1623 Assignment 2


Unit 5: Security

ASSIGNMENT 2

Learner’s name: Ninh Xuân Bảo Hưng


ID: GCS200058
Class: GCS0905A
Subject code: 1623
Assessor name: Nguyễn Ngọc Tú

Assignment due: 29/8/2022


Assignment submitted: 29/8/2022
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Ninh Xuân Bảo Hưng Student ID GCS200058

Class GCS0905A Assessor name Nguyễn Ngọc Tú

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature

Grading grid
P5 P6 P7 P8 M3 M4 M5 D2 D3
Summative Feedback: Resubmission Feedback:

Grade: Assessor Signature: Date:


Lecturer Signature:
Assignment Brief 2 (RQF)
Higher National Certificate/Diploma in Computing

Student Name/ID Number:


Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Nguyễn Ngọc Tú
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:

Submission Format:

Format:

● The submission is in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of
headings, paragraphs and subsections as appropriate, and all work must be supported with research
and referenced using the Harvard referencing system. Please also provide a bibliography using the
Harvard referencing system.
Submission

● Students must submit the assignment by the due date and in the way requested by the
Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submission on CMS.
Note:

● The individual Assignment must be your own work, and not copied from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you
must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply
with this requirement will result in a failed assignment.

Unit Learning Outcomes:

LO3 Review mechanisms to control organizational IT security.

LO4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario
You work for a security consultancy as an IT Security Specialist.
A manufacturing company “Wheelie good” in Ho Chi Minh City making bicycle parts for export has called
your company to propose a Security Policy for their organization, after reading stories in the media related
to security breaches, etc. in organizations and their ramifications.
Task 1
In preparation for this task, you will prepare a report considering:
● The security risks faced by the company.
● How data protection regulations and ISO risk management standards apply to IT security.
● The potential impact that an IT security audit might have on the security of the organization.
● The responsibilities of employees and stakeholders in relation to security.
Task 2
Following your report:
● You will now design and implement a security policy.
● While considering the components to be included in a disaster recovery plan for Wheelie good,
justify why you have included these components in your plan.
Task 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and how
they align with IT security. You will include sections on how to administer and implement these policies.

2
Learning Outcomes and Assessment Criteria (Assignment 1):

LO3
Pass: P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation.
Merit: M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.
Distinction: D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4
Pass: P7 Design and implement a security policy for an organisation. P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
Merit: M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
Distinction: D3 Evaluate the suitability of the tools used in an organisational policy.
Content Table

Introduction ...........................................................................................................................5
Task 1 - Discuss risk assessment procedures (P5) ......................................................................6
1. Define a security risk and how to do risk assessment ...........................................................6
2. Define assets, threats and threat identification procedures, and give examples .......................7
3. Explain the risk assessment procedure .............................................................................10
4. List risk identification steps .............................................................................................13
Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6) ..15
5. Define data protection....................................................................................................15
6. Explain data protection process in an organization ............................................................16
7. Why are data protection and security regulation important? ...............................................17
Task 3 - Design and implement a security policy for an organisation (P7) ..................................17
8. Define a security policy and discuss it ..............................................................................17
9. Give an example for each of the policies ..........................................................................18
10. Give the most and should that must exist while creating a policy ......................................19
11. Explain and write down elements of a security policy......................................................21
12. Give the steps to design a policy ...................................................................................23
Task 4 - List the main components of an organisational disaster recovery plan, justifying the
reasons for inclusion (P8) ......................................................................................................26
13. Discuss with explanation about business continuity.........................................................26
14. List the components of recovery plan ............................................................................26
15. Write down all the steps required in disaster recovery process ..........................................28
16. Explain some of the policies and procedures that are required for business continuity .........30
Conclusion ..........................................................................................................................31

Table of Figures

Figure 1 Security Risk ............................................................................................................6


Figure 2 Asset ........................................................................................................................7
Figure 3 Risk assessment ......................................................................................................10
Figure 4 Risk Identification Steps ..........................................................................................13
Figure 5 Data Protection .......................................................................................................15
Figure 6: 4 steps to design a policy ..........................................................................................23
Figure 7: 4 steps to design a policy ..........................................................................................24
Figure 8: 4 steps to design a policy ..........................................................................................25
Figure 9: 4 steps to design a policy ..........................................................................................25
Figure 10: 8 Step Disaster Recovery Plan................................................................................28

Introduction

I work for a security consulting company as an information security expert. A “Wheelie
good” manufacturing company in Ho Chi Minh City that manufactures bicycle parts for
export called my company to propose a Privacy Policy for the organization.

Task 1 - Discuss risk assessment procedures (P5)

1. Define a security risk and how to do risk assessment

a) security risk
A security risk assessment identifies, assesses, and implements key security controls in
applications. It also focuses on preventing application security defects and vulnerabilities.
Carrying out a risk assessment allows an organization to view the application portfolio
holistically—from an attacker’s perspective. It supports managers in making informed
resource allocation, tooling, and security control implementation decisions. Thus,
conducting an assessment is an integral part of an organization’s risk management process.

Security Risk Assessments are performed by a security assessor who will evaluate all
aspects of your company’s systems to identify areas of risk. These may be as simple as a
system that allows weak passwords, or could be more complex issues, such as insecure
business processes. The assessor will typically review everything from HR policies to
firewall configurations while working to identify potential risks.

Figure 1 Security Risk

b) how to do risk assessment
The HSE has recommended a five-step process for completing a risk assessment. This
provides a useful checklist to follow to ensure that the assessment is suitably
comprehensive. It involves:

1. Identifying potential hazards
2. Identifying who might be harmed by those hazards
3. Evaluating risk (severity and likelihood) and establishing suitable precautions
4. Implementing controls and recording your findings
5. Reviewing your assessment and re-assessing if necessary.

2. Define assets, threats and threat identification procedures, and give examples

a) Asset
An asset is any data, device or other component of an organisation’s systems that is valuable
– often because it contains sensitive data or can be used to access such information.
An organisation’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.

Figure 2 Asset

A related concept is the ‘information asset container’, which is where that information is
kept. In the case of databases, this would be the application that was used to create the
database. For physical files, it would be the filing cabinet where the information resides.

- For example:
An employee’s desktop computer, laptop or company phone would be considered an asset,
as would applications on those devices. Likewise, critical infrastructure, such as servers and
support systems, are assets.

b) Threats
A threat is any incident that could negatively affect an asset – for example, if it’s lost,
knocked offline or accessed by an unauthorised party.
Threats can be categorised as circumstances that compromise the confidentiality, integrity
or availability of an asset, and can either be intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.
- For Example:
+ Environment (e.g., flood, lightning, storm, earthquake, etc.)
+ Compromise of intellectual property (for example, software is pirated or copyright is infringed)
+ Organizational deficits (ill-defined responsibilities, etc.)
+ Human errors (wrong e-mail address, missing an important date, password note on a sticker,
wrong file deletion, etc.)
+ Hardware failure or errors (for example, a firewall blocks all network traffic).
+ Software attacks (virus, worm, or denial of service compromising hardware or software,
etc.)
+ Software failure or errors (for example, a bug prevents a program from loading properly).

c) Vulnerability
A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage
or compromise an asset.
You are most likely to encounter a vulnerability in your software, due to its complexity
and the frequency with which it is updated. These weaknesses, known as bugs, can be
used by criminal hackers to access sensitive information.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical
weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your
premises, or poorly written (or non-existent) processes that could lead to employees
exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to
phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet;
and communication errors, such as employees sending information to the wrong person.

- For Example:
I have an example of the network of router devices at the University of Greenwich. Router
devices are the place where all students and faculty in the school connect to the network.
In this example:
- Assets are the routers and all information of students and faculty at the University of
Greenwich.
- Threats are caused by virus attack and hardware failure.
- Security vulnerabilities: security holes caused by students or faculty clicking on phishing
emails.
- In this example, through risk assessment and analysis, we identified the risk that
information about faculty members or students could be disclosed to a malicious person.
This risk greatly affects the school.

d) Threat identification
The threat identification process examines IT vulnerabilities and determines their capacity
to compromise your system. It’s a key element of your organization’s risk management
program. Identifying threats allows your organization to take preemptive actions.
You receive the information you need to obstruct unauthorized users and prevent system
breaches. At Ward IT Security Consulting Group, we provide the specialized knowledge
and the experience necessary for effective threat identification.

Threat identification is an ongoing activity that occurs throughout the risk
management process and project lifecycle. Each step in the risk management process should
include some level of risk identification. Project activities such as programming identify
new and existing project risks through technical meetings, risk analysis, risk planning,
teleconferences, and reviews. Threat identification also involves:
- Effectively prioritizing the evaluation of your system vulnerabilities.
- Determining how those vulnerabilities may be exploited by a specific threat actor or
actions.

3. Explain the risk assessment procedure

a) What is a risk assessment?

Figure 3 Risk assessment

Risk assessment is a term used to describe the overall process or method where you:
+ Identify hazards and risk factors that have the potential to cause harm (hazard
identification).
+ Analyze and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).
+ Determine appropriate ways to eliminate the hazard, or control the risk when the hazard
cannot be eliminated (risk control).
A risk assessment is a thorough look at your workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyze and evaluate how likely and severe the risk is. When this determination is made,
you can next decide what measures should be in place to effectively eliminate or control the
harm from happening.

The CSA Standard Z1002 "Occupational health and safety - Hazard identification and
elimination and risk assessment and control" uses the following terms:
Risk assessment – the overall process of hazard identification, risk analysis, and risk
evaluation.
Hazard identification – the process of finding, listing, and characterizing hazards.
Risk analysis – a process for comprehending the nature of hazards and determining the
level of risk.
Risk evaluation – the process of comparing an estimated risk against given risk criteria to
determine the significance of the risk.
Risk control – actions implementing risk evaluation decisions.

b) Why is risk assessment important?


Risk assessments are very important as they form an integral part of an occupational health
and safety management plan. They help to:
+ Create awareness of hazards and risk.
+ Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public,
etc.).
+ Determine whether a control program is required for a particular hazard.
+ Determine if existing control measures are adequate or if more should be done.
+ Prevent injuries or illnesses, especially when done at the design or planning stage.
+ Prioritize hazards and control measures.
+ Meet legal requirements where applicable.

c) What is the goal of risk assessment?


The aim of the risk assessment process is to evaluate hazards, then remove that hazard or
minimize the level of its risk by adding control measures, as necessary. By doing so, you
have created a safer and healthier workplace.

d) When should a risk assessment be done?
There may be many reasons a risk assessment is needed, including:
+ Before new processes or activities are introduced.
+ Before changes are introduced to existing processes or activities, including when
products, machinery, tools, equipment change or new information concerning harm
becomes available.
+ When hazards are identified.

e) How do you plan for a risk assessment?


In general, determine:
+ What the scope of your risk assessment will be (e.g., be specific about what you are
assessing such as the lifetime of the product, the physical area where the work activity takes
place, or the types of hazards).
+ The resources needed (e.g., train a team of individuals to carry out the assessment, the
types of information sources, etc.).
+ What type of risk analysis measures will be used (e.g., how exact the scale or parameters
need to be in order to provide the most relevant evaluation).
+ Who are the stakeholders involved (e.g., manager, supervisors, workers, worker
representatives, suppliers, etc.).
+ What relevant laws, regulations, codes, or standards may apply in your jurisdiction, as
well as organizational policies and procedures.

f) How is a risk assessment done?


Assessments should be done by a competent person or team of individuals who have a good
working knowledge of the situation being studied. Include either on the team or as sources
of information, the supervisors and workers who work with the process under review as
these individuals are the most familiar with the operation.
In general, to do an assessment, you should:
+ Identify hazards.
+ Determine the likelihood of harm, such as an injury or illness occurring, and its severity.
+ Identify actions necessary to eliminate the hazard, or control the risk using the hierarchy
of risk control methods.
+ Evaluate to confirm if the hazard has been eliminated or if the risk is appropriately
controlled.
+ Monitor to make sure the control continues to be effective.
+ Keep any documents or records that may be necessary. Documentation may include
detailing the process used to assess the risk, outlining any evaluations, or detailing how
conclusions were made.

4. List risk identification steps

Figure 4 Risk Identification Steps

Step 1: Identify the Risk


The initial step in the risk management process is to identify the risks that the business is
exposed to in its operating environment.
There are many different types of risks:
+ Legal risks
+ Environmental risks
+ Market risks
+ Regulatory risks, etc.
It is important to identify as many of these risk factors as possible. In a manual
environment, these risks are noted down manually. If the organization has a risk
management solution employed, all this information is inserted directly into the system.

Step 2: Analyze the Risk


Once a risk has been identified it needs to be analyzed. The scope of the risk must be
determined. It is also important to understand the link between the risk and different factors
within the organization. To determine the severity and seriousness of the risk it is necessary
to see how many business functions the risk affects.

Step 3: Evaluate the Risk or Risk Assessment


Risks need to be ranked and prioritized. Most risk management solutions have different
categories of risks, depending on the severity of the risk. A risk that may cause some
inconvenience is rated low, while risks that can result in catastrophic loss are rated the highest.
It is important to rank risks because it allows the organization to gain a holistic view of the
risk exposure of the whole organization. The business may be vulnerable to several low-
level risks, but it may not require upper management intervention. On the other hand, just
one of the highest-rated risks is enough to require immediate intervention.

Step 4: Treat the Risk


Every risk needs to be eliminated or contained as much as possible. This is done by
connecting with the experts of the field to which the risk belongs. In a manual environment,
this entails contacting each and every stakeholder and then setting up meetings so everyone
can talk and discuss the issues.

Step 5: Monitor and Review the Risk


Not all risks can be eliminated – some risks are always present. Market risks and
environmental risks are just two examples of risks that always need to be monitored. Under
manual systems, monitoring happens through diligent employees. These professionals must
make sure that they keep a close watch on all risk factors. If any factor or risk changes, it is
immediately visible to everyone. Computers are also much better at continuously
monitoring risks than people.
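A risk register that carries the five steps above (and the HSE five-step checklist in section 1) through in code. This is an added example, not part of the report; the assets, threats, 1-5 scales and rating thresholds are constructed for the Wheelie good scenario and the University of Greenwich router example.

```python
"""Risk register for the five-step procedure described above.

Added example, not part of the original report. The assets, threats,
1-5 scales, scores and rating thresholds below are constructed for the
"Wheelie good" scenario and the University of Greenwich router example.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Step 2/3 inputs: ordinal scales (assumed, not taken from the report)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    controls: tuple = ()

    def score(self) -> int:
        """Likelihood x severity: two ratings folded into one comparable number."""
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def rating(self) -> str:
        """Bucket the score: 'high' needs immediate intervention, 'low' is tolerated."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def build_register() -> List[Risk]:
    """Step 1: the identified risks (constructed sample for the scenario)."""
    return [
        Risk("Campus routers", "Virus attack", "Staff and students click phishing emails",
             "likely", "major"),
        Risk("Student and faculty records", "Disclosure to a malicious person",
             "Weak passwords allowed", "possible", "catastrophic"),
        Risk("Campus routers", "Hardware failure", "No spare unit for the core router",
             "unlikely", "moderate"),
        Risk("Export order database", "Fire or flood in server room",
             "Leaky pipe near a power outlet", "rare", "catastrophic"),
        Risk("Employee laptops", "Loss or theft", "Disks not encrypted",
             "possible", "moderate"),
    ]


def rank(register: List[Risk]) -> List[Risk]:
    """Step 3: highest score first, so management sees what needs intervention."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def needs_intervention(register: List[Risk]) -> List[Risk]:
    """Risks whose rating alone is enough to require immediate action."""
    return [r for r in rank(register) if r.rating() == "high"]


def treat(risk: Risk, control: str, new_likelihood: Optional[str] = None,
          new_severity: Optional[str] = None) -> Risk:
    """Step 4: record a control and the residual risk it leaves behind.

    Returns a new Risk; the original entry is kept unchanged so the register
    shows both inherent and residual risk for the step 5 review.
    """
    return replace(
        risk,
        controls=risk.controls + (control,),
        likelihood=new_likelihood or risk.likelihood,
        severity=new_severity or risk.severity,
    )


if __name__ == "__main__":
    for r in rank(build_register()):
        print(f"{r.score():>2} {r.rating():<6} {r.asset}: {r.threat}")
```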

Task 2 - Explain data protection processes and regulations as applicable to an
organisation (P6)

5. Define data protection

Data protection is the process of safeguarding important information from corruption,
compromise or loss.
The importance of data protection increases as the amount of data created and stored
continues to grow at unprecedented rates. There is also little tolerance for downtime that can
make it impossible to access important information.
Consequently, a large part of a data protection strategy is ensuring that data can be restored
quickly after any corruption or loss. Protecting data from compromise and ensuring data
privacy are other key components of data protection.

Figure 5 Data Protection

6. Explain data protection process in an organization

Organisations should understand the terms of these data protection laws as far as they apply
to how the business uses and processes data. Now the regulations have been in play for
more than four years, there are no excuses for businesses not to have understood how
GDPR applies to processes and systems.
From establishing a data protection officer (DPO) to processing subject access requests
(SARs), there are various measures that your business might need to take – and it helps to
understand why and how.
a) Investigate your own organisation
Conducting a thorough probe into your business and the data it collects and processes is key
to shaping how your data protection policy (DPP) will be framed. By speaking with the relevant
stakeholders, you’ll gather the right information to form a set of guidelines around which you
can mould your data protection policy to be as accurate and effective as possible.
b) Identifying sensitive data
Specifically taking inventory of all the sensitive data your business holds is a good way to
ensure you have a handle on where exactly sensitive corporate data is being held.
The process of identifying this data should analyse any data held by the HR department as
well as unstructured data that lives on company hardware, any remote servers and even
email accounts.

c) Monitor access to sensitive data


Access controls need to be managed, and nobody who doesn’t need to access data should be
able to. Your business should audit who has access to what, and whether that level of access
is necessary.
d) Protecting data not just virtually – but physically
An often overlooked element of cyber security is actually the physical security of business
assets and critical data. Who has physical access to business networks and systems matters
just as much as who can access these using remote terminals.
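Steps b) and c) above as an added worked example (not part of the original report): a small inventory scan over constructed file contents, followed by an access review against constructed access lists and department ownership. The detection patterns and the domain wheeliegood.example are assumptions.

```python
"""Sensitive-data inventory and access review for steps b) and c) above.

Added example, not part of the original report. The files, contents,
access lists and department ownership are constructed; the three
detection patterns are illustrations, not a complete classifier.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "unstructured data" living on company hardware (path -> text)
FILES: Dict[str, str] = {
    "hr/payroll_2022.csv": (
        "name,email,salary\n"
        "Linh,linh@wheeliegood.example,1500\n"
        "Minh,minh@wheeliegood.example,1700\n"
    ),
    "hr/contracts/emp0042.txt": "Contract for employee EMP-0042, start date 1 March 2022.",
    "exports/orders_aug.txt": "Order 4411 shipped to Rotterdam. Contact: buyer@importer.example",
    "shared/notes.txt": "Meeting at 10am. Bring the new brake caliper drawings.",
}

# Constructed access lists: who can currently read each path
ACL: Dict[str, Set[str]] = {
    "hr/payroll_2022.csv": {"alice", "bob", "erin"},
    "hr/contracts/emp0042.txt": {"alice", "dave"},
    "exports/orders_aug.txt": {"carol", "dave"},
    "shared/notes.txt": {"alice", "bob", "carol", "dave", "erin"},
}

# Constructed ownership: the people who need access to a department's data.
# A department missing from this map has no restriction (general shared files).
OWNERS: Dict[str, Set[str]] = {
    "hr": {"alice", "bob"},
    "exports": {"carol", "dave"},
}

# Detection patterns, named by the category of sensitive data they indicate
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "employee_id": re.compile(r"\bEMP-\d{4}\b"),
    "payroll": re.compile(r"\bsalary\b", re.IGNORECASE),
}


def classify(text: str) -> List[str]:
    """Return the sorted categories of sensitive data found in one file."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Step b): map every path that holds sensitive data to what it holds."""
    found = {path: classify(text) for path, text in files.items()}
    return {path: cats for path, cats in found.items() if cats}


def excess_access(inv: Dict[str, List[str]], acl: Dict[str, Set[str]],
                  owners: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Step c): (path, user) pairs where a user can read sensitive data that
    their department does not own, i.e. access to review or revoke."""
    findings = []
    for path in sorted(inv):
        department = path.split("/", 1)[0]
        allowed = owners.get(department)
        if allowed is None:          # unrestricted department: nothing to flag
            continue
        for user in sorted(acl.get(path, set())):
            if user not in allowed:
                findings.append((path, user))
    return findings


if __name__ == "__main__":
    inv = inventory(FILES)
    for path, cats in inv.items():
        print(f"{path}: {', '.join(cats)}")
    for path, user in excess_access(inv, ACL, OWNERS):
        print(f"REVIEW: {user} can read {path}")
```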

7. Why are data protection and security regulation important?

Data protection is important, since it protects an organization's information from
fraudulent activities, hacking, phishing, and identity theft. Any organization that wants to
work effectively needs to ensure the safety of its information by implementing a data
protection plan. As the amount of data stored and created increases, so does the importance
of data protection. Data breaches and cyberattacks can cause devastating damage.
Organizations need to proactively protect their data and regularly update their protective
measures.

Key Elements of Data Protection


One very important data protection model is the CIA triad, where the three letters of the
name represent the three elements of data protection: confidentiality, integrity, and
availability. This model was developed to help individuals and organizations develop a
holistic approach to data protection. The three elements are defined as follows:
+ Confidentiality: The data is retrieved only by authorized operators with appropriate
credentials.
+ Integrity: All the data stored within an organization is reliable, precise, and not subject to
any unjustified changes.
+ Availability: The data stored is safely and readily available whenever needed.

Task 3 - Design and implement a security policy for an organisation (P7)

8. Define a security policy and discuss it

a) Security policy
A security policy is a document that states in writing how a company plans to protect its
physical and information technology (IT) assets. Security policies are living documents that
are continuously updated and changing as technologies, vulnerabilities and security
requirements change.
A company's security policy may include an acceptable use policy. These describe how the
company plans to educate its employees about protecting the company's assets. They also
include an explanation of how security measures will be carried out and enforced, and
a procedure for evaluating the effectiveness of the policy to ensure that necessary
corrections are made.

9. Give an example for each of the policies

a) Acceptable use policy (AUP)


An AUP is used to specify the restrictions and practices that an employee using
organizational IT assets must agree to in order to access the corporate network or systems. It
is a standard onboarding policy for new employees, ensuring that they have read and signed
the AUP before being granted a network ID. A template for the AUP is
available at SANS for your use.
b) Data breach response policy
The goal of the data breach response policy is to describe the process of handling an
incident and remediating the impact on business operations and customers. This policy
typically defines staff roles and responsibilities in handling an incident, standards and
metrics, incident reporting, remediation efforts, and feedback mechanisms. A template for
the data breach response policy is available at SANS for your use.
c) Disaster recovery plan
A disaster recovery plan is developed as part of the larger business continuity plan, which
includes both cybersecurity and IT teams’ recommendations. The CISO and assigned teams
will then manage an incident through the data breach response policy. However, the
business continuity plan is activated only when the incident has a significant impact on the
organization. A template for the disaster recovery plan is available at SANS for your use.
d) Business continuity plan
A business continuity plan (BCP) describes how the organization will operate in an
emergency and coordinates efforts across the organization. Additionally, BCP will work in
conjunction with the disaster recovery plan to restore hardware, applications, and data that
are considered essential for business continuity.

e) Remote access policy


According to an IBM study, remote work during COVID-19 increased data breach costs in
the United States by $137,000. Organizations can implement a remote access policy that
outlines and defines procedures to remotely access the organization’s internal networks.
Organizations require this policy when there are dispersed networks with the ability to
extend into unsecured network locations, such as home networks or coffee shops.
f) Access control policy
An access control policy (ACP) defines the standards for user access, network access
controls, and system software controls. Additional supplementary items often include
techniques for monitoring how systems are accessed and used, how access is removed when
an employee leaves the organization, and how unattended workstations should be secured.

10. Give the most and should that must exist while creating a policy

Ensure that there is a policy on policies


Creating a simple policy on policies that defines the organization’s process for creating new
policies is an important first step in maturing policies. This “meta policy” should include
guidance as to what situations constitute the need for a new policy, the format that new
policies should use, and the process that needs to be followed for a new policy to be
approved.

Identify any overlap with existing policies


This one is simple. Before you create a new policy, check to see if the policy you’re
planning to create already exists or if portions of it exist in other policies.

Don’t develop the policy in a vacuum


Policies developed in isolation most often come from organizations lacking any kind of policy
governance structure. In most cases, such policies lacked key factors and were slanted in ways
that were not positive for the organization.

Step back and consider the need


There is a big difference and, again, I have seen policies put into place out of spite and as
retribution. Obviously, that kind of activity wouldn’t happen in a reasonable organization.
But it also won’t happen in one that has a strict policy on policies, as the policy will
generally go through multiple levels for approval.

Use the right words so there is no misunderstanding intent


Policies must be understood to be effective. Use of clear and unambiguous grammar aids in
this effort.
Always use an office, department, unit, or job title instead of an individual’s name.

Establish a policy library with versioning


There are all kinds of tools out there these days, such as SharePoint, that enable you to store
versions of documents. Every employee should be able to access all appropriate policies all
the time.

When possible, include an exceptions process


For every rule, there is an exception… at least in most cases. It’s much easier to define in
advance how an exceptions process is to operate before the policy goes into force. Since
policies are implemented to control behavior and are supposed to level the playing field, it’s
critical that exceptions also be granted in a way that is fair and equitable. If you play loose
with the exceptions process, the entire policy could be called into question.

Allow some shades of gray


So you’ve created an absolutely airtight policy and defined an exceptions process that no
one can question. That’s a good goal, but it’s tough to get there for every policy. This is the
point that might get the most criticism since policies are supposed to create equitable
conditions. But I believe that some policies need to leave a little ambiguity for people to
make decisions.

Define policy maintenance responsibility


Most policies require periodic review to ensure their continued applicability. Further, as
questions are raised about the policy, someone needs to be able to provide clarifying
information. Make sure that you always identify the office — not the individual person —
that is responsible for the policy. You don’t identify individuals since they come and go.

11. Explain and write down elements of a security policy

If your organization is just getting started with your information security policy, you may
want to break the policy down into discrete, manageable chunks. You can develop one at a
time, polishing each one and leaving open the option to add new information as you think of
it. Even if this isn't your first time developing such a policy, you'll still want to be sure you
have the cornerstones in place.
Here are eight critical elements of an information security policy:
a) Purpose
The first essential component of an information security policy is a defined purpose.
Broadly, the purpose of your information security policy is to protect your company's
essential digital information. The purpose of your information security policy might be any
one or a combination of the following objectives:
+ Clarifying your approach to organizational information security
+ Creating a template for information security throughout your organization
+ Forestalling the compromise of your organization's sensitive information
+ Detecting information security breaches caused by misuse of data, networks, computer
systems, or applications or by improper third-party use
+ Responding to information security breaches swiftly and effectively

b) Audience and scope


The next essential element of your information security policy is its audience and scope. Be
sure your business specifies the reach of its policy — that is, which users the policy will
apply to and which it will not apply to.

c) Information security objectives


You will want to consider your company's information security objectives as you craft a
data security policy. The IT industry generally recognizes three main principles, often
known as the CIA triad, of information security policies:
+ Confidentiality
+ Integrity
+ Availability

d) Authority and access control policy
An information security policy should also indicate what members of your organization
have the authority to limit access to data. These people should be trustworthy employees
with enough data security insights to make correct decisions about what information is
shareable and what is not.

e) Data classification
Data classification is an essential element of your information security policy. You'll want
to classify your data by security level. You could also break down your data in a hierarchy
as follows:

Level 1: Information available to the public
Level 2: Information that is meant to remain confidential but would not cause serious harm
if it became public
Level 3: Information that could potentially cause harm to your company or your clients if it
became public
Level 4: Information that could potentially cause serious harm to your company or your
clients if it became public
Level 5: Information that would undoubtedly cause serious harm to your company or your
clients if it became public

f) Data support and operations


Data support and operations include the measures your company will implement for
handling each level of classified data. These are the three primary categories of data support
operations:
+ Data protection regulations
+ Data backup requirements
+ Movement of data

g) Security awareness and behavior
Your organization will need to implement strategies to heighten its security awareness and
prevent breaches. It may need to encourage specific employee behaviors to bolster that
awareness and thwart attacks and losses.
These are a few components you should include in your security training to boost security
awareness and promote responsible behavior:
+ Social engineering
+ A clean-desk policy
+ Internet use policy

12. Give the steps to design a policy

- Policy design is the first phase to be undertaken when creating a new policy. This could
be identifying a brand new problem to be solved or fixing an existing policy or service.

4 steps to design a policy

Figure 6: 4 steps to design a policy

Step 1: Problem setting:


The first step of policy design consists in formulating the issue to be faced, to legitimise it
as a common problem recognised by a community. Usually an issue is raised by the public
in response to a need or a gap in service delivery. A good starting point is then the
exploration of existing policies to see how they have been dealing with the problem/issue to
date. In addition, the identification of the stakeholders and actors affected by the issue
helps understand the scope of the issue and who to engage for collaborative problem
solving. Key actions include:
+ Analysing existing policies and their impacts to investigate their effectiveness in dealing
with the problem;
+ Mapping key stakeholders and if possible their opinion;
+ Finding correlation with possible cause of the problem;
+ Building the quantitative dimensions of the problem – 1) problem description, 2)
overarching policy goals, 3) specific policy objectives

Figure 7: 4 steps to design a policy

Step 2: Problem Formulation:


Policy formulation aims to define and mobilise a set of solution options in relation to the
issue and determine which option is best able to address the problem considering available
resources and existing constraints. The construction of scenarios (written and visual) can
help support the understanding and formulation of alternative strategies and actions. The
main activities include:
+ Defining relevant strategies – strictly related to the political decision
+ Defining possible actions – operational translation of the strategies
+ Calculating impacts – potential systemic results of implementing the options strategy

Figure 8: 4 steps to design a policy

Step 3: Scenario Analysis:


Once scenarios are produced to represent different policy options for dealing with the
identified problem, it is possible to choose the best one among the options they represent in
terms of strategies and actions. Analysing scenarios includes also the (re)tuning of existing
policy actions which is also carried out through small experiments (pilot tests) and public
debate. The main activities related to scenario analysis are:
+ Defining best strategies;
+ Defining best actions;
+ Estimating impacts.

Figure 9: 4 steps to design a policy

Step 4: Decision:
In order for a decision to be made, a clear description of the problem, of the policy and its
scenario, and of the policy acceptance by the public has to be prepared for the presentation
and discussion inside the public unit responsible for the decision.

Task 4 - List the main components of an organisational disaster recovery plan,
justifying the reasons for inclusion (P8)

13. Discuss with explanation about business continuity

a) Business continuity
Business continuity is the advance planning and preparation undertaken to ensure that an
organization will have the capability to operate its critical business functions during
emergency events. Events can include natural disasters, a business crisis, pandemic,
workplace violence, or any event that results in a disruption of your business operation. It is
important to remember that you should plan and prepare not only for events that will stop
functions completely but for those that also have the potential to adversely impact services
or functions.
b) Why is business continuity important?
Some threats, such as cyberattacks and extreme weather, seem to be getting worse. It's
important to have a business continuity plan in place that considers any potential disruptions
to operations.
The plan should enable the organization to keep running at least at a minimal level during a
crisis. Business continuity helps the organization maintain resiliency, in responding quickly
to an interruption. Strong business continuity saves money, time and company reputation.
An extended outage risks financial, personal and reputational loss.

14. List the components of recovery plan

One way your organization can prepare and protect itself from disasters is to create and
implement a disaster recovery plan (DRP). Organizations should create a disaster recovery
plan that can address any type of disaster. The plan should be easy to follow and understand,
and be customized to meet the unique needs of the organization. Typical elements in a
disaster recovery plan include the following:
a) Create a disaster recovery team. The team will be responsible for developing,
implementing, and maintaining the DRP. A DRP should identify the team members, define
each member’s responsibilities, and provide their contact information. The DRP should also
identify who should be contacted in the event of a disaster or emergency. All employees
should be informed of and understand the DRP and their responsibility if a disaster occurs.
b) Identify and assess disaster risks. Your disaster recovery team should identify and
assess the risks to your organization. This step should include items related to natural
disasters, man-made emergencies, and technology related incidents. This will assist the team
in identifying the recovery strategies and resources required to recover from disasters within
a predetermined and acceptable timeframe.
c) Determine critical applications, documents, and resources. The organization must
evaluate its business processes to determine which are critical to the operations of the
organization. The plan should focus on short-term survivability, such as generating cash
flows and revenues, rather than on a long term solution of restoring the organization’s full
functioning capacity. However, the organization must recognize that there are some
processes that should not be delayed if possible. One example of a critical process is the
processing of payroll.
d) Specify backup and off-site storage procedures. These procedures should identify
what to back up, by whom, how to perform the backup, location of backup and how
frequently backups should occur. All critical applications, equipment, and documents
should be backed up. Documents that you should consider backing up are the latest financial
statements, tax returns, a current list of employees and their contact information, inventory
records, customer and vendor listings. Critical supplies required for daily operations, such
as checks and purchase orders, as well as a copy of the DRP, should be stored at an off-site
location.
e) Test and maintain the DRP. Disaster recovery planning is a continual process as risks
of disasters and emergencies are always changing. It is recommended that the organization
routinely test the DRP to evaluate the procedures documented in the plan for effectiveness
and appropriateness. The recovery team should regularly update the DRP to accommodate
for changes in business processes, technology, and evolving disaster risks.
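Item d) above states what a backup procedure must specify (what to back up, by whom, how often, and that critical copies are kept off-site). The following added example, which is not part of the report or its cited sources, turns those requirements into an automated audit: it walks a backup inventory and reports any asset with no backup, a backup older than its required interval, no off-site copy, or a stored checksum that no longer matches the data. All asset names, owners, locations, intervals and backup contents are constructed sample values.

```python
"""Audit a backup inventory against the requirements a DRP states:
what to back up, who owns it, how often, and whether an off-site copy exists.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class BackupPolicy:
    asset: str            # what must be backed up
    owner: str            # who is responsible for running the backup
    max_age: timedelta    # how frequently a fresh backup must exist
    offsite_required: bool


@dataclass
class BackupRecord:
    asset: str
    taken_at: datetime
    location: str         # "onsite-..." or "offsite-..." (constructed naming)
    sha256: str           # digest recorded when the backup was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backups(policies, records, contents, now):
    """Return a list of (asset, problem) findings; an empty list means compliant.

    `contents` maps (asset, location) to the bytes currently stored there and
    stands in for re-reading the backup medium during a restore test."""
    findings = []
    by_asset = {}
    for rec in records:
        by_asset.setdefault(rec.asset, []).append(rec)

    for pol in policies:
        recs = by_asset.get(pol.asset, [])
        if not recs:
            findings.append((pol.asset, "no backup recorded"))
            continue
        # Frequency: the newest copy must be younger than the policy interval.
        newest = max(recs, key=lambda r: r.taken_at)
        age = now - newest.taken_at
        if age > pol.max_age:
            findings.append((pol.asset, f"stale: newest backup is {age} old, limit {pol.max_age}"))
        # Location: critical items need a copy away from the primary site.
        if pol.offsite_required and not any(r.location.startswith("offsite") for r in recs):
            findings.append((pol.asset, "no off-site copy"))
        # Integrity: what is stored must still match what was recorded.
        for r in recs:
            blob = contents.get((r.asset, r.location))
            if blob is None or sha256_hex(blob) != r.sha256:
                findings.append((pol.asset, f"checksum mismatch or unreadable at {r.location}"))
    return findings


# Constructed sample policy, inventory and stored contents.
NOW = datetime(2022, 8, 29, 12, 0)
POLICIES = [
    BackupPolicy("financial-statements", "finance", timedelta(days=1), True),
    BackupPolicy("payroll-db", "hr-it", timedelta(hours=12), True),
    BackupPolicy("drp-document", "security", timedelta(days=30), True),
    BackupPolicy("vendor-list", "procurement", timedelta(days=7), False),
]
CONTENTS = {
    ("financial-statements", "onsite-nas"): b"fs-2022-08-29",
    ("financial-statements", "offsite-dc"): b"fs-2022-08-29",
    ("payroll-db", "onsite-nas"): b"payroll-dump",
    ("drp-document", "offsite-dc"): b"drp-v3",
    ("vendor-list", "onsite-nas"): b"vendors",
}
RECORDS = [
    BackupRecord("financial-statements", NOW - timedelta(hours=6), "onsite-nas", sha256_hex(b"fs-2022-08-29")),
    BackupRecord("financial-statements", NOW - timedelta(hours=6), "offsite-dc", sha256_hex(b"fs-2022-08-29")),
    # Payroll copy is older than its 12-hour limit and only exists on site.
    BackupRecord("payroll-db", NOW - timedelta(hours=20), "onsite-nas", sha256_hex(b"payroll-dump")),
    # The DRP copy was recorded as v2 but v3 is what is stored now.
    BackupRecord("drp-document", NOW - timedelta(days=10), "offsite-dc", sha256_hex(b"drp-v2")),
    BackupRecord("vendor-list", NOW - timedelta(days=2), "onsite-nas", sha256_hex(b"vendors")),
]

if __name__ == "__main__":
    for asset, problem in audit_backups(POLICIES, RECORDS, CONTENTS, NOW):
        print(f"{asset}: {problem}")
```

Running the audit on the constructed inventory flags three problems (payroll-db stale, payroll-db without an off-site copy, drp-document checksum mismatch) and nothing for the assets that meet their policy. In practice the `contents` map would be replaced by actually reading the backup media, which is exactly what item e)'s routine testing of the DRP is meant to exercise.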

15. Write down all the steps required in disaster recovery process

Figure 10: 8 Step Disaster Recovery Plan

Step 1 Determine the Scope of Your Project


First, you need to understand what your end goal is. If you’re a company that’s completely
dependent on quick and easy access to your data to stay in business, your IT disaster
recovery plan should focus on ensuring your proprietary information is kept safe and
secure—even if your onsite hardware experiences critical failures. For most small and mid-
sized businesses, this means exploring offsite data storage options like public cloud storage
and/or data center colocation.

Step 2 Consider Your IT Vulnerabilities


After articulating your end goal, you need to develop a comprehensive understanding of
your most glaring vulnerabilities, paying particular attention to the historical disaster risks
in your geographic region.

Step 3 Conduct Risk Analysis
At this juncture, you should already know what your vulnerabilities are and have put
safeguards in place to counteract them, but you might not know exactly how these
safeguards will respond in a crisis.

Step 4 Identify Recovery Strategies


After stress testing your safeguards, the next move is to identify the most efficient and cost-
effective recovery strategies. Ideally, this calculus will take account of both your most
pressing IT vulnerabilities and the performance of your safeguards during your risk
analysis.

Step 5 Draw up a Plan


At this point, you’re ready to begin assembling your IT disaster recovery plan in earnest.
This will involve collecting the insights you’ve gathered and codifying them in an easy-to-
understand, sequential guide.

Step 6 Test Your Disaster Recovery Plan


Drawing up an IT disaster recovery plan is a step in the right direction—and, as illustrated
above, probably puts you ahead of many of your competitors—but once you think you have
everything in place, it’s important to test your plan to ensure that each step unfolds as
intended.

Step 7 Train Team Members


Once you’re confident in your plan, it’s time to introduce it to your team. Ideally, you’ve
been consulting with key personnel throughout the previous six steps, but regardless of the
degree of collaboration in your planning process, it’s incumbent on you to ensure that
everyone in your organization knows what will happen in the event of a flood, hurricane,
wildfire, or any other catastrophe.

Step 8 Update and Revise Your Plan


Of course, while we all hope we never have to put our IT disaster recovery plan into action,
it’s worthwhile to regularly revisit and, if necessary, revise your plan.

16. Explain some of the policies and procedures that are required for business
continuity

A business continuity policy is the set of standards and guidelines an organization enforces
to ensure resilience and proper risk management. Business continuity policies vary by
organization and industry and require periodic updates as technologies evolve and business
risks change.
The goal of a business continuity policy is to document what is needed to keep an organization
running on ordinary business days as well as in times of emergency. When the policy is well-
defined and clearly adhered to, the company can set realistic expectations for business
continuity and disaster recovery (BC/DR) processes. This policy can also be used to
determine what went wrong so the problems can be addressed.
a) Business continuity (BC)
Business continuity helps the organization maintain resiliency, in responding quickly to an
interruption. Strong business continuity saves money, time and company reputation. An
extended outage risks financial, personal and reputational loss.

b) Disaster recovery (DR)
Disaster recovery (DR) is an organization's ability to respond to and recover from an event
that negatively affects business operations. The goal of DR methods is to enable the
organization to regain use of critical systems and IT infrastructure as soon as possible after a
disaster occurs. To prepare for this, organizations often perform an in-depth analysis of their
systems and create a formal document to follow in times of crisis. This document is known
as a disaster recovery plan.

c) Disaster recovery plan (DRP)

A disaster recovery plan (DRP) is a formal document created by an organization that
contains detailed instructions on how to respond to unplanned incidents such as natural
disasters, power outages, cyber attacks and any other disruptive events. The plan contains
strategies on minimizing the effects of a disaster, helping an organization to quickly resume
key operations or continue to operate as if there was no disruption.

Conclusion

Through the report, I continued to learn more about the concepts of assessment, data
protection, disaster recovery planning for an organization, design and implementation of a
security policy for a functional organization.

References
synopsys.com (2022). Security Risk Assessment. [online] Available at:
https://www.synopsys.com/glossary/what-is-security-risk-assessment.html [Accessed 29
August 2022]
adserosecurity.com (2022). Security Risk Assessment. [online] Available at:
https://www.adserosecurity.com/security-learning-center/what-is-a-security-risk-
assessment/ [Accessed 29 August 2022]
vigilantsoftware.co.uk (2022). Risk terminology. [online] Available at:
https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threats-and-
vulnerabilities [Accessed 29 August 2022]
warditsecurity.com (2022). Threat Identification. [online] Available at:
https://warditsecurity.com/threat-identification/ [Accessed 29 August 2022]
worksmart.org.uk (2022). What are the five steps to risk assessment? [online] Available at:
https://worksmart.org.uk/health-advice/health-and-safety/hazards-and-risks/what-are-five-
steps-risk-assessment [Accessed 29 August 2022]
blog.box.com (2022). Information security policy: Core elements. [online] Available at:
https://blog.box.com/information-security-policy-core-elements [Accessed 29 August 2022]
riskware.com.au (2022). 6 Key Components Of A Disaster Recovery Plan. [online]
Available at: https://www.riskware.com.au/risk-management-blog/6-key-components-of-a-
disaster-recovery-plan [Accessed 29 August 2022]
mha-it.com (2022). What is Business Continuity. [online] Available at: https://www.mha-
it.com/2017/08/01/what-is-business-continuity/ [Accessed 29 August 2022]
techtarget.com (2022). Business continuity policy. [online] Available at:
https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-policy
[Accessed 29 August 2022]
