ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 27/4/2023 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Tran Quang Thang Student ID GCD210499

Class GCD1101 Assessor name Dang Quang Hien

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature THANG

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:

Lecturer Signature:
Table of Contents
I. Discuss risk assessment procedures.....................................................................................................................4
1. Security risks assessment:................................................................................................................................4
1.1. Security risks definition...........................................................................................................................4
1.2. Security risks assessment definition.........................................................................................................4
1.3. The 4 steps of a successful security risk assessment model.....................................................................5
2. Assets, threats and threat identification procedures.........................................................................................5
2.1. Assets.......................................................................................................................................................5
2.2. Threat and vulnerability...........................................................................................................................6
2.3. Threat identification.................................................................................................................................6
3. Explain the risk assessment procedure.............................................................................................................8
4. List risk identification steps.............................................................................................................................9
4.1. Five steps in the risk assessment process.................................................................................................9
4.2. What problems does a security risk assessment solve?..........................................................................12
II. Explain data protection processes and regulation as applicable to an organization (P6)....................................13
1. Definition.......................................................................................................................................................13
2. Principles of data protection...........................................................................................................................13
3. Purposes of data protection............................................................................................................................14
4. Enterprise data protection strategies...............................................................................................................14
5. How to protect the data?................................................................................................................................16
6. Why are data protection and security regulation important?..........................................................................18
III. Design and implement a security policy for an organization (P7)..................................................................19
1. Security policy definition...............................................................................................................................19
2. The importance of security policy..................................................................................................................19
3. Types of security policies..............................................................................................................................20
4. Element of a security policy...........................................................................................................................21
5. Steps to design a policy..................................................................................................................................23
6. Security policy for company..........................................................................................................................24
6.1. Physical security policies.......................................................................................................................24
6.2. IT security policies.................................................................................................................................24
IV. List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion
(P8) 25
1. Business continuity definition........................................................................................................................25
2. The importance of business continuity...........................................................................................................25
3. The components of a recovery plan...............................................................................................................26
3.1. Asset mapping........................................................................................................................................26
3.2. determining the criticality and context of your assets............................................................................27
3.3. completing a risk assessment.................................................................................................................27
3.4. Defining RTO and RPO.........................................................................................................................27
3.5. Selecting a disaster recovery setup.........................................................................................................27
3.6. budgeting for your setup........................................................................................................................28
3.7. testing and reviewing the plan................................................................................................................28
4. All the steps required in disaster recovery process.........................................................................................28
5. Explain some of the policies and procedures that are required for business continuity..................................29
5.1. Understanding the Organization: Business Impact Analysis (BIA)........................................................29
5.2. Risk assessment.....................................................................................................................................30
5.3. Determining the BCP Recovery Strategies............................................................................................30
5.4. Develop and Implement the BCP...........................................................................................................31
5.5. Exercising, Maintaining and Reviewing................................................................................................31
References................................................................................................................................................................. 32
I. Discuss risk assessment procedures
1. Security risks assessment:
1.1. Security risks definition
Risks are unanticipated uncertainties that arise in a company's business and manufacturing
processes and have a negative impact on the company's capacity to exist and expand. Conventional
wisdom defines risk as "damage, loss, danger, or factors associated with danger, difficulty, or
uncertainty that can happen to a person."

1.2. Security risks assessment definition

A risk assessment is a thorough investigation of your workplace to identify any aspects, events,
procedures, or other factors that could be dangerous, particularly to humans. Following identification,
you evaluate the risk's likelihood and severity. Following this assessment, you can determine what
steps must be performed to properly eliminate or control the harm.
1.3. The 4 steps of a successful security risk assessment model
- Identification: Determine all of the technological infrastructure's important assets. Next, examine
the sensitive data generated, stored, or sent by these assets. Make a risk profile for each one.
- Assessment: Implement a strategy for assessing the identified security risks for important assets.
Determine ways to effectively and efficiently deploy time and resources to risk reduction after
comprehensive evaluation and assessment. The assessment technique or approach must examine
the relationship between assets, threats, vulnerabilities, and mitigating controls.
- Mitigation: Define a risk mitigation strategy and implement security measures for each risk.
- Prevention: Implement tools and methods to prevent threats and vulnerabilities from occurring in
your firm's resources.

2. Assets, threats and threat identification procedures

2.1. Assets

An asset is any important data, gadget, or other component of an organization's systems, frequently
because it holds sensitive data or may be used to obtain such data.

