic flow and makes
monitoring and recording of that traffic easier, may also be included in a demilitarized zone
(DMZ).

2. Blocking Internet Protocol (IP) spoofing: Attackers try to mimic authorized devices logged into
networks and spoof IP addresses in an effort to obtain access to systems. Such spoofing attempts
can be detected by a DMZ and stopped until another service confirms the validity of the IP address.
Network segmentation is another feature of the DMZ that allows traffic to be arranged and public
services to be accessed outside of the internal private network.

3. Stopping reconnaissance on networks: A DMZ stops attackers from carrying out the reconnaissance
task by putting up a barrier between the internet and a private network, which helps them find
possible targets. Although servers in the demilitarized zone are open to the public, a firewall adds
an extra degree of protection by preventing an intruder from seeing inside the internal network. The
internal firewall keeps the private network safe and hinders external reconnaissance even in the
event that a DMZ system is compromised. (Barracuda, 2020)
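The first-match behaviour behind both the firewall misconfiguration discussion in 2.1.2 and the DMZ separation described above can be shown in a few lines. The block below is an added example written for this page, not code from the assignment or from any vendor: it models a simplified first-match firewall with a DMZ web tier, an internal core application and a database (all addresses, network ranges and rule names are constructed, using the RFC 5737 documentation ranges for the DMZ and the internet), evaluates the same flows against a misconfigured and a corrected policy, and includes a small audit that flags shadowed rules and unrestricted "allow any" rules before a policy is deployed.

```python
"""Constructed first-match firewall policy model (example code, not the bank's real
rule set) showing how an over-broad 'allow any' rule and bad rule order grant
unauthorized access and silently shadow a deny, plus an audit that flags both."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule decides; anything unmatched hits the implicit default deny."""
    for rule in policy:
        if (ip_address(flow.src) in _net(rule.src)
                and ip_address(flow.dst) in _net(rule.dst)
                and (rule.dport is None or rule.dport == flow.dport)):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def shadowed_rules(policy: List[Rule]) -> List[Tuple[str, str]]:
    """(later, earlier) pairs where the earlier rule covers every flow the later
    rule could match, so the later rule can never fire (traffic mismanagement)."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


def any_any_allows(policy: List[Rule]) -> List[str]:
    """Allow rules with no source, destination or port restriction at all."""
    return [r.name for r in policy
            if r.action == "allow" and r.src == "any" and r.dst == "any" and r.dport is None]


def audit(policy: List[Rule]) -> dict:
    return {"shadowed": shadowed_rules(policy), "any_any_allows": any_any_allows(policy)}


# Constructed addresses: 192.0.2.0/24 is the DMZ, 10.10.0.0/16 the internal
# network, 10.20.0.0/16 the branch VPN range, 203.0.113.0/24 "the internet".
WEB_DMZ, CORE_APP, DATABASE = "192.0.2.10", "10.10.1.10", "10.10.5.20"

# Misconfigured policy: a "temporary" troubleshooting rule was left in place above
# the database deny, so the deny is dead and the database is reachable from anywhere.
MISCONFIGURED = [
    Rule("internet-to-dmz-web", "allow", "any", WEB_DMZ + "/32", 443),
    Rule("temp-allow-all", "allow", "any", "any", None),
    Rule("deny-db-from-any", "deny", "any", DATABASE + "/32", 5432),
]

# Corrected policy: only the DMZ web tier is reachable from the internet, branches
# reach the core application, only the core application reaches the database,
# and everything else is explicitly denied (and would be logged).
CORRECTED = [
    Rule("internet-to-dmz-web", "allow", "any", WEB_DMZ + "/32", 443),
    Rule("branch-to-core-app", "allow", "10.20.0.0/16", CORE_APP + "/32", 443),
    Rule("core-app-to-db", "allow", CORE_APP + "/32", DATABASE + "/32", 5432),
    Rule("default-deny-log", "deny", "any", "any", None),
]

INTERNET_TO_DB = Flow("203.0.113.7", DATABASE, 5432)
BRANCH_TO_CORE = Flow("10.20.3.4", CORE_APP, 443)
APP_TO_DB = Flow(CORE_APP, DATABASE, 5432)

if __name__ == "__main__":
    for label, policy in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, "audit:", audit(policy))
        for flow in (INTERNET_TO_DB, BRANCH_TO_CORE, APP_TO_DB):
            print(" ", flow, "->", evaluate(policy, flow))
```

Running the audit before a change is pushed is the practical point: the misconfigured policy is reported with one unrestricted allow and one shadowed deny, and the corrected policy reports neither while still permitting exactly the branch-to-application and application-to-database flows the bank needs.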

2) Static IP
A static IP address is a fixed, unchanging identifier assigned to a device within a network. Unlike a
dynamic IP address, it gives the device a permanent point of reference. In network configurations, using
static IPs is a sound strategy that strengthens security: the stability they provide simplifies the
monitoring of network activity, contributing to a more secure and easily managed network environment.

✓ Benefits
i. Supports name resolution across Wide Area Networks (WANs), which enables devices to be
reached by their host-names reliably.
ii. Provides better protection against network security problems on home networks.

iii. Using static IP addresses on your home networks avoids any IP address conflicts.
iv. More accurate geolocation than a dynamic IP address.
v. Download and upload speeds are generally faster than dynamic IPs.
(Walsh, September 15, 2023)

3) Network Address Translation (NAT).

Figure 3 Network Address Translation (NAT) (Barracuda, 2020)
(https://www.google.com/search?q=network+address+translation+(nat)&sca_esv=587313471&tbm=isch&sxsrf=AM9HkKnPnLmxhTISARtTqYbUGQ1T14qhDA:1701536550448&source=lnms&sa=X&sqi=2&ved=2ahUKEwjSoqXNnfGCAxXEa2wGHdH5CFgQ_AUoAXoECAMQA)

Network address translation (NAT) is a technique commonly used by internet service providers (ISPs) and
organizations to enable multiple devices to share a single public IP address. By using NAT, devices on a
private network can communicate with devices on a public network without the need for each device to
have its own unique IP address.

✓ Benefit
i. IP address conservation: By enabling multiple devices to share a single IP address, NAT helps
conserve IP address space. This is especially important for organizations that have been assigned a
limited number of IP addresses by their ISP.

ii. Improved security: NAT can provide a measure of security by hiding the internal network from
the outside world. This can be useful for preventing attacks that target specific IP addresses or for
preventing devices on the internal network from being accessed directly from the internet. NAT can
also help prevent devices on the internal network from accessing malicious or unwanted websites.

iii. Better speed: NAT can improve communication speed by reducing the number of packets that
need to be routed through the network. This is because NAT eliminates the need for each device on
the internal network to have its own unique IP address.

iv. Flexibility: NAT can also be used to provide flexibility in network design, which is particularly
useful for organizations that want to change their network configuration without changing their IP
addresses. Organizations may want to change their network configuration to improve security or
performance or to add new devices to the network.

v. Multi-homing: NAT can be used to allow devices on a private network to connect to multiple
public networks, a network configuration practice called multi-homing. This can be valuable for
organizations that want to connect to multiple ISPs or that want to provide failover in case one of
the ISPs goes down. Multi-homing with NAT provides connection redundancy and increases
uptime by allowing traffic to be routed through multiple ISPs.

vi. Cost savings: NAT reduces the number of IP addresses an organization needs, which can save
them money on IP address licenses and other associated costs.

vii. Easier network administration: NAT makes it easier to manage a network by reducing the
number of IP addresses that need to be assigned. This benefits organizations with a large fleet of
devices and those that want to reduce the amount of time and effort required to manage their
networks.
(Fortinet home, 2021)
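The address-conservation and "hiding the internal network" benefits listed above both follow from the translation table a NAT gateway keeps. The block below is an added example, not code from the assignment or from Fortinet or Barracuda: it models a port-address-translating gateway with endpoint-dependent filtering (addresses are constructed from the RFC 5737 documentation ranges plus a private 10.10.1.0/24 LAN), and shows two internal hosts sharing one public address, a reply mapped back to the right host, and unsolicited and spoofed inbound packets being dropped because no session matches them.

```python
"""Constructed model of a NAT/PAT gateway (example code, not the bank's equipment):
many private hosts share one public address, and the translation table is what lets
replies back in while unsolicited or spoofed inbound packets are dropped."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Port address translation with endpoint-dependent filtering: a mapping is
    created only by outbound traffic, and a reply is accepted only from the
    remote endpoint that mapping was created for."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self._inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the public IP and a unique public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound.get(key)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public IP back to the private host, or
        return None (drop) when no matching outbound session exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: nothing inside is addressable from outside
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # wrong remote endpoint: spoofed or stale reply
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

    def table_size(self) -> int:
        return len(self._inbound)


# Constructed addresses: 10.10.1.0/24 is the bank's private LAN, 198.51.100.10 a
# remote service, 203.0.113.9 an unrelated internet host, 203.0.113.1 the public IP.
def simulate() -> dict:
    gw = NatGateway("203.0.113.1")
    # Two internal hosts use the same private source port towards the same service;
    # PAT still keeps them apart by giving each its own public port.
    out_a = gw.translate_outbound(Packet("10.10.1.5", 51000, "198.51.100.10", 443))
    out_b = gw.translate_outbound(Packet("10.10.1.6", 51000, "198.51.100.10", 443))
    reply_a = gw.translate_inbound(Packet("198.51.100.10", 443, "203.0.113.1", out_a.src_port))
    # An internet host probing the public IP: no mapping, so it is dropped.
    probe = gw.translate_inbound(Packet("203.0.113.9", 40001, "203.0.113.1", 22))
    # A third party guessing an allocated port: wrong remote endpoint, dropped.
    spoof = gw.translate_inbound(Packet("203.0.113.9", 443, "203.0.113.1", out_a.src_port))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "probe": probe, "spoof": spoof, "sessions": gw.table_size()}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The endpoint check in translate_inbound is the part worth noting for a bank network: a gateway that only keyed on the public port would forward any packet that guessed an in-use port to the internal host, so the "hiding" benefit depends on how strictly the translation table is matched, not on NAT by itself.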

Conclusion.

Demilitarized zones (DMZs), static IP addresses, and network address translation (NAT) have all been
skillfully combined by the METROPOLIS CAPITAL Bank to create a robust and intelligent network
architecture. This establishes a strong base that demonstrates their commitment to maintaining the
network's extreme security. The DMZ serves as a physical barrier, separating and safeguarding internal
data from external services. Static IP keeps everything consistent, which makes it simpler to monitor the
network and identify any anomalies immediately. By protecting public IP space, masking internal IP
addresses, and enhancing security, NAT provides an additional degree of protection. When combined,
these technological solutions ensure that the bank's network is extremely secure, reduces risks, performs
effectively, and offers significant advantages in addressing the cybersecurity issues of today. In order to
ensure that operations run smoothly and safely for the bank and its customers, METROPOLIS CAPITAL
Bank is not only robust but also equipped to handle any challenge that the field of network security may
present.

Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its
clients.

3.1. Risk Assessment.

A comprehensive risk assessment has become essential for organizations to safeguard their assets and
ensure continuity in the dynamic landscape of continuous business operations. Such an assessment covers
threats in both the digital and physical realms. Digital risks, such as cyberthreats and data breaches, are
important considerations in an era dominated by technology, while physical threats, such as physical
incursions and natural disasters, continue to pose a serious danger. To strengthen their resilience and
secure their operations, companies must navigate both dimensions of this multifaceted risk landscape.

• Importance of Risk Assignment.


An essential component of effective risk management is risk assignment, which is crucial in assisting firms
in navigating uncertainties, seizing opportunities, and achieving their strategic goals. Assigning risks
involves determining, evaluating, and distributing accountability for potential threats and opportunities
within a predetermined framework. This is why it is crucial to comprehend and apply strong risk
assignment strategies:
✓ Proactive Risk Identification.
✓ Enhanced Decision-Making.
✓ Resource Optimization.
✓ Strategic Planning and Goal Alignment.

How to do a risk assessment

The HSE has recommended a five-step process for completing a risk assessment. This provides a useful
checklist to follow to ensure that the assessment is suitably comprehensive. It involves:

✓ Identifying potential hazards
✓ Identifying who might be harmed by those hazards
✓ Evaluating risk (severity and likelihood) and establishing suitable precautions
✓ Implementing controls and recording your findings
✓ Reviewing your assessment and re-assessing if necessary. (British Safety Council, 2023)

3.1.1. Risks identified by Metropolis Capital Bank in accordance with Activity-1.

➢ Natural disasters such as floods and fires.
➢ Health and Safety Incidents
➢ Equipment Failure
➢ Physical Intrusion
➢ Cyber Attacks
➢ Data Breaches
➢ Compliance Violations
➢ Insider Threats

3.1.2. How is Metropolis Capital Bank's risk calculated?

The risk assessment at Metropolis Capital Bank is conducted using a matrix that considers both the
likelihood and the impacts of different scenarios (probability-impact matrix).

3.1.3. Probability – Impact matrix for Metropolis Capital Bank.

Figure 4 Probability – Impact matrix (https://www.stakeholdermap.com/risk/risk-assessment-matrix-simple-3x3.html)

In risk assessment, a probability-impact matrix, often displayed as a 3x3 matrix, is a tool used to
evaluate and rank hazards according to their likelihood and potential impact. The components of a
standard 3x3 probability-impact matrix are broken down as follows:

3.1.4. Risk Assessment Table for Metropolis Capital Bank.

▪ Table Template

# | Risk | Description | Probability | Impact | Risk Level | Action to Minimize Risk

▪ Background Information.

Company Name: Metropolis Capital Bank
Title of Assessment: Security Risks of Metropolis Capital Bank
Assessor Signature:
Date of Risk Assessment: 2023/12/02

# | Risk | Description | Probability | Impact | Risk Level | Action to Minimize Risk
01 | Natural disasters | The possibility of fires and floods endangers the physical infrastructure, with buildings and equipment suffering possible damage. | Medium | Medium | | Install disaster recovery plans, make investments in sturdy building infrastructure, and secure off-site backups.
02 | Health and Safety Incidents | Operational Disruptions: Health and safety incidents have the potential to cause mishaps that could endanger the lives of customers and employees. Liabilities may arise from this, and the bank's reputation may suffer. | Low | High | | This includes conducting regular safety drills, maintaining up-to-date safety protocols, and providing comprehensive training.
03 | Equipment Failure | Hardware failures can affect the bank's physical assets, such as servers and ATMs, which might disrupt services. | Medium | Medium | | Regular Maintenance and Upgrades, Redundancy and Failover Systems, Climate Control and Environmental Monitoring
04 | Physical Intrusion | Physical assets, like servers and customer records, may be compromised by unauthorized access or theft at branches, data centers, or head offices. | Low | Medium | | Implement robust access control systems that restrict entry to authorized personnel only.
05 | Cyber Attacks | Digital assets are particularly vulnerable to cyberattacks, including ransomware, phishing, and malware, which can result in financial losses and data breaches. | Low | Low | | Deploy robust firewalls and network security solutions to monitor and control incoming and outgoing network traffic
06 | Data Breaches | Unauthorized access to customer data or digital communication systems may lead to data breaches, which could harm the bank's reputation and subject it to fines from regulators. | Medium | Medium | | Encryption of Customer Data, Strong Access Controls
07 | Compliance Violations | Non-compliance with data protection regulations or cybersecurity standards may result in non-banking entities' reputation and legal status being negatively impacted. | Medium | High | | Designate a Compliance Officer, Employee Training Programs
08 | Insider Threats | Employees having access to digital assets may misuse them deliberately or accidentally, which could potentially result in data loss or disruptions to services. | Low | Low | | Employee Training and Awareness, Data Loss Prevention (DLP) Tools
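To turn the Probability and Impact ratings in the table above into a risk level and a priority order using the 3x3 matrix described in 3.1.3, the following added example (written for this page, not the bank's own tool) scores each rating Low=1, Medium=2, High=3, multiplies the two, and bands the product into Low, Medium or High. The numeric scale and the band thresholds are assumptions: the page gives the ratings but not the scoring rule, and the Risk Level column of the table is left blank.

```python
"""Scorer for the probability-impact matrix used in the risk assessment table.
Added example code, not the bank's own tool. Assumed scoring rule: Low=1,
Medium=2, High=3; risk score = probability x impact; bands 1-2 Low, 3-4 Medium,
6-9 High (the page gives the ratings but not the numeric rule)."""
from typing import Dict, List, Tuple

RATING = {"Low": 1, "Medium": 2, "High": 3}  # assumed numeric scale


def risk_score(probability: str, impact: str) -> int:
    """Product of the two ratings; raises on anything outside the 3x3 scale."""
    if probability not in RATING or impact not in RATING:
        raise ValueError("ratings must be Low, Medium or High")
    return RATING[probability] * RATING[impact]


def risk_level(score: int) -> str:
    """Band a 1-9 score into the three levels (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def matrix() -> Dict[Tuple[str, str], str]:
    """The full 3x3 grid keyed by (probability, impact), as the figure shows it."""
    return {(p, i): risk_level(risk_score(p, i)) for p in RATING for i in RATING}


# Probability and Impact ratings copied from the risk assessment table above.
REGISTER = [
    ("Natural disasters", "Medium", "Medium"),
    ("Health and Safety Incidents", "Low", "High"),
    ("Equipment Failure", "Medium", "Medium"),
    ("Physical Intrusion", "Low", "Medium"),
    ("Cyber Attacks", "Low", "Low"),
    ("Data Breaches", "Medium", "Medium"),
    ("Compliance Violations", "Medium", "High"),
    ("Insider Threats", "Low", "Low"),
]


def rank_register(register=REGISTER) -> List[Tuple[str, int, str]]:
    """(risk, score, level) sorted by score, then impact, then name, so that
    among equal scores the higher-impact risk is treated first."""
    rows = []
    for name, prob, imp in register:
        score = risk_score(prob, imp)
        rows.append((name, score, risk_level(score), RATING[imp]))
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return [(name, score, level) for name, score, level, _ in rows]


if __name__ == "__main__":
    for name, score, level in rank_register():
        print(f"{name:<28} score={score} level={level}")
```

The tie-break on impact is deliberate: with a product score, a Low-probability/High-impact item such as Health and Safety Incidents and a Medium/Medium item share the same band, and treating the higher-impact one first is the usual convention in a risk register.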

3.2. Navigating the Data Protection at METROPOLIS CAPITAL Bank.

Within METROPOLIS CAPITAL Bank's intricate operations, ensuring the security of data stands as a
paramount focus. The bank meticulously adheres to the regulations and statutes governing this aspect, with a
pivotal role played by the Data Protection Act of 1998. This legislation delineates the bank's responsibilities
in safeguarding crucial information and establishes stringent guidelines for the collection, processing, and
storage of personal data. Serving as the foundation of the bank's data security practices, this law outlines the
core principles that govern METROPOLIS CAPITAL's commitment to maintaining the confidentiality and
integrity of information.

3.2.1. Data Protection Laws and Procedures.

i. Computer Misuse Act of 1990.

The pivotal role of the Computer Misuse Act of 1990 in bolstering data protection measures cannot be
overstated, as it criminalizes unauthorized access to computer systems. Essentially serving as a legal
deterrent against cyber threats, this legislation underscores METROPOLIS CAPITAL Bank's unwavering
commitment to preserving the confidentiality and security of client information.

This Act assumes a crucial role by explicitly defining unauthorized access to computer systems as a
criminal offense. It acts as a legal bulwark, imposing consequences for individuals or entities attempting to
compromise the security of METROPOLIS CAPITAL Bank's computer systems. The legal penalties
prescribed by the Act act as a robust deterrent, discouraging malicious actors from engaging in activities
that could compromise the bank's data integrity.

Recognizing the evolving landscape of cyber threats, METROPOLIS CAPITAL Bank utilizes the
Computer Misuse Act as a proactive shield. The emphasis on criminalizing unauthorized access
underscores the bank's dedication to maintaining the highest standards of data protection. By integrating
the provisions of this Act into its cybersecurity strategy, METROPOLIS CAPITAL Bank sends a clear
message: any attempt to breach the sanctity of its computer systems will be met with legal consequences,
reinforcing the institution's commitment to safeguarding client information against cyber threats.
(McCallion, November 21, 2023)

ii. Data Protection Act of 1998.


The Data Protection Act of 1998 serves as a pivotal legal instrument, establishing a comprehensive
framework that governs the ethical and legal processing of personal data. Within this framework,
METROPOLIS CAPITAL Bank operates with meticulous precision, aligning its practices with the Act's
stringent guidelines. The legislation delineates the rights of individuals regarding their personal data and
places clear obligations on organizations to handle such data in a fair and lawful manner.

METROPOLIS CAPITAL Bank's commitment to compliance is evident through deliberate actions. The
bank ensures transparency in its data handling processes, providing clear information to individuals about
how their data will be used. Robust measures are in place to prevent any unauthorized access to sensitive
information, bolstering the overall security infrastructure. This commitment extends throughout the data
lifecycle, from the initial point of collection, where individuals' data rights are respected, to the secure
storage within the bank's infrastructure, ensuring the integrity and confidentiality of the data are preserved
in accordance with the stipulations set forth by the Data Protection Act of 1998.

In essence, every facet of METROPOLIS CAPITAL Bank's data management aligns with the principles
and requirements mandated by this pivotal legislation, solidifying a commitment to responsible, lawful,
and ethical data processing practices. (Guide, 2015)

3.2.2. Consequences of Non-Compliance.

i. Critical Importance of Adherence.


For METROPOLIS CAPITAL Bank, adhering to data protection laws transcends a mere legal obligation—
it represents a profound commitment to safeguarding both the bank and its clients. Recognizing that trust in
the financial sector hinges heavily on the responsible handling of data, the bank ensures strict compliance
with all relevant rules. By meticulously meeting these standards, METROPOLIS CAPITAL not only
fulfills its legal duties but also goes above and beyond to maintain the utmost security for client
information.

This unwavering dedication establishes a robust environment where the bank's reputation and client
relationships are fortified through a steadfast focus on confidentiality, integrity, and availability. The
commitment to data protection becomes a cornerstone in building and reinforcing trust, essential elements
in the financial world where the security of sensitive information is paramount.
ii. Non-compliance with the Data Protection Act of 1998 carries substantial consequences for
METROPOLIS CAPITAL Bank. Breaches of this legislation can result in severe financial
penalties, legal actions, and reputational damage. Individuals have the right to seek compensation
for damages caused by breaches of their data rights. Furthermore, the Information Commissioner's
Office (ICO) has the authority to issue enforcement notices, compel changes in data processing
practices, and impose fines for non-compliance. The regulatory landscape underscores the
importance of rigorous adherence to data protection laws, emphasizing the potential impact on both
the financial viability and standing of METROPOLIS CAPITAL Bank within the industry.

Activity 04

4.1. Designing and implementing a comprehensive security policy for METROPOLIS CAPITAL
Bank is crucial to prevent misuse and exploitation of sensitive data. The security policy
should align with the organizational goals and the specific challenges faced by the bank.
Below is a framework for creating an effective security policy using organizational policy
tools:

4.1.1. Security policy for Metropolis Capital Bank.

In formulating a comprehensive security policy for METROPOLIS CAPITAL Bank, it is crucial to address
specific elements that are paramount to safeguarding the organization's digital assets, ensuring regulatory
compliance, and fostering a resilient security posture. The security policy serves as a living document,
dynamically adapting to evolving threats and technologies to maintain its effectiveness over time.

Email Policy - Metropolis Capital Bank


Subject: Metropolis Capital Bank Email Usage Policy

Overview:
Email serves as a vital communication tool within Metropolis Capital Bank, facilitating seamless
information exchange. However, it is essential to recognize the legal, privacy, and security risks
associated with email misuse. This email policy outlines the acceptable and unacceptable use of Metropolis
Capital Bank's email system to ensure responsible and secure communication practices.

Purpose:
The primary purpose of this email policy is to establish guidelines for the proper use of Metropolis Capital
Bank's email system. Users are expected to adhere to the outlined principles, promoting ethical conduct,
compliance with laws, and proper business practices.


Scope:
This policy encompasses all email communication originating from a Metropolis Capital Bank email address
and applies to all employees, vendors, and agents acting on behalf of the bank.

Policy:
4.1 Ethical Use:
All email usage must align with Metropolis Capital Bank policies, adhering to ethical conduct, safety
protocols, legal compliance, and proper business practices.
4.2 Business-related Purpose:
Metropolis Capital Bank email accounts are designated for business-related purposes. While personal
communication is allowed on a limited basis, non-Metropolis Capital Bank commercial uses are strictly
prohibited.
4.3 Data Protection:
All Metropolis Capital Bank data within emails or attachments must be handled according to the Data
Protection Standard, ensuring its security.
4.4 Record Retention:
Emails qualify as Metropolis Capital Bank business records and should only be retained if there is a
legitimate and ongoing business reason. Retention must follow the Metropolis Capital Bank Record
Retention Schedule.
4.5 Offensive Content:
The email system must not be used for creating or distributing disruptive or offensive messages. Employees
encountering such content should report it promptly.
4.6 No Automatic Forwarding:
Users are prohibited from automatically forwarding Metropolis Capital Bank email to third-party systems,
and forwarded messages must not contain confidential information.

4.7 Third-party Systems:


The use of third-party email systems and storage servers for Metropolis Capital Bank business is strictly
forbidden. Official communication and transactions must use approved channels and documentation.
4.8 Personal Usage:
Reasonable personal use of Metropolis Capital Bank resources for emails is acceptable. Non-work related
emails should be stored separately, and the distribution of chain letters or joke emails is prohibited.
4.9 Privacy Expectations:
Employees should have no expectation of privacy for anything stored, sent, or received on the company's
email system.
4.10 Monitoring:
Metropolis Capital Bank may monitor messages without prior notice. Users should be aware that the
company is not obligated to monitor email messages.

Policy Compliance:

5.1 Compliance Measurement:


The Infosec team will verify policy compliance through various methods, including walk-throughs, monitoring,
audits, and feedback to the policy owner.

5.2 Exceptions:
Any exception to the policy must be approved by the Infosec team in advance.
5.3 Non-Compliance
Violations may result in disciplinary action, including termination of employment.

This policy is a dynamic document that may evolve to address emerging threats and technologies. Your
adherence to these guidelines is crucial for maintaining the security and integrity of Metropolis Capital
Bank's digital assets.
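Policy point 4.6 above prohibits automatic forwarding of bank email to third-party systems. One way the Infosec team could verify that point during compliance measurement is to audit the mailbox forwarding rules exported from the mail platform and flag any enabled rule whose destination lies outside the bank's own domains. The following is an added example, not code from the original assignment or from any Metropolis Capital Bank system; the CSV column names, the domain `metropoliscapital.example` and the rule data are constructed assumptions.

```python
import csv
import io
from typing import Dict, List

# Domains the bank itself operates. Constructed placeholder: in practice this
# set comes from the mail platform's accepted-domain configuration.
INTERNAL_DOMAINS = {"metropoliscapital.example"}

# Constructed sample export of per-mailbox forwarding rules. The column names
# are hypothetical; adapt them to whatever the mail platform actually exports.
SAMPLE_RULES_CSV = """mailbox,forward_to,enabled
alice@metropoliscapital.example,helpdesk@metropoliscapital.example,true
bob@metropoliscapital.example,bob.personal@webmail.example,true
carol@metropoliscapital.example,carol.old@freemail.example,false
dave@metropoliscapital.example,,true
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_external(address: str) -> bool:
    """True when the address belongs to a domain the bank does not control."""
    dom = domain_of(address)
    return bool(dom) and dom not in INTERNAL_DOMAINS


def audit_forwarding_rules(csv_text: str) -> List[Dict[str, str]]:
    """Return every enabled rule that forwards mail off the bank's domains.

    Disabled rules and rules with no destination are ignored. Internal-to-
    internal forwarding is permitted by policy point 4.6 and is not reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        target = (row.get("forward_to") or "").strip()
        enabled = (row.get("enabled") or "").strip().lower() == "true"
        if not enabled or not target:
            continue
        if is_external(target):
            findings.append({
                "mailbox": row["mailbox"].strip(),
                "forward_to": target,
                "domain": domain_of(target),
            })
    return findings


if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES_CSV):
        print(f"Policy 4.6 violation: {f['mailbox']} auto-forwards to {f['forward_to']}")
```

Only the rule for `bob@metropoliscapital.example` is reported: the helpdesk forward stays inside the bank's domain, Carol's rule is disabled, and Dave's rule has no destination. A disabled rule to an external address is still worth reviewing separately, since re-enabling it is a single click; the audit above deliberately limits itself to what the policy text forbids.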

4.1.2. Password Guidelines for Metropolis Capital Bank.


Subject: Metropolis Capital Bank Password Guidelines

Overview:
Passwords are a critical aspect of our information security at Metropolis Capital Bank. A well-constructed
password is essential for safeguarding individual systems, data, and our network. This guideline outlines
best practices for creating and maintaining secure passwords to enhance our overall cybersecurity posture.

Purpose:
The purpose of these guidelines is to provide best practices for the creation of strong and secure passwords,
emphasizing the importance of password strength in ensuring the integrity of our information security.

Scope:
This guideline applies to all personnel associated with Metropolis Capital Bank, including employees,
contractors, consultants, temporary workers, and individuals affiliated with third parties. It covers all types
of passwords, including user-level accounts, system-level accounts, web accounts, email accounts, screen
saver protection, voicemail, and local router logins.

Statement of Guidelines:

1. Characteristics of Strong Passwords:


- Should contain at least 12 alphanumeric characters.
- Must include both upper- and lower-case letters.
- Should contain at least one number (0-9).
- Must include at least one special character (e.g., !$%^&*()_+|~-=\`{}[]:";'<>?,/).

2. Characteristics of Weak Passwords:


- Contain fewer than eight characters.
- Can be found in a dictionary, including foreign languages, or exist in language slang, dialects, or jargon.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family
members, pets, friends, and fantasy characters.
- Contain work-related information such as building names, system commands, sites, companies,
hardware, or software.
- Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward or preceded/followed by a number (e.g., terces, secret1,
1secret).
- Include common phrases like "Welcome123," "Password123," or "Changeme123."

3. Best Practices:
- Avoid writing down passwords.
- Create passwords based on phrases, affirmations, or song titles.
- Example: The phrase "This May Be One Way To Remember" could become the password TmB1w2R!
or another variation. (Note: Do not use these examples as actual passwords.)

4. Passphrases:
- Passphrases are generally used for public/private key authentication.
- They should follow general password construction guidelines, including upper and lowercase letters,
numbers, and special characters.
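The construction rules in sections 1 and 2 above can be enforced mechanically at password-change time rather than left to user judgement. The checker below is an added example, not code from the original assignment or from any Metropolis Capital Bank system: it applies the 12-character minimum, the character-class rules, and the weak-password rules (dictionary words, reversed words, words with a number attached, keyboard and sequential patterns, repeated runs, common phrases). The dictionary and common-phrase lists are small constructed stand-ins for the real word lists the guideline refers to, and `personal_terms` is a hypothetical parameter through which a caller supplies the personal or work-related terms (names, building names, system names) that section 2 says must not appear.

```python
import re
from typing import Iterable, List

MIN_LENGTH = 12  # section 1: at least 12 characters
SPECIALS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")  # section 1 special-character set
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn")  # section 2: keyboard patterns

# Constructed stand-ins for the dictionary and common-phrase lists the guideline
# refers to. A real deployment would load a full dictionary (including slang and
# other languages) plus a breached-password list; these entries only exercise the checks.
DICTIONARY_WORDS = {"secret", "welcome", "password", "changeme", "summer"}
COMMON_PHRASES = {"welcome123", "password123", "changeme123"}


def _has_sequence(text: str, run: int = 3) -> bool:
    """True if text contains `run` or more consecutive ascending or descending
    characters, e.g. 'abc', '123' or 'zyx' (covers 'zyxwvuts' and '123321')."""
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _looks_like_dictionary_word(lower: str) -> bool:
    """Dictionary word, the word reversed, or the word with digits on either end
    (the 'terces', 'secret1', '1secret' cases from section 2)."""
    core = lower.strip("0123456789")
    candidates = {lower, lower[::-1], core, core[::-1]}
    return any(c in DICTIONARY_WORDS for c in candidates if c)


def check_password(password: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the list of guideline violations; an empty list means the password
    satisfies the construction rules in sections 1 and 2."""
    issues: List[str] = []
    lower = password.lower()

    # Section 1: characteristics of strong passwords.
    if len(password) < MIN_LENGTH:
        issues.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        issues.append("no upper-case letter")
    if not any(c.islower() for c in password):
        issues.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in SPECIALS for c in password):
        issues.append("no special character")

    # Section 2: characteristics of weak passwords.
    if lower in COMMON_PHRASES:
        issues.append("common phrase")
    if _looks_like_dictionary_word(lower):
        issues.append("dictionary word (possibly reversed or with a number attached)")
    if any(run in lower or run[::-1] in lower for run in KEYBOARD_RUNS):
        issues.append("keyboard pattern")
    if re.search(r"(.)\1\1", lower):  # aaabbb-style repeats
        issues.append("repeated character run")
    if _has_sequence(lower):
        issues.append("sequential characters")
    for term in personal_terms:  # hypothetical caller-supplied names, sites, systems
        if term and term.lower() in lower:
            issues.append(f"contains personal/work term '{term}'")
            break
    return issues


if __name__ == "__main__":
    for candidate in ("Password123", "terces", "TmB1w2R!", "Tm-B1w2R!k9Q"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Run against the phrase-derived illustration in section 3, `TmB1w2R!`, the checker reports only the length rule: an eight-character result of that method falls short of the 12-character minimum in section 1, so the phrase needs a few more words before the technique produces a compliant password. The dictionary check here is exact-match on the whole password; a production checker should also reject dictionary words embedded inside a longer string and, as the guideline's wording implies, check against a list of previously breached passwords.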

Policy Compliance:

5.1 Compliance Measurement:


- The Infosec team will verify compliance through periodic walk-throughs, video monitoring, business tool
reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions:
- Any exception to the policy must be approved by the Infosec team in advance.

5.3 Non-Compliance:
- Employees found in violation of this policy may be subject to disciplinary action, up to and including
termination of employment.

Your commitment to adhering to these password guidelines is crucial in maintaining a robust information
security environment at Metropolis Capital Bank.


4.1.3. Ethics Policy for Metropolis Capital Bank.


Subject: Metropolis Capital Bank Ethics and Conduct Policy

Overview:
Metropolis Capital Bank is dedicated to upholding a culture of integrity, trust, and ethical conduct among its
employees, partners, vendors, and affiliates. Demonstrating ethical behavior is crucial to setting us apart
from competitors, and any breaches of ethical standards will be promptly addressed to maintain the
company's reputation.

Purpose:
The purpose of this policy is to establish a foundation of openness and trust, emphasizing the expectations
for fair business practices. By adhering to this policy, we aim to guide business behavior and foster a
workplace where ethical conduct is a collective effort involving every member of the Metropolis Capital
Bank team.

Scope:
This policy applies to all individuals associated with Metropolis Capital Bank, including employees,
contractors, consultants, temporary workers, and those affiliated with third parties.

Policy:

4.1 Executive Commitment to Ethics:


- 4.1.1 Senior Leadership Example:
  Executives must prioritize honesty and integrity in all business practices, setting a prime example for the
entire organization.
- 4.1.2 Open Door Policy:
  Executives should maintain an open-door policy, welcoming suggestions and concerns from employees
to foster a transparent environment.
- 4.1.3 Conflict of Interest:
  Executives must disclose any conflict of interests related to their position within Metropolis Capital
Bank.

4.2 Employee Commitment to Ethics:


- 4.2.1 Fair Treatment:
Employees will treat everyone fairly, promote mutual respect, and avoid any intent or appearance of
unethical practices.
- 4.2.2 Effort and Intelligence:
Every employee is expected to apply effort and intelligence in upholding ethical values.
- 4.2.3 Conflict of Interest:
Employees must disclose any conflict of interests related to their position within Metropolis Capital
Bank.
- 4.2.4 Customer and Vendor Satisfaction:
Employees will contribute to increasing customer and vendor satisfaction by providing quality products
and timely responses to inquiries.
- 4.2.5 Self-Reflection Questions:
Employees should consider specific questions when faced with questionable behavior related to legality,
compliance with policies, alignment with company values, potential impact on stakeholders, personal
concerns if the behavior appeared in the news, and the potential adverse effects if all employees engaged in
similar behavior.

4.3 Company Awareness:


- 4.3.1 Rewarding Ethical Conduct:
Ethical conduct in interpersonal communications will be rewarded.
- 4.3.2 Trustworthy Atmosphere:
Metropolis Capital Bank will promote a trustworthy and honest atmosphere to reinforce the vision of
ethics within the company.

4.4 Maintaining Ethical Practices:


- 4.4.1 Ethical Stance from the Top:
  Every employee, manager, and director must consistently maintain an ethical stance and support ethical
behavior.
- 4.4.2 Open Dialogue and Feedback:
  Employees should encourage open dialogue, seek honest feedback, and treat everyone fairly, honestly,
and objectively.
- 4.4.3 Best Practice Disclosure Committee:
  A best practice disclosure committee is established to ensure the ethical code is delivered to all
employees, and concerns regarding the code can be addressed.
- 4.4.4 Annual Compliance Recertification:
Employees are required to recertify their compliance with the Ethics Policy on an annual basis.

4.5 Unethical Behavior:


- 4.5.1 Avoiding Unethical Practices:
Metropolis Capital Bank will avoid any intent or appearance of unethical or compromising practices in
relationships, actions, and communications.
- 4.5.2 Harassment and Discrimination:
Harassment or discrimination will not be tolerated.
- 4.5.3 Unauthorized Use of Company Information:
Unauthorized use of company information, including trade secrets and sensitive data, will not be
tolerated.
- 4.5.4 Impropriety:
Metropolis Capital Bank will not permit impropriety and will act ethically and responsibly in accordance
with laws.
- 4.5.5 Corporate Asset Use:
Employees will not use corporate assets or business relationships for personal use or gain.

Policy Compliance:

5.1 Compliance Measurement:


- Metropolis Capital Bank will verify compliance through various methods, including business tool
reports, internal and external audits, and feedback.

5.2 Exceptions:
- None.

5.3 Non-Compliance:
- Employees found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.

Your commitment to upholding ethical standards is vital in maintaining the trust and integrity of Metropolis
Capital Bank.

4.1.4. Remote Access Policy for Metropolis Capital Bank.

Subject: Metropolis Capital Bank Remote Access Policy

Overview:
Remote access to Metropolis Capital Bank's corporate network is essential for maintaining productivity;
however, it comes with inherent security risks. This policy aims to define rules and requirements for
connecting to our network remotely. The goal is to minimize potential exposure to damages resulting from
unauthorized use, including the loss of sensitive data, intellectual property, damage to our image, internal
system disruption, and financial liabilities.

Purpose:
The purpose of this policy is to establish guidelines for remote access connections, ensuring the secure and
authorized use of Metropolis Capital Bank resources. It applies to all individuals with remote access
privileges, whether using a Metropolis Capital Bank-owned or personally-owned computer.

Scope:
This policy applies to all Metropolis Capital Bank employees, contractors, vendors, and agents utilizing
remote access connections for work purposes. It covers technical implementations of remote access
connecting to Metropolis Capital Bank networks.

Policy:

4. General Access and Usage:


- Access to the Internet for recreational use through Metropolis Capital Bank's network is limited to
Authorized Users (employees, contractors, vendors, and agents).
- Authorized Users are responsible for preventing non-Authorized Users from accessing Metropolis
Capital Bank resources when using personal computers.
- Illegal activities through the Metropolis Capital Bank network are strictly prohibited, and the Authorized
User bears responsibility for any misuse.

4.1 Requirements:
- 4.1.1 Secure Remote Access:
- Control remote access with encryption (e.g., Virtual Private Networks (VPNs)) and strong passphrases.
- 4.1.2 Login and Password Protection:
- Authorized Users must protect their login and password, even from family members.
- 4.1.3 Network Connectivity:
- When using a Metropolis Capital Bank-owned computer, ensure the remote host is not connected to any
other network simultaneously.
- 4.1.4 Approval for External Resources:
- Approval from InfoSec and the relevant business unit manager is required for using external resources
to conduct Metropolis Capital Bank business.
- 4.1.5 Anti-virus Software:
- All hosts connected to Metropolis Capital Bank internal networks via remote access must use up-to-date
anti-virus software.
- 4.1.6 Equipment Requirements:
- Personal equipment used for remote access must meet Metropolis Capital Bank-owned equipment
standards.


5. Policy Compliance:
- 5.1 Compliance Measurement:
- The InfoSec Team will verify compliance through various methods, including walk-throughs,
monitoring, tool reports, internal and external audits, and inspections.
- 5.2 Exceptions:
- Any exceptions must be approved by Remote Access Services and the InfoSec Team in advance.
- 5.3 Non-Compliance:
- Violations of this policy may result in disciplinary action, up to and including termination of
employment.

6. Related Standards, Policies, and Processes:


- Please review the following policies for additional details:
- Acceptable Encryption Policy
- Acceptable Use Policy
- Password Policy
- Third Party Agreement
- Hardware and Software Configuration Standards for Remote Access to Metropolis Capital Bank
Networks

Thank you for your commitment to ensuring the security of Metropolis Capital Bank's remote access
connections.

4.2. Disaster Recovery Plan (DRP) for Metropolis Capital Bank.

I. Mitigation Strategies and Preparedness.

• Development of Mitigation Strategies.


Metropolis Capital Bank adopts a proactive stance in developing mitigation strategies tailored to address
identified risks. These strategies encompass a combination of preventive measures, risk transfer
mechanisms, and contingency plans. The bank strives to create a resilient framework that can adapt to
evolving threats, emphasizing both technology-driven solutions and robust operational protocols.


• Preparedness Measures.
Preparedness is a cornerstone of Metropolis Capital Bank's disaster recovery approach. The bank invests in
ongoing training and awareness programs to ensure that all employees are well-versed in their roles and
responsibilities during a disaster. Regular drills and simulations are conducted to test the effectiveness of the
DRP and enhance the organization's preparedness to respond swiftly and decisively in the face of adversity.

• Collaborative Partnerships.
Metropolis Capital Bank recognizes the importance of collaborative partnerships with external entities,
including emergency responders, regulatory bodies, and industry peers. By fostering these relationships, the
bank enhances its ability to coordinate responses, share best practices, and stay informed about emerging
threats and regulatory updates.

II. Incident Response and Recovery.

• Activation of Incident Response Plan.


In the event of a disaster, Metropolis Capital Bank activates its Incident Response Plan (IRP) promptly. The
IRP defines clear roles and responsibilities, designates decision-making authority, and outlines
communication protocols. By adhering to a structured incident response framework, the bank aims to
contain and mitigate the impact of the disaster swiftly.

• Recovery Procedures.
Metropolis Capital Bank's recovery procedures are designed to minimize downtime and restore normal
operations efficiently. These procedures encompass data restoration, system recovery, and the gradual
resumption of critical business functions. The bank places a premium on ensuring that the recovery process
is methodical, thorough, and aligned with the overarching goal of restoring normalcy.

• Continuous Improvement and Learning.


Post-incident, Metropolis Capital Bank conducts thorough reviews and analyses to identify lessons learned
and areas for improvement. This commitment to continuous learning ensures that the DRP evolves in
tandem with emerging risks and changing operational landscapes. Regular updates and refinements to the
plan are integral to sustaining its effectiveness over time.


In conclusion, Metropolis Capital Bank's Disaster Recovery Plan reflects a holistic and dynamic approach to
safeguarding operational continuity in the face of diverse threats. The plan's iterative nature, coupled with a
commitment to proactive risk management, positions the bank to navigate challenges with resilience and
uphold the trust of clients and stakeholders.

Risk Assessment Table.

| Disaster | Probability | Impact | Brief Description of Potential Consequences & Remedial Actions |
|---|---|---|---|
| Equipment Failure | Medium | Medium | Implementing a proactive maintenance schedule for equipment to identify and address potential issues before they lead to failure. Continuous monitoring helps detect anomalies early. |
| Cyber Attacks | Medium | High | Regular training programs for employees to enhance awareness of cyber threats, phishing attacks, and safe online practices; encryption of sensitive data to protect it from unauthorized access. This ensures that even if data is compromised, it remains unintelligible without the encryption key. |
| Natural Disaster: Lightning | Medium | Medium | Probability of a lightning incident is medium. Impact includes potential fire hazard and equipment damage. Remedial actions involve evacuating affected areas, ensuring electrical safety, inspecting and repairing damaged equipment, and implementing lightning protection measures. |
| Natural Disaster: Flood | Low | Low | Probability of a flood is low. Impact includes infrastructure damage and potential data loss. Remedial actions involve evacuation to higher ground, securing data centers, remediating flood damage, restoring critical services, and implementing flood prevention measures. |


Communication Plan

| Title | Name | Job Role | Contact No |
|---|---|---|---|
| Mr | Saman Jayathunga | Disaster Recovery Coordinator | 071-2358789 |
| Mrs | Shanika Hasini | Deputy Disaster Recovery Coordinator | 076-6547892 |
| Mr | Janith Liyanage | Data Backup and Recovery Specialist | 071-7896325 |
| Mr | Thusitha Kaldera | Communication Coordinator | 075-8523689 |
| Mrs | Hasanthika Madumali | Communication Coordinator | 072-3625789 |
| Mr | Sajith Madushanka | Facility Recovery Manager | 074-2314231 |

External Contacts / Emergency Contacts

| Organization or Name | Telephone |
|---|---|
| Sri Lanka Police | 119 / 0412352456 |
| Technical Team | 041-2537895 |
| Fire Station | 041-2356145 / 076-456238 |
| Internet Service Provider | 1212 |
| Disaster Management Centre | 041-2356159 |

Disaster Recovery Table

| Disaster | Impact | First Action | Recovery Methods |
|---|---|---|---|
| Equipment Failure | Operational downtime; data loss or corruption; reputational damage | Automated system alerts; initiate system backup | System restoration, data recovery from backups, conduct root cause analysis |
| Cyber Attacks | Data breach; financial loss; operational disruption | Activate incident response team | Isolate affected systems, conduct forensic analysis, implement security patches |
| Natural Disaster: Lightning | Potential fire hazard, equipment damage | Evacuate affected areas, ensure electrical safety | Inspect and repair damaged equipment, implement lightning protection measures |
| Natural Disaster: Flood | Infrastructure damage, data loss | Evacuation to higher ground, secure data centers | Remediate flood damage, restore critical services, implement flood prevention measures |

4.2.1. Roles of Stakeholders in Implementing Security Audits.

• Investors:
- Contribution to the Organization: Investors play a pivotal role by providing essential capital for the
organization's operations and expansion, contributing to financial stability and growth

- Role in Security Audits: Due to their vested interest, investors actively participate in security audits,
advocating for robust security measures to protect their investments and ensure the organization's
resilience against potential threats

• Managers:
- Contribution to the Organization: Managers bring valuable skills and expertise to decision-making
processes and oversee day-to-day operations, contributing to the overall success of the organization.

- Role in Security Audits: Managers are integral to implementing security policies and procedures. During
security audits, their focus is on aligning security measures with business objectives and ensuring
operational efficiency.


• Employees:
- Contribution to the Organization: Employees contribute their skills and expertise, playing a crucial role
in driving the organization's success.

- Role in Security Audits: As end-users of security measures, employees are vital in adhering to security
protocols. Security audits assess employee awareness, training, and adherence to established security
practices.

• Customers:
- Contribution to the Organization: Customers contribute revenue through the purchase of goods and
services, sustaining the organization's financial health.

- Role in Security Audits: Customers, highly concerned about the security of their data, become a focal
point in security audits. The assessment ensures that measures are in place to protect customer information,
fostering trust and loyalty.

In summary, each stakeholder group - investors, managers, employees, and customers - plays a distinct role
in both contributing to the organization's success and influencing the outcomes of security audits. Their
collective involvement is crucial for maintaining a secure and resilient organizational environment.

• Government:
- Contribution to the Organization: Government entities contribute by establishing rules governing good
business practices and may also act as customers for specific services.
- Role in Security Audits: Compliance with government regulations is a central focus in security audits.
Stakeholders ensure that security measures align with legal requirements set forth by regulatory bodies.

• Owners:
- Contribution to the Organization: Owners bring skills and expertise, and contribute to the overall strategic
direction of the organization.
- Role in Security Audits: Owners, with a vested interest in the organization's long-term success, play a
critical role in approving security budgets, policies, and overarching security strategies.


In essence, the government's role involves both rule-setting and potential engagement as customers, while
owners significantly contribute to strategic decisions and are pivotal in shaping the organization's security
landscape during audits. Their involvement ensures alignment with legal requirements and long-term
success.

Security has a profound impact on various stakeholders within an organization:

- Customers:
- Security breaches can lead to the compromise of customer data, resulting in legal consequences and a
loss of trust.

- Employees:
- Inadequate security measures may jeopardize job security if business decisions negatively impact the
organization's stability.

- Investors:
- Security is a critical factor for investors; insufficient security measures may deter investments.

- Managers:
- The security of sensitive business plans and data directly affects managerial decision-making and
strategic planning.

- Owners:
- Security lapses can lead to the departure of employees, refusal of investments, and a decline in customer
trust, impacting the overall viability of the business.

Ensuring robust security measures is not just a technical necessity but a strategic imperative that safeguards
the interests of customers, employees, investors, managers, and owners alike. It is integral to maintaining
trust, stability, and the long-term viability of the business.


4.3. Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all
their sites to guarantee maximum reliability to their clients.


References
British Safety Council, 2023. What is a risk assessment?. [Online]
Available at: https://www.britsafe.org/training-and-learning/informational-resources/risk-assessments-what-they-are-why-they-re-important-and-how-to-complete-them#:~:text=It%20is%20a%20legal%20requirement,or%20more%20people%20are%20employed.&text=The%20main%20purpose%2
[Accessed 02 12 2013].
Barracuda, 2020. What is a DMZ network?. [Online]
Available at: https://www.barracuda.com/support/glossary/dmz-network
[Accessed 02 12 2023].
Clancy, R., October 4, 2022. What Is Virtual Network Security, and How Can It Help Thwart Threats?. [Online]
Available at: https://www.eccouncil.org/cybersecurity-exchange/network-security/what-is-virtual-network-security/
[Accessed 2 12 2023].
Fortinet home, 2021. Benefits of a VPN. [Online]
Available at: https://www.fortinet.com/resources/cyberglossary/benefits-of-vpn#:~:text=Without%20a%20VPN%2C%20you%20may,and%20receive%20secure%20and%20anonymous.
[Accessed 2 12 2023].
Fortinet home, 2021. Firewall Benefits: The Importance of Firewall Security. [Online]
Available at: https://www.fortinet.com/resources/cyberglossary/benefits-of-firewall
[Accessed 02 12 2023].
Fortinet home, 2021. What is Network Address Translation (NAT)?. [Online]
Available at: https://www.fortinet.com/lat/resources/cyberglossary/network-address-translation
[Accessed 02 12 2023].
Guide, H. S., 2015. Data Protection Act. [Online]
Available at: https://www.sciencedirect.com/topics/computer-science/data-protection-act#:~:text=British%20Information%2C%202012-,Data%20Protection%20Act%201998,be%20collected%2C%20stored%20and%20processed.
[Accessed 03 12 2023].
McCallion, J., November 21, 2023. What is the Computer Misuse Act?. [Online]
Available at: https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act
[Accessed 03 12 2023].
Walsh, B., September 15, 2023. What Is a Static IP Address and Why Do You Need One?. [Online]
Available at: https://www.wizcase.com/blog/what-is-a-static-ip-address-and-do-you-need-one/?gad_source=1&gclid=Cj0KCQiAyKurBhD5ARIsALamXaHIeq8FthlK0CO3y8HbdJrJZtn5e4HLfeIy7wWsdbueeofL6fmJd2kaAtP6EALw_wcB
[Accessed 2 12 2023].
