Unit 5 Security

The document discusses an internal verification of assessment decisions for a student named R.H.M.D.V.S.S.BANDARA RAJAKARUNA who was assessed for Unit 05: Security. The internal verifier checked that the assessor's evaluation of the student's work against the assessment criteria was accurate and justified before signing off on the assessment decision. Signatures from the assessor, internal verifier, and programme leader, if required, were needed to confirm and finalize the assessment decision.

Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)


INTERNAL VERIFICATION – ASSESSMENT DECISIONS
Programme title: BTEC Higher National Diploma in Computing
Assessor:    Internal Verifier:
Unit(s): Unit 05: Security
Assignment title: EMC Cloud Solutions
Student’s name: R.H.M.D.V.S.S.BANDARA RAJAKARUNA
List which assessment criteria the Assessor has awarded: Pass    Merit    Distinction
INTERNAL VERIFIER CHECKLIST
Do the assessment criteria awarded match those shown in the assignment brief? Y/N
Is the Pass/Merit/Distinction grade awarded justified by the assessor’s comments on the student work? Y/N
Has the work been assessed accurately? Y/N
Is the feedback to the student:
• Constructive? Y/N
• Linked to relevant assessment criteria? Y/N
• Identifying opportunities for improved performance? Y/N
• Agreeing actions? Y/N
Give details:
Does the assessment decision need amending? Y/N
Assessor signature    Date

Internal Verifier signature    Date

Programme Leader signature (if required)    Date

R.H.M.D.V.S.S.B.Rajakaruna HND Computing Badge – 35 KUR/A-018363


Confirm action completed
Remedial action taken

Give details:

Assessor signature    Date

Internal Verifier signature    Date

Programme Leader signature (if required)    Date

Higher Nationals - Summative Assignment Feedback Form
Student Name/ID: R.H.M.D.V.S.S.BANDARA RAJAKARUNA KUR/A018363

Unit Title: Unit 05: Security

Assignment Number: 1    Assessor:

Submission Date:        Date Received 1st submission:

Re-submission Date:     Date Received 2nd submission:

Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descripts: P1 P2 M1 D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descripts: P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descripts: P5 P6 M3 M4 D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descripts: P7 P8 M5 D3

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have been agreed at the assessment board.

Pearson Higher Nationals in Computing
Unit 5: Security

General Guidelines
1. A cover page or title page – You should always attach a title page to your assignment. Use the previous page as
your cover sheet and be sure to fill in the details correctly.
2. This entire brief should be attached at the front before you start answering.
3. All assignments should be prepared using word processing software.
4. All assignments should be printed on A4 sized paper, and make sure to use single-sided printing only.
5. Allow a 1” margin on each side of the paper, but on the left side you will need to leave room for binding.

Word Processing Rules


1. Use a font type that will make it easy for your examiner to read. The font size should be 12 point, and should be
in the style of Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all headings are consistent in terms of size and font style.
4. Use the footer function of the word processor to insert your name, subject, assignment number and page number
on each page. This is useful if individual sheets become detached for any reason.
5. Use the word processing application’s spell check and grammar check functions to help edit your assignment.

Important Points:
1. Check carefully the hand-in date and the instructions given with the assignment. Late submissions will not be
accepted.
2. Ensure that you give yourself enough time to complete the assignment by the due date.
3. Don’t leave things such as printing to the last minute – excuses of this nature will not be accepted for failure
to hand in the work on time.
4. You must take responsibility for managing your own time effectively.
5. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in
writing) for an extension.
6. Failure to achieve at least a PASS grade will result in a REFERRAL grade being given.
7. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to
complete an alternative assignment.
8. Take great care that if you use other people’s work or ideas in your assignment, you properly reference them,
using the HARVARD referencing system, in your text and any bibliography, otherwise you may be guilty of
plagiarism.
9. If you are caught plagiarising you could have your grade reduced to a REFERRAL or at worst you could be
excluded from the course.

Student Declaration

I hereby declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.
2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the assignments for this
programme.
4. I declare therefore that all work presented by me for every aspect of my programme will be my own, and where
I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document, signed or not, constitutes a binding agreement between
myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to it.

Student’s Signature: (Provide E-mail ID)    Date: (Provide Submission Date)

Assignment Brief
Student Name /ID Number

Unit Number and Title: Unit 5: Security

Academic Year 2017/2018

Unit Tutor

Assignment Title EMC Cloud Solutions

Issue Date

Submission Date

IV Name & Date

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:

LO1 Assess risks to IT security.


LO2 Describe IT security solutions.
LO3 Review mechanisms to control organisational IT security.
LO4 Manage organisational security.

Assignment Brief and Guidance:

EMC Cloud Solutions is reputed to be the nation’s most reliable cloud solution provider in Sri Lanka.
A number of high-profile businesses in Sri Lanka, including the Esoft Metro Camps network, SME Bank Sri
Lanka and WEEFM, are served by EMC Cloud Solutions. EMC Cloud provides nearly 500 customers with
SaaS, PaaS and IaaS solutions with high-capacity compute and storage options. EMC is also a selected
contractor for the Sri Lanka Ministry of Defense for hosting government and defense systems.

EMC’s central data center facility is located in Colombo, Sri Lanka, along with its corporate head office in
Bambalapitiya. Its premises at Bambalapitiya are a six-storey building with the 1st floor dedicated to sales
and customer services and equipped with a public wifi facility. The second floor hosts the HR, Finance and
Training & Development departments, and the third floor hosts the boardroom and offices for senior executives
along with the IT and Data Center department. Floors 4, 5 and 6 host the computer servers which make up the
data center.

With the rapid growth of information technology in the Kandy area in recent years, EMC sees an opportunity to
extend its services to Kandy, Sri Lanka. As yet, the organisation is still considering the nature of such an
extension: what to implement, where a suitable location would be, and other essential options such as
security are still being discussed.

You are hired by the management of EMC Solutions as a Security Expert to evaluate the security-related
specifics of its present system, to provide recommendations on security- and reliability-related
improvements to its present system, and to plan the establishment of the extension on a solid
security foundation.

Activity 01

Assuming the role of External Security Consultant, you need to compile a report for the board of EMC Cloud
Solutions focusing on the following elements:
1.1 Identify the types of security risks EMC Cloud is subject to in its present setup, and the impact such
issues would create on the business itself.

1.2 Develop and describe security procedures for EMC Cloud to minimize the impact of the issues discussed
in section (1.1) by assessing and treating the risks.

Activity 02
2.1 Discuss how EMC Cloud and its clients will be impacted by improper/incorrect configurations which
are applicable to firewalls and VPN solutions.

2.2 Explain how the following technologies would benefit EMC Cloud and its clients by facilitating a
‘trusted network’. (Support your answer with suitable illustrations.)
i) DMZ
ii) Static IP
iii) NAT
2.3 Discuss the benefits of implementing network monitoring systems.

Activity 03
3.1 Formulate a suitable risk assessment procedure for EMC Cloud Solutions to safeguard itself and its
clients.

3.2 Explain the mandatory data protection laws and procedures which will be applied to the data storage
solutions provided by EMC Cloud. You may also highlight the ISO 31000 risk management methodology.

3.3 Comment on the topic ‘IT Security & Organizational Policy’.

Activity 04

4.1 Develop a security policy for EMC Cloud to minimize exploitation and misuse, while evaluating
the suitability of the tools used in an organizational policy.

4.2 Develop and present a disaster recovery plan for EMC Cloud for all its venues to ensure maximum
uptime for its customers (the student should produce a PowerPoint-based presentation which illustrates the
recovery plan within 15 minutes, including justifications and reasons for the decisions and options
used).

4.3 ‘Creditors, directors, employees, government and its agencies, owners/shareholders, suppliers, unions,
and the other parties from which the business draws its resources’ are the main branches of any
organization. Discuss the role of these groups in implementing security audit recommendations for the
organization.

Grading Rubric
Grading Criteria    Achieved    Feedback

LO1 Assess risks to IT security

P1 Identify types of security risks to organisations.

P2 Describe organizational security procedures.

M1 Propose a method to assess and treat IT security risks.

LO2 Describe IT security solutions

P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and
third-party VPNs.

P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve
network security.

M2 Discuss three benefits to implement network monitoring systems with supporting reasons.

D1 Investigate how a ‘trusted network’ may be part of an IT security solution.

LO3 Review mechanisms to control organisational IT security

P5 Discuss risk assessment procedures.

P6 Explain data protection processes and regulations as applicable to an organisation.

M3 Summarise the ISO 31000 risk management methodology and its application in IT security.

M4 Discuss possible impacts to organizational security resulting from an IT security audit.

D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any
misalignment.

LO4 Manage organizational security

P7 Design and implement a security policy for an organisation.

P8 List the main components of an organisational disaster recovery plan, justifying the reasons for
inclusion.

M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.

D3 Evaluate the suitability of the tools used in an organisational policy.

Activity 01

1.1
Introduction

EMC is a well-reputed cloud solution provider in Sri Lanka. Its customers include SME Bank Sri Lanka and the
WEEFM company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers, and its customer base is
roughly five hundred. The head office of EMC is situated in Bambalapitiya, in a six-storey building. In this
building the first floor is dedicated to customer services, the second floor to HR, and the finance and training
departments are on the third floor. Floors four, five and six hold the computer servers. Unfortunately, the
company has no proper security system, either physical or computerised. A security system is a highly important
feature for a company, because without one the company faces various kinds of risks. According to the current
situation of EMC Cloud Solutions, there is no security system at all.

1.1.1 Types of Cloud

There are the following 4 types of cloud that you can deploy according to the organization's needs:

1. Public Cloud
2. Private Cloud
3. Hybrid Cloud
4. Community Cloud

1.1.2 What are the Security Risks of Cloud Computing?

Cloud computing provides various advantages, such as improved collaboration, excellent accessibility,
mobility, storage capacity, etc. But there are also security risks in cloud computing.

Some of the most common security risks of cloud computing are given below:

Data Loss

Data loss is the most common security risk of cloud computing. It is also known as data leakage. Data
loss is the process in which data is deleted, corrupted, or made unreadable by a user, software, or application.
In a cloud computing environment, data loss occurs when our sensitive data is in somebody else's hands, when one or
more data elements cannot be utilised by the data owner, when a hard disk is not working properly, or when software is
not updated.

Hacked Interfaces and Insecure APIs

As we all know, cloud computing completely depends on the Internet, so it is compulsory to protect the interfaces
and APIs that are used by external users. APIs are the easiest way to communicate with most cloud
services. In cloud computing, a few services are available in the public domain. These services can be accessed
by third parties, so there is a chance that these services can easily be harmed and hacked by hackers.

Data Breach

A data breach is the process in which confidential data is viewed, accessed, or stolen by a third party
without any authorisation, so the organisation's data ends up in the hands of hackers.

Vendor lock-in

Vendor lock-in is one of the biggest security risks in cloud computing. Organisations may face problems when
transferring their services from one vendor to another. As different vendors provide different platforms, that
can cause difficulty moving from one cloud to another.

Increased complexity strains IT staff

Migrating, integrating, and operating cloud services is complex for IT staff. IT staff require
extra capability and skills to manage, integrate, and maintain data in the cloud.

Spectre & Meltdown

Spectre and Meltdown allow programs to view and steal data which is currently being processed on a computer. They
affect personal computers, mobile devices, and the cloud. Passwords, personal information such as images and
emails, and business documents held in the memory of other running programs can be exposed.

Denial of Service (DoS) attacks

Denial of service (DoS) attacks occur when a server receives more traffic than it can buffer. Mostly,
DoS attackers target the web servers of large organisations such as banks, media companies, and
government organisations. Recovering from such an attack and restoring the affected data costs the victim a great
deal of time and money.

Account hijacking

Account hijacking is a serious security risk in cloud computing. It is the process in which an individual user's or
organisation's cloud account (bank account, e-mail account, or social media account) is stolen by hackers.
The hackers then use the stolen account to perform unauthorised activities.

1.1.3 Relationship between Vulnerabilities, Threats, Assets and Risks

Vulnerabilities are the weaknesses that allow a risk to arise. Every company may have vulnerabilities,
which is why many users and network professionals try to protect their computer systems from
vulnerabilities by keeping software security patches up to date. (https://www.hq.nasa.gov)

Threats to the company can come from inside the company and from outside the company.
Most threats originate outside the company. Threats are the potential for a vulnerability
to turn into an attack on computer systems, networks and more. They can put an individual’s computer system and
business computers at risk. According to Getcybersafe.gc.ca, some of the common threats are hacking,
malware, spam, phishing, botnets etc. (https://www.researchgate.net)

Assets are the physical resources that the company has. Normally a company measures its profit from its remaining
assets. Assets are resources which have an economic value that an individual, corporation or country owns
with the expectation that they will provide a future benefit. (https://www.investopedia.com)

Risks are the adverse situations that may happen to the business in the near future. Basically, risks
are defined as the external and internal vulnerabilities that occur negatively.

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by
external or internal vulnerabilities is known as a risk. (https://www.paperdue.com)

1.1.4 Identification of security risks that EMC will face

In a business, risks are the adverse situations that may happen to the business in the near future. Basically,
a risk is defined as an external or internal vulnerability that affects the business negatively; for
example, the possibility of damage to the business, an increase in liabilities, or a loss are certain kinds of risk
to a business. When we talk about EMC, there are various kinds of risks that can occur to the
company because there is no proper security system.

1.1.5 List of Risks

1. Physical damage

Physical damage is basically the damage that can happen to physical property. EMC has no
physical security system, so the possibility of such damage occurring is high for the company. When a
company suffers physical damage it causes a huge loss, because the property used by the company is damaged
and the company can no longer perform as well as it did in the past. (https://warframe.fandom.com)

2. Equipment malfunction

Equipment malfunction means that when there is no anti-virus protection on the computers or other electronic
equipment, they get infected by viruses and gradually malfunction. So without any security, equipment
malfunction is also a certain type of risk to EMC. (http://fixcleanerpc2017.com)

3. Misuse of data

Misuse of data is a result of the lack of a security system. Misuse of data badly harms the company: the value
of its assets falls, and sometimes the company goes bankrupt for this reason. So misuse of data affects
the company severely. (https://blog.ssa.gov/)

4. Loss of data

Loss of data is another risk that can affect the company when there is no security, as people may commit
fraud against the business. Data loss is any process or event that results in data being corrupted, deleted
or made unreadable by the user. (https://www.investopedia.com)

1.2 Security procedures developed to avoid the risks

Procedures and policies are the rules and regulations implemented by every company for its security, to avoid
various types of fraud, etc. These procedures and policies should be obeyed by both employees and
employers. The other reason to implement rules and regulations is to keep the business going in the future. Likewise,
EMC has implemented various procedures to minimize its risks. The risks described above are some of the risks
faced by EMC; the procedures below address them.

1.2.1 List of Security procedures

1. Property damage claim procedure

For the first risk in the list of risks, to reduce the physical damage that can happen to
physical property we can use a good security system, but basically the best method is to maintain a
property damage claim procedure. This means that when something unfortunate happens to our property, we
can claim for our loss, according to the loss we suffered, by using this property damage claim procedure.
(https://www.thebalance.com/)

2. Regular inspection procedure

The second risk in the list that EMC is facing is equipment malfunction. To reduce it, we can implement
a new procedure called the regular inspection procedure, by which we can reduce equipment malfunction. When
we start to implement this procedure, we have to create an inspection schedule, and according to that schedule
we inspect our equipment on a regular basis; then we can reduce equipment malfunction. (https://www.osha.gov)

3. Monitor user action procedure

The third risk that EMC is facing is data misuse. To avoid that, we create a new procedure called the
monitor user action procedure; it is one of the best ways to avoid data misuse. It is very important to
monitor the actions of users working with sensitive information. Misuse of such data can expose the organisation
to very high damage-control costs, huge losses and even potential lawsuits. Users with high privileges
also pose an additional threat. So reducing data misuse is very important to EMC.
(https://docs.oracle.com/cd/)

4. Create backup procedures

To reduce the risk of data loss, we can create a backup of every piece of data we input to the computers.
By that we can reduce the risk of data loss. When a company reduces its risk of data loss, it
can enlarge its business area, because it can draw on the records of past situations it
has faced. (https://www.investopedia.com)
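As an added worked example of the monitor user action procedure described under item 3 (example code written for this page, not part of the original report and not EMC's own tooling): a small Python monitor that reads constructed audit-log lines and raises an alert when a privileged action on sensitive data happens outside business hours, or when one user reads an unusually large number of sensitive records in a single day. The log format, the field names, the 08:00 to 18:00 window and the bulk threshold of five reads are all assumptions chosen for illustration.

```python
"""Added example: a minimal user-action monitor for the 'Monitor user action
procedure'. Not part of the original report; the log format, the business
hours and the bulk-access threshold are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). Assumed format per line:
# <ISO timestamp> <user> <action> <resource> <classification>
SAMPLE_LOG = """
2024-03-04T09:15:02 alice READ   customer_db/records SENSITIVE
2024-03-04T09:16:40 alice READ   customer_db/records SENSITIVE
2024-03-04T10:02:05 carol READ   wiki/handbook       PUBLIC
2024-03-04T10:05:00 dave  READ   customer_db/records SENSITIVE
2024-03-04T10:06:00 dave  READ   customer_db/records SENSITIVE
2024-03-04T10:07:00 dave  READ   customer_db/records SENSITIVE
2024-03-04T10:08:00 dave  READ   customer_db/records SENSITIVE
2024-03-04T10:09:00 dave  READ   customer_db/records SENSITIVE
2024-03-04T23:41:11 bob   EXPORT customer_db/records SENSITIVE
"""

# Actions that change or move data; these get the after-hours check
PRIVILEGED_ACTIONS = {"EXPORT", "DELETE", "MODIFY"}


def parse_log(text):
    """Turn the text log into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, label = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "label": label,
        })
    return events


def find_suspicious(events, bulk_threshold=5, business_hours=(8, 18)):
    """Return a list of (reason, user, action, resource) alerts.

    Two checks, both only on SENSITIVE resources:
      after-hours : a privileged action outside business_hours
      bulk-access : one user's READ count for one day reaches bulk_threshold
    """
    start, end = business_hours
    reads_per_day = defaultdict(int)  # (user, date) -> number of SENSITIVE reads
    alerts = []
    for ev in events:
        if ev["label"] != "SENSITIVE":
            continue
        outside_hours = not (start <= ev["time"].hour < end)
        if ev["action"] in PRIVILEGED_ACTIONS and outside_hours:
            alerts.append(("after-hours", ev["user"], ev["action"], ev["resource"]))
        if ev["action"] == "READ":
            key = (ev["user"], ev["time"].date())
            reads_per_day[key] += 1
            # Alert once, at the moment the threshold is crossed
            if reads_per_day[key] == bulk_threshold:
                alerts.append(("bulk-access", ev["user"], "READ", ev["resource"]))
    return alerts


ALERTS = find_suspicious(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for reason, user, action, resource in ALERTS:
        print(f"ALERT {reason}: {user} {action} {resource}")
```

Run against the constructed log this flags dave's fifth read of the customer records and bob's late-night export; alice's two reads and carol's access to a public page produce nothing. In a real deployment the thresholds would be tuned per role and the alerts fed to whoever reviews user activity, but the structure, parse, classify, count, alert, is the same.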

1.3 What is the risk management process?

To keep a company going over a long period we have to maintain the company in a good manner. So
we have to protect the company from security breaches, data losses, cyber-attacks, system failures and
natural disasters. To manage those risks there is a risk management process. The risk management process
means monitoring and managing potential risks in order to minimize the negative impact they may
have on an organisation. Among security breaches, data losses, cyber-attacks, system failures and
natural disasters, an effective risk management process will help identify which risks pose the biggest
threat to an organisation and provide guidelines for handling them. To carry out the risk management
process effectively there are three steps. They are:

1. Risk Assessment and Analysis – The primary step of the risk management process is the
risk assessment and analysis stage. A risk assessment assesses an organisation's exposure to
uncertain events that could impact its day-to-day activities and estimates the damage those events could
do to the organisation's income and reputation.

2. Risk Evaluation – After the risk assessment or analysis has been completed, a risk evaluation should
take place. A risk evaluation compares the estimated risk against the risk criteria that the organisation
has already established. Risk criteria can include associated costs and benefits, socio-economic
factors, legal requirements and system malfunctions.

3. Risk Treatment and Response – The last step in the risk management process is risk treatment and
response. Risk treatment is the implementation of policies and procedures that will help avoid or
minimize risks. Risk treatment also extends to risk transfer and risk financing.

1.3.1 What is Risk Treatment?

When any risks occur to the company, we have to minimize or avoid those kinds of risks,
and to avoid or reduce those risks we have to use certain kinds of strategies. Avoiding
risks by using strategies is known as risk treatment. Specific treatment strategies can be created to treat specific
risks which have been identified. Treatment strategies may differ, depending on the risk context.

Purpose of risk treatment – The purpose of risk treatment is to reduce, remove or transfer risk from
the company. It is often better for a company to plan ahead and prevent a risk from occurring than it is for
it to take the chance and face that risk. Planning ahead can save a company a lot of time and money,
because some risks may prove to be very damaging to a business. When we talk about risk treatments there are
two main types of risk treatment. They are:

• Avoidance strategies – These tactics seek to totally stop a potential risk from happening or
impacting on a company at all. The main subdivisions of the avoidance strategies group are transfer
and change.
• Minimize strategies – These tactics seek to reduce the influence of a risk on a product or
organisation, so that as little damage as possible is done. Reduction tactics are frequently used when
avoidance strategies are not possible, or have already been unsuccessful.

(https://www.investopedia.com)
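As an added example (written for this page, not taken from the report or from EMC) of the three steps of the risk management process, assessment, evaluation and treatment, together with the treatment strategies just listed: a small Python risk register. It scores each risk, rates it against the organisation's criteria, applies the matching procedure, and then re-evaluates the residual risk so that a treatment that does not bring the risk to an acceptable level is flagged. The 1 to 5 likelihood and impact scales, the rating thresholds, the "accept" outcome for low residual risk, and the reduction each control achieves are assumptions chosen for illustration; the risks and procedures are the four pairs named in sections 1.1.5 and 1.2.1.

```python
"""Added example: a small risk register that walks the three steps above
(assess, evaluate, treat) for the four risks and procedures named in this report.
Not part of the original report; the 1..5 scales, the rating thresholds and
the reductions each control achieves are assumptions made for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        # Step 1, assessment and analysis: a simple likelihood x impact score
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str              # "avoid", "minimize" or "transfer"
    likelihood_reduction: int  # scale points the control takes off likelihood
    impact_reduction: int      # scale points the control takes off impact


# Step 2, evaluation: the organisation's risk criteria, as (rating, minimum score)
CRITERIA = (("critical", 15), ("high", 10), ("medium", 5), ("low", 0))
ACCEPTABLE = {"low", "medium"}   # residual ratings the organisation will accept


def evaluate(risk: Risk) -> str:
    """Compare the scored risk against the criteria and return its rating."""
    for rating, threshold in CRITERIA:
        if risk.score >= threshold:
            return rating
    return "low"


def treat(risk: Risk, control: Control) -> Risk:
    """Step 3, treatment: apply a control and return the residual risk."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - control.likelihood_reduction),
                   impact=max(1, risk.impact - control.impact_reduction))


def build_register(risks, controls):
    """Assess, evaluate and treat every risk; highest inherent score first."""
    register = []
    for risk in sorted(risks, key=lambda r: r.score, reverse=True):
        control = controls.get(risk.name)
        residual = treat(risk, control) if control else risk
        residual_rating = evaluate(residual)
        register.append({
            "risk": risk.name,
            "inherent": risk.score,
            "rating": evaluate(risk),
            "strategy": control.strategy if control else "untreated",
            "control": control.name if control else None,
            "residual": residual.score,
            "residual_rating": residual_rating,
            "accepted": residual_rating in ACCEPTABLE,
        })
    return register


# The four risks from section 1.1.5 with constructed scores
RISKS = [
    Risk("Physical damage", likelihood=2, impact=5),
    Risk("Equipment malfunction", likelihood=4, impact=3),
    Risk("Misuse of data", likelihood=3, impact=5),
    Risk("Loss of data", likelihood=4, impact=5),
]

# The four procedures from section 1.2.1, each mapped to a treatment strategy
CONTROLS = {
    "Physical damage": Control("Property damage claim procedure", "transfer", 0, 3),
    "Equipment malfunction": Control("Regular inspection procedure", "minimize", 2, 0),
    "Misuse of data": Control("Monitor user action procedure", "minimize", 1, 1),
    "Loss of data": Control("Create backup procedures", "minimize", 0, 3),
}


if __name__ == "__main__":
    for row in build_register(RISKS, CONTROLS):
        print(f"{row['risk']:<22} {row['inherent']:>2} {row['rating']:<8} -> "
              f"{row['strategy']:<8} {row['residual']:>2} {row['residual_rating']:<6} "
              f"{'accepted' if row['accepted'] else 'NEEDS MORE TREATMENT'}")
```

The point of re-evaluating after treatment is that the same criteria used to rate the inherent risk decide whether the chosen procedure is enough; a risk with no control, or with a control that leaves it rated high or critical, stays on the register as needing further treatment rather than being silently closed.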

1.3.2 Risk treatment related to the scenario

When any risks occur to the company, we have to minimize or avoid those kinds of risks,
and to avoid or reduce those risks we have to use certain kinds of strategies. Avoiding
risks by using strategies is known as risk treatment. EMC also faces many risks: physical damage
that can occur to the company, equipment malfunction, data misuse and data loss. For these kinds of risks
there are many treatments or procedures that can be implemented to overcome them: the property damage claim
procedure, the regular inspection procedure, the monitor user action procedure and the backup procedures.
By using these kinds of strategies EMC can treat the risks and overcome them.

Activity 02

2.1 Potential impact to the organisation when there is an improper firewall system and
VPNs

2.1.1 What are Firewalls?

Many reputed IT companies install a firewall system on their servers because it is like a security
system used to protect important information. Broadly speaking, a firewall is a
software program used to prevent unauthorised access to or from a private network. Access
from an unauthorised network or from another private network is a risk to the company, because an intruder could
take all the internal information through it, so to prevent that most companies use a firewall
system. Firewalls are tools that can be used to enhance the security of the computers connected to a
network. Installing a firewall system sets the computer apart; in other words the firewall
isolates our computer from the Internet using a wall of code. A firewall has various abilities; its main ability is
that it can enhance security by enabling granular control over what types of system functions are allowed. Some people
think that a firewall is a system used to control the traffic that passes through the network,
but it is actually software used to prevent unauthorised access to network systems. Normally these are
the things that are done by a firewall system (https://www.fieldengineer.com/):

• Defend resources
• Validate access
• Manage and control network traffic
• Record and report on events
• Act as an intermediary

2.1.2 What is a Firewall Policy?

A firewall policy is a set of rules that defines how the firewall software is used, so that the software is easy to
manage. The firewall is an application designed to control the flow of Internet Protocol (IP) traffic, and the
firewall policy covers the types of firewalls and firewall architectures. When we talk about the types of firewalls
there are various types. They are:

• Packet filters
• Proxy servers
• Application gateways
Packet Filters: A packet filter is a firewall that checks each packet against user-defined filtering rules to
decide whether to pass or block it. For example, a filtering rule might require all Telnet requests to be
dropped. Using this information, the firewall will block all packets that have port number 23 (the default port
number for Telnet) in their header. Filtering rules can be built on source IP address, destination IP address,
Layer 4 (that is, TCP/UDP) source port, and Layer 4 destination port. Thus, a packet filter makes decisions
based on the network layer and the transport layer.

Proxy Servers: A proxy server is an application that redirects users' requests to the real services based on
an organization's security policy. All messages between a user and the actual server pass through the proxy
server. Thus, a proxy server acts as a communications broker between clients and the real application
servers. Because it acts as a checkpoint where requests are validated against specific applications, a proxy
server is usually processing intensive and can become a bottleneck under heavy traffic conditions.

Application Gateways: An application gateway is a proxy server that offers access control at the application
layer. It acts as an application-layer gateway between the protected network and the untrusted network.
Because it works at the application layer, it is able to examine traffic in detail and is therefore considered
the most secure type of firewall. It can stop certain applications, such as FTP, from entering the protected
network. It can also log all network actions per application for both accounting and security audit
purposes. (https://docs.microsoft.com/)

2.1.3 What is a virtual private network (VPN)?

When we browse or search for something across a network, our web traffic is exposed to snooping,
interference and censorship; to avoid this we can use a VPN (virtual private network). A VPN is a secure
tunnel between two or more devices that protects web traffic from snooping, interference and censorship. A
VPN uses data encryption and other security mechanisms to prevent unauthorized users from accessing data,
and to ensure that data cannot be modified without detection as it flows through the Internet. It then uses the
tunneling process to transport the encrypted data across the Internet. Tunneling is a mechanism for
encapsulating one protocol in another protocol. In the context of the Internet, tunneling allows such protocols
as IPX, AppleTalk, and IP to be encrypted and then encapsulated in IP. Similarly, in the context of VPNs,
tunneling disguises the original network layer protocol by encrypting the packet and enclosing the encrypted
packet in an IP envelope. This IP envelope, which is an IP packet, can then be transported securely across the
Internet. At the receiving side, the envelope is removed and the data it contains is decrypted and delivered to
the appropriate access device, such as a router. (https://www.vpnsecure.me/)
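The encapsulate, transport, verify and decapsulate sequence just described, as an added example that is not part of the original assignment or of any VPN product. Python's standard library has no AES, so the cipher used here is a keystream derived from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); it stands in for the IPsec or TLS cipher suite a real VPN would use. The gateway addresses, the keys and the IPX inner packet are constructed for the illustration.

```python
"""VPN tunnelling: encrypt an inner packet and wrap it in an outer IP envelope.

Added illustration, not code from the original assignment or from any VPN
product. The cipher is a keystream built from HMAC-SHA256 in counter mode,
with a second HMAC key for the integrity tag (encrypt-then-MAC), standing
in for the IPsec/TLS cipher suite a real VPN uses. Addresses and keys are
constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output size

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (modified in transit)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None          # detected modification: the receiver drops the packet
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encapsulate(gw_src: str, gw_dst: str, inner_packet: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """Build the outer IP envelope: a routable header plus the sealed inner packet."""
    return {"src": gw_src, "dst": gw_dst, "proto": "tunnel",
            "payload": seal(enc_key, mac_key, inner_packet)}

def decapsulate(envelope: dict, enc_key: bytes, mac_key: bytes):
    """Strip the envelope and recover the inner packet, or None if it was tampered with."""
    if envelope.get("proto") != "tunnel":
        return None
    return open_sealed(enc_key, mac_key, envelope["payload"])

def demo(tamper: bool = False):
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # shared by both VPN gateways
    # Constructed inner packet: a non-IP protocol (IPX) carried across the Internet.
    inner = b"IPX|net=0x1A2B|node=00:11:22:33:44:55|payload=hello from branch office"
    env = encapsulate("198.51.100.1", "203.0.113.9", inner, enc_key, mac_key)
    if tamper:
        # Flip one bit of the ciphertext while the envelope crosses the Internet.
        p = bytearray(env["payload"])
        p[20] ^= 0x01
        env["payload"] = bytes(p)
    return decapsulate(env, enc_key, mac_key)

if __name__ == "__main__":
    print("intact:", demo())
    print("tampered:", demo(tamper=True))
```

The receiving gateway never decrypts before the tag verifies, so a modified envelope produces no output at all rather than corrupted plaintext; that ordering is the whole point of the "cannot be modified without detection" property.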

2.1.4 What is a VPN policy?

A VPN policy is a set of rules that describes how this secure tunnel is to be used, so that the tunnel is easy to
manage. The VPN is an application designed to protect web traffic from snooping, interference and censorship.
The VPN policy also covers the types of VPNs and VPN architectures. When we talk about the types of VPN
there are various types; they are



• Access VPNs provide remote users such as road warriors (or mobile users), telecommuters, and
branch offices with reliable access to corporate networks.
• Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure manner.
2.1.5 How do improper firewalls and VPNs impact the EMC Company?

EMC is a well reputed cloud solution provider in Sri Lanka. EMC provides its services to an SME bank in
Sri Lanka and to the WEEFM Company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers.
Not only in Sri Lanka: the EMC Company also does transactions with other countries, and when doing those
transactions firewalls and VPNs are the two pieces of software that are very important to install. Because
when doing transactions through networks, unauthorized users can attack the network system, and other
private networks can also attack the network system. When it is attacked, the attackers, especially
competitors, can obtain important information about the EMC Company. If the EMC Company's competitors get
the details about the company it is a huge risk to the company; to prevent these kinds of risks firewalls are
very important to install. And if the firewalls are improperly configured, we also have to face these risks

The other reason is the existence of improper VPNs, which is another problem that arises when doing online
transactions, because when we do online transactions without a proper VPN there may be web traffic, snooping
and interference; with such interference transactions cannot be completed properly and may buffer. Improper
VPNs may damage the reputation of the EMC Company, and because of that we have to install proper VPNs
(https://www.vpnsecure.me/)

2.2 Static IPs, DMZ and NAT.

2.2.1 What are static IPs?

A static Internet Protocol (IP) address (static IP address) is a permanent number assigned to a computer by an
Internet service provider (ISP). Static IP addresses are useful for gaming services, website hosting or Voice
over Internet Protocol (VoIP). Speed and reliability are key advantages. Because a static address is constant,
systems with static IP addresses are more exposed to data extraction and face higher security risks.

Advantages of Static IPs

• It is good for creating computer servers
• It makes geolocation easier
• It is also better for dedicated services

Disadvantages of static IPs

• A static IP address could be a security risk
• Static IPs are preferred for hosting servers
• The process to set a static IP is complex



(https://www.techopedia.com/)

What are DHCP IPs?

A DHCP server is used to assign IP addresses and automatically configure other network information.
In most homes and small businesses, the router acts as the DHCP server. In large networks, a single
computer may act as the DHCP server.

In short, the process goes like this: a device (the client) requests an IP address from a router (the host), after
which the host assigns an available IP address to allow the client to communicate on the network.

Advantages of DHCP IPs

• DHCP IPs are easy to manage
• We can create a tailored configuration for clients
• Clients can use DHCP to obtain the information they need

Disadvantages of DHCP IPs

• There are many security issues with DHCP IPs
• There is a single point of failure when there is only one DHCP server
• There are problems with the DHCP server if we are using older Microsoft servers.

2.2.2 What is a DMZ?

DMZ means demilitarized zone; this refers to a host or a network that exists as a secure, intermediate
network, in other words we define it as a path between an organization's internal network and the external
network. A DMZ is mainly used to protect an internal network from communication with, exploitation by and
access from external nodes and networks. A DMZ can be a logical sub-network, or a physical network acting as
a safe bridge between an interior and exterior network. A DMZ network has restricted access to the internal
network, and all of its communication is scanned on a firewall before being transported internally. If an
attacker plans to breach or attack an organization's network, a successful attempt will only result in the
compromise of the DMZ network, not the core network behind it. A DMZ is considered more secure, safer than a
firewall, and can also work as a proxy server. (https://searchsecurity.techtarget.com/)

2.2.3 Real function of the DMZ

The overall idea is that you put your public-facing servers in the "DMZ network" so that you can separate
them from your private, trusted network. The use case is that because your server has a public face, it can be
more easily compromised. If that happens, and a malicious party gains access to your server, they should be
isolated in the DMZ network and not have direct access to the private hosts
(https://searchsecurity.techtarget.com/)



2.2.4 Architecture of DMZ networks

There are many ways to design a network with a DMZ. The two basic approaches are to use either one or two
firewalls, though most modern DMZs are designed with two firewalls. The basic method can be extended to
create complex architectures, depending on the network requirements. A single firewall with at least three
network interfaces can be used to create a network architecture containing a DMZ. The outside network is
formed by connecting to the public internet. Different sets of firewall rules for traffic between the internet and
the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic
are permitted into the DMZ from the internet, limit connectivity to specific hosts in the internal network and
prevent unsolicited connections either to the internet or the internal LAN from the DMZ
(https://searchsecurity.techtarget.com/)
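A zone-aware packet filter covering both the Telnet rule from the packet-filter description in 2.1.2 and the single-firewall, three-interface DMZ layout described here, as an added example that is not part of the original assignment or of any firewall product. The address ranges, hosts and rule set are constructed; rules are checked in order, the first match decides, and anything unmatched is dropped (default deny), which is how unsolicited connections out of the DMZ are prevented.

```python
"""Stateless packet filter with the three-zone (internet / DMZ / LAN) layout.

Added example, not from the original assignment: the address plan, hosts
and rules are constructed. A rule matches on the source and destination
zone (derived from the interface the address belongs to), the protocol,
the Layer 4 destination port and optionally a single destination host.
First match wins; no match means the packet is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for the three interfaces of one firewall.
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),   # documentation range, stands in for the DMZ subnet
}
WEB_SERVER = "192.0.2.10"     # public-facing host in the DMZ
DB_SERVER = "10.0.0.20"       # the one internal host the DMZ may reach

def zone_of(addr) -> str:
    """Map an address to the interface it belongs to; anything else is the internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src_zone: Optional[str] = None    # None matches any value
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_host: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        src_ip, dst_ip = ip_address(pkt.src), ip_address(pkt.dst)
        return all([
            self.src_zone is None or zone_of(src_ip) == self.src_zone,
            self.dst_zone is None or zone_of(dst_ip) == self.dst_zone,
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
            self.dst_host is None or dst_ip == ip_address(self.dst_host),
        ])

# Rule set following the text: Telnet (port 23) dropped everywhere, the
# internet may reach only the DMZ web server on 443, the DMZ may reach only
# one internal host on one port, the LAN may go out, and nothing lets the
# DMZ open connections to the LAN at large or to the internet.
RULES = [
    Rule("deny", proto="tcp", dport=23),
    Rule("allow", src_zone="internet", dst_zone="dmz", proto="tcp", dport=443, dst_host=WEB_SERVER),
    Rule("allow", src_zone="dmz", dst_zone="lan", proto="tcp", dport=5432, dst_host=DB_SERVER),
    Rule("allow", src_zone="lan", dst_zone="internet"),
    Rule("allow", src_zone="lan", dst_zone="dmz"),
]

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or 'deny' when none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets, one per case the text mentions.
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 443),   # internet -> DMZ web: allow
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51001, 23),    # Telnet: deny
        Packet("203.0.113.5", "10.0.0.20", "tcp", 51002, 443),    # internet -> LAN: deny
        Packet("192.0.2.10", "10.0.0.20", "tcp", 40000, 5432),    # DMZ -> database host: allow
        Packet("192.0.2.10", "10.0.0.30", "tcp", 40001, 22),      # DMZ -> other LAN host: deny
        Packet("192.0.2.10", "203.0.113.5", "tcp", 40002, 80),    # DMZ -> internet: deny
        Packet("10.0.0.5", "203.0.113.5", "tcp", 40003, 80),      # LAN -> internet: allow
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: {filter_packet(p)}")
```

Because this filter is stateless, the LAN-to-internet rule allows only the outbound direction; replies would need a matching inbound rule or, in a real firewall, connection tracking. That is exactly the gap the text's "unsolicited connections" wording points at, and why the DMZ-to-LAN rule is pinned to one host and one port.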

2.2.5 What is NAT (Network Address Translation)?

Network Address Translation is the process by which a network device, usually a firewall, assigns a public
address to a computer inside a private network. The key use of NAT is to limit the number of public IP
addresses an organization or company must use, for both economy and security purposes. However, to access
resources outside the network, like the internet, these computers have to have a public address in order for
replies to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so quickly
that the end user hardly knows it has occurred. A workstation inside a network makes a request to a computer
on the internet. Routers within the network identify that the request is not for a resource inside the network,
so they send the request to the firewall. The firewall sees the request from the computer with the internal IP.
It then makes the same request to the internet using its own public address, and returns the response from the
internet resource to the computer inside the private network. From the perspective of the workstation, it
appears that communication is directly with the site on the internet. When NAT is used in this way, all users
inside the private network who access the internet share the same public IP address. There are many
benefits we can get from Network Address Translation (NAT). They are,

• Reuse of private IP addresses
• Enhanced security for private networks by keeping internal addresses private from the external network
• Connecting a large number of hosts to the global internet using a smaller number of public (external)
IP addresses, thereby conserving IP address space.

(http://nokitel.im/index.php)
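The request and reply translation walked through above, as an added example that is not from the original text or from any real NAT implementation. Addresses and ports are constructed. The firewall keeps a table keyed on the private host, its port and the remote endpoint; replies are mapped back through that table, and an inbound packet with no table entry has no internal host to go to and is dropped, which is the "keeping internal addresses private" benefit in the list above.

```python
"""Port-based NAT (NAPT) table, as an added example (not from the original text).

The firewall rewrites the private source address/port of outbound packets
to its single public address and a port it allocates, remembers the
mapping, and reverses it for replies. Inbound packets with no mapping are
dropped. All addresses are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.1"   # the firewall's one public address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private src, sport, dst, dport) -> allocated public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (private src, sport)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: replace the private source with the public address and a new port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: only packets matching an existing mapping are forwarded."""
        key = (pkt.dport, pkt.src, pkt.sport)
        mapping = self.inbound.get(key)
        if mapping is None:
            return None   # unsolicited: no internal host corresponds to it, so it is dropped
        private_ip, private_port = mapping
        return replace(pkt, dst=private_ip, dport=private_port)

def demo():
    nat = Nat()
    # Two internal workstations talk to the same web server, even using the same source port.
    req1 = Packet("10.0.0.5", 51000, "198.51.100.7", 443)
    req2 = Packet("10.0.0.6", 51000, "198.51.100.7", 443)
    out1 = nat.translate_outbound(req1)
    out2 = nat.translate_outbound(req2)
    # Replies come back addressed to the public IP and the ports the firewall allocated.
    reply1 = Packet("198.51.100.7", 443, PUBLIC_IP, out1.sport)
    reply2 = Packet("198.51.100.7", 443, PUBLIC_IP, out2.sport)
    # A probe from an unknown host at the public address matches no mapping.
    probe = Packet("192.0.2.99", 4444, PUBLIC_IP, 40000)
    return {
        "out1": out1, "out2": out2,
        "in1": nat.translate_inbound(reply1),
        "in2": nat.translate_inbound(reply2),
        "probe": nat.translate_inbound(probe),
    }

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt if pkt is not None else "dropped (no mapping)")
```

The mapping is keyed on the remote endpoint as well as the allocated port, so even a packet sent to an in-use public port from a different host is refused; that is the conservative behaviour a firewall-based NAT wants, at the cost of making inbound services impossible without an explicit port-forwarding entry.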

2.2.6 How do Static IPs, DMZ and NAT help the EMC Company?

• Static IPs – A static IP is a permanent number assigned to a computer through an internet service
provider. Static IPs are useful for web hosting or Voice over Internet Protocol (VoIP). The main
advantages of using static IPs are speed and reliability. So, when the EMC Company is doing
transactions with external countries it needs a fast internet connection, and for these kinds of
activities static IPs are highly helpful to the EMC Company.

• DMZ – This refers to a host or network that exists as a secure and intermediate network; in other
words we can define it as a path between an organization's internal network and the external
network. When the EMC Company deals with its clients, some external network might attack
EMC's network. To prevent these kinds of attacks the EMC Company can use DMZ networks.

• NAT – Network address translation is used to limit the number of public IP addresses that the
EMC Company must use, for both economic and security purposes. When there is a public IP
address, the EMC Company's network has to reply to requests that come from unknown IP
addresses. To prevent these activities NAT is highly helpful to the EMC Company.

2.2.7 What is a Trusted Network System?

A Trusted Network System is a network of devices that are linked to each other, is open only to authorized
users, and allows only protected data to be transmitted. A Trusted Network System architecture uses
existing standards, protocols and hardware devices to implement "trust." Trusted Network Systems deliver vital
security services such as user authentication, comprehensive network device admission control, end-device
status checks, policy-based access control, traffic filtering, automated remediation of non-compliant devices
and auditing. The Trusted Computing Group has published industry standards for Trusted Network Systems.
Several commercial Trusted Network System technologies have been developed, including Cisco TrustSec,
Cisco Clean Access (formerly known as Cisco Network Admission Control) and Microsoft Network Access
Protection.

Components of the trusted network system

• Network Access Device: All connectivity to a Trusted Network System is implemented via a
network access device (NAD), which applies policy. NAD functionality may exist in devices such as
switches, routers, VPN concentrators and wireless access points.
• Posture Remediation Servers: These servers deliver remediation options to a client device in case of
non-compliance. For example, a server may keep the latest virus signatures and require a
non-compliant client device to load the signatures before joining a Trusted Network System.
• Directory Server: This server validates client devices based on their identities or roles.
• Posture Validation Servers: Posture validation servers assess the compliance of a client before it can
join a TN. A PVS is typically specialized for one client attribute, e.g. operating system version and
patch level or virus signature release.
• Other Servers: These contain trusted versions of audit, DNS, DHCP and VPN servers.
• Client Device: Every client device must be assessed prior to admission to a Trusted Network
System.
• Authorization and Access Control Server: The authorization and access control server holds the
policy and provides rules to NADs based on the results of authentication and posture validation.



(https://support.norton.com/)

2.3 What is a Network Monitoring System?

Network monitoring is the systematic effort to detect slow or failing network components, such as overloaded
or stopped/frozen servers, failing routers, failed switches or other problematic devices. In the event of a
network failure or similar outage, the network monitoring system alerts the network administrator. Network
monitoring is a subset of network management.

Network monitoring is generally carried out through software applications and tools. Network monitoring
services are broadly used to detect whether a given web server is operating and connected properly to
networks worldwide. Many servers that perform this job provide a more complete visualization of both the
Internet and networks. There are many benefits of a network monitoring system; the main three benefits are

• Protecting your network against attackers – A network monitoring system is able to identify
suspicious traffic, thereby allowing owners to act fast. A network monitoring service is able to
provide a broad overview of an SMB's entire IT infrastructure, so that nothing is missed.
Today, exploits are more sophisticated and advanced, and are able to target a system in a
variety of ways. Monitoring antivirus and firewall solutions separately may leave security gaps
• Keeping informed without in-house staff – A network monitoring service will send warnings
and information to an SMB owner as issues arise. Otherwise, an SMB may need to either attempt
to monitor their network security themselves or hire a full-time IT employee, which could be
very costly. Data breaches can be more harmful and more expensive the longer they go without
being noticed.
• Optimizing and monitoring your network – Many small business owners are aiming for
rapid growth. This growth is not possible if parts of their IT infrastructure are overloaded or
slowed. Network monitoring services will map out the infrastructure of a small business,
showing an SMB owner areas for development and any issues that currently need to be addressed.

(https://indesignsecrets.com/)
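The alerting behaviour described in this section (detect a failing or overloaded component and warn the administrator), as an added example that is not from the original text or from any monitoring product. The probe log lines, host names and thresholds are constructed; the monitor raises an alert only after three consecutive bad probes so that a single lost packet does not page anyone, and it fires once per bad streak rather than on every subsequent probe.

```python
"""Network monitor over probe results, as an added example (not from the
original text). It reads constructed probe log lines, tracks each host's
state and raises an alert only after CONSECUTIVE_BAD bad probes in a row.
"""
from collections import defaultdict
import re

LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) status=(?P<status>\S+)(?: rtt_ms=(?P<rtt>\d+))?")
RTT_LIMIT_MS = 500        # slower than this counts as overloaded
CONSECUTIVE_BAD = 3       # bad probes in a row before an alert is raised

# Constructed sample probe log (one line per probe; not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:00 host=web01 status=ok rtt_ms=120
2024-03-01T08:00:00 host=db01 status=ok rtt_ms=30
2024-03-01T08:00:00 host=sw-core status=ok rtt_ms=2
2024-03-01T08:01:00 host=web01 status=ok rtt_ms=700
2024-03-01T08:01:00 host=db01 status=timeout
2024-03-01T08:01:00 host=sw-core status=ok rtt_ms=3
2024-03-01T08:02:00 host=web01 status=ok rtt_ms=900
2024-03-01T08:02:00 host=db01 status=ok rtt_ms=35
2024-03-01T08:02:00 host=sw-core status=timeout
2024-03-01T08:03:00 host=web01 status=ok rtt_ms=850
2024-03-01T08:03:00 host=db01 status=ok rtt_ms=31
2024-03-01T08:03:00 host=sw-core status=timeout
2024-03-01T08:04:00 host=web01 status=ok rtt_ms=100
2024-03-01T08:04:00 host=sw-core status=timeout
"""

def classify(status: str, rtt) -> str:
    """Reduce one probe to a condition: down, overloaded or healthy."""
    if status != "ok":
        return "down"
    if rtt is not None and rtt > RTT_LIMIT_MS:
        return "overloaded"
    return "healthy"

def monitor(log: str):
    """Return the alerts raised, each as (timestamp, host, condition)."""
    streak = defaultdict(lambda: (None, 0))   # host -> (current condition, consecutive count)
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # malformed line: skip it rather than crash the monitor
        rtt = int(m["rtt"]) if m["rtt"] else None
        cond = classify(m["status"], rtt)
        prev_cond, count = streak[m["host"]]
        count = count + 1 if cond == prev_cond else 1
        streak[m["host"]] = (cond, count)
        # Fire exactly once, when a bad streak first reaches the threshold.
        if cond != "healthy" and count == CONSECUTIVE_BAD:
            alerts.append((m["ts"], m["host"], cond))
    return alerts

if __name__ == "__main__":
    for ts, host, cond in monitor(SAMPLE_LOG):
        print(f"ALERT {ts} {host}: {cond}")
```

In the sample, db01's single timeout produces no alert, web01 is flagged as overloaded after its third slow probe, and sw-core is flagged as down after three consecutive timeouts; a real deployment would add a recovery notification when a host returns to healthy.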

Activity 03

3.1 Risk Assessment Procedures.

3.1.1 What is a risk?

Risk means an undesirable situation that we may face in the future, occurring over a relatively short time.
These risks may occur as a result of human actions. Most risks to an organization arise from the faults of the
workers in the organization, so as the owner of the organization one should assess the risks
(https://www.thesaurus.com/)



What is Risk Assessment?

So, as we discussed above, risks are common to various big organizations, communities, companies etc. Risk
assessment is the term used for the overall process of identifying and analyzing the hazards and risks that
may occur to the company or organization, and evaluating the risk associated with each hazard. So, by
identifying and analyzing the risks we have to determine the appropriate controls for the risk when the hazard
cannot be eliminated. We can identify certain kinds of risks by looking around our workplace and identifying
the things, situations, processes etc. that may cause harm to people. After we identify the risk, and once this
determination is made, we can next decide what measures should be in place in the organization to
effectively eliminate or control the harm happening to the organization.
(https://www.investopedia.com)

3.2 Data protection process applicable to an organization.

Data protection is a very useful thing to do in an organization, because in any organization or big company
there is much useful data, so when that data gets leaked to competitors the organization or the company
will go bankrupt for sure. These are some of the useful pieces of information that reputed companies have

• The type of customers they have
• The number of customers they have
• Banking information
• Information about their assets

So, if these kinds of information get leaked from the business or organization that may pose a huge risk to that
organization. So, there are many ways to protect these kinds of important data; they are

• Fixing CCTV cameras
• Employee monitoring system

Fixing of CCTV cameras

As the owner of a big organization, fixing CCTV cameras is a sensible decision to take. The use of CCTV
cameras must comply with state criminal eavesdropping statutes, which require posting signs where video
monitoring is taking place. Another benefit we get from CCTV cameras is that when thieves or robbers attack
the organization we can monitor it from the cameras and take the necessary decisions

Employee monitoring

This is also a method of data protection, because some of the workers or employees may commit fraudulent
activities against the company, so as an owner we have to be aware of that, and frequently monitoring the
employees or workers is an important task. But there are limits to monitoring employees, because employees
also have privacy to protect, so monitoring of employees is permitted where the monitoring of
the employees makes a clear disclosure regarding the type and scope of the monitoring in which it is
engaged (https://searchdatabackup.techtarget.com)

3.3 Summarization of the ISO 31000 risk management law.

3.3.1 What is Law?

For everything there must be laws and regulations that we should follow; if not, the organization or company
cannot continue. First, we have to see what the meaning of law is. Law means a certain kind of order that is
implemented by the head of the organization to minimize the mistakes, frauds and favouritism among the
workers who are working in the organization

Implementing laws is a difficult task done by the CEO of the company, because he should know how to
implement suitable laws for the workers. When the laws are too strict some employees might not work
properly, and when there are too few laws the workers also might not work properly. To get the work done by
the workers the CEO must think from his perspective, the company's perspective and the employees'
perspective; then he can run his organization or company peacefully without any mistakes, frauds and
favouritism

Every CEO is looking to reduce the risks coming towards his organization, and for that he should implement
laws and regulations continuously, but there are guidelines for implementing laws for risks; those guidelines
are in ISO 31000:2018

3.3.2 Summarization of ISO 31000:2018 related to the EMC Company

When we talk about ISO 31000:2018, it consists of risk management guidelines, providing principles and
frameworks to manage risks in the EMC Company. When the CEO of the EMC Company follows the ISO
31000:2018 law it is easy to manage the EMC Company, because all the guidelines and frameworks are in it.
Any business, small scale or large scale, can use the ISO 31000:2018 law.

By using the ISO 31000:2018 law it can help the EMC Company to increase the likelihood of achieving its
objectives, and can easily identify the strengths and weaknesses of the EMC Company. These things are
involved in the vision and mission of the EMC Company. However, the ISO 31000:2018 act cannot be used for
certification purposes, but it provides guidance for internal and external audit programs

By maintaining or following the ISO 31000:2018 law the owner of the EMC Company can compare the risks
and threats that come towards the EMC Company. In other words, the CEO of the EMC Company can compare
the threats that he faced in the past with the new threats that come towards the company. Another benefit the
owner of the EMC Company has is that it can compare their risk management practices with an internationally
recognized benchmark providing sound principles for effective management and corporate governance. Another
benefit is that the owner of the EMC Company can identify the risks before they affect the company. From
these benefits the EMC Company can move forward without any threats and risks, and the owner of the EMC
Company can take decisions before a risk or threat materializes.

3.3.3 ISO 31000:2018 Risk Management

If the EMC Company is affected by risks, the EMC Company can suffer consequences in terms of economic
performance and professional reputation as well as environmental, safety and social outcomes. If the threats
or risks affect the economic performance of the EMC Company it is a huge loss for the company, because
customers will reject the company, the banks giving loans to the company may reject it, and finally the
employees who depend on the EMC Company are affected. After the economic performance, the professional
reputation is affected. If the EMC Company is dealing or doing transactions with foreign countries the
professional reputation is highly important. If it gets damaged due to threats or risk attacks, those countries
also start to reject the company. Because of these reasons managing risks effectively helps the EMC
Company to perform well in an environment full of uncertainty
(https://securityintelligence.com)

3.4 What is an Audit? (M4)

In every large-scale company there is an audit function to examine the current situation of the company. If
the employees committed any frauds or illegal business they get caught in this way; that is the benefit of an
audit function. If there is no department called audit, the company will go bankrupt because no one is there
to find out the frauds and other wrong things that are happening in the company. In some companies there are
security audits, which means the audit is there to check whether the security system is working in a proper
manner. If there is no audit to examine the security system, the security system might also get corrupted.
From the above points we can tell that IT security audits have a huge impact on the organization's security.

3.4.1 What is an IT security Audit?

An IT security audit involves an IT specialist examining an organization's existing IT infrastructure to identify
the strength of its current arrangements and any potential vulnerabilities. IT security is very important to the
EMC Company because by handling or maintaining IT security audits it ensures the cyber defenses are as up to
date as they can be, effectively detecting or responding to any kind of threat posed by hackers and other
criminals who manipulate IT systems for their own ends. When the EMC Company is dealing with external
countries cyber defenses are very important; if they fail, very dangerous hackers attack the servers and take
all the important information, but if the cyber defenses are up to date there is no risk.



3.4.2 What an IT security Audit does for the company.

When all the IT services are connected with the IT security audit the organization can have a more formidable
IT system in place. There are many departments in the company, and when the IT security audit connects to
each department the function of the IT security audit may range from database management to resource
planning as a chain network. For a company, data is one of the key assets that requires top security control. If
the data gets released or hacked by competitors or other firms it is a main reason for the company to go
bankrupt or get a bad reputation; because of these reasons we have to protect our data. IT security auditors
determine the type of information we have, how it flows in and out of the organization and who has access to
the information. (https://cheekymunkey.co.uk)

3.4.3 IT security audits can identify the vulnerable points and problem areas in the
company.

The special feature of an IT security audit is that it can identify the vulnerable points and problem areas
easily. The IT system is a vast one with several components including hardware, software, data and
procedures, but the IT security audit can find out the vulnerable areas easily. From the IT security audit we
can check whether our hardware or software tools are configured properly and working properly. Security
audits also retrace the security incidents or dangerous situations that the company faced in the past that might
have exposed our security weak points. The other main thing done by the audit is the focus on carrying out
tests in terms of network weaknesses, operating systems, access control and security applications
(https://cheekymunkey.co.uk)

3.5 How is IT security aligned with organization policy?

Security objectives are aligned with the company's goals and documented in company policies and procedures.
Company policies and procedures are not just paperwork: they are the basis of a strong security plan. Once
the company policies and procedures have been developed or updated with the company staff's help, your
organization's security basis will be more current, sound and in compliance.

Companies' cybersecurity experts:

• Cooperate with your organization to develop the strategies for successfully communicating policies,
standards and procedures for measuring good security practices and agreements
• Provide ongoing management of the company policies, procedures and standards to ensure those
documents are kept current and relevant
3.4.4 Aligning Security with company objectives

Aligning security with the organization's greater business needs is becoming increasingly important, but how
do you really do it? What it comes down to is being able to map security to business objectives. Done right,
security can be a main business driver. Today, everyone from finance to DevOps to sales and engineering
has security top of mind, at least if they know what's good for them.



In this post, we'll offer numerous ways to bridge the gap between security and the rest of the company, allowing
you to successfully bring it into the organization in order to meet any number of business objectives.
(https://cheekymunkey.co.uk)

3.4.5 How is IT security misaligned with organization policy?

Misalignment arises when the intended purpose or plan is somewhat in conflict with the actual result. The idea
of alignment in IS has been explored especially in IT business alignment. The idea of alignment has also been
examined in software development to address issues around alignment between development and testing. The
concept of alignment particularly in IT is complex as it is quite fragmented and relates to different facets.
Hence in order to achieve suitable alignment, it is important to ensure focus is on specific components of
alignment rather than on alignment in general. For this reason, the lack of alignment, which is referred to
in this study as misalignment, is discussed in the context of, firstly, outside entities such as customers,
standards and guidelines, regulations and third-party software; the different roles involved in the software
development process; the current and mandatory skills for integrating security requirements; and lastly general
system re-engineering. All the recognized forms of misalignment pose challenges to the integration of
security requirements in mobile application development. The section that follows gives an overview of the
different forms of alignment. (https://cheekymunkey.co.uk)

Activity 4

4.1 Suitability of the tools used in the policies

Organizational design is considered in policy work to be a powerful policy tool for putting policy into action.
However, earlier research has not examined the project organization as a specific form of organizational
design and, hence, has not given much attention to such organizations as a strategic choice when choosing
policy tools. The purpose of the article is to examine the project as a policy tool: how do such temporary
organizations function as a specific form of organization when public policy is implemented? The article is
based on a framework of policy implementation and is illustrated with two welfare reforms in the Swedish
public sector, which were prepared and implemented as project organizations. The case studies and the
analysis show that it is vital that a project organization fits into the overall governance structure when used
as a policy tool. If not, the project will remain encapsulated and will not have sufficient influence on the
permanent organizational structure. The concept of encapsulation indicates a need to protect the project from
a potentially hostile environment. The implication of this is that organizational design as a policy tool is a
matter that deserves more attention in the strategic discussion on implementing public policies and on the
suitability of using certain policy tools. (http://infosectoday.com)

4.2 What is a DRP?

A disaster recovery plan (DRP) is a documented, structured approach with instructions for responding to unplanned incidents. This step-by-step plan consists of the precautions taken to minimize the effects of a disaster so that the organization can continue to operate or quickly resume mission-critical functions. Typically, disaster recovery planning includes an analysis of business processes and continuity needs. Before making a detailed plan, an organization often performs a business impact analysis and a risk analysis, and it establishes the recovery time objective (RTO) and the recovery point objective (RPO). In other words, disaster recovery planning is just one part of business continuity planning, and it applies to those aspects of an organization that rely on an IT infrastructure to function.

R.H.M.D.V.S.S.B.Rajakaruna HND Computing Badge – 35 KUR/A-018363

The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality for the business or organization to keep operating. (https://resources.infosecinstitute.com)

4.2.1 Creating a disaster recovery plan

An organization can start its DRP with a summary of vital action steps and a list of important contacts, so that the most vital information is quickly and easily available. The plan should describe the roles and responsibilities of the disaster recovery team members and outline the criteria for launching the plan into action. The plan then specifies, in detail, the incident response and recovery activities. (https://resources.infosecinstitute.com)
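As an added illustration of the planning elements described in 4.2 and 4.2.1 (this is example code written for this page, not part of the original assignment or of any EMC document), the Python script below models a minimal DRP: a contact roster with team roles, ordered recovery steps with rehearsed durations and an owning role, a check that the backup schedule can satisfy the RPO, a check that the rehearsed restore fits within the RTO, and an activation criterion for launching the plan. All roles, contacts, system names, times and durations are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DR team roster: role -> contact details (hypothetical values).
DR_TEAM = {
    "DR coordinator": "coordinator@example.invalid, +00 000 0001",
    "Database administrator": "dba@example.invalid, +00 000 0002",
    "Network administrator": "netadmin@example.invalid, +00 000 0003",
}


@dataclass(frozen=True)
class RecoveryStep:
    description: str
    owner_role: str          # should be a role present in DR_TEAM
    duration: timedelta      # time measured during the last rehearsal


@dataclass(frozen=True)
class ProtectedSystem:
    name: str
    mission_critical: bool
    rpo: timedelta           # recovery point objective: max tolerable data loss
    rto: timedelta           # recovery time objective: max tolerable downtime
    backup_interval: timedelta
    last_backup: datetime
    steps: tuple             # ordered RecoveryStep sequence


def schedule_meets_rpo(system: ProtectedSystem) -> bool:
    """Worst-case data loss equals the backup interval, so it must not exceed the RPO."""
    return system.backup_interval <= system.rpo


def data_loss_window(system: ProtectedSystem, incident_at: datetime) -> timedelta:
    """Everything written after the last good backup is lost when restoring from it."""
    return incident_at - system.last_backup


def estimated_restore_time(system: ProtectedSystem) -> timedelta:
    """Steps run sequentially, so the restore time is the sum of rehearsed durations."""
    return sum((step.duration for step in system.steps), timedelta())


def plan_meets_rto(system: ProtectedSystem) -> bool:
    return estimated_restore_time(system) <= system.rto


def unassigned_steps(system: ProtectedSystem) -> list:
    """Steps whose owner role has no contact on the roster cannot be executed."""
    return [s.description for s in system.steps if s.owner_role not in DR_TEAM]


def should_activate(system: ProtectedSystem, incident_at: datetime, detected_at: datetime) -> bool:
    """Activation criterion: launch the plan when a mission-critical system is down, or when
    the downtime already incurred plus the rehearsed restore would breach the RTO."""
    elapsed = detected_at - incident_at
    return system.mission_critical or elapsed + estimated_restore_time(system) > system.rto


def assess(systems, incident_at: datetime, detected_at: datetime) -> dict:
    """Per-system readiness report a DR coordinator would review before declaring."""
    return {
        s.name: {
            "activate": should_activate(s, incident_at, detected_at),
            "rpo_schedule_ok": schedule_meets_rpo(s),
            "data_loss": data_loss_window(s, incident_at),
            "rto_ok": plan_meets_rto(s),
            "unassigned_steps": unassigned_steps(s),
        }
        for s in systems
    }


# Constructed sample systems.
BILLING_DB = ProtectedSystem(
    name="billing-db", mission_critical=True,
    rpo=timedelta(minutes=15), rto=timedelta(hours=4),
    backup_interval=timedelta(hours=1),            # hourly backups cannot meet a 15 min RPO
    last_backup=datetime(2024, 1, 10, 8, 0),
    steps=(
        RecoveryStep("Declare incident and notify team", "DR coordinator", timedelta(minutes=10)),
        RecoveryStep("Restore database from latest snapshot", "Database administrator", timedelta(minutes=90)),
        RecoveryStep("Verify data integrity", "Database administrator", timedelta(minutes=30)),
        RecoveryStep("Repoint DNS to recovered host", "Network administrator", timedelta(minutes=10)),
    ),
)

INTRANET_WIKI = ProtectedSystem(
    name="intranet-wiki", mission_critical=False,
    rpo=timedelta(hours=24), rto=timedelta(hours=48),
    backup_interval=timedelta(hours=24),
    last_backup=datetime(2024, 1, 9, 23, 0),
    steps=(
        RecoveryStep("Restore wiki from nightly backup", "Web administrator", timedelta(hours=2)),  # role missing from roster
        RecoveryStep("Smoke-test login and search", "DR coordinator", timedelta(minutes=30)),
    ),
)

INCIDENT_AT = datetime(2024, 1, 10, 8, 40)   # constructed incident time
DETECTED_AT = datetime(2024, 1, 10, 9, 10)   # constructed detection time

if __name__ == "__main__":
    for name, result in assess([BILLING_DB, INTRANET_WIKI], INCIDENT_AT, DETECTED_AT).items():
        print(name, result)
```

Running the script shows the two findings a review of this constructed plan should surface: the billing database's hourly backup cannot meet its 15 minute RPO (40 minutes of data would be lost for the sample incident), and the wiki's restore step is owned by a role that has no contact on the roster, so the plan could not be executed as written even though its RTO is comfortably met.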

4.3 Role of the stakeholders in the security of the company

4.3.1 Who is a stakeholder?

Definition of the term "stakeholder": "A person, group or organization that has an interest or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the company draws its resources. Not all stakeholders are equal. A company's customers are entitled to fair trading practices, but they are not entitled to the same consideration as the company's employees. The stakeholders in a corporation are the individuals and constituencies that contribute, either willingly or unwillingly, to its wealth-creating capacity and activities, and that are therefore its potential beneficiaries and/or risk bearers."

Types of Stakeholders

• Primary stakeholders – Usually internal stakeholders; those that engage in economic transactions with the business (for example stockholders, customers, suppliers, creditors, and employees).
• Secondary stakeholders – Usually external stakeholders; those who, although they do not engage in direct economic exchange with the business, are affected by or can affect its activities (for example the general public, communities, activist groups, business support groups, and the media).
• Excluded stakeholders – Those such as children or the disinterested public, originally excluded because they had no economic impact on the business. Now that the concept takes an anthropocentric perspective, some groups such as the general public may be recognized as stakeholders while others remain excluded. Such a perspective does not give plants, animals or even geology a voice as stakeholders, but only an instrumental value in relation to human groups or individuals.
(http://www.businessdictionary.com)

4.3.2 Role of a security stakeholder in the company

We can view security's customers from two viewpoints: the roles and responsibilities that they have, and the security benefits they receive. The roles-and-responsibilities aspect is vital because it determines how we should communicate with our various security customers, with the aim of enabling and persuading them to perform their roles in security, even if that role is a modest one, such as using an access card to gain entry to the facility. It is also vital because fulfilling their roles and responsibilities as employees, managers, contractors or partners is the way that security's customers "pay for" the security that they receive. If they do not see or understand the value of security, or are not happy about how much they have to pay for it (i.e. how much trouble they have to go through for security), they may choose to bypass security, such as by tailgating through a door to enter the facility.

While some individuals in our company or organization pay for security by assigning or approving security project funding, the majority of individuals pay for security by fulfilling their roles and responsibilities, and that is critical to establishing sound security throughout the organization or company. Because of the importance of the roles that our workers play in security, as well as the benefits security provides to them, we refer to security's customers as stakeholders. (http://www.businessdictionary.com)

Security Stakeholders Exercise

In last month's column we started with the creation of a personal Lean Journal and a first exercise of identifying the security stakeholders. Why perform this exercise? There are many benefits for security staff and officers, as well as for security managers and directors, who perform it. It helps to start with a small group first and then expand, using the results of the first exercise to refine your efforts. Begin at the highest level of security and work down, such as the headquarters or regional level for large organizations, and the security manager, staff, supervisors and officers at the site level. Here are some of the benefits of this exercise:

• Transfers knowledge and insights from more experienced personnel.
• Shares knowledge between shifts and functions.
• Can reveal security value not immediately apparent to security personnel.
• Expands security personnel's awareness of the value of their jobs.
• Increases the sensitivity of security personnel to security stakeholders' concerns.
• Provides a check on the effectiveness and scope of security personnel training.
• Helps to reinforce the common purpose and build camaraderie.

(https://www.executestrategy.net)

Conclusion

EMC is a well-reputed cloud solution provider in Sri Lanka. Normally EMC provides its services to an SME bank in Sri Lanka and to the WEEFM Company. EMC Cloud Solutions provides SaaS, PaaS and IaaS to its customers, and its customer base is roughly five hundred. The head office of EMC is situated in Bambalapitiya. But in the EMC company there is a poor security system, both physically and on the network. So, by implementing new security procedures we can build a new system for EMC, and by using firewalls, VPNs, a DMZ and NAT we can build a good network security system for the company. From the material above we know how to run the company without undue risk and, where risks remain, how to overcome them. Finally, we have also learned what a security audit is and why it matters, who the stakeholders are, and what roles the stakeholders play.

References

Hq.nasa.gov. (2019). [online] Available at: https://www.hq.nasa.gov [Accessed 13 Feb. 2019].

Anon. (2019). [online] Available at: https://www.researchgate.net/publication/266686928_Classification_of_Security_Threats_in_Information_Systems [Accessed 13 Feb. 2019].

Investopedia. (2019). Return on Assets (ROA). [online] Available at: https://www.investopedia.cm/terms/r/returnonassets.asp [Accessed 13 Feb. 2019].

Paperdue.com. (2019). Business Risk Essays: Examples, Topics, Titles, & Outlines | Page 11. [online] Available at: https://www.paperdue.com/topic/business-risk-essays/11 [Accessed 13 Feb. 2019].

WARFRAME Wiki. (2019). Damage. [online] Available at: https://warframe.fandom.com/wiki/Damage [Accessed 13 Feb. 2019].

Fixcleanerpc2017.com. (2019). Fixcleaner Softpedia - 2017 (FIX) 5 Star Rating - My Faster PC Windows 10 Download. [online] Available at: http://fixcleanerpc2017.com/Fixcleaner Soft-pedal=p9619/ [Accessed 13 Feb. 2019].

Gambino, P. (2019). Social Security Takes Fraud Seriously | Social Security Matters. [online] Blog.ssa.gov. Available at: https://blog.ssa.gov/social-security-takes-fraud-seriously/ [Accessed 13 Feb. 2019].

The Balance. (2019). Do You Need Help Filing a Property Damage Claim? [online] Available at: https://www.thebalance.com/what-is-a-property-damage-claim-527109 [Accessed 15 Feb. 2019].

Osha.gov. (2019). Section 6 - Chapter II. Inspection Procedures. [online] Available at: https://www.osha.gov/Firm_osha_data/100006.html [Accessed 15 Feb. 2019].

Docs.oracle.com. (2019). DBMS_MONITOR. [online] Available at: https://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_monitor.htm [Accessed 15 Feb. 2019].

Pmi.org. (2019). Risk analysis and management. [online] Available at: learning/library/risk-analysis-project-management-7070 [Accessed 15 Feb. 2019].

Fieldengineer.com. (2019). What Is a Firewall and Why Is It Important for Network Security? [online] Available at: https://www.fieldengineer.com/blogs/what-is-firewall-important-network-security [Accessed 15 Feb. 2019].

Docs.microsoft.com. (2019). Set-NetFirewallRule (net security). [online] Available at: https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallrule [Accessed 15 Feb. 2019].

VPNSecure.me. (2019). How VPN Works. [online] Available at: https://www.vpnsecure.me/how-vpn-works/ [Accessed 15 Feb. 2019].

Techopedia.com. (2019). What is a Static IP Address? - Definition from Techopedia. [online] Available at: https://www.techopedia.com/definition/9544/static-internet-protocol-ip-address-static-ip-address [Accessed 15 Feb. 2019].

Search Security. (2019). What is DMZ (networking)? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/DMZ [Accessed 15 Feb. 2019].

Nokitel.im. (2019). Interview Questions – nokitel. [online] Available at: http://nokitel.im/index.php/interview-questions/ [Accessed 15 Feb. 2019].

Support.norton.com. (2019). Change the trust level of your network and devices. [online] Available at: https://support.norton.com/sp/en/us/home/current/solutions/v9802264_ns_retail_en_us [Accessed 15 Feb. 2019].

InDesign Secrets. (2019). network monitoring - InDesign Secrets. [online] Available at: https://indesignsecrets.com/topic/network-monitoring [Accessed 15 Feb. 2019].

www.thesaurus.com. (2019). I found great synonyms for "risk" on the new Thesaurus.com! [online] Available at: https://www.thesaurus.com/browse/risk [Accessed 15 Feb. 2019].

Investopedia. (2019). Risk Assessment. [online] Available at: https://www.investopedia.com/terms/r/risk-assessment.asp [Accessed 15 Feb. 2019].

SearchDataBackup. (2019). What is data protection? - Definition from WhatIs.com. [online] Available at: https://searchdatabackup.techtarget.com/definition/data-protection [Accessed 15 Feb. 2019].

ISO. (2019). ISO 31000:2018. [online] ISO.

Security Intelligence. (2019). 10 Takeaways from the ISO 31000:2018 Risk Management Guidelines. [online] Available at: https://securityintelligence.com/10-takeaways-from-the-iso-310002018-risk-management-guidelines/ [Accessed 15 Feb. 2019].

Cheeky Munkey. (2019). What is an IT security audit? - Cheeky Munkey. [online] Available at: https://cheekymunkey.co.uk/what-is-an-it-security-audit/ [Accessed 15 Feb. 2019].

Infosectoday.com. (2019). Why Information Security Training and Awareness Are Important. [online] Available at: http://infosectoday.com/Articles/Security_Awareness_Training.htm [Accessed 15 Feb. 2019].

InfoSec Resources. (2019). Improving SCADA System Security. [online] Available at: https://resources.infosecinstitute.com/improving-Scada-system-security/ [Accessed 15 Feb. 2019].

BusinessDictionary.com. (2019). What comes after those ellipses? [online] Available at: http://www.businessdictionary.com/definition/stakeholder.html [Accessed 15 Feb. 2019].

BusinessDictionary.com. (2019). The Role of Stakeholders in Your Business. [online] Available at: http://www.businessdictionary.com/article/601/the-role-of-stakeholders-in-your-business/ [Accessed 15 Feb. 2019].

Cascade Strategy. (2019). The Benefits of Applying the Stakeholder Theory - Cascade Strategy. [online] Available at: https://www.executestrategy.net/blog/stakeholder-theory/ [Accessed 15 Feb. 2019].