An employee's desktop computer, laptop, or company phone, for example, would be regarded an asset,
as would the apps on such devices. Critical infrastructure, such as servers and support systems, is also
an asset.
The most common assets in an organization are information assets. These include databases and
physical files, which contain sensitive information.

The 'information asset container,' which is where the information is maintained, is a related idea. This
is the application that was used to construct the database in the case of databases. It is the filing cabinet
where the information is kept for physical files.

2.2. Threat and vulnerability

- Threat:
o A threat is any incident that could have a negative impact on an asset, such as if it is lost,
knocked offline, or accessed by an unauthorized party.
o Threats are defined as conditions that jeopardize the confidentiality, integrity, or
availability of an asset, and they can be either purposeful or unintentional.
o Criminal hacking or a malevolent insider stealing information are examples of intentional
threats, whereas accidental risks typically entail employee error, a technical breakdown, or
an occurrence that causes physical harm, such as a fire or natural disaster.
- Vulnerability:
o A vulnerability is a defect in an organization that can be used by a threat to destroy,
damage, or compromise an asset.
o Because of the intricacy of software and the regularity with which it is changed, you are
quite likely to encounter a vulnerability. These flaws, known as bugs, can be exploited by
criminal hackers to get access to sensitive information.
o Vulnerabilities, however, do not just refer to technology problems. Physical flaws, such as
a broken lock that allows unauthorized people into a restricted area of your property, or
poorly developed (or non-existent) processes that could lead to employees revealing
information, are examples of such flaws.
o Inherent human weaknesses, such as our vulnerability to phishing emails; structural
problems in the premises, such as a leaky pipe near a power outlet; and communication
blunders, such as employees transmitting information to the wrong person, are examples of
other vulnerabilities.

2.3. Threat identification

 Definition: The threat identification method analyses IT vulnerabilities and determines their
ability to compromise your system. It is a critical component of your organization's risk
management program. Identifying dangers allows your organization to take preventative measures.
You will acquire the information you require to obstruct unauthorized users and prevent system
 breaches. Ward IT Security Consulting Group provides the specialist expertise and experience
required for effective threat identification.
 Characteristics of threat identification: Each IT system environment is unique. Some threats
will in some ways be a part of a common set of threats to all organizations with public-facing web
portals. Other vulnerabilities may be specific only to your organization. That’s why we work
collaboratively with your staff and begin our evaluation with an in-depth understanding of your
organization and operations.
o Analyzing and comprehending the threat portfolio unique to your firm and its operations.
o Identifying how specific threat actors or behaviors may exploit those vulnerabilities.
o Providing a full report of findings that allows your firm to implement risk management
activities in advance.
 Threat Identification Procedures: The techniques provided below assist the Risk Integrated
Product Team (IPT), Program Manager (PM), and Systems Engineer in identifying project risks
during the course of a project. Procedures include:
o A list of potential risk items is identified by the Risk Integrated Product Team (IPT). There
are several approaches for identifying dangers. The following factors can be used to
identify risk:
 Lessons Learned
 Subject Matter Experts (SME)
 Prior Experiences
 Technology Readiness Level (TRL) determination
 Programmatic Constraints
 Brain Storming
 Work Breakdown Structure (WBS)
o Risks are classified as tolerable or unacceptable. Not all of the risk items listed in stage one
are acceptable.
o Accepted hazards should be documented and recorded in a Risk Register.
o Determine the root causes of each identified danger.
o Risk analysis should be performed on each identified risk to improve the risk description,
isolate the cause, quantify the effects, and assist in determining risk mitigation priorities
(Risk Reporting Matrix).
o Risk Mitigation Planning should include action items and due dates for each risk.
o The Risk Integrated Product Team (IPT) meets on a regular basis (every two weeks) to
analyze risks and, if necessary, add new risk items.
o Risks are closed when all necessary actions have been done. Some risk items are closed
immediately, while others remain open for an extended period of time. Some are classified
 watch items, and the action plan is not activated until specific unfavorable circumstances
occur.
o Closed hazards are kept in the database for future reference.

3. Explain the risk assessment procedure

The identification of threats that potentially have a negative influence on an organization's ability
to conduct business is known as risk assessment. These analyses aid in identifying these inherent
business risks and providing measures, processes, and controls to mitigate their influence on corporate
operations.

