Week 1 T&L Activities:

K1.1 The role and types of preventative business control techniques in protecting the digital security of an organisation:

The Role of Preventative Controls

Preventative controls are proactive security measures that aim to stop threats or incidents before they happen. They are designed to reduce risks by blocking unauthorised access, preventing breaches, and maintaining system integrity.

In business environments, these controls help protect:

  • Data

  • Systems

  • Physical equipment

  • People and infrastructure

 Types of Preventative Control Techniques

Preventative controls fall into four main categories: Physical, Combined, Administrative, and Technical.

Physical Preventative Controls

These controls protect physical access to devices, servers, buildings, and data centres.

| Type | Description |
|---|---|
| Specialist Locks | e.g. Anti-picking locks that resist tampering or lock-picking tools. |
| Barriers | e.g. Fencing, bollards used to stop unauthorised vehicles or people. |
| Gates | Secure entry points, often locked or controlled via access systems. |
| Cages | Metal mesh cages for protecting server racks or network hardware. |
| Flood Defence Systems | e.g. Raised flooring or barriers to prevent water damage in server rooms. |
| Temperature Controls | e.g. Air conditioning or climate controls to prevent overheating of IT equipment. |

 


Combined (Managed Access) Controls

These combine physical and digital control methods to regulate who can access what and when.

| Type | Description |
|---|---|
| Card Readers | Use swipe or contactless cards to grant access based on credentials. |
| Biometric Systems | Fingerprint, facial recognition, or retina scanning for identity verification. |
| Video/CCTV Surveillance | Monitors and records access to restricted areas; also acts as a visual deterrent. |
| PIN/Passcodes | Secure keypads requiring user-specific codes to access doors or systems. |

 


Administrative Controls (Policies and Procedures)

These are organisational rules and practices that enforce secure behaviour.

| Type | Description |
|---|---|
| Separation of Duties | Ensures no single employee has complete control of critical tasks – reduces insider threats. |
| Role-Based Access Control (RBAC) | Limits access to information based on job role (e.g. only HR can access personnel files). |

 

These controls are often documented in Acceptable Use Policies (AUPs) and Security Procedures.


Technical Controls

These are software or system-based controls used to prevent cyber threats.

| Type | Description |
|---|---|
| Allow/Approved Listing | Only approved applications or websites can be run or accessed. |
| Block/Deny Listing | Known malicious programs, websites, or IPs are blocked. |
| Access Control Lists (ACLs) | Define which users or systems are allowed to access particular resources. |
| Sandboxing | Runs programs in a restricted environment to test them safely without affecting the system. |
| Device Hardening | Disabling unused ports and services, and installing security patches, to minimise vulnerabilities. |
| Certificate Authorities (CA) | Verify digital certificates to ensure secure website and data communication. |

 

Design a Secure Office
Task:
You are working for a new tech company that wants to set up a secure office and server room. Use what you’ve learned to design a security plan that includes:

1. At least 2 physical preventative controls.
2. At least 1 combined control.
3. At least 1 administrative control.
4. At least 2 technical controls.

Instructions:
Present your plan as a poster or infographic.
Include a short description of each control.
Explain how it prevents a security threat.

Optional Tools: Canva, PowerPoint, Google Drawings, draw.io or Visio.

 

 


Files that support this week

English:

Assessment:


Learning Outcomes:
Awarding Organisation Criteria:
Maths:
Stretch and Challenge:
E&D / BV
Homework / Extension:
ILT
Week 2 T&L Activities:

K1.2 The role and types of detective business control techniques in protecting the digital security of an organisation:

 

The Role of Detective Controls

Detective controls are security measures that aim to identify and alert an organisation to suspicious or harmful activity.
They can spot an incident:

  • During the event (in progress)

  • After the event has happened (retrospectively)

These controls don’t stop the incident from occurring – instead, they help organisations:

  • Detect breaches

  • Respond appropriately

  • Gather evidence for investigation

  • Improve future prevention


Types of Detective Control Techniques

Detective controls can be physical or administrative in nature.

Physical Detective Controls

These help identify unauthorised physical access or unusual movement in secured spaces.

| Type | Description |
|---|---|
| CCTV | Closed-Circuit Television cameras monitor activity. Can be used for: live monitoring by security teams; playback of footage to identify incidents. |
| Motion Sensors | Detect movement in restricted or sensitive areas. Trigger alerts or alarms if movement is unexpected. |

 

These tools are especially important for data centres, server rooms, or any area storing critical digital infrastructure.

Administrative (Policies and Procedures)

These are human- or system-based logs and checks designed to detect abnormal activity.

| Type | Description |
|---|---|
| Logs | Records created by systems, devices, or people. Examples include: Temperature Logs (track climate in server rooms – overheating may signal failure); Error Logs (record system errors – help detect malware, software issues, or intrusion); Access Logs (logins, system access attempts, or failed logins can reveal threats). |
| Review/Audit | Scheduled or reactive checks to identify problems. Examples: Audit of People Entering/Leaving (detect tailgating or unauthorised access); Review of Logs (helps spot repeated failed logins, malware signatures, or suspicious trends). |
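
The log review described in the table above can be automated. The following is an added example, not part of the original course material: it flags bursts of failed logins in an access log and over-temperature readings in a server-room log. The log line formats, the 5-failures-in-5-minutes rule and the 27.0 °C limit are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from a real system). The line formats are assumptions:
#   access log:      <ISO timestamp> <user> <source address> <LOGIN_OK|LOGIN_FAIL>
#   temperature log: <ISO timestamp> <sensor> <degrees Celsius>
ACCESS_LOG = """\
2024-03-04T08:59:12 asmith 10.0.4.21 LOGIN_OK
2024-03-04T09:01:03 jdoe 10.0.4.57 LOGIN_FAIL
2024-03-04T09:01:09 jdoe 10.0.4.57 LOGIN_FAIL
2024-03-04T09:01:15 jdoe 10.0.4.57 LOGIN_FAIL
2024-03-04T09:01:22 jdoe 10.0.4.57 LOGIN_FAIL
2024-03-04T09:01:30 jdoe 10.0.4.57 LOGIN_FAIL
2024-03-04T09:05:41 mpatel 10.0.4.33 LOGIN_FAIL
2024-03-04T09:06:02 mpatel 10.0.4.33 LOGIN_OK
this line is corrupt
2024-03-04T13:40:00 mpatel 10.0.4.33 LOGIN_FAIL
"""

TEMPERATURE_LOG = """\
2024-03-04T09:00:00 server-room-1 21.5
2024-03-04T09:10:00 server-room-1 24.0
2024-03-04T09:20:00 server-room-1 29.5
2024-03-04T09:30:00 server-room-1 31.0
"""


def review_access_log(text, max_failures=5, window=timedelta(minutes=5)):
    """Return (alerts, rejected) for a log that is in chronological order.

    alerts   - one entry per burst of max_failures failed logins by the same
               user from the same source inside the time window
    rejected - (line number, text) of lines that could not be parsed; these
               are reported rather than dropped, because gaps in a log are
               themselves something a reviewer needs to see
    """
    recent = defaultdict(deque)  # (user, source) -> timestamps of recent failures
    alerts, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            stamp_text, user, source, outcome = line.split()
            stamp = datetime.fromisoformat(stamp_text)
            if outcome not in ("LOGIN_OK", "LOGIN_FAIL"):
                raise ValueError(f"unknown outcome {outcome!r}")
        except ValueError:
            rejected.append((number, line))
            continue
        if outcome == "LOGIN_OK":
            continue
        failures = recent[(user, source)]
        failures.append(stamp)
        # Forget failures that have fallen out of the sliding window.
        while stamp - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            alerts.append({"user": user, "source": source,
                           "failures": len(failures),
                           "first": failures[0], "last": stamp})
            failures.clear()  # start counting again so one burst gives one alert
    return alerts, rejected


def review_temperature_log(text, limit_c=27.0):
    """Return (breaches, rejected); breaches are readings above limit_c."""
    breaches, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            stamp_text, sensor, reading_text = line.split()
            stamp = datetime.fromisoformat(stamp_text)
            reading = float(reading_text)
        except ValueError:
            rejected.append((number, line))
            continue
        if reading > limit_c:
            breaches.append((stamp, sensor, reading))
    return breaches, rejected


if __name__ == "__main__":
    alerts, rejected = review_access_log(ACCESS_LOG)
    for alert in alerts:
        print(f"ALERT {alert['user']} from {alert['source']}: "
              f"{alert['failures']} failed logins between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
    for number, line in rejected:
        print(f"UNREADABLE access-log line {number}: {line!r}")
    for stamp, sensor, reading in review_temperature_log(TEMPERATURE_LOG)[0]:
        print(f"OVER LIMIT {sensor} at {stamp:%H:%M}: {reading} C")
```
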

 

Spot the Detective Controls
Scenario:
Your school is upgrading its IT security. The IT manager wants to install detective controls to help monitor and investigate incidents.

Task:
Identify three detective controls the school could use (at least one physical, one administrative).
For each, explain:
  • How it works
  • Why it's useful
  • What it detects

Example (start):
  • Control: CCTV in the server room
  • What it detects: Unauthorised access
  • How it works: Video surveillance records people entering
  • Why it’s useful: Provides evidence if a breach occurs

Presentation Format: Paragraphs, posters, Canva Presentation or slides.

 

 


Week 3 T&L Activities:

K1.3 The role and types of corrective business control techniques in protecting the digital security of an organisation:

 

The Role of Corrective Controls

Corrective controls are reactive security measures. They are used after an incident has occurred to:

  • Limit the damage caused

  • Restore systems and services back to normal

  • Reduce the chance of the same incident happening again

They help an organisation recover quickly and learn from incidents so improvements can be made.


Types of Corrective Control Techniques

Corrective controls can be grouped into physical and administrative techniques.


Physical Corrective Controls

These help reduce damage from physical threats such as fire, smoke, or environmental hazards.

| Type | Description |
|---|---|
| Fire Suppression Systems | Equipment designed to stop fires once detected. Examples: Sprinklers (release water to extinguish flames); Extinguishers (handheld tools used to fight small fires). |
| Gas Suppression Systems | Use inert or chemical gases (like FM-200 or CO₂) to remove oxygen and stop fires without damaging sensitive electronics. Ideal for server rooms or data centres. |

 

These systems limit physical damage to IT infrastructure, allowing quicker recovery.


Administrative Corrective Controls (Policies and Procedures)

These are planned response actions documented in company policies. They guide staff on what to do after an incident to reduce harm and avoid repetition.

| Type | Description |
|---|---|
| Standard Operating Procedures (SOPs) | Pre-written steps for staff to follow during emergencies. For example: what to do if a fire alarm goes off; how to evacuate a data centre safely; how to begin IT recovery processes after an incident. |

 

These procedures help ensure safe, consistent, and quick responses.

 

Create a Fire Response Plan for a Server Room

Scenario:
A small business has just experienced a minor fire in its server room. You’ve been asked to help create a corrective plan to limit damage and prevent recurrence.

Task:
Identify one physical and one administrative corrective control that should be used.
For each control, describe:
  • What it does
  • How it helps limit damage or recovery time
  • How it prevents the issue from happening again

Extension: Create a simple Standard Operating Procedure (SOP) for how staff should respond when a fire is detected in the server room.

 

Group Presentation - What an I Study Guide

Scenario: 
Working in small groups, create a presentation that can be used as a study guide on one of the following control techniques:
  • Preventative
  • Detective
  • Corrective
  • Deterrent
  • Directive
  • Compensating

The presentation should consider:
  • The role it plays in the protection of digital security.

 

 


Week 4 T&L Activities:

K1.4 The role and types of deterrent business control techniques in protecting the digital security of an organisation:

 

Deterrent controls are pre-emptive security measures that are designed to discourage or dissuade people from attempting to carry out harmful or unauthorised actions.

Rather than stopping or detecting threats directly, deterrents work by:

  • Raising awareness that controls are in place

  • Increasing the perceived risk of getting caught or punished

  • Encouraging good behaviour and compliance

Think of deterrents as the organisation saying:
🗣️ "Don’t even think about it!"

 

Types of Deterrent Control Techniques

Deterrent controls can be physical or administrative.

Physical Deterrent Controls

These create a visible presence that discourages unauthorised access or behaviour.

| Type | Description |
|---|---|
| Security Guards | Trained personnel that deter intruders or policy violations through presence and authority. |
| Alarm Systems | Audible and/or silent alarms warn intruders that they’ve been detected. |
| Visible Surveillance | Cameras that are clearly placed to show that the area is being monitored. |

 

These make people think twice before trying anything malicious, such as breaking in or tampering with equipment.


Administrative Deterrent Controls (Policies and Procedures)

These are organisational rules and formal expectations that discourage inappropriate or risky behaviour.

| Type | Description |
|---|---|
| Standard Operating Procedures (SOPs) | Instructions for secure behaviour, such as how to activate alarms or perform fire drills. |
| Employment Contracts – Codes of Conduct | Contracts may include behaviour rules, warning that poor conduct may lead to dismissal or legal action. |
| Acceptable Use Policies (AUPs) | Clearly outline how systems can and cannot be used. Help discourage misuse or abuse of IT systems. |

 

These controls create awareness and define clear consequences, which can discourage risky or harmful actions.

 

Design a Deterrent Plan for a School Computer Room

Scenario:
Your school wants to discourage students from misusing the computers and trying to access restricted files. You have been asked to create a deterrent plan.

Task:
Choose two physical and two administrative deterrent controls.

For each control, explain:
  • What it is
  • How it works as a deterrent
  • What behaviour it helps prevent

Example (start):
  • Control: CCTV above computer stations
  • How it deters: Students are less likely to break rules if they know they’re being watched
  • Prevents: Vandalism, unauthorised access, unplugging equipment

Optional Extension:
Write a short Acceptable Use Policy (AUP) for the computer lab/room.

 

 


Week 5 T&L Activities:

K1.5 The role and types of directive business control techniques in protecting the digital security of an organisation:

Directive controls are guidance-based measures that aim to influence and shape behaviour in a way that supports good security practices across an organisation.

They help promote a security-focused business culture by:

  • Clearly communicating rules and expectations

  • Encouraging the right actions

  • Reinforcing a shared responsibility for security

  • Helping to prevent risky or careless behaviour

These controls are about leading by example and building awareness rather than stopping threats directly.


📣 Types of Directive Control Techniques

Directive controls come in two main types: physical and administrative.

Physical Directive Controls

These are visible and practical tools that communicate or enforce expectations in a physical space.

| Type | Description |
|---|---|
| Signage | Signs that clearly state rules or reminders – e.g. “Authorised Personnel Only”, “Keep Door Locked”, or “No Tailgating”. |
| Mandatory ID Badge Display | Requires staff and visitors to wear ID badges in a visible place. Helps enforce identification and accountability. |

 

These measures set the tone for secure behaviour and remind people what is expected.


 Administrative Directive Controls (Policies and Procedures)

These are formal rules, procedures, and training activities designed to guide behaviour and establish a consistent security culture.

| Type | Description |
|---|---|
| Agreement Types | Includes signing policies such as confidentiality agreements or IT user agreements. |
| Security Policies & Procedures | Company-wide rules such as password policies, access procedures, or secure email usage. |
| Regular and Compulsory Training | Sessions like human firewall training, phishing awareness, or role-specific cyber hygiene training. These educate employees on how to stay secure and avoid risky behaviour. |

 

These controls make sure everyone knows their responsibilities, understands the risks, and is trained to act appropriately.

 

Build a Security-Aware Workplace Culture

Scenario:
You’ve been hired to improve the cyber security culture in a company that recently suffered from a phishing attack. Many employees weren’t aware of basic security rules.

Task:
1. Choose two physical and two administrative directive controls to promote better security habits.
2. For each control, explain:
  • What it is
  • How it helps promote security
  • Who it targets (e.g. staff, visitors, IT users)

Optional Extension:
Design a security awareness poster to be displayed near staff workstations. Include:
  • A short slogan (e.g. "Think Before You Click")
  • A clear rule or reminder
  • A visual icon or symbol

 


Stretch and Challenge:

Many of these control techniques don’t apply to just one job role; they involve many IT professionals working together.

 

  • Outline the tasks an Infrastructure Engineer might undertake to protect an organisation. 

  • What other digital job roles will play an important part in protecting the organisation?


Week 6 T&L Activities:

K1.6 The role and types of compensating business control techniques in protecting the digital security of an organisation:

Compensating controls are backup or alternative security measures that are put in place when a primary (main) control fails, is unavailable, or isn’t fully effective.

They act as a safety net to maintain security if the original control:

  • Is temporarily down

  • Can’t be used due to cost, complexity, or compatibility

  • Fails unexpectedly

These controls do not replace the original control, but reduce the risk until the primary control can be restored.


🛡️ Types of Compensating Control Techniques

Compensating controls can be physical or administrative.

Physical Compensating Controls

These are environmental or infrastructure-related measures that support the continuity of systems, especially in the event of failure.

| Type | Description |
|---|---|
| Temperature Controls | e.g. Air conditioning or cooling systems to maintain safe operating temperatures for IT hardware. If the main server cooling system fails, backup AC units help prevent overheating and hardware damage. |

 


Administrative Compensating Controls (Policies and Procedures)

These help guide people on how to react or adapt when the usual security controls are not available.

| Type | Description |
|---|---|
| Role-Based Awareness Training | Training staff to recognise when systems are at risk and how to follow fallback procedures (e.g. manual processes if automation fails). |
| Standard Operating Procedures (SOPs) | Clear instructions for monitoring and reacting to environmental changes, such as power fluctuations or temperature spikes. |

 

These policies ensure staff know how to maintain safety and security when the standard systems aren’t working correctly.

 

Backup Security Plan – When the Main Control Fails

Scenario:
A company’s main server cooling system fails, and the temperature begins to rise. You’ve been asked to put together a compensating control plan.
Task:

1. Choose one physical and one administrative compensating control.
2. For each:
  • Describe what it is
  • Explain how it helps reduce risk
  • Identify when it should be used

Extension:
Write a short Standard Operating Procedure (SOP) for what IT staff should do if the environmental controls (like the cooling system) stop working.

 

 


Week 7 T&L Activities:

K1.7 The role and implementation of a disaster recovery plan in protecting the digital security of an organisation:

A Disaster Recovery Plan (DRP) is a formal set of procedures and controls used by an organisation to recover and restore IT services after a disaster such as:

  • Cyber attacks (e.g. ransomware)

  • Natural disasters (e.g. fire or flood)

  • Technical failures (e.g. server breakdown)

  • Power outages or building evacuations

 

The main role of a DRP is to:

  • Recover critical systems and services

  • Maintain service availability to users

  • Protect data integrity

  • Ensure that business operations continue with minimal interruption

It is usually supported by a broader Business Continuity Plan (BCP), which outlines how the whole organisation continues to function during and after a crisis.


🛠️ Components of a Disaster Recovery Plan

DRP controls can be both physical and administrative in nature.

Physical Components

These refer to infrastructure and hardware-based protections to help restore operations.

| Control Type | Description |
|---|---|
| Back-ups | Regular copies of data stored securely so they can be restored after loss or corruption. |
| Off-site Server Storage | Servers or data centres located at a different geographical location to protect against local disasters (e.g. flooding or fire). |

 

These ensure that even if the main system is destroyed or damaged, data and services can be restored from another location.


Administrative Components (Policies and Procedures)

These are organisational strategies and tasks that ensure services are restored efficiently and securely.

| Control Type | Description |
|---|---|
| Ensuring System Functionality | Making sure replacement hardware is arranged and operational (e.g. setting up new servers or laptops). |
| Remote Access Provision | Allowing employees to access systems remotely if the main office is inaccessible. |
| Deploying Back-Ups | Using stored back-up data to restore system functionality and prevent data loss. |
| Adapting to Business Needs | Ensuring that the restored systems and services continue to meet organisational objectives. |
| Asset Management and Logging | Keeping track of devices such as laptops by tagging them and logging movement across the network. |
| Reporting Infrastructure Changes | IT teams must report all changes (e.g. new hardware, recovery actions) to management for oversight. |

 

These policies ensure a coordinated response and help maintain control over resources during recovery.

Build a Disaster Recovery Plan for a Small Business

Scenario:
A small business has just suffered a fire that destroyed its main server room. As the IT support consultant, you must help create a Disaster Recovery Plan.

Task:
Choose two physical and three administrative DRP components.

For each:
  • Explain what it is
  • How it helps restore or maintain service
  • Why it’s important for digital security

Extension Task:
Create a checklist of actions IT staff should take in the first 24 hours following a disaster, including who to contact, what systems to prioritise, and how to document actions.

 

"Part 1 - Those that fail to plan, plan to fail"

Scenario: The college/school has realised that it does not have a DRP (disaster recovery plan).

Tasks:
  • Determine the scope of the plan (for example, the computing department or the whole college).
  • Gather relevant information (for example, historic outage, equipment).
  • Identify risk (threats, vulnerabilities, impact and probability).

 


Week 8 T&L Activities:

K1.8 How a disaster recovery plan (DRP) works:

A Disaster Recovery Plan (DRP) is a documented process that outlines how an organisation will recover its IT services and data following a disruption such as a cyber attack, fire, flood, hardware failure or power outage.

The goal of a DRP is to:

  • Recover services

  • Maintain business continuity

  • Protect digital security

  • Minimise downtime and data loss


How a Disaster Recovery Plan Works

A DRP is built step-by-step to ensure it’s thorough, effective, and ready to be used when needed. Below is the full process:

Define the Scope of the Plan

Before writing a DRP, the organisation must define what areas the plan will cover.

| Scope Level | Description |
|---|---|
| Data Centre Premises | Covers the infrastructure: servers, storage, backups, physical environment |
| Organisational | Ensures continuity across the entire business operation |
| Departmental | Focuses on individual teams like HR, Finance, IT – each may need tailored recovery steps |
| Individual | Covers recovery at the user level – for example, ensuring employee laptops are replaced and access is restored |

 

This step ensures nothing important is missed in the recovery plan.


Gather Relevant Information

To create a useful DRP, the organisation needs to collect essential data about its systems and past issues.

| Type of Information | Description |
|---|---|
| Historic Outage Details | Helps identify what went wrong in the past and how recovery can be improved |
| Hardware, Software & Network Inventories | Lists all critical IT assets that would need recovery, including licenses and configurations |
| Contact Information | Includes IT staff, emergency response teams, suppliers, third-party service providers |

 

Having the right people and tools listed makes the response much faster and more accurate.


Risk Assessment

A DRP must be based on a proper risk assessment to understand what needs to be protected and how.

| Assessment Area | Description |
|---|---|
| Assets | Identify important systems, devices, and data that must be recovered |
| Threats | Fire, cyber-attacks, power loss, data corruption, etc. |
| Vulnerabilities | Weaknesses in current systems or controls that increase the risk |
| Probability of Occurrence | How likely the threat is to happen (e.g. flooding in low-lying areas) |
| Impact | The damage that would be caused to the business if the threat occurred |

 

This step helps prioritise what should be restored first in the event of a disaster.


Creating the DRP

With the scope, information, and risks identified, the actual plan is developed.

Key Elements to Include:

  • Objectives: Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)

  • Roles & Responsibilities: Who does what during recovery

  • Resources Required:

    • Systems (e.g. backup servers, cloud platforms)

    • Equipment (e.g. replacement PCs, mobile devices, routers)

The plan should be written clearly so anyone on the IT team can follow it in an emergency.


Plan Approval

Once the plan is created, it must be formally approved.

| Stage | Description |
|---|---|
| Sign-Off | The DRP should be signed off by senior management, IT leadership, or compliance officers to make it official and enforceable. |

 

Approval ensures that the plan is trusted, understood, and adopted by the wider organisation.


Testing the DRP

The plan must be tested regularly to ensure it works in practice.

Testing Steps:

  1. Identify the scope of the test – will it simulate a total server failure or just user access loss?

  2. Identify the resources needed – people, hardware, test environment.

  3. Determine testing frequency – e.g. every 6 months, annually.

  4. Implement the test – simulate an incident and follow the DRP steps.

  5. Review and document the outcome – identify what went well and what didn’t.

  6. Amend the plan – update procedures based on test results.

Testing ensures the plan remains current and effective as systems, staff, and threats change.
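
The objectives named under "Creating the DRP" give a test something measurable to review. A Recovery Point Objective (RPO) is the longest span of data the organisation can afford to lose, and a Recovery Time Objective (RTO) is the longest acceptable outage. The following added example (not part of the original course material) takes the figures recorded during a DRP test and lists which objectives were missed, worst first, so the plan can be amended. The service names, objectives, timestamps and record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RecoveryRecord:
    """What the DRP promises for one service and what the test measured."""
    service: str
    rpo: timedelta                # objective: maximum tolerable data loss
    rto: timedelta                # objective: maximum tolerable downtime
    last_good_backup: datetime    # newest backup that restored successfully
    measured_restore: timedelta   # time the restore took during the test


def missed_objectives(records, incident_time):
    """Return (service, objective, overshoot) for every missed RPO or RTO.

    Data loss is the gap between the last good backup and the incident.
    Results are sorted so the largest overshoot comes first.
    """
    misses = []
    for record in records:
        if record.last_good_backup > incident_time:
            # A backup taken after the incident cannot be the recovery point;
            # treat it as a recording error instead of reporting zero loss.
            raise ValueError(
                f"{record.service}: backup is dated after the incident")
        data_loss = incident_time - record.last_good_backup
        if data_loss > record.rpo:
            misses.append((record.service, "RPO", data_loss - record.rpo))
        if record.measured_restore > record.rto:
            misses.append(
                (record.service, "RTO", record.measured_restore - record.rto))
    return sorted(misses, key=lambda miss: miss[2], reverse=True)


# Constructed test results for a simulated power failure at 09:00.
INCIDENT = datetime(2024, 3, 4, 9, 0)
TEST_RECORDS = [
    RecoveryRecord("student-logins", rpo=timedelta(hours=4),
                   rto=timedelta(hours=2),
                   last_good_backup=datetime(2024, 3, 4, 2, 0),
                   measured_restore=timedelta(hours=1, minutes=30)),
    RecoveryRecord("file-server", rpo=timedelta(hours=24),
                   rto=timedelta(hours=8),
                   last_good_backup=datetime(2024, 3, 3, 22, 0),
                   measured_restore=timedelta(hours=10)),
    RecoveryRecord("mis-database", rpo=timedelta(hours=1),
                   rto=timedelta(hours=4),
                   last_good_backup=datetime(2024, 3, 4, 8, 30),
                   measured_restore=timedelta(hours=3)),
]

if __name__ == "__main__":
    for service, objective, overshoot in missed_objectives(TEST_RECORDS, INCIDENT):
        print(f"{service}: {objective} missed by {overshoot}")
```

In this constructed data the backup schedule is the weak point for student logins, while the file server is held back by restore speed, which are two different amendments to the plan.
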


Continuous Improvement

After testing, the plan should continue to evolve through ongoing reviews.

| Method | Description |
|---|---|
| Internal Audits | Regular checks by internal teams to make sure the DRP still meets security and compliance standards |
| External Audits | Independent reviews by third-party experts to validate the plan’s effectiveness |

 

Continuous improvement ensures the plan is always ready when needed – not just written and forgotten.

 

 

"Part 2 - Those that fail to plan, plan to fail"

Scenario:
Your College/school’s network has gone down due to a power failure. You’ve been asked to help create a DRP.

Your Task:
1. Define the scope of the DRP (e.g. whole school? just IT services?)
2. Identify key assets and risks (e.g. school server, student logins)
3. List resources needed for recovery (e.g. backup server, laptops)
4. Create a step-by-step plan for restoring systems
5. Explain how you would test the plan and improve it over time

Extension: Create a checklist or flowchart based on the seven stages above.

 

Class discussion: Tutor-led discussion exploring types of impacts that can occur within an organisation as a result of threats and vulnerabilities, including:
  • Danger to life
  • Privacy
  • Property and resources
  • Economic
  • Reputation
  • Legal

 

 


Week 9 T&L Activities:

K1.9 The types of impacts that can occur within an organisation as a result of threats and vulnerabilities

When organisations face threats (e.g. cyberattacks, natural disasters, insider threats) or vulnerabilities (e.g. weak passwords, unpatched software, poor access control), the impacts can be serious and wide-ranging.

Below are the main types of impacts, with examples and explanations.

Danger to Life

🔐 Impact:

Breaches in health and safety policies can result in injury or even death, especially when IT systems are involved in critical areas such as healthcare, manufacturing, or security.

🧾 Example:

  • A hacker disables a smart fire alarm system, delaying emergency response.

  • A system error in a hospital causes incorrect dosages of medication to be given.

📌 Key Point:

IT systems increasingly control physical systems—when they fail, human life can be put at risk.


Privacy Impact

Impact:

Confidential and personal data can be exposed through data breaches, leaks, or unauthorised access.

Example:

  • Employee records containing names, addresses, and bank details are stolen.

  • A cybercriminal gains access to customer login information and sells it online.

Includes:

  • Identity theft

  • Business espionage

  • Loss of customer trust


Property and Resources

Impact:

Attacks or errors can cause physical damage to equipment or IT resources, or make systems inaccessible.

Example:

  • Malware corrupts the central server, making all systems unusable.

  • An intruder physically damages the network cabinet in a data centre.

 Can include:

  • Hardware damage

  • Software/data corruption

  • Loss of access to cloud platforms or network systems


Economic Impact

Impact:

Organisations can face financial losses from system downtime, ransom demands, fraud, or lost business.

Example:

  • A company pays a ransom to restore encrypted data.

  • An online retailer loses thousands of pounds due to a website outage during peak sales.

Consequences include:

  • Cost of system recovery

  • Loss of sales/revenue

  • Increased insurance premiums


Reputational Impact

Impact:

Security incidents can damage trust in the business, affecting how customers, partners, and the public view the organisation.

Example:

  • News spreads that a company has lost customer data due to poor cyber security.

  • Negative media coverage leads to customer cancellations and drop in stock value.

Effects:

  • Brand damage

  • Loss of customer loyalty

  • Decline in public confidence


Legal Impact

Impact:

Failing to meet legal responsibilities (e.g. GDPR, health and safety laws) can lead to prosecution, fines, or other penalties.

Example:

  • A company fails to report a data breach within the legal timeframe and is fined.

  • An employer is prosecuted after a preventable cyber-physical safety incident harms a worker.

Covers:

  • Data protection laws

  • Regulatory compliance

  • Employee protection laws


Week 10 T&L Activities:

K1.10 The potential vulnerabilities in critical systems:

A vulnerability is a weakness in a system that can be exploited by a threat actor (such as a hacker) or caused by human error, poor design, or lack of security controls.

In critical systems—such as servers, network infrastructure, and secure workstations—vulnerabilities can lead to data loss, downtime, and serious security breaches.

Below are some of the key vulnerabilities found in organisations.


Unauthorised Access to Network Infrastructure

What it is:

When people (inside or outside the organisation) gain unauthorised access to core components like switches, routers, firewalls, or servers.

Why it’s a risk:

  • Allows attackers to monitor, manipulate, or redirect network traffic

  • May expose internal systems to external attacks

Example:

  • Weak router admin password is guessed, giving full control to an attacker

Mitigation:

  • Use strong passwords

  • Apply network segmentation

  • Limit access using Access Control Lists (ACLs)


Unauthorised Physical Access to Network Ports

What it is:

When someone physically connects a device (e.g. laptop or USB stick) to network ports without permission.

Why it’s a risk:

  • Attackers could connect to the network bypassing firewalls

  • Could be used to install malware or spyware

Example:

  • An unauthorised visitor plugs into a network socket in a meeting room

Mitigation:

  • Lock unused ports

  • Use port security settings on switches

  • Implement visitor access policies


Single Point of Failure

What it is:

A single component (like a server or router) that, if it fails, causes the entire system or service to stop working.

Why it’s a risk:

  • A single failure can lead to major downtime

  • Makes the organisation less resilient

Example:

  • Only one database server handles all staff records – if it crashes, the service goes down

Mitigation:

  • Use redundancy (backup systems)

  • Set up load balancing and failover systems


System Failure

What it is:

A system crash or malfunction caused by hardware issues, software bugs, or poor maintenance.

Why it’s a risk:

  • Could result in data loss, service interruption, or security exposure

Example:

  • An old, unpatched server operating system crashes and cannot reboot

Mitigation:

  • Keep systems updated and patched

  • Perform regular health checks and monitoring

  • Maintain service-level agreements (SLAs) for critical hardware


Open Port Access

What it is:

When input/output ports on devices (e.g. USB, CD drives, or wireless) are unrestricted, allowing for unauthorised data transfer or malware infection.

Why it’s a risk:

  • Can be used to exfiltrate data, introduce viruses, or bypass network restrictions

Includes:

| Type | Risk Example |
|---|---|
| USB Ports | Staff plug in unverified USB drives carrying malware or keyloggers |
| CD/DVD Drives | Optical media used to load unauthorised software or steal files |
| Wireless Networks | Poorly secured Wi-Fi allows external attackers to access the network remotely |

 

Mitigation:

  • Disable unused ports

  • Use endpoint security tools

  • Apply device control policies

  • Ensure Wi-Fi networks use strong encryption (e.g. WPA3)

 

Secure the Network – Spot the Vulnerability

Scenario:
You’ve been asked to assess the computer network at a local business. During your visit, you notice:

- A USB stick left in a PC
- An unlocked server cabinet
- Only one file server being used
- Guest Wi-Fi with no password

Task:
1. Identify the vulnerabilities
2. Explain the risks for each
3. Recommend one solution per vulnerability

Extension:
Create a network security checklist that an IT team could use during a weekly inspection.

 

 


Week 11 T&L Activities:

K1.11 The impact of measures and procedures that are put in place to mitigate threats and vulnerabilities:

 

Organisations face cybersecurity threats and technical vulnerabilities that can lead to serious problems like downtime, data loss, financial damage, and reputational harm. To reduce these risks, businesses put in place measures (performance targets) and procedures (operational processes) that help manage and recover from incidents.

These tools help ensure the organisation stays secure, responsive, and resilient.


Measures to Mitigate Threats

Recovery Time Objective (RTO)

Definition:
The maximum amount of time a system, service, or process can be offline after a failure before serious damage occurs.

Impact:

  • Helps set recovery deadlines

  • Defines urgency in a disaster recovery plan

  • Drives investment in faster recovery tools

🧾 Example: If the RTO for the customer order system is 2 hours, the business must restore that system within 2 hours to avoid disruption.


Recovery Point Objective (RPO)

Definition:
The maximum amount of data loss (in time) that is acceptable during an incident.

Impact:

  • Helps define back-up frequency

  • Reduces data loss risk

  • Influences back-up technology and storage strategy

Example: If the RPO is 15 minutes, data must be backed up at least every 15 minutes to avoid unacceptable loss.


Mean Time Between Failure (MTBF)

Definition:
The average time between one failure and the next for a system or piece of equipment.

Impact:

  • Used to assess system reliability

  • Helps with hardware replacement planning

  • Reduces unexpected downtime

Example: If a hard drive has an MTBF of 50,000 hours, it is expected to work reliably for that period before likely failing.


Mean Time to Repair (MTTR)

Definition:
The average time it takes to fix a failed system or component and restore it to full operation.

Impact:

  • Helps assess the speed of response and repair

  • Encourages improvement in support and maintenance services

Example: If the MTTR for the web server is 30 minutes, then any failures should typically be resolved within that timeframe.


Procedures to Mitigate Threats

Standard Operating Procedure (SOP)

Definition:
Step-by-step documented instructions to ensure correct and secure performance of tasks.

| SOP Type | Description | Impact |
|---|---|---|
| Installation | Details how to properly install software/hardware securely | Reduces misconfigurations and security gaps |
| Back-Up | Defines when, where, and how backups should be created | Ensures data recovery and limits data loss |
| Set-Up | Guides secure configuration of new devices or user accounts | Ensures systems start with the correct security posture |

 

SOPs ensure consistency, reliability, and compliance across the organisation.


Service Level Agreement (SLA)

Definition:
A formal contract between a service provider and a customer (internal or external) that defines performance expectations.

| SLA Element | Description | Impact |
|---|---|---|
| System Availability/Uptime | Specifies how often systems must be online (e.g. 99.9% uptime) | Helps avoid unexpected downtime and loss of service |
| Response and Resolution Times | Sets expectations for how quickly support teams must respond to and fix issues | Increases accountability, improves support efficiency |

 

SLAs help ensure that IT services meet business needs and that providers are held to agreed standards.
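The measures and the SLA uptime target above can be checked against real incident records. The following is an added example, not part of the original course material: it computes MTBF, MTTR and availability from an outage log and lists the outages that broke the RTO (2 hours) and RPO (15 minutes) used in the examples on this page. The outage log, the `Outage` class and the `summarise` function are constructed for illustration, and MTBF is computed as operating time divided by the number of failures, which is an assumption about the convention used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Targets taken from the examples on this page.
RTO = timedelta(hours=2)       # system must be restored within 2 hours
RPO = timedelta(minutes=15)    # at most 15 minutes of data may be lost
SLA_UPTIME_PCT = 99.9          # SLA availability target


@dataclass(frozen=True)
class Outage:
    failed_at: datetime
    restored_at: datetime
    last_backup_at: datetime   # last good backup taken before the failure

    @property
    def downtime(self) -> timedelta:
        return self.restored_at - self.failed_at

    @property
    def data_loss_window(self) -> timedelta:
        # Everything written after the last backup is lost on restore.
        return self.failed_at - self.last_backup_at


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data: one 30-day reporting window with three outages.
WINDOW_START = ts("2024-03-01 00:00")
WINDOW_END = ts("2024-03-31 00:00")
OUTAGES = [
    Outage(ts("2024-03-04 09:00"), ts("2024-03-04 09:30"), ts("2024-03-04 08:50")),
    Outage(ts("2024-03-15 14:00"), ts("2024-03-15 16:45"), ts("2024-03-15 13:40")),
    Outage(ts("2024-03-27 22:10"), ts("2024-03-27 22:25"), ts("2024-03-27 22:00")),
]


def summarise(outages, start, end):
    """Return the recovery measures for one reporting window."""
    window = end - start
    downtime = sum((o.downtime for o in outages), timedelta())
    uptime = window - downtime
    count = len(outages)
    availability = 100 * (uptime / window)
    return {
        # Assumed convention: MTBF = operating time / number of failures.
        "mtbf": uptime / count if count else None,
        # MTTR = total repair time / number of failures.
        "mttr": downtime / count if count else None,
        "availability_pct": round(availability, 3),
        "sla_met": availability >= SLA_UPTIME_PCT,
        # An outage breaks the RTO if the repair took longer than allowed.
        "rto_breaches": [o for o in outages if o.downtime > RTO],
        # An outage breaks the RPO if the last backup was too old.
        "rpo_breaches": [o for o in outages if o.data_loss_window > RPO],
    }


if __name__ == "__main__":
    report = summarise(OUTAGES, WINDOW_START, WINDOW_END)
    print("MTBF:", report["mtbf"])
    print("MTTR:", report["mttr"])
    print("Availability:", report["availability_pct"], "% (SLA met:", report["sla_met"], ")")
    for o in report["rto_breaches"]:
        print("RTO breach:", o.failed_at, "down for", o.downtime)
    for o in report["rpo_breaches"]:
        print("RPO breach:", o.failed_at, "lost", o.data_loss_window, "of data")
```

An average can hide a breach: the MTTR here is 70 minutes, well inside the 2-hour RTO, yet one outage took 2 hours 45 minutes, which is why the check is done per outage.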

Security by the Numbers

Scenario:
A business is suffering from frequent system crashes and slow support responses. You've been asked to recommend measures and procedures to help improve security and recovery times.

Task:
- Choose two measures (e.g. RTO, MTTR) and explain how they could improve the organisation’s security response.
- Choose one SOP and one SLA feature and describe how they would help mitigate future incidents.
- Create a table showing the measure/procedure, what it covers, and what problem it solves.

Extension:
Write a short SOP for backing up a company database, including when, where, and how often backups should be done.

 

 


Week 12 T&L Activities:

K1.12 The process of risk management:

Risk management is the process of identifying, assessing, and controlling risks that could affect an organisation’s information systems, people, assets, or business operations.

The purpose is to reduce the chance of something bad happening or reduce the impact if it does.

 

The Risk Management Process

Risk management follows a step-by-step process to ensure risks are understood, prioritised, and addressed effectively.

Identification

What it is:

Spotting possible risks, threats, or vulnerabilities that could harm the organisation.

Examples:

  • Weak passwords (vulnerability)

  • Malware infection (threat)

  • Power outage affecting the server room (risk)

This step creates a list of potential issues that need to be monitored or controlled.


Probability

What it is:

Estimating how likely each risk is to occur.

Categories often used:

  • High (almost certain to happen)

  • Medium (may happen occasionally)

  • Low (unlikely but possible)

Example:
There’s a high chance staff will forget to lock their computers when leaving desks.

This step helps identify the most urgent risks to focus on.


Impact

What it is:

Evaluating how much damage the risk could cause to systems, data, reputation, finances, or people.

Factors to consider:

  • Value of the asset at risk

  • Sensitivity of the data

  • Importance of the system or service

Example:
Losing access to payroll software could delay staff payments and create serious financial and reputational issues.

Impact is often measured as:

  • High

  • Medium

  • Low


Prioritisation

What it is:

Using both probability and impact to determine which risks should be dealt with first.

A risk with high probability and high impact is a top priority.

Includes:

  • Assigning risk owners (the people responsible for managing each risk)

  • Planning how to reduce or accept the risk

Example:
If phishing attacks are both likely and damaging, then they get top priority and are assigned to the IT security team to manage.


Mitigation

What it is:

Putting in place measures or controls to reduce the probability of the risk occurring or the impact if it does.

Types of mitigation:

  • Preventative (e.g. firewalls, staff training)

  • Detective (e.g. monitoring, logs)

  • Corrective (e.g. backups, disaster recovery)

Example:
To mitigate the risk of data loss:

  • Backups are taken daily

  • Only trained staff can delete files

  • Backup recovery is tested monthly

Mitigation is ongoing – risks must be monitored and controls updated regularly.

 

Example Risk Matrix with RAG Ratings

🔴 Red – High Risk → Immediate action required

🟠 Amber – Medium Risk → Plan to control or reduce risk

🟢 Green – Low Risk → Monitor regularly

Risk Scoring Grid

| Probability ↓ / Impact → | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Low (1) | 🟢 Low Risk (1×1=1) | 🟢 Low Risk (1×2=2) | 🟠 Medium Risk (1×3=3) |
| Medium (2) | 🟢 Low Risk (2×1=2) | 🟠 Medium Risk (2×2=4) | 🟠 Medium Risk (2×3=6) |
| High (3) | 🟠 Medium Risk (3×1=3) | 🔴 High Risk (3×2=6) | 🔴 High Risk (3×3=9) |

 

Example Risk Entries Using the Matrix

| Risk | Probability (1–3) | Impact (1–3) | Risk Score | RAG Rating | Action Required |
|---|---|---|---|---|---|
| Weak staff passwords | 3 | 2 | 6 | 🔴 High | Enforce strong password policy, training |
| USB device misuse | 2 | 2 | 4 | 🟠 Medium | Disable USB ports or apply endpoint control |
| Data loss due to failed backup | 2 | 3 | 6 | 🔴 High | Review and test backup schedule regularly |
| Server downtime from power cut | 1 | 3 | 3 | 🟠 Medium | Install UPS and backup power |
| Phishing email | 2 | 1 | 2 | 🟢 Low | Continue awareness training and monitoring |
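A risk register is only useful if its ratings agree with the matrix it claims to follow. The following is an added example, not part of the original course material: it encodes the scoring grid and the five register rows above, checks each row's score and RAG rating against its grid cell, and orders the risks for action. The function names `audit` and `prioritise` are constructed for illustration. Note that the grid rates each cell, not the score alone: a score of 6 is amber at probability 2 × impact 3 but red at probability 3 × impact 2.

```python
GREEN, AMBER, RED = "Green", "Amber", "Red"

# The page's Risk Scoring Grid: GRID[probability][impact], both on a 1-3 scale.
GRID = {
    1: {1: GREEN, 2: GREEN, 3: AMBER},
    2: {1: GREEN, 2: AMBER, 3: AMBER},
    3: {1: AMBER, 2: RED, 3: RED},
}

# The page's example register rows: (risk, probability, impact, score, RAG).
REGISTER = [
    ("Weak staff passwords", 3, 2, 6, RED),
    ("USB device misuse", 2, 2, 4, AMBER),
    ("Data loss due to failed backup", 2, 3, 6, RED),
    ("Server downtime from power cut", 1, 3, 3, AMBER),
    ("Phishing email", 2, 1, 2, GREEN),
]


def audit(register):
    """Return (risk, problem) pairs for rows that disagree with the grid."""
    findings = []
    for risk, probability, impact, score, rag in register:
        if probability not in GRID or impact not in GRID[probability]:
            findings.append((risk, f"probability/impact {probability}/{impact} is off the 1-3 scale"))
            continue
        if score != probability * impact:
            findings.append((risk, f"score {score} is not {probability} x {impact}"))
        expected = GRID[probability][impact]
        if rag != expected:
            findings.append(
                (risk, f"register says {rag}, grid cell P{probability} x I{impact} says {expected}")
            )
    return findings


def prioritise(register):
    """Order valid rows by grid rating (Red first), then by score, highest first."""
    rank = {RED: 0, AMBER: 1, GREEN: 2}
    valid = [r for r in register if r[1] in GRID and r[2] in GRID[r[1]]]
    return sorted(valid, key=lambda r: (rank[GRID[r[1]][r[2]]], -r[3]))


if __name__ == "__main__":
    for risk, problem in audit(REGISTER):
        print(f"CHECK  {risk}: {problem}")
    for risk, probability, impact, score, _ in prioritise(REGISTER):
        print(f"{GRID[probability][impact]:<6} score {score}  {risk}")
```

Run against the rows above, the check flags one entry, "Data loss due to failed backup", whose register rating is Red while its grid cell (probability 2, impact 3) is Amber; a reviewer would then decide whether the entry or the grid should change.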

 

Review and Reflect

Working in small groups, look at an existing risk matrix and explore probability, impact and RAG ratings.

 

Manage the Risk

Scenario:
You're helping a local business review its IT security. You’ve identified the following possible risks:

- Staff using weak passwords
- Fire in the server room
- Public Wi-Fi access by visitors

Your Task:
1. For each risk, estimate the probability and impact (High/Medium/Low).
2. Prioritise the risks from most to least critical.
3. Suggest one mitigation method for each.

Extension:
Create a visual heat map showing probability vs. impact for each risk.

 

 


Week 13 T&L Activities:

K1.13 Approaches and tools for the analysis of threats and vulnerabilities:

To protect digital systems effectively, organisations must analyse the threats and vulnerabilities they face. This helps them decide what to prioritise, what action to take, and how much risk is acceptable.

There are two main approaches to risk analysis and a range of tools used to support each one.

 

Risk Analysis Approaches

Qualitative Risk Analysis: Non-numerical Approach

This method focuses on describing risks and ranking them based on expert judgement, opinion, and relative severity rather than numbers.

How it works:

  • Each risk is assessed using a RAG rating:

    • 🔴 Red – High risk (needs immediate action)

    • 🟠 Amber – Medium risk (monitor and plan control)

    • 🟢 Green – Low risk (no immediate action needed)

Example:

If a risk could seriously damage reputation but is unlikely, it may still be rated Amber due to the high impact.

Used when:

  • There's limited numerical data

  • Decisions need to be made quickly or visually


Quantitative Risk Analysis: Numerical Approach

This approach uses numbers, data, and formulas to calculate the cost, likelihood, and effect of risks. It gives more precise information for financial or technical decisions.

How it works:

  • Assign values to:

    • Probability (% chance of risk)

    • Impact (e.g. financial loss, time delays)

  • Calculate potential loss, downtime, or resource usage

Example:

“If a cyberattack has a 25% chance per year of causing £40,000 in damage, the annual expected loss is £10,000.”

Used when:

  • There’s enough data and resources to support detailed analysis

  • Results are needed for budgeting, insurance, or audit purposes


Tools for Threat and Vulnerability Analysis

Below is a breakdown of key tools used in both qualitative and quantitative approaches.

| Tool | Type | Purpose / Use |
|---|---|---|
| 🔗 Fault Tree Analysis (FTA) | Qualitative/Visual | Diagrams showing how multiple failures can lead to one major issue |
| 📊 Impact Analysis | Qualitative | Assesses how a risk could affect different parts of the business (e.g. finance, operations) |
| ⚙️ Failure Mode, Effects and Criticality Analysis (FMECA) | Quantitative | Identifies where failures could occur, how serious they’d be, and how often |
| 💰 Annualised Loss Expectancy (ALE) | Quantitative | Calculates expected yearly financial loss from a risk |
| 🛡️ CRAMM (CCTA Risk Analysis and Management Method) | Mixed | UK government-developed method for assessing assets, threats, and countermeasures |
| 🧭 SWOT Analysis | Qualitative | Identifies Strengths, Weaknesses, Opportunities, and Threats |
| 📋 Risk Register | Qualitative | A live document that lists identified risks, their RAG rating, owner, and actions |
| 🧮 Risk Matrix | Qualitative/Hybrid | Visual tool showing impact vs. probability and helps assign RAG ratings |

 

Part 1: Approaches to Analysing Threats and Vulnerabilities
In pairs, discuss the approaches available (qualitative and quantitative). You will then be assigned one or more of the tools for analysing threats and vulnerabilities; with your partner, work through the discussion points provided. At the end of the discussion you will present (verbally) your thoughts and views to the rest of the group.


Qualitative vs Quantitative Analysis
Discussion Prompts:

What are the advantages of using qualitative analysis (e.g. RAG ratings) in fast-paced business environments?
Why might some organisations prefer quantitative analysis when managing high-risk systems (e.g. financial or healthcare sectors)?
In what scenarios is it useful to combine both approaches?
How could relying only on opinion (qualitative) lead to biased risk prioritisation?
How might limited access to data make quantitative analysis harder?


Part 2: Approaches to Analysing Threats and Vulnerabilities
Discussion Points: Tools for Threat & Vulnerability Analysis

Fault Tree Analysis (FTA)
Discussion Prompts:

How does visually mapping failure chains help organisations understand risk better?
Can FTA be used for both technical systems (e.g. servers) and human behaviours (e.g. clicking phishing emails)?
What are the limitations of this tool in complex IT environments?

Impact Analysis
Discussion Prompts:

How do we measure the impact of a threat that affects reputation but not money?
Should emotional or public confidence factors be included in impact analysis?
Can impact analysis help justify spending on cyber security to senior management?

Failure Mode, Effects and Criticality Analysis (FMECA)
Discussion Prompts:

Why is it important to think about the probability, consequences, and detectability of a failure?
How useful is FMECA in planning system maintenance or upgrades?
What challenges exist when applying FMECA to software or cloud-based environments?

Annualised Loss Expectancy (ALE)
Discussion Prompts:

How accurate do you think ALE is when predicting financial loss from cyber threats?
How could ALE be used when budgeting for cyber security defences?
Can ALE help organisations choose between different security technologies?

CRAMM (CCTA Risk Analysis and Management Method)
Discussion Prompts:

Why might a government-developed tool like CRAMM be more trusted in public sector environments?
Is CRAMM too complex for small organisations, or can it be simplified?
How might CRAMM differ from general commercial risk analysis tools?

SWOT Analysis
Discussion Prompts:

How can identifying opportunities and strengths help in a risk analysis session?
Should SWOT analysis be updated regularly, and by whom?
What are the dangers of overestimating strengths or ignoring weaknesses?

Risk Register
Discussion Prompts:

What are the benefits of having a “living document” that tracks risk?
Who should be responsible for updating the risk register – IT team, management, or everyone?
How can the RAG ratings in a risk register help teams plan actions?

Risk Matrix
Discussion Prompts:

How can a simple 3×3 or 5×5 risk matrix make complex risk decisions easier to understand?
What are the risks of subjectivity when assigning probability and impact levels?
How might teams disagree on the severity of risks—and how can they resolve those differences?

Extension Task:
Select two tools or approaches and respond to:
- Where would you use each tool?
- Which is more useful in an organisation with limited staff and budget?
- Which helps best with long-term planning?

 

 

 

 


Week 14 T&L Activities:

K1.14 Factors involved in threat assessment for the mitigation of threats and vulnerabilities:

Threat assessment involves analysing all the possible internal and external risks that may affect an organisation’s information systems. By identifying the type, source, and impact of threats, organisations can plan how to prevent or reduce them (mitigation).

These factors fall into four main categories:


Environmental Threats

Environmental threats are natural or environmental conditions that can damage or disrupt IT operations.

| Factor | Example Impact |
|---|---|
| Extreme Weather | Flooding, snow, or storms damaging on-site servers or cutting power |
| Natural Disasters | Earthquakes or fires destroying physical infrastructure |
| Humidity | High moisture damaging internal hardware components |
| Air Quality | Dust clogging cooling systems or reducing device performance |

 

Mitigation Example: Install temperature and humidity sensors; keep servers in a climate-controlled room.


Manmade Threats

Internal (from inside the organisation)

| Threat | Description |
|---|---|
| Malicious activity | Deliberate harm such as data theft or sabotage |
| Inadvertent activity | Accidental damage such as deleting important files |
| Contractor errors | Temporary staff misconfiguring systems or leaking info |

 

Mitigation: Role-based access control, staff training, clear acceptable use policies.

External (from outside the organisation)

| Threat | Example |
|---|---|
| Malware | Viruses, ransomware, spyware |
| Hacking | Brute-force attacks, network intrusions |
| Social Engineering | Phishing emails or phone scams |
| Third-party Risks | Suppliers with weak cyber defences |
| Terrorism | Cyber or physical attacks aimed at business systems |

 

Mitigation: Firewalls, antivirus, regular risk assessments of suppliers, staff awareness training.


Technological Threats

Technology Failures & Faults (Infrastructure)

| Example | Impact |
|---|---|
| Misconfigured Devices | Open security loopholes |
| Disk Failure/Corruption | Data loss or downtime |
| Component Failure | System crashes |
| Power Issues | Sudden shutdowns, damaged hardware |
| Network Dropouts | Loss of connectivity, productivity issues |
| VPN Not Connecting | Remote users unable to access resources |
| Inaccessible Systems | Business operations paused |

 

Device Failures (e.g. Laptops, Desktops, Servers)

| Fault | Effect |
|---|---|
| Hard Disk or RAM Failure | Boot issues, data loss |
| Damaged Peripherals | Inability to use printers, keyboards etc. |
| Incorrect Configuration | Security or operational risk |
| NIC/Graphics Card Problems | Connectivity or display issues |
| Server Backup Misconfiguration | Backups not running or restoring correctly |

 

System Failures

| Problem | Effect |
|---|---|
| Firewall Settings Misapplied | Blocking legitimate access or exposing systems |
| Software Corruption | Crashes, lost functionality |
| RAID Failure | Data redundancy and recovery failure |

 

Mitigation Across All: Regular updates, health checks, backups, robust IT maintenance schedules.

Impact of Technical Change

| Threat | Examples |
|---|---|
| Potential Downtime | During upgrades or migrations |
| Upgrade Requirements | For compatibility or performance |
| Misconfigured Systems | Errors post-update impacting performance/security |

 

Mitigation: Change management processes, testing before deployment, rollback plans.


Political Threats

| Factor | Example Impact |
|---|---|
| Changes in Legislation | New data protection laws (e.g. GDPR), requiring compliance adjustments |

 

Mitigation: Stay updated on regulations, consult legal experts, adjust policies accordingly.

 

In a Flash: create flash cards on one of the following topics:

- Environment (for example, weather, natural disasters)
- Manmade (for example, malware, virus, social engineering)
- Technological (for example, faults, failures, incorrect configurations, data corruption)
- Political (for example, changes in legislation)


Week 15 T&L Activities:

K1.15 The purpose of risk assessment in a digital infrastructure context:

Purpose:

  • To identify and reduce risk by:

    • implementing Health and Safety Executive (HSE) guidelines to projects (for example installing a new uninterruptible power supply (UPS) system into a server room and identifying risks to the installers)

    • investigating risks within the project environment (for example undertaking a PESTLE analysis)

    • internal and external risk identification (for example implementing a supply chain assessment)

    • quantification of impact on asset value (for example financial loss as a result of downtime)

 


Week 16 T&L Activities:

K1.16 Types of risk response within a digital infrastructure context:

When risks are identified in a digital infrastructure (e.g. networks, servers, software systems), organisations must decide how to respond. The chosen response depends on the severity, probability, cost, and business impact of the risk.

There are four common types of risk response:

Accept the Risk

Definition:

The organisation chooses to do nothing about the risk because:

  • The cost of responding is greater than the cost of the risk

  • The impact is low and considered manageable

  • It’s not practical to control

Example in Digital Infrastructure:

  • A legacy printer may crash once a month but restarting it fixes the issue easily. The business accepts the minor disruption.

Key Point:

You must still monitor the risk, even if it’s accepted.

Avoid the Risk

Definition:

The organisation eliminates the risk entirely by changing plans, tools, or actions.

Example in Digital Infrastructure:

  • Instead of building a custom cloud storage solution (which could fail due to lack of expertise), a company uses a trusted third-party cloud provider.

Key Point:

Avoiding risk usually means changing the original scope, technology, or method of a project.

Mitigate the Risk

Definition:

The organisation reduces the chance of the risk happening or minimises the impact if it does.

Example in Digital Infrastructure:

  • To mitigate the risk of data loss, automated cloud backups are set up daily.

  • To reduce the risk of phishing, staff receive regular cybersecurity training.

Key Point:

Mitigation uses controls, policies, or systems to lower the level of risk.

Transfer the Risk

Definition:

The organisation passes the responsibility for the risk to a third party (usually through a contract).

Example in Digital Infrastructure:

  • Cybersecurity insurance is purchased so the company is covered for financial losses due to a breach.

  • A managed service provider (MSP) is hired to manage network security and ensure compliance.

Key Point:

Risk is not removed—it’s just handled by someone else, often at a cost.

 

What is the purpose of a risk assessment, and how does it identify and reduce risks through HSE guidelines and the different responses to risk?

- Accept
- Avoid
- Mitigate
- Transfer

 

Research health and safety at work guidelines and create a poster that could be used in the workplace.

 


Week 17 T&L Activities:

K1.17 The process of penetration testing within digital infrastructure:

Penetration testing is carried out in 5 key phases, each with a specific purpose and outcome:

Planning and Reconnaissance

What it is:

This phase defines the scope and goals of the test and gathers information to understand the target system.

Key Activities:

  • Agreeing the scope (e.g. test only web servers or full network)

  • Defining goals (e.g. find data access flaws, test firewall resilience)

  • Reconnaissance: Collecting publicly available information (e.g. WHOIS records, social media, IP ranges)

Example: The tester finds out which software versions are being used on the company’s web server.

Scanning

What it is:

The tester uses tools to scan systems for weaknesses and understand how they respond to different inputs.

Types of Scanning:

  • Static Analysis – Reviewing code or system structure without running it

  • Dynamic Analysis – Testing live systems while they’re operating

Example: Running a port scanner (like Nmap) to see which ports are open and what services are running on them.

Gaining Access

What it is:

This is the active phase of trying to exploit identified vulnerabilities to gain access to the system.

Techniques:

  • SQL Injection – inserting malicious SQL code to gain database access

  • Backdoors – using a hidden method to access a system

  • Cross-Site Scripting (XSS) or password cracking

Example: Exploiting a weak admin login form to access sensitive data.

Maintaining Access

What it is:

Once access is gained, the tester checks if they can stay inside the system undetected or move deeper.

Purpose:

To understand how long an attacker could remain without being noticed, and how much damage they could cause.

Example: Using a known vulnerability to create a user account with admin rights for future access.

Analysis and WAF Configuration

What it is:

This is the final phase, where results are analysed and reported to the organisation. Findings are used to strengthen defences.

Key Actions:

  • Compile a detailed report of vulnerabilities and how they were exploited

  • Recommend fixes

  • Update or reconfigure WAF (Web Application Firewall) settings to block future attacks

Example: The report shows SQL injection was possible – the WAF is updated to block similar patterns in input forms.
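A WAF rule filters known patterns at the edge; the "recommend fixes" part of the report would normally also name the code-level fix, which is to stop building SQL from user input. The following is an added example, not part of the original course material: it shows a login check written with string concatenation beside the same check using a parameterised query, run against an in-memory SQLite database. The table, function names, salt, password and test input are all constructed for illustration.

```python
import hashlib
import sqlite3

# Constructed fixed salt to keep the example short; real systems use a
# random salt per user.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery staple"   # constructed


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("admin", hash_password(DEMO_PASSWORD))
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # Before: user input is pasted into the SQL text, so a quote or comment
    # marker typed into the form becomes part of the statement itself.
    query = (
        "SELECT 1 FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + hash_password(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username: str, password: str) -> bool:
    # After: the statement is fixed and the values are bound separately, so
    # the database treats the input as data only, never as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, hash_password(password))).fetchone()
    return row is not None


# Constructed test input of the kind a pen-test report would record: the
# quote closes the string and the comment marker removes the password check.
CONSTRUCTED_INPUT = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input:   ", login_vulnerable(db, CONSTRUCTED_INPUT, "wrong"))
    print("parameterised, crafted input:", login_parameterised(db, CONSTRUCTED_INPUT, "wrong"))
    print("parameterised, real password:", login_parameterised(db, "admin", DEMO_PASSWORD))
```

The same crafted input makes a useful regression test: after the fix it should be rejected both by the application and by the updated WAF rule.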

Pen Testing Example Table

| Phase | Activity | Tool/Technique Example |
|---|---|---|
| Planning | Define test scope, gather info | WHOIS, Shodan |
| Scanning | Probe systems for weaknesses | Nmap, Nessus, Nikto |
| Gaining Access | Exploit vulnerabilities | SQL injection, Metasploit |
| Maintaining Access | Remain undetected, escalate privileges | Install reverse shell, create user |
| Analysis & WAF Config | Report findings, apply patches/config changes | OWASP ZAP report, update firewall |

 

Plan Your Own Penetration Test

Scenario:
Your organisation has asked you to conduct a penetration test on a company website.

Your Task:
1. Write a step-by-step plan that includes each phase of the pen test.
2. For each step, list:
    - One tool or technique you'd use
    - What result you would expect
    - How that result could help improve security

Extension:
Research a real pen testing tool (e.g. Kali Linux, Burp Suite) and summarise how it supports one of the test phases.

Using any of the tools found on the Pen Test Tools website, explore any website for its vulnerabilities: https://pentest-tools.com/

 

 

 

 


Week 18 T&L Activities:

K1.18 The considerations in the design of a risk mitigation strategy:

A risk mitigation strategy outlines how an organisation plans to reduce or control risks to its digital systems and services. To be effective, it must be carefully designed with several key factors in mind.

Risk Response

You must first decide the type of response for each identified risk. This forms the foundation of the mitigation strategy.

| Response Type | Definition | Example |
|---|---|---|
| Accept | Take no action because risk is low or manageable | Allow minor printer downtime once a month |
| Avoid | Eliminate the risk by changing plans or approach | Cancel a risky software upgrade |
| Mitigate | Take steps to reduce the chance or impact | Add firewall rules to reduce likelihood of intrusion |
| Transfer | Pass risk to another party (e.g. through insurance) | Outsource backup responsibilities to a cloud provider |

 

User Profile

Consider the users involved in or affected by the mitigation plan. Different users have different needs and ability levels.

| User Consideration | Example |
|---|---|
| Requirements | Mobile users may need secure remote access |
| Ability Level | Non-technical staff may need simple instructions |

 

Make sure security measures (e.g. password policies, multi-factor authentication) are appropriate and accessible for the intended users.

Cost and Benefit

Analyse the cost of mitigation against the potential impact of the risk. This helps justify whether it’s worth implementing.

| Question to Ask | Example |
|---|---|
| Is the solution affordable? | Is upgrading to enterprise antivirus worth the £2,000 cost? |
| Is the benefit greater than the risk? | Will a £500 UPS save more than that in downtime prevention? |

 

Use cost-benefit analysis to support decision-making.

Assign an Owner of the Risk

Each risk should have a clearly defined risk owner – the person or team responsible for:

  • Monitoring the risk

  • Ensuring the mitigation actions are followed

  • Updating the risk’s status

| Example | A network administrator is assigned as the owner of the risk of firewall misconfiguration. |

This adds accountability and ensures the risk isn’t ignored.

Escalation to the Appropriate Authority

If a risk becomes too severe or cannot be resolved at a lower level, it should be escalated to management or another senior decision-maker.

| Example | A system vulnerability cannot be patched without budget approval, so it’s escalated to the IT Director. |

Escalation ensures critical decisions are made by those with the correct authority.

Planning Contingencies

Develop backup plans in case mitigation fails or the risk becomes reality. This includes:

  • Failover systems

  • Alternative access routes

  • Manual procedures

| Example | If the primary server fails, a contingency plan switches operations to a cloud-based backup server. |

Contingency planning reduces downtime and disruption.

 Monitoring and Reviewing Process

Once a risk mitigation strategy is in place, it must be monitored and reviewed regularly to ensure it still works and is up to date.

Activities include: log reviews, testing controls, user feedback, security audits.

Threats evolve – risk strategies must adapt too.

 

Design a Risk Mitigation Strategy

Scenario:
You’re designing a mitigation plan for the following risk: “Unsecured USB ports allow malware infections.”

Task:
1. Choose a risk response.

2. Consider:
   - Who the users are
   - Cost vs benefit
   - Who will own the risk
   - What the escalation route would be
   - What your contingency plan is
   - How the plan will be monitored

Extension: Create a short presentation outlining your strategy to a management board.

Class discussion on encryption as a risk mitigation technique, covering the different types of encryption, including data at rest and in transit.

Back it up, pack it in, let me begin

In small groups of 2-3 create a collaborative presentation that considers back-up techniques that will support risk mitigation.
Your presentation should identify:
    - The purpose of backups. 
    - Back up criteria (for example, frequency and storage). 
    - Type of backup (for example, full or incremental).  

 

 


Week 19 T&L Activities:

K1.19 The purpose of technical security controls as risk mitigation techniques and their applications to business risks within a digital infrastructure context:

Technical security controls are automated or configured defences put in place to prevent, detect, or respond to cyber threats. They are essential in mitigating business risks within any digital infrastructure.

Technical Security Controls and Their Applications

Cyber Essentials – 5 Core Controls

Cyber Essentials is a government-backed certification scheme in the UK that outlines five key technical controls that help protect organisations from common cyber attacks.

| Control | Purpose / Risk Mitigated | Example Application |
|---|---|---|
| 🔥 Boundary Firewalls & Gateways | Control and restrict incoming/outgoing network traffic | Block access to unsafe websites or external ports |
| 🛠 Secure Configuration | Ensure systems are set up securely | Remove unused software, disable unnecessary services |
| 🦠 Malware Protection | Detect, prevent and remove viruses or malicious code | Run anti-virus software, block suspicious downloads |
| 🔄 Patch Management | Keep software updated to fix vulnerabilities | Automatically update operating systems and critical applications |
| 🔑 Access Control | Only allow users the access they need (least privilege) | Restrict admin rights, enforce strong passwords |

 

Additional Technical Security Controls

These extend beyond Cyber Essentials and provide deeper protection within larger or more complex digital infrastructures.

Device Hardening

Reducing the attack surface of a device by removing unnecessary components.

| Risk Mitigated | Example Application |
|---|---|
| Unauthorised access or system misuse | Disable unused ports, delete guest accounts |
| Exploitation of unnecessary services | Uninstall trial software, remove FTP services |

 

Segmentation

Dividing the network or systems into isolated sections to reduce the impact of a breach.

| Risk Mitigated | Example Application |
|---|---|
| Spreading of malware or attacks | Separate guest Wi-Fi from internal business network |
| Data theft across departments | Restrict HR data access to only HR staff |

 

Hardware Protection

Using dedicated hardware or protective software to secure devices and data.

| Risk Mitigated | Example Application |
|---|---|
| Theft or damage of hardware | Encrypt hard drives, install secure boot firmware |
| Data loss from damaged hardware | Use RAID arrays and UPS (Uninterruptible Power Supply) |

 

Multi-Factor Authentication (MFA)

Using two or more factors to verify user identity.

| Risk Mitigated | Example Application |
|---|---|
| Password compromise | Require SMS code or authenticator app in addition to password |
| Account hijacking | Biometric login or key fob-based access |

 

Remote Monitoring and Management (RMM)

Monitoring systems and devices remotely to detect issues early and apply fixes.

| Risk Mitigated | Example Application |
|---|---|
| Unnoticed device failures | Set alerts for system errors or crashes |
| Delays in applying patches | Deploy software updates remotely |

 

Vulnerability Scanning

Regular scanning of devices, ports, and networks to identify weaknesses.

| Risk Mitigated | Example Application |
|---|---|
| Unpatched or unknown vulnerabilities | Port scan servers for open ports or outdated software |
| Network exposure | Scan IoT devices for known firmware bugs |

 

Match the Control
Instructions:
You’re an IT support technician asked to advise on technical controls for a new college network.

1. Match each threat below to the most appropriate technical control:
Malware infection
Unauthorised access to admin tools
Weak student Wi-Fi password
Outdated firewall firmware
USB device spreading a virus

2. Explain how each control helps reduce or eliminate the threat.
Extension: Create a visual mind map showing all the controls and what threats they help to prevent.

Discuss the relationship between organisational policies and procedures and risk mitigation. Explore different policies that might be developed to alleviate risk, such as BYOD, password policy and software usage. Also, explore HSE policies, such as lone working, manual handling or fire safety.  Consider how these are monitored and checked for compliance.

 


Week 20 T&L Activities:

K1.20 The purpose and types of encryption as a risk mitigation technique and their applications:

The purpose of encryption is to store and transfer data securely using cryptography techniques, so that it cannot be read or accessed by unauthorised users.

Encryption helps protect:

  • Personal and sensitive information (e.g. passwords, bank details)

  • Confidential business data (e.g. financial records, customer data)

  • Communications across networks (e.g. websites, emails)

 

What Is Encryption?

Encryption is the process of converting readable data (plaintext) into a scrambled, unreadable format (ciphertext), which can only be turned back into readable data (decrypted) using a special key.

 

Types of Encryption and Their Applications

Asymmetric Encryption

Uses two different keys: a public key to encrypt and a private key to decrypt.

| Purpose | Send secure data between two parties (who don’t share a key) |
| Application Example | Encrypted email systems (e.g. ProtonMail, PGP encryption) |
| How It Works | You encrypt with the recipient’s public key, and they decrypt with their private key |

 

Useful for secure sharing over untrusted networks.

Symmetric Encryption

Uses one shared key to encrypt and decrypt data.

| Purpose | Encrypt large amounts of data quickly |
| Application Example | Card payment systems, encrypted messaging apps |
| How It Works | The same secret key is used by both sender and receiver |

 

Faster than asymmetric encryption but requires secure key sharing.

 

Data at Rest Encryption

Protects stored data (e.g. on hard drives or USBs) so that even if the device is stolen, the data is unreadable.

Full Disk Encryption

| Purpose | Encrypts everything on a device |
| Application Example | BitLocker (Windows), FileVault (macOS) |
| How It Helps | Prevents access to data if the device is lost or stolen |

 

Hardware Security Module (HSM)

| Purpose | Physically secures and stores encryption keys |
| Application Example | Data centres and cloud environments |
| How It Helps | Protects private keys from tampering, hacking or being exported |

 

Trusted Platform Module (TPM)

| Purpose | Stores device-specific encryption keys in hardware |
| Application Example | Laptops, servers, secure boot processes |
| How It Helps | Ensures keys can’t be moved to another system |

 

Data in Transit Encryption

Protects moving data (e.g. between computers or over the internet) from being intercepted.

Secure Sockets Layer (SSL) (older but still known)

| Purpose | Creates secure encrypted link between website and browser |
| Application Example | HTTPS websites with padlock symbol |
| How It Helps | Prevents hackers from reading data (e.g. login credentials, payments) |

 

Transport Layer Security (TLS) (SSL’s modern replacement)

| Purpose | Encrypts data in transit between devices or networks |
| Application Example | Used in secure email, instant messaging, VoIP, websites |
| How It Helps | Prevents man-in-the-middle attacks |

 

TLS is more secure and widely used than SSL.

 

Encryption Explorer

Instructions:
Choose three types of encryption from the list above. For each:

1. Describe what it protects
2. Give a real-world example
3. Explain how it reduces digital risk

Extension: Create a simple infographic or flowchart showing the difference between data at rest and data in transit encryption.

 

 


Week 21 T&L Activities:

K1.21 The purpose, criteria and types of back-up involved in risk mitigation:

The purpose of a back-up is to maintain an up-to-date copy of data that can be used to restore systems or information in the event of:

  • Full disaster recovery (e.g. flood, ransomware attack)

  • Partial data loss (e.g. accidental deletion, corrupted file)

Back-ups help organisations recover quickly and continue operating with minimal disruption.

 

Back-Up Criteria

When designing a back-up strategy, organisations must consider the following key criteria:

| Criterion | Explanation | Example |
|---|---|---|
| Frequency | How often data is backed up | Hourly, daily, weekly, monthly |
| Source | What is being backed up | Individual files, folders, databases, entire systems |
| Destination | Where the data is being backed up to | Local disk, external hard drive, remote server, cloud |
| Storage | What kind of storage device or system is used | Cloud storage, LTO (Linear Tape Open), USB, external disk |

 

The more frequent and reliable the back-up, the less data the organisation will lose in a disaster.

Types of Back-Up

Organisations use different types of back-up depending on how much data they have, how often it changes, and how fast they need to recover.

Full Back-Up

A complete copy of all selected data is made every time a back-up is run.

| Pros | Cons |
|---|---|
| Easy and fast to restore | Takes up the most storage space |
| Simple to manage | Takes longer to complete |

 

Best for weekly back-ups or before big changes.

Incremental Back-Up

Only backs up data that has changed since the last back-up (whether full or incremental).

| Pros | Cons |
|---|---|
| Saves time and storage | Slower to restore (requires all previous incremental files) |

 

✅ Good for daily/hourly back-ups where storage space is limited.

Differential Back-Up

Backs up all changes made since the last full back-up (ignores previous differential back-ups).

| Pros | Cons |
|---|---|
| Faster restore than incremental | Slower back-up than incremental |
| Only need last full + one differential | Takes more space than incremental |

 

Balances speed and space — often used mid-week between full back-ups.

Mirror Back-Up

Creates an exact real-time duplicate (mirror) of the source data.

| Pros | Cons |
|---|---|
| Instant restore | Cannot recover deleted or corrupted files if they mirror immediately |
| Real-time back-up | Higher cost, more technical setup |

 

Ideal for systems that require near-zero downtime (e.g. financial services).

Example Scenario

A college IT department backs up student data as follows:

  • Sunday: Full back-up to cloud

  • Monday to Friday: Incremental back-up to network-attached storage (NAS)

  • Every hour: Mirror back-up of assessment system for real-time restoration

This layered strategy balances storage, recovery speed, and security.
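The trade-off between incremental and differential back-ups can be seen by simulating one week of each, as in this added example (not part of the original course material). The file names and daily changes are constructed, and the model tracks file names only, not file contents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    day: int          # 0 = Sunday ... 5 = Friday
    kind: str         # "full", "incremental" or "differential"
    files: frozenset  # file names captured in this set


def run_schedule(changes_per_day, kinds):
    """Build the back-up sets a schedule produces.

    changes_per_day[i] is the set of files created or modified on day i;
    kinds[i] is the type of back-up run at the end of that day.
    """
    sets, all_files = [], set()
    since_full, since_last = set(), set()
    for day, (changed, kind) in enumerate(zip(changes_per_day, kinds)):
        all_files |= changed
        since_full |= changed
        since_last |= changed
        if kind == "full":
            captured = set(all_files)     # everything, every time
            since_full.clear()
        elif kind == "incremental":
            captured = set(since_last)    # changes since the last back-up of any type
        elif kind == "differential":
            captured = set(since_full)    # changes since the last full back-up
        else:
            raise ValueError(f"unknown back-up type: {kind}")
        since_last.clear()
        sets.append(BackupSet(day, kind, frozenset(captured)))
    return sets


def restore_chain(sets, target_day):
    """Return, in order, the sets needed to restore the state at target_day."""
    chain = []
    for s in sets:
        if s.day > target_day:
            break
        if s.kind == "full":
            chain = [s]                   # a full back-up restarts the chain
        elif not chain:
            continue                      # nothing is usable before the first full
        elif s.kind == "differential":
            chain = [chain[0], s]         # replaces everything since the full
        else:
            chain.append(s)               # every incremental is required
    return chain


def restored_files(chain):
    """File names recovered by applying every set in the chain."""
    recovered = set()
    for s in chain:
        recovered |= s.files
    return recovered


def stored_items(sets):
    """Rough storage cost: total number of file copies kept."""
    return sum(len(s.files) for s in sets)


# Constructed sample week: Sunday (day 0) to Friday (day 5).
WEEK_CHANGES = [
    {"register.db", "grades.xlsx", "timetable.doc"},  # Sunday
    {"grades.xlsx"},                                  # Monday
    {"coursework1.doc"},                              # Tuesday
    {"grades.xlsx", "coursework2.doc"},               # Wednesday
    {"register.db"},                                  # Thursday
    {"coursework3.doc"},                              # Friday
]
FULL_WEEK = run_schedule(WEEK_CHANGES, ["full"] * 6)
INCREMENTAL_WEEK = run_schedule(WEEK_CHANGES, ["full"] + ["incremental"] * 5)
DIFFERENTIAL_WEEK = run_schedule(WEEK_CHANGES, ["full"] + ["differential"] * 5)

if __name__ == "__main__":
    thursday = 4
    for name, week in [("full", FULL_WEEK),
                       ("incremental", INCREMENTAL_WEEK),
                       ("differential", DIFFERENTIAL_WEEK)]:
        chain = restore_chain(week, thursday)
        print(f"{name:12} stored copies: {stored_items(week):2}  "
              f"sets needed to restore Thursday: {len(chain)}")
    # Failure mode: one lost incremental set breaks the restore.
    chain = restore_chain(INCREMENTAL_WEEK, thursday)
    broken = [s for s in chain if s.day != 2]   # Tuesday's set is missing
    print("lost without Tuesday's set:",
          restored_files(chain) - restored_files(broken))
```

With this sample week the incremental schedule stores the fewest copies but needs five sets to restore Thursday, while the differential schedule needs only two; losing Tuesday's incremental set loses the file that was only captured that day.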

 

Design a Back-Up Strategy

Scenario:
You are responsible for designing a back-up solution for a small business that uses cloud systems, in-house servers, and allows remote work.

Task:
1. Choose a combination of back-up types (e.g. full + incremental).

2. Decide on:
  - Frequency of each back-up
  - Source data (files, systems, email)
  - Destination (e.g. cloud, external hard drive)
  - Storage method (e.g. LTO, disk)

3. Justify why your strategy will protect the business in case of:
  - Accidental deletion
  - Cyberattack
  - Hardware failure

Extension: Create a diagram to visually show the back-up schedule.

 


Week 22 T&L Activities:

K1.22 The relationship between organisational policies and procedures and risk mitigation:
 

Organisational policies and procedures help reduce risk by setting clear rules, responsibilities, and standard practices for staff and systems.
They support digital security, health and safety, and legal compliance.

By following these structured rules, organisations can:

  • Prevent incidents

  • Detect issues early

  • Respond quickly to minimise damage

Key Organisational Policies and Their Role in Risk Mitigation

Digital Use Policy

Outlines how technology should be used by employees. It contains standard operating procedures (SOPs) that protect digital infrastructure and reduce human error.

| Procedure Area | Risk Mitigated | Example |
|---|---|---|
| Network Usage and Control | Prevents slowdowns or malicious traffic | Monitor bandwidth, detect unusual behaviour |
| Internet Usage | Stops access to harmful or distracting websites | Block social media or unverified download sites |
| Bring Your Own Device (BYOD) | Reduces risk of infection or data leaks from personal devices | Enforce antivirus installation on personal phones |
| Working from Home (WFH) | Ensures secure and safe home setups | DSE assessments, VPN access |
| Password Renewal | Protects against long-term password compromise | Require password updates every 60 days |
| Software Usage | Ensures only secure and up-to-date apps are used | Disallow unauthorised software, enforce updates |

 

Impact: These policies reduce digital threats by limiting how systems are accessed and used.

Health and Safety Policy

Protects staff from physical harm and reduces business liability. It also ensures compliance with health and safety laws.

| Procedure Area | Risk Mitigated | Example |
|---|---|---|
| Lone Working | Reduces risk of harm when working alone | Require check-ins or buddy systems |
| Manual Handling | Prevents injury when lifting IT equipment | Train staff on safe lifting of servers or monitors |
| Working at Height | Avoids accidents when installing or repairing equipment | Use ladders and safety procedures |
| Fire Safety | Minimises fire-related injury or damage | Provide staff training and exit procedures |
| RIDDOR Compliance (2013) | Ensures reporting of injuries or hazards | Report electric shock from faulty cables |

 

Impact: These procedures help maintain a safe working environment for IT professionals and users.

Change Procedure

Controls how changes to IT systems (like updates, installations or network adjustments) are approved and recorded.

How It Helps Mitigate Risk
Prevents unauthorised or untested system changes
Ensures documentation for rollback if problems occur
Supports planning and testing of updates before deployment

 

Without this, rushed or undocumented changes could introduce vulnerabilities or system failures.

Auditing of Policies and SOPs

Regularly checks whether policies and procedures are being followed.

How It Helps Mitigate Risk
Ensures continued compliance with policies
Identifies gaps or weaknesses in controls
Enables organisations to update policies based on new risks or technologies

 

For example, audits might uncover that users aren’t updating their passwords – prompting training or automation.

Policy to Protection

Scenario:
You’ve joined a company as an IT technician. You need to help a new employee understand how company rules help protect systems and people.

Task:
1. Match each risk below to the correct policy or procedure:
Risk of data theft from personal phones
Risk of injury when lifting a server
Risk of staff ignoring update reminders
Risk of applying a faulty update to live systems

2. For each match, explain how the policy or SOP helps reduce the risk.

Extension: Suggest one new policy that could help mitigate a modern threat like AI phishing or deepfake fraud.

A Game of Risk

Peer review the risk strategy and update it following feedback. All risk strategies are collected in and each one is discussed in turn, highlighting security controls that could be implemented and how they would mitigate the risk (for example, software removal or reduced web access). The task is to be tutor-led to ensure all of the following are explored:

 - Boundary firewalls and gateways. 
 - Secure configurations. 
 - Malware protection. 
 - Patch management. 
 - Access control. 

 


Week 23 T&L Activities:

K1.23 The purpose and application of legislation, industry standards and regulatory compliance, and industry best practice guidelines for the security of information systems within digital infrastructure.

Organisations need to follow legal rules, meet industry standards, and apply best practice guidelines to:

  • Keep information systems secure

  • Protect personal data and business assets

  • Stay compliant and avoid legal/financial penalties

  • Build trust with customers, users and partners

Legislation – The Legal Framework

UK General Data Protection Regulation (UK GDPR)

Purpose:

Sets legal rules on how personal data is collected, stored, used and shared. It protects people's right to privacy.

Applications in Digital Infrastructure:

| Article | Purpose |
|---|---|
| Article 1 | States the objectives of protecting individuals’ personal data |
| Article 2 | Explains what data and actions are covered (e.g. storage, transfer, access) |
| Article 3 | Applies to UK-based organisations and others handling UK citizens' data |
| Article 4 | Defines terms like "data subject", "processing", "consent" |
| Article 5 | Sets principles: fairness, transparency, purpose limitation, accuracy, etc. |
| Article 6 | Lists legal reasons for processing data (e.g. consent, legal obligation) |
| Article 7 | Conditions under which consent is valid (clear, active, documented) |

 

Example: A company encrypts customer data and only keeps it for as long as needed — fulfilling Article 5.

Data Protection Act (DPA) 2018

Purpose:

The UK’s legal implementation of UK GDPR — makes data protection rules enforceable by law.

Key Applications:

| Requirement | Risk Mitigated |
|---|---|
| Fair, lawful and transparent data usage | Prevents misuse of user data |
| Specific and explicit purpose | Stops data being reused inappropriately |
| Adequate and limited data | Minimises unnecessary data collection |
| Accurate and up to date | Avoids errors and outdated information |
| Not kept longer than needed | Reduces exposure to breaches |
| Protected against loss, access, damage | Prevents leaks or hacking incidents |

 

Computer Misuse Act 1990

Purpose:

Protects against unauthorised access and cybercrime.

Applications:

| Offence Area | Example in Digital Infrastructure |
|---|---|
| Unauthorised access to systems or data | Hacking into a server or admin account |
| Access with intent to commit another crime | Logging into a payroll system to steal data |
| Acts to impair or damage systems | Installing ransomware or launching denial-of-service attack |

 

Violating this Act can lead to prosecution and imprisonment.

Industry Standards & Regulatory Compliance

ISO 27001 – Information Security Management

Purpose:

A global certification standard for managing information security in a business.

Applications:

  • Helps organisations comply with UK GDPR/DPA

  • Requires security policies, risk assessments, access control, and incident response plans

  • Encourages regular penetration testing and auditing

Used by banks, healthcare, cloud services to prove they're protecting data properly.

PCI DSS – Payment Card Industry Data Security Standard

Purpose:

A worldwide standard to protect cardholder data and reduce payment fraud.

Applications:

| Requirement | Example in Practice |
|---|---|
| Secure network setup | Firewalls between card systems and public networks |
| Data protection | Encrypt card numbers, never store CVV codes |
| Vulnerability management | Keep systems patched, use antivirus |
| Access control | Only allow authorised staff to view cardholder data |
| Monitoring and testing | Regular scans and logging of system activity |
| Security policy | Documented processes for incident response and training |

 

Essential for any business that processes debit or credit cards.

Industry Best Practice Guidelines

NCSC – 10 Steps to Cyber Security

Purpose:

Developed by the UK’s National Cyber Security Centre to guide organisations on improving digital security.

Applications in Digital Infrastructure:

| Area | Description |
|---|---|
| User education | Train users to spot phishing and use strong passwords |
| Mobile/home working | Secure VPNs and authentication for remote access |
| Secure configuration | Disable unused services and ports |
| Removable media controls | Block or scan USBs |
| Managing user privileges | Apply the principle of least privilege |
| Incident management | Have a plan for dealing with security breaches |
| Monitoring | Use alerts, logs and audits to detect suspicious activity |
| Malware protection | Use antivirus and malware scanning |
| Network security | Firewalls, segmentation and secure Wi-Fi |
| Risk management regime | Regular assessments and updates of risk strategy |

 

Helps businesses of any size build a layered cyber defence.

OWASP – Open Web Application Security Project

Purpose:

A global community improving the security of web applications through tools, resources and training.

Applications:

  • Provides tools like ZAP for testing security

  • Maintains the Top 10 Web Application Threats list (e.g. SQL injection, XSS)

  • Offers training resources for developers and IT professionals

  • Encourages secure coding practices from the start

Used by developers and security analysts to build safer web systems.

 

Law & Standards in Action

Task:
1. Match each real-world scenario to the relevant law or standard:
    - Encrypting a customer database
    - Detecting a malware attack and alerting users
    - Restricting access to online payment processing software
    - Reporting a phishing attack on a school network
2. For each, explain:
    - Which law/standard/guideline applies
    - How it mitigates risk
    - What would happen if it was ignored

Extension: Research one more industry standard used in healthcare, education, or finance and explain its role.

Working in groups, each group is assigned one of the topics above and creates a leaflet providing guidance for a new digital business.

 

 

 


Week 24 T&L Activities:

K1.24 Principles of network security and their application to prevent the unauthorised access, misuse, modification or denial of a computer, information system or data:

Network security is about using policies, tools, and controls to protect systems and data from cyber threats, unauthorised users, and damage or loss.

The CIA Triad

The CIA triad forms the foundation of all digital security practices. It helps protect networks from attack, misuse, and failure.

| Principle | Definition | Application to Security |
|---|---|---|
| Confidentiality | Ensuring that only authorised users can view or access data | Using encryption; Implementing access control; Secure login procedures |
| Integrity | Ensuring data is accurate and unchanged unless authorised | Version control; Digital signatures; Hashing and checksums |
| Availability | Ensuring that systems and data are accessible when needed | Regular back-ups; Load balancing; Denial-of-service protection |

 

Example: If a user cannot access a system due to a DDoS attack, availability has been compromised.


IAAA – Identification, Authentication, Authorisation, Accountability

These four principles are used together to ensure only the right people can access systems, and that all actions are tracked and controlled.

| Stage | What It Means | Application |
|---|---|---|
| Identification | The system recognises who the user claims to be | Username, ID badge, unique user ID |
| Authentication | Verifies the user's identity is genuine | Passwords, biometrics, smart cards, 2FA |
| Authorisation | Grants access to what the user is allowed to do | Role-based access (e.g. a teacher vs IT admin) |
| Accountability | Ensures actions can be traced back to a user | Logs, audit trails, monitoring user activity |

 

Together, these reduce the chances of unauthorised access or abuse of privileges.


Practical Applications in Network Security

These principles are put into action using tools and policies that help secure the network further.

Directory Services (e.g. Active Directory)

Centralised systems that manage users, devices, permissions, and access rights.

Use Case:

  • Allows IT teams to control which users can access which folders, applications or devices

  • Supports group policies for password control and software permissions

Links directly to identification, authentication, and authorisation.

Security Authentication Process

Validates users trying to access systems.

Examples:

  • Single sign-on (SSO): Log in once to access many systems

  • Multi-factor authentication (MFA): Combines password + something you have (e.g. phone)

  • Biometrics: Fingerprint, face scan

Strengthens authentication by requiring more than just a password.

Use of Passwords and Security Implications

Passwords must be strong, unique, and regularly updated to stay effective.

Best Practices:

  • Minimum 12 characters

  • Use of symbols, numbers, upper/lower case

  • No reuse across systems

Risks if not followed:

  • Easy password guessing or brute-force attacks

  • Credential stuffing using leaked passwords

Weak password policies can break confidentiality and authorisation.
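The best-practice rules and the two risks listed above can be checked in code, as in this added example (not part of the original course material). The leaked-password list is constructed, and the search-space figure assumes every character is chosen at random, so it is an upper bound.

```python
import math
import string

MIN_LENGTH = 12  # from the best-practice list above

# Character classes the policy expects to see in every password.
CLASSES = {
    "lower case letter": string.ascii_lowercase,
    "upper case letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for a list of passwords exposed in earlier breaches.
# These are what a credential-stuffing attempt would replay.
LEAKED_PASSWORDS = {"Password123!", "Qwerty123456!", "Welcome2024!!"}


def policy_violations(password, leaked=LEAKED_PASSWORDS):
    """Return a list of the rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"no {name}")
    if password in leaked:
        problems.append("appears in a leaked-password list")
    return problems


def search_space_bits(password):
    """Estimate brute-force effort as log2 of the number of candidate passwords.

    Uses the alphabets the password actually draws from. Real passwords are
    less random than this, so treat the result as a best case.
    """
    alphabet_size = sum(
        len(chars) for chars in CLASSES.values()
        if any(ch in chars for ch in password)
    )
    if alphabet_size == 0:
        return 0.0
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["password", "Summer2024!", "correcthorsebattery",
                      "Qwerty123456!", "T7#kestrel-Mauve"]:
        problems = policy_violations(candidate) or ["accepted"]
        print(f"{candidate:22} {search_space_bits(candidate):6.1f} bits  "
              f"{'; '.join(problems)}")
```

Note that `Qwerty123456!` satisfies every length and character rule and is rejected only by the leaked-list check, which is why composition rules alone do not stop credential stuffing.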

Identification and Protection of Data

Know what data exists, where it is, and how it must be protected.

Actions:

  • Classify data (e.g. personal, sensitive, public)

  • Encrypt sensitive files

  • Limit who can access/edit them

Supports confidentiality and integrity of the data.

Information Asset Register

A live inventory of all IT assets (hardware, software, databases, etc.)

Purpose:

  • Know what you have

  • Monitor who owns it

  • Understand which assets are most critical

  • Helps in risk management and disaster recovery

Ensures accountability, availability, and supports decision-making during a cyber incident.

 

Discuss network security and its application to prevent unauthorised access or misuse.

Discuss in small groups the CIA triad and IAAA.

Create a poster for the CIA triad (confidentiality, integrity and availability) showing how this is applied to security and how it helps protect against cyber attacks. 

 

Secure the School Network
Scenario:
You are part of the IT team at a college. You need to protect the network from unauthorised access and maintain the confidentiality, integrity and availability of systems.
Task:
1. Identify three risks (e.g. weak passwords, unknown devices, unauthorised app installation).
2. For each, explain:
   - Which CIA principle is at risk
   - Which IAAA principle is needed to fix it
   - What policy, process or tool should be used to help
Extension:
Draw a diagram showing how a user logs in, is authenticated, is granted access, and has their activity monitored.

 


Week 25 T&L Activities:

K1.25 Methods of managing and controlling access to digital systems and their application within the design of network security architecture:

Network security architecture is the structure and strategy used to protect a digital system.
A key part of this is controlling who and what has access — ensuring only the right users, devices, and services are allowed through.

Authentication

Definition:
The process by which a system verifies the identity of a user before allowing access.

Application:

  • Passwords, PINs, biometrics, multi-factor authentication (MFA)

  • Used at login portals, VPN access, or system logins

Ensures only authorised users get into the system

Firewall

Definition:
A barrier between a trusted internal network and an untrusted external network, such as the internet.

Application:

  • Can allow or block specific types of traffic (e.g. HTTP, FTP)

  • Can be hardware-based (e.g. routers) or software-based

Controls which services are exposed, protecting against unauthorised external access

Intrusion Detection System (IDS)

Definition:
A system that monitors network or system activity for signs of suspicious behaviour or attacks.

Application:

  • Detects brute-force attacks, unauthorised logins, malware activity

  • Sends alerts to admins for further investigation

Helps identify threats in progress (but does not stop them)

Intrusion Prevention System (IPS)

Definition:
Like IDS, but it can also block malicious activity as it is happening.

Application:

  • Works with firewalls to automatically prevent known threats

  • Can stop malware or hacking attempts in real-time

Helps maintain system integrity and availability by blocking attacks

Network Access Control (NAC)

Definition:
Controls access to a network based on an organisation’s security policies.

Application:

  • Devices must meet certain requirements (e.g. antivirus installed, updated OS)

  • Used in business environments to prevent rogue or insecure devices connecting

Ensures only compliant devices connect to the network

Access Control Models

Access control defines who can access what, under what conditions.

Mandatory Access Control (MAC)

Definition:
Access is granted based on a strict classification and security level hierarchy.

Application:

  • Common in military/government systems

  • Users cannot change permissions

  • Examples: Confidential, Secret, Top Secret levels

High-security environments where access must be centrally controlled

Discretionary Access Control (DAC)

Definition:
Access is controlled by the owner of the resource.

Application:

  • The owner (e.g. file creator) decides who gets access

  • Found in many operating systems (Windows, macOS)

More flexible, but less secure than MAC – suitable for collaborative environments

Attribute-Based Access Control (ABAC)

Definition:
Access is granted based on user attributes (e.g. job title, location, time of access).

Application:

  • Complex environments needing dynamic, flexible control

  • Example: A manager can access payroll systems during office hours from within the building

Allows fine-grained control based on multiple factors

Role-Based Access Control (RBAC)

Definition:
Access is granted based on a user's job role.

Application:

  • Employees are grouped into roles (e.g. admin, HR, technician)

  • Each role has specific permissions

  • A technician may access service tickets, but not payroll

Simplifies management and enforces least privilege principle
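The RBAC and ABAC examples above (the technician and the manager accessing payroll) can be compared side by side, as in this added example (not part of the original course material). The role table, office hours, user names and timestamps are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumed role-to-permission table for RBAC.
ROLE_PERMISSIONS = {
    "admin": {"service_tickets", "user_accounts"},
    "hr": {"staff_records"},
    "technician": {"service_tickets"},
    "manager": {"payroll", "staff_records"},
}

OFFICE_OPEN, OFFICE_CLOSE = time(9, 0), time(17, 0)  # assumed office hours


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str        # job role, also used as the job-title attribute
    location: str    # "on_site" or "remote"
    when: datetime
    resource: str


def rbac_allows(req):
    """RBAC: the decision depends only on the permissions of the user's role."""
    return req.resource in ROLE_PERMISSIONS.get(req.role, set())


def in_office_hours(req):
    return req.when.weekday() < 5 and OFFICE_OPEN <= req.when.time() < OFFICE_CLOSE


def on_site(req):
    return req.location == "on_site"


def has_role(role):
    return lambda req: req.role == role


# ABAC: every condition listed for a resource must hold.
ABAC_POLICY = {
    "payroll": [has_role("manager"), in_office_hours, on_site],
    "service_tickets": [has_role("technician")],
}


def abac_allows(req):
    conditions = ABAC_POLICY.get(req.resource)
    if conditions is None:
        return False                      # default deny: no policy, no access
    return all(condition(req) for condition in conditions)


def authorise(req, model, audit_log):
    """Apply one model and record the decision (accountability)."""
    allowed = model(req)
    audit_log.append((req.when.isoformat(), req.user, req.resource,
                      model.__name__, "ALLOW" if allowed else "DENY"))
    return allowed


# Constructed sample times: 5 March 2024 is a Tuesday.
WEEKDAY_MORNING = datetime(2024, 3, 5, 10, 0)
LATE_NIGHT = datetime(2024, 3, 5, 23, 0)

if __name__ == "__main__":
    audit = []
    requests = [
        AccessRequest("sam", "technician", "on_site", WEEKDAY_MORNING, "service_tickets"),
        AccessRequest("sam", "technician", "on_site", WEEKDAY_MORNING, "payroll"),
        AccessRequest("priya", "manager", "on_site", WEEKDAY_MORNING, "payroll"),
        AccessRequest("priya", "manager", "remote", LATE_NIGHT, "payroll"),
    ]
    for req in requests:
        authorise(req, rbac_allows, audit)
        authorise(req, abac_allows, audit)
    for entry in audit:
        print(entry)
```

The last request shows the difference: RBAC allows the manager because the role holds the payroll permission, while ABAC denies it because the time and location attributes do not match the policy.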

Design a Secure Network Access Plan

Scenario:
You're designing access control for a school's network. Staff, students, and guests use the network daily.

Task:
1. For each group (staff, students, guests):
      - Choose 1 access control model (e.g. RBAC for staff)
      - Choose 1 supporting method (e.g. firewall, NAC)
2. Justify your decisions based on:
      - The level of access needed
      - The risks involved
      - How you'll protect against misuse

Extension:
Draw a diagram of how a device is authenticated and granted access through a firewall, NAC, and RBAC.

Class discussion: Discuss common vulnerabilities in small teams. Each team is to select 3 of the following and discuss their impact, including any security control:

Missing patches, firmware and security updates. 
Password vulnerabilities. 
Insecure BIOS/UEFI. 
Misconfigurations. 
Lack of protection software. 
Disposal of data/devices. 
Inadequate back up process. 
DHCP Spoofing. 
VLAN attacks. 
Misconfigured firewalls or ACLs.
Exposed services or ports. 
Ineffective network design. 
Unprotected devices.

 

 


Week 26 T&L Activities:

K1.26 Physical and virtual methods of managing and securing network traffic and their application within the design of network security architecture:

  • physical (for example server management, firewalls and cabling):

      o software defined networking (SDN):

          ▪ transport layer security (TLS) (for example used in banking websites)

      o screened subnet

      o air gapping

  • virtual:

      o virtual LAN (VLAN):

      o subnets:

      o virtual private network (VPN) (for example intranet, file systems, local network systems)

      o virtual routing and forwarding (VRF)

      o IP security (IPSec)

      o air gapping


Week 27 T&L Activities:

K1.27 The principles and applications of cyber security for internet-connected devices, systems and networks:

  • the CIA (confidentiality, integrity and availability) triad – applied to assess the impact on security of systems (for example a data breach):

      o protection and prevention against a cyber attack through secure configuration of a network

      o limiting the network or system exposure to potential cyber attacks

      o detection of cyber attacks and effective logging/auditing to identify impacts

      o appropriate segregation of devices, networks and resources to reduce the impact of a cyber attack


Week 28 T&L Activities:

K1.28 Techniques applied to ensure cyber security for internet-connected devices, systems and networks:

Wireless Security

  • What it is: Methods to secure Wi‑Fi networks and prevent unauthorised access.

  • Key Method:
    WPA2 (Wi‑Fi Protected Access 2):
    A strong encryption protocol for Wi‑Fi traffic.
    Example: College Wi‑Fi is configured with WPA2 so that only authorised staff and students with the correct password can connect.

  • Extra Layer:
    End‑to‑end security:
    Encrypts data from the device to the access point or service.
    Example: A user’s laptop sends encrypted data via WPA2 so even if intercepted, the data is unreadable.

Device Security

  • What it is: Measures to protect individual devices from misuse or theft of data.

  • Methods:
    Strong passwords or PINs
    Biometric authentication (fingerprint, facial recognition)

  • Application:
    A company issues tablets to staff that require fingerprint login, reducing risk if a device is lost.

Encryption

  • What it is: Converting data into a form that is unreadable without the correct key.

  • Application:
    Data at rest: Full disk encryption on laptops to protect stored files.
    Data in transit: SSL/TLS encryption for online transactions.
    Example: A business uses TLS on its website so customer card details are secure when entered online.

Virtualisation

  • What it is: Running multiple virtual systems on one physical machine, isolating environments.

  • Application:
    Test environments are created on virtual machines so malware cannot spread to the live network.
    Virtual desktops allow employees to access a secure corporate system from home without saving sensitive data locally.

Penetration Testing

  • What it is: Ethical hacking to identify vulnerabilities before attackers do.

  • Application:
    A school hires a cyber‑security firm to simulate an attack on its student portal and fix any weaknesses found.

Malware Protection

  • What it is: Tools and practices that stop malicious software.

  • Application:
    Anti‑malware software scans files on download.
    Example: Email attachments are scanned automatically to block ransomware.

Anti‑Virus Protection

  • What it is: A subset of malware protection specifically targeting viruses.

  • Application:
    Regular updates ensure new virus signatures are recognised and quarantined before harm is done.

Software Updates and Patches

  • What it is: Keeping operating systems, applications and firmware current.

  • Application:
    A college’s IT department installs the latest patch for its firewall to fix a critical vulnerability.
    Prevents exploitation by attackers using known bugs.

Multi‑Factor Authentication (MFA)

  • What it is: Requires two or more verification steps.

  • Application:
    Staff log in with a password and a code sent to their phone.
    Even if a password is stolen, access is blocked without the second factor.

Single Logout (SLO)

  • What it is: Logs the user out of all connected sessions and services at once.

  • Application:
    A teacher logs out of the central portal, automatically ending sessions on email, storage and HR systems.
    Reduces risk of an unattended active session being exploited.

Lockdown
Scenario: 
You are asked to secure a new network for a small business.

Task:
1. Select three techniques from the list above.
2. For each technique:
   - Explain how it protects against threats (e.g. unauthorised access, malware).
   - Give an example of how you would implement it in the network design.

Extension:
Design a simple diagram of the network showing where each technique would be applied (e.g. firewall at perimeter, MFA at user login, virtualisation on server).

 

 


Week 29 T&L Activities:

K1.29 The importance of cyber security to organisations and society:

Cyber security is vital for protecting systems, data and people. Without effective cyber security, organisations and society are at risk from data breaches, financial loss, reputational damage and legal action.

Below we look at how it affects organisations and society.

Importance to Organisations

Modern organisations rely on digital infrastructure to run daily operations. Cyber security ensures:

Protection of all systems and devices

  • Servers, laptops, mobile devices and IoT equipment are secured against unauthorised access, malware and data loss.

  • Example: A company installs endpoint protection on all laptops to stop ransomware infections.

Protection of cloud services and their availability

  • Many businesses use cloud services for storage, email, and collaboration.

  • If these services are compromised, productivity stops.

  • Example: A school ensures its cloud‑based student records system uses secure logins and encryption to prevent downtime or hacking.

Protection of company data and information

  • Commercially sensitive data (e.g. financial records, intellectual property) must be kept confidential.

  • Example: A business uses encryption and access controls so only senior management can view strategic plans.

Protection of personnel data and data subjects

  • Employee and customer personal data must be handled securely to avoid breaches.

  • Example: HR systems store employee addresses and bank details; strong passwords and MFA protect this information.

Password protection policies for users and systems

  • Enforcing strong, regularly updated passwords prevents easy account compromise.

  • Example: Staff must change passwords every 60 days and use complex passphrases.

Adherence to cyber security legislation

  • Compliance with UK GDPR and DPA 2018 avoids fines and reputational harm.

  • Example: A company that mishandles customer data could face a substantial ICO penalty.

Protection against cybercrime

  • Prevents financial loss, fraud, phishing attacks, and ransomware.

  • Example: A retail company blocks card skimmers and uses PCI DSS standards to protect transactions.

Importance to Society

Cyber security is not just an organisational issue — it protects individuals and the wider community.

Protection of personal information

  • Prevents unauthorised use of sensitive data.

  • Maintains privacy and security online.

  • Protects people from prejudices or discrimination (e.g. medical or employment data being leaked).

  • Ensures equal opportunities by safeguarding sensitive records.

  • Example: Encryption of hospital patient records stops them being sold on the dark web.

Preventing identity theft

  • Secure handling of names, addresses, national insurance numbers, and financial details stops criminals using someone’s identity for fraud.

Individuals’ rights under the DPA 2018

Cyber security measures help ensure that these rights are respected:

  • Be informed about how data is used

  • Access personal data

  • Have incorrect data updated

  • Have data erased (right to be forgotten)

  • Restrict processing of data

  • Data portability (reuse data across services)

  • Object to certain processing

Example: A social media platform must have secure systems so users can safely download or delete their own data.

Protection against cybercrime

  • Society benefits when fewer people are victims of fraud, phishing or online harassment.

  • Example: Strong online banking security reduces large‑scale fraud.


Why It Matters

| Area | Why it’s Important | Example |
|---|---|---|
| Organisations | Prevents data breaches, legal penalties, loss of trust | Business avoids fines by following UK GDPR |
| Society | Protects individual privacy, stops identity theft | Secure healthcare systems keep patient data safe |

 


 

The Advisor
Scenario:
You are advising a local business on why they should invest in stronger cyber security.

Task:
Write a short report with two sections:
   - For the organisation: Explain three reasons cyber security is important and give an example for each.
   - For society: Explain two reasons why good cyber security helps the wider community, with examples.

Extension:
Identify one recent real‑world cybercrime incident and describe how it affected both the organisation and its customers or the public.

In pairs, collaborate and create a presentation on the following topics (each topic must be covered). The presentation will be delivered to the class:

Managing and controlling access to systems. This should consider things like authentication, detection and prevention, firewalls, and the various types of access control.

Physical and virtual methods of managing and securing network traffic. This should consider things like software defined networking, screened subnet, virtual LANs and subnets.

Techniques applied to ensure cyber security for internet connected devices. This should consider wireless security, device security, encryption, virtualisation, penetration testing, protection, updates and authentication.

Importance of cyber security to organisations and society. This should consider the protection of systems and data on the organisation and society.

The fundamentals of network topologies. This should include topologies, OSI and TCP/IP models.

The application of cyber security principles. This should include the management of risks to security and the network (identification), development and application of control measures (protection), implementation of protection and resources to identify issues (detection), reaction to security (respond) and restoration (recover).

 


Week 30 T&L Activities:

K1.30 The fundamentals of network topologies and network referencing models and the application of cyber security principles:

Fundamentals of Network Topologies

A network topology describes how devices (nodes) are connected and how data travels through the network.

| Topology | Description | Advantages | Disadvantages | Example |
|---|---|---|---|---|
| Bus | All devices share a single backbone cable. | Cheap, easy to install. | A single cable fault can bring down the network, data collisions. | Early small office networks. |
| Star | Devices connect to a central hub or switch. | Easy to add/remove devices, centralised management. | If the hub fails, the network goes down. | Most modern LANs. |
| Ring | Each device connects to two others, forming a circle. | Data flows in one direction, reduced collisions. | A fault in one device can break the whole network. | Older token ring networks. |
| Token Ring | A special type of ring where a “token” controls access. | Prevents data collisions. | Outdated, expensive to maintain. | Legacy corporate systems. |
| Mesh | Every device connects to every other device. | Very resilient, multiple paths for data. | Very costly, complex cabling. | Military or critical networks. |
| Hybrid | Combines two or more topologies. | Flexible, scalable. | Can be expensive and complex. | Large organisations combining star and mesh. |
| Client‑Server | Clients (e.g. user devices) request services from a central server. | Centralised management, easier backups. | Server failure affects all clients. | Websites, school networks. |
| Peer‑to‑Peer (P2P) | Devices act as both client and server. | Cheap, easy to set up. | Harder to secure, no central control. | File‑sharing between home PCs. |

 

Network Referencing Models

These models explain how data travels through network layers.

OSI Model (7 Layers)

| Layer | Purpose | Example |
|---|---|---|
| Application | End‑user applications | Email client, web browser |
| Presentation | Data formatting/encryption | SSL/TLS encryption |
| Session | Establish/maintain sessions | Session tokens, logins |
| Transport | Reliable delivery, error checking | TCP, UDP |
| Network | Addressing, routing | IP addressing, routing tables |
| Data Link | Node‑to‑node transfer | Ethernet frames |
| Physical | Hardware transmission | Cables, switches |

 


TCP/IP Model (4 Layers)

| Layer | Purpose | Example |
|---|---|---|
| Application | Interfaces for end‑user processes | HTTP, FTP |
| Transport | Manages communication and reliability | TCP, UDP |
| Network | Logical addressing and routing | IP addressing |
| Network Interface | Physical delivery of data | Ethernet, Wi‑Fi |

 

Comparison:
The TCP/IP model is simpler (4 layers) and more widely used today, while the OSI model is more detailed (7 layers) and is often used as a teaching reference.

 

Applying Cyber Security Principles to Network Architecture

Modern network design must include minimum cyber security standards to protect users, systems and data.
These are based on five key principles:

Identify

Manage risks to network security, users and devices.

  • Assign a cyber security lead.

  • Perform risk assessments to find vulnerabilities.

  • Document configurations and responses to threats.

Example:
An IT team maintains a configuration log for all routers and performs regular threat assessments.

Protect

Apply controls to minimise potential risks.

  • Implement anti‑virus software and firewalls.

  • Reduce the attack surface (disable unused services/ports).

  • Use trusted, supported operating systems.

  • Decommission old, vulnerable systems.

  • Carry out regular security audits.

  • Encrypt data at rest and in transit.

  • Assign minimum access (least privilege).

  • Provide staff with cyber security training.

Example:
All staff accounts use multi‑factor authentication and only have access to resources relevant to their role.

Detect

Identify security issues quickly.

  • Apply monitoring tools and procedures.

  • Review audit logs and event logs.

  • Monitor network activity for anomalies.

Example:
A company uses an IDS (Intrusion Detection System) to alert admins to unusual network traffic.

Respond

React to contain and minimise the impact of incidents.

  • Have a defined incident response plan.

  • Contain the threat, isolate affected systems.

Example:
If ransomware is detected, the affected server is immediately taken offline to stop spread.

Recover

Restore systems and data and improve for the future.

  • Maintain up‑to‑date backups.

  • Document and review incidents for lessons learned.

Example:
After a cyber attack, IT restores files from cloud backups and updates their policies to prevent recurrence.

 

One Vision
Scenario: You are designing a secure network for a small organisation.

Task:
1. Choose one topology (e.g. star) and explain why it suits the business.
2. Map the network using either the OSI or TCP/IP model.
3. Apply the five cyber security principles (identify, protect, detect, respond, recover) to your chosen topology and justify each step.

Extension:
Draw a labelled diagram showing:

  - Your chosen topology
  - Where you would implement firewalls, IDS/IPS, and access controls.

 


Week 31 T&L Activities:

K1.31 Common vulnerabilities to networks, systems and devices and the application of cyber security controls:

Below is each vulnerability with its risk and control measures.

Missing Patches, Firmware and Security Updates

Risk:
Outdated systems contain known flaws that attackers exploit.

Controls:

  • Patch manager software to deploy updates automatically across devices.

  • Tracking network traffic to spot unusual activity that might exploit old vulnerabilities.

  • Test groups/devices used to test updates before full rollout.

Password Vulnerabilities

(e.g. missing, weak, or default passwords; no lockout against brute force attacks)

Risk:
Attackers gain unauthorised access with minimal effort.

Controls:

  • Enforce minimum password requirements (length, complexity, special characters) following NCSC guidance.

  • Apply a password reset policy (e.g. mandatory reset if compromise suspected).

  • Enable account lockout after repeated failed attempts.
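One way the lockout control above can work, shown as an added example that is not part of the original notes. The threshold, window and lockout duration, the user names and the login events are all constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for this example; set them from your own password policy.
MAX_FAILURES = 5        # failed attempts allowed inside the window
WINDOW_SECONDS = 300    # only failures in the last 5 minutes count
LOCKOUT_SECONDS = 900   # account stays locked for 15 minutes

class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                  # refuse even a correct password
        if password_ok:
            self.failures.pop(user, None)    # a success resets the counter
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            # A timed lock limits how long a genuine user is shut out.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "failed"

# Constructed events: (seconds since start, user, was the password correct?)
EVENTS = [
    (0, "jsmith", False), (10, "jsmith", False), (20, "jsmith", False),
    (30, "jsmith", False), (40, "jsmith", False),   # fifth rapid failure
    (50, "jsmith", True),                           # correct guess while locked
    (1000, "jsmith", True),                         # after the lock has expired
    (0, "akhan", False), (200, "akhan", False),     # slow, occasional typos
    (400, "akhan", False), (450, "akhan", True),
]

def replay(events):
    """Feed events to a tracker in time order; return (time, user, outcome)."""
    tracker = LockoutTracker()
    return [(ts, user, tracker.attempt(user, ok, ts))
            for ts, user, ok in sorted(events)]

if __name__ == "__main__":
    for ts, user, outcome in replay(EVENTS):
        print(f"t={ts:>4}s {user:<7} {outcome}")
```

The rapid guessing against jsmith is cut off at the fifth failure and a correct password is still refused until the lock expires, while akhan's three spread-out mistakes never trigger a lock.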

Insecure BIOS/UEFI Configuration

Risk:
Attackers bypass OS-level security by modifying boot settings.

Controls:

  • Review BIOS/UEFI settings to disable unused ports and enable Secure Boot.

  • Update BIOS/UEFI regularly to fix firmware vulnerabilities.

Misconfiguration of Permissions and Privileges

Risk:
Users or services have excessive rights, increasing attack surfaces.

Controls:

  • Regularly test permissions and access rights to match job roles.

  • Scheduled auditing (e.g. immediately remove access for leavers or role changes).

Unsecure Systems (Lack of Protection Software)

Risk:
Malware infections such as viruses, worms, trojans or ransomware.

Controls:

  • Install and maintain anti-malware and endpoint protection.

  • Regularly update and monitor security software.

  • Mitigate buffer overflow risks through updates and secure coding practices.

Insecure Disposal of Data and Devices

Risk:
Sensitive data recovered from discarded equipment.

Controls:

  • Follow WEEE Directive 2013 for safe hardware disposal.

  • Check and wipe all storage before disposal (e.g. degaussing, shredding drives).

Inadequate Back‑Up Management

Risk:
Loss of critical data after incidents.

Controls:

  • Set back‑up frequency (daily, weekly) according to business needs.

  • Use appropriate types of back‑up (full, incremental, differential).

DHCP Spoofing

Risk:
Attackers provide fake IP configurations to intercept traffic.

Controls:

  • Enable DHCP snooping on network switches to validate legitimate servers.

VLAN Attacks and VLAN Hopping

Risk:
Attackers jump between VLANs to reach protected resources.

Controls:

  • Conduct implementation testing of VLANs.

  • Schedule regular monitoring to detect unusual VLAN activity.

Misconfigured Firewalls

Risk:
Improper rules allow unwanted traffic through.

Controls:

  • Test firewall rules against policy requirements.

  • Apply scheduled monitoring and updates to firewall firmware and policies.

Exposed Services and Ports

(e.g. plugging into an open Ethernet port)

Risk:
Unauthorised devices access the internal network.

Controls:

  • Apply physical security controls (e.g. lock ports, secure rooms).

  • Monitor network traffic for unknown devices or services.

Misconfigured Access Control Lists (ACLs)

Risk:
Traffic allowed or denied incorrectly, exposing sensitive resources.

Controls:

  • Regularly monitor and review ACLs to match security policy.
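Testing firewall rules against policy, and reviewing an ACL, can both be done by replaying policy test cases through the ordered rule list, as in this added example (not part of the original notes). The subnets, server address, rule sets and policy cases are constructed, and first-match evaluation with an implicit deny at the end is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # None means any port

def matches(rule, src, dst, port):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, port))

def evaluate(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"

def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and earlier.port in (None, later.port))

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [i for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

def audit(rules, policy):
    """Return the policy cases where the rule set gives the wrong answer."""
    failures = []
    for src, dst, port, expected in policy:
        actual = evaluate(rules, src, dst, port)
        if actual != expected:
            failures.append((src, dst, port, expected, actual))
    return failures

# Constructed school network: staff 10.10.0.0/24, students 10.20.0.0/24,
# guests 10.30.0.0/24, records server 10.0.0.10 in server subnet 10.0.0.0/24.
POLICY = [
    ("10.10.0.5", "10.0.0.10", 443, "permit"),   # staff may use the records site
    ("10.10.0.5", "10.0.0.10", 3389, "deny"),    # but not remote desktop
    ("10.20.0.7", "10.0.0.10", 443, "deny"),     # students have no access
    ("10.30.0.9", "10.0.0.10", 443, "deny"),     # guests have no access
]

MISCONFIGURED = [
    Rule("permit", "10.0.0.0/8", "10.0.0.0/24", None),    # broad rule placed first
    Rule("deny", "10.30.0.0/24", "10.0.0.0/24", None),
    Rule("permit", "10.10.0.0/24", "10.0.0.10/32", 443),
    Rule("deny", "10.20.0.0/24", "10.0.0.10/32", None),
]

FIXED = [
    Rule("deny", "10.30.0.0/24", "10.0.0.0/24", None),
    Rule("deny", "10.20.0.0/24", "10.0.0.10/32", None),
    Rule("permit", "10.10.0.0/24", "10.0.0.10/32", 443),
]

if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(name, "shadowed rules:", shadowed(rules))
        for failure in audit(rules, POLICY):
            print("  policy violation:", failure)
```

In the misconfigured set the deny rules look correct when read one at a time, but the broad permit above them means they never take effect, which is why the review has to test rule order and not just rule content.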

Ineffective Network Topology Design

(e.g. poor placement of firewalls or screened subnets)

Risk:
Increases exposure to external threats.

Controls:

  • Perform a full design review before implementation.

  • Carry out implementation testing to ensure correct segmentation.

Unprotected Physical Devices

Risk:
Devices without proper software or hardening are vulnerable.

Controls:

  • Install correct security software and apply configuration best practices (e.g. disable unused ports, encrypt disks).

It’s Dangerous Out There
Scenario:
You are a network security consultant reviewing a company’s infrastructure.

Task:
1. Pick three vulnerabilities from the list above.
2. For each:
   - Explain why it’s a risk.
   - Describe two controls you would apply to mitigate it.

Extension:
Create a checklist for the company to follow during their next security audit.

Discuss the common vulnerabilities with the rest of the class. Reflect on each of the following and its impact, including any security control:

  - Missing patches, firmware and security updates.
  - Password vulnerabilities.
  - Insecure BIOS/UEFI.
  - Misconfigurations.
  - Lack of protection software.
  - Disposal of data/devices.
  - Inadequate back up process.
  - DHCP Spoofing.
  - VLAN attacks.
  - Misconfigured firewalls or ACLs.
  - Exposed services or ports.
  - Ineffective network design.
  - Unprotected devices.

 

