
Seinio Tweulongelwa Ndeiluka - 2126922


Faculty of Engineering and Technology

STUDENT NAME: Seinio Tweulongelwa Ndeiluka

STUDENT NUMBER: 2126922

STUDY PROGRAMME: Bachelor of Science (Honours) in Network Security and Computer Forensics

LECTURER'S NAME: Mukai Turugari

Module Name: Fundamentals of Network Security

Module Code: C6-FNS-13

DUE DATE: 8th November 2023

ASSIGNMENT: End Assessment

Answer the following questions:


Student No. 2126922

Question 1: Knowledge and Understanding

1. Overview

I have recently been employed as a security consultant for Ozone Insurance Company,
whereby I am tasked to develop a security policy, explain the core components and
objectives of a network security policy, and specify security measures I will include in
its policy.

2. What is security policy?

Robert Grimmick (2023) explains that a security policy (also called an information
security policy or IT security policy) is a document that spells out the rules,
expectations, and overall approach that an organization uses to maintain the
confidentiality, integrity, and availability of its data. Security policies exist at many
different levels, from high-level constructs that describe an enterprise’s general
security goals and principles to documents addressing specific issues, such as remote
access or Wi-Fi use.

In my opinion, a security policy is often used as a combination of the policy documents in the organization, ranging from standard operating procedures, branding, marketing, and logistics to physically defending the organization and its assets. These documents work together to help the company achieve its security goals.

3. Network security policy

A network security policy delineates guidelines for computer network access, determines policy enforcement, lays out the architecture of the organization's network security environment, and defines how the security policies are implemented throughout the network architecture. Network security policies describe an organization's security controls. They aim to keep malicious users out while also mitigating risky users within your organization (AlgoSec, 2022).

4. Importance of IT Network security policies


Most organizations not only understand the importance and benefits of IT network security policies, but they also draft, write, and promote them. The aim is to regulate and formalize the drafted policies as a vital requirement that shapes the organization. Ozone Insurance Company is no different from other organizations; it needs to know why IT security policies are important, for the following reasons:

• To outline rules for user behavior, including that of IT personnel, who are key players in drafting IT network security policies.
• To identify consequences for not adhering to IT network security policies.
• To ensure compliance with regulations in the organization, in which IT network security policies play a crucial role.
• To define risks within the organization.
• To provide guidelines on how to reduce these risks.
• To develop the foundation of the security program in an organization.
• To develop awareness of IT network security and threats.

5. Types of IT Network security policies.

I. Access control policies

• To specify who, what, when, where, and how users and devices can access network resources and services. Examples: access cards, biometrics, face recognition, and fingerprints to access the Ozone Insurance Data Centre.

II. Encryption policies

• To define how the organization encrypts and decrypts its network data and communications. Example: a VPN tunnel for employees to access the office network while away from the office.

III. Backup and recovery policies

• To define how the organization backs up and restores its network data and systems in case of a disaster, outage, or incident.

IV. Incident response policies

• To define how the organization responds to and manages network security incidents.

V. Acceptable use policies

• To define how the organization expects its users and devices to use the network resources and services responsibly and ethically.

VI. Security awareness and training policies

• To define how the organization educates and trains its users and staff on network security best practices and policies.

6. Core components and objectives of network security.

It's easy to protect some data that is valuable to you only. You could store your pictures or ideas or notes on an encrypted thumb drive, locked away in a spot where only you have the key, but companies and organizations have to deal with this on a vast scale. After all, it's the company data (products, customer and employee details, ideas, research, and experiments) that makes your company useful and valuable. The "assets" we normally think of, like hardware and software, are simply the tools that allow you to work with and save your company data (Chrissy Kidd, 2020).

The core components and objectives of network security are defined by the CIA
Security Triad:

Fig 1

Confidentiality: A system's ability to ensure that only the correct, authorized user/system/resource can view, access, change, or otherwise use data.