A risk assessment framework (RAF) can be used by businesses to prioritize and share the contents
of their risk assessment, including any hazards to their information technology (IT) infrastructure. The
RAF assists an organization in identifying prospective dangers, as well as any business assets put at
risk by these hazards, as well as potential impact if these risks occur.

Users utilize the risk assessment process to examine their companies in order to:

 Identify procedures and situations that have the potential to create harm, particularly to people.
 Determine the likelihood of each hazard occurring and the severity of the consequences.
 Determine what steps the organization can take to prevent or mitigate these threats from
occurring.

It's vital to know the difference between dangers and risks. Workplace accidents, crises, dangerous
substances, employee conflicts, stress, and other factors are all considered hazards. The risk of a
hazard, on the other hand, is the likelihood that it will cause harm. As part of your risk assessment
plan, you will identify risks, but you will also quantify the risk or likelihood of the hazards occurring.

A risk assessment plan's objective varies by industry, but in general, it helps firms prepare for and
combat risk. Other goals are as follows:

 Providing an assessment of potential threats.

 Keeping injuries and infections at bay.
 Complying with legal regulations.
 Raising awareness of hazards and risks.
 Making a complete inventory of accessible assets.
 Justifying the costs of risk management.
 Developing a budget for risk mitigation.
 Recognizing the return on investment.
4. List risk identification steps
4.1. Five steps in the risk assessment process
Step 1: Identify the hazard: The first stage in developing your risk assessment is determining
which threats your employees and organization face, such as:
o Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
o Biological hazards (pandemic diseases, foodborne illnesses, etc.)
o Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical
breakdowns, etc.)
o Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
o Technological hazards (lost Internet connection, power outage, etc.)
o Chemical hazards (asbestos, cleaning fluids, etc.)
o Mental hazards (excess workload, bullying, etc.)
o Interruptions in the supply chain

Examine your workplace to see whether practices or activities may be detrimental to your firm.
Include all areas of employment, including remote workers and non-routine duties such as repair and
maintenance. You should also go over accident/incident reports to see what hazards have already
impacted your company.

Step 2: Determine who might be harmed and how: You must determine which groups of people
in your company may be damaged by physical assaults, threats, intimidation, or verbal abuse.
Consider all of the people who work in your office at any given time. Maintenance workers,
security guards, and other contractors are examples of personnel that do not have regular shifts or
work patterns. Customers, guests, and members of the general public must all be considered.

Certain people may be more at risk of experiencing work-related violence:

