lOMoARcPSD|43753895

Unit -05 - Security - Assignment

HND in Computing (ESOFT Metro Campus)

Scan to open on Studocu

Studocu is not sponsored or endorsed by any college or university

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)
 lOMoARcPSD|43753895

Higher Nationals
Internal verification of assessment decisions – BTEC (RQF)
INTERNAL VERIFICATION – ASSESSMENT DECISIONS

Programme title BTEC Higher National Diploma in Computing

Assessor Internal Verifier

Unit 05: Security
Unit(s)
Providing a suitable security solution for METROPOLIS CAPITAL Bank
Assignment title
W. M. Nisal Yuwin Weerasinghe
Student’s name
List which assessment Pass Merit Distinction
criteria the Assessor has
awarded.
INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match

those shown in the assignment brief? Y/N

Is the Pass/Merit/Distinction grade awarded

justified by the assessor’s comments on the Y/N
student work?
Has the work been assessed
Y/N
accurately?
Is the feedback to the student:
Give details:

• Constructive?
Y/N
• Linked to relevant assessment
criteria? Y/N

• Identifying opportunities for

improved performance? Y/N

• Agreeing actions? Y/N

Does the assessment decision need

Y/N
amending?
Assessor signature Date

Internal Verifier signature Date

Programme Leader signature(if
Date
required)

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 1 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Confirm action completed

Remedial action taken

Give details:

Assessor signature Date

Internal Verifier
Date
signature
Programme Leader
Date
signature (if required)

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 2 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Higher Nationals - Summative Assignment Feedback Form

Student Name/ID W.M. Nisal Yuwin Weerasinghe / E005528
Unit Title Unit 05: Security

Assignment Number 1 Assessor

2023/12/30 Date Received 1st
Submission Date
submission
Date Received 2nd
Re-submission Date
submission
Assessor Feedback:

LO1. Assess risks to IT security

Pass, Merit & Distinction P1 P2 M1 D1

Descripts
LO2. Describe IT security solutions.

Pass, Merit & Distinction P3 P4 M2 D1

Descripts

LO3. Review mechanisms to control organisational IT security.

Pass, Merit & Distinction P5 P6 M3 M4 D2
Descripts

LO4. Manage organisational security.

Pass, Merit & Distinction P7 P8 M5 D3
Descripts

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grades decisions have
been agreed at the assessment board.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 3 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Pearson
Higher Nationals in
Computing
Unit 5: Security

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 4 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use previous page as your cover
sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom , right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and should be in the style of Time New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and Page Number on each
page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory information. eg:
Figures, tables of comparison etc. Adding text boxes in the body except for the before mentioned compulsory information
will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing)
for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade .
9. Non-submission of work without valid reasons will lead to an automatic RE FERRAL. You will then be asked to complete
an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using HARVARD referencing system
to avoid plagiarism. You have to provide both in-text citation and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to A REFERRAL or
at worst you could be expelled from the course

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 5 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to present it as my own
without attributing the sources in the correct way. I further understand what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.

2. I understand the plagiarism and copying policy of the Edexcel UK.
3. I know what the consequences will be if I plagiaries or copy another’s work in any of the assignments for this
program.
4. I declare therefore that all work presented by me for every aspects of my program, will be my own, and where
I have made use of another’s work, I will attribute the source in the correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding agreement between
myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is not attached to the
attached.

W.M. Nisal Yuwin Weerasinghe 2023/12/30

Student’s Signature: Date:
(Provide E-mail ID) (Provide Submission Date)
Nisalyuwin123@gmail.com

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 6 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Assignment Brief
Student Name /ID Number W.M. Nisal Yuwin Weerasinghe / E005528

Unit Number and Title Unit 5- Security

Academic Year 2022/23

Unit Tutor

Assignment Title METROPOLIS CAPITAL Bank

Issue Date

Submission Date

IV Name & Date

Submission Format:

The submission is in the form of an individual written report. This should be written in a concise, formal
business style using single spacing and font size 12. You are required to make use of headings, paragraphs
and subsections as appropriate, and all work must be supported with research and referenced using the
Harvard referencing system. Please also provide an end list of references using the Harvard referencing
system.

Unit Learning Outcomes:

LO1 Assess risks to IT security.

LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 7 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Assignment Brief and Guidance:

METROPOLIS CAPITAL Bank is one of the leading private banking service providers in Sri Lanka. It
operates over 100 branches and 500 ATM machines across the island as well as 8 Branches overseas. In
order to provide their services, METROPOLIS CAPITAL Bank has a primary datacenter located in
Colombo and a Secondary datacenter located in Galle. Each branch and ATM must have connectivity to
the core banking system to be able to operate normally. In order to establish the connectivity between
datacenters, branches and ATM machines, each location has a single ISP link. This link provides VPN
services between branches, ATMs and datacenters as well as MPLS services for the bank and it
establishes connectivity between datacenters, ATMs, and branches.

METROPOLIS CAPITAL Banks Head Office is a 5 Story Building in Kollupitiya with the Ground
Floor allocated for Customer Services, the First Floor allocated for HR, the Second Floor allocated for
Meeting Rooms and Senior Executive Staff, the Third Floor is allocated for the Technical Support Team
and the Fourth Floor hosts High Performance Servers running core banking systems. Fifth Floor is for
some other outside companies that are not related with the METROPOLIS CAPITAL Bank. Other than
this, METROPOLIS CAPITAL bank provides a lot of services to customers including online and mobile
banking facilities. Therefore, their core banking system must communicate with several outside systems
and all communication between outside systems, Data centers and the Head Office is protected by a
single firewall. In Addition, METROPOLIS CAPITAL Bank has recently implemented a bring your
own device (BYOD) concept for Senior Executive Staff and HR Departments and to facilitate this, they
are providing employee WiFi as well as a guest WiFi Hotspot.
The bank has signed agreements, AMCs, contracts and NDAs with several Local and foreign IT service
vendors. Some local vendors provide services and supports to foreign companies. METROPOLIS
CAPITAL Banks Technical Support Team is a local third-party vendor, contracted by METROPOLIS
CAPITAL Bank and managed by their Supply chain management officer. The Technical Support Team
provides onsite and remote support for their customers.

METROPOLIS CAPITAL bank strictly follows the rules and regulations enforced by the government
and the Central Bank. Therefore, they have obtained the ISO 31000:2009 certification. In addition to
this, the areas of datacenters, branches, ATM and HQ is covered by CCTV and 24x7 monitoring is
happening. Other security functions like VA scanning, internal auditing, and security operation done by

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 8 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

the bank employees. They have purchased a VA scanning tool, Privilege access management (PAM)
system, Endpoint detection and respond (EDR) system, Data loss prevention (DLP) tool, Web
application firewall (WAF) and Secure mail gateway which are managed by the Technical Support
Team.

It has been reported that an emergency is likely to occur where a work from home situation may be
initiated. Therefore, you have been employed by METROPOLIS CAPITAL Bank as a Network Security
Analyst to recommend and implement a suitable Security solution to facilitate this situation.

Activity 01
Discuss and assess the security procedures and types of security risks METROPOLIS CAPITAL
Bank may face under its current status and evaluate a range of physical and virtual security measures
that can be employed to ensure the integrity of organizational IT security. You also need to analyze
the benefits of implementing network monitoring systems for METROPOLIS CAPITAL Bank with
valid reasons in order to minimize security risks identified and enhance the organizational security.

Activity 02
2.1 Discuss how an incorrect/improper configuration for network infrastructure such as firewall and VPN
could impact METROPOLIS CAPITAL Bank. Assess IT security risks that may face by the employees of
METROPOLIS CAPITAL Bank and propose how the organization can facilitate their employees with a
“Secure remote working environment”.

2.2. Discuss how following technologies would benefit METROPOLIS CAPITAL Bank and its Clients to
increase network performance. (Support your answer with suitable illustrations).
i) Static IP,
ii) NAT
iii)DMZ

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 9 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Activity 03
Review risk assessment procedures for METROPOLIS CAPITAL Bank to protect itself and its clients.
Explain the mandatory data protection laws and procedures which will be applied to data storage solutions
provided by METROPOLIS CAPITAL Bank. Explain the topic "ISO 31000 risk management
methodology" and summarize the ISO 31000 risk management methodology and its application in IT
security. Analyze possible impacts to organizational security resulting from an IT security audit.
Recommend how IT security can be aligned with organizational Policy, detailing the security impact of
any misalignment.