Integrity: A system's ability to ensure that the system and information are accurate and correct.

Availability: A system's ability to ensure that systems, information, and services are available the vast majority of the time.

In a world that is evolving together with the Internet of Things (IoT), increasingly complex network security is the new normal. Network architecture is constantly under threat from unauthorized users, who are also evolving and continuously finding ways to identify and exploit vulnerabilities in network security. The CIA Security Triad alone is therefore no longer enough; the table below lists some other components that Ozone Insurance Company should include in its network security.

| Network security components | Objectives |
|---|---|
| Access control | To protect against unauthorized access and control of network devices and systems |
| Encryption | To ensure that data are unreadable to unauthorized users |
| Physical security | To protect and prevent unauthorized users' access to electronic information assets and physical venues |
| Authentication | To keep the networks secure by permitting only authenticated users |
| Data integrity preservation | To educate, raise awareness, provide governance, and build the trust of the users |
| Malware invasion | To prevent data breaches, malware attacks, and other cyber threats |

7. IT Security measures
An effective policy sets clear standards from which expectations can be drawn for the IT network security team. Reports required by policies should adhere to and comply with the policy as agreed; this will enable the IT network security team to measure its success in meeting the goals of the policies.

Employees always strive willingly to succeed; falling short can therefore also be used to justify increases in resources when a justification is needed. For example, if the reports required by the SAP or Windows patch management policy show that the patch is critical and that updates take longer than anticipated, then management can consider adding more resources or outsourcing some functions.

Question 2: Application and Analysis

1. Security Breach and Risk Analysis


a) Security breach
According to AO Kaspersky Lab (2023), a security breach is any incident that
results in unauthorized access to computer data, applications, networks, or
devices. It results in information being accessed without authorization.
Typically, it occurs when an intruder can bypass security mechanisms.

Security breaches vary by scenario, depending on how the illegal exploiter gains access to and passes through what was guarded, whether it is a building, server room, application, device, or data storage.

2. Types of security breaches

• Exploit attacks on a system vulnerability. For example, legacy systems with old and outdated software.
• Weak passwords cracked or guessed. For example, the administrator did not set or enforce a standard on how to create or renew a password, with pre-defined available password creation standards.
• Malware attacks: a phishing email is used to gain entry into the organization's domain. For example, the organization fails to educate or raise awareness among employees on identifying phishing emails and their danger.
• Drive-by downloads use viruses or malware to enter the organization's systems through a compromised or spoofed website. For example, if users insert into the organization's computer a memory stick infected with ransomware from the home network after browsing unsecured sites, then all domain files are locked.
• Social engineering: through smooth talk with employees, the exploiter mines crucial information and uses it to gain access to an organization's billing system.

b) Risk analysis
The term risk analysis refers to the assessment process that identifies the potential for any adverse events that may negatively affect organizations and the environment (Adam Hayes, 2023).

3. Step by Step to Perform a Risk Analysis

Step one: Identify Risks

List all potential risks you may encounter, from internal threats and from external threats by outside forces. Analyze and evaluate them based on the likelihood of success or the projected impact the benefits might have. Involve many departments within the company; you may also benchmark against companies that had similar risks before.

Step two: Identify Uncertainty

Identify troublesome areas in the company and analyze the current state of the organization to better understand needs or gaps that are already known.

Example: trojan malware is detected on a computer in the finance department, which is placed in a special zone of the network that isolates finance from the rest of the network, but the network administrator may not know how many computers were affected. The IT department may suggest removing the Finance subnet from the network and dealing with it in isolation to determine the spread of the virus throughout the network.

Step three: Estimate the Impact

A business may see a potential risk looming and want to know how the
situation may impact the business.

Example: the IT department has assessed that there is only a 1% chance that the trojan malware has spread to other departments, because the Finance department has been in a special network zone all along. If it happens, it will only cost the company N$ 2 million.