o Young workers and trainees may be more vulnerable since they have had less training in
dealing with irate customers, robbery, and sexual harassment. They may also struggle to
recognize risky circumstances due to a lack of expertise.
o Temporary workers may be more vulnerable since they have received less training or
information about workplace violence than permanent employees.
o Night/shift employees, notably those working late at night, are more vulnerable since more
violent incidents occur at night. Furthermore, certain days of the week or times of day are
more dangerous than others, such as opening and closing times. Key holders may feel
especially insecure, and delivery of items is a high-risk period.
 o Lone employees are more vulnerable because they lack the assistance of coworkers who
can act as a deterrent to a possible assailant or provide instant help and support if a problem
arises. In addition, if a violent incident occurs and a member of staff is harmed, it may take
longer for help to arrive. As a result, lone workers require special consideration in terms of
training and supervision, among other things.
Step 3: Evaluate the risks and take precautions:
The goal of this step is to consider ways to manage the risks of harm from workplace violence.
This can include avoiding a certain hazard entirely, minimizing its risk, or finding measures to
mitigate any harm that does occur. You must ensure that you have reduced hazards "to the greatest
extent reasonably practicable."
The risk is the possibility, high or low, that someone will be damaged by the hazards listed in step
1, as well as an indication of how serious the harm could be. A risk factor is something that
increases the likelihood of the hazard occurring.
At this level of your risk assessment, you must determine whether your company faces a
significant danger of violence. You can accomplish this in a variety of ways, but arguably the
simplest way to begin is to ask your employees and safety reps about their experiences. Sickness
absence numbers, personnel turnover, injury and illness records (especially occurrences of work-
related violence), stock losses, and police records can also be examined. Your local police
department may be willing to release crime data for your business to assist you in determining how
to combat violence and crime on your property. RIDDOR reports can also be a good source of
information, and crime mapping can assist you decide where to focus your efforts.
 Risk factors: Because of the nature of their business, licensed and retail establishments are
more likely to see violence. Among these are:
 Dealing with enormous sums of money or exchanging money.
 Your employees making direct eye contact with customers.
 Opening late at night or in the evening.
 Managing customer complaints and conflicts. Dealing with irate consumers in
disputes/complaints, such as over goods, services, and refunds, allegations of short-
changing or cash blunders, or non-authorization of card purchases, can result in
embarrassment and violence.
 Decide on precautions: The following stage is to determine whether there is anything else you
can do. Have you mitigated the hazards "to the greatest extent reasonably practicable"? To
accomplish this, you will need to:
 Examine your existing controls to check they are functioning properly.
 Consult with your employees about their suggestions. Employees have hands-on
knowledge and insight into their workplace, making them an excellent source of
information and ideas. Involving your employees will also inspire them to adopt and
own the arrangements you make. You should include your staff by having them:
 1. Participate in the development and implementation of procedures to reduce the
risk of violence.
2. Participate in the assessment of any control measures.
3. Share your on-the-job experiences to assist other employees in recognizing and
responding to violence.
 Compare your actions to current best practices, which are outlined in the Quick guide to
control measures.
 Determine any further control measures required to decrease the risk to the lowest
achievable level.
Step 4: Record your findings and implement them: At this point, you should have identified the
measures you are already taking to keep your employees safe, as well as activities you may take to
enhance things even more. You must determine how you will carry out these actions. Remember
that it is action, not paperwork, that protects people; risk assessment is a tool, not an end in itself.
You will need to prioritize, and you may wish to consider the following to help you do so:
o Can I use multiple measures? Combining measures may be more successful than
relying solely on one. Can I employ a combination of short and long-term methods to
achieve both 'instant wins' and long-term effectiveness?
o How will employees react to these measures? How do I illustrate the worth of the
metrics?
o What are the potential drawbacks of the measures, such as clothing rules, searches, and
severe return policies?
o What will these treatments cost in terms of effectiveness? Control methods do not
always have to be costly in order to be successful.

Once you've decided what steps to take to keep your employees secure, you must put them into
action. Remember that documentation alone will not protect people; only when actions are
performed will they be protected.

o Appoint someone to be in charge of ensuring that the actions are carried out.
o Make certain that the measures are reasonable and agreed upon within certain
timeframes.
o Determine how you will effectively and consistently communicate, instruct, and train
your employees on your measurements.
Step 5: Review your risk assessment and update if necessary:

Nothing remains constant indefinitely. You can determine whether your control methods are
effective by speaking with your employees and monitoring incident rates and control measures.
Managers and staff must be given responsibility for overseeing the process and developing
 reporting methods, as well as debating and assisting in the implementation of solutions and
assessing their efficacy.

Your risk assessment should be revisited on a regular basis to confirm that the risk of employee
harm from workplace violence has not altered and that no further control measures are required. It
should also be evaluated if there are any changes in your business that may enhance the risk of
violence, such as lone working or changes in the type of the work you undertake.

There is no legal time limit for reviewing your risk assessment. It is up to you to decide when a
review is appropriate, but the risk assessment is a living document that should be recorded and
updated as your company's experiences evolve. As a general rule, risk assessments should be
revisited on an annual basis.

4.2. What problems does a security risk assessment solve?

A comprehensive security assessment enables a company to:

 Identify the organization's assets (e.g., network, servers, apps, data centers, tools, and so
on).
 Create individual risk profiles for each asset.
 Learn about the data that these assets store, transport, and generate.
 Determine the asset's importance in terms of business operations. This includes the total
influence on revenue, reputation, and the likelihood of a company being exploited.
 Determine the risk ranking of assets and prioritize them for evaluation.
 Based on the assessment results, implement mitigation controls for each asset.

It is critical to recognize that a security risk assessment is not a one-time security exercise. Rather,
it is a constant action that should be carried out at least every other year. Continuous assessment
gives a current and up-to-date snapshot of the threats and risks to which a business is exposed.

Synopsys recommends annual examinations of important assets with a high impact and risk of
failure. The assessment process generates and collects a wealth of useful data. Here are a few
examples:

 Making a portfolio of all current applications, tools, and utilities.