Activity 04
4.1 Design and Implement suitable security policy to prevent misuse and exploitations in line with
METROPOLIS CAPITAL Bank using the Organizational policy tools for the given scenario,
While evaluating and justifying the suitability of the tools used in an organizational policy to meet
business needs. Identify the stakeholders who are subject to the METROPOLIS CAPITAL Bank and
describe the role of these stakeholders to build security audit recommendations for the organization.

4.2 Discuss and present a disaster recovery plan for METROPOLIS CAPITAL Bank for all their sites to
guarantee maximum reliability to their clients. (Student must develop a PowerPoint-based
presentation which illustrates the recovery plan within 15 minutes of time including justifications and
reasons for decisions and options used).

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 10 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Grading Rubric
Grading Criteria Achieved Feedback

LO1 Assess risks to IT security

P1 Discuss types of security risks to organizations.

P2 Assess organizational security procedures.

M1 Analyze the benefits of implementing network monitoring

systems with supporting reasons.
D1 Evaluate a range of physical and virtual security measures that
can be employed to ensure the integrity of organizational IT
security.
LO2 Describe IT security solutions

P3 Discuss the potential impact to IT security of incorrect

configuration of firewall policies and third- party VPNs.

P4 Discuss, using an example for each, how implementing a DMZ,

static IP and NAT in a network can improve network security.
M2 Propose a method to assess and treat IT security risks.

LO3 Review mechanisms to control organizational IT

Security

P5 Review risk assessment procedures in an organization.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 11 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

P6 Explain data protection processes and regulations as applicable

to an organization.

M3 Summarize the ISO 31000 risk management methodology and its

application in IT security.
M4 Analyze possible impacts to organizational security resulting
from an IT security audit.
D2 Recommend how IT security can be aligned with organizational
Policy, detailing the security impact of any misalignment.
LO4 Manage organizational security

P7 Design a suitable security policy for an organization, including the

main components of an organizational disaster recovery plan.
P8 Discuss the roles of stakeholders in the organization in
implementing security audits.
M5 Justify the security plan developed giving reasons for the
elements selected.
D3 Evaluate the suitability of the tools used in an organizational
policy to meet business needs

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 12 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Table of Contents
Acknowledgement ....................................................................................................... 15
Activity 01 .................................................................................................................. 16
1.1 Security Procedures and Types of Security Risks: ....................................................... 16
1.1.1 Physical Security Measures: .................................................................................. 16
1.1.2 Cybersecurity Measures: ........................................................................................ 16
1.1.3 Operational Measures: ........................................................................................... 16
1.1.4 Employee-Related Measures: ................................................................................ 17
1.2 Benefits of Network Monitoring Systems: ................................................................... 17
Activity 02 .................................................................................................................. 18
2.1 Incorrect/Improper Configuration for Network Infrastructure: .................................... 18
2.1.1 IT Security Risks for Employees: .......................................................................... 18
2.1.2 Facilitating a Secure Remote Working Environment: ........................................... 18
2.1 Static IP: ......................................................................................................................... 19
2.2 NAT (Network Address Translation): ............................................................................ 19
2.3 DMZ (Demilitarized Zone): .......................................................................................... 20
Activity 3 ................................................................................................................... 21
3.1 Review of Risk Assessment Procedures: ...................................................................... 21
3.2 Mandatory Data Protection Laws and Procedures: ....................................................... 21
3.3 ISO 31000 Risk Management Methodology: ............................................................... 21
3.4 Impacts of IT Security Audit: ....................................................................................... 22
3.5 Alignment of IT Security with Organizational Policy: ................................................. 22
Activity 04 .................................................................................................................. 23
4.1 Design and Implementation of Security Policy: ........................................................... 23
4.1.1 Evaluation of Organizational Policy Tools: ........................................................... 23
4.1.2 Identification of Stakeholders: ............................................................................... 23
4.2 PowerPoint-based presentation which illustrates the recovery plan for a METROPOLIS
CAPITAL Bank ...................................................................................................................... 25
References .................................................................................................................. 33

