Unit 5: Security
Security is one of the most important challenges modern organisations face. Security is about protecting organisational assets, including personnel, data, equipment and networks, from attack. This is done through prevention techniques, in the form of vulnerability testing/security policies, and through detection techniques, exposing breaches in security and implementing effective responses.
The aim of this unit is to provide students with knowledge of security, associated risks and how security breaches impact on business continuity. Students will examine security measures involving access authorisation, regulation of use, implementing contingency plans and devising security policies and procedures.
This unit introduces students to the detection of threats and vulnerabilities in physical and IT security, and how to manage risks relating to organisational security.
Among the topics included in this unit are Network Security design and operational topics, including address translation, DMZ, VPN, firewalls, AV and intrusion detection systems. Remote access will be covered, as will the need for frequent vulnerability testing as part of organisational and security audit compliance.
Students will develop skills such as communication literacy, critical thinking, analysis, reasoning and interpretation, which are crucial for gaining employment and developing academic competence.
LO1: Assess risks to IT security
- IT security risks:
- Risks: unauthorised use of a system; unauthorised removal or copying of data or code from a system; damage to or destruction of physical system assets and environment; damage to or destruction of data or code inside or outside the system; naturally occurring risks.
- Organisational security: business continuance; backup/restoration of data; audits; testing procedures e.g. data, network, systems, operational impact of security breaches, WANs, intranets, wireless access systems.
LO2: Describe IT security solutions
- IT security solution evaluation:
- Network Security infrastructure: evaluation of NAT, DMZ, FWs.
- Network performance: RAID, Main/Standby, Dual LAN, web server balancing.
- Data security: explain asset management, image differential/incremental backups, SAN servers.
- Data centre: replica data centres, virtualisation, secure transport protocol, secure MPLS routing and remote access methods/procedures for third-party access.
- Security vulnerability: logs, traces, honeypots, data mining algorithms, vulnerability testing.
LO3: Review mechanisms to control organisational IT security
- Mechanisms to control organisational IT security:
- Risk assessment and integrated enterprise risk management: network change management, audit control, business continuance/disaster recovery plans, potential loss of data/business, intellectual property, hardware and software; probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO 31000 standards.
- Company regulations: site or system access criteria for personnel; physical security types e.g. biometrics, swipe cards, theft prevention.
LO4: Manage organisational security
- Manage organisational security:
- Organisational security: policies e.g. system access, access to internet email, access to internet browser, development/use of software, physical access and protection, 3rd party access, business continuity, responsibility matrix.
- Controlling security risk assessments and compliance with security procedures and standards e.g. ISO/IEC 17799:2005 Information Technology (Security Techniques – code of practice for information security management); informing colleagues of their security responsibilities and confirming their understanding at suitable intervals; using enterprise risk management for identifying, evaluating, implementing and following up security risks according to ISO 31000 standards.
- Security: tools e.g. user log-on profiles to limit user access to resources; online software to train and update staff; auditing tools to monitor resource access; security audits; penetration testing; ethical hacking; gathering and recording information on security; initiating suitable actions for remediation.