 Creating documentation for security needs, policies, and procedures.
 Creating a collection of system architectures, network diagrams, system data stored or
delivered, and interfaces with external services or vendors.
 Creating a physical asset inventory (e.g., hardware, network, and communication
components and peripherals).
  Keeping track of information about operating systems (for example, PC and server
operating systems).

 Information about:
 Data repositories (for example, database management systems, files, and so on).
 Security controls in place (for example, authentication systems, access control
systems, antivirus, spam controls, network monitoring, firewalls, intrusion detection
and prevention systems).
 Current baseline operations and security standards for regulating bodies'
compliance.
 Assets, risks, and vulnerabilities (including the consequences and likelihood of
occurrence).
 Previous technical and procedural assessments of applications, policies, network
systems, and so on.
 Mapping of mitigation controls for each asset risk identified.

II. Explain data protection processes and

regulation as applicable to an organization
(P6)
1. Definition
Data protection is the process of preventing critical information from being corrupted, compromised,
or lost.

As the amount of data created and saved continues to expand at unprecedented rates, the need of data
protection grows. There is also minimal tolerance for downtime, which might make access to critical
information impossible.

As a result, ensuring that data can be restored rapidly after corruption or loss is an important aspect of
a data protection strategy. Data protection also includes safeguarding data against compromise and
preserving data privacy.
2. Principles of data protection
The main principles of data protection are to protect and make data available in all circumstances.
Data protection refers to both operational data backup and business continuity/disaster recovery
(BCDR). Data security techniques are advancing in two directions: data availability and data
management.

Data availability ensures users have the data they need to conduct business even if the data is damaged
or lost.

The two basic parts of data management used in data protection are data lifecycle management and
information lifecycle management.

 The process of automating the movement of vital data to online and offline storage is known as
data lifecycle management.
 Information lifecycle management (ILM) is a complete strategy for valuing, categorizing, and
safeguarding information assets from application and user failures, malware and virus attacks,
equipment failure, and facility outages and interruptions.

Data management has lately expanded to include developing ways to extract corporate value from
otherwise dormant copies of data for reporting, test/dev enablement, analytics, and other applications.

3. Purposes of data protection

A disk or tape backup is a data storage technology that transfers specified information to a disk-based
storage array or a tape cartridge. Tape backup is an excellent alternative for data protection against
cyber threats. Although access to tapes can be slow, they are portable and naturally offline when not
put into a drive, making them immune to network hazards.

Mirroring allows businesses to produce an exact clone of a website or files so that they are accessible
from many locations.

Storage snapshots can generate a set of pointers to information saved on tape or disk automatically,
allowing for speedier data recovery, whereas continuous data protection (CDP) backs up all data in a
business anytime a change is made.

4. Enterprise data protection strategies

Modern data security for primary storage involves the use of a built-in system that supplements or
replaces backups and protects against the possible issues listed below:
 Media failure: The idea is to keep data accessible even if a storage device fails. Synchronous
mirroring is one way in which data is simultaneously written to a local disk and a remote site. The
write is not deemed complete until the distant site sends a confirmation, guaranteeing that the two
sites are always identical. Mirroring necessitates a 100% capacity overhead.

RAID protection is a less expensive option that requires less overhead capacity. RAID combines
physical drives into a logical unit that appears to the operating system as a single hard drive. RAID
stores the same data on many drives in separate locations. As a result, I/O activities overlap in a
balanced manner, improving performance and security.

RAID protection must compute parity, a technique that determines if data has been lost or
overwritten as it is transferred from one storage location to another. This calculation uses up
compute resources.

The time it takes to return to a protected state is the cost of recovering from a media failure.
Mirrored systems can quickly restore to a protected state; RAID systems take longer since all
parity must be recalculated. When doing a drive rebuild, advanced RAID controllers do not need to
read an entire drive to retrieve data. They merely have to rebuild the data on that drive. Given that
most drives operate at roughly one-third capacity; clever RAID can drastically cut recovery times.

Erasure coding is a popular alternative to sophisticated RAID in scale-out storage environments.

Erasure coding, like RAID, employs parity-based data protection schemes, writing both data and
parity across a cluster of storage nodes. Because erasure coding allows all nodes in a storage
cluster to participate in the replacement of a failing node, the rebuilding process is not CPU-
constrained and occurs faster than it would in a standard RAID array.

Another data protection option for scale-out storage is replication, which involves mirroring data
from one node to another or numerous nodes. Although replication is less complicated than erasure
coding, it requires at least twice the capacity of the protected data.