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 13 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Table of Figure
Figure 1 Slide01 DR Plan METROPOLIS CAPITAL Bank ............................................................ 25
Figure 2 about Metropolis Capital Bank ................................................................................. 25
Figure 3 Why Recovery Plan ................................................................................................... 26
Figure 4 Risk Assessment ........................................................................................................ 26
Figure 5 Types of Disasters Considered .................................................................................. 27
Figure 6 Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) .................. 27
Figure 7 Critical IT Systems and Data ...................................................................................... 28
Figure 8 Backup and Data Protection ..................................................................................... 28
Figure 9 Redundancy and Failover Systems............................................................................ 29
Figure 10 Communication Plan ............................................................................................... 29
Figure 11 Testing and Training ................................................................................................ 30
Figure 12 Vendor and Third-Party Coordination .................................................................... 30
Figure 13 Continuous Improvement ....................................................................................... 31
Figure 14 Legal and Regulatory Compliance ........................................................................... 31
Figure 15 Conclusion ............................................................................................................... 32

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 14 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Acknowledgement
Before heading into the proceedings of this assignment I would like to thank my lecturer
Ms. Kavindi for all her effort made to coach me and my colleagues. Your guidance and
support was most needed and the motivations helped. And I would like to thank Esoft
organization for giving me this opportunity to reveal out my talents though the
assignment. I would like to thank my friends in batch 2022/23 Feb/March for all the
support.

Thanks, You
W.M. Nisal Yuwin Weerasinghe

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 15 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Activity 01

1.1 Security Procedures and Types of Security Risks:

METROPOLIS CAPITAL Bank faces a multitude of security risks across its diverse
operations. Physically, the vulnerability lies in unauthorized access to critical areas such
as datacenters, branches, and ATMs. Cybersecurity risks encompass network
vulnerabilities, potential breaches of the single firewall protecting communications, and
the introduction of BYOD, which adds complexity and increases the risk of device-related
vulnerabilities. Operational risks stem from dependence on third-party vendors and the
need to maintain regulatory compliance. Moreover, employee-related risks, including
insider threats and potential security lapses in unsecured WiFi networks, contribute to the
overall risk landscape.

1.1.1 Physical Security Measures:

To mitigate physical security risks, METROPOLIS CAPITAL Bank can implement

robust access controls, such as biometric systems, to prevent unauthorized entry into
datacenters and other critical areas. Enhancing the existing surveillance infrastructure
with additional cameras will provide comprehensive coverage and deter potential threats.

1.1.2 Cybersecurity Measures:

Addressing cybersecurity risks involves implementing multi-layered firewalls to reduce

the risk of a single point of failure. Intrusion Detection and Prevention Systems (IDPS)
can actively monitor network traffic for anomalies and swiftly respond to potential threats.
Regular updates and secure configurations of VPN protocols will ensure secure
communication between datacenters, branches, and ATMs (Arnal, 2023).

1.1.3 Operational Measures:

To manage operational risks, METROPOLIS CAPITAL Bank should conduct thorough

security assessments of third-party vendors and establish a robust audit framework to

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 16 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

ensure ongoing compliance with security standards. Regular internal audits will further
validate adherence to regulatory requirements.

1.1.4 Employee-Related Measures:

The bank should prioritize employee training programs to raise awareness of

cybersecurity threats and instill best practices. Implementing strict security policies for
both employee and guest WiFi networks will help mitigate potential risks associated with
unsecured connections.

1.2 Benefits of Network Monitoring Systems:

Implementing network monitoring systems offers several advantages for METROPOLIS

CAPITAL Bank. Early threat detection is a key benefit, allowing the identification of
unusual patterns or activities that may indicate a security threat before it escalates.
Network monitoring also aids in performance optimization, helping the bank identify and
address potential bottlenecks that could impact overall operations. In the event of security
incidents, network monitoring facilitates quick and efficient incident response,
minimizing the impact of breaches and ensuring a swift resolution.
Furthermore, network monitoring contributes to compliance assurance by continuously
assessing security measures against regulatory requirements. It optimizes resource
utilization, ensuring that the bank's network operates efficiently and effectively.
Additionally, network monitoring helps enforce security policies consistently across the
organization, maintaining a proactive approach to cybersecurity.

In conclusion, the implementation of a comprehensive security strategy involving

physical and virtual measures, along with network monitoring systems, is essential for
METROPOLIS CAPITAL Bank to safeguard its operations, data, and customer trust in
the face of evolving security challenges (Ask, 2023).

