Btec HND Unit 5 Security New PDF
Pearson
Higher Nationals in
Computing
Unit 5 : Security
General Guidelines
1. A cover page or title page – you should always attach a title page to your assignment. Use the previous page as
your cover sheet and be sure to fill in the details correctly.
2. This entire brief should be attached at the front before you start answering.
3. All assignments should be prepared using word processing software.
4. All assignments should be printed on A4 sized paper, and make sure to only use one-sided printing.
5. Allow a 1” margin on each side of the paper, but on the left side you will need to leave room for binding.
Important Points:
1. Check carefully the hand in date and the instructions given with the assignment. Late submissions will not be
accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be accepted for failure
to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in
writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to
complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you properly reference them,
using the HARVARD referencing system, in your text and any bibliography, otherwise you may be guilty of
plagiarism.
9. If you are caught plagiarizing you could have your grade reduced to A REFERRAL or at worst you could be
excluded from the course.
Student Declaration
I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.
Assignment Brief
Student Name /ID Number
Unit Tutor
Issue Date
Submission Date
Submission Format:
The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.
Assignment Brief and Guidance:
EMC Cloud Solutions is reputed as the nation’s most reliable cloud solution provider in Sri Lanka.
A number of high-profile businesses in Sri Lanka, including the Esoft Metro Camps network, SME Bank Sri
Lanka and WEEFM, are served by EMC Cloud Solutions. EMC Cloud provides nearly 500 of its
customers with SaaS, PaaS and IaaS solutions with high-capacity compute and storage options. EMC
is also a selected contractor for the Sri Lanka Ministry of Defense for hosting government and defense
systems.
EMC’s central data center facility is located in Colombo, Sri Lanka, along with its corporate head office in
Bambalapitiya. The premises at Bambalapitiya is a six-storey building: the 1st floor is dedicated to sales
and customer services and is equipped with a public wifi facility; the second floor hosts the HR, Finance and
Training & Development departments; the third floor hosts the boardroom and offices for senior executives
along with the IT and Data Center department; and floors 4, 5 and 6 host the computer servers which make
up the data center.
With the rapid growth of information technology in the Kandy area in recent years, EMC is seeking the
opportunity to extend its services to Kandy, Sri Lanka. As yet, the organization is still considering the
nature of such an extension: what to implement, where a suitable location is, and other essential options
such as security are still being discussed.
You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system and provide recommendations on security and reliability related
improvements of its present system as well as to plan the establishment of the extension on a solid
security foundation.
Activity 01
Assuming the role of External Security Consultant, you need to compile a report focusing on following
elements to the board of EMC Cloud Solutions;
1.1 Identify types of security risks EMC Cloud is subject to, in its present setup and the impact, such
issues would create on the business itself.
1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of issues discussed
in section (1.1) by assessing and treating the risks.
Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which
are applicable to firewalls and VPN solutions.
2.2 Explain how following technologies would benefit EMC Cloud and its Clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations).
i) DMZ
ii) Static IP
iii)NAT
2.3 Discuss the benefits of implementing network monitoring systems.
Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud solutions to safeguard itself and its
clients.
3.2 Explain the mandatory data protection laws and procedures which will be applied to data storage
solutions provided by EMC Cloud. You may also highlight the ISO 31000 risk management methodology.
Activity 04
4.1 Develop a security policy for EMC Cloud to minimize exploitations and misuses while evaluating
the suitability of the tools used in an organizational policy.
4.2 Develop and present a disaster recovery plan for EMC Cloud for its all venues to ensure maximum
uptime for its customers (Student should produce a PowerPoint-based presentation which illustrates the
recovery plan within 15 minutes of time including justifications and reasons for decisions and options
used).
Grading Rubric
P6 Explain data protection processes and regulations as applicable
to an organisation.
Cyber-Security is much more than a matter of IT
Muthiah Udayawarman
HND Batch 85
SECURITY
EMC Cloud Solutions
Contents
Acknowledgement
Activity 01
1.1
1.2
Activity 02
2.1
2.2
2.3
Activity 03
3.1
3.2
3.3

List of Figures
Figure 1 VPN, Firewall Setup one
Acknowledgement
In the preparation of my assignment, I had to take the help and guidance of some respected persons who deserve
my deepest gratitude. As the completion of this assignment gave me much pleasure, I would like to
show my gratitude to Mr. Tyrell, course lecturer at Esoft Metro Campus, for giving me
good guidelines for the assignment throughout numerous consultations. I would also like to extend my gratitude
to all those who have directly guided me in doing this assignment.
In addition, a thank you to my batch brothers and friends who helped me do this
assignment in a good way and had a lasting effect. Many people, especially my classmates, have made
valuable comments and suggestions on my paper which gave me the inspiration to improve the quality of the
assignment. The success and final outcome of this project required a lot of guidance and assistance from
many people and I am extremely privileged to have had this all along the completion of my project. All that
I have done is only due to such supervision and assistance and I would not forget to thank them.
Activity 01
1.1
Main disasters that EMC Cloud Solutions would face

1. Natural disasters
   Earthquake
   Landslides
   Heavy rain, storms

Risk                  | Risk level | Impact                                                    | Mitigation
Ransomware / viruses  | Very high  | Data on the servers can be encrypted and access blocked   | Have good internet security and firewalls
Power outage          | Medium     | Shutdown of all the servers and systems                   | Use UPS for systems and keep generators ready
1.2
Security Procedures for EMC Cloud
Building and managing a security program is an effort that most organizations grow into over time.
I have worked with start-ups that had no rules for how assets or networks were used by employees. I have
also worked at established organizations where every aspect of IT and cybersecurity was heavily managed.
The goal is to find a middle ground where companies can responsibly manage the risk that comes with the
kinds of technologies they choose to deploy.
In establishing the foundation for a security program, companies will generally first designate an employee to
be responsible for cybersecurity. It will be this employee who will begin the process of creating a plan to
manage the company’s risk through security technologies, auditable work processes and documented policies
and procedures. A mature security program will require the following policies and procedures.
1. Acceptable Use Policy (AUP)
An AUP stipulates the constraints and practices that an employee using organizational IT assets must
agree to in order to access the corporate network or the internet. It is standard onboarding policy for new
employees: they are given an AUP to read and sign before being granted a network ID. It is recommended that
an organization’s IT, security, legal and HR departments discuss what is included in this policy.
2. Access Control Policy (ACP)
The ACP outlines the access available to employees with respect to an organization’s data and information
systems. Some topics that are typically included in the policy are access control standards such as
NIST’s Access Control and Implementation Guides. Other items covered in this policy are standards for user
access, network access controls, operating system software controls and the complexity of corporate
passwords. Additional items often outlined include methods for monitoring how corporate systems are
accessed and used; how unattended workstations should be secured; and how access is removed when an
employee leaves the organization.
3. Change Management Policy
A change management policy refers to a formal process for making changes to IT, software development
and security services/operations. The goal of a change management program is to increase the awareness
and understanding of proposed changes across an organization, and to ensure that all changes are conducted
methodically to minimize any adverse impact on services and customers. A good example of an IT change
management policy available for fair use is at SANS.
4. Data Security Policy
An organization’s information security policies are typically high-level policies that can cover a large number
of security controls. The primary information security policy is issued by the company to ensure that all
employees who use information technology assets within the breadth of the organization, or its networks,
comply with its stated rules and guidelines. I have seen organizations ask employees to sign this document to
acknowledge that they have read it (which is generally done together with the signing of the AUP). This
policy is designed for employees to recognize that there are rules that they will be held accountable to with
respect to the sensitivity of the corporate information and IT assets.
5. Incident Response (IR) Policy
The incident response policy is an organized approach to how the company will manage an incident and
remediate the impact on operations. It is the one policy CISOs hope never to have to use. The goal of this
policy is to describe the process of handling an incident so as to limit the damage to business operations and
customers, and to reduce recovery time and costs.
6. Remote Access Policy
The remote access policy is a document which outlines and defines acceptable methods of remotely
connecting to an organization’s internal networks. I have also seen this policy include addendums with rules
for the use of BYOD assets. This policy is a requirement for organizations that have dispersed networks with
the ability to extend into insecure network locations, such as the local coffee shop or unmanaged home
networks. An example of a remote access policy is available at SANS.
7. Email/Communication Policy
A company’s email policy is a document that is used to formally outline how employees can use the
business’ chosen electronic communication medium. I have seen this policy cover email, blogs, social media
and chat technologies. The primary goal of this policy is to provide guidelines to employees on what is
considered the acceptable and unacceptable use of any corporate communication technology.
8. Disaster Recovery Policy
An organization’s disaster recovery plan will generally include both the cybersecurity and IT teams’ input
and will be developed as part of the larger business continuity plan. The CISO and teams will manage an
incident through the incident response policy. If the event has a significant business impact, the Business
Continuity Plan will be activated.
9. Business Continuity Plan (BCP)
The BCP will coordinate efforts across the organization and will use the disaster recovery plan to
restore hardware, applications and data deemed critical for business continuity. BCPs are unique to every
business because they describe how the organization will operate in an emergency.
The above policies and documents are just some of the basic guidelines I use to build
successful security programs.
Activity 02
2.1
Discuss how EMC Cloud and its clients will be impacted by improper/ incorrect configurations which are
applicable to firewalls and VPN solutions.
Firewalls are commonly classified as network firewalls or host-based firewalls. Network firewalls filter traffic
between two or more networks and run on network hardware. Host-based firewalls run on the host computer
and control the network traffic in and out of that machine. Both are used to protect computers or local
networks and to prevent intrusions and attacks from outside. Firewalls are also set up by Internet service
providers to keep computers from reaching particular websites or servers, often for Internet filtering purposes.
If the configuration is not correct, there could be a security breach through which private files could be stolen.
Potential impact on IT security
A misconfiguration may lead to a data breach by opening a hole in the network that a third party could
exploit to steal sensitive files. Wanted traffic may fail to reach its intended destination, and traffic may
reach a destination it should never have reached.
As security threats become more advanced, managing your firewall configurations has never been more
important. IT professionals spend a lot of their time worrying about flaws and vulnerabilities, yet
according to Gartner research, 95% of all firewall breaches are caused by misconfiguration, not
flaws.
Firewalls are a fundamental part of your network security, and a misconfigured firewall can damage your
organization and give easy access to an attacker. Yet misconfigurations are alarmingly common. In my work I
come across lots of mistakes in firewall configurations. The following are five of the most common types that I
encounter, along with advice on how you can avoid them.
1. Broad policy configurations
Firewalls are often set up with an open policy of allowing traffic from any source to any destination. This is
because IT teams don’t know exactly what they need at the outset, and therefore start with broad rules and
work backwards. In reality, because of time pressures or simply not seeing it as a priority, they never get
round to defining firewall policies. This leaves the network in a perpetually exposed state.
Organizations should follow the principle of least privilege – that is, granting the minimum level of privilege that
the user or service needs to function normally, thereby limiting the potential damage caused by a breach. It is
also a good idea to regularly revisit your firewall policies to look at application usage trends and identify new
applications being used on the network and what connectivity they require.
2. Unnecessary services and insecure management protocols
Services that are left running on the firewall when they don’t need to be is another mistake I often find.
Two of the main culprits are dynamic routing, which as best practice should normally not be enabled on
security devices, and “rogue” DHCP servers on the network handing out IPs, which can lead to availability
problems because of IP conflicts. I am also surprised by the number of devices that are still managed using
unencrypted protocols like telnet, despite the protocol being more than 30 years old.
The answer to this problem is hardening devices and ensuring that configurations are compliant before the
device is put into a production environment. This is something with which a lot of enterprises struggle. But by
configuring your devices based on the function you actually need them to fulfil and following the principle of
least privileged access, you will improve security and reduce the chances of accidentally leaving a risky
service running on your firewall.
3. Non-standard authentication mechanisms
During my work, I often find organizations that use devices that don’t follow the enterprise standard
for authentication. For example, a large bank I worked with had all the devices in its primary data center
controlled by a central authentication mechanism, but didn’t use the same mechanism at its remote office. By not
enforcing corporate authentication standards, staff in the remote branch could access local accounts with weak
passwords, and had a different limit on login failures before account lockout.
This situation reduces security and creates more vectors for attackers, as it is easier for them to reach the
corporate network through the remote office. Organizations should ensure that every remote office
follows the same central authentication mechanism as the rest of the company.
4. Test systems using production data
Companies tend to have good governance policies requiring that test systems should not connect to production
systems and collect production data. In practice, however, this is often not enforced because the people
working in testing see production data as the most accurate way to test. The problem arises because when you
allow test systems to collect data from production, you are likely to bring that data into an environment with a
lower level of security. The data could be highly sensitive, and it could also be subject to regulatory
compliance. So if you do use production data in a test environment, make sure that you apply the right
security controls according to the classification of the data.
5. Log output from security devices not analysed
The problem that I see more often than I should is organizations not analysing the log output from their
security devices – or not with enough granularity. This is probably the biggest mistake you can make in terms of
network security: not only will you not be alerted when you are under attack, but you will have little or no
traceability when you are investigating post-breach.
The reason I often hear for not logging properly is that logging infrastructure is expensive, and hard to
deploy, analyse and maintain. But the cost of being breached without being alerted or being able to trace the
attack is definitely far higher.
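As an added example (not taken from the original report), the Python below shows what analysing firewall logs makes visible that an unread log hides: one source probing many closed ports, and an accepted telnet connection from outside. The log line format, the sample log lines, the internal address ranges, the set of cleartext management ports and the scan threshold are all constructed for the example; a real firewall’s syslog format will differ, so the regular expression is the part that changes.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log format for this example; a real firewall's syslog will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw1 (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
# Assumptions for the example: which ranges count as "inside", and which ports are cleartext management.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
CLEARTEXT_MGMT_PORTS = {23, 161}  # telnet, snmp

# Constructed sample log: a scan from 198.51.100.7, normal HTTPS, a telnet login from
# outside, an internal telnet session, and one line the parser cannot read.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=21
2024-03-01T10:00:01Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=22
2024-03-01T10:00:01Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=23
2024-03-01T10:00:02Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=25
2024-03-01T10:00:02Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80
2024-03-01T10:00:02Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=110
2024-03-01T10:00:03Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=143
2024-03-01T10:00:03Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=3389
2024-03-01T10:00:03Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=8080
2024-03-01T10:00:04Z fw1 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=8443
2024-03-01T10:00:04Z fw1 ACCEPT src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443
2024-03-01T10:00:05Z fw1 ACCEPT src=192.0.2.5 dst=203.0.113.10 proto=tcp dport=443
2024-03-01T10:00:06Z fw1 ACCEPT src=198.51.100.99 dst=203.0.113.10 proto=tcp dport=23
2024-03-01T10:00:07Z fw1 ACCEPT src=10.0.5.20 dst=10.0.1.1 proto=tcp dport=23
2024-03-01T10:00:09Z fw1 heartbeat ok
"""


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def is_external(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def analyze(events, scan_threshold: int = 8) -> dict:
    """Summarise drops per source, flag sources probing many distinct closed ports,
    and flag accepted cleartext management sessions that came from outside."""
    dropped_ports = defaultdict(set)
    drops_per_src = Counter()
    cleartext_mgmt = []
    for event in events:
        if event["action"] == "DROP":
            dropped_ports[event["src"]].add(event["dport"])
            drops_per_src[event["src"]] += 1
        elif event["dport"] in CLEARTEXT_MGMT_PORTS and is_external(event["src"]):
            cleartext_mgmt.append((event["src"], event["dst"], event["dport"]))
    port_scans = {src: len(ports) for src, ports in dropped_ports.items() if len(ports) >= scan_threshold}
    return {"port_scans": port_scans, "external_cleartext_mgmt": cleartext_mgmt, "drops_per_src": drops_per_src}


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG.splitlines()))
    print("port scans:", report["port_scans"])
    print("cleartext management from outside:", report["external_cleartext_mgmt"])
```

The scan is only visible when drops are kept and grouped by source; with the drop log disabled, the one accepted HTTPS connection from 198.51.100.7 looks like any other customer. The same grouping, run continuously, is what a monitoring system (section 2.3) automates.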
Enterprises need to look at the state of their firewall security and identify where gaps may exist. By
addressing these misconfiguration issues, organizations can quickly improve their overall security posture
and drastically reduce their risk of a breach.
2.2
What is a DMZ Network?
The goal of a DMZ is to add an extra layer of security to an organization's local area network. A protected and
monitored network node that faces outside the internal network can access what is exposed in the DMZ, while
the rest of the organization's network is safe behind a firewall.
When implemented properly, a DMZ Network gives organizations extra protection in detecting and mitigating
security breaches before they reach the internal network, where valuable assets are stored.
Purpose of a DMZ
The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts usually involve services
that extend to users outside of the local area network, the most common examples being email, web servers,
and DNS servers. Because of the increased potential for attack, they are placed into the monitored subnetwork
to help protect the rest of the network if they become compromised.
Hosts in the DMZ have tightly controlled access permissions to other services within the internal network,
because the data passed through the DMZ is not as secure. On top of that, communications between hosts in
the DMZ and the external network are also restricted to help increase the protected border zone. This allows
hosts in the protected network to interact with the internal and external network, while the firewall separates
and manages all traffic shared between the DMZ and the internal network. Typically, an additional firewall
will be responsible for protecting the DMZ from exposure to everything on the external network.
All services accessible to users communicating from an external network can and should be placed in the
DMZ, if one is used. The most common services are:
• Web servers: Web servers responsible for maintaining communication with an internal database server
may need to be placed into a DMZ. This helps ensure the safety of the internal database, which is often
storing sensitive information. The web servers can then interact with internal database server through
an application firewall or directly, while still falling under the umbrella of the DMZ protections.
• Mail servers: individual email messages, as well as the user database built to store login credentials
and personal messages, are usually stored on servers without direct access to the internet. Therefore,
an email server will be built or placed inside the DMZ in order to interact with and access the email
database without directly exposing it to potentially harmful traffic.
• FTP servers: These can host critical content on an organization's site, and allow direct interaction with
files. Therefore, an FTP server should always be partially isolated from critical internal systems.
A DMZ configuration provides additional security from external attacks, but it typically has no bearing on
internal attacks such as sniffing communication via a packet analyzer or spoofing via email or other means.
DMZ Designs
There are numerous ways to construct a network with a DMZ. The two major methods are a single firewall
(sometimes called a three-legged model) or dual firewalls. Each of these designs can be expanded to create
complex architectures built to satisfy network requirements:
• Single firewall: A modest approach to network architecture involves using a single firewall with a
minimum of 3 network interfaces. The DMZ is placed behind this firewall on its own interface. The
interfaces are used as follows: the first interface takes the connection from the ISP (the external
network), the second interface connects the internal network, and connections to and from the DMZ are
handled by the third interface.
• Dual firewall: The more secure approach is to use two firewalls to create a DMZ. The first firewall
(referred to as the “frontend” firewall) is configured to only allow traffic destined for the DMZ. The
second firewall (referred to as the “backend” firewall) is only responsible for the traffic that travels
from the DMZ to the internal network. An effective way of further increasing protection is to use
firewalls built by separate vendors, because they are less likely to have the same security
vulnerabilities. While more effective, this scheme can be more costly to implement across a large
network.
On many home networks, internet-enabled devices are built around a local area network which accesses the
internet from a broadband router. The router serves as both a connection point and a firewall,
automating traffic filtering to ensure only safe messages enter the local area network. So, on a home network,
a DMZ can be built by adding a dedicated firewall between the local area network and the router. While more
expensive, this structure better protects the inside devices from attacks coming from outside.
DMZs are an essential part of network security for both individual users and large organizations. They
provide an extra layer of security to the computer network by restricting remote access to internal servers and
information, which can be very damaging if breached.
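The following Python is an added example, not part of the original report, that models the dual-firewall DMZ design described above as a zone policy: the frontend firewall admits external traffic only to the published DMZ services, the backend firewall admits only the web server to the database, and everything else is dropped. It then shows the blast radius if a DMZ host is compromised. The address ranges, host addresses and permitted flows are assumptions made up for the example, not EMC’s real network.

```python
import ipaddress

# Assumed address plan for the example (documentation ranges, not EMC's real network).
ZONE_NETS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB, MAIL, DB = "203.0.113.10", "203.0.113.25", "10.0.2.5"

# Each entry: (source zone, destination zone, source host or None for any,
#              destination host or None for any, destination port or None for any).
# The first two entries are what the frontend firewall allows, the next two what the
# backend firewall allows for DMZ hosts; anything not listed is dropped by both.
POLICY = [
    ("external", "dmz", None, WEB, 443),     # public web service
    ("external", "dmz", None, MAIL, 25),     # inbound mail
    ("dmz", "internal", WEB, DB, 5432),      # only the web server may reach the database
    ("dmz", "external", None, None, 53),     # DMZ hosts may resolve names outbound
    ("internal", "dmz", None, None, None),   # staff may use DMZ services
    ("internal", "external", None, None, None),
]


def zone_of(ip: str) -> str:
    """Classify an address into dmz / internal / external by the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "external"


def permitted(src: str, dst: str, port: int) -> bool:
    """Evaluate one flow against the zone policy; default deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for p_src_zone, p_dst_zone, p_src, p_dst, p_port in POLICY:
        if ((p_src_zone, p_dst_zone) == (src_zone, dst_zone)
                and p_src in (None, src) and p_dst in (None, dst) and p_port in (None, port)):
            return True
    return False


def blast_radius(compromised: str, candidate_flows):
    """Which of the candidate (dst, port) flows a compromised host could still open."""
    return [(dst, port) for dst, port in candidate_flows if permitted(compromised, dst, port)]


# Constructed probes an attacker on the web server might try after compromising it.
ATTACKER_FLOWS = [(DB, 5432), ("10.0.1.50", 445), ("198.51.100.7", 4444), ("8.8.8.8", 53)]

if __name__ == "__main__":
    print("from compromised web server:", blast_radius(WEB, ATTACKER_FLOWS))
    print("from compromised mail server:", blast_radius(MAIL, ATTACKER_FLOWS))
```

With this policy a compromised web server can still reach the database on its one permitted port and resolve DNS, but cannot reach internal workstations or open a reverse connection to an arbitrary outside address on port 4444; the compromised mail server cannot reach the database at all. That restriction of DMZ-to-internal and DMZ-to-external traffic is the point of the backend firewall, and the outbound DNS entry is worth noting as the remaining channel an attacker would try to abuse.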
When Static IP Addresses Are Used
Static IP addresses are necessary for devices that need to be reachable at a constant address.
For example, they are essentially required if your computer is configured as a server, such as an FTP server or
web server. If you want to guarantee that people can always reach your computer to download files, you
have to force the computer to use a static, never-changing IP address. Otherwise, if the server were assigned
a dynamic IP address, it would change from time to time, which would keep your router from knowing which
computer on the network is the server.
Similarly, if you want to reach your home computer while you are travelling, or your work computer when
you are at home, setting up the computer to use a static IP address lets you reach that computer every time
without worrying that the address will change and block your access to it.
Consider a shared printer as another example of when to use a static IP address. If you have a printer that
everybody in your home or office needs to share, you would give it an IP address that will not change
regardless. That way, when each computer is set up to connect to that printer, those connections will
remain indefinitely because the address will never change.
Network Address Translation (NAT)
To access the Internet, one public IP address is needed, but we can use private IP addresses in our
private network. The idea of NAT is to allow multiple devices to access the Internet through a single
public address. To achieve this, the translation of a private IP address to a public IP address is required.
Network Address Translation (NAT) is a process in which one or more local IP addresses are translated
into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.
It also translates port numbers, i.e. it masks the port number of the host with another port number in the
packet that will be routed to the destination. It then makes the corresponding entries of IP address and port
number in the NAT table. NAT generally operates on a router or firewall.
Generally, the border router is configured for NAT, i.e. the router which has one interface in the local
(inside) network and one interface in the global (outside) network. When a packet leaves the local (inside)
network, NAT converts its local (private) IP address to a global (public) IP address. When a packet enters
the local network, the global (public) IP address is converted back to a local (private) IP address.
If NAT runs out of addresses, i.e. no address is left in the configured pool, then the packets will be
dropped and an Internet Control Message Protocol (ICMP) host unreachable packet is sent to the destination.
Suppose that in a network two hosts A and B are connected. Now both of them request the same destination,
on the same source port number, say 1000, at the same time. If NAT only translated IP addresses, then when
their packets arrived at the NAT, both of their IP addresses would be masked by the public IP address of the
network and sent to the destination. The destination would send its replies to the public IP address of the
router. Thus, on receiving a reply, it would be ambiguous to the NAT which reply belongs to which host
(because the source port numbers for both A and B are the same). Hence, to avoid such a problem, NAT masks
the source port number as well and makes an entry in the NAT table.
Inside alludes to the addresses which must be interpreted. Outside alludes to the addresses which are not in
charge of an association. These are the system Addresses in which the interpretation of the addresses will be
finished.
Inside residential location An IP address that is allocated to a host on the Inside (neighborhood) arrange. The
location is presumably not an IP address allotted by the specialist organization i.e., these are private IP address.
This is within have seen from within organize. Inside worldwide location IP address that speaks to at least
one inside neighborhood IP delivers to the outside world. This is within have as observed from the outside
system. Outside residential area This is the genuine IP address of the goal have in the nearby system after
interpretation. Outside worldwide location This is the outside host as observed structure the outside system. It
is the IP address of the outside goal have before interpretation.
Network Address Translation (NAT) Types
Static NAT: a single unregistered (private) IP address is mapped to a legally registered (public) IP address,
i.e., a one-to-one mapping between a local and a global address. This is generally used for web hosting. It is
not used inside organisations, because there are many devices that need Internet access, and to provide Internet
access a public IP address is required for each. If there are 3000 devices that need access to the Internet, the
organisation would have to buy 3000 public addresses, which would be very costly.
Dynamic NAT: an unregistered IP address is translated into a registered (public) IP address from a pool of
public IP addresses. If no IP address in the pool is free, the packet will be dropped, since only a fixed number
of private IP addresses can be translated to public addresses.
For example, if there is a pool of 2 public IP addresses, then only 2 private IP addresses can be translated at a
given time. If a third private IP address wants to access the Internet, its packet will be dropped. In this way
many private IP addresses are mapped to a pool of public IP addresses. Dynamic NAT is used when the number of
users who want to access the Internet is fixed. This is also costly, because the organisation has to buy many
global IP addresses to make up the pool.
Port Address Translation (PAT): this is also known as NAT overload. Here many (private) IP addresses can be
translated to a single registered IP address. Port numbers are used to distinguish the traffic, i.e., which
traffic belongs to which IP address. This is the most frequently used form, as it is cost-effective: thousands of
users can be connected to the Internet using only a single real global (public) IP address.
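The three behaviours above (IP-only translation, dynamic NAT with a pool, and PAT) simulated in Python. This is an added example, not code from the assignment; the addresses are RFC 5737 documentation ranges, and the hosts, ports and pool sizes are constructed.

```python
"""Simulation of the three NAT behaviours described above.
Added example, not code from the assignment: addresses are RFC 5737
documentation ranges; hosts, ports and pool sizes are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class IpOnlyOverload:
    """Translates only the IP address (the problem case in the text): hosts A
    and B using the same source port become indistinguishable on reply."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.used_ports: Dict[int, List[str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        local_ip, port = pkt.src
        self.used_ports.setdefault(port, []).append(local_ip)
        return Packet((self.public_ip, port), pkt.dst)

    def inbound_candidates(self, pkt: Packet) -> List[str]:
        """Every inside host that could own the reply; more than one means ambiguity."""
        return self.used_ports.get(pkt.dst[1], [])


class DynamicNat:
    """One public address per inside host, taken from a fixed pool."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)
        self.table: Dict[str, str] = {}  # inside local -> inside global

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        local_ip, port = pkt.src
        if local_ip not in self.table:
            if not self.pool:
                return None  # pool exhausted: packet dropped (ICMP reply not modelled)
            self.table[local_ip] = self.pool.pop(0)
        return Packet((self.table[local_ip], port), pkt.dst)


class Pat:
    """NAT overload: many inside hosts behind one public address, with the
    source port rewritten so replies can be mapped back to the right host."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_global: Dict[Endpoint, Endpoint] = {}  # inside local -> inside global
        self.to_local: Dict[Endpoint, Endpoint] = {}   # inside global -> inside local

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.to_global:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.to_global[pkt.src] = ext
            self.to_local[ext] = pkt.src
        return Packet(self.to_global[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        local = self.to_local.get(pkt.dst)
        if local is None:
            return None  # no table entry: unsolicited inbound traffic is dropped
        return Packet(pkt.src, local)


def demo() -> Dict[str, bool]:
    """Hosts A and B both talk to the same server from source port 1000."""
    server = ("198.51.100.7", 80)
    a = Packet(("192.168.1.10", 1000), server)
    b = Packet(("192.168.1.11", 1000), server)
    plain = IpOnlyOverload("203.0.113.5")
    plain.outbound(a)
    plain.outbound(b)
    reply = Packet(server, ("203.0.113.5", 1000))
    ambiguous = len(plain.inbound_candidates(reply)) > 1
    pat = Pat("203.0.113.5")
    a_out, b_out = pat.outbound(a), pat.outbound(b)
    b_reply = pat.inbound(Packet(server, b_out.src))
    nat = DynamicNat(["203.0.113.5", "203.0.113.6"])  # pool of 2, as in the text
    third = Packet(("192.168.1.12", 1000), server)
    results = [nat.outbound(p) for p in (a, b, third)]
    return {
        "ip_only_ambiguous": ambiguous,
        "pat_distinct_ports": a_out.src != b_out.src,
        "pat_reply_to_b": b_reply is not None and b_reply.dst == b.src,
        "dynamic_third_dropped": results[2] is None,
    }
```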
2.3
Maintaining full network visibility
You cannot adequately understand your network's performance if you do not have full network visibility. Your
enterprise should be able to observe all of the traffic that travels through your network, as well as monitor
every connected device and examine common performance metrics. Any network monitoring tool worth its salt will
provide comprehensive monitoring capabilities that do not leave any part of your network in the dark. That way,
there will not be performance-affecting issues hiding somewhere on your network.
While network monitoring solutions are primarily designed for performance monitoring purposes, they can also
help you discover security threats lurking in your infrastructure. Some malware and viruses are designed to
linger on a network after they have gained access without taking any action at first; others may be performing
small actions that would be invisible to the human eye. Network monitoring solutions will watch a network for
abnormal and suspicious network traffic (indicating that a security threat is draining network resources) and
alert your enterprise to the problem.
You can never guarantee 100% service uptime, even with the most powerful network monitoring solution, but such
solutions can help you prevent sudden network outages. A key capability of network monitoring solutions is
watching for network traffic that indicates the failure of a device or network is about to occur. That way, your
enterprise can pre-emptively address any unexpected downtime, allowing you to maximise service availability
wherever possible.
For most network administrators, bandwidth usage is one of the most important performance metrics to analyse.
Ideally, your enterprise wants to use as much bandwidth as reasonably possible while ensuring that every service
is running effectively. A network monitoring solution will track bandwidth usage, inform your network team when
bandwidth utilisation is reaching critical levels, and ensure that quality-of-service (QoS) protocols are running
correctly.
Network performance issues do not just represent a financial cost; the time it takes your network team to fix an
issue could be spent on other, more important tasks. As such, reducing the time between when a performance issue
occurs and when it is fixed is essential for enterprises. Network monitoring solutions alert your team to
performance issues when they find them, meaning an enterprise can get right to work addressing the issue. Many
monitoring tools also include diagnostic tools that give your team an initial assessment of the issue, so your
employees do not have to spend as much time diagnosing it.
Testing changes to a network or device
Whenever you make a change to your network or a device, you need to test it to ensure that it is performing as
you expect. Adding or reconfiguring a device can disrupt the rest of your network if it is not implemented
properly. Network monitoring tools allow you to test new or updated hardware and connections, letting you check
whether they could cause issues before they negatively impact your network.
A network monitoring solution constantly tracks performance data and displays it through visual representations
on its dashboard. Monitoring tools can also generate reports that your enterprise can review, converting them into
several printable file types. Your enterprise can choose the schedule on which the solution creates these reports:
weekly, monthly, quarterly, and so on.
Performance issues can happen at any time, even when there is nobody in the office to fix them. If an issue
occurs after business hours, your enterprise needs to know about it; network monitoring tools continuously watch
a network, meaning that they can find these issues for you. A solid network monitoring solution will not deliver
the alerts for these issues immediately, however, since those alerts could be lost by the time your team returns
to work. Ideally, the solution will delay the alert until a time determined by the network administrator.
Activity 03
3.1
Risk assessment framework
Risk management activity is carried out to address risk throughout the organisation as a comprehensive,
organisation-wide activity. Risk assessment is one of the important parts of the organisation-wide risk
management process (RMP), which is defined in NIST Special Publication 800-39, Managing Information Security
Risk: Organization, Mission, and Information System. The RMP includes four components: (a) framing risk; (b)
assessing risk; (c) responding to risk; and (d) monitoring risk. Risk assessment is one of these four
components. Risk framing is the first step in assessing risk, describing how organisations frame risks or build
risk contexts. Here the "context" describes the environment of the cloud or any other information system. It is
quite burdensome to set up a practical and highly efficient framework, since organisations must make appropriate
assumptions as well as identify the constraints.
Risk assessment is the second step after risk framing, and addresses the risk assessment issues. It consists of
two aspects: one is identifying the threats and vulnerabilities; the other is identifying the harm. The threats
include both internal and external factors. The harm means the adverse event that occurs when adversaries
exploit some vulnerability successfully. Risk is a function representing the likelihood of a threat event's
occurrence and the potential adverse impact should the event occur. In general, the risk assessment process
consists of four steps: (a) preparing for the assessment; (b) conducting the assessment; (c) communicating
assessment results; and (d) maintaining the assessment.
Based upon the result of the risk assessment, the risk response component will respond to the risk to solve
the problems and mitigate the side effects as quickly as possible. Organisations will carry out risk responses
according to their strategies and controls. However, risk cannot be eliminated completely and may change over
time. The two ways that organisations monitor risk over time and assess the risk on an ongoing basis are the two
key components of risk monitoring. The objective of monitoring is to ensure that risk response measures are put
into use. Consistent monitoring can identify configuration-related changes to the cloud and the environments of
operation. After that, whether the risk response measures are robust or not can be determined. Through this
method, the risk can be maintained at a relatively low level throughout.
Component    Purpose
Monitoring   To certify that risk response measures are put into practice effectively.
3.2
Why Data Protection is Necessary for Sri Lanka
Data protection is becoming increasingly relevant to Sri Lanka, with the rapid rise in digitalisation and
digital connectivity. By mid-2017, Sri Lanka had more active mobile phone subscriptions than people, with 124
subscriptions per 100 people. As of 2017, over 75% of the 6.2 million internet users in Sri Lanka were estimated
to access the internet through mobile phones. This continued rise in digitalisation generates more and more data
and heightens the need for data protection and privacy laws.
Within Sri Lanka, there is also an increasing reliance on digital and cloud services, which collect data. For
example, transportation applications such as Uber and PickMe both collect data for offline analysis. There is
also increased use of social media platforms and cloud communication platforms for email and calendar management
(for example Google Mail and Calendar). These systems, being the primary means of communication, collect a great
deal of data daily and then target advertisements based on the collected data.
Moreover, the use of Virtual Private Networks (VPNs) also raises privacy concerns. In certain cases,
applications offering this service for free sell consumer web activity data to advertising-targeting agencies.
Given that VPNs can capture all data being transmitted or received by a device, the information captured can be
very detailed (for example unencrypted messaging services, location, contact information, application usage)
and can easily be personally identifiable.
As Sri Lanka is set to enable 5G transmission in 2020, the need for comprehensive privacy legislation is
heightened. A lot of data sent over current mobile networks is not encrypted or, if it is, uses outdated and
easily bypassable encryption methods, and is therefore vulnerable to interception.
The need for cybersecurity and data protection becomes more critical with the onset of e-government services in
Sri Lanka. The risk of fraud and identity theft increases, along with the risk of cyberattacks.
Meanwhile, Sri Lanka's e-commerce industry is projected to reach USD 400 million by 2020. As businesses venture
onto digital platforms, it is vital for adequate privacy laws to be in force to secure data as well as to improve
business and consumer confidence.
Similarly, information and communication technology (ICT) related services, including software, have become one
of the key service sector exports of Sri Lanka. These service exports include automated application testing,
infrastructure outsourcing, high-end research and development (R&D), enterprise resource planning (ERP), cloud
technology and mobile applications. While some of the exports will be subject to compliance with foreign privacy
legislation, for example the General Data Protection Regulation (GDPR), national data protection will further
reduce the risk of loss of IP.
Current Data Privacy Legislation in Sri Lanka
Although there is legislation around electronic transactions, consumer protection and cybercrimes, no specific
laws are currently in place for privacy and data protection in Sri Lanka. According to the mapping of data
protection and privacy conducted by the United Nations Conference on Trade and Development (UNCTAD) in 2019, out
of 107 countries mapped, 21% have no legislation around privacy and data protection, including Sri Lanka.
Nevertheless, a Data Protection Bill for Sri Lanka was recently launched, with an expert committee set up by the
Ministry of Digital Infrastructure and Information Technology. The legislation is to be implemented in three
phases, with the whole bill coming into operation within a period of 3 years. This bill has been drafted with the
aim of covering the basic principles of privacy and data protection, modelled after legislation put in place by
comparable countries.
The amendment to the Electronic Transactions Act in 2017 harmonises Sri Lanka's electronic transaction
legislation with the UN Electronic Communications Convention (ECC), the global standard for e-commerce
legislation. Although the current Electronic Transactions Act and the Computer Crimes Act facilitate
e-commerce, they do not provide adequate privacy and data protection.
Potential Concerns
One key concern is that privacy regulation may unduly restrict business activities by increasing the
administrative burden on businesses to comply with various stringent data regulation policies. This is a concern
especially for small and medium enterprise (SME) businesses, and may even act as a barrier to trade and limit
innovation.
The lack of international compatibility in privacy regulation creates many issues and restricts international
trade and investment. Highly fragmented, diverging global, regional and national regulatory approaches make
adoption cumbersome for most parties and place a significant cost burden on them. Data protection laws could act
as a barrier for developing countries to trade internationally.
The World Trade Organization's (WTO) General Agreement on Trade and Services (GATS) permits cross-border
restrictions that enable "the protection of the privacy of individuals in relation to the processing and
dissemination of personal data and the protection of confidentiality of individual records and accounts".
However, the agreement specifies that "such measures are not applied in a manner which would constitute a means
of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised
restriction on trade in services".
Another issue is the balance between surveillance for national security purposes and privacy. The rise of mass
surveillance also presents significant risks to data privacy. Currently, many governments collect communication
and internet data for analysis, to identify threats to national security. Although these programmes balance
privacy needs against security concerns, reservations about them arise from the large amount of personally
identifiable data that is collected (often most internet data within a country). Although this data is mostly
screened in aggregate and in an algorithmic manner, there are concerns about data leakage from such screening
programmes.
Way Forward
At present, there is no consensus on a single model for data privacy laws. However, compatibility is the stated
objective of many global and regional data protection initiatives. Sri Lanka's data protection laws should be
drafted to be internationally accepted, to facilitate the smooth cross-border transfer of data. For countries
without relevant laws in place, UNCTAD recommends that governments should focus on greater coverage in data
protection, where gaps in coverage need to be addressed while striking a balance between surveillance and
privacy.
Data privacy laws need to keep up with new advances in technology to be effective. Gaps in coverage should be
addressed, while striking a balance between surveillance and privacy. Also, while there are lost business
opportunities due to the lack of domestic legal protection, overly restrictive protection could act as a barrier
to trade. The compliance burden on businesses should be managed, with support given to businesses to overcome
barriers to adoption.
Data Laws and Procedures
'consent' means any freely given, specific, informed and unambiguous indication of an individual's wishes by
which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to that individual;
'data controller' means a person or organisation which, alone or jointly with others, determines the purposes
and means of the processing of personal data;
'data processor' means a person or organisation which processes personal data on behalf of the data
controller;
'personal data' means any information relating to an individual who can be identified, for example by a name,
an identification number, location data, an online identifier, or by one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data;
'processing' means any operation or set of operations performed on personal data, such as collection,
recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction;
'profiling' means any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects
concerning that natural person's performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements;
'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer
be attributed to an individual without the use of additional information, provided that such additional
information is kept separately and is subject to technical and organisational measures to ensure that the
personal data are not attributed to an identified or identifiable individual;
'sensitive personal data' means personal data revealing racial or ethnic origin, political opinions, religious
or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data
concerning health, an individual's sex life or sexual orientation, and an individual's criminal convictions.
For the purposes of this policy we use the term 'personal data' to include 'sensitive personal data' except
where we need to refer to sensitive personal data specifically.
'supervisory authority' means an independent public authority which is responsible for monitoring the
application of data protection. In the UK the supervisory authority is the Information Commissioner's Office (ICO).
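The 'pseudonymisation' and 'personal data' definitions above worked through in Python, as an added example that is not part of the assignment: direct identifiers are replaced by keyed tokens, and the token lookup is the "additional information" the definition says must be kept separately. The field names, the sample record and the key are constructed.

```python
"""Pseudonymisation as defined above: direct identifiers are replaced by keyed
tokens, and the token-to-value lookup is the 'additional information' that must
be held separately under its own controls. Added example, not code from the
assignment; field names, the record and the key are constructed."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple

# Fields that on their own identify a person (see 'personal data' above).
DIRECT_IDENTIFIERS = ("name", "email", "national_id")
# Categories from the 'sensitive personal data' definition; their presence is
# recorded so the pseudonymised copy still receives the stricter handling.
SENSITIVE_FIELDS = ("health", "ethnicity", "religion", "union_membership", "biometric")


def make_token(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated). Equal values map to
    equal tokens, so records stay linkable for analysis, but without the key a
    token cannot be reversed or rebuilt by hashing guessed values."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict[str, Any], key: bytes) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return (pseudonymised record, lookup). The lookup and the key are the
    additional information to be stored apart from the pseudonymised data."""
    pseudo = dict(record)
    lookup: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in pseudo:
            token = make_token(key, field, str(pseudo[field]))
            lookup[token] = str(pseudo[field])
            pseudo[field] = token
    pseudo["contains_sensitive_data"] = any(f in record for f in SENSITIVE_FIELDS)
    return pseudo, lookup


def reidentify(pseudo: Dict[str, Any], lookup: Dict[str, str]) -> Dict[str, Any]:
    """Restore the original record; only possible with the separately held lookup."""
    restored = dict(pseudo)
    restored.pop("contains_sensitive_data", None)
    for field in DIRECT_IDENTIFIERS:
        if field in restored:
            restored[field] = lookup[restored[field]]  # KeyError without the lookup
    return restored


# Constructed sample record; the identifiers are placeholders, not a real person.
SAMPLE_RECORD = {
    "name": "A. Perera",
    "email": "a.perera@example.com",
    "national_id": "PLACEHOLDER-ID",
    "city": "Colombo",
    "health": "asthma",
}


def demo(key: Optional[bytes] = None) -> Dict[str, Any]:
    """Pseudonymise the sample, show what an analyst copy contains, and check
    that the original is recoverable only with the lookup."""
    key = key or secrets.token_bytes(32)  # in practice: held in a separate key store
    pseudo, lookup = pseudonymise(SAMPLE_RECORD, key)
    return {
        "analyst_copy": pseudo,
        "identifiers_removed": all(SAMPLE_RECORD[f] not in pseudo.values() for f in DIRECT_IDENTIFIERS),
        "round_trip_ok": reidentify(pseudo, lookup) == SAMPLE_RECORD,
        "lookup_entries": len(lookup),
    }
```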
3.3
An IT Security Policy identifies the rules and procedures for all individuals accessing and using an
organisation's IT assets and resources.
An effective Information Technology (IT) Security Policy is a model of the organisation's culture, in which rules
and procedures are driven by its employees' approach to their information and work. Therefore, an effective IT
security policy is a unique document for each organisation, cultivated from its people's perspectives on risk
tolerance, how they see and value their information, and the resulting availability that they maintain for that
information. For this reason, many companies will find a boilerplate IT security policy inappropriate, because it
does not consider how the organisation's people actually use and share information among themselves and with the
public.
The objectives of an IT security policy are the preservation of confidentiality, integrity and availability of
the systems and information used by an organisation's members. These three principles make up the CIA triad:
Integrity ensures that the modification of assets is handled in a specified and authorised manner.
Availability is a state of the system in which authorised users have continuous access to those assets.
The IT Security Policy is a living document that is continually updated to adapt to evolving business and IT
requirements. Institutions such as the International Organization for Standardization (ISO) and the U.S.
National Institute of Standards and Technology (NIST) have published standards and best practices for security
policy formation. As stipulated by the National Research Council (NRC), the specifications of any company policy
should address:
1. Objectives
2. Scope
3. Specific goals
Also mandatory for every IT security policy are sections dedicated to adherence to the regulations that govern
the organisation's industry. Common examples include the PCI Data Security Standard and the Basel Accords
worldwide, or the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Health Insurance Portability
and Accountability Act, and the Financial Industry Regulatory Authority in the United States. Many of these
regulatory bodies themselves require a written IT security policy.
An organisation's security policy will play a large role in its decisions and direction, but it should not alter
its strategy or mission. Therefore, it is important to write a policy that is drawn from the organisation's
existing cultural and structural framework, to support continued productivity and innovation, and not a generic
policy that impedes the organisation and its people from meeting its mission and goals.
Activity 04
4.1
There are two parts to any security policy. One deals with preventing external threats to maintain the integrity
of the network. The second deals with reducing internal risks by defining appropriate use of network resources.
Addressing external threats is technology-oriented. While there are plenty of technologies available to reduce
external network threats - firewalls, antivirus software, intrusion detection systems, email filters and others -
these resources are generally implemented by IT staff and are invisible to the user.
However, appropriate use of the network within an organisation is a management issue. Implementing an acceptable
use policy (AUP), which by definition governs employee behaviour, requires tact and diplomacy.
At the very least, having such a policy can protect you and your organisation from liability if you can show that
any inappropriate activities were undertaken in violation of that policy. More likely, however, a coherent and
well-defined policy will reduce bandwidth usage, increase staff productivity and reduce the possibility of any
legal issues in the future. These 10 points, while certainly not comprehensive, provide a common-sense approach
to developing and implementing an AUP that will be fair, clear and enforceable.
What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or
receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? It may be
a non-issue. Or it could be costing you thousands of dollars every month in lost employee productivity or
computer downtime.
A good way to identify your risks is by using monitoring or reporting tools. Many vendors of firewalls and
Internet security products allow evaluation periods for their products. If those products provide reporting
information, it can be useful to use these evaluation periods to assess your risks. However, it is important to
ensure that your employees know that you will record their activity for the purposes of risk assessment, if this
is something you choose to do. Many employees may see this as an invasion of their privacy if it is attempted
without their knowledge.
There are many kinds of security policies, so it is important to see what other organisations like yours are
doing. You can spend a couple of hours browsing online, or you can buy a book such as Information Security
Policies Made Easy by Charles Cresson Wood, which has more than 1,200 policies ready to customise. Also, talk to
the salespeople from various security software vendors. They are always happy to give out information.
3. Ensure the policy conforms to legal requirements
Depending on your data holdings, jurisdiction and location, you may be required to conform to certain minimum
standards to ensure the privacy and integrity of your data, especially if your organisation holds personal
information. Having a suitable security policy documented and in place is one way of mitigating any liabilities
you may incur in the event of a security breach.
Do not be overzealous. Too much security can be as bad as too little. You may find that, apart from keeping the
bad guys out, you do not have any issues with appropriate use because you have a mature, dedicated staff. In such
cases, a written code of conduct is the most important thing. Excessive security can be a hindrance to smooth
business operations, so make sure you do not overprotect yourself.
Nobody wants a policy dictated from above. Involve staff in the process of defining appropriate use. Keep staff
informed as the rules are developed and the tools are implemented. If people understand the need for a
responsible security policy, they will be much more inclined to comply.
Staff training is often overlooked or undervalued as part of the AUP implementation process. In practice,
however, it is probably one of the most useful stages. It not only helps you to inform employees and help them
understand the policies, but also allows you to discuss the practical, real-world implications of the policy. End
users will often ask questions or offer examples in a training session, and this can be rewarding. These
questions can help you to define the policy in more detail and adjust it to be more useful.
Make sure every member of your staff has read, signed and understood the policy. Every new hire should sign the
policy when they are brought on board and should be required to reread and reconfirm their understanding of the
policy at least annually. For large organisations, use automated tools to help distribute the documents
electronically and track signatures. Some tools even provide quiz mechanisms to test users' knowledge of the
policy.
Network security is a serious matter. Your security policy is not a set of voluntary guidelines but a condition
of employment. Have a clear set of procedures in place that spell out the penalties for breaches of the security
policy. Then enforce them. A security policy with haphazard compliance is almost as bad as no policy at all.
9. Update your staff
A security policy is a dynamic document, because the network itself is constantly evolving. People come and go.
Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard
enough, but keeping staff members aware of any changes that might affect their day-to-day operations is even more
difficult. Open communication is the key to success.
Having a policy is one thing; enforcing it is another. Web and email content security products with customisable
rule sets can ensure that your policy, no matter how complex, is adhered to. The investment in tools to enforce
your security policy is probably one of the most cost-effective purchases you will ever make.
4.2
Conclusion
Especially at this moment I would like to thank Esoft Metro Campus for giving us such a great future path for the
students. At Esoft Metro Campus there are modern technologies, and graduate lecturers give their full support for
our career growth.
During my practicum experience, I have had the opportunity to observe teachers utilizing many different
forms of assessment in their classrooms. I have noticed teachers using informal assessment techniques such
as asking questions; and I have observed teachers using a varied assortment of formal techniques such as
written tests, class presentations, and Indoor Assessments. I have been fortunate to be able to try out some
of these forms of assessment during my lessons. By utilizing and reflecting on different types of assessment,
I am developing a repertoire of effective assessment techniques that I can use when student teaching.
Because I am in a primary grade for practicum, I notice my cooperating teacher using a lot of informal
assessment techniques. For example, while reading a story aloud to the group, she may stop and ask if some
students would like to retell, offer a prediction, or make an inference. By stopping at certain points in the
book and asking open ended questions, she is informally assessing the students’ understanding of the story
and their use of reading strategies. Another type of informal assessment involves the teacher simply watching
the students’ current performance on a task. I noticed my cooperating teacher walking around to each student
while he or she was working on an activity, and visually observing the progress made by each. By walking
around the classroom, and monitoring each child’s progress on the task, the teacher can take note of the
child’s current understanding, and any areas in which the child may need more explanation or assistance.
In my future classroom, assessment will take many forms, formative and summative, informal and formal.
The process of learning, to me, is just as important as the product. Because of my belief, I will assess using
more process-oriented forms of assessment such as writing portfolios and journals to show development over
time. Most importantly, however, I will use assessment to inform my instruction. Not only am I assessing
how well the student is performing a task, but I am also assessing the effectiveness of my teaching strategies.
In conclusion, assessments can range from simply asking questions during a lesson to class presentations after a
unit of study, and gave us some of the best projects to do during class time. Assessment is not only a way we can
measure student performance, but it is also a way for teachers to plan instruction and reflect on their own
methods of teaching. I plan to use assessments in my classroom that show progress over time, as well as
assessments that allow the student to display what they have learned at the conclusion of the lesson. Assessment
is a way for students and teachers to evaluate their learning.