 Data corruption: Snapshots can be used to restore data that has been corrupted or mistakenly
erased. Most storage systems today can track hundreds of snapshots without affecting performance
much.
Storage systems that use snapshots can collaborate with platforms like Oracle and Microsoft SQL
Server to capture a clean copy of data while the snapshot is taking place. This method allows for
frequent snapshots that can be stored for lengthy periods of time.
When data is corrupted or erased by mistake, a snapshot can be mounted and the data copied back
to the production volume, or the snapshot can replace the existing volume. This method loses very
little data and recovers data fairly instantly.
 Storage system failure: Data centers rely on replication technologies built on snapshots to protect
against multiple disk failures or other significant events.
Only altered blocks of data are replicated from the primary storage system to an off-site secondary
storage system with snapshot replication. Snapshot replication is also used to copy data to onsite
secondary storage for recovery in the event that the original storage system fails.

 Full-fledged data center failure: Protecting against data center failure necessitates a
comprehensive disaster recovery plan. Organizations, like in the other failure scenarios, have
several options. Snapshot replication, which duplicates data to a secondary site, is one option. The
cost of running a secondary site, on the other hand, can be too expensive.
Another option is to use cloud services. In the event of a severe disaster, an organization can
employ replication in conjunction with cloud backup products and services to retain the most
recent copies of critical data and to instantiate application images. As a result, in the case of a data
center failure, recovery is quick.

5. How to protect the data?

1. Data encryption: Data encryption isn't only for computer experts; contemporary solutions allow
everyone to encrypt emails and other data. Encryption was formerly the unique domain of geeks
and mathematicians, but times have changed. Various freely available programs, in particular, have
taken the mystery out of encrypting (and decrypting) email and files. For example, GPG for Mail is
an open source plug-in for Apple Mail that makes it simple to encrypt, decode, sign, and validate
emails using the OpenPGP standard. In addition, current versions of Apple's OS X operating
system have FileVault, an application that encrypts a computer's hard disk. A comparable tool is
available for those who use Microsoft Windows. This software will jumble your data but will not
protect you from government agents requesting your encryption key under the Regulation of
Investigatory Powers Act (2000), which is why TrueCrypt, a tool with some extremely intriguing
features, is recommended by some experts.
2. Data backup: Backing up your data is one of the simplest, yet often forgotten, data protection
measures. Essentially, this produces a duplicate copy of your data so that if a device is lost, stolen,
or compromised, you do not lose your critical information. According to the US Chamber of
Commerce and insurance provider Nationwide, 68% of small firms, according to Nationwide, do
not have a disaster recovery strategy. The issue is that the longer it takes to retrieve your data; the
more money you will lose. According to Gartner, this downtime can cost businesses up to
$300,000 per hour.
3. Make the hard drives of your old PCs unreadable: Much information can be obtained from
obsolete computing devices, but you can preserve your personal data by formatting hard drives
 before discarding them. "Make the hard drives of old computers unreadable." After backing up
your data and transferring the files elsewhere, you should sanitize the disk by destroying it,
magnetically cleaning it, or wiping it clean using software. "Shred old computer disks and backup
tapes," advises the Florida Attorney General's Office.