Step four: Root Cause Analysis

A root cause analysis is performed because something is happening that shouldn't be, and it is now known and needs to be analyzed.

Step five: Implement Solutions

Decide business needs based on the information gathered in previous steps, then develop workaround procedures for the business in the event of disruption.

Question 3: Synthesis and Evaluation

3.1. Introduction

What is security architecture?

Security architecture is the design of the systems, processes, and policies that protect an organization's data, assets, and users from cyber threats. It can be centralized or decentralized, depending on how the security functions are distributed and coordinated across the network (Security Architecture Design, 2023).

• Centralized security architecture

Centralized security architecture means that a single security team acts as the authority and handles all the security decisions, controls, and monitoring.

• Decentralized security architecture

Decentralized security architecture means that multiple security departments handle the security decisions, controls, and monitoring within their own environment, and they don't propagate them to a higher level.

In this questionnaire, I will compare and contrast, and list the advantages and disadvantages of, centralized and decentralized security organization approaches, and how to choose the best one for your security goals, resources, and context.

• Compare and contrast

| Centralized security organizations | Decentralized security organizations |
|---|---|
| Simplify the management | Increase the resilience |
| Enforcement auditing of security policies | Increase performance |
| Reduce the complexity | Adaptability of the network due to regionalism |
| Reduce the cost of security infrastructure | Empower the local entities to make security decisions based on their context and needs |

Advantages and disadvantages of centralized security organizations

| Advantages | Disadvantages |
|---|---|
| Efficient communication channel | Bureaucratic command |
| Clear vision | Remote controlled |
| Economical | Workplace delays |
| Decision-making is simple | Employee dissatisfaction |
| Increases productivity | |

Advantages and disadvantages of decentralized security organizations

| Advantages | Disadvantages |
|---|---|
| Quick decision and response time | Problem coordinating |
| Better ability to expand the organization | Increased expenditure |
| On-demand training | Incongruity in operations |
| Appraisals | Self-centeredness |
| Better utilization of management | Reliance on hierarchy |

Most of the time, centralized security organizations become a bottleneck over time. They lose the connection to what's happening, and people get tired of absent services. As time goes on, the inconsistencies create so much chaos and dissatisfaction in organizational leadership that the cycle of starting over begins again. On the other hand, the main issue with decentralized security organizations is inconsistency, which creates dislike between scattered security teams. There is no single correct answer when choosing the security architecture for the organization; rather, the security architecture should be aligned with the organization's business objectives and requirements in order to improve it.

Question 4: Application and Analysis

Network Security Architecture: Ozone Insurance Company

4. Reference

• Blog/Data Security [Internet]. What is a Security Policy? Definition, Elements, and Examples: Robert Grimmick [last updated April 6, 2023]. Available from: https://www.varonis.com/blog/what-is-a-security-policy
• AlgoSec Inc [Internet]. Network security policy examples & procedures: AlgoSec [updated June 6, 2022]. Available from: https://www.algosec.com/resources/security-policy/
• BMC Blogs [Internet]. What Is the CIA Security Triad? Confidentiality, Integrity, Availability Explained: Chrissy Kidd [updated November 24, 2020]. Available from: https://www.bmc.com/blogs/cia-security-triad/June
• My Kaspersky [Internet]. What is a security breach?: AO Kaspersky Lab [January 2023]. Available from: https://www.kaspersky.com/resource-center/threats/what-is-a-security-breach
• Investopedia [Internet]. Risk Analysis: Definition, Types, Limitations, and Examples: Adam Hayes [updated January 05, 2023]. Available from: https://www.investopedia.com/terms/r/risk-analysis.asp
• All Security Architecture Design [Internet]. How do you choose between centralized and decentralized security architecture?: Security Architecture Design [published Aug 16, 2023]. Available from: https://www.linkedin.com/advice/0/how-do-you-choose-between-centralized#:~:text=Choosing%20between%20centralized%20and%20decentralized,the%20organizational%20culture%20and%20governance.