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 17 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Activity 02

2.1 Incorrect/Improper Configuration for Network Infrastructure:

An incorrect or improper configuration of network infrastructure, specifically firewall and

VPN systems, poses significant risks to METROPOLIS CAPITAL Bank's IT security. In
terms of firewall configuration, inadequate settings may result in security breaches,
allowing unauthorized access and potential compromise of sensitive data. Furthermore,
improper rules might lead to data tampering, enabling unauthorized modifications or
deletions. Service disruptions are also a concern, as incorrect configurations could
unintentionally block legitimate traffic, causing disruptions in the bank's day-to-day
operations. On the VPN front, weak configurations may expose transmitted data to
interception, jeopardizing the confidentiality of communications between branches,
ATMs, and datacenters. Additionally, improper VPN settings may open avenues for
unauthorized access and compromise the integrity of transmitted data (Burton, 2020).

2.1.1 IT Security Risks for Employees:

Remote working environments introduce specific IT security risks for METROPOLIS

CAPITAL Bank's employees. Phishing attacks become more prevalent, with employees
susceptible to unknowingly disclosing sensitive information. The use of unsecured
networks in home environments increases the risk of data interception or unauthorized
access. Employee devices, often personal, may lack adequate security measures,
rendering them vulnerable to malware or other cyber threats. The absence of in-office
monitoring tools may lead to delayed detection of security incidents or breaches.

2.1.2 Facilitating a Secure Remote Working Environment:

To address these challenges, METROPOLIS CAPITAL Bank can implement several

measures to establish a secure remote working environment. Enhancing VPN
configurations with robust encryption and secure authentication methods ensures the
safeguarding of remote connections. Regular security awareness training for employees
is crucial to educate them about phishing threats and promote safe online practices.
Endpoint security measures, such as antivirus software and regular device health checks,

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 18 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

can fortify the security of employees' devices. Encouraging the use of secure, password-
protected home WiFi networks and providing guidelines for securing personal routers
mitigates the risk associated with unsecured networks. Enforcing multi-factor
authentication (MFA) for remote access adds an extra layer of security against
unauthorized access. The deployment of remote monitoring tools enables the tracking of
employee activities, ensuring early detection of any suspicious behavior or security
incidents. Regular security audits of remote devices and networks identify and address
potential vulnerabilities, contributing to an overall robust IT security posture for remote
employees.

2.1 Static IP:

The adoption of Static IP addresses can offer notable advantages to METROPOLIS

CAPITAL Bank and its clients, particularly in ensuring a stable and predictable network
environment. With a Static IP, the bank's critical services, such as servers hosting core
banking systems, benefit from a consistent identifier that remains unchanged over time.
This stability is paramount for clients and network elements, enabling reliable connections
without the uncertainties associated with dynamic IP addresses. Furthermore, in the
context of remote access services, such as Virtual Private Network (VPN) connections,
Static IPs simplify the connection process, providing clients with a secure and reliable
means to access the bank's network from external locations. Additionally, for services
hosted by the bank, such as web applications or databases, the use of Static IPs ensures a
seamless and reliable user experience, as clients can consistently access these services
without disruptions caused by IP address changes (Lunaproxy, 2023).

2.2 NAT (Network Address Translation):

Network Address Translation (NAT) stands as a valuable technology for METROPOLIS

CAPITAL Bank, aiding in efficient address space conservation and enhancing security.
By allowing multiple devices on the bank's internal network to share a single public IP
address, NAT optimizes address utilization. This becomes especially relevant in large-
scale networks where a limited pool of public IP addresses is available. Additionally,
NAT contributes to improved security by acting as a barrier between the internal network
and the external internet, hiding internal IP addresses. This added layer of protection helps

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 19 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

guard against certain types of cyber threats, bolstering the overall security posture of the
bank. Furthermore, NAT facilitates internet access for multiple clients by enabling them
to share a single public IP address, ensuring efficient utilization of the limited pool of
public IPs (CISCO, 2020).