4. Secure your wireless network at your home or business: It is usually recommended to

safeguard your wireless network with a password, which is a great recommendation for both small
business owners and individuals or families. This stops unauthorized users in the area from
hijacking your wireless network. Even if they're only looking for free Wi-Fi, you don't want to
accidentally disclose private information with other people who are using your network without
authorization. "If your workplace has a Wi-Fi network, make sure it is secure, encrypted, and
hidden." Set up your wireless access point or router so that it does not broadcast the network name,
also known as the Service Set Identifier (SSID), to hide your Wi-Fi network. "Protect router access
with a password," states FCC.gov in a post offering data security guidelines for small enterprises.
5. Firewall: Firewalls aid in the prevention of malicious applications, viruses, and malware from
infiltrating your system. Various software firms provide firewall protection, but hardware-based
firewalls, such as those found in network routers, give a higher level of security.
6. Encrypt data on USB drives and SIMS cards: Encrypting your data on removable storage
devices makes it more difficult (though not impossible) for criminals to understand your personal
data if your device is lost or stolen. USB drives and SIM cards are two examples of detachable
storage devices that may be put into another device to access all of the data stored on them. Unless
it's encrypted, of course. Your USB drive might be easily stolen and inserted into another
computer, where they could steal all of your contents and even install malware or viruses onto your
flash drive, infecting every computer it was plugged into. Encrypt your SIM card in case your
phone is ever stolen, or remove it before selling your old phone.
7. Disable file and media sharing if you don’t need it: You may find it convenient to share files
between PCs if you have a home wireless network with many devices connected. However, there
is no need to make files public if it is not absolutely necessary. Make sure that certain of your
folders are only shared on your local network. If you don't need your files to be visible to other
machines, turn off file and media sharing entirely.
8. Create encrypted folders for portable, private files: HowToGeek provides a series of articles
containing tips, methods, and tools for encrypting files or groups of data using various programs
and tools. This article describes how to create an encrypted volume to easily move private,
sensitive data to numerous computers.
9. Overwrite deleted file: removed information on a digital device is rarely truly removed
permanently. Often, this data remains on disk and can be recovered by someone who knows what
they're doing (for example, a skilled criminal looking for your personal information). Overwriting
your previous data is the only way to truly assure that it is gone forever. Fortunately, there are tools
 available to help with this. PCWorld discusses a program and procedure for erasing outdated data
on Windows operating systems.
10. Delete old files from cloud backup: You're on the right track if you're careful about backing up
your data and use a safe cloud storage solution to do it. However, cloud backups, like any other
type of data backup, add an extra step when it comes to erasing old data. Remember to delete files
from backup services in addition to those you erase (or overwrite) on local devices. If you back up
your data to the cloud, keep in mind that even if you erase them from your computer or mobile
device, they remain in your cloud account. To completely delete the file, you must also delete it
from your backup cloud account.

6. Why are data protection and security regulation important?

With the rise of user-generated data and the exponential industrial value of data, government
authorities' ability to defend individuals' data rights is becoming increasingly important. Data
protection legislation safeguards individuals' personal data by governing the collection, use, transfer,
and disclosure of such information. They also give individuals access to their data, impose
accountability norms on organizations that collect personal data, and provide remedies for
unauthorized or detrimental processing.

Data security is critical because it protects "Wheelie good" company information from fraudulent
activities like hacking, phishing, and identity theft. In order to function correctly, this company needs
ensure the security of their information by developing a data protection plan. The importance of data
protection develops in lockstep with the amount of data stored and generated. Data breaches and
cyberattacks can have disastrous repercussions. This organization must secure their data proactively
and regularly upgrade their security techniques.

Finally, the basic concept and relevance of data protection is safeguarding and protecting data from
various hazards and under diverse conditions. The following article goes into greater information
regarding data protection and its significance. All information at the firm "Wheelie good" must be kept
completely confidential at all times. Because consumer information, partner information, and company
secrets are all significant assets. They have the power to determine the company's survival. This is also
why hackers aim to compromise corporate information. They can make a lot of money if they can steal
this piece of info. Because such a threat exists, the company "Wheelie good" must emphasize
information security.’
III.Design and implement a security policy for an
organization (P7)
1. Security policy definition
A security policy is a written document that outlines how a corporation intends to protect its physical
and information technology (IT) assets. Security policies are dynamic documents that are constantly
updated and modified as technology, vulnerabilities, and security requirements evolve.

An acceptable usage policy may be included in a company's security policy. These indicate how the
organization intends to educate its staff about asset protection. They also include a description of how
security measures will be implemented and enforced, as well as a method for reviewing the policy's
efficacy to ensure that required corrections are made.

2. The importance of security policy

Security policies are crucial because they safeguard an organization's physical and digital assets. They
identify all of the company's assets as well as any threats to those assets.

There are two type of security policies: Physical security policies and data security policies.

 Physical security policies

Physical security policies secure all physical assets in a business, including buildings, cars,
merchandise, and machines. These assets include IT equipment such as servers, computers, and hard
drives.

IT physical asset protection is very critical since physical equipment carry firm data. If a physical IT
asset is compromised, the data it stores and manages is jeopardized. To keep firm data safe,
information security policies rely on physical security policies.

Physical security policies include the following information:

- Buildings, rooms, and other locations of an organization that are sensitive.

- Who has access to, handles, and moves physical assets.

- Procedures and other guidelines for gaining access to, monitoring, and managing these assets.

