Unit 5 - Assignment 2 Frontsheet
Submission date: December 23, 2021
Date received (1st submission): December 23, 2021
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P5 P6 P7 P8 M3 M4 M5 D2 D3
Table of contents
2. Explain asset, threat and threat identification procedure, give example
3. Give the most & should that must exist while creating policy.
IV) P8) List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
3. Write down all the steps required in the disaster recovery process
4. Explain some of the policies and procedures that are required for business continuity.
I) P5 Discuss risk assessment procedures.
Define:
Risk management is the process of identifying, assessing, prioritizing and dealing with possible risks. It ensures that
you have a plan in place to deal with possible risks and with how they would affect the organization.
Risk assessment:
There are two components to risk management: methodology and risk identification.
Risk methodology: a description of how you will manage the risk, how you will minimize it,
and how you will respond to it in the event it occurs.
Risk identification: making a list of possible risks and planning to limit those risks.
For example, an employee's desktop, laptop, or corporate phone will be considered an asset, as
will the applications on those devices. Likewise, critical infrastructure such as servers and
support systems is an asset.
The most common asset of an organization is the information asset. These are things like
databases and physical files - i.e. the sensitive data you store.
A related concept is the information content container which is where such information is
stored. In the case of databases this would be the application used to create the database. For
physical files it will be the filing cabinet where the information is located.
What is a threat: A threat is any incident that could negatively affect content, for example if
it is lost, stolen, taken offline or accessed by an unauthorized party.
Threats can be classified as instances that compromise the security, integrity, or availability of
content and can be intentional or unintentional.
Intentional threats include things like a criminal attack or a malicious insider stealing
information, while inadvertent threats often involve employee error, technical problems or
malfunctions, or an event that causes physical damage, such as a fire or natural disaster.
Risk assessment is a systematic process of identifying hazards and assessing any
associated risks in a workplace, and then implementing reasonable controls to eliminate or
minimize them.
Risk is "the likelihood and severity of a negative event (injury, ill health, damage, loss) caused by a
hazard."
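The definition above (risk as likelihood and severity of a negative event) is what a risk register operationalises. The following is an added example, not part of the original assignment: a small register that scores each identified risk as likelihood x severity on five-point scales, bands the scores into low/medium/high, sorts them for prioritisation, and lists risks above a chosen appetite that still have no control recorded. The scales, bands, assets, threats and appetite value are all constructed assumptions for this example.

```python
"""Added example (not from the original assignment): a minimal risk register that
applies the definition above, risk = likelihood x severity, to prioritise what to
treat first. All assets, threats and ratings below are constructed sample data."""
from dataclasses import dataclass, field

# Five-point scales; only the ordering matters for the score.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject anything outside the agreed scales so the register stays consistent.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")
        if self.severity not in SEVERITY:
            raise ValueError(f"unknown severity {self.severity!r}")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def rating(self) -> str:
        # Bands chosen for this example: 15-25 high, 8-14 medium, 1-7 low.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def prioritise(register):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def treatment_plan(register, appetite=7):
    """Risks above the appetite with no control recorded yet need a treatment decision."""
    return [r for r in register if r.score() > appetite and not r.controls]


def summary(register):
    """Count of risks per rating band."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[r.rating()] += 1
    return counts


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "possible", "catastrophic", ["offline backups"]),
    Risk("employee laptop", "theft", "likely", "moderate"),
    Risk("payroll server", "power outage", "unlikely", "major", ["UPS"]),
    Risk("filing cabinet", "fire", "rare", "major"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.rating():<6} {r.asset}: {r.threat}")
    print("needs treatment decision:", [r.asset for r in treatment_plan(SAMPLE_REGISTER)])
```

Scoring the laptop theft risk as "likely" x "moderate" puts it in the medium band, yet it is the only entry that lands in the treatment plan, because the higher-scored database risk already has a control recorded; the register separates "how bad" from "what is still undecided".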
Additional training may be required if you need to complete or reassess your risk management
procedures. Completion of training such as our Level 2 Award-winning Risk Assessment Principles
course will help ensure the risk assessment is relevant and sufficiently detailed.
4) List risk identification steps
• Observation: Walking around your workplace and looking at what activities, tasks, processes
or substances used could harm your employees (or others)
• Looking back over past accidents and ill-health records as they may identify less obvious
hazards
• Checking manufacturers’ data sheets, instructions, information and guidance
• Consulting with employees (and others) who are carrying out the activities, tasks or
processes.
It may be useful to group hazards into five categories, namely physical, chemical, biological,
ergonomic and psychological.
Step 2. Identify who might be harmed by those hazards
Next, identify who might be harmed by those potential hazards. It should also be noted how they
could be affected, be it through direct contact or indirect contact. It is not necessary to list people by
name, rather by identifying groups including:
• Employees
• Contractors
Some hazards may present a higher risk to certain groups including children, young people, new or
expectant mothers, new employees, home workers, and lone workers.
The importance of data protection grows as the amount of data created and stored continues
to grow at an unprecedented rate. There's also very little tolerance for downtime that could
keep you from accessing important information.
Therefore, a big part of a data protection strategy is demonstrating that data can be quickly
recovered from any damage or loss. Protecting data from compromise and providing data
privacy are other key components of data protection.
Setting up the anti-virus and firewall system: The firewall is the first line of defense
against intruders, protecting the internal network of the entire enterprise. Firewalls
can be software or hardware based, using rules to control incoming and outgoing traffic.
Firewalls act as a barrier between the secure internal network and the insecure external
network, blocking attempts to infiltrate and attack computers. Anti-virus software can be
updated over the internet to keep up with malware that is increasingly dangerous and sophisticated.
Clearly assigning the rights to access, use and share internal data will help protect
internal information effectively. At the same time, it makes it easy to find the source of a
problem and solve it quickly. A security policy set per department and level also helps
raise individuals' awareness of protecting corporate data. A contingency plan allows a timely
remedy when there is an incident. "Do not put all your eggs in the same basket": the same
principle holds true for data protection.
Besides classifying and dividing internal information management, we also need to back up
data to a backup source. This ensures businesses do not lose all important information when the
system is paralyzed or taken over.
Another easy data loss factor comes from the end user. Employees can accidentally leak
information or intentionally affect the business.
Therefore, it is necessary to raise the awareness of employees in the company about data
security to ensure data safety in the enterprise.
Enterprises can organize periodic data security and network security training programs, maintain
documents on data security policies and data usage processes, and apply data security management
and assurance standards such as ISO 27001 and PCI DSS.
Software and programs to support enterprise data system security: use professional archiving
software. To avoid risks to internal data privacy, businesses should use professional storage
software. Software that is provided by a reputable company and has a reasonable fee will bring
better security performance.
Data privacy helps ensure that sensitive data is accessible only to approved parties. It
prevents criminals from maliciously using data and helps ensure that organizations meet
regulatory requirements.
Data privacy is enforced by data protection regulations. Failure to comply may result in fines
or loss of trademark rights.
III) P7 Design and implement a security policy for an organisation.
A confidentiality (privacy) policy is a statement that explains how the company collects, processes,
stores, shares and protects customers' personal information, and how that information is collected
through customer interactions with the website.
Every website interacts with its visitors and handles their data in one way or another, but this
applies even more to an e-commerce store. E-commerce sites typically collect personal
data such as name, email address, IP address, activity information and payment details.
Therefore, a privacy policy is important: it is not only seen as a sign of trust and confidence, but
also ensures that website owners are protected along with their customers, while complying
with the applicable regulations.
For Huawei Technology Co., Ltd. and its affiliates (collectively, "Huawei"), ensuring the security of
customer data is always a top priority, because it reflects the company's reputation and its respect
for customers.
This policy describes how Huawei processes your personal data, but cannot address all possible
data processing scenarios. Huawei may notify you of product or service-specific data collection
through additional policies or notices provided prior to collection.
3) Give the most & should that must exist while creating policy.
It sounds a little redundant, but it's important to work within a predefined and agreed upon
framework even when it comes to policy formation. Creating a simple policy on policies that
defines the organization's process for creating new policies is an important first step in maturing
policies. This "meta policy" should include guidance as to what situations constitute the need for
a new policy, the format that new policies should use, and the process that needs to be followed
for a new policy to be approved. If you don't have a process and framework around policy
formation, you risk having significant inconsistency in the outcomes and inconsistency in the
creation, which can lead to poor or difficult enforcement.
This one is simple. Before you create a new policy, check to see if the policy you're planning to
create already exists or if portions of it exist in other policies. If so, consider revising existing
policies rather than creating a brand new one.
I've seen individuals sit behind their desks and create policies that they felt were necessary and
that were developed wholly on their own. Most often, this has happened in organizations lacking
any kind of policy governance structure. In most cases, the policies lacked key factors and were
slanted in ways that were not positive for the organization. As you might expect, the policies did
good things for the person developing them, though.
I'm of the opinion that policies need to be developed with input from those that will be affected
by them. While the final policy may ultimately not reflect all opinions, it's important that all
stakeholders be heard to minimize the potential for unintended consequences. Further, policies
need to be complete and additional opinions can help close any gaps that may exist.
Are you creating a policy because one is needed or because someone did something you didn't
like? There is a big difference and, again, I have seen policies put into place out of spite and as
retribution. Obviously, that kind of activity wouldn't happen in a reasonable organization. But it
also won't happen in one that has a strict policy on policies, as the policy will generally go
through multiple levels for approval and somewhere along the way, someone will step back and
ask the question, "Why do we need this?"
Policies should be enacted when there is a clear need and a clear problem to solve.
Policies must be understood to be effective. Use of clear and unambiguous grammar aids in this
effort. Use simple and specific terminology that can be easily understood by everyone. Use the
words "must" or "will" rather than "should" in the body of the policy. The latter implies that the
action is optional, which makes the need for the policy questionable. If something is optional, use
the word "should" -- but not when it's a requirement.
Always use an office, department, unit, or job title instead of an individual's name. Examples:
"The CIO's office is responsible for..."; "Contact the assistant to the CFO to..."
Contact emails should always be general department addresses or a Web page that gives further
contact information. Avoid using individual email addresses to prevent the policy from needing
updates when personnel changes occur.
Do not underline subheadings or words that need to be stressed in a sentence. Rather, set
subheadings in bold or italics if a word needs to be stressed. Underlined words can be mistaken
for hyperlinks when the policy is posted online.
For every rule, there is an exception... at least in most cases. It's much easier to define in advance
how an exceptions process is to operate before the policy goes into force. Before you say, "I will
never allow exceptions," think again. At some point, a situation will arise that requires an
exception. Since policies are implemented to control behavior and are supposed to level the
playing field, it's critical that exceptions also be granted in a way that is fair and equitable. If you
play loose with the exceptions process, the entire policy could be called into question.
So you've created an absolutely airtight policy and defined an exceptions process that no one can
question. That's a good goal, but it's tough to get there for every policy. This is the point that
might get the most criticism since policies are supposed to create equitable conditions. But I
believe that some policies need to leave a little ambiguity for people to make decisions. That's
not to say that the policy should just let people do whatever they want, but it seems that there
are simply too many instances in which people are allowed to use "that's policy" or "zero
tolerance" excuses to avoid doing the right thing. If your policy leaves a little bit of gray so that a
person can make an on-the-fly decision, that's okay.
Most policies require periodic review to ensure their continued applicability. Further, as
questions are raised about the policy, someone needs to be able to provide clarifying
information. Make sure that you always identify the office -- not the individual person -- that is
responsible for the policy. You don't identify individuals since they come and go.
There are all kinds of tools out there these days, such as SharePoint, that enable you to store
versions of documents. Every employee should be able to access all appropriate policies all the
time. If employees can't get access to policies, how can they be expected to follow them? When
it comes to versioning, as policies evolve, it's good to see their history to track what has changed
over time.
Purpose
First state the purpose of the policy which may be to:
Hierarchical pattern—a senior manager may have the authority to decide what data can be
shared and with whom. The security policy may have different terms for a senior manager vs. a
junior employee. The policy should outline the level of authority over data and IT systems for
each organizational role.
Network security policy—users are only able to access company networks and servers via
unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens.
You should monitor all systems and record all login attempts.
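Recording every login attempt is only useful if someone, or something, reads the records. The following is an added example, not part of the original policy text: a detection routine that parses authentication log lines, counts failed attempts per (user, source) inside a sliding time window, raises an alert when the count reaches a threshold, and raises a second, higher-priority alert when a success follows such a burst. The log format, field names, threshold, window and sample entries are all constructed for this example.

```python
"""Added example (not part of the original policy text): flag repeated failed logins
in authentication records. Log format and entries are constructed for this example."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "kind user src when")

# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
2021-12-23T08:00:01Z auth user=alice src=10.0.0.5 result=OK method=password+token
2021-12-23T08:01:10Z auth user=bob src=203.0.113.7 result=FAIL method=password
2021-12-23T08:01:25Z auth user=bob src=203.0.113.7 result=FAIL method=password
2021-12-23T08:01:40Z auth user=bob src=203.0.113.7 result=FAIL method=password
2021-12-23T08:02:05Z auth user=bob src=203.0.113.7 result=FAIL method=password
2021-12-23T08:02:30Z auth user=bob src=203.0.113.7 result=FAIL method=password
2021-12-23T08:02:55Z auth user=bob src=203.0.113.7 result=OK method=password
2021-12-23T08:10:00Z auth user=carol src=10.0.0.9 result=FAIL method=password
2021-12-23T08:30:00Z auth user=carol src=10.0.0.9 result=OK method=password
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)"
)


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "OK",
    }


def detect_failed_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, source) pairs with >= threshold failures inside a sliding window,
    and separately flag a success that follows such a burst, since that is the event
    an operator most wants to look at first."""
    alerts = []
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    flagged = set()               # pairs already alerted on, to avoid duplicates
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["ok"]:
            if key in flagged:
                alerts.append(Alert("success_after_failures", ev["user"], ev["src"], ev["ts"]))
                flagged.discard(key)
            recent[key].clear()   # a success resets the failure streak
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(Alert("repeated_failures", ev["user"], ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_LOG):
        print(a)
```

On the sample data, bob's five failures inside ten minutes produce one `repeated_failures` alert and the login that follows produces `success_after_failures`; carol's single failure followed by a success stays silent, which is the behaviour a policy would want so that ordinary typos do not flood the review queue.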
Data classification
The policy should classify data into categories, which may include “top secret”, “secret”,
“confidential” and “public”. Your objective in classifying data is:
• To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
• To protect highly important data, and avoid needless security measures for unimportant data.
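The classification scheme above only protects data if every access path applies the same ordering of levels. The following is an added example, not from the original policy: it encodes the four levels named above as a total order, implements the "no read up" rule (a subject may read data at or below its own clearance), filters a record set to what a given clearance may see, and computes the lowest clearance that can read an entire set, which is the label a combined report or export must carry. Unknown labels are rejected rather than silently treated as public. The role names and records are constructed sample data.

```python
"""Added example (not from the original policy): enforce the classification levels
above as a 'no read up' check. Roles and records are constructed sample data."""

# Ordered from least to most sensitive; the position is the level.
LEVELS = ("public", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def level_of(label):
    """Normalise and validate a label; an unknown label is an error, never 'public'."""
    key = label.strip().lower()
    if key not in RANK:
        raise ValueError(f"unknown classification label {label!r}")
    return RANK[key]


def can_read(clearance, data_label):
    """Subjects may read data labelled at or below their clearance (no read up)."""
    return level_of(clearance) >= level_of(data_label)


def visible_records(clearance, records):
    """Names of the records a subject with the given clearance may read."""
    return [r["name"] for r in records if can_read(clearance, r["label"])]


def minimum_clearance_to_read(records):
    """Lowest clearance that can read every record in the set (the high-water mark).
    A report built from these records must be labelled at least this high."""
    highest = max(level_of(r["label"]) for r in records)
    return LEVELS[highest]


# Constructed sample records; labels deliberately vary in case and spacing.
SAMPLE_RECORDS = [
    {"name": "press release", "label": "public"},
    {"name": "customer contact list", "label": "Confidential"},
    {"name": "salary database", "label": "secret"},
    {"name": "merger plan", "label": " Top Secret "},
]

if __name__ == "__main__":
    for role, clearance in [("intern", "public"), ("manager", "secret"), ("board", "top secret")]:
        print(f"{role:<8} ({clearance}): {visible_records(clearance, SAMPLE_RECORDS)}")
    print("combined report must be labelled:", minimum_clearance_to_read(SAMPLE_RECORDS))
```

The second objective in the list above, avoiding needless controls on unimportant data, follows from the same ordering: anything that `can_read("public", ...)` accepts needs no access control at all, so the check tells you where controls are required as well as where they are not.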
Data support and operations
Data protection regulations—systems that store personal data, or other sensitive data, must be
protected according to organizational standards, best practices, industry compliance standards
and relevant regulations. Most security standards require, at a minimum, encryption, a firewall,
and anti-malware protection.
Data backup—encrypt data backup according to industry best practices. Securely store backup
media, or move backup to secure cloud storage.
Movement of data—only transfer data via secure protocols. Encrypt any information copied to
portable devices or transmitted across a public network.
Security awareness and behavior
Share IT security policies with your staff. Conduct training sessions to inform employees of your
security procedures and mechanisms, including data protection measures, access protection
measures, and sensitive data classification.
Social engineering—place a special emphasis on the dangers of social engineering attacks (such
as phishing emails). Make employees responsible for noticing, preventing and reporting such
attacks.
Clean desk policy—secure laptops with a cable lock. Shred documents that are no longer
needed. Keep printer areas clean so documents do not fall into the wrong hands.
Acceptable Internet usage policy—define how the Internet should be restricted. Do you allow
YouTube, social media websites, etc.? Block unwanted websites using a proxy.
Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident
management, implementation, and periodic updates of the security policy. Responsibilities
should be clearly defined as part of the security policy.
The policyholder, who is responsible for the content of the policies and procedures, as well as
their implementation, will draw up a plan that includes phases and timelines, such as:
• Analysis
• Research
• Drafting
• Consultation
• Review
• Revision
• Editing
• Finalizing
• Implementation
The policyholder will then identify the main stakeholders for the consultation process. Most
policy developers require that the policy development team comprise people who will be
affected directly by the policies and procedures.
Development stage
Documentation of all policy and procedure statements with regards to the research stage is done
in this stage. The policy statements should meet the following criteria:
Consultation
The policyholder will present the draft policy and procedure document to the appropriate
stakeholders, such as government, human resources department, financial department,
marketing department and other stakeholders affected by the policies and procedures for review
and feedback.
Feedback review
The policyholder will then organize a sit down with the policy and procedure development
team to review the feedback and make the necessary revisions. The document will then be sent
to the legal department for review if required.
Review
This stage will include a review of the draft policies and procedure document, as well as
recommendations and approval. The format of the draft document will be classified and
numbered by the administrative services analyst. Once the administrative services analyst
completes the classification and numbering, they will return it to the policyholder with the
required revisions.
The policyholder may require the approval of the draft document from the board of governors,
especially if it contains policies and procedures touching on governance.
Implementation
Once the board of governors approves the draft document, it is returned to the administration
services analyst, who will generate a final copy of the policy and procedure document. The
policyholder will then sign the document. The administration services analyst will retain final
copies of the policies and procedures and note the dates approved by the executive team and
board of governors.
The administrator and the policyholder will communicate the policies and procedures and ensure
that those impacted by them comprehend the content. This will require in-depth consultation
with the communication department, as well as employees.
Once employees have understood the policies and procedures, all the approved policies and
procedures will be posted on the business or company website (on the policy and procedure
page). The document will also be available in PDF format.
Final review
The administrator will ensure compliance with the policies and procedures by monitoring their
implementation. If issues come up when monitoring implementation, further clarification,
training, and communications may be initiated.
The policies and procedures will be reviewed periodically, based on the time frames
established in the development stage. The appropriate frequency for reviewing policies and
procedures is once every five years.
Furthermore, review periods should be seen as an opportunity to update policy and procedures.
Minor changes to the policies and procedures need not go through the review and approval
process. The policyholder can make them. However, all the revised changes must be sent to the
executive team to determine the next steps.
IV) P8) List the main components of an organisational disaster recovery plan, justifying the reasons
for inclusion.
The widespread development of technology, rapidly evolving processes and emerging ventures
can lead to risks of failure and may affect the health of the business. To stay competitive,
organizations cannot tolerate prolonged downtime, slow response times, high system upgrade
costs, or inflexible processes.
Furthermore, competitive pressures and market demands, coupled with an increasing reliance on
technology for core business processes, are redefining the need for effective business continuity,
on the basis of risk control.
1 out of 5 businesses experience business interruption each year. Given the growth pattern seen
in the service industry and the degree of stability in the manufacturing sector, Business
Continuity is quite important today. The success or failure of a business enterprise is highly
dependent on its ability to maintain critical operations, its ability to recover during and after
disruptions, and the speed at which full business functions can be re-established.
Create a disaster recovery team. The team will be responsible for developing, implementing,
and maintaining the DRP. A DRP should identify the team members, define each member’s
responsibilities, and provide their contact information. The DRP should also identify who
should be contacted in the event of a disaster or emergency. All employees should be
informed of and understand the DRP and their responsibility if a disaster occurs.
Identify and assess disaster risks. Your disaster recovery team should identify and assess the
risks to your organization. This step should include items related to natural disasters, man-
made emergencies, and technology related incidents. This will assist the team in identifying
the recovery strategies and resources required to recover from disasters within a
predetermined and acceptable timeframe.
Determine critical applications, documents, and resources. The organization must evaluate its
business processes to determine which are critical to the operations of the organization. The
plan should focus on short-term survivability, such as generating cash flows and revenues,
rather than on a long term solution of restoring the organization’s full functioning capacity.
However, the organization must recognize that there are some processes that should not be
delayed if possible. One example of a critical process is the processing of payroll.
Specify backup and off-site storage procedures. These procedures should identify what to
back up, by whom, how to perform the backup, location of backup and how frequently
backups should occur. All critical applications, equipment, and documents should be backed
up. Documents that you should consider backing up are the latest financial statements, tax
returns, a current list of employees and their contact information, inventory records, customer
and vendor listings. Critical supplies required for daily operations, such as checks and purchase
orders, as well as a copy of the DRP, should be stored at an off-site location.
Test and maintain the DRP. Disaster recovery planning is a continual process as risks of
disasters and emergencies are always changing. It is recommended that the organization
routinely test the DRP to evaluate the procedures documented in the plan for effectiveness
and appropriateness. The recovery team should regularly update the DRP to accommodate
changes in business processes, technology, and evolving disaster risks.
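The backup component of the plan above asks what to back up, how often, and where. The following is an added example, not part of the original plan text, showing how the "test and maintain" step can verify those answers against a backup catalogue: for each dataset it compares the gaps between consecutive copies and the age of the newest copy with that dataset's recovery point objective (RPO), and reports datasets that have no copy at an off-site location or no copy at all. The catalogue entries, RPO values, location names and the fixed "now" timestamp are constructed assumptions for this example.

```python
"""Added example (not part of the original plan text): check a backup catalogue
against per-dataset recovery point objectives and the off-site storage requirement.
Datasets, timestamps and locations are constructed sample data."""
from datetime import datetime, timedelta

# Constructed catalogue: (dataset, completion time, storage location).
CATALOG = [
    ("payroll-db", "2021-12-18T02:00Z", "onsite-nas"),
    ("payroll-db", "2021-12-18T02:05Z", "offsite-vault"),
    ("payroll-db", "2021-12-19T02:00Z", "onsite-nas"),
    ("payroll-db", "2021-12-22T02:00Z", "onsite-nas"),   # three-day gap before this copy
    ("payroll-db", "2021-12-23T02:00Z", "onsite-nas"),
    ("financial-statements", "2021-12-20T23:00Z", "onsite-nas"),
    ("financial-statements", "2021-12-22T23:00Z", "onsite-nas"),
    ("drp-document", "2021-12-01T09:00Z", "offsite-vault"),
]

# Recovery point objective per dataset, as the plan would define it (constructed).
RPO = {
    "payroll-db": timedelta(hours=24),
    "financial-statements": timedelta(days=7),
    "drp-document": timedelta(days=90),
}

OFFSITE = {"offsite-vault"}

# Fixed reference time so the check is reproducible (constructed).
NOW = datetime(2021, 12, 23, 12, 0)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ")


def check_backups(catalog, rpo, offsite_locations, now):
    """Return a sorted list of (dataset, finding) tuples; an empty list means the
    catalogue satisfies every RPO and every dataset has an off-site copy."""
    findings = []
    by_dataset = {}
    for name, ts, loc in catalog:
        by_dataset.setdefault(name, []).append((parse_ts(ts), loc))

    for name, objective in rpo.items():
        copies = sorted(by_dataset.get(name, []))
        if not copies:
            findings.append((name, "no backup recorded"))
            continue
        times = [t for t, _ in copies]
        # A gap strictly longer than the RPO means more data than tolerated would be lost
        # for a failure just before the later copy; a gap exactly equal to the RPO is fine.
        for earlier, later in zip(times, times[1:]):
            if later - earlier > objective:
                hours = int((later - earlier).total_seconds() // 3600)
                findings.append((name, f"gap of {hours}h between {earlier:%Y-%m-%d} "
                                       f"and {later:%Y-%m-%d} exceeds RPO"))
        if now - times[-1] > objective:
            findings.append((name, "latest copy older than RPO"))
        if not any(loc in offsite_locations for _, loc in copies):
            findings.append((name, "no off-site copy"))
    return sorted(findings)


if __name__ == "__main__":
    for dataset, finding in check_backups(CATALOG, RPO, OFFSITE, NOW):
        print(f"{dataset}: {finding}")
```

Run against the sample catalogue, the check reports the 72-hour hole in the payroll backups and the missing off-site copy of the financial statements, and says nothing about the DRP document, whose single off-site copy is well within its 90-day objective. Running it on a schedule turns the plan's "test and maintain" step from an annual exercise into a standing control.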
4) Explain some of the policies and procedures that are required for business continuity.
What is your business' most important product or service? Take a look at the following criteria:
• The number of customers who need that product or service; and
• What fails if delivery is not possible: financial performance, profitability and reputation.
How long can your business withstand disruption to these important products or services?
Use the 4P framework to identify the actions that help the business reduce these risks.
Your business will communicate more remotely (WhatsApp calls, Zoom meetings,
etc.). Make sure you have an accurate and up-to-date list of all important stakeholders.