2.3 DMZ (Demilitarized Zone):

The implementation of a Demilitarized Zone (DMZ) holds significant benefits for

METROPOLIS CAPITAL Bank and its clients, particularly in terms of enhanced security
for public-facing services. By isolating public-facing servers, such as web or email
servers, in the DMZ, the bank adds an extra layer of security by limiting direct access to
internal resources. This strategic architecture protects the internal network from potential
threats originating from the internet. Moreover, the DMZ's role in providing protection
against external threats ensures that even if a security breach were to occur, the impact on
critical internal systems is minimized. Additionally, the DMZ's scalability and
performance benefits are crucial, allowing the efficient scaling of public-facing services.
As client demand increases, the bank can seamlessly add servers to the DMZ without
directly impacting the internal network, ensuring optimal performance for clients
accessing these services. In conclusion, the incorporation of Static IP addresses, NAT,
and DMZ technologies collectively contributes to a more stable, secure, and scalable
network infrastructure for METROPOLIS CAPITAL Bank and enhances the overall
experience for its clients.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 20 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Activity 3

3.1 Review of Risk Assessment Procedures:

METROPOLIS CAPITAL Bank's risk assessment procedures should be thorough and

comprehensive to protect both the institution and its clients. Regular risk assessments are
critical for identifying and prioritizing potential risks across various domains, including
physical, cyber, operational, and compliance risks. Involving key stakeholders such as IT
security professionals and compliance officers ensures a holistic approach to risk
management. The ongoing monitoring of the risk landscape enables the bank to adapt its
mitigation strategies to evolving threats, ensuring the effectiveness of the risk
management framework over time.

3.2 Mandatory Data Protection Laws and Procedures:

Adherence to mandatory data protection laws is imperative for METROPOLIS CAPITAL

Bank to safeguard client information. These regulations, such as the General Data
Protection Regulation (GDPR) or other local laws, set forth specific requirements for
secure data storage, encryption, access controls, and breach notification. Procedures
implemented by the bank should encompass robust encryption for sensitive data, secure
access controls, and a well-defined breach response plan. Compliance with these laws not
only ensures legal obligations are met but also serves to protect the sensitive information
of the bank's clients.

3.3 ISO 31000 Risk Management Methodology:

The ISO 31000 risk management methodology provides a structured and international
standard for effective risk management processes. In the context of METROPOLIS
CAPITAL Bank's IT security, this methodology guides the organization in identifying,
assessing, treating, monitoring, and communicating risks systematically. By establishing
the context, identifying risks, assessing their potential impact, implementing risk
treatment strategies, and continuously monitoring and reviewing these processes, the bank
can integrate a risk management culture that aligns with organizational objectives.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 21 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

3.4 Impacts of IT Security Audit:

Conducting IT security audits has multifaceted impacts on organizational security. These

audits serve as a proactive measure, identifying vulnerabilities within the IT infrastructure
that could potentially be exploited by malicious actors. Additionally, they contribute to
enhanced security awareness among employees, fostering a culture of cybersecurity
within the organization. Furthermore, audits ensure compliance with relevant regulations
and standards, reducing the risk of legal consequences. The findings from these audits
guide continuous improvement efforts, enabling the organization to refine security
policies, procedures, and infrastructure for a more robust and resilient security posture.

3.5 Alignment of IT Security with Organizational Policy:

Aligning IT security with organizational policy is crucial for METROPOLIS CAPITAL

Bank to ensure a cohesive and effective security framework. This alignment involves
defining clear security policies that are explicitly tied to organizational goals and
compliance requirements. Regular training and awareness programs help educate
employees on security policies and best practices, reducing the risk of human error.
Continuous monitoring and auditing processes assess and enforce adherence to security
policies, while incident response planning ensures a swift and effective response to
security incidents. Collaborative efforts across departments foster an environment where
security measures align seamlessly with broader organizational objectives, reducing the
risk of misalignment and potential security gaps.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 22 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Activity 04

4.1 Design and Implementation of Security Policy:

For METROPOLIS CAPITAL Bank, a comprehensive security policy is crucial to

prevent misuse and exploitations. Access control policies should define user privileges,
employing robust authentication mechanisms and restricting access to sensitive
information based on job roles. Data encryption policies must be in place to safeguard
data in transit and at rest, specifying encryption standards and regular key updates.
Network security policies should define firewall rules and implement Intrusion Detection
and Prevention Systems (IDPS). Endpoint security policies must mandate the use of
protection software, ensuring regular updates and controls for removable media. Incident
response and reporting policies are essential, outlining procedures for prompt reporting
and a well-defined incident response plan. Policies related to remote access should specify
secure VPN protocols, configurations for employee-owned devices (BYOD), and
effective monitoring of remote activities.

