The document outlines an assignment for Unit 5: Security, focusing on managing network security for Colombo Advanced College, which recently suffered a ransomware attack. It details the tasks required, including conducting a security audit, developing a security policy, and implementing security measures, alongside guidelines for presentation and documentation. The assignment emphasizes the importance of IT security solutions and risk management in educational institutions, with specific learning outcomes to be achieved by the student.

lOMoARcPSD|51488188

Security - assignment

Network Security (ESOFT Metro Campus)



Downloaded by Hanna Davis ([email protected])

Higher Nationals - Summative Assignment Feedback Form


Student Name/ID: R.R.Sandali Sithmani Ariyakamal (E221198)
Unit Title: Unit 05: Security
Assignment Number: 1    Assessor: Mr.Beven

Submission Date:        Date Received 1st submission:
Re-submission Date:     Date Received 2nd submission:
Assessor Feedback:

LO1. Assess risks to IT security
Pass, Merit & Distinction Descriptors: P1 P2 M1 D1

LO2. Describe IT security solutions.
Pass, Merit & Distinction Descriptors: P3 P4 M2 D1

LO3. Review mechanisms to control organisational IT security.
Pass, Merit & Distinction Descriptors: P5 P6 M3 M4 D2

LO4. Manage organisational security.
Pass, Merit & Distinction Descriptors: P7 P8 M5 D3


* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place and grade decisions have
been agreed at the assessment board.
Assessor Feedback:

Grade: Assessor Signature: Date:

Resubmission Feedback:
* Please note resubmission feedback is focused only on the resubmitted work.

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:


Pearson
Higher Nationals in
Computing
Unit 5: Security


General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use the previous page as your cover
sheet and make sure all the details are accurately filled in.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using word processing software.
4. All the assignments should be printed on A4 sized paper. Use single-sided printing.
5. Allow 1” for the top, bottom and right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and the font should be Times New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and Page Number on each
page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add text in the assignments, except for compulsory information, e.g. figures,
tables of comparison etc. Adding text boxes in the body except for the aforementioned compulsory information will
result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you may apply (in writing)
for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade.
9. Non-submission of work without valid reasons will lead to an automatic REFERRAL. You will then be asked to complete
an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using HARVARD referencing
system to avoid plagiarism. You must provide both in-text citation and a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be reduced to a REFERRAL or,
at worst, you could be expelled from the course.


STUDENT ASSESSMENT SUBMISSION AND


DECLARATION
When submitting evidence for assessment, each student must sign a declaration confirming that the work is
their own.

Student name: R.R.Sandali Sithmani Ariyakamal    Assessor name: Mr.Beven

Issue date: 2024/10/12    Submission date: 2024/10/29    Submitted on:

Programme:
BTEC Higher National Diploma in Computing

Unit: Unit 5 - Security


Assignment number and title: Managing Network Security for Colombo
Advanced College

Plagiarism
Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who break the
rules, however innocently, may be penalised. It is your responsibility to ensure that you understand correct
referencing practices. As a university level student, you are expected to use appropriate references throughout
and keep carefully detailed notes of all your sources of materials for material you have used in your work,
including any material downloaded from the Internet. Please consult the relevant unit lecturer or your course
tutor if you need any further advice.

Student Declaration

I certify that the assignment submission is entirely my own work and I fully understand the
consequences of plagiarism. I understand that making a false declaration is a form of
malpractice.

Student signature: Date:


R.R.Sandali Sithmani Ariyakamal 2024/10/29
[email protected]


Assignment Brief
Student Name /ID Number R.R.Sandali Sithmani Ariyakamal (E221198)

Unit Number and Title Unit 5- Security

Academic Year 2024/25

Unit Tutor

Assignment Title Managing Network Security for Colombo Advanced College

Issue Date 2024/10/12

Submission Date 2024/10/29

IV Name & Date

Submission Format:
The assignment submission should be in the form of the following:
Formal Presentation: A 10-minute presentation (10–20 slides as a guide, with
supporting speaker notes) to communicate an evaluation of your investigation to a
non-technical audience. This should highlight key information regarding the range of
IT security risks that organizations in Sri Lanka face and the IT security solutions
available. The presentation will also include an assessment of current organizational
security procedures and an evaluation of both the physical and virtual security
countermeasures presented.
Briefing Paper: Produce a briefing paper that reviews the principles and the benefits of an ISMS
used in an organization like Colombo Advanced College and analyze the process of implementing such a
system.

Process Review Document: A review document (1,000–1,500 words) assessing
the existing risk assessment procedures in a selected Sri Lankan organization. This
document should summarize standard risk management approaches and
demonstrate how implementing IT security should align with the organization's
policies.
Written Report: A report (1,000–1,500 words) reviewing a security incident and
recommending a suitable security policy for the organization. The policy should
include all stakeholders to ensure an audit trail can be identified. The report will
evaluate the suitability of selected security tools to meet the needs of the business.
All work must be supported with research and referenced using the Harvard
referencing system. Use appropriate headings, paragraphs, and subsections.

Unit Learning Outcomes:


LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.


Assignment Brief and Guidance:

Scenario

You have been employed as a Junior Network Security Specialist for TechSecure Solutions (Pvt) Ltd., a
leading provider of network security solutions for a variety of clients across different sectors in Sri Lanka.
TechSecure Solutions offers a range of services, including:

 Security audits of organizational networks
 Recommendations for improving network security
 Implementation of network security solutions
 Planning and designing Information Security Management Systems (ISMS) for organizations
 Continuous monitoring and incident response
 Compliance with international security standards like ISO/IEC 27001

Client Background: Colombo Advanced College


One of your prominent clients is Colombo Advanced College, a large educational institution specializing
in ICT, engineering, and business studies with over 2,500 students and 150 staff members. The college
has multiple departments, including Computer Science, Electrical Engineering, Business Management,
and Bioinformatics, each with dedicated labs and resources. The institution has a central data center that
houses critical applications, student records, research data, and administrative functions.

Recent Incident:
Recently, Colombo Advanced College experienced a ransomware attack that led to a significant loss of
data, causing major disruption in academic and administrative activities. The attack exploited
vulnerabilities in the college's outdated network infrastructure and lack of robust security policies.

Your Task:
You have been tasked with reviewing the current risk assessment procedures and developing a
comprehensive security policy to prevent future incidents. This involves conducting a thorough security
audit, identifying vulnerabilities, and recommending appropriate security measures tailored to the
college's needs.

Detailed Requirements:


Security Audit and Risk Assessment:

 Conduct a comprehensive security audit of the college's network infrastructure,
including servers, workstations, and network devices.
 Assess the current security measures in place, such as firewalls, intrusion detection
systems (IDS), antivirus software, and access controls.
 Identify potential vulnerabilities and threats, including malware, phishing attacks,
unauthorized access, and physical security breaches.

Development of a Security Policy:

 Create a detailed security policy that addresses identified risks and vulnerabilities.
This should include guidelines for data protection, user access management, incident
response, and regular security audits.
 Develop procedures for handling sensitive information, including encryption
standards, data backup protocols, and secure communication methods.
 Design a disaster recovery plan outlining steps to restore operations in case of a
security breach or data loss.

Implementation of Security Measures:

 Recommend and implement advanced security solutions, such as next-generation
firewalls, endpoint protection platforms, and multi-factor authentication (MFA).
 Set up network segmentation to isolate critical systems and minimize the impact of
potential attacks.
 Implement regular patch management processes to ensure all systems are up to date
with the latest security updates.

Training and Awareness Programs:

 Develop and conduct training sessions for staff and students on cybersecurity best
practices, including recognizing phishing attempts, safe internet usage, and secure
password management.
 Create awareness campaigns to promote a culture of security within the college,
emphasizing the importance of individual responsibility in maintaining a secure
environment.

Continuous Monitoring and Improvement:

 Establish a continuous monitoring system to detect and respond to security incidents
in real time.
 Regularly review and update the security policy and procedures to adapt to evolving
threats and technological advancements.
 Conduct periodic security drills and simulations to test the effectiveness of the
incident response plan.


Future Prospects:
As part of the long-term strategy, Colombo Advanced College is considering the implementation of a
hybrid learning model, integrating more online and remote learning options. This transition will require
additional security measures to protect online learning platforms, secure remote access, and ensure the
privacy of students and faculty members.

Activity 1: Formal Presentation

Produce a formal presentation (with supporting notes) on a review of the range of IT security threats
that are faced by an organization like Colombo Advanced College, and describe and evaluate the range of
countermeasures, both physical and virtual.

Your presentation should include a section on security risks, including:

 A discussion of the different types of security risks to Colombo Advanced College and similar
organizations.

 An assessment of the organizational security procedures presented in the given scenario.

 An analysis, with reasons, of the benefits of implementing network monitoring systems.

Your presentation should go on to discuss a range of security countermeasures for the identified risks,
including the following:

 A discussion of the potential security impact of incorrect configuration of:

o Firewall policies

o Third-party VPN clients and servers.

 A discussion, using a specific example from either your research or the Colombo Advanced
College scenario, of how implementing each of the following can improve network security:

o A De-Militarized Zone (DMZ)


o A Static IP

o Network Address Translation (NAT).

 A proposal for a method to assess and treat IT security risks.

 An evaluation of the range of countermeasures that can be employed to ensure that an
organization’s integrity is not compromised. Organizational integrity could be either Data Security
or Operational Continuance. Make sure you include both physical and virtual security
countermeasures.

Support any points you make in the presentation with well-chosen examples from any research you have
carried out on related sectors or security scenarios.

Activity 2: Briefing Paper

Produce a briefing paper that reviews the principles and the benefits of an ISMS used in an organization
like Colombo Advanced College, and analyze the process of implementing such a system.

Your paper should include a section on an ISMS framework, including the following:

 An examination of the key principles of an ISMS and its relevance to the successful operation in
Colombo Advanced College.

 An analysis of the benefits that an effective ISMS can have on Colombo Advanced College.

 An assessment and critical analysis of the elements and processes required for Colombo
Advanced College to establish and maintain a more robust ISMS, ensuring that the key principles
are met.

 A justification of the steps required for Colombo Advanced College in order to implement an
ISMS.

Support any points you make in the presentation with well-chosen examples from any research you have
carried out on related sectors or ISMS scenarios.


Activity 3: Process Review Document

Produce a process review document that assesses the current mechanisms and legislation for data
security within an organization.

Your review should include the following:

 A review of the current risk assessment procedures in Colombo Advanced College.

 An explanation of data protection processes and regulations applied to Colombo Advanced
College.

 A summary of an appropriate risk-management strategy or applied ISO standard and its
application to IT security at Colombo Advanced College.

 An analysis of the possible impact on security at Colombo Advanced College, following the results
of an IT security audit.

 A recommendation, with supported reasons, on how the IT security at Colombo Advanced
College can be aligned with its organizational policy. Detail explicitly the security impact if there is
a misalignment.

Support any points you make in the report with well-chosen examples from any research you have
carried out on related sectors or ISMS scenarios.

Activity 4: Written Report

Present a written report to appraise an ISMS for Colombo Advanced College and design a suitable
security policy, based on the supplied evidence and operational requirements.

Your report should include the following:

 A plan of the design of an ISMS for Colombo Advanced College, including an implementation
map, taking into consideration functional and non-functional requirements of the digital systems.

 A suitable security policy, including the main components of a disaster recovery plan for the
college.


 Identification and discussion of the stakeholders and their roles in implementing a security audit.

 Justification, with reasons, for the designed security plan, including the selected physical, virtual,
and policy elements.

 An appraisal of and justification for the planned ISMS design, against the new IT security
landscape in Colombo Advanced College, auditing the different stages of the process followed.

 An analysis of the relationship between ISO and international ISMS standards and the
establishment of an effective ISMS for Colombo Advanced College.

 An evaluation of the suitability of the tools used in the security policy designed for Colombo
Advanced College in terms of how it meets their needs.

 A critical examination of the advantages and disadvantages of the planned ISMS for the college,
against key and international standards.

Support any points you make in the report with well-chosen examples from any research you have
carried out on related sectors or projects, as well as the existing scenario and any associated
documentation.


Acknowledgement

I am Sandali Sithmani Ariyakamal and I am a student of Esoft Metro Campus, Kandy HND Batch 100. I
want to sincerely thank every one of them and my lecturer Mr.Beven.

My lecturer’s programming concept has greatly influenced me to have a deeper understanding of my learning
journey. I would also like to acknowledge my fellow students who have enriched my experiences in a
collaborative spirit and thought-provoking discussions.

Finally, I appreciate Mr.Beven’s mentoring and the opportunity to learn under the goodwill of my peers. This
assignment reflects not only my individual efforts but also the collective knowledge shared in our
programming community.


Table of Contents
Plagiarism.................................................................................................................................5

Client Background: Colombo Advanced College................................................................8

Recent Incident:.....................................................................................................................8

Your Task:...............................................................................................................................8

Detailed Requirements:.........................................................................................................9

Future Prospects:.................................................................................................................10

1 Activity 01........................................................................................................................17

2 Activity 02........................................................................................................................22

2.1 Introduction.....................................................................................................................22

2.2 The Principles of an ISMS..............................................................................................23

2.3 Benefits of an effective Information Security Management System (ISMS).................23

2.4 Elements & Processes for a Robust ISMS......................................................................24

2.5 Steps to Implement an ISMS..........................................................................................25

2.6 Conclusion......................................................................................................................25

3 Activity 03........................................................................................................................26

3.1 Risk Management...........................................................................................................26

3.1.1 Importance in Risk Management.............................................................................26

3.2 ISO 31000 Risk Management Framework......................................................................27

3.2.1 Colombo Advanced College Application Form......................................................29

3.3 Audit................................................................................................................................29

3.3.1 Types of Audit.........................................................................................................29

3.3.2 Possible Impacts of IT Security Audits...................................................................30

3.4 Stakeholders in IT Security Audits at Colombo Advanced College...............................31

R.R.Sandali Ariyakamal(E221198) Security P a g e 16 | 55


3.5 Risk Assessment.............................................................................................................31

3.6 Type of Risk Assessment................................................................................................32

3.7 Current Risk Assessment Mechanisms at Colombo Advanced College.........................32

3.8 Data Protection Processes and Regulations at Colombo Advanced College..................33

3.9 Conclusion and Recommendations.................................................................................34

4 Activity 04........................................................................................................................35

4.1 Disaster Recovery Plan & Business Continuity Planning..............................................35

4.1.1 Disaster Recovery Plan (DRP)................................................................................35

4.1.2 Business Continuity Planning (BCP).......................................................................35

4.2 Disaster Recovery Plan (DRP) and Incident Response Plan (IRP) for Colombo
Advanced College......................................................................................................................36

4.3 Implement security policies.............................................................................................37

4.4 International Security Standards (ISO/IEC 27001)........................................................38

4.4.1 Benefits to Colombo Advanced College.................................................................39

4.5 Implementation Map for ISMS.......................................................................................39

4.6 Stakeholders and their role in security audits.................................................................40

4.7 ISMS Design Evaluation.................................................................................................40

4.8 Conclusion......................................................................................................................40

5 References........................................................................................................................41

Table of Figures
Figure 1 Slide 01............................................................................................................................19
Figure 2 Slide 02............................................................................................................................20
Figure 3 Slide 03............................................................................................................................20


Figure 4 Slide 04............................................................................................................................21
Figure 5 Slide 05............................................................................................................................21
Figure 6 Slide 06............................................................................................................................22
Figure 7 Slide 07............................................................................................................................22
Figure 8 Slide 08............................................................................................................................23
Figure 9 Slide 09............................................................................................................................23
Figure 10 Slide 10..........................................................................................................................24

1 Activity 01

Figure 1 Slide 01

Figure 2 Slide 02


Figure 3 Slide 03

Figure 4 Slide 04


Figure 5 Slide 05

Figure 6 Slide 06


Figure 7 Slide 07

Figure 8 Slide 08


Figure 9 Slide 09

Figure 10 Slide 10


Figure 11 Slide 11

Figure 12 Slide 12


Figure 13 Slide 13

Figure 14 Slide 14


Figure 15 Slide 15

Figure 16 Slide 16


Figure 17 Slide 17

Figure 18 Slide 18


1.1 Introduction to IT Security

IT security is a set of cybersecurity strategies that prevent unauthorized access to corporate assets
such as computers, networks, and data. It maintains the integrity and confidentiality of sensitive
information and blocks access by sophisticated hackers.

IT security is closely related to cyber security. IT provides the overall technological
infrastructure of an organization, including security hardware, software applications, and
endpoints such as laptops and mobile devices; IT security protects the company's network
and its various components, such as physical and cloud-based data centers.

Types of IT Security:
 Network Security
 Internet Security
 Endpoint Security
 Cloud Security
 Application Security
 Operational Security

“IT security describes the precautions taken to protect computers and networks from
unauthorized access. These processes are designed to keep out agents who might seek to
steal or otherwise disrupt system data.

Quality IT security focuses on:

 Protecting the integrity of the data

 Maintaining the confidentiality of the information stored in the network

 Ensuring those who need the data have access to it

 Authenticating users attempting to access computer networks” (Team, 2021)


1.2 Key Security Principles

CIA Triad
 CIA is basically a model or a framework.

C - Confidentiality
Confidentiality refers to an organization’s effort to ensure that data is kept confidential or
private. To accomplish this, access to information must be controlled to prevent unauthorized
sharing of data, whether intentional or accidental. A key aspect of maintaining confidentiality is
to make sure that individuals are prevented from accessing assets important to your business
without proper permission.
Solution: Data encryption

“Confidentiality means that only authorized individuals/systems can view sensitive or
classified information. The data being sent over the network should not be accessed by
unauthorized individuals. The attacker may try to capture the data using different tools
available on the Internet and gain access to your information. A primary way to avoid this is to
use encryption techniques to safeguard your data so that even if the attacker gains access to
your data, he/she will not be able to decrypt it. Encryption standards include AES (Advanced
Encryption Standard) and DES (Data Encryption Standard). Another way to protect your data
is through a VPN tunnel. VPN stands for Virtual Private Network and helps the data to move
securely over the network.” (geeksforgeeks, 2023)

I - Integrity

Integrity is about making sure your data is reliable and free of tampering. The integrity of your
data is maintained only if the data is authentic, accurate and reliable. To protect the integrity of
your data, you may use hashing, encryption, digital certificates, or digital signatures. For
websites, you can employ reliable certification authorities (CAs) that verify the authenticity of
your site so that visitors know that they are getting the website they intend to visit.

Solution: Hashing

Ex: MD5, SHA


“The next thing to talk about is integrity. Well, the idea here is to make sure that data has not
been modified. Corruption of data is a failure to maintain data integrity. To check if our data
has been modified or not, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5 (Message Direct 5).
Now MD5 is a 128-bit hash and SHA is a 160-bit hash if we’re using SHA-1. There are also
other SHA methods that we could use like SHA-0, SHA-2, and SHA-3.” (geeksforgeeks, 2023)
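The hashing approach described above, as an added worked example (this is not code from the assignment or from the quoted sources): it uses Python's standard hashlib and hmac modules to record a digest for a constructed student record, shows that a modified copy fails verification, and shows why a plain hash is not enough on its own when an attacker who can rewrite the data can also rewrite the stored digest, which is where a keyed HMAC helps. The record contents and the shared key are constructed values for the demonstration; digest_bits() confirms the 128-bit MD5, 160-bit SHA-1 and 256-bit SHA-256 output sizes mentioned in the text.

```python
import hashlib
import hmac

# Constructed sample record, standing in for one row of the college's student database.
ORIGINAL_RECORD = b"student_id=E221198;module=Security;grade=Distinction"

# Constructed key shared only between the system that writes records and the one
# that verifies them (a hypothetical value used for this example).
INTEGRITY_KEY = b"example-shared-secret-for-this-demo-only"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` using any algorithm hashlib supports (md5, sha1, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output size of a hash algorithm in bits, derived from its digest length."""
    return hashlib.new(algorithm).digest_size * 8


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it with the stored value in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def authenticated_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over `data`: someone who changes the data cannot recompute this
    tag without the key, unlike a plain hash that anyone can recalculate."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(authenticated_tag(data, key), tag_hex)


def tampering_detected(received: bytes, stored_digest: str) -> bool:
    """True when `received` no longer matches the digest recorded when it was written."""
    return not verify_digest(received, stored_digest)


def demo() -> dict:
    """Run the integrity check on the constructed record and on a tampered copy."""
    stored = digest(ORIGINAL_RECORD)                      # recorded when the row was written
    tag = authenticated_tag(ORIGINAL_RECORD, INTEGRITY_KEY)
    tampered = ORIGINAL_RECORD.replace(b"Distinction", b"Pass")
    # An attacker with write access can replace the data *and* the plain hash;
    # the HMAC tag still fails because the key was never exposed.
    forged_digest = digest(tampered)
    return {
        "original_ok": verify_digest(ORIGINAL_RECORD, stored),
        "tampered_detected": tampering_detected(tampered, stored),
        "plain_hash_forgeable": verify_digest(tampered, forged_digest),
        "hmac_rejects_forgery": not verify_tag(tampered, INTEGRITY_KEY, tag),
        "bits": {alg: digest_bits(alg) for alg in ("md5", "sha1", "sha256")},
    }


if __name__ == "__main__":
    print(demo())
```

hmac.compare_digest is used instead of `==` so that the comparison does not leak timing information. MD5 and SHA-1 appear only to illustrate their output sizes; both have practical collision attacks, so new integrity checks should use SHA-2 or SHA-3.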

A-Availability

Availability means that information must be accessible and usable by authorized users when
they need it, and that systems and networks must be reliable and reachable. Even if data is
kept confidential and its integrity is maintained, it is of little use if it is not available to those
in the organization and to the customers they serve. Systems, networks and applications must
therefore work as they should, when they should. Likewise, people who are authorized to access
specific information should be able to consume it when needed, and obtaining the data should
not take an unbounded amount of time.

Ex:

o Natural disasters: major loss of data
o Human-initiated threats
o Internet failures

“This means that the network should be readily available to its users. This applies to systems
and to data. To ensure availability, the network administrator should maintain hardware,
make regular upgrades, have a plan for fail-over, and prevent bottlenecks in a network.
Attacks such as DoS or DDoS may render a network unavailable as the resources of the
network get exhausted. The impact may be significant to the companies and users who rely
on the network as a business tool. Thus, proper measures should be taken to prevent such
attacks.” (geeksforgeeks, 2023)


1.3 Security Weaknesses in Colombo Advanced College

Following the ransomware attack at Colombo Advanced College, several weaknesses in its
IT infrastructure were revealed. These vulnerabilities led to the attack and pose a significant
risk of future incidents if not addressed. The basic security vulnerabilities identified are as
follows.

1. Outdated Network Infrastructure

The college does not maintain its network infrastructure, which does not appear to have modern
security features. This creates an environment in which attackers can exploit the known
vulnerabilities of old software and hardware, such as stray (unmanaged) routers and switches.

2. Lack of robust security policies

The firewall at Colombo Advanced College is not equipped with security features, so attackers
can enter the network as easily as before. In addition, there is no system to detect suspicious
network traffic and intrusions.

3. Poor access controls

Because access to the networks of Colombo Advanced College is poorly controlled, the attackers
were able to reach the network very easily.

4. Lack of Staff and Student Cybersecurity Awareness

The lack of knowledge among staff and students of Colombo Advanced College about
cybersecurity best practices, including recognising phishing attempts, safe internet use and
secure password management, appears to have provided attackers with an easy route in.

The weaknesses listed above were the main reasons for the recent ransomware attack at
Colombo Advanced College. It resulted in a significant loss of data and great disruption to
academic and administrative activities.


1.4 Potential Security Risks

1. Malware
Malware is an abbreviation for "malicious software" and includes viruses, worms, Trojans,
spyware and ransomware; it is the most common type of cyber-attack. Malware usually enters a
system through a link or email leading to an untrustworthy website, or through an unwanted
software download. Once deployed on the target system, it can collect sensitive data, manipulate
or block access to network components, destroy data, or shut the system down altogether.

“Short for malicious software, malware is any kind of code or software intentionally designed to
cause harm to computer systems. Malware can compromise a system’s security and privacy by
gaining unauthorized access, stealing, altering, encrypting, or destroying data.

Malware comes in many forms:

 Viruses are self-replicating malware tools that attach themselves to legitimate files and
spread to other files and systems when executed.
 Worms self-replicate exponentially across networks or devices without the need for a
host file.
 Rootkits are malicious programs that conceal their presence and get administrator-level
access to a computer’s operating system or other assets.
 Trojan horses are disguised as legitimate software tools that spread using social
engineering techniques.
 Ransomware is a sophisticated malware platform that encrypts the victim’s data or
system. It’s used to demand a ransom in exchange for the decryption key.
 Spyware secretly monitors user activity and transmits sensitive data to hackers without
the victim’s knowledge or consent.


 File less malware operates in computer memory rather than on a device's hard drive,
making it difficult to detect and eradicate.
 Scareware is deceptive software that tricks users into believing their computer is
infected or has serious issues, prompting them to purchase fake or unnecessary security
software.
 Adware displays unwanted advertisements on web browsers to generate revenue for the
adware creators.
 Key logger secretly records a user's keystrokes to capture sensitive data like login
credentials.
 Crypto jacking malware is used to illegally mine cryptocurrencies in a victim’s
system.” (Jayaraman, 2023)

2. Password Attack
Password attacks are the various methods hackers use to maliciously verify, gain entry to, and
steal data from password-protected accounts. Typically, these attacks exploit weaknesses in the
system and use software to speed up the password-cracking process.

“A hacker can gain access to the password information of an individual by ‘sniffing’ the
connection to the network, using social engineering, guessing, or gaining access to a password
database. An attacker can ‘guess’ a password in a random or systematic way.
Password attacks include:
 Brute-force password guessing — an attacker uses software to try many different
passwords, in hopes of guessing the correct one. The software can use some logic to
try passwords related to the name of the individual, their job, their family, etc.
 Dictionary attack — a dictionary of common passwords is used to gain access to the
computer and network of the victim. One method is to copy an encrypted file that has the
passwords, apply the same encryption to a dictionary of regularly used passwords, and
contrast the findings.


 Pass-the-hash attack — an attacker exploits the authentication protocol in a session and
captures a password hash (as opposed to the password characters directly) and then
passes it
 Golden ticket attack — a golden ticket attack starts in the same way as a pass-the-hash
attack, where on a Kerberos (Windows AD) system the attacker uses the stolen password
hash to access the key distribution center to forge a ticket-granting-ticket (TGT) hash.
Mimikatz attacks frequently use this attack vector.” (Orion, 2023)
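Detecting the guessing attacks listed above from the defender's side, as an added example that is not part of the assignment or of the quoted source: a small Python detector run over constructed sshd-style authentication log lines. It flags a source address that accumulates five failures inside a sixty-second sliding window (brute force), one that fails against three or more distinct usernames (password spraying), and a successful login that follows several failures from the same address, which is the event an incident responder most wants to see. The log lines, addresses, usernames and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines in an sshd-like format (sample data, not a real capture).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51122
2024-03-01T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51123
2024-03-01T09:00:06 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124
2024-03-01T09:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51125
2024-03-01T09:00:12 sshd[1201]: Failed password for admin from 203.0.113.7 port 51126
2024-03-01T09:00:15 sshd[1201]: Failed password for admin from 203.0.113.7 port 51127
2024-03-01T09:00:18 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51128
2024-03-01T09:05:00 sshd[1310]: Failed password for lecturer1 from 198.51.100.4 port 40001
2024-03-01T09:05:40 sshd[1310]: Accepted password for lecturer1 from 198.51.100.4 port 40002
2024-03-01T09:10:01 sshd[1422]: Failed password for invalid user alice from 192.0.2.9 port 60001
2024-03-01T09:10:02 sshd[1422]: Failed password for invalid user bob from 192.0.2.9 port 60002
2024-03-01T09:10:03 sshd[1422]: Failed password for carol from 192.0.2.9 port 60003
2024-03-01T09:10:04 sshd[1422]: Failed password for dave from 192.0.2.9 port 60004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it is not an authentication event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "success": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_password_attacks(lines, fail_threshold=5, window=timedelta(seconds=60),
                            spray_users=3, success_after=3):
    """Return one alert per (type, source ip) in the order the triggering events were seen."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users_failed = defaultdict(set)        # ip -> distinct usernames that failed from that ip
    raised = set()
    alerts = []

    def raise_once(kind, ip, **extra):
        if (kind, ip) in raised:
            return
        raised.add((kind, ip))
        alerts.append({"type": kind, "ip": ip, **extra})

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:          # slide the window forward
            q.popleft()
        if ev["success"]:
            # A login that succeeds right after a burst of failures is the highest-priority signal.
            if len(q) >= success_after:
                raise_once("success-after-failures", ip, user=ev["user"],
                           prior_failures=len(q), at=ts.isoformat())
            continue
        q.append(ts)
        users_failed[ip].add(ev["user"])
        if len(q) >= fail_threshold:
            raise_once("brute-force", ip, failures=len(q), at=ts.isoformat())
        if len(users_failed[ip]) >= spray_users:
            raise_once("password-spray", ip, users=sorted(users_failed[ip]), at=ts.isoformat())
    return alerts


def run_sample():
    return detect_password_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the single typo by lecturer1 produces no alert, while 203.0.113.7 raises both a brute-force alert at its fifth failure and a success-after-failures alert when the sixth attempt is followed by an accepted login; 192.0.2.9 is reported as spraying once it has failed against three different accounts. The thresholds are deliberately parameters, since the right values depend on the college's normal login failure rate.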

MitM Attack


2 Activity 02

Information Security Management System (ISMS)

2.1 Introduction

An information security management system defines the policies, methods, processes and tools
needed to ensure sustainable information security in companies and government agencies. It
introduces specific procedures and implements organizational and technical measures that must
be continuously controlled, monitored and improved. It sets out the organization's approach to
information security and privacy.
An ISMS generally takes a holistic, risk-based and flexible approach, which benefits businesses
of all sizes and in many sectors. Such a system can give an organization a competitive
advantage by improving visibility of the attack surface and by guiding asset management,
risk management and risk remediation.

An information security management system is important for protecting Colombo Advanced
College from ransomware and other attacks.

“An information security management system (ISMS) is a set of policies and procedures for
systematically managing an organization's sensitive data. The goal of an ISMS is to minimize
risk and ensure business continuity by proactively limiting the impact of a security breach.

An ISMS typically addresses employee behavior and processes as well as data and technology. It
can be targeted toward a particular type of data, such as customer data, or it can be implemented
in a comprehensive way that becomes part of the company's culture.” (Yasar)


2.2 The Principles of an ISMS

1. Risk Management: Identifying and assessing risks to information assets. A critical
component of an ISMS is the identification and assessment of information security risks. This
includes a thorough analysis of the organization's assets, weaknesses and potential threats. By
understanding the risks, the organization can prioritize its security efforts and allocate
resources effectively. Regular risk assessments help identify emerging threats and ensure that
security measures stay up to date.
2. Constant improvement: All staff and students should regularly review and improve security
measures. The necessary steps should be taken to protect the student records, financial data and
other internal data of Colombo Advanced College, and these security measures should be
improved continuously.
3. Compliance: Meeting legal, regulatory and contractual obligations. Organizations
must comply with changing regulatory requirements and ensure that their ISMS aligns with the
relevant laws. This can include conducting regular compliance audits, implementing specific
controls, and documenting evidence of compliance. Engaging legal and regulatory experts can
help organizations navigate a complex compliance landscape.
These principles can instil a culture of security at Colombo Advanced College and thereby
support the active management of information security.

2.3 Benefits of an effective Information Security Management System (ISMS)

“ISMS provides a holistic approach to managing the information systems within an
organization. This offers numerous benefits, some of which are highlighted below.

 Protects sensitive data. An ISMS protects all types of proprietary information assets
whether they're paper-based, preserved digitally or reside in the cloud.

 Meets regulatory compliance. ISMS helps organizations meet all regulatory
compliance and contractual requirements and provides a better grasp on legalities
surrounding information systems.


 Provides business continuity. When organizations invest in an ISMS, they automatically
increase their level of defense against threats.

 Reduces costs. An ISMS offers a thorough risk assessment of all assets.

 Enhances company culture. An ISMS provides an all-inclusive approach for security and
asset management throughout the organization that isn't limited to IT security.

 Adapts to emerging threats. Security threats are constantly evolving.” (Yasar)

The benefits of implementation of ISMS for Colombo Advanced College are as follows:
 Improved security: Protected from breaches and data loss.
 Reputation Management: Builds trust among stakeholders through proven commitment
to safety.
 Operational Efficiency: Streamlines processes for incident response and compliance.

Implementation of ISMS for Colombo Advanced College not only improves data security but
also improves the operational capabilities of the organization.

2.4 Elements & Processes for a Robust ISMS

1. Leadership commitment: Leadership buy-in and support are crucial to the success of an ISMS.
Top management should demonstrate a strong commitment to information security, allocate
the resources needed to implement and maintain the ISMS, and visibly support security
initiatives.
2. Policy Development: Clear and comprehensive policies and procedures should act as a guide
for staff and students to follow. These documents should address various aspects of information
security, including data classification, acceptable use of technical resources, incident response,
and data retention. Policies and procedures should be communicated to all staff and students
and reviewed regularly to ensure they are relevant and effective.


3. Training and awareness: Staff and students play a crucial role in maintaining information
security. They should know the security policies, be trained in best practices and be aware of
emerging threats.
Establishing these elements at Colombo Advanced College is very important for maintaining an
effective ISMS.

2.5 Steps to Implement an ISMS

1. Scope definition: Determine the boundaries of the ISMS.
2. Risk assessment: Identify and evaluate security risks.
3. Implementation of controls: Establish security controls to minimize the identified risks.

These steps ensure that the ISMS is tailored to the specific needs and risks of Colombo
Advanced College.

2.6 Conclusion

As a result of advances in the digital age, Colombo Advanced College faces threats to its
sensitive information. Implementing an Information Security Management System (ISMS) is
essential to protect valuable data, ensure compliance with regulations, and maintain the trust of
staff and students. It is therefore clear that an ISMS is very important for securing information
assets and ensuring a secure study environment at Colombo Advanced College. By following
these principles and processes, the college can significantly improve its defensive posture and
resilience against future threats.


3 Activity 03

3.1 Risk Management

Risk management is the systematic process of identifying, assessing, and mitigating threats or
uncertainties that can adversely affect your organization's goals. In the context of IT security,
risk management is essential to prevent data breaches, ransomware attacks, and other cyber
threats. This includes analyzing the probability and impact of risks, developing strategies to
minimize harm, and monitoring the effectiveness of measures.

“Risk management is the process of identifying, assessing and controlling threats to an
organization's capital, earnings and operations. These risks stem from a variety of sources,
including financial uncertainties, legal liabilities, technology issues, strategic management errors,
accidents and natural disasters.

A successful risk management program helps an organization consider the full range of risks it
faces. Risk management also examines the relationship between different types of business
risks and the cascading impact they could have on an organization's strategic goals.” (Tucci)

3.1.1 Importance of Risk Management

If an unexpected event catches your organization unawares, the effect may be minor, such as a
small impact on your costs. In the worst case, however, it can be catastrophic and have serious
consequences.

To reduce risk, an organization must deploy resources to minimize, monitor, and control the
impact of negative events while maximizing positive events. A consistent, systemic, and
integrated approach to risk management can help determine how best to identify, manage, and
mitigate significant risks. It also protects the reputation of the organization, minimizes losses,
encourages innovation and growth, improves decision-making, etc.


“Risk management has perhaps never been more important to business success than it is now.
The risks that modern organizations face have grown more complex, fueled by the rapid pace of
globalization. New risks constantly emerge, often related to and generated by the now-pervasive
use of technology. Climate change has been dubbed a "threat multiplier" by risk experts.

The COVID-19 pandemic quickly became an existential threat for businesses in various
industries. Many made rapid adjustments to manage the risks posed by the pandemic. But, going
forward, they're still grappling with some of those risks, including the ongoing need to manage
remote or hybrid work environments and what can be done to make supply chains less
vulnerable to disruptions.” (Tucci)

3.2 ISO 31000 Risk Management Framework

ISO 31000 states that the success of risk management depends on the effectiveness of the
management framework, which provides foundations and provisions that are embedded
throughout the organization at all levels.

The Framework:
 Assists in the effective management of risk through the application of the risk management
process
 Ensures that the risk information obtained from the risk management process is
adequately reported
 Ensures that this information is used as a basis for decision-making and accountability
at all relevant organizational levels
The components of the framework for managing risk, and how they relate to each other in an
iterative way, are described below.

Mandate and Commitment: Risk management policy should demonstrate a strong and
sustainable commitment to risk management by defining objectives, ensuring legal and
regulatory compliance, ensuring the allocation of resources required for risk management,
communicating the benefits of risk management to all stakeholders.


Designing framework for managing risk: Before implementation, the organization must create
a framework for managing risk. This includes:
 Understanding of the organization and its context
 Establishing Risk Management Policies
 Ensure accountability, authority and appropriate competence for risk management

Monitoring and reviewing the framework: To ensure the effectiveness of risk management,
the organization must measure the performance and progress of risk management, review
whether the risk management framework, policy and plan is still appropriate, and review the
effectiveness of the risk management framework.

Continuous improvement of the framework: Based on the results of monitoring and review,
decisions should be made on how the risk management framework, policy and plan can be
improved.

Risk Assessment: Risk assessment is the entire process of risk identification, analysis, and
evaluation.
 Risk Identification: Through the application of risk detection tools and techniques, the
organization should identify sources of risk, areas of impact, events and causes, and their
potential consequences.
 Risk analysis: Risk analysis develops an understanding of each risk by considering its
causes and sources, its positive and negative consequences, and the likelihood that those
consequences will occur. This provides the input for evaluating risks, deciding whether a
risk should be treated, and choosing the most appropriate treatment strategies and methods.

Risk treatment: Risk treatment options should be selected based on the outcome of the risk
assessment and on the expected cost and benefit of implementing each option.


3.2.1 Application to Colombo Advanced College

• Risk identification: The College can identify risks such as outdated systems, unauthorized
access, or poor encryption standards.
• Risk assessment: ISO 31000 helps classify these risks according to their potential impact on
critical systems, such as student records or research data.
• Risk treatment: Implement controls such as multi-factor authentication (MFA) and regular
patch updates to reduce exposure.
• Monitoring and review: Conduct regular audits and reviews of security controls to ensure
their effectiveness over time.

3.3 Audit
Auditing is an evaluation process that assesses the effectiveness of processes and controls,
traditionally by checking a company's accounts, such as financial reports and other financial
information. In the context of IT security, audits assess an organization's cybersecurity posture,
its compliance with policies, and its risk management processes. Many types of audit can be
carried out, by internal parties such as internal auditors, or by external parties such as external
auditors and tax officers.

3.3.1 Types of Audit

1. Internal Audit
Internal audit is the process of independently evaluating the company's risk management and
control in order to improve business operations and add value to the company. In addition, it
helps to ensure that the company complies with internal policies, relevant laws and regulations.
2. External Audit
External audit is the process of independently evaluating a company's financial statements by an
external auditor, who is a qualified independent third party.
3. Compliance audit
Compliance audits are usually performed by internal auditors, so they are usually carried out as
part of an internal audit. In this type of audit, auditors review and examine various laws


and regulations as well as internal policies and compare them with actual practice, to make sure
that the company's staff follow the rules, regulations and policies that the company has
adopted.
4. Operations audit
An operations audit is the process of testing business operations and controls in order to improve
their efficiency and effectiveness, and to minimize risks that could hinder the company from
reaching its goals. The main purpose of an operational audit is usually to add value to the
company.

Comparison:
• Internal audits provide immediate insight but may lack objectivity compared with external
audits, which provide an independent review.
• Compliance audits ensure adherence to industry standards, whereas operational audits focus
on the efficiency of systems.

3.3.2 Possible Impacts of IT Security Audits

“First and foremost, a comprehensive IT security audit enables you to verify the security status
of all your company’s infrastructure: hardware, software, services, networks and data centers.

An audit can help you answer the following critical questions:

 Are there any weak spots and vulnerabilities in your current security?
 Are there any extraneous tools or processes that don’t perform a useful security function?
 Are you equipped to fend off security threats and recover business capabilities in the
event of a system outage or data breach?
 If you have discovered security flaws, what concrete actions can you take to address
them?

A thorough audit can also help you remain in compliance with data security laws. Many
national and international regulations, such as GDPR and HIPAA, require an IT security
audit to ensure that your information systems meet their standards for the collection,
usage, retention and destruction of sensitive or personal data.” (Tierney, 2020)


• Improved security posture: Audits help identify security gaps, enabling the organization to
close them before they are exploited.

• Improved compliance: Regular audits ensure compliance with industry standards, reducing
legal and financial risks.

• Operational disruptions: Without proper planning, audits can cause temporary disruptions,
especially when they involve critical systems.

3.4 Stakeholders in IT Security Audits at Colombo Advanced College

The following stakeholders should be involved in conducting an IT security audit at
Colombo Advanced College.

 Department of Information Technology: Responsible for managing the network
infrastructure and applying technical controls.

 Administrative staff: Users of the information systems that handle sensitive student and
research data.

 Data Protection Officer: Ensures that the organization complies with data protection
laws such as the Data Protection Act of Sri Lanka.

 External auditors: Independent third-party professionals who assess compliance with
international standards.

 Executive Management: Key decision makers who approve security policies and
allocate resources for implementation.


3.5 Risk Assessment

“A risk assessment is a systematic process used to identify potential hazards and risks in a
situation, then analyze what would happen should these hazards take place. As a decision-
making tool, risk assessment aims to determine which measures should be implemented to
eliminate or control those risks, as well as specify which of them should be prioritized according
to their likelihood and impact on the business.

Risk assessment is one of the major components of a risk analysis. Risk analysis is a process
with multiple steps that intends to identify and analyze all of the potential risks and issues that
are detrimental to the business or enterprise.” (Andales, 2024)

Risk assessment refers to identifying, evaluating, and prioritizing risks for an asset, loan, or
investment in an organization. Risk assessment is essential to determine how valuable a specific
investment is, and the best process to minimize risk. Risk assessment is important to determine
the rate of return an investor should earn in order to treat potential risk as a valuable investment.

3.5.1 Types of Risk Assessment

1. Quantitative Risk Assessment
A quantitative risk assessment builds risk models and simulations so that numerical values can
be assigned to each risk.
2. Qualitative Risk Assessment
A qualitative risk assessment is an analytical method that does not rely on numerical or
mathematical analysis. Instead, it uses an individual's subjective judgment and experience to
build a theoretical model of the risk in a given situation. A qualitative analysis of a company can
include an assessment of the company's management, its relationships with its vendors, and the
public's perception of the company.
3. Hybrid Risk Assessment
A hybrid risk assessment combines quantitative and qualitative aspects for a more
comprehensive assessment.


3.6 The current Risk Assessment mechanisms used by Colombo Advanced College
At present, Colombo Advanced College has no formal risk assessment mechanism, which
contributed to the recent ransomware incident. Informal assessments based on the intuition of
the IT team were carried out, but security vulnerabilities were not systematically identified or
addressed. There is no evidence of risk scans, penetration tests, or documented security
reviews.
Recommended mechanisms:
 Risk (vulnerability) scanning: Automated tools for identifying security gaps in the college
network.
 Penetration testing: Simulated attacks to test how well the college's security withstands
cyber threats.
 Risk register: A documented record of identified risks, their impact, and mitigation
strategies.

3.7 Quantitative Risk Assessment on Colombo Advanced College

To conduct a quantitative risk assessment, the college can apply the following procedure:
1. Asset valuation:
Estimate the value of critical assets (e.g., student reports, research data) based on their
significance and recovery costs.
o Example: Value of student database = $200,000.
2. Threat analysis:
Identify potential threats and the probability of their occurrence (e.g., 20% probability of a
ransomware attack).
3. Calculate the expected loss:
 Annual loss expectancy (ALE) = asset value × probability of occurrence.
 ALE for ransomware on the student database = $200,000 × 0.2 = $40,000.
4. Cost-benefit analysis:
Compare the cost of implementing security measures (e.g., a new firewall, MFA) with the
financial loss that a breach could cause. If the cost of the defence is lower than the ALE, the
investment is financially sound.
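The procedure in steps 1 to 4 above, as an added worked example (this is not code from the assignment): a small Python risk register that reproduces the student-database figures from the text and adds two constructed entries. It goes slightly beyond the text by using the standard quantitative model in which ALE = SLE × ARO and SLE = asset value × exposure factor; with an exposure factor of 1.0 this reduces to the asset value × probability formula given above. It also carries a qualitative likelihood × impact score so that the register can be prioritised in the hybrid way described in section 3.5.1. The 1-to-5 scales, the control costs and the residual rates are assumptions made for the example.

```python
from dataclasses import dataclass

# Qualitative scales used by the register (constructed 1..5 scales; ISO 31000 does not
# prescribe particular values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    asset: str
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of the asset lost in one incident (1.0 = total loss)
    annual_rate: float       # ARO: expected incidents per year (the text's "probability of occurrence")
    likelihood: str          # qualitative scales, for the hybrid view
    impact: str
    control: str             # proposed treatment
    control_cost: float      # annual cost of the control (assumed)
    residual_rate: float     # ARO expected once the control is in place (assumed)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy before treatment. With EF = 1.0 this is asset value x
        probability, exactly the formula used in the text above."""
        return self.sle() * self.annual_rate

    def residual_ale(self) -> float:
        """Annual loss expectancy that remains after the control is applied."""
        return self.sle() * self.residual_rate

    def qualitative_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.qualitative_score()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"

    def net_benefit(self) -> float:
        """Annual risk reduction bought by the control, minus what the control costs."""
        return (self.ale() - self.residual_ale()) - self.control_cost

    def control_justified(self) -> bool:
        """Step 4 of the text: the control pays for itself when the loss it avoids exceeds its cost."""
        return self.net_benefit() > 0


# Constructed register; the first entry reproduces the student-database figures from the text.
REGISTER = [
    Risk("Ransomware on student database", "student database", 200_000, 1.0, 0.2,
         "possible", "severe", "MFA + new firewall", 15_000, 0.05),
    Risk("Loss of research data", "research file server", 120_000, 0.5, 0.1,
         "unlikely", "major", "offline backups", 8_000, 0.02),
    Risk("Compromise via legacy switches", "core network", 30_000, 1.0, 0.5,
         "likely", "moderate", "replace unmanaged switches", 10_000, 0.05),
]


def prioritise(register):
    """Order risks by qualitative score, then by ALE, highest first (the hybrid view)."""
    return sorted(register, key=lambda r: (r.qualitative_score(), r.ale()), reverse=True)


def summarise(register):
    """One row per risk, in priority order, with the numbers a decision maker needs."""
    return [
        {"risk": r.name, "rating": r.rating(), "ale": round(r.ale(), 2),
         "residual_ale": round(r.residual_ale(), 2),
         "net_benefit": round(r.net_benefit(), 2), "treat": r.control_justified()}
        for r in prioritise(register)
    ]


if __name__ == "__main__":
    for row in summarise(REGISTER):
        print(row)
```

For the student database the register returns the text's $40,000 ALE; the assumed $15,000 control reduces the expected annual loss to $10,000, so the $30,000 of avoided loss exceeds the control cost and the treatment is justified. The research-data entry shows the opposite outcome: offline backups cost more per year than the ALE they remove, so by the cost-benefit rule alone they would not be funded, even though the qualitative rating may still argue for them.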


3.8 Data Protection Processes and Regulations at Colombo Advanced College

Colombo Advanced College must comply with several key regulations and processes for
data protection:
 Sri Lanka's Data Protection Act: Mandates the safe handling of personal information,
including encryption, data minimisation, and secure communication protocols.
 ISO/IEC 27001: Provides a framework for establishing an ISMS, which is critical to protecting
sensitive data and ensuring compliance with global standards.
By complying with these regulations, the College:
 Reduces security risks: Proper encryption, access control, and regular security audits
reduce the likelihood of data breaches.
 Ensures data integrity and availability: Secure backup processes and disaster recovery plans
keep data accessible and protected from unauthorized modification.
 Enhances reputation and trust: Adherence to international standards demonstrates the
organization's commitment to data security, building trust with students, staff, and
partners.

3.9 Conclusion and Recommendations

 Review of current risk assessment procedures: There is currently no formal risk
assessment mechanism at Colombo Advanced College. This gap contributed to the
recent ransomware attack.
 Data protection processes and regulations: Compliance with Sri Lanka's Data
Protection Act and ISO/IEC 27001 is critical to improving data security and reducing
risks.
 Risk management strategy: Adherence to the ISO 31000 and ISO 27001 frameworks will
improve the college's risk management and security posture by providing a structured,
proactive approach to IT security risk management.
 Impact of IT security audits: Regular audits will strengthen compliance and expose
vulnerabilities, helping the college avoid future breaches and disruptions.

 Recommendation: Colombo Advanced College should align its IT security practices
with ISO standards and its institutional policies. Failing to do so can lead to continued
exposure to threats, non-compliance with data protection laws, and damage to reputation
and operations.
By addressing these areas, Colombo Advanced College can strengthen its IT security, protect
sensitive data, and reduce the risks associated with cyber threats.

4 Activity 04

4.1 Disaster Recovery Plan & Business Continuity Planning


4.1.1 Disaster Recovery Plan (DRP)
A Disaster Recovery Plan (DRP) is a detailed document that describes how an organization
responds effectively to an unplanned event and resumes business operations. Here the focus is on
restoring critical IT functions after an event. DRPs help ensure that businesses are prepared to
deal with various types of disasters, including power outages, ransomware and malware attacks,
natural disasters, and more.

“An IT disaster recovery plan (DRP) is a written document that spells out the policies, step-by-
step procedures, and responsibilities to recover an organization's IT systems and data and get IT
operations back up and running when a disaster happens. This plan is a sub-component of the
organization's Business Continuity Plan (BCP).

Once developed, the DR plan must be tested (or exercised) to ensure that the IT team can fully
recover the organization's IT systems regardless of the type of disaster.

Disasters arrive unannounced, so it is essential to get an IT DR plan in place as soon as possible.
A fully operational plan will help minimize risk exposure, reduce disruption, and ensure
economic stability. It will also reduce insurance premiums and potential liability, and ensure
your organization complies with regulatory requirements. Most importantly, a well-executed
plan can save your organization thousands – even hundreds of thousands – of dollars in the event
of a disaster.” (Acronis, 2023)

4.1.2 Business Continuity Planning (BCP)


Business continuity planning describes the process of documenting a holistic set of protocols and
procedures to help businesses maintain a certain minimum level of functioning when a crisis
occurs. The result of that planning process is a business continuity plan: a strategy designed
to help a business continue with minimal disruption in the event of a disruptive incident.

“A business continuity plan (BCP) is a system of prevention and recovery from potential threats
to a company. The plan ensures that personnel and assets are protected and are able to function
quickly in the event of a disaster.

KEY TAKEAWAYS

 Business continuity plans (BCPs) are prevention and recovery systems for potential
threats, such as natural disasters or cyber-attacks.
 BCP is designed to protect personnel and assets and make sure they can function quickly
when disaster strikes.
 BCPs should be tested to ensure there are no weaknesses, which can be identified and
corrected.” (Kenton, 2024)

4.2 Disaster Recovery Plan (DRP) and Incident Response Plan (IRP) for
Colombo Advanced College

The DRP for Colombo Advanced College includes proactive and reactive measures.
Proactive steps:
 Regular data backups, stored securely both on-site and offline.
 Network segmentation to isolate critical systems from threats.
 Regular system patches and updates to close security vulnerabilities.
 Multi-factor authentication (MFA) and encryption for sensitive data.
 Continuous monitoring with Intrusion Detection Systems (IDS).
Reactive steps:
 Activate the incident response team (IRT) when a breach occurs.
 Immediately isolate affected systems to prevent further damage.
 Restore data from recent backups.
 Communicate with stakeholders to inform them of the breach and the recovery
measures.

Justification for the disaster scenarios covered:
 Ransomware attacks: common in educational institutions; backups of critical data and
isolation protocols are required.
 Natural disasters (floods, power outages): backup data centres and redundant power
supplies ensure operational integrity.
 Hardware failure: backups and redundant systems will reduce the risk of downtime.

4.3 Implement security policies


To ensure the college's security, the following security policies are implemented:

Policy name: Password policy


Scope of the policy: Applicable to all users including staff and students.
Policy:
 Passwords must be at least 12 characters long and include upper/lowercase letters,
numbers, and symbols.
 Passwords should be changed every 90 days.
 MFA will be mandatory for access to critical systems.
Stakeholders: Department of Information Technology, Information Security Officer.
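An added example (not part of the assignment) that checks a user account against the password policy just stated: the 12-character minimum, the four character classes, and the 90-day rotation period. The function names, sample passwords and dates are constructed for illustration; the MFA requirement is enforced by the systems themselves and is not checked here.

```python
from datetime import date, timedelta
import string

MIN_LENGTH = 12    # policy: at least 12 characters
MAX_AGE_DAYS = 90  # policy: changed every 90 days


def password_violations(password: str) -> list[str]:
    """Return the policy rules the password breaks (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day rotation period."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


def account_compliant(password: str, last_changed: date, today: date) -> bool:
    """An account complies only if the password meets every rule and is not overdue."""
    return not password_violations(password) and not rotation_due(last_changed, today)


if __name__ == "__main__":
    # Constructed sample accounts, checked on a constructed audit date.
    audit_day = date(2024, 4, 1)
    for pw, changed in (("Colombo@2024!!", date(2024, 3, 1)),
                        ("password", date(2024, 1, 1))):
        print(pw, password_violations(pw) or "ok",
              "rotation due" if rotation_due(changed, audit_day) else "fresh",
              "compliant" if account_compliant(pw, changed, audit_day) else "non-compliant")
```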

Policy name: Access Control Policy


Scope of the policy: Controls access to network resources.
Policy:
 Role-based access controls (RBAC) are implemented, limiting access based on user roles.
 Access logs are audited regularly.
 Access to critical data centres will require physical verification (e.g., keycards,
biometrics).
Stakeholders: Department of Information Technology, Network Administrators.

Policy name: Data Encryption Policy


Scope of policy: Protects sensitive information in transit and at rest.

Policy:
 All sensitive data must be encrypted using AES-256.
 Encrypted communication (TLS/SSL) will be required for data sharing.
 A VPN must be used for mobile devices and remote access so that the traffic is encrypted.
Stakeholders: Department of Information Technology, Data Protection Officer.

Policy name: Incident Response Policy


Scope of policy: Defines the response procedures for security incidents.
Policy:
 Any breach must be reported to the IRT immediately.
 The IRT will investigate, contain and mitigate incidents.
 Post-incident reviews are conducted to improve response planning.
Stakeholders: Incident Response Team, Senior Management.

Policy name: Backup and Data Retention Policy


Scope of policy: Ensures that data is regularly backed up and stored securely.
Policy:
 Critical data is backed up daily.
 Backups are stored in an offline location and periodically checked for integrity.
 Data will be retained according to legal and academic requirements.
Stakeholders: Department of Information Technology, Legal Compliance Officer.

4.4 International Security Standards (ISO/IEC 27001)


ISO/IEC 27001 is the world's best-known standard for Information Security Management
Systems (ISMS). It defines the requirements that an ISMS must meet.

The ISO/IEC 27001 standard gives organisations of any size and in any sector
guidance on establishing, implementing, maintaining, and continually improving an
information security management system.

“ISO 27001 is the leading international standard focused on information security. It was
published by the International Organization for Standardization (ISO), in partnership with
the International Electrotechnical Commission (IEC). Both are leading international
organizations that develop international standards.
For better understanding of ISO 27001 meaning, it’s important to know that this standard is part
of a set of standards developed to handle information security: the ISO/IEC 27000 series. ISO
27001 is the most important part of that set because it describes how to manage all aspects of
security, and its full name is “ISO/IEC 27001 – Information security, cybersecurity and privacy
protection — Information security management systems — Requirements.”” (Kosutic)

4.4.1 Benefits to Colombo Advanced College


 Risk Reduction: ISO 27001 helps to identify and manage security risks more effectively.
 Compliance: Aligns with legal and regulatory requirements that are essential for the
protection of student and research data.
 Continuous improvement: The standard ensures that ISMS evolves with changing threats
and technologies.
 Stakeholder Trust: Achieving ISO certification demonstrates a commitment to
security and enhances trust among students, staff, and partners.

4.5 Implementation Map for ISMS

ISMS for Colombo Advanced College:


1. Risk assessment and auditing: identifying vulnerabilities, assessing the current security
posture, and establishing security requirements.
2. Policy Development and Training: drafting and implementing security policies, and
conducting cyber security awareness programmes for staff and students.
3. Security improvement: deploying next-generation firewalls, IDS, endpoint protection,
MFA and network segmentation.
4. Monitoring and incident response: implementing continuous monitoring systems, and
establishing an incident response team and procedures.

5. Disaster Recovery and BCP: Backup systems, setting recovery plans, and conducting
regular exercises.
6. ISO 27001 Certification: Aligning and certifying ISMS with ISO 27001 standards.

4.6 Stakeholders and their role in security audits


 Department of Information Technology: Oversees technical implementations and daily
security operations.
 Information Security Officer: Manages ISMS and ensures compliance with policies.
 Senior Management: Policy approval, resource allocation and monitoring of incident
response.
 Data Protection Officer: Ensures adherence to data protection rules and the safe handling
of sensitive data.
 External Auditors: Periodically review the ISMS to verify compliance with ISO 27001 and
other standards.

4.7 ISMS Design Evaluation


The ISMS designed for Colombo Advanced College meets both technical and institutional
security requirements. It covers risk management, disaster recovery, and compliance
with ISO standards. Its main advantages are improved data security, greater resilience to
cyber threats, and compliance with legal requirements.
However, challenges such as implementation cost and the need for continuous updating to stay
ahead of evolving threats must also be considered.

4.8 Conclusion
The ISMS for Colombo Advanced College will significantly improve the security posture of the
institution and ensure data security, business continuity and compliance with international
standards. By implementing a combination of policies, advanced security tools, and regular
audits, the college can protect its network infrastructure from future attacks and ensure
uninterrupted academic and administrative operations.

5 References
Acronis. (2023, January 16). https://www.acronis.com/en-us/blog/posts/disaster-recovery-plan/
Andales, J. (2024, September 12). https://safetyculture.com/topics/risk-assessment/
Kenton, W. (2024, August 18). https://www.investopedia.com/terms/b/business-continuity-planning.asp
Kosutic, D. (n.d.). https://advisera.com/27001academy/what-is-iso-27001/
Tierney, M. (2020, April 09). https://blog.netwrix.com/2020/04/09/it-security-audit/
Tucci, L. (n.d.). https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important
Yasar, K. (n.d.). https://www.techtarget.com/whatis/definition/information-security-management-system-ISMS
