
Details of Assessment
Term and Year: Term XX 20XX
Time allowed: NA
Assessment No: 1
Assessment Weighting: 60%
Assessment Type: Written Response
Due Date: Week No. XX
Room: XX
Details of Subject
Qualification: ICT50115 Diploma of Information Technology
Subject Name: System Security
Details of Unit(s) of competency
Unit Code(s) and Names: ICTNWK520 Design ICT system security controls
Details of Student
Student Name:
College:
Student ID:
Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.
Student’s Signature: ____________________ Date: _____/_____/_________
Details of Assessor
Assessor’s Name: Gitam Lama
Assessment Outcome
Assessment Result: Competent / Not Yet Competent
Marks: /60
Feedback to Student (progressive feedback to students, identifying gaps in competency and comments on positive improvements):
Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student. Student attended / did not attend the feedback session.
Assessor’s Signature: ___________________ Date: _____/_____/________
Purpose of the assessment
The purpose of this assessment is to assess the student in the following outcomes, each recorded as Competent (C) or Not yet Competent (NYC):
Performance Criteria: ICTNWK520 Design ICT system security controls
1. Review organisational security policy and procedures
1.1 Review business environment to identify existing requirements
1.2 Determine organisational goals for legal and security requirements
1.3 Verify security needs in a policy document
1.4 Determine legislative impact on business domain
1.5 Gather and document objective evidence on current security threats
1.6 Identify options for using internal and external expertise
1.7 Establish and document a standard methodology for performing security tests
2. Develop security plan
2.1 Investigate theoretical attacks and threats on the business
2.2 Evaluate risks and threats associated with the investigation
2.3 Prioritise assessment results and write security policy
2.4 Document information related to attacks, threats, risks and controls in a security plan
2.5 Review the security strategy with security approved key stakeholders
2.6 Integrate approved changes into business plan and ensure compliance with statutory requirements
Assessment/evidence gathering conditions
Each assessment component is recorded as either Competent (C) or Not Yet Competent (NYC). A student can only achieve competence when all assessment components listed under “Purpose of the assessment” section are recorded as competent. Your trainer will give you feedback after the completion of each assessment. A student who is assessed as NYC (Not Yet Competent) is eligible for re-assessment.
Resources required for this assessment
Computer with relevant software applications and access to internet
Weekly eLearning notes relevant to the tasks/questions
Instructions for Students
Please read the following instructions carefully.
This assessment must be completed: In class / At home
The assessment is to be completed according to the instructions given by your assessor.
Feedback on each task will be provided to enable you to determine how your work could be improved. You will be provided with feedback on your work within two weeks of the assessment due date. All other feedback will be provided by the end of the term.
Should you not answer the questions correctly, you will be given feedback on the results and your gaps in knowledge. You will be given another opportunity to demonstrate your knowledge and skills to be deemed competent for this unit of competency.
If you are not sure about any aspect of this assessment, please ask for clarification from your assessor. Please refer to the College re-assessment procedure (Student handbook) for more information.
Project task
Your task is to prepare a comprehensive report for Devon Accounting, covering everything from reviewing the current security policies to preparing a detailed security plan and recommending the actions and measures to be taken.
Task 1: Review organisational security policies and procedures
Determining the critical business requirements of the network is the first step in developing the security and controls design of the Devon Accounting network, as it means understanding what the network needs to achieve. Careful consideration in the early stages will reap rewards later in the design by identifying and addressing problems early.
To begin reviewing organisational security policies and procedures of the Devon Accounting network, you will need to:
Identify security requirements for Devon Accounting by reviewing the business requirements
Identify current security threats for Devon Accounting
Recommend a solution to the threats identified
Determine the need for the update in security policy for Devon Accounting. The updated policy must meet the obligations under the Privacy Act and Australian Privacy Principles.
List the job description for the IT security personnel
Recommend a methodology for performing security tests to these solutions
Task 2: Develop security plan
To begin developing a security plan for Devon Accounting, you will need to:
Investigate and identify possible attacks and threats on the business
Evaluate risks and threats associated with the investigation (threat assessment matrix)
Recommend the security controls to be implemented. Update security policy and document the changes made. The security policy must follow the legal and ethical standards and must meet the obligations under the Privacy Act and Australian Privacy Principles. References for legislation and regulation could be considered from:
Australian Privacy Principles (‘APPs’).
APP 11 and Information Technology Act 2014
Commonwealth Copyright Act 1968
Commonwealth Fair Work Act 2009
Information Privacy Act 2000
Information Technology – Code of practice for information security management
ACS Code of Ethics

Recommend a solution to the security threats identified and prepare a security plan
Investigate and review security strategy with security-approved key stakeholders (Auscert)
Document the changes made
Your supervisor will provide assistance and feedback throughout the various stages of this report.
Table of Contents
1. Introduction
2. Security Requirements
3. Current Security Threats
4. Risk and Threat Assessment
5. Solution to the Threats
6. Security Policy Updates
7. Security Testing Methodology
8. Future attacks and threats on the business
9. Future Risk and Threat Assessment
10. Security Plan – Solution to the future threats
11. Security Policy Updates with Legal and Ethical Standards
a. Updated Policy
b. Legal and Ethical Standards
c. Commonwealth Copyright Act 1968
d. Australian Privacy Principles
e. ACS Code of Ethics and Others
12. Review Security Plan (approved key stakeholders)
13. Change (Security Plan upon Review)
14. Conclusion
15. References
Marking Scale

No. | Topic                                                    | Marks allocated
1   | Security requirements                                    | /4
2   | Current security threats                                 | /4
3   | Risk and threat assessment                               | /4
4   | Solution to the threats                                  | /4
5   | Security policy updates                                  | /4
6   | Security tests methodologies                             | /4
7   | Future attacks and threats on the business               | /7
8   | Future risk and threat assessment                        | /7
9   | Security Plan – Solution to the future threats           | /7
10  | Security policy updates with legal and ethical standards | /7
11  | Review Security plan (approved key stakeholders)         | /4
12  | Change (Security plan upon review)                       | /4
    | TOTAL                                                    | /60
1. Introduction
This comprehensive report is prepared for Devon Accounting as part of the responsibilities of an IT security consultant. There are two main focuses that will be addressed in this report.
To begin with, the organisational security policies and procedures will be reviewed to determine the critical business requirements of the expanding network, including both the wireless and wired networks in Devon Accounting. To be more specific, the security requirements and current security threats are identified by reviewing business requirements, followed by a recommended solution to resolve the potential threats identified. Also, the security policy will be updated to ensure all security measures are up to date and meet all the requirements under the Australian Privacy Act and Australian Privacy Principles. Moreover, a detailed methodology to perform security tests based on the solution proposed will be prepared and listed in this report.
The second focus of this report is the security plan developed. The possible attacks and threats on the network are investigated and identified. These risks and threats are evaluated using the threat assessment matrix, listing the possible effects of damage on financial loss, productivity loss, and customer confidence loss. Then, appropriate security controls are recommended to be implemented, including but not limited to updating the security policies and relevant documents, strictly following the legal and ethical standards for Australian business. Ultimately, the new security strategies are reviewed with security-approved key stakeholders of Devon Accounting. All the changes made are properly documented for future reference and used as a guideline to keep IT security up to date.
2. Security Requirements
Identifying the security requirements for Devon Accounting plays an important role as part of the methodology to review the organisation’s security policies and business requirements. These security requirements cover six important areas, namely confidentiality, integrity, authentication, non-repudiation, availability, and access control.
Confidentiality
Confidentiality is essential to keep the private information of clients and staff safe without violating the Australian Privacy Act. To be more specific, Devon Accounting holds a large amount of sensitive information and records of its clients, and this information must be kept securely to maintain its confidentiality.
Based on Devon Accounting’s business requirements, there are a few important security requirements to be followed so confidentiality can be maintained and monitored:
Private and sensitive documents such as photocopies of ID, salary slips, and tax return documentation need to be stored securely, password protected and accessible only by relevant employees.
Since Devon Accounting practises ‘Bring Your Own Device’ (BYOD) policies, where employees can use their personal devices for business purposes, stricter security policies must be enforced to ensure confidentiality. For example, employees are restricted from storing clients’ personal information on their mobile phones and laptops by limiting access to those documents to the company’s local network only. Therefore, they have no way to access clients’ files when they are not connected to the company’s network.
All laptops and computers will log out automatically after a period of inactivity. This is important to prevent unauthorised access to data stored on others’ devices. The bottom line of this security requirement is that all employees are accountable for ensuring they are the only ones to use their devices and for locking them whenever they are away.
Integrity
In order to ensure the sensitive data is protected and trustworthy, integrity plays an important role in ensuring the security requirements for Devon Accounting are delivered successfully. For example, all documents of Devon Accounting, especially sensitive documents, should not be amended in transit and, most importantly, security measures such as user access controls and file permissions must be configured to ensure the sensitive information cannot be modified without authorisation. Moreover, in order to prevent unintentional document changes, version control should be practised in Devon Accounting, especially when staff deal with new internal policies.
In addition, events not caused by humans, such as server crashes and blackouts, should be taken into consideration when maintaining the integrity of the security requirements. For example, if backups and redundancy plans had been planned and implemented to restore data whenever accidents happen, Devon Accounting would not have suffered productivity loss during the recent blackout due to a storm, when the whole system went offline.
Availability
Availability is the assurance of consistent access to the sensitive data by authorised individuals. This can be assured by maintaining and updating all hardware and software regularly. According to an article written by Bashay (2018), a speedy and adaptive disaster recovery plan is vital for worst-case scenarios, and depends on the successful implementation of a full disaster recovery plan. In order to prevent downtime due to malicious attacks such as denial-of-service (DoS) attacks and network intrusions, additional software and security equipment should be set up. Not only that, failover, redundancy, RAID, and clustering are significant measures that should be considered to avoid serious availability issues.
Authentication
In general cases, IT security consultants and professionals use authentication methods to verify a user’s identity before permitting them to access data. Common authentication methods include a username and password combination, and biometric logins, such as fingerprint scanning recognition. All employees of Devon Accounting should change their password regularly and should not share their password with others. When these verification systems are compromised, sensitive data can be stolen, and information services such as tax return service by Devon Accounting can be impaired. When it comes to combatting attacks like these, it is necessary to investigate any exploitable faults that might exist in the authentication systems and take appropriate steps to eliminate them.
Non-repudiation
When the employees send information through a network, it is essential that the information system be able to provide proof of delivery to confirm that the data was properly transmitted (“The 5 Pillars of Information Assurance”, 2018). The same applies to the receiving end, where recipients should have validation of the sender’s identity. This information, called non-repudiation, is required to confirm the individual accountable for processing certain data, especially when most data shared in Devon Accounting is sensitive. Although repudiation attacks are not common, a typical case is the manipulation of the access logs on a computer to make it hard to recognise which user was logged in at a specific time. If an employee engages in unauthorised activity during the attack, it would be difficult for the company to determine who was responsible for that activity, limiting its ability to prevent future attacks.
Access Control
Access control is a security technique that regulates who or what can view or use resources in a computing environment (Mar18). It is a fundamental idea in security that reduces risk to the company: access control systems perform identification, authentication and user authorisation by evaluating required login credentials, which can include passwords, PINs or biometric scans. Multifactor authentication is often an important part of a layered defence to protect access control systems. Access control is a fundamental component of security compliance programs, ensuring that security technology and access control policies are in place to protect confidential information, such as customer data. Therefore, Devon Accounting should set up infrastructure and implement procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information, salary, and tax file numbers.
3. Current Security Threats
It is essential to identify current security threats before developing any risk and threat assessment. Multiple security threats have already been identified and listed in the Memorandum by Director Andre Jacobs. The current issues at Devon Accounting that are potentially affected by security threats are listed below.
Several events prove that the current system security is too weak to defend Devon Accounting from security threats such as ransomware and malware. For example, a recent malware attack on the company’s network caused both data and financial loss. A stronger system is needed to prevent this from happening in the future.
Phishing is another security threat affecting Devon Accounting. There is no email filter, and employees receive countless spam and malicious emails. If staff are not careful and click on any of the links, the company’s security might be compromised.
Viruses and worms are difficult for the current IT department to handle because the company has no control over how employees use the company’s devices. For instance, staff use their personal USB drives, which might be infected, in the company’s devices. Moreover, they can access external websites and social media which may contain malicious code. In addition, the current antivirus is outdated and thus not effective in detecting and removing viruses and worms.
Insider threats occur in Devon Accounting when employees who have authorised access to the company’s network intentionally or unintentionally misuse that privilege in a way that negatively affects the organisation’s critical data and systems. Based on the article written by Rosencrance (2019), insider threats are caused by careless employees who do not comply with the company’s business rules and policies. In Devon Accounting, some staff intentionally bypass security measures out of convenience, store business data on their personal wireless devices and upload it to inconsistent cloud storage such as Dropbox, Google Drive, and OneDrive. Additionally, some staff are given remote access, but no monitoring or control is in place. As a result, insider threats may be one of the biggest security threats in Devon Accounting.
Application and operating system patches are not installed. According to an article written by Nield (2019), these patches usually fix loopholes and security vulnerabilities, fix bugs, and generally improve system performance. In other words, using unpatched systems will eventually leave the computers open to these threats.
Theft is one of the physical security threats in Devon Accounting where several laptops have gone missing. Stealing company’s properties for personal gain will lead to loss of sensitive data and information on top of financial loss.
In addition, most of the security controls of Devon Accounting were implemented five years ago and now need to be updated accordingly. To be more specific, the security threats arising from the current cyber security controls are listed as follows.
Access privileges are not appropriately applied, and the passwords set up by the employees of Devon Accounting are weak and insecure due to the sharing of passwords amongst staff.
Public Wi-Fi can be used on the company’s devices, including laptops and computers, which leads to exposure to cyber-attacks.
The current version of the anti-virus installed is outdated and might fail to detect viruses and malware. Victims may end up with an infected computer without realising it.
There is no control over how employees can use the company’s devices, such as accessing social media sites, use of personal and external hard drives, remote access, and installing software. Employees of Devon Accounting are free to install any software on their devices regardless of the source of the software, which might not be legitimate. These activities need to be banned to protect sensitive information and prevent security threats.
There is no control over Devon Accounting’s incoming emails, and the company’s network is clogged up by spam and junk mail.
In terms of cloud computing services and storage, backup has become an issue because employees use different cloud-based applications such as Xero and Office 365. Because of this inconsistency, security threats and data loss will potentially happen.
4. Risk and Threat Assessment
Current security threats for Devon Accounting are listed in detail in the previous section. Security threats can be categorised into internal and external threats depending on the origin of the threat. Internal threats originate from within the company, including fraud, misuse of information and destruction of information, mainly due to weak security policies. On the other hand, external threats originate from outside the company, primarily physical threats and network security threats.
Internal Threats

Vulnerability Area | Consequence
Insider threats due to unrestricted website surfing | Leading to infections of viruses, phishing and other malware.
Insider threats due to unrestricted software downloads and installations | Leading to infection of viruses, copyright violations, and possible software piracy.
Insider threats due to unrestricted remote access | Leading to unauthorised access and potential information theft.
No email filter – all email is routed to user inboxes | Leading to higher security breaches from macro viruses and malicious links.
Weak security administration – weak user passwords | Leading to unauthorised access and potential misuse of sensitive information.
Unrestricted access to external media such as USB and personal devices | Leading to theft of data, and infection of the systems.
Unrestricted access to personal devices and connection to unauthenticated networks such as public Wi-Fi | Leading to theft of data and information.

External Threats

Vulnerability Area | Consequence
Physical security threats (stolen laptops) | Leading to possible identity theft, leak of sensitive information, and financial loss.
No backup power (UPS) during incidents such as blackouts | Whole systems go offline, leading to productivity loss and potential information loss.
Weak capacity and old networking equipment | Leading to data loss and potential exposure to cyber-attacks.
Risk Assessment Matrix

Possible Effect | Personnel | Facilities and equipment | Applications | Communication | Software and operating systems
Insignificant   | Low       | Low                      | Low          | Medium        | Medium
Marginal        | Low       | Low                      | Medium       | Medium        | High
Moderate        | Low       | Medium                   | Medium       | High          | High
Critical        | Medium    | Medium                   | High         | High          | Extreme
Catastrophic    | Medium    | High                     | High         | Extreme       | Extreme
A risk assessment matrix streamlines the information from the risk assessment form, making it easier to identify major threats at a single glance. As part of the risk management process for Devon Accounting, the risk assessment matrix is prepared based on the possible effect, from insignificant to catastrophic, for all five relevant categories: personnel, facilities and equipment, applications, communications, and software and operating systems. To be more specific, a hazard that is very likely to happen and will cause major losses receives a higher risk rating than a hazard that is unlikely and will cause little harm. The details of the risk ratings used in the risk assessment matrix are explained as follows.
1. Low
A definite hazard with insignificant consequences. Low risks can be ignored or overlooked as they usually are not a significant threat.
2. Medium
A likely hazard with marginal consequences. Medium risks require reasonable steps for prevention but they’re not a priority.
3. High
An occasional hazard with critical consequences. High risks call for immediate action.
4. Extreme
An unlikely hazard with catastrophic consequences. Extreme risks may cause significant damage, will definitely occur, or a mix of both. They are high priority.
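As an added worked example (not part of the original report), the matrix and the four rating definitions above applied as a small risk register: each vulnerability area from the internal and external threat tables is given a consequence level and the asset categories it touches, takes the worst cell among those categories, and the register is sorted so that Extreme and High items come first. The consequence levels and categories assigned to each threat below are assumptions made for illustration.

```python
from dataclasses import dataclass

# Consequence levels (rows of the matrix) and asset categories (columns),
# exactly as in the report's risk assessment matrix.
CONSEQUENCES = ["Insignificant", "Marginal", "Moderate", "Critical", "Catastrophic"]
CATEGORIES = ["Personnel", "Facilities and equipment", "Applications",
              "Communication", "Software and operating systems"]

RISK_MATRIX = {
    "Insignificant": ["Low", "Low", "Low", "Medium", "Medium"],
    "Marginal":      ["Low", "Low", "Medium", "Medium", "High"],
    "Moderate":      ["Low", "Medium", "Medium", "High", "High"],
    "Critical":      ["Medium", "Medium", "High", "High", "Extreme"],
    "Catastrophic":  ["Medium", "High", "High", "Extreme", "Extreme"],
}

# Ordering used to prioritise, plus the action the report attaches to each rating.
RATING_RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}
RATING_ACTION = {
    "Low": "Can be overlooked; not a significant threat",
    "Medium": "Reasonable preventive steps, but not a priority",
    "High": "Immediate action required",
    "Extreme": "High priority",
}


def rate(consequence, category):
    """Look up one cell of the matrix, rejecting labels that are not in it."""
    if consequence not in RISK_MATRIX:
        raise ValueError(f"unknown consequence level: {consequence}")
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    return RISK_MATRIX[consequence][CATEGORIES.index(category)]


@dataclass
class Threat:
    name: str
    consequence: str
    categories: list  # every asset category the threat touches

    def rating(self):
        """A threat touching several categories takes the worst rating among them."""
        return max((rate(self.consequence, c) for c in self.categories),
                   key=RATING_RANK.__getitem__)


def prioritise(threats):
    """Return (name, rating, action) tuples, highest risk first; ties keep register order."""
    ranked = sorted(threats, key=lambda t: RATING_RANK[t.rating()], reverse=True)
    return [(t.name, t.rating(), RATING_ACTION[t.rating()]) for t in ranked]


# Constructed register: vulnerability areas taken from the report's threat tables;
# the consequence level and categories for each are assumed here for illustration.
REGISTER = [
    Threat("No email filter", "Moderate",
           ["Communication", "Software and operating systems"]),
    Threat("Weak user passwords", "Critical", ["Applications", "Personnel"]),
    Threat("Unrestricted website surfing", "Marginal", ["Applications"]),
    Threat("Stolen laptops", "Catastrophic",
           ["Facilities and equipment", "Software and operating systems"]),
    Threat("No UPS during blackout", "Moderate", ["Facilities and equipment"]),
]

if __name__ == "__main__":
    for name, rating, action in prioritise(REGISTER):
        print(f"{rating:8} {name:30} {action}")
```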
5. Solution to the Threats
According to the article on Introduction to network security (2019), network security can be any action designed to protect usability and integrity of the network and data using both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and prevents them from entering and spreading on the organisation’s network.
Technology Options

Threat | Technology Options | Vendor Details
Viruses and malware infections | Antivirus and antimalware software | Norton https://au.norton.com/antivirus
Unauthorised network access, advanced malware infections, and application-layer attacks | Next-Generation Firewall (NGFW) | Forcepoint NGFW https://www.infradata.com
Wi-Fi spoofing, unauthorised tracking over insecure networks | Virtual Private Network (VPN) | Norton https://au.norton.com/wifi-privacy
Security breach and advanced malware intrusion | Advanced Malware Protection (AMP) | Cisco https://www.cisco.com
Unauthorised changes to system and access to non-encrypted drive | Latest Windows Operating System (BitLocker can encrypt entire drive) | Microsoft (Windows Security) https://www.microsoft.com/en-au/windows
There are many different types of network security solutions to the possible threats. The solutions that are suitable to be implemented in Devon Accounting are listed as follows.
Antivirus and antimalware software – The current software needs to be updated to ensure it is capable of combating new viruses and protecting the computers. The best antimalware programs scan for malware and viruses upon entry, and continuously track files to find any suspicious activity.
Next-Generation Firewall (NGFW) – Firewalls put up a barrier between the trusted internal network and untrusted networks such as the Internet. Rules and policies are defined to allow and block traffic. The NGFW is a threat-focused firewall that combines a traditional firewall with other network device filtering functionalities to protect the network from threats including advanced malware and application-layer attacks.
Virtual Private Network (VPN) – A VPN encrypts the connection from an endpoint to a network, often over the Internet. The encrypted connection helps ensure that sensitive data is safely transmitted, stops unauthorised people from eavesdropping on the traffic, and allows the user to work remotely. This is particularly important for Devon Accounting because some employees need to have remote access. For example, an employee can work outside the office and still securely connect to the corporate network. Even smartphones and tablets can connect through a VPN.
Advanced Malware Protection (AMP) – Unlike general malware protection software, AMP provides added threat intelligence and both static and dynamic sandboxing malware analysis engines. In simple terms, AMP identifies what malware is doing, including associated HTTP and DNS traffic and TCP/IP streams, enabling the security team of Devon Accounting to gain better awareness of potential threats in the company’s network.
Windows 10 Operating System – In Devon Accounting, most of the workstations run Windows, and the graphics department uses Apple computers. Aside from the graphics department, other departments need access to sensitive information. The BitLocker feature of the Windows 10 operating system enables drive encryption, thus protecting the files, especially customers’ details and tax return information. Unauthorised access to the drive without the right encryption key will leave the data unreadable. Therefore, BitLocker can be utilised to prevent threats such as hackers stealing sensitive and confidential information from Devon Accounting.
6. Security Policy Updates
The current security policy for Devon Accounting is attached in Appendix 4. Based on the latest security review and assessment, further policies are added to ensure all aspects of business operation for Devon Accounting are taken into consideration.
Introduction
This document sets forth standards which must be adhered to by all employees, contractors and any user granted access to any machine or service. Failure to comply with this Policy will result in disciplinary action and may result in termination of employment.
Policy Scope
This Policy applies to any person authorized to access any computer or device on the Firm’s private LAN. This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, and attorneys authorized to access any of Devon Accounting’s private LAN via Remote Access or direct access, for any reason.
Password Policy
The password policy defines the password strength guidelines that are used to regulate whether a new password is valid. A password strength rule is a rule to which a password must conform. A password policy sets the rules that passwords for a service must meet, such as length and type of characters allowed and disallowed. This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services. The following standards and other rules for passwords are configured.
Minimum and maximum length is set to 8 – 15 characters.
Character restrictions: None.
Frequency of password reuse: 180 days.
Specify a minimum password age: 30 days.
Any system that handles valuable information must be protected with a password-based access control system.
Every user must have a separate, private identity for accessing IT network services.
Sharing of passwords is forbidden. They should not be revealed or exposed to public sight.
Whenever a password is deemed compromised, it must be changed immediately.
For critical applications, digital certificates and multiple factor authentication using smart cards should be used whenever possible.
Identities must be locked if password guessing is suspected on the account.
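The password rules above, implemented as an added example that is not part of the original policy document: a password change is checked against the 8–15 character length, the 30-day minimum age and the 180-day reuse window (compared against salted hashes of retired passwords, never the passwords themselves), a change for a password deemed compromised bypasses the minimum age, and repeated failed logins lock the identity. The five-failure lockout threshold, the PBKDF2 parameters, the reference date and the user name are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Rules exactly as stated in the password policy above.
MIN_LENGTH, MAX_LENGTH = 8, 15
MIN_AGE = timedelta(days=30)        # a password may not be changed before this (unless compromised)
REUSE_WINDOW = timedelta(days=180)  # a password retired within this window may not return
LOCK_AFTER_FAILURES = 5             # assumed threshold for "password guessing suspected"

EPOCH = datetime(2020, 1, 1)        # assumed reference date for the worked scenario


def day(n):
    """Helper: the point in time n days after EPOCH."""
    return EPOCH + timedelta(days=n)


def _hash(password, salt):
    # Stored verifiers are salted PBKDF2-SHA256 hashes (iteration count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PolicyViolation(Exception):
    pass


@dataclass
class Identity:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    changed_at: datetime = datetime.min
    history: list = field(default_factory=list)  # (hash, retired_at) of past passwords
    failures: int = 0
    locked: bool = False


def set_password(ident, new, now, compromised=False):
    """Apply the policy to a password change. compromised=True is the
    'deemed compromised' path, which must be allowed immediately."""
    if not MIN_LENGTH <= len(new) <= MAX_LENGTH:
        raise PolicyViolation(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    # Character restrictions: none, so there is no composition check.
    if ident.current and not compromised and now - ident.changed_at < MIN_AGE:
        raise PolicyViolation("minimum password age of 30 days not reached")
    digest = _hash(new, ident.salt)
    recent = [h for h, retired in ident.history if now - retired < REUSE_WINDOW]
    if ident.current:
        recent.append(ident.current)
    if any(hmac.compare_digest(digest, h) for h in recent):
        raise PolicyViolation("password was used within the last 180 days")
    if ident.current:
        ident.history.append((ident.current, now))
    ident.current, ident.changed_at = digest, now
    ident.failures, ident.locked = 0, False  # a fresh password also clears a lock


def authenticate(ident, attempt):
    """Verify a login; repeated failures lock the identity as the policy requires."""
    if ident.locked:
        return False
    if hmac.compare_digest(_hash(attempt, ident.salt), ident.current):
        ident.failures = 0
        return True
    ident.failures += 1
    if ident.failures >= LOCK_AFTER_FAILURES:
        ident.locked = True
    return False
```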
System Access Policy
The System Access Policy defines the requirements for the proper and secure control of access to IT systems and infrastructure at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Any system that handles valuable information must be protected with a password-based access control system.
Any system that handles confidential information must be protected by a two-factor-based access control system.
Discretionary access control lists must be in place to control the access to resources for different groups of users.
Mandatory access controls should be in place to regulate access by processes operating on behalf of users.
Access to resources should be granted on a per-group basis rather than on a per-user basis.
Access shall be granted under the principle of “least privilege”, i.e., each identity should receive the minimum rights and access to resources needed for them to be able to perform their business functions successfully.
Whenever possible, access should be granted to centrally defined and centrally managed identities.
Users should refrain from trying to tamper with or evade the access control in order to gain greater access than they are assigned.
Automatic controls, scan technologies and periodic revision procedures must be in place to detect any attempt made to circumvent controls.
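An added example, not from the original policy, of how the System Access Policy's rules fit together: group-based discretionary ACLs with deny by default, a second factor required for confidential systems, least privilege (a group only gets the rights it was granted), and two periodic revision checks, one flagging ACL entries granted to an individual rather than a group and one flagging identities that repeatedly request resources they are not assigned. The groups, resources, rights and user names are constructed for illustration.

```python
from collections import defaultdict

# Centrally managed identities and their group memberships (constructed sample).
GROUPS = {
    "tax-advisers": {"alice", "bob"},
    "graphics":     {"carol"},
    "it-admins":    {"dave"},
}

# Discretionary access control lists: resource -> {principal: set of rights}.
# Principals are groups, not users, as the policy requires ("per-group basis").
ACLS = {
    "client-tax-returns": {"tax-advisers": {"read", "write"}, "it-admins": {"read"}},
    "marketing-assets":   {"graphics": {"read", "write"}},
    "salary-records":     {"it-admins": {"read"}},
}

# Systems holding confidential information must use two-factor access control.
CONFIDENTIAL = {"client-tax-returns", "salary-records"}

audit_log = []  # every denied request, kept for the periodic revision procedure


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def is_allowed(user, resource, right, mfa_passed=False):
    """Deny by default; grant only if some group of the user holds the right."""
    if resource not in ACLS:
        audit_log.append((user, resource, right, "unknown resource"))
        return False
    if resource in CONFIDENTIAL and not mfa_passed:
        audit_log.append((user, resource, right, "second factor missing"))
        return False
    granted = set()
    for group in groups_of(user):
        granted |= ACLS[resource].get(group, set())
    if right in granted:
        return True
    audit_log.append((user, resource, right, "no group grants this right"))
    return False


def per_user_grants():
    """Revision check: ACL entries granted to an identity instead of a group."""
    return [(res, p) for res, acl in ACLS.items() for p in acl if p not in GROUPS]


def repeated_denials(threshold=3):
    """Revision check: identities denied at least `threshold` times, which may
    indicate an attempt to gain greater access than assigned."""
    counts = defaultdict(int)
    for user, *_ in audit_log:
        counts[user] += 1
    return {u: n for u, n in counts.items() if n >= threshold}
```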
Secure Wi-Fi & Devices Policy
The Secure Wi-Fi Policy defines the requirements for the proper and secure use of Wi-Fi and devices at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Company employees are expected to use the Internet responsibly and productively. Internet access is limited to job-related activities only and personal use is not permitted.
Job-related activities include research and educational tasks that may be found via the Internet that would help in an employee’s role.
All Internet data that is composed, transmitted and/or received by Devon Accounting’s computer systems is considered to belong to Devon Accounting and is recognized as part of its official data. It is therefore subject to disclosure for legal reasons or to other appropriate third parties.
The equipment, services and technology used to access the Internet are the property of Devon Accounting and the company reserves the right to monitor Internet traffic and monitor and access data that is composed, sent or received through its online connections.
Only registered devices may be connected to the company’s Wi-Fi.
All personal devices such as laptops and mobile phones must connect through the VPN before accessing the company’s network and work-related confidential documents.
If an employee is unsure about what constitutes acceptable Internet usage, he/she should ask his/her supervisor for further guidance and clarification.
Legitimate Software Policy
The legitimate software policy defines the requirements for the proper and secure use of legitimate software at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Software must not include malicious or unwanted software.
Software must not create any unexpected behaviours. The software must behave consistently with the declared behaviour and functionalities at install.
Software must not perform activities that are hidden to the user or otherwise attempt to hide its presence or operation on the device, unless for legitimate background processes (which would be disclosed to users at install). For clarity, this does not include activities that would normally be expected to be hidden as part of regular product functionality, such as calculations.
Software that automatically dials a phone number or connects remotely to another device or system without legitimate reasons and/or user consent is not allowed.
Software must not limit the user’s control or programmatic control of the user’s browser default search settings, home page and new tab, either through additional questioning/prompts or other means of prevention when a change to the default search, home page or new tab settings is attempted.
Unsigned software is not allowed. All software must be digitally signed by its author using a valid certificate issued by a reputable certification authority.
Employees must not install software that has not been approved by Devon Accounting. Installation of non-legitimate software will lead to disciplinary action and possible termination of employment.
Patches and Anti-Virus Policy
The patches and anti-virus policy defines the requirements for the proper installation of antivirus software and its patches at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Virus protection should be installed on every machine on the network.
All anti-virus clients, servers, and gateway products should be kept actively running and capable of generating audit logs at all times.
The master installation of the software should be enabled for automatic updates and periodic scans, and the servers should also have these features enabled.
The master installation should automatically push updates out to the systems and devices on the network.
‘Clean’ devices Policy
The clean devices policy defines the requirements for the proper and secure use of devices, including but not limited to company-owned and personal laptops, computers, mobile phones and tablets, at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
All devices used for work purposes at Devon Accounting must not contain any fraudulent installs, clicks or engagement.
A VPN client must be installed on every device that connects to the company’s network, including for remote access.
Installation of non-approved software or apps will lead to disciplinary action and possible termination of employment.
Social Media Policy
The social media policy defines the requirements for the use of social media at Devon Accounting. This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Do not disclose Devon Accounting’s confidential, proprietary or sensitive information. Information is considered confidential when it is not readily available to the public.
Do not post any material that would directly or indirectly defame, harass, discriminate against or bully any Devon Accounting team member, supplier or customer.
Apart from the Sales and Marketing Department and the Customer Service Department, employees of Devon Accounting are prohibited from accessing social media using company devices, including but not limited to company-owned and personal laptops, computers, mobile phones and tablets.
Email Policy
The Email Policy section defines the requirements for the proper and secure use of electronic mail at Devon Accounting. This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
All the assigned email addresses, mailbox storage and transfer links must be used only for business. Occasional use of personal email address on the Internet for personal purpose may be permitted if in doing so there is no perceptible consumption in the Organisation system resources and the productivity of the work is not affected.
In no way may the email resources be used to reveal confidential or sensitive information from the Organisation outside the authorized recipients for this information.
Using the email resources of the Organisation for disseminating messages regarded as offensive, racist, obscene or in any way contrary to the law and ethics is absolutely discouraged.
Use of the Organisation’s email resources is maintained only to the extent and for the time needed to perform the user’s duties. When a user ceases his/her relationship with the company, the associated account must be deactivated according to the established procedures for the lifecycle of accounts.
Outbound messages from corporate users should have approved signatures at the foot of the message.
Privacy is not guaranteed. Where the strongest requirements for confidentiality, authenticity and integrity apply, the use of electronically signed messages is encouraged. However, only the Information Security Officer may approve the interception and disclosure of messages.
Attachments must be limited in size according to the specific procedures of the Organisation. Whenever possible, restrictions should be automatically enforced.
Cloud Computing Services and Storage Policy
The Cloud Computing Services and Storage Policy section defines the requirements for the proper and secure use of cloud computing services and storage at Devon Accounting. This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Use of cloud computing services for work purposes must be formally authorized by the IT Manager. The IT Manager will certify that security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor.
For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the IT Manager.
The use of such services must comply with Devon Accounting’s existing Acceptable Use Policy/Computer Usage Policy/Internet Usage Policy/BYOD Policy.
Employees must not share log-in credentials with co-workers. The IT department will keep a confidential document containing account information for business continuity purposes.
The use of such services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by Devon Accounting.
The IT Manager decides what data may or may not be stored in the Cloud.
Personal cloud services accounts may not be used for the storage, manipulation or exchange of company-related communications or company-owned data.
Remote Access Policy
The Remote Access Policy section defines the requirements for the acceptable methods of remotely connecting to the internal network of Devon Accounting. This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Any Authorized User must take reasonable steps to ensure that his or her Remote Access to the Devon Accounting’s private LAN is treated with the same security approach as his or her computer connection within the Firm’s offices.
A user is said to have provided “two-factor authentication” when he or she has supplied two separate forms of evidence of being who he or she claims to be. Two-factor authentication is also called strong authentication, and is defined as two out of the following three forms of evidence.
As part of installing the two-factor authentication system, Devon Accounting may issue some of its Employees an authentication device known as a fob. It is the sole responsibility of anyone issued such a device to safeguard the device against loss or damage. The Firm in many cases will replace one (1) such device at no expense to the user. Future replacements may be at the user’s expense.
Where an authentication device becomes lost or inoperative, the user must immediately notify the IT Department of the loss.
Any Employee using a Remote Access must ensure that the Employee’s computer or device is updated with the most recent security patches for his or her operating system.
All machines connecting to the network remotely must run current versions of anti-virus software with regularly updated virus definitions.
No Employee using any Remote Access shall access Devon Accounting’s private LAN while connected to any other network (this is called being “dual-homed”), unless the Employee has complete control over such other network such as their private home network.
Encryption Policy
The Encryption Policy section defines the requirements for data and drive encryption for Devon Accounting. This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Encryption must always be used to protect strictly confidential information transmitted over data networks to protect against risks of interception. This includes when accessing network services which require authentication (for example, usernames and passwords) or when otherwise sending or accessing strictly confidential information.
Sensitive and confidential files and documents stored on Devon Accounting’s computers must be encrypted and accessed only by authorised employees.
Where strictly confidential data is stored in public, cloud-based storage facilities the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data.
In relation to email, personal or commercially sensitive data should only be sent via Devon Accounting’s email system when absolutely necessary, and where that is the case the data must be sent in encrypted form. The recommended method is to attach the data as an encrypted file to one email and then send the recipient the details of how to decrypt it in a separate email, in order to reduce the chance of interception or of accidental or malicious distribution of the sensitive data.
7. Security Testing Methodology
In the current era of information technology, there are many different security testing methodologies available to be implemented. The final methodology used for performing security tests will be chosen depending on the application, development status, and the development methodology. In this section, two of the well-known methodologies will be discussed and the most suitable security testing methodology will be chosen with reasons given.
At the outset, according to an article written by QA Mentor (2019), agile security testing is driven by iterations in which security requirements are translated into automated security test cases. By promoting test-driven development in this way, security tests are created before the system even exists. The steps involved in agile security testing are shown in the diagram below.
On the other hand, penetration security testing involves using tools and methods in the same way that a malicious user would. According to Tony (2019), the Penetration Testing Execution Standard (PTES) defines penetration testing in five phases, as illustrated in the following chart.
[Chart: the five PTES phases, numbered 01 to 05]
At Devon Accounting, the penetration security testing methodology is implemented to identify security weaknesses. Compared to agile security testing, penetration security testing is more suitable because it fits Devon Accounting’s security requirements: to test the organisation’s security policy, its adherence to compliance requirements, its employees’ security awareness, and the company’s ability to identify and respond to security incidents. Penetration testing should be performed after careful consideration, notification and planning, as while it is very effective it can slow network response times. A penetration test can be used to simulate both an inside and an outside attack, so it can test security features internally and externally.
To be more specific, the first step of penetration security testing is to build a threat model, which involves identifying risks and threats and breaking each threat down into smaller parts. In step 2, a test plan is created with a road map for the security testing effort, its deliverables, activities, timelines, and the resources needed. In step 3, the test cases are executed, including testing for vulnerabilities in the file system and registry, UI security, design security such as unsecured ports, and implementation security. In step 4, a problem report is created that shows proof of the presence of each vulnerability and covers the steps to reproduce it, its severity, and the exploit scenarios. Lastly, in step 5, a post-mortem is performed to analyse the bugs found, identify root causes through root cause analysis (RCA), and improve the process for future projects.
Aside from penetration security testing, several other security testing methods are used to maintain a secure IT environment at Devon Accounting, including network scanning, vulnerability scanning, password cracking, log review, file integrity checkers, and virus detectors. These methods are discussed as follows.
Network Scanning
Network scanning includes steps to identify all hosts potentially connected to Devon Accounting’s network, the services operating on those hosts (including but not limited to FTP and HTTP), and the specific application providing each recognised service (such as WU-FTPD for FTP, or IIS and Apache for the HTTP service), using a port scanner. The outcome of a scan is a complete list of all active hosts and services, switches, printers and routers functioning in the address space scanned by the port scanning tool. The purposes of network scanning are as follows.
Determine and identify unauthorised hosts connected to Devon Accounting’s network.
Detect vulnerable services and deviations from the allowed services defined in the security policy of Devon Accounting.
Collect forensic evidence for future reference.
Support the preparation for penetration testing.
Contribute to the configuration of the intrusion detection system.
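The second purpose listed above, detecting hosts and services that deviate from what the security policy allows, is the part of network scanning that can be automated after the scan itself. The following Python program is an added example, not code from the document or from Devon Accounting: it reads constructed scan results (laid out to resemble a port scanner’s greppable output, one host per line) and compares them with an assumed register of hosts and the services each is allowed to expose, reporting unregistered hosts and disallowed services.

```python
"""Added example (not from the Devon Accounting document): checks a network scan
result against the allowed-services part of the security policy and reports the
two findings the text calls for, unauthorised hosts and disallowed services.
The scan lines are constructed and only resemble a port scanner's greppable
output; the register of hosts and allowed services is assumed sample data.
"""
import re
from dataclasses import dataclass, field

# Assumed policy data: registered hosts and the (protocol, port) pairs each may expose.
REGISTERED_HOSTS = {
    "10.10.1.10": "fileserver",
    "10.10.1.20": "webserver",
    "10.10.1.30": "printer",
}
ALLOWED_SERVICES = {
    "10.10.1.10": {("tcp", 22), ("tcp", 445)},
    "10.10.1.20": {("tcp", 22), ("tcp", 443)},
    "10.10.1.30": {("tcp", 9100)},
}

# Constructed scan output, one line per host: "Host: <ip> (<name>)<TAB>Ports: <port list>"
# where each port entry is port/state/protocol/owner/service/rpc/version/.
SCAN_OUTPUT = """\
Host: 10.10.1.10 (fileserver)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 445/open/tcp//microsoft-ds///
Host: 10.10.1.20 (webserver)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 80/open/tcp//http//Apache httpd 2.4/, 443/open/tcp//https//Apache httpd 2.4/
Host: 10.10.1.30 (printer)\tPorts: 9100/open/tcp//jetdirect///
Host: 10.10.1.77 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0/, 8080/open/tcp//http-proxy///
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)\tPorts: (.*)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


@dataclass
class Finding:
    host: str
    kind: str      # "unregistered-host" or "disallowed-service"
    detail: str


@dataclass
class ScanReport:
    hosts_seen: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_scan(text):
    """Yield (ip, [(proto, port, service, version), ...]) for each host line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.group(1), m.group(3)
        services = []
        for port, state, proto, name, version in PORT_RE.findall(ports_field):
            if state == "open":
                services.append((proto, int(port), name, version))
        yield ip, services


def check_against_policy(scan_text=SCAN_OUTPUT) -> ScanReport:
    """Compare every scanned host with the register and the allowed-services list."""
    report = ScanReport()
    for ip, services in parse_scan(scan_text):
        report.hosts_seen.append(ip)
        if ip not in REGISTERED_HOSTS:
            report.findings.append(
                Finding(ip, "unregistered-host", f"{len(services)} open service(s)"))
            continue
        for proto, port, name, version in services:
            if (proto, port) not in ALLOWED_SERVICES[ip]:
                detail = f"{proto}/{port} {name} {version}".strip()
                report.findings.append(Finding(ip, "disallowed-service", detail))
    return report


if __name__ == "__main__":
    for f in check_against_policy().findings:
        print(f"{f.kind:20} {f.host:12} {f.detail}")
```

Run against the constructed data, the report flags the web server’s unexpected plain HTTP listener and the unregistered host 10.10.1.77; the version field is carried into the finding because it is what the vulnerability scanning step, discussed next, works from.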
Vulnerability Scanning
Vulnerability scanners take the idea of port scanning to a higher level. They provide information on the related vulnerabilities instead of relying on human interpretation of test outcomes. Therefore, these scanners are considered a comparatively effective method for Devon Accounting to quantify vulnerabilities. Vulnerability scanners provide system and network administrators with proactive tools that can be utilised to detect and categorise vulnerabilities.
Password Cracking
Password cracking software is used to identify weak passwords that do not meet the requirements of Devon Accounting’s password policy. It helps ensure that all employees set strong passwords on all devices used for work purposes, including but not limited to laptops, computers, and mobile phones. Passwords are usually stored and transmitted in a transformed form called a hash. When a staff member logs on to a computer system and enters a password, a hash is generated and compared to the stored hash; if the entered and stored hashes match, the user is authenticated. Cracking methods such as hybrid, dictionary and brute-force attacks can be used to test password strength.
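The following Python program is an added example (not from the document or from Devon Accounting) of the two sides of the paragraph above: passwords are kept as salted hashes and a login compares hashes, and a policy audit checks new passwords against rules at the time they are set and tests the stored hashes against a banned-password list to find accounts still using weak passwords. The minimum length, the banned list and the sample accounts are assumed values for the example.

```python
"""Added example (not from the Devon Accounting document): password storage,
hash comparison at login, and a policy audit that identifies weak passwords.
The policy rules, the banned-password list and the accounts are assumed sample
data for this example.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12                  # assumed policy minimum
ITERATIONS = 100_000
BANNED = ["password", "devon2024", "welcome1", "accounting"]   # constructed list


def make_verifier(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash stored in place of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_login(stored: dict, password: str) -> bool:
    """Authentication step: hash the entered password and compare with the stored hash."""
    return hmac.compare_digest(make_verifier(password, stored["salt"]), stored["verifier"])


def policy_violations(username: str, password: str) -> list:
    """Checks applied when a password is set, before it is hashed and stored."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in BANNED:
        problems.append("on the banned-password list")
    if password.isalpha() or password.isdigit():
        problems.append("uses a single character class")
    return problems


def audit_stored_hashes(accounts: dict, candidates=BANNED) -> dict:
    """Offline audit: which accounts' stored hashes equal the hash of a banned password?
    Returns {username: matching banned password} for the accounts that must be reset."""
    weak = {}
    for username, stored in accounts.items():
        for candidate in candidates:
            if verify_login(stored, candidate):
                weak[username] = candidate
                break
    return weak


def build_sample_accounts() -> dict:
    """Constructed accounts: one compliant password and two that are on the banned list."""
    accounts = {}
    for user, pw in [("alice", "correct-horse-battery-9"), ("bob", "welcome1"), ("carol", "devon2024")]:
        salt = os.urandom(16)
        accounts[user] = {"salt": salt, "verifier": make_verifier(pw, salt)}
    return accounts


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print(verify_login(accounts["alice"], "correct-horse-battery-9"))   # True
    print(policy_violations("bob", "welcome1"))
    print(audit_stored_hashes(accounts))                                 # {'bob': 'welcome1', 'carol': 'devon2024'}
```

The audit can only recognise passwords it already has candidates for, which is why the policy checks run at set time: a password that is never accepted does not need to be found later. The per-user salt means each candidate must be hashed separately for each account, so the audit cost grows with both lists.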
Log Reviews
Log review and analysis can be used to provide a dynamic representation of current system activities that can be linked with the intent and content of the security policy. Auditing logs can be used to authenticate and validate that the system is functioning and operating according to Devon Accounting’s security policies.
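As an added example (not code from the document or from Devon Accounting), the Python program below performs the kind of log review the paragraph describes, checking authentication events against two policy points: repeated password failures on one identity, which the Password Policy treats as suspected password guessing, and successful logins outside business hours. Where the lockout rule acts at login time, this review finds the same pattern after the fact in the logs. The log lines, their format, the failure threshold, the time window and the business hours are all assumptions constructed for the example.

```python
"""Added example (not part of the original document): a log review that checks
authentication events against two policy points, repeated password failures on
one identity (password guessing suspected) and successful logins outside the
assumed business hours. The log lines, their format and the thresholds are
constructed assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 4            # assumed: failures on one identity within the window
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)    # assumed: 07:00 to 18:59

# Constructed log lines in an assumed "timestamp auth: user= src= result=" layout.
LOG_LINES = """\
2024-03-04T08:02:11 auth: user=alice src=10.10.2.15 result=success
2024-03-04T08:10:40 auth: user=bob src=10.10.2.16 result=failure
2024-03-04T08:11:02 auth: user=bob src=10.10.2.16 result=failure
2024-03-04T08:11:30 auth: user=bob src=10.10.2.16 result=failure
2024-03-04T08:12:05 auth: user=bob src=10.10.2.16 result=failure
2024-03-04T08:12:20 auth: user=bob src=10.10.2.16 result=success
2024-03-04T12:30:00 auth: user=carol src=10.10.2.17 result=failure
2024-03-04T17:45:00 auth: user=carol src=10.10.2.17 result=failure
2024-03-04T23:15:09 auth: user=dave src=203.0.113.8 result=success
"""

LINE_RE = re.compile(r"(\S+) auth: user=(\S+) src=(\S+) result=(\w+)")


def parse(lines: str):
    """Yield (timestamp, user, source, result) for every well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def review(lines: str = LOG_LINES) -> list:
    """Return findings as (kind, user, source, timestamp) tuples in log order."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    bursts = {}                    # user -> time of the last reported guessing burst
    findings = []
    for ts, user, src, result in parse(lines):
        if result == "failure":
            recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            failures[user] = recent
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append(("password-guessing", user, src, ts.isoformat()))
                bursts[user] = ts
                failures[user] = []    # report each burst once
        elif result == "success":
            # a success shortly after a guessing burst deserves its own finding
            if user in bursts and ts - bursts[user] <= WINDOW:
                findings.append(("success-after-guessing", user, src, ts.isoformat()))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after-hours-login", user, src, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

On the constructed lines the review reports the burst of four failures on bob’s identity, the success that follows it within the window, and dave’s login at 23:15; carol’s two failures are hours apart and fall below the threshold, which is the distinction the sliding window exists to make.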
File Integrity Checkers
These tools provide IT administrators with the capability to detect and identify changes to folders and files, especially unauthorised changes to files holding Devon Accounting customers’ sensitive information.
Virus Detectors
Any company connected to the Internet is at risk of “contracting” computer viruses and malware. The impact of a virus can range from harmless pop-up messages on a computer screen to destructive malware that can destroy data and even Devon Accounting’s whole system. Installing network-level and end-user antivirus programs, together with firewalls, is essential to maintain a safe and secure IT work environment for the company.
8. Future attacks and threats on the business
The possible future attacks on Devon Accounting are investigated and listed in the table below. Nowadays, more than ever before, the information held by a company is at risk. There are a large number of threats to this information, representing diverse and complex challenges to protecting the information, personnel, and systems that process, transport, and store it. This requires a wide array of protection mechanisms and strategies to be thorough. An important component of this protection is understanding the future attacks and threats on Devon Accounting.
No. | Threat Category                      | Examples
----|--------------------------------------|-------------------------------------------
1   | Acts of human error or failure       | Accidents, employee mistakes
2   | Intellectual property compromise     | Piracy, copyright infringement
3   | Deliberate espionage or trespass     | Unauthorized access, data collection
4   | Deliberate information extortion     | Blackmail of information disclosure
5   | Deliberate sabotage or vandalism     | Destruction of systems or information
6   | Deliberate theft                     | Illegally taking equipment or information
7   | Deliberate software attacks          | Viruses, worms, denial of service (DoS)
8   | Forces of nature                     | Fires, floods, earthquakes
9   | Deviations in service from providers | Power and Internet provider issues
10  | Technological hardware failures      | Equipment failure
11  | Technological software failures      | Bugs, code problems, unknown loopholes
12  | Technological obsolescence           | Antiquated or outdated technologies
From the list of possible future attacks and threats to Devon Accounting, six are the most common and the most likely to happen in the future, namely acts of human error or failure, deliberate espionage or trespass, deliberate acts of theft, deliberate software attacks, deviations in service from providers, and forces of nature.
Acts of human error or failure
To begin with, acts of human error or failure include actions without malicious intent, and can be caused by inexperience, improper training, and incorrect assumptions. In other words, employees are among the greatest threats to the organisation’s data, because employee mistakes can easily lead to disclosure of classified data, entry of erroneous data, accidental data deletion or modification, data storage in unprotected areas, and failure to protect information.
Deliberate espionage or trespass
Secondly, deliberate acts of espionage or trespass involve an unauthorised person accessing protected information. Shoulder surfing can occur anywhere a person accesses confidential information. In general, hackers use skill, guile, or fraud to bypass the controls protecting others’ information. Spoofing is another technique used to gain unauthorised access, where the intruder imitates a trusted IP address. Therefore, controls need to be implemented to let trespassers know they are encroaching on the organisation’s cyberspace.
Deliberate software attacks
Next, deliberate software attacks include viruses, worms, trojan horses, logic bombs, backdoors, and denial-of-service (DoS) attacks. While viruses, worms and trojan horses are among the current threats to Devon Accounting, a DoS attack may also occur at Devon Accounting in the future.
To be more specific, a DoS attack occurs when an attacker’s traffic flood takes down an Internet service. If the attacker floods a website or computer system with more traffic than it was built to handle, the website’s server is overloaded and is unlikely to be able to serve its content to the visitors trying to access it.
In some cases these DoS attacks are performed by many computers simultaneously. This form of attack is known as a Distributed Denial-of-Service (DDoS) attack. It can be even harder to overcome because the attack appears to come from many different IP addresses around the world at the same time, making it even more difficult for network administrators to identify its source.
Moreover, mail bombing is a DoS attack in which the attacker routes large quantities of email to a targeted user of Devon Accounting’s system. Mail bombs will usually fill the space allotted to the user’s e-mail on the e-mail server and can crash the e-mail server or, at the very least, render the user’s computer useless as the e-mail client attempts to download the huge volume of e-mail.
Deviations in service from providers
Deviations in quality of service might happen at Devon Accounting where products or services are not delivered as expected, such as Internet connectivity issues. Information systems depend on many support systems; for example, Internet service, communications, and power outages greatly affect system availability and thus have a negative impact on the company’s productivity. This is considered one of the threats to Devon Accounting because it cannot be prevented. However, its impact can be minimised by preparing backup plans for periods of limited Internet service or power outage.
Deliberate theft
On the other hand, deliberate acts of theft involve the illegal taking of Devon Accounting’s physical, electronic, or intellectual property. A few Devon Accounting laptops went missing in the past, and this will most likely happen again in the future if no additional steps are taken to prevent it. Stealing company property for personal gain leads to loss of sensitive data and information on top of the financial loss. Physical theft is relatively easy to control by installing security cameras in the office and keeping a proper register before distributing laptops and electronic devices to employees.
Forces of nature
Last but not least, as seen in the past, a blackout caused by a storm resulted in the whole of Devon Accounting’s systems going offline. Thus, forces of nature will very likely be a threat to the company again in the future because they cannot be prevented. They disrupt information storage, transfer, and usage, and may also harm individual lives. Although forces of nature cannot be prevented, their damage can be limited by implementing controls such as installing an Uninterruptible Power Supply (UPS) to provide emergency power when the main power source fails. Worst-case scenarios and the corresponding contingency plans must be identified and prepared in advance to handle the threat of natural forces.
9. Future Risk and Threat Assessment
The motivation and the resources available for executing a cyber-attack make humans a potentially dangerous source of threat. The table below summarises many of today’s common threats, their possible motivations, and their threat actions. This information is important to Devon Accounting because it supports the study of the human threat environment during future risk and threat assessment (Stoneburner 2002).
Threat source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
  Threat actions: blackmail; computer abuse; fraud and theft; information bribery; input of falsified, corrupted data; interception; malicious code; sale of personal information; system bugs, intrusion, sabotage; unauthorized system access
  Threat motivations: curiosity; ego; intelligence; monetary gain; revenge; unintentional errors and omissions (for example, data entry error, programming error)
Threat source: Hacker
  Threat actions: hacking; social engineering; system intrusion, break-ins; unauthorized system access
  Threat motivations: ego; rebellion; challenge
Threat source: IT Criminal
  Threat actions: computer crime; fraudulent act; information bribery; spoofing; system intrusion
  Threat motivations: destruction of information; illegal information disclosure; monetary gain; unauthorized data alteration
Threat source: Industrial espionage (companies, foreign governments, other government interests)
  Threat actions: economic exploitation; information theft; intrusion on personal privacy; social engineering; system penetration; unauthorized system access
  Threat motivations: competitive advantage; economic espionage
Threat Assessment Matrix
The threat assessment matrix plots the severity of each event if it occurs. By visualising existing and potential threats in the matrix, the highest-priority impacts can be identified and plans drawn up for the threats that need the most attention. The categories of threat assessed are unauthorised data disclosure, alteration or deletion; unintentional data alteration or destruction; service non-delivery or deviations; access control failure; facilities and equipment failure; denial or degradation of service (DoS); and security policy non-compliance. Three areas of impact are evaluated in the matrix: financial loss, productivity loss, and loss of customer confidence.
Areas of Threat / Vulnerability and possible effects of Damage (H = high, M = medium, L = low)

Area / Threat                                          | Risk of Financial loss | Risk of Productivity loss | Risk of loss of Customer Confidence
-------------------------------------------------------|------------------------|---------------------------|------------------------------------
Personnel                                              |                        |                           |
  Unauthorised data disclosure, alteration or deletion | H                      | M                         | M
  Unintentional data alteration or destruction         | H                      | M                         | L
  Service non-delivery or deviations                   | L                      | M                         | H
  Access control failure                               | M                      | M                         | L
  Security policy non-compliance                       | M                      | L                         | H
Software and operating systems                         |                        |                           |
  Unauthorised data disclosure, alteration or deletion | H                      | M                         | H
  Unintentional data alteration or destruction         | M                      | M                         | H
  Service non-delivery or deviations                   | M                      | H                         | M
  Denial or degradation of services                    | L                      | M                         | L
  Access control failure                               | L                      | M                         | M
  Security policy non-compliance                       | L                      | L                         | L
Facilities and equipment                               |                        |                           |
  Unauthorised data disclosure, alteration or deletion | H                      | M                         | H
  Unintentional data alteration or destruction         | H                      | M                         | H
  Service non-delivery or deviations                   | L                      | H                         | M
  Denial or degradation of services                    | H                      | H                         | M
  Facilities and equipment failure                     | L                      | M                         | M
  Security policy non-compliance                       | M                      | L                         | L
Applications                                           |                        |                           |
  Unauthorised data disclosure, alteration or deletion | H                      | H                         | H
  Unintentional data alteration or destruction         | M                      | H                         | H
  Service non-delivery or deviations                   | H                      | H                         | M
  Access control failure                               | M                      | M                         | L
  Security policy non-compliance                       | L                      | M                         | L
Communications                                         |                        |                           |
  Unauthorised data disclosure, alteration or deletion | M                      | M                         | H
  Unintentional data alteration or destruction         | M                      | M                         | H
  Service non-delivery or deviations                   | H                      | M                         | L
  Access control failure                               | L                      | H                         | L
  Facilities and equipment failure                     | L                      | M                         | M
  Security policy non-compliance                       | L                      | L                         | M
Unauthorized/ Unintentional Data Disclosure, Alteration or Deletion
Confidential and sensitive information such as customers’ identity documents, tax file numbers, salary slips, and tax return documentation must be kept secure and accessible only by authorised employees. Failure to keep information safe and protected can result in undisclosed material falling into the hands of competitors or, even worse, identity theft. Australian businesses are obliged to keep personal information private, and Australian law can be breached if personal information is disclosed or leaked to unwanted parties. The unintentional sending of information to third parties can breach privacy and data loss reporting regulations. Man-in-the-middle attacks can result in information copied or sent outside the company being intercepted by third parties for the purposes of identity theft, intellectual property theft and reputational damage.
Service Non-Delivery or Deviations
Deviations in quality of service might happen at Devon Accounting where products or services are not delivered as expected, such as Internet connectivity issues. Information systems depend on many support systems; for example, Internet service, communications, and power outages greatly affect system availability and thus have a negative impact on the company’s productivity.
Access Control Failure
Physical access to sensitive areas in buildings, such as Devon Accounting’s control room, and virtual access to sensitive information stored on computers or in the cloud can result in equipment being inadvertently or deliberately deactivated, and can lead to information leaking where this data is viewed by and shared with unauthorised people. Both can result in regulatory breaches and a reduced ability to conduct business due to reputational damage.
Misuse of computer resources
Computer resources such as internet access, email, and file storage services are provided for business purposes of Devon Accounting. The misuse of these resources for personal or illegal activities can reduce the resources availability for business purposes and can expose the business to legal and reputation risk.
Facilities and Equipment Failure
Equipment and IT facilities such as servers and printers can fail due to electrical or software fault. If replacement equipment and devices are not able to be provided or repaired in a specified time frame, then the ability to do business is negatively impacted due to productivity reductions.
Denial or degradation of service (DOS) or Cause of Nature
Services can be degraded by natural disaster affecting core internet backbone technologies such as oceanic fibre optic cables being damaged by earthquake, equipment failures and denial of service attacks (DoS). Any of these can result in the decelerating or discontinuing of services required to perform business operations. In the event where Devon Accounting is significantly affected by these threats, the company will be impacted negatively on both revenue and reputation.
Security Policy Non-Compliance
Security policies are designed to protect Devon Accounting’s systems so that a safe and secure IT work environment can be maintained. Without proper implementation and enforcement by management, the planned security policies may be overlooked or ignored by employees, which puts the business at risk.
10. Security Plan – Solution to the future threats
All the relevant security threats and their impact on the organisation are explained in the previous section. According to Bianco (2019), several common solutions can be added to the security plan to prevent future security threats, including but not limited to implementing an effective security policy, using strong authentication, and carrying out Security Awareness Training (SAT).
Effective Security Policy
At the outset, the security policy should include procedures to prevent and detect misuse, as well as guidelines for conducting insider investigations, and it should spell out the potential consequences of misuse. Next, the policy must set out limits on access to, and dissemination of, personal data about employees, customers and others who might be the targets of investigations. Mishandling this data can have severe consequences, including legal action. It is essential to specify who is allowed to access what data, under which circumstances, and with whom they are allowed to share it. To protect Devon Accounting from allegations of unfair or unequally applied penalties, the security policy must also spell out the consequences of misusing company resources.
Strong Authentication
Secondly, password-cracking technology is relatively advanced, so stronger passwords need to be enforced. Many Devon Accounting employees share passwords. The alternatives to passwords are expensive, and general deployment is beyond the means of most organisations. A more cost-effective compromise is to apply strong multifactor authentication only to particularly sensitive applications or systems, such as those of the HR or accounting departments. Even where multifactor authentication combining user IDs and passwords with tokens, smart cards or fingerprint readers is deployed, it will not solve all IT security issues. Once a session is established, a knowledgeable insider may be able to spoof transactions under the user’s name, or simply use the computer while the authorised person has stepped away. Therefore, Windows workstations should be set to lock after a fixed period of inactivity and require reauthentication.
Security Awareness Training (SAT)
Next, Security Awareness Training (SAT) should be carried out as a solution to future threats. One of the major risks to Devon Accounting’s information security is often not a loophole in the technology control environment; rather, it is action or inaction by staff and other personnel that leads to security incidents. More specifically, these incidents involve the disclosure of information that could be used in a social engineering attack, failure to report observed unusual activity, and accessing sensitive or confidential information irrelevant to the employee’s job scope without following the proper procedures. It is therefore important for Devon Accounting to have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive and confidential information, what they should do to handle information securely, and the risks of mishandling it. SAT should be run as a continuous program so that training and knowledge are not delivered merely as an annual activity but are used to sustain a high level of security awareness in Devon Accounting day after day.
The key to effective security awareness training is directing and targeting the delivery of applicable and appropriate material to the right audience in a timely and efficient manner. The communication channel should also fit Devon Accounting’s culture to ensure its effectiveness. By circulating security awareness material through multiple communication channels, the company ensures that all employees are exposed to the same information several times in different ways.
Last but not least, management training should give management stakeholders more detailed information regarding the consequences and penalties of a security breach. In other words, management should realise that it is not only the monetary penalties for failing to safeguard systems that must be avoided, but also the long-term negative impact on the company from reputational damage.
11. Security Policy Updates with Legal and Ethical Standards
A risk register is developed as a tool for managing and reducing the risks identified. The priorities assessment for Devon Accounting is performed using the risk register below.
| Threat | Predisposing conditions | Vulnerable entities | Confidentiality [H,M,L] | Integrity [H,M,L] | Availability [H,M,L] | Overall impact | Likelihood of attack initiation | Likelihood of success | Total likelihood | Overall risk rating | Cost effectiveness |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Denial of service | Traffic generation overwhelming system | All web servers | L | L | H | H | M | M | M | M | M |
| Malware | Infection of systems by malicious code | All servers and computers | H | H | H | H | M | M | M | H | H |
| Phishing | Impersonating staff to gain credentials | All servers and computers | H | H | H | H | M | M | M | H | H |
| Man-in-the-middle | Hijacking of data communicated between devices | All servers and computers | M | M | L | M | M | L | M | L | L |
| Cross site scripting | SQL injection attack on website data | All web servers | M | M | L | M | M | L | M | M | M |
| Lost or stolen laptop leads to exposure of sensitive data | No encryption on almost all laptops | All servers, network devices, and laptops | H | L | H | H | H | H | H | H | M |
| Credential re-use | Staff sharing passwords | All servers, network devices, and laptops | H | M | H | H | H | H | M | H | M |
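As an added check written for this edit (not part of the original report or its register), the following Python transcribes the ratings above and flags rows whose ratings disagree with one another. Its aggregation rules are assumptions, stated in the comments, used to surface inconsistencies for a reviewer rather than to re-score the register.

```python
"""Consistency check over the Devon Accounting risk register (added example).

Ratings are transcribed from the register in section 11. The rules below are
assumptions used only to flag rows that disagree with each other:
  * overall impact should be the highest of the C, I and A ratings;
  * equal (initiation, success) inputs should give equal total likelihood;
  * equal (impact, total likelihood) inputs should give equal risk rating.
"""
from collections import defaultdict

LEVEL = {"L": 1, "M": 2, "H": 3}

# Column order: threat, C, I, A, overall impact, likelihood of initiation,
# likelihood of success, total likelihood, overall risk rating.
THREAT, C, I, A, IMPACT, INIT, SUCCESS, TOTAL, RISK = range(9)

REGISTER = [
    ("Denial of service",     "L", "L", "H", "H", "M", "M", "M", "M"),
    ("Malware",               "H", "H", "H", "H", "M", "M", "M", "H"),
    ("Phishing",              "H", "H", "H", "H", "M", "M", "M", "H"),
    ("Man-in-the-middle",     "M", "M", "L", "M", "M", "L", "M", "L"),
    ("Cross site scripting",  "M", "M", "L", "M", "M", "L", "M", "M"),
    ("Lost or stolen laptop", "H", "L", "H", "H", "H", "H", "H", "H"),
    ("Credential re-use",     "H", "M", "H", "H", "H", "H", "M", "H"),
]


def check_overall_impact(register):
    """Return threats whose stated overall impact is not max(C, I, A)."""
    bad = []
    for row in register:
        expected = max(LEVEL[row[C]], LEVEL[row[I]], LEVEL[row[A]])
        if LEVEL[row[IMPACT]] != expected:
            bad.append(row[THREAT])
    return bad


def _conflicts(register, inputs, output):
    """Group rows by the chosen input columns and return every group whose
    output column is not constant, as {inputs: {output: [threats]}}."""
    groups = defaultdict(lambda: defaultdict(list))
    for row in register:
        key = tuple(row[col] for col in inputs)
        groups[key][row[output]].append(row[THREAT])
    return {key: {rating: sorted(threats) for rating, threats in outs.items()}
            for key, outs in groups.items() if len(outs) > 1}


def check_total_likelihood(register):
    """Same initiation/success likelihoods but different total likelihood."""
    return _conflicts(register, (INIT, SUCCESS), TOTAL)


def check_overall_risk(register):
    """Same overall impact/total likelihood but different overall risk."""
    return _conflicts(register, (IMPACT, TOTAL), RISK)


def run_checks(register):
    """Return only the checks that found something; empty means consistent."""
    findings = {
        "impact_not_max_of_cia": check_overall_impact(register),
        "total_likelihood_conflicts": check_total_likelihood(register),
        "overall_risk_conflicts": check_overall_risk(register),
    }
    return {name: result for name, result in findings.items() if result}


if __name__ == "__main__":
    for name, result in run_checks(REGISTER).items():
        print(f"{name}: {result}")
```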
a. Updated Policy
The updated security policy for Devon Accounting is already provided in the previous section, on Page 18 of this report. Having performed both risk and threat assessments for the current and future IT environment, additional details are to be added to the security policy, including legal and ethical standards, the Commonwealth Copyright Act 1968, the Australian Privacy Principles, and the ACS Code of Ethics. This policy applies to any person authorised to access any computer or device on Devon Accounting’s internal network. This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, and attorneys authorised to access any of Devon Accounting’s networks via remote access or direct access, for any reason.
b. Legal and Ethical Standards
All Devon Accounting employees are obliged to protect confidential information gained in the course of their professional activities, and must neither disclose it to any unauthorised party nor use it for personal gain. All employees, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services, shall:
act honourably, responsibly, diligently and lawfully, and uphold the reputation, standing and dignity of the company, employer or client with which the security professional has a professional or legal association.
protect client information in accordance with the client’s information security policy.
act in the interests of the security of society and of their client.
not abuse a professional position for personal gain, and reject improper inducements.
avoid conflicts of interest.
implement and follow processes for the clearance of partners, employees, contractors and other stakeholders in accordance with the classification of the client or employer information accessed.
avoid deceptive acts by actively taking steps to prevent corrupt practices or professional misconduct.
never knowingly mislead or allow others to be misled.
apply effective physical, procedural and IT controls to protect client or employer information in their care from unauthorised release.
apply the need-to-know principle.
c. Commonwealth Copyright Act 1968
The Commonwealth Copyright Act 1968 is referred to in preparing the policies, procedures and responsibilities that prevent infringement of software copyright and properly manage Devon Accounting’s software assets. All employees, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services, shall:
use software in accordance with licence agreements.
not make, without appropriate authority, copies of software owned or leased by Devon Accounting for work-related or personal purposes.
not remove, without appropriate authority, software owned or leased by Devon Accounting from Devon Accounting’s controlled premises.
not give, without reasonable excuse, copies of software owned or leased by Devon Accounting to persons outside the company.
report all instances of software misuse.
not install any software without approval from an authorised person.
d. Australian Privacy Principles (APPs)
The Australian Privacy Principles are to be followed when collecting and storing customers’ personal information. All employees, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services, shall:
only collect personal information if it is necessary for a function or activity of the business.
make available an up-to-date and clear privacy policy, setting out how the business manages personal information.
take reasonable steps to protect the personal information collected or held.
take reasonable steps to ensure that personal information collected is accurate, complete and up to date.
give individuals access to their personal information on request.
de-identify or delete unsolicited personal information as soon as practical if it is not necessary for a function or activity of the business.
not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances.
obtain the individual’s consent before collecting and using personal information, as is generally required.
not use or disclose personal information for direct marketing purposes, except in limited circumstances.
e. ACS Code of Ethics and Others
It is essential for Devon Accounting to adhere to the Australian Computer Society (ACS) Code of Ethics. The Society requires its members to subscribe to a set of values and ideals which uphold and advance the honour, dignity and effectiveness of the information technology profession. Under clause 4.3, members must act with professional responsibility and integrity in their dealings with the community and clients. To implement the ACS Code of Ethics in Devon Accounting’s security policy, the updated policy must explicitly cover the IT security consultant and the network administrator, because they have full control over system configuration and security testing. These roles therefore need to be monitored, and no one is exempt from complying with the security policy.
12. Review Security Plan (Approved Key Stakeholders)
Security risk and threat management requires monitoring to ensure Devon Accounting is able to adapt and respond to incidents and changes in its threat or risk environment, and thus prevent further exposure to hazards. Making decisions and implementing risk treatments is not the end of the security plan. In fact, the security planning cycle is continuous and requires constant review by approved key stakeholders to determine how effectively the protective security controls and measures are performing over time. [CITATION Thr19 l 3081 ]
To develop a better security plan for Devon Accounting, a cyber emergency response team such as AusCERT plays an important role. AusCERT is a leading Cyber Emergency Response Team (CERT) in Australia and the Asia Pacific region. This organisation monitors and assesses worldwide cyber network threats and vulnerabilities. It is a centralised point of information and provides notification services with incident warnings, security bulletins and information regarding phishing and malware activities predominantly targeted at Australian users. In addition, AusCERT provides updated information on a range of software and hardware products, as well as helping organisations and users to understand, identify and respond to threats worldwide.
Monitoring, Evaluation and Advice from AusCERT
AusCERT delivers both proactive and reactive incident response assistance to members by collecting information from a variety of sources to identify whether Devon Accounting’s network, or information associated with the company’s domain, has been or could be compromised. These sources include, but are not limited to, monitoring malicious activity on the Internet and identifying systems that may have been compromised.
To protect Devon Accounting’s external and internal systems from the comparatively high-rated threats such as phishing and malware, the company is advised to subscribe to AusCERT’s Incident Management Service. This subscription provides paid members with proactive detection of attacks that Devon Accounting may not otherwise have been aware of.
AusCERT acts as a trusted intermediary whose services complement those of Devon Accounting’s IT security department. More specifically, AusCERT is a dedicated service provider that offers data feeds containing the following essential information:
Compromised websites that are spreading malware.
Lists of hosts participating in denial of service (DoS) attacks.
Useful and updated information about phishing attacks.
Essential information concerning the leaking of confidential data.
Partnering with threat specialists such as AusCERT enhances protection and treatment implementation beyond what might otherwise exist within Devon Accounting’s internal IT security department. Ultimately, AusCERT’s incident management service helps Devon Accounting identify security incidents or breaches, reducing damage or loss in terms of finances, productivity, and customer confidence.
13. Change (Security Plan Upon Review)
The security plan should be reviewed at least annually and revised as necessary. Events that may necessitate review and revision of the security plan include theft or loss, and changes to relevant entity personnel.
Revision History
| Revision number | Summary of revision | Revision author | Date | Accepted by |
|---|---|---|---|---|
| 0.0 | DevonSecurityPlan_v.0 Initial draft: added more security policy based on preliminary observation. | IT Security Consultant – Soon Khen | 07 Sept 2019 | Network Administrator – Bill Simmons |
| 0.1 | DevonSecurityPlan_v.1 Second draft: larger areas of security taken into consideration in drafting the security plan, including risk and threat assessments. | IT Security Consultant – Soon Khen | 22 Sept 2019 | Network Administrator – Bill Simmons |
| 1.0 | DevonSecurityPlan_v1.0 Published security plan following review and advice from AusCERT. | IT Security Consultant – Soon Khen | 23 Oct 2019 | Network Administrator – Bill Simmons |
14. Conclusion
This comprehensive report is prepared after reviewing the organisational security policies and procedures to determine the critical business requirements of Devon Accounting’s expanding network, covering both wireless and wired networks.
The possible attacks and threats to the network are investigated and identified. These risks and threats are evaluated using the threat assessment matrix, which lists the possible effects of damage in terms of financial loss, productivity loss, and loss of customer confidence. Appropriate security controls are then recommended for implementation, including but not limited to updating the security policies and relevant documents. Ultimately, the new security strategies are reviewed with Devon Accounting’s approved key stakeholders. All changes made are properly documented for future reference and serve as a guideline for keeping IT security up to date. At the end of the report, the security policy is updated accordingly.
In conclusion, successful implementation of the IT security policy in Devon Accounting relies on:
Senior management’s commitment.
The full support and participation of all employees.
The competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organisation.
The awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of Devon Accounting.
An ongoing evaluation and assessment of the IT risks and threats for Devon Accounting.
15. References
Bashay, F. (2018, February 02). What Is the CIA Triangle and Why Is It Important for Cybersecurity Management? Retrieved from Difenda: https://www.difenda.com/blog/what-is-the-cia-triangle-and-why-is-it-important-for-cybersecurity-management
Bianco, D. (2019, May 22). 10 ways to prevent computer security threats from insiders. Retrieved from Tech Target: https://searchsecurity.techtarget.com/feature/Ten-ways-to-prevent-insider-security-threats
Introduction to network security. (2019). Retrieved from Cisco Small Business Resource Center: http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/network_security_checklist/index.html
Nield, D. (2019, January 25). What Happens if I Don’t Install Microsoft Updates? Retrieved from Chron: https://smallbusiness.chron.com/happens-dont-install-microsoft-updates-68004.html
Rosencrance, L. (2019, June 01). Top 10 types of information security threats for IT teams. Retrieved from Tech Target: https://searchsecurity.techtarget.com/feature/Top-10-types-of-information-security-threats-for-IT-teams
Rouse, M. (2018, June 15). Access Control. Retrieved from Tech Target: https://searchsecurity.techtarget.com/definition/access-control
Security Planning and Risk Management. (2019). Retrieved from Protective Security Policy Framework: https://www.protectivesecurity.gov.au/governance/security-planning-risk-management/Pages/default.aspx
Security Testing Methodology. (2019). Retrieved from QA Mentor: https://www.qamentor.com/methodologies/security-testing-methodology/
Stoneburner, G. (2002, July). Risk Management Guide for Information Technology Systems. United States: National Institute of Standards and Technology.
The 5 Pillars of Information Assurance. (2018, July 02). Retrieved from Norwich University Online: https://online.norwich.edu/academic-programs/resources/the-5-pillars-of-information-assurance
Tony, H. H. (2019, February 19). Penetration Testing Methodologies. Retrieved from OWASP: https://www.owasp.org/index.php/Penetration_testing_methodologies