Unit 5 - Assignment 2 Frontsheet

This document summarizes the key steps and components of risk assessment procedures: 1. It defines risk and risk assessment, explaining that risk assessment involves identifying, assessing, and prioritizing possible risks to develop plans to address their impact. 2. It explains the concepts of assets, threats, and threat identification, providing examples of organizational assets and intentional and unintentional threats. 3. It outlines the risk assessment procedure, including clearly defining accidents, hazards, and risk, and noting that additional training may be required to adequately complete or reassess risk management. 4. It lists the main steps in risk identification as observing hazards, identifying who could be harmed, and evaluating risk severity to establish

Uploaded by Long Hoang

ASSIGNMENT FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date December – 23 – 2021 Date Received 1st submission December – 23 – 2021

Re-submission Date Date Received 2nd submission

Student Name Le Hong Nhat Huy Student ID BSAF200003

Class PBIT16101_CNTT Assessor name Do Phi Hung

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
Table of contents

I) P5 Discuss risk assessment procedures.

1. Define Risk & risk assessment .................................................................................... 3

2. Explain Asset, threat and threat identification procedure, give example ..................... 3

3. Explain the risk assessment procedure ....................................................................... 4

4. List risk identification steps ....................................................................................... 5

II) P6 Explain data protection processes and regulations as applicable to an organisation.

1. Define data protection .............................................................................................. 7

2. Explain data protection process with relations to organization ................................... 7

3. Why are data protection and regulation important? .................................................. 8

III) P7 Design and implement a security policy for an organisation.

1. Define and discuss what is security policy .................................................................. 9

2. Give examples of policies .......................................................................................... 9

3. Give the musts and shoulds that must exist while creating a policy. ........................... 10

4. Explain and write down the element of security policy ............................................... 13

5. Give the steps to design a policy ............................................................................... 17

IV) P8 List the main components of an organisational disaster recovery plan, justifying the reasons
for inclusion.

1. Discuss with explanation about business continuity .................................................... 19

2. List the components of recovery plan. ......................................................................... 19

3. Write down all the steps required in disaster recovery process ................................... 20

4. Explain some of the policies and procedures that are required for business continuity. 22
I) P5 Discuss risk assessment procedures.

1) Define Risk & risk assessment.

Define:

Risk: the process of identifying, assessing, prioritizing and dealing with possible risks, ensuring that
you have a plan in place to deal with those risks and the way they affect the organization.

Risk assessment:

There are two components: the risk methodology and risk identification.

The risk methodology is a description of how you will manage the risk, how you will minimize it,
and how you will respond to it in the event that it occurs.

Risk identification means that you make a list of possible risks and plan to limit those risks.

2) Explain Asset, threat and threat identification procedure, give example

Explanation of assets: An asset is any data, device, or other component in an organization's
systems that has value, usually because it contains sensitive data or can be used to access that
information.

For example, an employee's desktop, laptop, or corporate phone is considered an asset, as are
the applications on those devices. Likewise, critical infrastructure such as servers and
support systems is an asset.

The most common asset of an organization is the information asset. These are things like
databases and physical files, i.e. the sensitive data you store.

A related concept is the information asset container, which is where such information is
stored. In the case of databases this would be the application used to create the database. For
physical files it will be the filing cabinet where the information is located.

What is a threat: A threat is any incident that could negatively affect an asset, for example if
it is lost, stolen, taken offline or accessed by an unauthorized party.

Threats can be classified as events that compromise the security, integrity, or availability of an
asset, and can be intentional or unintentional.
Intentional threats include things like a criminal attack or a malicious insider stealing
information, while inadvertent threats often involve employee error, technical problems or
malfunctions, or an event that causes physical damage, such as a fire or natural disaster.

Threat identification procedure: Assured evidence for threat identification is primarily obtained
from the use of relevant checklists and from traceability links between elements of the
integrated systems model. The individual threat identification strategies (vulnerability argument,
entry point argument, threat argument, and vulnerability argument) all provide unique
perspectives on the threat. Guaranteed threat identification is accomplished by cross-correlating
the results of these approaches. In addition, identified components of threats are linked to
system components, which allows for additional cross-correlation. (If a given system element is
associated with one of the threat components, are all similar elements associated with the
threat component as well?) An additional argument in favor relies on the use of qualified and
experienced personnel to perform threat identification.

3) Explain the risk assessment procedure

The definition of risk assessment is a systematic process of identifying hazards and assessing any
associated risks in a workplace, and then implementing reasonable controls to eliminate or
minimize them.

When completing a risk assessment, it is important to clearly define a few keywords:

An accident is 'an unplanned event that results in loss'

A hazard is "something potentially harmful"

Risk is "the likelihood and severity of a negative event (injury, ill health, damage, loss) caused by a
hazard."

Additional training may be required if you need to complete or reassess your risk management
procedures. Completion of training such as our Level 2 Award-winning Risk Assessment Principles
course will help ensure the risk assessment is relevant and sufficiently detailed.
4) List risk identification steps

Step 1. Identify potential hazards

It is important to firstly identify any potential hazards within a workplace that may cause harm to
anyone who comes into contact with them. They may not always be obvious, so some simple steps
you can take to identify hazards are:

• Observation: Walking around your workplace and looking at what activities, tasks, processes
or substances used could harm your employees (or others)
• Looking back over past accidents and ill-health records as they may identify less obvious
hazards
• Checking manufacturers’ data sheets, instructions, information and guidance
• Consulting with employees (and others) who are carrying out the activities, tasks or
processes.
It may be useful to group hazards into five categories, namely physical, chemical, biological,
ergonomic and psychological.
Step 2. Identify who might be harmed by those hazards
Next, identify who might be harmed by those potential hazards. It should also be noted how they
could be affected, be it through direct contact or indirect contact. It is not necessary to list people by
name, rather by identifying groups including:

• Employees
• Contractors
Some hazards may present a higher risk to certain groups including children, young people, new or
expectant mothers, new employees, home workers, and lone workers.

Step 3. Evaluate risk severity and establish precautions

After identifying any hazards and who might be affected, it is important to evaluate the severity the
risk may present (should it occur) and establish suitable and effective controls to reduce this level of
risk as far as is ‘reasonably practicable’. This means that everything possible is done to ensure health
and safety considering all relevant factors, including:

• Likelihood that harm may occur
• Severity of harm that may occur
• Knowledge about eliminating, reducing or controlling hazards and risks
• Availability of control measures designed to eliminate, reduce or suitably control the risk
• Costs associated with available control measures designed to eliminate, reduce or suitably
control the risk
Assessing the severity of a risk requires an evaluation of the likelihood of an occurrence and how
substantial the consequences it may cause would be. Some factors affecting this evaluation include the
duration and frequency of exposure, the number of persons affected, the competence of those exposed, the
type of equipment and its condition, and the availability of first-aid provision and/or emergency support.

Step 4. Implement changes and record your findings

If a workplace has five or more individuals, significant findings of the risk assessments are required
to be kept either electronically or in writing. Recording your findings on a risk assessment form is an
easy way to keep track of the risks and the control measures put in place to reduce the identified risk.
The form includes:
• What hazards were found
• Person(s) or groups affected
• The controls put in place to manage risks and who is monitoring them
• Who carried out the assessment
• On what date the assessment was done.
It is sensible to ensure the risk assessment is proportionate to the activity or task being carried out,
and this can often be a straightforward process for generic tasks.

Step 5. Review your assessment and reassess if necessary

Employers should periodically review the assessment and, if necessary, re-assess any controls in
place.
A good guide as to when you may need to review your processes is:

• After any significant change within the workplace or process in question
• After an accident or ill-health incident has occurred
• After near-misses have been reported.
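As an added worked example (not part of the original assignment), the five steps above can be captured in a small risk register: each entry carries the Step 4 form fields, the rating is the likelihood × severity score described in Step 3, `prioritise` orders the hazards so the highest-rated are handled first, and `needs_review` applies the Step 5 triggers plus a staleness limit. The 5-point scales, the rating bands, the 365-day limit and the sample entries are assumptions constructed for illustration, not figures from the assignment.

```python
from dataclasses import dataclass
from datetime import date

# The 5-point scales and rating bands are constructed assumptions for this
# example; an organisation sets its own scales in its risk methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Step 5 events that require the assessment to be revisited.
REVIEW_TRIGGERS = {"significant change", "accident", "ill-health", "near miss"}


@dataclass
class RiskEntry:
    """One row of the risk assessment form (the Step 4 record)."""
    hazard: str            # Step 1: what was found
    affected: list         # Step 2: groups, not named individuals
    likelihood: str        # Step 3 inputs
    severity: str
    controls: list         # precautions put in place
    monitored_by: str      # office/role responsible for the controls
    assessor: str          # who carried out the assessment
    assessed_on: date      # on what date

    def rating(self) -> int:
        """Likelihood x severity, the usual risk-matrix score."""
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def band(self) -> str:
        """Map the numeric rating onto a priority band (thresholds assumed)."""
        r = self.rating()
        if r >= 15:
            return "high"
        if r >= 8:
            return "medium"
        return "low"


def prioritise(register: list) -> list:
    """Order hazards so the highest-rated risks are dealt with first."""
    return sorted(register, key=lambda e: e.rating(), reverse=True)


def needs_review(entry: RiskEntry, today: date, events: set, max_age_days: int = 365) -> bool:
    """Step 5: re-assess after a trigger event or when the assessment is stale."""
    if events & REVIEW_TRIGGERS:
        return True
    return (today - entry.assessed_on).days > max_age_days


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Trailing power cables in open-plan office", ["employees", "visitors"],
              "likely", "moderate", ["cable covers", "weekly walk-round"],
              "Facilities", "H. Le", date(2021, 11, 1)),
    RiskEntry("Unpatched file server reachable from guest Wi-Fi", ["employees", "contractors"],
              "possible", "catastrophic", ["network segmentation", "monthly patch cycle"],
              "IT operations", "H. Le", date(2021, 11, 1)),
    RiskEntry("Noise from printer room", ["employees"],
              "almost certain", "negligible", ["door kept closed"],
              "Facilities", "H. Le", date(2020, 6, 15)),
]


if __name__ == "__main__":
    for e in prioritise(SAMPLE_REGISTER):
        print(f"{e.rating():>2} {e.band():<6} {e.hazard}")
    stale = [e.hazard for e in SAMPLE_REGISTER
             if needs_review(e, date(2021, 12, 23), set())]
    print("due for review:", stale)
```

Run as a script it prints the register in priority order (the unpatched server rates 15, the cables 12, the noise 5) and flags the entry that is more than a year old. Keeping the affected groups and the monitoring owner on every row is what makes the later review cheap: a near miss or a change in the process can be matched to the rows it touches.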

II) P6 Explain data protection processes and regulations as applicable to an organisation.

1. Define data protection

Data protection is the process of protecting important information from corruption,
compromise, or loss.

The importance of data protection grows as the amount of data created and stored continues
to grow at an unprecedented rate. There's also very little tolerance for downtime that could
keep you from accessing important information.

Therefore, a big part of a data protection strategy is demonstrating that data can be quickly
recovered from any damage or loss. Protecting data from compromise and providing data
privacy are other key components of data protection.

2. Explain data protection process with relations to organization

Setting up the anti-virus and firewall system: The firewall is the first line of defense
against intruders, protecting the internal network system of the entire enterprise. Firewalls
can be software or hardware based, using rules to control incoming and outgoing traffic.
Firewalls act as a barrier between the secure internal network and the insecure external network
from which attackers infiltrate and attack computers. Anti-virus software can be updated over the
internet to block malware that is increasingly dangerous and sophisticated.

Develop a security policy for each department and level

The clear delegation of rights to access, use and share internal data will help protect
internal information effectively. At the same time, it makes it easy to find the source of a problem
and solve it quickly. A security policy for each department and level also helps to
raise the awareness of individuals in protecting corporate data.

Contingency plan and timely remedy when there is an incident

“Do not put all your eggs in the same basket”; the same principle holds true for data protection.
Besides classifying and dividing the management of internal information, we also need to back up
data to a separate backup location. This ensures that the business does not lose all of its important
information when the system is paralyzed or taken over.

Guide and train staff in basic knowledge of internal system security

Another common cause of data loss is the end user. Employees can accidentally leak
information or intentionally harm the business.

Therefore, it is necessary to raise the awareness of employees in the company about data
security to ensure data safety in the enterprise.

Enterprises can organize periodic data security and network security training programs, keep
documents on data security policies and data usage processes, and apply data security management
and assurance standards such as ISO 27001 and PCI DSS.

Software and programs to support enterprise data system security

Use professional archiving software: To avoid risks to the privacy of internal data, businesses should
use professional storage software. One thing is for sure: software that is provided by a reputable
company, and has a reasonable fee, will deliver better security performance.

3. Why are data protection and regulation important?

Data privacy concerns apply to all sensitive information an organization processes, including
that of customers, shareholders and employees. Often, this information plays a vital role in
business, development, and financial performance.

Data privacy helps ensure that sensitive data is accessible only to approved parties. It
prevents criminals from maliciously using data and helps ensure that organizations meet
regulatory requirements.

Data privacy is enforced by data protection regulations. Failure to comply may result in fines
or loss of trademark rights. You can learn more about the regulations in the article “Stay up
to date with data protection regulations”.
III) P7 Design and implement a security policy for an organisation.

1) Define and discuss what is security policy

A privacy policy is a statement that explains how the company collects, processes, stores,
shares and protects customers' personal information, and how that information is collected through
customer interactions with the website.

Every website interacts with its users and handles their data in one way or another, but this applies
even more when it comes to an e-commerce store. E-commerce sites typically collect personal
data such as name, email address, IP address, active version and payment details.

Therefore, a privacy policy is important: it is not only seen as a sign of trust and confidence, but
also ensures that website owners are protected along with their customers, and at the same time
that they meet their legal obligations.

2) Give examples of policies

For Huawei Technology Co., Ltd. and its affiliates (collectively, "Huawei"), ensuring the security of
customer data is always a top priority, because it reflects the company's reputation and its respect
for customers.

This policy describes how Huawei processes your personal data, but cannot address all possible
data processing scenarios. Huawei may notify you of product or service-specific data collection
through additional policies or notices provided prior to collection.

This policy describes:

1. How we collect and use your personal data

2. Cookies & Equivalent Technology

3. How we disclose personal data

4. How we access and control your personal data

5. How we protect your personal data

6. How we handle children's personal data


7. Third-party vendors and their services

8. Transfer your personal data abroad

9. Update This Policy

10. Ways to contact us

3) Give the musts and shoulds that must exist while creating a policy.

Ensure that there is a policy on policies

It sounds a little redundant, but it's important to work within a predefined and agreed upon
framework even when it comes to policy formation. Creating a simple policy on policies that
defines the organization's process for creating new policies is an important first step in maturing
policies. This "meta policy" should include guidance as to what situations constitute the need for
a new policy, the format that new policies should use, and the process that needs to be followed
for a new policy to be approved. If you don't have a process and framework around policy
formation, you risk having significant inconsistency in the outcomes and inconsistency in the
creation, which can lead to poor or difficult enforcement.

Identify any overlap with existing policies

This one is simple. Before you create a new policy, check to see if the policy you're planning to
create already exists or if portions of it exist in other policies. If so, consider revising existing
policies rather than creating a brand new one.

Don't develop the policy in a vacuum

I've seen individuals sit behind their desks and create policies that they felt were necessary and
that were developed wholly on their own. Most often, this has happened in organizations lacking
any kind of policy governance structure. In most cases, the policies lacked key factors and were
slanted in ways that were not positive for the organization. As you might expect, the policies did
good things for the person developing them, though.
I'm of the opinion that policies need to be developed with input from those that will be affected
by them. While the final policy may ultimately not reflect all opinions, it's important that all
stakeholders be heard to minimize the potential for unintended consequences. Further, policies
need to be complete and additional opinions can help close any gaps that may exist.

Step back and consider the need

Are you creating a policy because one is needed or because someone did something you didn't
like? There is a big difference and, again, I have seen policies put into place out of spite and as
retribution. Obviously, that kind of activity wouldn't happen in a reasonable organization. But it
also won't happen in one that has a strict policy on policies, as the policy will generally go
through multiple levels for approval and somewhere along the way, someone will step back and
ask the question, "Why do we need this?"

Policies should be enacted when there is a clear need and a clear problem to solve.

Use the right words so there is no misunderstanding intent

Policies must be understood to be effective. Use of clear and unambiguous grammar aids in this
effort. Use simple and specific terminology that can be easily understood by everyone. Use the
words "must" or "will" rather than "should" in the body of the policy. The latter implies that the
action is optional, which makes the need for the policy questionable. If something is optional, use
the word "should" -- but not when it's a requirement.

Always use an office, department, unit, or job title instead of an individual's name. Examples:
"The CIO's office is responsible for..."; "Contact the assistant to the CFO to..."

Contact emails should always be general department addresses or a Web page that gives further
contact information. Avoid using individual email addresses to prevent the policy from needing
updates when personnel changes occur.
Do not underline subheadings or words that need to be stressed in a sentence. Rather, set
subheadings in bold or italics if a word needs to be stressed. Underlined words can be mistaken
for hyperlinks when the policy is posted online.

When possible, include an exceptions process

For every rule, there is an exception... at least in most cases. It's much easier to define in advance
how an exceptions process is to operate before the policy goes into force. Before you say, "I will
never allow exceptions," think again. At some point, a situation will arise that requires an
exception. Since policies are implemented to control behavior and are supposed to level the
playing field, it's critical that exceptions also be granted in a way that is fair and equitable. If you
play loose with the exceptions process, the entire policy could be called into question.

Allow some shades of gray

So you've created an absolutely airtight policy and defined an exceptions process that no one can
question. That's a good goal, but it's tough to get there for every policy. This is the point that
might get the most criticism since policies are supposed to create equitable conditions. But I
believe that some policies need to leave a little ambiguity for people to make decisions. That's
not to say that the policy should just let people do whatever they want, but it seems that there
are simply too many instances in which people are allowed to use "that's policy" or "zero
tolerance" excuses to avoid doing the right thing. If your policy leaves a little bit of gray so that a
person can make an on-the-fly decision, that's okay.

Define policy maintenance responsibility

Most policies require periodic review to ensure their continued applicability. Further, as
questions are raised about the policy, someone needs to be able to provide clarifying
information. Make sure that you always identify the office -- not the individual person -- that is
responsible for the policy. You don't identify individuals since they come and go.

Keep senior executives out of the routine when possible


I mentioned the need to identify an exceptions process for policies when that's possible. In one
organization I worked for, that automatically fell to the CEO. Frankly, that was a waste of his time.
The exceptions process that is put into place should empower someone within the organization
to handle exceptions. The identified person does not need to be a VP or the CEO, except when it's
required due to regulation or law. Further, don't expect senior executives to develop every policy.
That said, the senior team should hold responsibility for reviewing new policies before they go
into production.

Establish a policy library with versioning

There are all kinds of tools out there these days, such as SharePoint, that enable you to store
versions of documents. Every employee should be able to access all appropriate policies all the
time. If employees can't get access to policies, how can they be expected to follow them? When
it comes to versioning, as policies evolve, it's good to see their history to track what has changed
over time.

4. Explain and write down the elements of security policy

Purpose
First state the purpose of the policy, which may be to:

• Create an overall approach to information security.
• Detect and preempt information security breaches such as misuse of networks, data,
applications, and computer systems.
• Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
• Respect customer rights, including how to react to inquiries and complaints about
non-compliance.
Audience
Define the audience to whom the information security policy applies. You may also specify
which audiences are out of the scope of the policy (for example, staff in another business unit
which manages security separately may not be in the scope of the policy).

Information security objectives

Guide your management team to agree on well-defined objectives for strategy and security.
Information security focuses on three main objectives:

• Confidentiality—only individuals with authorization should access data and information
assets
• Integrity—data should be intact, accurate and complete, and IT systems must be kept
operational
• Availability—users should be able to access information or systems when needed
Authority and access control policy

Hierarchical pattern—a senior manager may have the authority to decide what data can be
shared and with whom. The security policy may have different terms for a senior manager vs. a
junior employee. The policy should outline the level of authority over data and IT systems for
each organizational role.
Network security policy—users are only able to access company networks and servers via
unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens.
You should monitor all systems and record all login attempts.
Data classification
The policy should classify data into categories, which may include “top secret”, “secret”,
“confidential” and “public”. Your objectives in classifying data are:

• To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
• To protect highly important data, and avoid needless security measures for unimportant data.
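As an added example that is not part of the original assignment, the following code puts the classification levels above together with the network security policy's requirement to record all login and access attempts: a role's clearance must be at or above the asset's label for a read to be allowed (no read-up), every request is written to an audit log whether it was allowed or denied, and `repeated_denials` picks out accounts with several denials for an access review. The role clearances, asset labels, user names and the review threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Classification levels named in the policy, ordered least to most sensitive;
# the index is the sensitivity rank used for comparisons.
LEVELS = ["public", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed role clearances and asset labels (illustrative assumptions).
CLEARANCE = {
    "senior manager": "top secret",
    "analyst": "secret",
    "contractor": "confidential",
    "guest": "public",
}
ASSETS = {
    "merger-plan.docx": "top secret",
    "payroll.db": "confidential",
    "press-release.txt": "public",
}


def can_read(role: str, asset: str) -> bool:
    """No read-up: the role's clearance must be at or above the asset's label."""
    return RANK[CLEARANCE[role]] >= RANK[ASSETS[asset]]


def request_read(user: str, role: str, asset: str, when: datetime, audit_log: list) -> bool:
    """Decide the request and record the attempt, allowed or not."""
    allowed = can_read(role, asset)
    audit_log.append({
        "time": when.isoformat(timespec="seconds"),
        "user": user,
        "role": role,
        "asset": asset,
        "label": ASSETS[asset],
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def repeated_denials(audit_log: list, threshold: int = 3) -> dict:
    """Users with `threshold` or more denied requests, as candidates for access review."""
    denied = Counter(e["user"] for e in audit_log if e["decision"] == "deny")
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    log = []
    t = datetime(2021, 12, 23, 9, 0, 0)
    request_read("alice", "analyst", "payroll.db", t, log)        # allow: secret >= confidential
    request_read("alice", "analyst", "merger-plan.docx", t, log)  # deny: secret < top secret
    for asset in ("merger-plan.docx", "payroll.db", "merger-plan.docx"):
        request_read("bob", "guest", asset, t, log)               # three denials
    for entry in log:
        print(entry)
    print("review these accounts:", repeated_denials(log))
```

The audit log is passed in rather than kept as module state so that each run, and each test, starts from an empty record. The decision and the asset's label are stored together on every entry, which is what lets a reviewer later ask not just "who was denied" but "who kept asking for data above their clearance".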
Data support and operations

Data protection regulations—systems that store personal data, or other sensitive data, must be
protected according to organizational standards, best practices, industry compliance standards
and relevant regulations. Most security standards require, at a minimum, encryption, a firewall,
and anti-malware protection.
Data backup—encrypt data backup according to industry best practices. Securely store backup
media, or move backup to secure cloud storage.
Movement of data—only transfer data via secure protocols. Encrypt any information copied to
portable devices or transmitted across a public network.
Security awareness and behavior
Share IT security policies with your staff. Conduct training sessions to inform employees of your
security procedures and mechanisms, including data protection measures, access protection
measures, and sensitive data classification.

Social engineering—place a special emphasis on the dangers of social engineering attacks (such
as phishing emails). Make employees responsible for noticing, preventing and reporting such
attacks.
Clean desk policy—secure laptops with a cable lock. Shred documents that are no longer
needed. Keep printer areas clean so documents do not fall into the wrong hands.
Acceptable Internet usage policy—define how the Internet should be restricted. Do you allow
YouTube, social media websites, etc.? Block unwanted websites using a proxy.
Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident
management, implementation, and periodic updates of the security policy. Responsibilities
should be clearly defined as part of the security policy.

5. Give the steps to design a policy

It starts with a plan

The policyholder, who is responsible for the content of the policies and procedures, as well as
their implementation, will draw up a plan that includes phases and timelines, such as:

• Analysis
• Research
• Drafting
• Consultation
• Review
• Revision
• Editing
• Finalizing
• Implementation
The policyholder will then identify the main stakeholders for the consultation process. Most
policy developers require that the policy development team comprise people who will be
affected directly by the policies and procedures.

Development stage
Documentation of all policy and procedure statements arising from the research stage is done
in this stage. The policy statements should meet the following criteria:

• Clear
• Concise
• Specific
The language used in the policy statements should be simple for everyone to understand. The
policy and procedure document should spell out what the policies and procedures are, as well as
the expectations of the people who will use them. It should also be easy to read, so the
policyholder must use headers and numbering in the document.

Consultation
The policyholder will present the draft policy and procedure document to the appropriate
stakeholders, such as government, human resources department, financial department,
marketing department and other stakeholders affected by the policies and procedures for review
and feedback.

Feedback review
The policyholder will then organize a sit down with the policy and procedure development
team to review the feedback and make the necessary revisions. The document will then be sent
to the legal department for review if required.

Drawing up an ambitious implementation and communications strategy


After the feedback review, the policyholder, in conjunction with the communication department,
will draw up an ambitious plan to roll out the policies and procedures.

Review

This stage will include a review of the draft policies and procedure document, as well as
recommendations and approval. The format of the draft document will be classified and
numbered by the administrative services analyst. Once the administrative services analyst
completes the classification and numbering, they will return it to the policyholder with the
required revisions.

The policyholder may require the approval of the draft document from the board of governors,
especially if it contains policies and procedures touching on governance.

Implementation
Once the board of governors approves the draft document, it is returned to the administration
services analyst, who will generate a final copy of the policy and procedure document. The
policyholder will then sign the document. The administration services analyst will retain final
copies of the policies and procedures and note the dates approved by the executive team and
board of governors.

The administrator and the policyholder will communicate the policies and procedures and ensure
that those impacted by them comprehend the content. This will require in-depth consultation
with the communication department, as well as employees.

Once employees have understood the policies and procedures, all the approved policies and
procedures will be posted on the business or company website (on the policy and procedure
page). The document will also be available in PDF format.

Final review

The administrator will ensure compliance with the policies and procedures by monitoring their
implementation. If issues come up when monitoring implementation, further clarification,
training, and communications may be initiated.

The policies and procedures will be reviewed periodically, based on the time frames
established in the development stage. The recommended review interval for policies and
procedures is once every five years.
Furthermore, review periods should be seen as an opportunity to update the policies and procedures.
Minor changes to the policies and procedures need not go through the review and approval
process; the policyholder can make them. However, all revised changes must be sent to the
executive team to determine the next steps.

IV) P8) List the main components of an organisational disaster recovery plan, justifying the reasons
for inclusion.

1) Discuss with explanation about business continuity

The widespread development of technology, rapidly evolving processes and emerging ventures
can lead to risks of failure and may affect the health of the business. To stay competitive,
organizations cannot tolerate prolonged downtime, slow response times, high system upgrade
costs, or inflexible processes.

Furthermore, competitive pressures and market demands, coupled with an increasing reliance on
technology for core business processes, are redefining the need for effective business continuity,
on the basis of risk control.

One out of five businesses experiences a business interruption each year. Given the growth pattern
seen in the service industry and the degree of stability in the manufacturing sector, business
continuity is quite important today. The success or failure of a business enterprise is highly
dependent on its ability to maintain critical operations, its ability to recover during and after
disruptions, and the speed at which full business functions can be re-established.

2) List the components of a recovery plan.

a. Create an inventory list
b. Establish a recovery timeline
c. Communication
d. Back up data
e. Consider insurance
f. Test your disaster recovery plan

3) Write down all the steps required in disaster recovery process

Create a disaster recovery team. The team will be responsible for developing, implementing,
and maintaining the DRP. A DRP should identify the team members, define each member's
responsibilities, and provide their contact information. The DRP should also identify who
should be contacted in the event of a disaster or emergency. All employees should be
informed of and understand the DRP and their responsibilities if a disaster occurs.

Identify and assess disaster risks. Your disaster recovery team should identify and assess the
risks to your organization. This step should include items related to natural disasters,
man-made emergencies, and technology-related incidents. This will assist the team in identifying
the recovery strategies and resources required to recover from disasters within a
predetermined and acceptable timeframe.

Determine critical applications, documents, and resources. The organization must evaluate its
business processes to determine which are critical to the operations of the organization. The
plan should focus on short-term survivability, such as generating cash flows and revenues,
rather than on a long-term solution of restoring the organization's full functioning capacity.
However, the organization must recognize that there are some processes that should not be
delayed if possible. One example of a critical process is the processing of payroll.

Specify backup and off-site storage procedures. These procedures should identify what to
back up, by whom, how to perform the backup, where the backups are stored, and how frequently
backups should occur. All critical applications, equipment, and documents should be backed
up. Documents that you should consider backing up are the latest financial statements, tax
returns, a current list of employees and their contact information, inventory records, and customer
and vendor listings. Critical supplies required for daily operations, such as checks and purchase
orders, as well as a copy of the DRP, should be stored at an off-site location.

Test and maintain the DRP. Disaster recovery planning is a continual process, as the risks of
disasters and emergencies are always changing. It is recommended that the organization
routinely test the DRP to evaluate the procedures documented in the plan for effectiveness
and appropriateness. The recovery team should regularly update the DRP to accommodate
changes in business processes, technology, and evolving disaster risks.

4) Explain some of the policies and procedures that are required for business continuity.

Step 1: Identify your product or service

What is your business's most important product or service? Consider the following criteria:

- Revenue from that product or service;
- The volume of goods that depend on that product or service; and
- What is at stake if delivery is not possible: financial performance, profitability and
reputation.

Step 2: Set goals for your business's BCP

What do you want to achieve by building a BCP for your business?

Step 3: Assess the impact of the disruption on the business and its workers

How long can your business withstand a disruption? Which resources, suppliers, partners and
contractors does your business need in order to conduct its important activities?

Step 4: List actions to protect your business

Use the 4P framework to do this. The actions should help the business reduce risks across four
factors: People, Process, Profit and Partnership (the 4Ps).

People: the lives of workers and their families

Process: the operation of the business

Profit: generating revenue

Partnership: the environment in which business activities are conducted

Step 5: Set up a contact list

Your business will communicate more remotely (WhatsApp calls, Zoom meetings, etc.). Make sure
you have an accurate and up-to-date list of all important stakeholders.

Step 6: Maintain, review and continuously update your BCP

Here's an example of how a small business owner built a BCP for his business