4.1.1 Evaluation of Organizational Policy Tools:

To enhance the effectiveness of the security policy, METROPOLIS CAPITAL Bank can
leverage various organizational policy tools. Security Information and Event
Management (SIEM) tools provide real-time monitoring and analysis, while Data Loss
Prevention (DLP) solutions prevent unauthorized data transfers. Identity and Access
Management (IAM) systems offer centralized control over user access, and Security
Awareness Training Platforms educate employees. Endpoint Protection Platforms (EPP)
ensure comprehensive protection against malware and other threats. These tools provide
automation, monitoring, and enforcement capabilities, aligning with the organization's
business needs.

4.1.2 Identification of Stakeholders:

Key stakeholders at METROPOLIS CAPITAL Bank play distinct roles in the

implementation and adherence to security policies. Executive management sets the
overall direction and tone, ensuring policies align with organizational objectives. The IT
security team is responsible for implementation and enforcement, monitoring events, and

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 23 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

responding to incidents. Employees are vital stakeholders, adhering to policies,

undergoing training, and reporting security incidents. Customers trust the bank's security
measures, relying on adherence to policies to safeguard their data. Regulatory authorities
oversee compliance, ensuring the bank adheres to specific security standards and
regulations.

4.1.2.1 Role of Stakeholders in Security Audit Recommendations:

Stakeholders contribute to the security audit recommendations at METROPOLIS

CAPITAL Bank in various ways. Executive management provides resources and strategic
decision-making based on audit outcomes. The IT security team conducts the audit,
identifies vulnerabilities, and recommends remediation measures, collaborating with
other stakeholders for implementation. Employees play a role in participating in training,
following protocols, and reporting potential risks. Customers may provide feedback on
security measures, ensuring their concerns are considered. Regulatory authorities review
audit reports to verify compliance, ensuring the bank meets legal and industry standards.
The collaborative efforts of stakeholders in the security audit process contribute to
continuous improvement in the bank's security posture.

In conclusion, a well-designed security policy, supported by suitable tools and involving

key stakeholders, is essential for METROPOLIS CAPITAL Bank to prevent misuse, align
with organizational goals, and meet regulatory requirements. The collaborative efforts of
stakeholders in the security audit process contribute to the continuous improvement of the
bank's security posture.

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 24 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

4.2 PowerPoint-based presentation which illustrates the recovery plan for a

METROPOLIS CAPITAL Bank

Figure 1 Slide01 DR Plan METROPOLIS CAPITAL Bank

Figure 2 about Metropolis Capital Bank

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 25 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 3 Why Recovery Plan

Figure 4 Risk Assessment

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 26 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 5 Types of Disasters Considered

Figure 6 Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 27 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 7 Critical IT Systems and Data

Figure 8 Backup and Data Protection

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 28 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 9 Redundancy and Failover Systems

Figure 10 Communication Plan

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 29 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 11 Testing and Training

Figure 12 Vendor and Third-Party Coordination

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 30 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 13 Continuous Improvement

Figure 14 Legal and Regulatory Compliance

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 31 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

Figure 15 Conclusion

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 32 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)

 lOMoARcPSD|43753895

References
Arnal, C., 2023. Strengthening Security: The Power of Multiple Layers Against Advanced Threats.
[Online]
Available at: 2023

Ask, 2023. The Benefits of Implementing Network Monitoring Tools for IT Security. [Online]
Available at: https://www.ask.com/news/benefits-implementing-network-monitoring-tools-
security

Burton, D., 2020. The Dangers of Firewall Misconfigurations and How to Avoid Them. [Online]
Available at: https://www.akamai.com/blog/security/the-dangers-of-firewall-misconfigurations-
and-how-to-avoid-them

CISCO, 2020. What Is Network Address Translation (NAT)?. [Online]

Available at: https://www.cisco.com/c/en/us/products/routers/network-address-
translation.html
[Accessed 1 12 2023].

Lunaproxy, 2023. Advantages And Disadvantages Of Data Center IP And Static Residential IP.
[Online]
Available at: https://www.lunaproxy.com/help/blog/advantages-and-disadvantages-of-data-
center-ip-and-static-residential-ip
[Accessed 28 12 2023].

W. M Nisal Yuwin Weerasinghe Unit -05 - Security Page 33 of 33

Downloaded by Mawiya Asif (mawiya12asif@gmail.com)