
Higher Nationals in Computing

Security
ASSIGNMENT
No.1

Learner's Name: DINH NAM DUONG

Assessor Name: NGUYEN NGOC TU

Class: GCS0903B
ID: GCS200284
Assignment due: 30 April 2022
Assignment submitted: 30 April 2022

Page 1
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Dinh Nam Duong Student ID GCS200284

Class GCS0903B Assessor name Nguyen Ngoc Tu

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a
false declaration is a form of malpractice.

Student’s signature Duong

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:
Resubmission Feedback:

Grade: Assessor Signature: Date:

Lecturer Signature:

Assignment Brief 1 (RQF)
Higher National Certificate/Diploma in Computing

Student Name/ID Number: Dinh Nam Duong / GCS200284


Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Nguyen Ngoc Tu
Assignment Title: Security Presentation
Issue Date: April 30th, 2021
Submission Date:
Internal Verifier Name:
Date:

Submission Format:

Format:

● The submission is in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of
headings, paragraphs and subsections as appropriate, and all work must be supported with research
and referenced using the Harvard referencing system. Please also provide a bibliography using the
Harvard referencing system.

Submission

● Students must submit the assignment by the due date and in the way requested by the
Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the word file into PDF file before the submission on CMS.
Note:

● The individual Assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you
must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply
with this requirement will result in a failed assignment.

Unit Learning Outcomes:

LO1 Assess risks to IT security.

LO2 Describe IT security solutions.

Assignment Brief and Guidance:

Assignment scenario

You work for a security consultancy as an IT Security Specialist.

A manufacturing company, "Wheelie good", in Ho Chi Minh City, which makes bicycle parts for export, has called
your company to propose a Security Policy for their organization after reading stories in the media about
security breaches in organizations and their ramifications.

Task 1
In preparation for this task, you will prepare a report considering:
• The security risks faced by the company.
• How data protection regulations and ISO risk management standards apply to IT security.
• The potential impact that an IT security audit might have on the security of the organization.
• The responsibilities of employees and stakeholders in relation to security.
Task 2
Following your report:
• You will now design and implement a security policy
• While considering the components to be included in disaster recovery plan for Wheelie good,
justify why you have included these components in your plan.
Task 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and how
they align with IT security. You will include sections on how to administer and implement these policies.

Learning Outcomes and Assessment Criteria (Assignment 1):

LO3
  Pass:
    P5 Discuss risk assessment procedures.
    P6 Explain data protection processes and regulations as applicable to an organisation.
  Merit:
    M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
    M4 Discuss possible impacts to organisational security resulting from an IT security audit.
  Distinction:
    D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4
  Pass:
    P7 Design and implement a security policy for an organisation.
    P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
  Merit:
    M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
  Distinction:
    D3 Evaluate the suitability of the tools used in an organisational policy.

Table of Contents
I. Discuss risk assessment procedures (P5) ...................................................................... 9
1. Risk assessment definition ....................................................................................................................9
2. Risk assessment steps ............................................................................................................................9
3. The goal of risk assessments ...............................................................................................................10
4. The importance of risk assessment ....................................................................................................11
5. Asset ......................................................................................................................................................11
5.1. Asset definition .......................................................................................................................... 11
5.2. Understanding Assets................................................................................................................ 12
5.3. Types of assets ......................................................................................................................... 12
6. Threat ...................................................................................................................................................13
6.1. Threat definition ......................................................................................................................... 13
6.2. Where Do Cyber Threats Come From? ..................................................................................... 14
6.3. Examples of Cyber Threats ....................................................................................................... 14
6.4. Protect Against and Identify Cyber Threats ................................................................................ 15
II. Explain data protection processes and regulations as applicable to an organisation
(P6) 16
1. Data protection ....................................................................................................................................16
2. Data protection process in an organization.......................................................................................16
3. The importance of data protection.....................................................................................................19
III. Summarise the ISO 31000 risk management methodology and its application in IT
security (M3) ........................................................................................................................... 19
1. Define ISO 31000 management methodology ...................................................................................20
2. Benefits of ISO 31000 ..........................................................................................................................21
3. Example of apply ISO 31000 in organization ...................................................................................22
IV. Discuss possible impacts to organisational security resulting from an IT security
audit (M4) ............................................................................................................................... 22
1. Security audit definition......................................................................................................................22
2. Benefits of IT Security Audit ..............................................................................................................22
3. Types of IT Security Audit .................................................................................................................22
4. How does Security Audit impact to an organization? ......................................................................23
V. Discuss the roles of stakeholders in the organization to implement security audit
recommendations. (M5) ......................................................................................................... 24
1. Stakeholder definition .........................................................................................................................24
2. Understanding Stakeholders ..............................................................................................................24

3. The roles of stakeholders in the organization ...................................................................................25
VI. Design and implement a security policy for an organisation (P7) ........................... 25
1. Define security policy ..........................................................................................................................25
2. Understanding Security Policy ...........................................................................................................25
3. Security policy examples .....................................................................................................................26
4. The most and should that must exist while creating a policy ..........................................................26
5. Elements of an Information Security Policy .....................................................................................27
6. Steps to design a policy........................................................................................................................29
VII. List the main components of an organisational disaster recovery plan, justifying
the reasons for inclusion. (P8) ............................................................................................... 30
1. Disaster Recovery Plan .......................................................................................................................30
2. 7 Components That Make A Great Disaster Recovery Plan ...........................................................30
3. The importance of Disaster Recovery Plan .......................................................................................31
3.1. Cost-Efficiency .......................................................................................................................... 31
3.2. Increased Employee Productivity ............................................................................................... 32
3.3. Greater Customer Retention ...................................................................................................... 32
3.4. A Better Understanding of Scalability ......................................................................................... 32
VIII. Reference ..................................................................................................................... 32

Table of Figures
Figure 1: Risk assessment step ......................................................................................................................... 10
Figure 2: IT assets............................................................................................................................................. 12
Figure 3: IT threat ............................................................................................................................................. 13
Figure 4: Data protection .................................................................................................................................. 16
Figure 5: ISO 31000 template .......................................................................................................................... 21

I. Discuss risk assessment procedures (P5)
1. Risk assessment definition
The identification of threats that potentially have a negative influence on an organization's ability to
conduct business is known as risk assessment. These evaluations aid in the identification of these inherent
business risks, as well as the implementation of procedures, processes, and controls to mitigate their
influence on corporate operations.
A risk assessment framework (RAF) can be used by businesses to prioritize and share the contents of
their evaluation, including any threats to their information technology (IT) infrastructure. The RAF assists
a company in identifying prospective hazards, as well as any business assets that may be put at risk as a
result of these hazards, as well as the potential consequences if these risks materialize.
The Chief Risk Officer (CRO) or a Chief Risk Manager is usually in charge of the risk assessment
process in large corporations.
2. Risk assessment steps
The method used to conduct a risk assessment varies greatly depending on the risks specific to the type
of business, the industry in which the business operates, and the compliance rules that apply to that
particular business or industry. Regardless of the sort of business or industry, there are five broad measures
that companies can take.
• Step 1: Identify the hazards. The first stage in a risk assessment is to identify any potential
events that would have a negative impact on the organization's capacity to conduct business if they
occurred. Natural catastrophes, utility and power outages, and cyberattacks are all potential
hazards that could be evaluated or discovered during a risk assessment.
• Step 2: Determine what could be injured or who could be harmed. After the risks have been
determined, the following stage is to assess which business assets would be harmed if the risk
materialized. Critical infrastructure, IT systems, business operations, company reputation, and
even employee safety are all considered to be at risk from these hazards.
• Step 3: Assess the hazards and devise countermeasures. A risk analysis can assist in determining
how hazards will affect business assets, as well as the steps that can be implemented to reduce
or eliminate the effects of these hazards on business assets. Property damage, business
interruption, financial loss, and legal penalties are all possible impacts.
• Step 4: Make a note of your results. The company's risk assessment findings should be
documented and filed as formal records that are easily accessible. Details on potential dangers,
their related risks, and plans to avoid the hazards should be included in the records.
• Step 5: Regularly review and update the risk assessment. In today's business world, potential
dangers, risks, and the controls that go along with them can alter quickly. It is critical for
businesses to update their risk assessments on a frequent basis in order to keep up with these
changes.

Figure 1: Risk assessment step
Different sectors have their own risk assessment tools, such as risk assessment templates, which can be
valuable for firms that are creating their first risk assessments or updating older ones.
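The five steps above can be carried through as a small risk register. The following is an added example written for this report, not code from the original assignment or from any named template. It assumes a 1 to 5 ordinal scale for likelihood and impact, a score of likelihood multiplied by impact, and a residual score in which existing controls reduce likelihood; the risks listed for the "Wheelie good" scenario are constructed sample data, not findings about a real company.

```python
"""Risk register for steps 1-5 of a risk assessment (added example).

Assumptions (not from the original report): 1-5 scales, score = likelihood x
impact, and existing controls lower the likelihood by 'control_effect' points.
The sample risks are constructed for the hypothetical bicycle-parts maker.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Risk:
    asset: str                 # step 2: what could be harmed
    threat: str                # step 1: the hazard
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # existing countermeasures
    control_effect: int = 0    # likelihood points the controls remove

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def inherent(self) -> int:
        """Step 3: risk before existing controls are considered."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Step 3: risk after existing controls; likelihood never drops below 1."""
        return max(1, self.likelihood - self.control_effect) * self.impact


def rating(score: int) -> str:
    """Map a 1-25 score onto the usual three-band heat map."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks):
    """Rank by residual score (highest first), then by inherent score."""
    return sorted(risks, key=lambda r: (r.residual, r.inherent), reverse=True)


def register(risks, assessed_on: date, review_months: int = 6):
    """Steps 4 and 5: the documented record, with a review date."""
    review_by = (assessed_on + timedelta(days=30 * review_months)).isoformat()
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent,
            "residual": r.residual,
            "rating": rating(r.residual),
            "controls": r.controls,
            "review_by": review_by,
        }
        for r in prioritise(risks)
    ]


# Constructed sample data for the hypothetical "Wheelie good" scenario.
SAMPLE_RISKS = [
    Risk("ERP server", "ransomware delivered by phishing", 4, 5,
         ["email filtering", "offline backups"], control_effect=2),
    Risk("CNC machine controllers", "unpatched firmware exploited", 3, 5),
    Risk("Export customer database", "insider data theft", 2, 4,
         ["role-based access", "audit logging"], control_effect=1),
    Risk("Office workstations", "power outage", 3, 2, ["UPS"], control_effect=2),
]


def example_register():
    """The register for the sample data, assessed on the submission date."""
    return register(SAMPLE_RISKS, date(2022, 4, 30))


if __name__ == "__main__":
    for row in example_register():
        print(f"{row['rating']:6} residual={row['residual']:2} "
              f"inherent={row['inherent']:2}  {row['asset']}: {row['threat']}")
```

Running the block shows why the residual column matters: the ERP server has the highest inherent score (20) but its existing controls push it below the unpatched machine controllers (15), which have no controls at all and therefore come first in the remediation order.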
3. The goal of risk assessments
The particular goals of risk assessments will likely differ based on industry, business type, and relevant
compliance laws, similar to risk assessment phases. In an information security risk assessment, for example,
weaknesses in the organization's IT security architecture should be identified, as well as compliance with
information security-specific laws, mandates, and regulations.
The following are some common goals and objectives for conducting risk assessments across industries
and business types:

• Developing a risk profile that provides a quantitative analysis of the types of threats the
organization faces.
• Developing an accurate inventory of IT assets and data assets.
• Justifying the cost of security countermeasures to mitigate risks and vulnerabilities.
• Identifying, prioritizing and documenting risks, threats and known vulnerabilities to the
organization's production infrastructure and assets.
• Determining budgeting to remediate or mitigate the identified risks, threats and vulnerabilities.
• Understanding the return on investment, if funds are invested in infrastructure or other business
assets to offset potential risk.

4. The importance of risk assessment


Risk assessments are crucial because they are a key component of any risk management strategy, whether
for occupational health and safety or for information security. They help to:
• make people aware of potential hazards and risks;
• determine who or what might be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.);
• determine whether a specific hazard requires a control to be put in place;
• determine whether the current controls are adequate or whether more should be done;
• prevent harm early, which is easiest when done during the design or planning process;
• determine the order in which hazards and control measures should be addressed;
• adhere to legal regulations, where applicable.

5. Asset
5.1. Asset definition
A resource with economic worth that an individual, corporation, or country possesses or controls
with the hope of future gain is referred to as an asset. Assets are bought or developed to raise a
company's value or benefit its operations, and they are reported on the balance sheet. Whether it is
manufacturing equipment or a patent, an asset can be thought of as something that can create cash flow,
cut expenses, or increase sales in the future.

Figure 2: IT assets
5.2. Understanding Assets
An asset represents a company's economic resource or access that other individuals or firms do not
have. A right or other access is legally enforceable, which means that economic resources can be used
at the discretion of a company and can be prohibited or limited by an owner.
A company must have a right to an asset as of the date of the financial statements in order for it to
be recognized. An economic resource is something that is limited in supply and has the potential to generate
economic benefit by increasing cash inflows or decreasing cash outflows.
5.3. Types of assets
• Current assets: Current assets are highly liquid assets that can be sold and converted into
currency in a short period of time. Cash, bonds, mutual funds, stocks, and other marketable
securities are regarded as the most liquid current assets, which means they can be sold easily and
rapidly without impacting their value. Cash, accounts receivable, inventory, and prepaid
expenses are examples of current assets for firms.
• Fixed assets: Fixed assets, also known as hard assets or long-term assets, can take a long time
to produce cash value and are often deemed low-liquidity, which means they can't be sold fast
at the appropriate price. Buildings, land, furniture, and any other item that is not planned for
sale within the year are examples of fixed assets.
• Tangible assets: Inventory, real estate, machinery, currency, and furniture are examples of
tangible assets that are physically tangible and often in the owner's hands. The majority of
tangible assets are also regarded as current assets.
• Intangible assets: Intangible assets are items that have no physical form. Permits,
intellectual property, patents, brand reputation, and trademarks are examples
of intangible assets that increase in value as a result of successful use.

• Operating assets: Operating assets are any assets that create money and help maintain
workflow through day-to-day business operations. Copyrights, licenses, inventory, and
machinery are examples of operating assets.
• Non-operating assets: Non-operating assets, such as unoccupied property or short-term
investments, are goods owned by a company that create revenue but are not required for daily
operations.

6. Threat
6.1. Threat definition
A threat is any event that may have a negative impact on an asset, such as the asset being lost, taken offline,
or accessed by an unauthorized party.
Threats are defined as events that jeopardize an asset's confidentiality, integrity, or availability, and
they may be intentional or accidental.
Intentional threats are deliberate acts such as criminal hacking, malware, or a malicious insider stealing
data, whereas accidental threats typically involve employee error, a technical malfunction, or an event
that causes physical damage, such as a fire or natural disaster.

Figure 3: IT threat

6.2. Where Do Cyber Threats Come From?
• Hostile Nation-States National cyber warfare programs provide emerging cyber threats
ranging from propaganda, website defacement, espionage, key infrastructure disruption, and
loss of life. When compared to other threat actors, government-sponsored programs are
becoming more sophisticated and pose advanced threats. Their growing capabilities have the
potential to cause widespread, long-term harm to the national security of many countries,
including the United States. Hostile nation-states pose the greatest risk due to their ability to
use technology and tools effectively against the most difficult targets, such as classified
networks and critical infrastructure such as electricity grids and gas control valves.
• Terrorist Groups Terrorist organizations are increasingly employing cyber attacks to harm
national interests. They are less sophisticated in cyber attacks and have a lower proclivity to
use cyber means than nation-states. Terrorist organizations are likely to pose significant cyber
threats as more technically competent generations join their ranks.
• Corporate Spies and Organized Crime Organizations Corporate spies and organized crime
groups pose a threat because of their ability to conduct industrial espionage to steal trade secrets
or to commit large-scale monetary theft. In general, these parties are interested in profit:
either making a profit directly or disrupting a competitor's ability to make one by attacking its
key infrastructure, stealing its trade secrets, or gaining access to material that can be used for
blackmail.
• Hacktivists’ activities cover a wide range of political ideals and issues. Most hacktivist
organizations are more concerned with spreading propaganda than with causing damage to
infrastructure or disrupting services. Instead of causing maximum damage to an organization,
their goal is to support their political agenda.
• Disgruntled Insiders Insiders who are dissatisfied with their jobs are a common source of
cybercrime. Insiders don't always need a high level of computer knowledge to expose sensitive
data because they may be authorized to access it. Insider threats also include third-party vendors
and employees who may introduce malware into systems unintentionally or who may log into
a secure S3 bucket, download its contents, and share it online, resulting in a data breach. If you
don't check your S3 permissions, someone else will.
• Hackers Malicious intruders may use a zero-day exploit to gain unauthorized access to data.
Hackers may break into computer systems for the sake of a challenge or bragging rights.
Previously, this required a high level of skill. Today, sophisticated attacks can be made simple
by downloading automated attack scripts and protocols from the Internet.
• Natural Disasters Natural disasters pose a cyber threat because they can disrupt your critical
infrastructure in the same way that a cyber attack can.
• Accidental Actions of Authorized Users An authorized user may fail to configure S3 security
correctly, resulting in a potential data leak. Poor configuration, rather than hackers or
disgruntled insiders, has been responsible for some of the most serious data breaches.
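Two of the sources above (disgruntled insiders and accidental actions) come back to the same check: whether an S3 bucket grants access to everyone. The following is an added example, not code from the original report or from AWS. It inspects a bucket policy document offline and flags every Allow statement whose principal is everyone and whose conditions do not narrow the caller, which is the core of the rule AWS uses when it labels a bucket "public". The bucket name, the VPC endpoint ID, the sample policies and the list of narrowing condition keys are assumptions made for the example.

```python
"""Flag public-access statements in an S3 bucket policy (added example).

Reads the JSON policy document offline; nothing here calls AWS. The sample
policies, bucket name and endpoint ID below are constructed.
"""
import json

# Principal forms that mean "anyone".
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"}, {"AWS": ["*"]})

# Condition keys that restrict who can call. Assumption: a practical subset,
# not AWS's complete rule set.
NARROWING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                  "aws:principalorgid", "aws:principalaccount", "aws:userid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    if principal in PUBLIC_PRINCIPALS:
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_narrows(condition) -> bool:
    """True if any condition key limits the calling principal."""
    if not condition:
        return False
    for operator_map in condition.values():          # e.g. {"StringEquals": {...}}
        for key in operator_map:
            if key.lower() in NARROWING_KEYS:
                return True
    return False


def public_statements(policy_json: str):
    """Return (Sid, actions) for every statement that grants public access."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":            # a Deny never opens access
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if _condition_narrows(stmt.get("Condition")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


# Constructed example: the leaky policy beside a corrected one.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::export-orders", "arn:aws:s3:::export-orders/*"],
    }],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::export-orders/*",
        # hypothetical endpoint ID: only callers inside this VPC endpoint
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::export-orders/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_statements(doc))
```

The check deliberately ignores Deny statements and treats a wildcard principal with a VPC-endpoint or source-IP condition as restricted; a bucket policy is only one of several places public access can be granted (ACLs and the account-level Block Public Access settings are the others), so in practice this check is run alongside those.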

6.3. Examples of Cyber Threats


• Malware
• Spyware
• Phishing Attacks
• Distributed Denial of Service (DDoS) Attacks
• Ransomware
• Zero-Day Exploits
• Advanced Persistent Threats
• Trojans
• Wiper Attacks
• Intellectual Property Theft
• Theft of Money
• Data Manipulation
• Data Destruction
• Man-in-the-Middle Attack (MITM Attack)
• Drive-by Downloads
• Malvertising
• Rogue Software
• Unpatched Software
• Data Centre Disrupted by Natural Disaster

6.4. Protect Against and Identify Cyber Threats


The National Institute of Standards and Technology's (NIST) Cybersecurity Framework and a cyber threat
intelligence exercise are good places to start when learning how to protect your organization from
cyber threats.
When cyber threat information is collected, evaluated, and analyzed, it becomes cyber threat
intelligence. Cyber threat intelligence improves your understanding of cyber threats and enables you
to identify similarities and differences between different types of cyber threats in a timely and accurate
manner.
The intelligence cycle is a cyclical process that produces cyber threat intelligence. Data collection
is planned, implemented, and evaluated in the intelligence cycle to produce a report, which is then
disseminated and reevaluated in light of any new information.
The process is cyclical because you may identify cybersecurity gaps, unanswered questions, or be
prompted to collect new requirements and restart the intelligence cycle during the gathering or
evaluation process.
The analysis is based on the triad of actors, intent, and capability, as well as their tactics, techniques,
and procedures (TTPs), motivations, and access to the intended targets.
It is possible to make informed strategic, operational, and tactical assessments by studying the triad
of actors:
• Strategic Assessments
Strategic assessments inform decision-makers on broad and long-term issues, as well as
providing timely threat warnings. Strategic cyber threat intelligence provides insight into the
intent and capabilities of malicious cyber attackers, as well as the cyber threats they may
pose.
• Operational Assessments

Operational assessments identify potential incidents related to events, investigations, or
activities and advise on how to respond to them. For instance, what to do if a computer
becomes infected with malware.
• Tactical Assessments
Tactical assessments are real-time evaluations of events, investigations, and activities
that support day-to-day operations.
Cyber threat intelligence, when used correctly, provides insights into cyber threats and
promotes a faster, more targeted response. It can help decision-makers determine acceptable
cybersecurity risks, controls, and budget constraints in equipment and personnel, as well as
support incident response and post-incident response activities.
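At the tactical level described above, threat intelligence is consumed as indicators of compromise matched against the organization's own logs, with the hits rolled up per actor for the operational picture. The following is an added example, not code from the original report: the threat feed, the actor name "HYPO-ACTOR", the indicators and the log lines are all constructed, and while the ATT&CK technique IDs are real, their association with the invented actor is an assumption made for the example.

```python
"""Match threat-intelligence indicators against log lines (added example).

The feed, actor and log lines are constructed. Technique IDs are real
MITRE ATT&CK identifiers, but mapping them to "HYPO-ACTOR" is invented.
"""
import re
from collections import defaultdict

# Constructed threat feed: indicator -> (actor, ATT&CK technique)
INDICATORS = {
    "203.0.113.45": ("HYPO-ACTOR", "T1071"),            # C2 server (TEST-NET-3 address)
    "update-checker.example": ("HYPO-ACTOR", "T1566"),  # phishing landing domain
    # dropper hash; this is the SHA-256 of an empty file, used only as a stand-in
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        ("HYPO-ACTOR", "T1486"),
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse key=value log lines; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _domain_hits(value: str):
    """Yield the domain itself or any parent domain present in the feed."""
    parts = value.lower().split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in INDICATORS:
            yield candidate


def match_logs(lines):
    """Tactical view: (line_no, indicator, actor, technique) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_line(line)
        for key in ("dst", "src"):
            ip = fields.get(key)
            if ip in INDICATORS:
                hits.append((n, ip, *INDICATORS[ip]))
        for key in ("host", "dns"):
            for domain in _domain_hits(fields.get(key, "")):
                hits.append((n, domain, *INDICATORS[domain]))
        digest = fields.get("sha256", "").lower()
        if digest in INDICATORS:
            hits.append((n, digest, *INDICATORS[digest]))
    return hits


def actor_summary(hits):
    """Operational view: which actors were seen and with which techniques."""
    summary = defaultdict(set)
    for _, _, actor, technique in hits:
        summary[actor].add(technique)
    return {actor: sorted(techniques) for actor, techniques in summary.items()}


# Constructed proxy and endpoint log lines (key=value format).
SAMPLE_LOG = [
    'ts=2022-04-30T08:01:02Z src=10.1.5.23 dst=198.51.100.7 host=www.example.org action=allow',
    'ts=2022-04-30T08:02:11Z src=10.1.5.23 dst=203.0.113.45 host=cdn.update-checker.example action=allow',
    'ts=2022-04-30T08:02:15Z src=10.1.5.23 dst=203.0.113.45 bytes=48213 action=allow',
    'ts=2022-04-30T08:03:40Z endpoint=WS-17 event=file_create path="C:\\Users\\duong\\update.exe" '
    'sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855',
    'ts=2022-04-30T08:05:00Z src=10.1.7.8 dst=192.0.2.10 host=mail.example.org action=allow',
]

if __name__ == "__main__":
    found = match_logs(SAMPLE_LOG)
    for hit in found:
        print("line %d: %s -> %s (%s)" % hit)
    print(actor_summary(found))
```

The domain match walks up the parent domains so that a subdomain (cdn.update-checker.example) still hits the feed entry, and hashes are compared case-insensitively because different tools report them in different cases; both are common reasons a naive exact-match lookup misses an indicator.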

II. Explain data protection processes and regulations as applicable to an organisation (P6)
1. Data protection
Data protection covers the interaction between the collection and dissemination of data and technology, the
public perception and expectation of privacy, and the political and legal frameworks surrounding that data.
Its goal is to achieve a balance between individual privacy rights and the ability to use data for
commercial purposes.
Data protection is also referred to as data privacy or information privacy.

Figure 4: Data protection


2. Data protection process in an organization
➢ Cybersecurity risk assessment

Once you have taken stock of all of your company's information, administrators must analyze the
threats that the enterprise's data may be exposed to, such as:
• a cyber-attack on the network;
• natural disasters, such as fires and earthquakes, that result in data loss.
Only solutions to protect enterprise data from cyber threats are discussed in this report.

Data cybersecurity threats can be assessed by the organization's own cybersecurity
personnel. Where that expertise is not available, the help of external network security professionals
can be sought; they have the expertise and experience to alert you to threats to your business data
that you are not yet aware of.
After determining the threats to the data that needs to be secured, you must carry out security
evaluations of your company's network. This shows exactly what security threats exist, and may already
have materialized, in the company network in general and in the enterprise's data security in particular.
After that, implement security measures or deploy security solutions to secure the system. The number
of solutions deployed will be determined by the business model, the budget, and the requirements.
➢ Raise awareness about data security for employees

Human error is one of the most serious threats to organizational data security. As a result,
implementing measures to train employees and promote awareness of data security is one of the
most important and effective ways to secure data in the workplace.
Periodic data security awareness and training programs are required. They are the most
essential option for reducing company data breaches and for saving money on outsourced security
services. At the same time, firms must have a data security strategy and processes in place for
handling and using data in the company, drawing on data management and assurance standards
such as ISO 27001 and PCI DSS. These documents are also used for data security policy adoption
and awareness training inside the company.
➢ Data security management

Enterprise data security risks are constantly present. As a result, rather than deploying security
measures once, it is important to do so on a regular basis. Where possible, each company should have
a leader or a specialist with an understanding of corporate data security and privacy who is in charge
of overseeing the installation of the security measures, processes, and procedures that protect the
safety of data. This will assist organizations in reducing the cybersecurity risks to their data.
➢ Troubleshoot and manage problems

It is critical to document protocols for responding to network and data security incidents. They
help reduce the damage that security incidents cause to enterprises.
Alternatively, you could consider employing expert network security assessment and incident response
units. These units will be in charge of advising on the response process and coordinating incident
handling, assisting your company in minimizing damage in the event of an incident.
➢ Configure the system safely

Ensuring that all system components (including software and hardware) are set up to meet the security
policy's standards is an effective approach to securing your business data.
Normally, before bringing a device into operation, firms should have configuration rules in
place. These rules can cover passwords, accounts, services, and system setup, among other
things.
Some companies have a habit of rolling out the same pre-installed software image on all of their devices.
Pre-installed versions, however, frequently carry old vulnerabilities that have not been fixed
in a long time, leaving the system susceptible to attackers. Furthermore, the provenance of these
installations is unknown: it is conceivable that the installation contained viruses or flaws from the start.
➢ Configure the system safely

Separating the network into distinct zones helps isolate and limit the impact of network
security threats such as leaking company data, malicious code infection, poisoning, and so on in the
event of a network security disaster.
Use extra firewalls between untrusted external network zones and internal network zones. A
DMZ also aids in access management between the various network zones; from there, connections from
hazardous network locations to safe network areas can be blocked.
Conduct and review penetration testing on a regular basis to ensure that the network zone access
policy is always correctly enforced.
➢ Make sure the network is divided into separate zones

➢ Secure Enterprise Data with Cybersecurity Monitoring

It's critical to use network traffic monitoring tools both inside and outside the network to help
regulate network data and detect irregularities as soon as possible, maximizing detection and
prevention so that attacks are stopped early. IDS, IPS, and SIEM systems are the most prevalent
solutions used by businesses today. Here IDS and IPS stand for intrusion detection and intrusion
prevention systems, and SIEM (Security Information and Event Management) is a solution that collects
and correlates security events from across the network for monitoring.
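As an added illustration of the monitoring point above (not part of the original report), the Python below shows the kind of correlation rule an IDS or SIEM applies to authentication events. It parses constructed sshd-style log lines (sample data, not real logs), raises an alert when one source address produces five or more failed logins within a minute, and escalates the alert if that same source later logs in successfully. The log format, the threshold of five and the sixty-second window are assumptions chosen for the example.

```python
"""Brute-force login detection over constructed auth log lines (SIEM-style rule)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd style; not real data.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:02 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd: Failed password for bob from 203.0.113.7
2024-03-01T09:00:06 sshd: Connection closed by 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for bob from 203.0.113.7
2024-03-01T09:05:00 sshd: Failed password for carol from 198.51.100.2
2024-03-01T09:30:00 sshd: Failed password for carol from 198.51.100.2
2024-03-01T09:31:00 sshd: Accepted password for carol from 198.51.100.2
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: `threshold` or more failures from one source inside `window`
    raise a 'bruteforce' alert (once per source); a later successful login from an
    already-alerted source escalates to 'bruteforce_success'. Returns alert dicts."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = {}                 # src -> time the first alert fired
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, src = event
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window: drop old failures
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(q), "at": ts})
        elif result == "Accepted" and src in flagged:
            alerts.append({"type": "bruteforce_success", "src": src,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

In the sample data the second source only fails twice, twenty-five minutes apart, so the sliding window correctly keeps it below the threshold; the first source trips the rule on its fifth failure and then escalates when `bob` logs in from it.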
➢ Control access

For enterprise networks, authorization (privilege assignment) and access control measures are
essential. These policies help control access into and out of the system effectively.

To accomplish this, you must ensure users are given only the access privileges they need to
complete their tasks. Privileged accounts should be used only for critical systems or database
administrator roles. User activity, especially when it involves sensitive information, must be
recorded, and both the data and the user's account must be tightly managed. At the same time,
always keep in mind that to protect data you must require strong passwords.
Physical security measures connected to access control for corporate premises and personal
offices (employee movement, sirens and magnetic card systems, security guards, and so on) are also
critical in managing enterprise data access.
➢ Enhanced malware protection

Enterprises should implement methods to avoid malware and protect data from it. Numerous
options are available today to reduce the risk of malware infection at various levels: user-level
anti-malware solutions, centralized anti-malware solutions, gateway anti-malware solutions, and so
on. Choose a realistic solution for your business based on your financial situation.
➢ Update patches regularly

As new attack methods emerge, no system can be considered completely secure. As a result,
keeping operating systems and software up to date with the latest updates is critical for protecting
company data and reducing the risk of cyber-attacks on enterprise systems. Of course, to provide the
highest level of system security, enterprises must install a variety of security solutions that apply
security rules in a timely manner.
➢ Perform encryption of critical data

Finally, encrypt data before transferring it. This is an important job that contributes to the
protection of corporate data: if data is lost through a network attack or through eavesdropping on
the transmission line, encryption will prevent sensitive information from getting into the wrong
hands. To protect your data, you should also employ robust encryption. Weak base64 encoding
"protections" are unsafe and easily decoded, since base64 is an encoding, not encryption.
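As an added example of the last point (not from the original text), the Python below shows why base64 is not protection and gives a check a reviewer can run. `weak_protect` is the scheme the paragraph warns against, `reveal` undoes it with no key at all, and `classify_value` is a triage check for exported configuration or backup values that flags ones which are merely base64-encoded readable text rather than ciphertext. The entropy threshold, the helper names and the constructed sample values are assumptions made for the example.

```python
"""Base64 is encoding, not encryption: a reversal demo and a triage check for stored values."""
import base64
import binascii
import math
import string

PRINTABLE = set(string.printable)

# Constructed stand-in for real ciphertext: 32 high bytes that are not valid UTF-8.
CIPHERTEXT_LIKE = base64.b64encode(bytes(range(200, 232))).decode()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random bytes approach 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def weak_protect(secret: str) -> str:
    """The 'protection' the text warns about: base64 only, no key involved."""
    return base64.b64encode(secret.encode()).decode()


def reveal(encoded: str) -> str:
    """Anyone holding the value can undo base64 without any key."""
    return base64.b64decode(encoded).decode()


def classify_value(value: str) -> str:
    """Triage a stored or transmitted value:
       'plain'        - not valid base64 at all
       'base64_plain' - base64 that decodes to readable text (reversible, not encrypted)
       'opaque'       - base64 of high-entropy or non-text bytes, consistent with ciphertext
    Short bare words that happen to be valid base64 can land in 'opaque'; treat the
    result as a triage hint, not proof that encryption was used."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "plain"
    if not raw:
        return "plain"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    # Assumed threshold: readable text rarely exceeds ~6 bits/byte; ciphertext approaches 8.
    if all(ch in PRINTABLE for ch in text) and shannon_entropy(raw) < 6.0:
        return "base64_plain"
    return "opaque"


if __name__ == "__main__":
    protected = weak_protect("db_password=S3cret!")   # constructed sample secret
    print(protected, "->", reveal(protected), classify_value(protected))
    print(CIPHERTEXT_LIKE, "->", classify_value(CIPHERTEXT_LIKE))
```

The check is useful during an audit of configuration files, exports and backups: a value the application claims is "encrypted" but that `classify_value` reports as `base64_plain` is readable by anyone who obtains the file.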

3. The importance of data protection


Data protection is critical because it protects an organization's information from fraudulent activities
such as hacking, phishing, and identity theft. Any organization that wishes to function effectively must
ensure the security of its information by implementing a data protection plan. The importance of data
protection grows in tandem with the amount of data stored and created. Data breaches and cyberattacks can
have catastrophic consequences. Organizations must protect their data proactively and update their security
measures on a regular basis.
Finally, the key principle and importance of data protection is safeguarding and protecting data from
various threats and under various conditions. The following article goes into greater detail about data
protection and its significance.

III. Summarise the ISO 31000 risk management methodology and its application in IT
security (M3)

1. Define ISO 31000 management methodology
BS ISO 31000 is the international standard for risk management. Through thorough standards and
concepts, this standard assists companies in analyzing and assessing risk. The BS ISO 31000 standard can
be applied to all business activities, including planning, operations management, and information
transfer processes, whether you operate in a public, private, or community organization. This
international standard is used to develop management skills and to ensure workplace safety and security
so that risks can be controlled to a certain extent. This is what is referred to as risk management.
By following the concepts and recommendations of BS ISO 31000, you can manage risk, increase your
organization's performance and stakeholder confidence, and reduce harm. This worldwide standard also
aids in the improvement of organizational performance and safety, laying the groundwork for proactive
decision-making and management across the board.

Figure 5: ISO 31000 template

2. Benefits of ISO 31000


• Boost operational effectiveness and governance.
• Boost stakeholder trust in your risk management strategies.
• Improve operational controls, such as required and voluntary reporting.
• Boost your company's productivity, crisis management, and organizational resiliency.
• Adapt to change and protect your company as it grows.

3. Example of applying ISO 31000 in an organization
IFC, founded in 2004, has 15 years of experience in investment, research and development, equipment
design and production, solution offering, service implementation, and the operation and maintenance of
high-quality, large-scale systems in Vietnam, including AMR (electronic meter data acquisition systems),
SCADA/EMS/DMS (supervisory control and data acquisition systems), and SmartLight (urban lighting
control systems).
IFC has become a sustainable development company, leading the Vietnamese market in automation,
electronics, and information technology, thanks to the application of ISO 31000:2018 under the National
Quality Productivity program (under Decision 712), with consulting from productivity experts at the
Center for Information - Communication, Standards, and Quality Measurement. In keeping with the
industrial revolution 4.0 movement, IFC has established information infrastructure and smart apps to help
the country industrialize and modernize, supporting local and international enterprises and consumers in
achieving energy management goals, optimizing resources, and connecting ideas in order to generate
valuable goods in the value chain that benefit people.

IV. Discuss possible impacts to organisational security resulting from an IT security audit (M4)
1. Security audit definition
An IT security audit is a comprehensive review of an organization's security posture and IT
infrastructure. It enables businesses to identify and assess risks in their IT networks, connected
devices, and applications, and it allows you to close security gaps and meet compliance requirements.
Vulnerability scans, for example, are used to identify security flaws in IT systems, while penetration
testing attempts to gain unauthorized access to systems, apps, and networks in a controlled way. Finally,
after all of the appropriate steps are complete, the penetration testing results are delivered to the
company for additional analysis and action.
2. Benefits of IT Security Audit
An IT security audit, as previously said, identifies underlying weaknesses and security threats in an
organization's IT assets. Identifying hazards, on the other hand, has a beneficial impact on the security of
the organization as a whole. How? We'll go over each one individually below:

• With the audit results, it helps you create a benchmark for your organization by weighing your
present security structure and practices.
• Hacker risks are reduced by detecting probable hacker entry points and security weaknesses
ahead of time.
• Verifies your IT infrastructure's compliance with leading regulatory authorities and assists you
in complying.
• Finds gaps in your company's security training and awareness and assists you in making informed
decisions to improve it.

3. Types of IT Security Audit


An IT security audit can be classified in a variety of ways. In general, it's been divided into categories
based on the strategy, methodology, and so on. The following are some examples of common
classifications:

➢ Approach Based
• Black Box Audit: In this type of audit, the auditor only has access to publicly available
information on the business being examined.
• White Box Audit: In this sort of security audit, the auditor is given detailed information
about the organization being audited (such as source code, personnel access, and so on).
• Grey Box Audit: To begin the auditing process, the auditor is given certain information
in a grey box audit. Although the auditors might acquire this information themselves, it
is provided to save time.
➢ Methodology Based
• Penetration Tests: The auditor tries to break into the organization’s infrastructure.
• Compliance Audits: Only certain parameters are checked to see if the organization is
complying with security standards.
• Risk Assessments: An analysis of critical resources that may be threatened in case of a
security breach.
• Vulnerability Tests: Necessary scans are performed to find possible security risks.
Many false positives may be present.
• Due Diligence Questionnaires: Used for an analysis of existing security standards in the
organization.

4. How does a security audit impact an organization?


Each system used by an organization may be checked for vulnerabilities in the following areas during a
security audit:
• Network vulnerabilities: Auditors search for flaws in any network component that an attacker
could use to gain access to systems or information, or inflict harm. Information is especially
susceptible as it travels between two sites. Network traffic, including emails, instant messaging,
files, and other communications, is tracked through security audits and regular network
monitoring. This section of the audit also looks at network availability and access points.
• Security controls: The auditor examines the effectiveness of a company's security controls in
this section of the audit. This involves assessing how well a company has implemented the
rules and procedures it has put in place to protect its data and systems. An auditor, for example,
may look to verify if the company still has administrative control over its mobile devices. The
auditor examines the company's controls to ensure that they are working properly and that it is
adhering to its own rules and procedures.
• Encryption: This section of the audit ensures that a company's data encryption methods are
under control.
• Software systems: Software systems are evaluated here to ensure that they are functioning
properly and giving reliable data. They're also checked to see whether there are any restrictions
in place to prevent unauthorized people from accessing private information. Data processing,
software development, and computer systems are among the fields investigated.
• Architecture management capabilities: Auditors check that IT management has put in place
organizational structures and procedures to provide a controlled and efficient information
processing environment.

• Telecommunications controls: Telecommunications controls are tested on both the client and
server sides, as well as the network that connects them, by auditors.
• Systems development audit: Audits in this area ensure that any systems in development fulfill
the organization's security objectives. This component of the audit is also carried out to ensure
that systems in development adhere to established guidelines.
• Information processing: These audits ensure that security mechanisms for data processing are
in place.

V. Discuss the roles of stakeholders in the organization to implement security audit recommendations. (M5)
1. Stakeholder definition
A stakeholder is someone who has an interest in a firm and can influence or be influenced by it. Investors,
employees, customers, and suppliers are the major stakeholders in a normal firm.
However, as corporate social responsibility has gained traction, the notion has been expanded to
encompass communities, governments, and trade groups.
2. Understanding Stakeholders
Stakeholders can be both internal and external to a company. Internal stakeholders are those who have a
direct interest in a firm, such as through employment, ownership, or investment.
External stakeholders are persons who do not work for a company but are impacted by its actions and
consequences in some way. External stakeholders include suppliers, creditors, and public organizations.
• Example of an Internal Stakeholder
Investors are internal stakeholders who are considerably impacted by the company and its
performance. If a venture capital firm invests $5 million in a technological startup in
exchange for 10% ownership and significant influence, the firm becomes an internal stakeholder
of the company.
The success or failure of the startup determines the return on the venture capitalist firm's
investment, hence the firm has a vested interest.
• Example of an External Stakeholder
Internal stakeholders have a direct link with the company, but external stakeholders do not. An
external stakeholder, on the other hand, is typically a person or organization who is impacted by
the company's operations. When a corporation exceeds its carbon emission limit, for example,
the town where it is located is considered an external stakeholder because it is affected by the
additional pollution.
External stakeholders, on the other hand, can have a direct impact on a company even if they
don't have a direct relationship with it. For example, the government is an external stakeholder.
When the government modifies its policies on carbon emissions, it has an impact on the business
operations of any firm with higher carbon levels.

3. The roles of stakeholders in the organization
• Direct the Management: Stakeholders can join the board of directors and thereby assist in
decision-making. They can take over and oversee certain departments, such as customer service,
human resources, or research & development, to ensure success.
• They Bring in Money: Stakeholders are the company's major investors, and they have the ability
to bring money in and out at any moment. The financial performance of the company will
influence their selection. As a result, they might exert pressure on management to provide
financial reports and, if necessary, modify methods. Some stakeholders can even increase or
decrease their investment in order to influence the market share price and so improve their
situation.
• Help in Decision Making: The board of directors includes major stakeholders. As a result, they
make choices in collaboration with other board members. They have the ability to sway decisions
as well. They continue to bring forward new ideas and press management to adopt them.
Stakeholders also have complete control over senior management appointments. As a result, they
are present in every important decision-making area. They make decisions about liquidations and
acquisitions as well.
• Corporate Conscience: Large stakeholders are the company's primary stakeholders, and they
oversee all of the company's major actions. They have the power to compel the corporation
to follow human rights and environmental regulations. They also keep an eye on outsourcing
activities and have the power to vote against any business action that may jeopardize the
company's long-term objectives.
• Other Responsibilities: The company's primary stakeholders watch over all of the
company's major actions. They have the power to compel the corporation to follow human rights
and environmental regulations. They also keep an eye on outsourcing activities and have the
power to vote down any business decision that may jeopardize the company's long-term
objectives.

VI. Design and implement a security policy for an organisation (P7)


1. Define security policy
A security policy is a written document that outlines how to defend an organization from dangers, such
as computer security threats, and how to address issues when they arise.
All of a company's assets, as well as all potential threats to those assets, must be identified in a security
policy. Employees must be constantly informed about the company's security policies. The policies should
also be revised on a regular basis.
2. Understanding Security Policy
A security policy should specify the critical assets in an organization that must be safeguarded. This
could encompass the company's network, as well as its physical location. It should also include a description
of any potential dangers to those things. If the material is about cyber security, risks could come from within
the firm, such as angry employees stealing sensitive information or launching an internal virus onto the
network. A hacker from outside the firm, on the other hand, could get access to the system and cause data
loss, change, or theft. Finally, computer systems may sustain physical damage.

Once the threats have been identified, the likelihood of them occurring must be calculated. A corporation
must also figure out how to avoid those dangers. A few protections could include establishing particular
personnel policies as well as strong physical and network security. There must also be a plan in place for
what to do if a threat materializes. The company's security policy should be distributed to everyone, and
the method for preserving data should be reviewed and modified on a regular basis as new employees join.
3. Security policy examples
Insider threat incidents caused by human error cost businesses an average of $3.8 million each year,
which is a lot of money. Improved cybersecurity rules (and their dissemination) can help employees better
understand how to keep data and apps secure. Here are some security policy examples to consider when
you construct a mature security program:

• Acceptable use policy (AUP) An AUP is a document that specifies the limits and procedures
that employees who use organizational IT assets must agree to in order to access the network or
systems. It's common onboarding procedure for new workers, requiring them to read and sign
the AUP before being given a network ID. SANS has an AUP policy template that you can use.
• Data breach response policy The data breach response policy's purpose is to establish the
procedure for dealing with a data breach and minimizing the impact on business operations and
consumers. Staff roles and duties in addressing an incident are typically defined in this policy, as
well as standards and metrics, incident reporting, remediation activities, and feedback systems.
SANS has a template for a data breach response policy that you can utilize.
• Disaster recovery plan A disaster recovery plan is created as part of a bigger business continuity
strategy that incorporates advice from both the cybersecurity and IT departments. Following that,
the CISO and assigned teams will handle the event according to the data breach response policy.
The business continuity plan, on the other hand, is only launched if the incident has a severe
impact on the organization. SANS provides a disaster recovery plan template that you can utilize.
• Business continuity plan A business continuity plan (BCP) outlines how the company would
operate in the event of a disaster and coordinates activities across the board. Furthermore, BCP
will work in tandem with the disaster recovery plan to restore hardware, software, and data that
are critical to business continuity.
• Remote access policy Remote work during COVID-19 raised data breach costs in the United
States by $137,000, according to an IBM analysis. A remote access policy, which specifies and
sets procedures for remotely accessing the organization's internal networks, can be implemented.
Organizations require this policy when distributed networks can extend into insecure network
locations, such as home networks or coffee shops.
• Access control policy The criteria for user access, network access restrictions, and system
software controls are all defined by an access control policy (ACP). Techniques for monitoring
how systems are accessed and used, how access is terminated when an employee departs the
organization, and how unattended workstations should be secured are common additional
supplementary features.

4. Items that must (and should) exist when creating a policy
• Purpose: The policy's aims and expectations are well-defined.

• Policy Compliance: Some security policy requirements may be influenced by federal and state
rules, so it's important to keep track of them.
• Last Tested Date: Policies must be a dynamic document that is examined and challenged on a
regular basis.
• Policy Last Updated Date: To react to changes in the company, outside threats, and technology,
security policy texts must be updated.
• Contact: All individuals inside a company are expected to read, understand, and follow
information security policies, thus there must be an owner if there are any questions.

Questions to Ask When Creating Your Security Policy


It helps to ask questions when building a security policy because you will understand what is
important to your business and the resources you'll need to create and maintain your security policy by
answering them. To get you started, here are a few questions:
• Who will you need to persuade to buy-in?
• Who is going to be in charge of this security policy?
• Who is this policy's intended audience?
• What rules (such as GLBA, HIPAA, Sarbanes-Oxley, and others) apply to your industry?
• Who needs access to the data in your company?
• Who controls the data you're in charge of? What is the name of your company? Who are your
clients?
• How many requests for data access are received each week?
• What methods are used to fulfill these requests?
• When and how is access checked?
• How can you be confident that no container will be accessible to a global access group
(Everyone, Domain Users, Authenticated Users, etc.) unless the data owner(s) and authorized
management have given their explicit permission?
• What method will be used to record and audit all access provisioning activity?
• How will data that hasn't been accessed in 18 months be recognized and restricted so that only
the data owner(s) have access until another individual requests access?
• How will you link your security policy with the organization's commercial goals?

5. Elements of an Information Security Policy


• Purpose
First, state the policy's goal, which could be to:
o Create a comprehensive strategy to data security.
o Detect and prevent data security breaches, including network, data, application, and
computer system misuse.
o Maintain the organization's reputation while adhering to ethical and legal obligations.
o Respect customer rights, including how to respond to noncompliance queries and
complaints.
• Audience

Define the target audience for the information security policy. You can also select which
audiences are excluded from the policy's coverage (for example, staff in another business unit which
manages security separately may not be in the scope of the policy).
• Information security objectives
Assist your management team in defining well-defined strategy and security objectives. The
three main goals of information security are:
o Confidentiality - Only authorized individuals should have access to data and
information assets.
o Integrity - Data must be complete, accurate, and undamaged, and IT systems must
remain operating.
o Availability - Users should be able to access information or systems whenever they
need them.
• Authority and access control policy
o Hierarchical pattern - A senior manager might be able to decide what data can be shared
and with whom. A senior manager's security policy may differ from that of a junior
employee. Each organizational role's level of authority over data and IT systems should be
specified in the policy.
o Network security policy - Users can only access company networks and servers through
one-of-a-kind logins that require authentication, such as passwords, biometrics, ID cards, or
tokens. You should keep an eye on all systems and keep track of all login attempts.
• Data classification
Data should be classified into categories such as "top secret," "secret," "confidential," and
"public," according to the guideline. When it comes to data classification, your goal is to:
o Make sure that people with lower clearance levels can't access important
information
o Safeguard highly sensitive data while avoiding unnecessary security measures for
less sensitive data
• Data support and operations
o Data protection regulations - Organizational standards, best practices, industry
compliance requirements, and relevant regulations must all be followed while storing
personal data or other sensitive data. Encryption, a firewall, and anti-malware protection are
all required by most security standards.
o Data backup - Encrypt data backups in accordance with industry standards. Backup media
should be kept in a secure location, or backups should be moved to a secure cloud storage
location.
o Movement of data - Only use secure protocols to send data. Any information copied to
portable devices or transmitted over a public network should be encrypted.
• Security awareness and behavior
Your employees should be aware of your IT security procedures. Conduct training sessions
for staff to learn about your security policies and mechanisms, such as data protection, access
control, and sensitive data classification.
o Social engineering - Particular attention should be paid to the threats of social
engineering attacks (such as phishing emails). Employees should be held accountable
for detecting, preventing, and reporting such assaults.

o Clean desk policy - A cable lock is a good way to keep laptops safe. Documents that
are no longer needed should be shredded. Maintain a tidy printer area to prevent
documents from falling into the wrong hands.
o Acceptable Internet usage policy - Specify how the Internet should be governed. Do
you allow YouTube, social media websites, and other similar sites? Using a proxy,
you can block websites that you don't want to visit.
• Encryption policy
Encryption is the process of transforming data so that it is unreadable to unauthorized
parties. It aids in the protection of data at rest and in transit between places, ensuring
that sensitive, confidential, and proprietary information remains private. It can also make client-
server communication more secure. An encryption policy aids businesses in defining:
o The devices and media that the company needs to encrypt
o When encryption is required
o The minimal requirements for the encryption program you've chosen.
• Data backup policy
A data backup policy establishes the rules and methods for creating data backup copies. It's an
important part of your entire data security, business continuity, and disaster recovery plan. The
following are some of the most important features of a data backup policy:
o Identifies all data that the company needs to back up.
o Determines the backup frequency, such as when to make a full backup and when to do
incremental backups.
o Defines the place where backup data is stored.
o Lists all positions responsible for backup processes, such as backup administrators and
IT team members.
• Responsibilities, rights, and duties of personnel
Appoint personnel to conduct user access evaluations, education, change management, incident
management, security policy execution, and periodic updates. As part of the security policy,
responsibilities should be clearly specified.
• System hardening benchmarks
The information security policy should include the security benchmarks the organization will
employ to harden mission-critical systems, such as the CIS benchmarks for Linux, Windows Server,
AWS, and Kubernetes.
• References to regulations and compliance standards
Regulations and compliance requirements that affect the organization, such as GDPR, CCPA,
PCI DSS, SOX, and HIPAA, should be referenced in the information security policy.
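
The "Authority and access control policy" and "Data classification" elements above, together with the earlier advice that privileged accounts be used only for critical systems and that user activity be recorded, can be expressed as one access check. The Python below is an added example written for this report, not the organization's or any product's code: a role's clearance must be at or above an asset's classification level for a read, privileged (admin) actions need an explicit grant for the hosting system regardless of clearance, unknown roles or assets are denied, and every decision is appended to an audit log. The role table, asset table and user names are constructed sample data.

```python
"""Least-privilege access check by data classification, with an audit trail."""
from datetime import datetime, timezone

# Classification levels named in the policy text, from least to most sensitive.
LEVELS = ["public", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed role table (assumption): each role's clearance, plus the systems on
# which it has been explicitly granted privileged (admin) rights.
ROLES = {
    "junior_staff":   {"clearance": "confidential"},
    "senior_manager": {"clearance": "secret"},
    "dba":            {"clearance": "confidential", "privileged_on": {"customer_db"}},
}

# Constructed asset table (assumption): classification and the system hosting it.
ASSETS = {
    "press_release.pdf":  {"classification": "public",       "system": "fileshare"},
    "salary_report.xlsx": {"classification": "secret",       "system": "fileshare"},
    "customer_db":        {"classification": "confidential", "system": "customer_db"},
    "board_minutes.docx": {"classification": "top secret",   "system": "fileshare"},
}

AUDIT_LOG = []  # every decision is recorded here, whether allowed or denied


def check_access(user, role, asset, action="read"):
    """Allow a read when the role's clearance is at or above the asset's classification
    ("no read up"). Admin actions require an explicit privileged grant for the hosting
    system, regardless of clearance. Unknown roles or assets are denied (fail closed).
    Returns the boolean decision and appends a record to AUDIT_LOG."""
    role_def = ROLES.get(role)
    asset_def = ASSETS.get(asset)
    if role_def is None or asset_def is None:
        decision, reason = False, "unknown role or asset"
    elif action == "admin":
        decision = asset_def["system"] in role_def.get("privileged_on", set())
        reason = "privileged grant" if decision else "no privileged grant for system"
    else:
        decision = RANK[role_def["clearance"]] >= RANK[asset_def["classification"]]
        reason = "clearance ok" if decision else "clearance below classification"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "asset": asset, "action": action,
        "decision": "allow" if decision else "deny", "reason": reason,
    })
    return decision


if __name__ == "__main__":
    check_access("alice", "junior_staff", "salary_report.xlsx")
    check_access("bob", "senior_manager", "customer_db", "admin")
    for entry in AUDIT_LOG:
        print(entry)
```

Note the second demo call: the senior manager's clearance is high enough to read the customer database, but an admin action on it is still denied because the policy grants privileged rights per system, not per clearance level. The audit records are what the later "user activity must be recorded" requirement and an IT security audit would review.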

6. Steps to design a policy


➢ Identify need
➢ Identify who will take lead responsibility
➢ Gather information
➢ Draft policy
➢ Consult with appropriate stakeholders
➢ Finalise / approve policy
➢ Consider whether procedures are required

➢ Implement
➢ Monitor, review, revise

VII. List the main components of an organisational disaster recovery plan, justifying
the reasons for inclusion. (P8)
1. Disaster Recovery Plan
Any solid disaster recovery strategy has seven basic components. These include asset mapping,
determining the criticality and context of your assets, completing a risk assessment, defining your recovery
objectives, selecting a disaster recovery setup, funding for your setup, and testing and reviewing the plan.
2. 7 Components That Make A Great Disaster Recovery Plan
➢ Take Inventory of IT Assets
To begin, make a list of all your assets and decide which ones need to be safeguarded. Here are
some examples of assets:
o Network equipment
o Hardware
o Software
o Cloud services
o Critical data
Though time-consuming, compiling a list of assets can provide you with a comprehensive
understanding of your company's processes. Update your list on a regular basis as assets are
added, removed, or modified, and use it to purge unnecessary information.
➢ Sort Assets According to Criticality and Context
Now that you've taken inventory of your assets, you need to consider them in context. How
does your company put these assets to use? In the event of a disaster, which assets, if
compromised or lost, would have the greatest impact? Examine all of your mapped assets and
classify them from high to low impact.
Backing up all of your data is not always possible. Understanding the importance of each asset
and how the assets interact will allow you to decide which ones to prioritize in your disaster
recovery plan.
➢ Assess Potential Risks
Not all threats are created equal. What are the most serious threats to the overall health of your
company? Which assets are most likely to be targeted by these threats? Because critical systems
personnel are familiar with the most likely causes of service disruption, their input at this stage
is invaluable. You can't foresee every possible threat, but you can devise an effective plan by
weighing the likelihood and magnitude of each.
➢ Define Your RTO and RPO
There are two types of recovery objectives: recovery time objectives (RTO) and recovery point
objectives (RPO). RTO is the maximum time your assets can be down before they must be
recovered, and RPO is the maximum amount of data you are willing to lose. These objectives should
be defined early in the development of your disaster recovery plan so that an appropriate setup
can be selected.
Consult your company's senior management and operations personnel about the impact of a
disruption lasting as little as one minute, up to one day, or even longer. This information will
enable you to define your RTO and RPO, as well as how frequently your data should be backed
up.
➢ Select A Disaster Recovery Setup
It is critical to have a remote data storage solution in place to protect your assets from cyber-
attacks and natural disasters that may cause physical damage. After you've mapped out your
required setup, select the cloud services, software, hardware, and partners you'll require to finish
it.
➢ Propose A Budget
All businesses, regardless of size or resources, should have a disaster recovery plan. Senior
management should be reminded of the importance of disaster recovery, but several options at
different price points should be presented.
Higher budgets will buy a disaster recovery plan with improved RTOs and RPOs and more
generous support for critical services, and may form part of a larger business continuity plan. Each
company's disaster recovery plan requirements will vary, and with the right information,
management can balance risk against investment in disaster recovery technology.
➢ Test and Review
To ensure that the disaster recovery plan is ready, it will need to be tested and reviewed in the
final stage. In the event of a disaster, all employees must be aware of their responsibilities.
Conduct a disaster drill to test the plan and see how employees react to the threat. Make changes
to the plan if things don't go as smoothly as you'd like.
A disaster recovery plan is never truly finished. It should be reviewed on a regular
basis, preferably every six months or so, to ensure that it remains effective. Assets, organizational
structure, and IT configuration will all change over time, and the disaster recovery plan must be
updated to match.
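The seven components above come together as an added example (not code from the assignment or its sources): assets are ranked by likelihood x magnitude, and a backup log is checked against the RPO and RTO defined for each asset. The 1-3 rating scale, the asset names and the backup times are constructed assumptions.

```python
"""Added example (not from the assignment): rank DR assets by risk and check a
backup schedule against each asset's RPO.  Scoring is an assumption: impact and
likelihood are rated 1-3, risk = impact * likelihood (likelihood x magnitude)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    impact: int       # 1 = low, 3 = high (criticality and context step)
    likelihood: int   # 1 = rare, 3 = likely (risk assessment step)
    rpo_minutes: int  # maximum acceptable data loss
    rto_minutes: int  # maximum acceptable downtime


def risk_score(asset: Asset) -> int:
    """Likelihood x magnitude, the basis for prioritising assets in the plan."""
    return asset.impact * asset.likelihood


def prioritise(assets: list[Asset]) -> list[str]:
    """Asset names from highest to lowest risk; ties go to the tighter RPO."""
    return [a.name for a in sorted(assets, key=lambda a: (-risk_score(a), a.rpo_minutes))]


def rpo_violations(asset: Asset, backups: list[datetime]) -> list[timedelta]:
    """Gaps between consecutive backups longer than the RPO.  A non-empty result
    means an incident just before the next backup would lose more data than agreed."""
    times = sorted(backups)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return [g for g in gaps if g > timedelta(minutes=asset.rpo_minutes)]


def rto_met(asset: Asset, outage_start: datetime, restored: datetime) -> bool:
    """True if the service was restored within the asset's RTO."""
    return restored - outage_start <= timedelta(minutes=asset.rto_minutes)


# Constructed sample inventory and backup log (illustrative values only)
ASSETS = [
    Asset("customer-db", impact=3, likelihood=2, rpo_minutes=15, rto_minutes=60),
    Asset("file-server", impact=2, likelihood=3, rpo_minutes=240, rto_minutes=480),
    Asset("intranet-wiki", impact=1, likelihood=1, rpo_minutes=1440, rto_minutes=2880),
]
CUSTOMER_DB_BACKUPS = [  # 15-minute cadence with one missed run (45-minute gap)
    datetime(2022, 4, 29, 8, 0), datetime(2022, 4, 29, 8, 15),
    datetime(2022, 4, 29, 9, 0), datetime(2022, 4, 29, 9, 15),
]
```

Running `rpo_violations(ASSETS[0], CUSTOMER_DB_BACKUPS)` exposes the missed run as a 45-minute gap against a 15-minute RPO, which is exactly the kind of finding a review and test cycle should surface.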

3. The Importance of a Disaster Recovery Plan

3.1. Cost-Efficiency
There are numerous components to disaster recovery plans. The following are the most important
elements:
o Preventative measures that reduce the likelihood of a man-made disaster occurring
o Detective measures aimed at quickly identifying unwelcome events
o Post-disaster recovery measures that allow for the restoration of lost data and the resumption
of business processes

To achieve these objectives, you will need to A) conduct an analysis of potential threats, B) keep IT
systems in good working order, and C) seek innovative solutions that will ensure business continuity
while focusing on cybersecurity.
On-time updates and the use of more innovative hardware and software can save businesses a lot of
money in the long run. Furthermore, an even larger shift is being observed, with an increasing number
of organizations adopting cloud-based data management over local storage and operations. As part of
disaster recovery planning, this pivot can reduce the cost of archive maintenance and the creation of
comprehensive backups.
3.2. Increased Employee Productivity
A disaster recovery plan must be carried out by the appropriate individuals. When specific roles and
responsibilities are assigned ahead of time, both effectiveness and productivity improve.
In some cases, disaster recovery planning may imply having at least two people who can handle the
same task. Such redundancies can be extremely beneficial in the long run. When multiple employees
are capable of handling a given task, organizations can gain peace of mind about the network's overall
integrity. Furthermore, if someone is on vacation or sick leave, there will still be a qualified individual
within the organization who can handle the relevant task.
Likewise, the same cross-training rule applies when an employee leaves the company. These are
just a couple of scenarios that could be anticipated and addressed in a disaster planning strategy.
3.3. Greater Customer Retention
Clients nowadays expect nothing less than perfection and dependability. In the event of a failure or
downtime, they are unforgiving. Clients will simply move on to another service provider if a company
fails to meet their expectations.
Disaster recovery planning enables businesses to maintain a high level of service quality in the face
of adversity. Regaining an old customer after an IT disaster can be nearly impossible, a disastrous
effect that many businesses have experienced firsthand.
Downtime will have a significant impact on customers in some industries. This is especially true for
business-to-business (B2B) service providers. The integrity of your company will have an impact on
the integrity of your clients' businesses. As a result, a chain reaction can result in the failure of multiple
businesses and a tarnished reputation.
By lowering the risk of downtime and data loss, your clients can be confident that they will receive
adequate service even if disaster strikes. As a result, investing in disaster recovery planning is a must
when it comes to long-term customer retention.
3.4. A Better Understanding of Scalability
Identifying innovative solutions is one of the most important things you'll have to do when planning
disaster recovery. Cloud-based data storage and backups, for example, simplify archive maintenance,
improve backup effectiveness, and lower disaster recovery costs.
Because cloud options are easily scalable, they provide more flexibility than onsite or offsite data
center maintenance. A switch can be completed long before a disaster strikes (if at all), and as the
company's technical demands change, so will the storage solution.
Disaster recovery planning begins with extensive research and comparison of options. Businesses
that engage in such a strategic process can quickly discover a data storage solution that makes far more
sense than the one currently in use and that can be tweaked on the fly.

VIII. Presentation
Link: https://bitly.com.vn/m4t10n

IX. Reference
SearchCompliance (2022). What is a Risk Assessment? - Definition from WhatIs.com. [ONLINE] Available at: https://searchcompliance.techtarget.com/definition/risk-assessment [Accessed 29 April 2022].
CCOHS (2022). Risk Assessment: OSH Answers. [ONLINE] Available at: https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html#:~:text=Risk%20assessments%20are%20very%20important,the%20public%2C%20etc. [Accessed 29 April 2022].
Investopedia (2022). Asset Definition. [ONLINE] Available at: https://www.investopedia.com/terms/a/asset.asp [Accessed 29 April 2022].
Techopedia (2022). What is Data Protection? - Definition from Techopedia. [ONLINE] Available at: https://www.techopedia.com/definition/29406/data-protection [Accessed 29 April 2022].
SecurityBox (2022). Hướng dẫn 11 bước bảo mật dữ liệu cho doanh nghiệp [An 11-step guide to securing business data]. [ONLINE] Available at: https://securitybox.vn/1281/huong-dan-tung-buoc-bao-mat-du-lieu-cho-doanh-nghiep/ [Accessed 29 April 2022].
QMS International (2022). ISO 31000 - Risk Management | QMS International. [ONLINE] Available at: https://www.qmsuk.com/iso-standards/iso-31000 [Accessed 29 April 2022].
VietQ (2022). ISO 31000:2018: Thành công từ mô hình của IFC [ISO 31000:2018: Success from the IFC model]. [ONLINE] Available at: https://vietq.vn/iso-310002018-giup-cong-ty-co-phan-dau-tu-va-phat-trien-ha-tang-vien-thong-han-che-rui-do-va-lang-phi-d173192.html [Accessed 29 April 2022].
Varghese, J. (2022). IT Security Audit: Importance, Types, and Methodology. [ONLINE] Available at: https://www.getastra.com/blog/security-audit/it-security-audit/ [Accessed 29 April 2022].
SearchCIO (2022). What is a security audit? [ONLINE] Available at: https://www.techtarget.com/searchcio/definition/security-audit#:~:text=Security%20audits%20will%20help%20protect,and%20can%20catch%20new%20vulnerabilities. [Accessed 29 April 2022].
Investopedia (2022). Stakeholder Definition. [ONLINE] Available at: https://www.investopedia.com/terms/s/stakeholder.asp [Accessed 29 April 2022].
Techopedia (2022). What is Security Policy? - Definition from Techopedia. [ONLINE] Available at: https://www.techopedia.com/definition/4099/security-policy [Accessed 29 April 2022].
SecurityScorecard (2022). 6 Examples of Essential Cybersecurity Policies | SecurityScorecard. [ONLINE] Available at: https://securityscorecard.com/blog/cybersecurity-policy-examples [Accessed 29 April 2022].
Varonis (2022). How to Create a Good Security Policy. [ONLINE] Available at: https://www.varonis.com/blog/how-to-create-a-good-security-policy [Accessed 29 April 2022].
Exabeam (2022). Information Security Policy - Everything You Should Know | Exabeam. [ONLINE] Available at: https://www.exabeam.com/information-security/information-security-policy/ [Accessed 29 April 2022].
Axiom (2022). 7 Components That Make A Great Disaster Recovery Plan - Axiom. [ONLINE] Available at: https://www.axiom.tech/7-components-that-make-a-great-disaster-recovery-plan/#:~:text=There%20are%20seven%20main%20components,testing%20and%20reviewing%20the%20plan. [Accessed 29 April 2022].