- Individuals' responsibilities for the physical assets they access and manage.
 Physical assets are safeguarded by security guards, entry gates, and door and window locks. Other,
more advanced methods are also utilized to safeguard physical assets. A biometric verification system,
for example, can restrict access to a server room. Anyone entering the room would use a fingerprint
scanner to verify their identity.

 Data security policies

Since data breaches and other incidents involving information security can have a detrimental impact
on an organization's reputation. These policies serve to assure data security, integrity, and availability,
also known as the CIA trinity. They're frequently utilized to safeguard sensitive client data and
personally identifying information.

Ensure legal and regulatory compliance: Many legal and regulatory obligations are geared at security
sensitive information. The Payment Card Industry Data Security Standard, for example, governs how
businesses handle customer payment card information. The Health Insurance Portability and
Accountability Act specifies how businesses must handle protected health information. Violations of
these rules can be costly.

Establish employee roles: Every employee generates information that may constitute a security risk.
Security policies outline the actions that must be taken to safeguard data and intellectual property.
Determine the vulnerabilities of third-party vendors. Some vulnerabilities arise as a result of
interactions with entities that may have differing security standards. Security policies aid in identifying
potential security holes.

3. Types of security policies

Security policies are classified into three types based on their scope and purpose:

 Organizational: These policies serve as the master plan for the security program of the entire
organization.
 System-specific: A system-specific policy governs the security of an information system or
network.
 Issue-specific policies: These policies focus on certain parts of the wider organizational policy.
The following are some examples of issue-related security policies:
o Acceptable use policies establish the guidelines for employee use of company assets.
o Which personnel have access to which resources is determined by access control policies.
o Change management policies define methods for changing IT assets while minimizing
negative consequences.
o Disaster recovery policies ensure business continuation following a disruption in service.
These policies are often implemented after an incident has caused significant damage.
 o event response policies specify how to respond to a security breach or event when it occurs.

4. Element of a security policy

1. Purpose:
o Create a comprehensive strategy to information security.
o Detect and prevent data security breaches such as network, data, application, and computer
system misuse.
o Maintain the organization's reputation while adhering to ethical and legal obligations.
o Customer rights must be respected, including how to respond to enquiries and complaints
regarding noncompliance.
2. Audience: Define the audience for whom the information security policy applies. You can also
define which audiences are not covered by the policy (for example, employees in another business
unit that handles security separately may not be covered by the policy).
3. Information security objectives: Assist your management team in developing well-defined
strategy and security objectives. The primary goals of information security are as follows:
o Confidentiality - Only authorized individuals have access to data and information assets.
o Integrity - Data must be intact, correct, and complete, and IT systems must remain
operating.
o Availability - Users should have access to information or systems when they need it.
4. Authority and access control policy:
o A senior manager may have the authority to select what data may and cannot be shared and
with whom. A senior manager's security policy may differ from that of a junior employee.
The policy should specify the level of authority each organizational job has over data and
IT systems.
o Users can only access company networks and servers through unique logins that require
authentication, such as passwords, biometrics, ID cards, or tokens. All systems should be
monitored and all login attempts should be recorded.
5. Data classification: The policy should categorize data into categories such as "top secret",
"secret", "confidential", and "public". The objective you have in data classification is:
o To prevent those with lesser clearance levels from accessing sensitive data.
o To safeguard critical data while avoiding unnecessary security measures for insignificant
data.
6. Data support and operations:
o Data protection requirements require that systems that store personal or sensitive data be
protected in accordance with organizational standards, best practices, industry compliance
 standards, and relevant regulations. Most security requirements demand encryption, a
firewall, and anti-malware protection as a bare minimum.
o Data backup – Encrypt backup data in accordance with industry standard practices. Backup
media should be securely stored or moved to secure cloud storage.
o Data movement – Only transfer data using secure protocols. Encrypt any data copied to
portable devices or sent over a public network.
7. Security awareness: Share your company's IT security policies with your employees. Conduct
training sessions to educate staff about your security protocols and mechanisms, such as data
protection, access control, and sensitive data categorization.
o Social engineering – Emphasize the risks of social engineering assaults (such as phishing
emails). Employees should be held accountable for detecting, preventing, and reporting
such assaults.
o Clean desk policy – Use a cable lock to secure computers. Documents that are no longer
needed should be shredded. Keep printer locations tidy to avoid papers falling into the
wrong hands.
o Acceptable Internet usage policy—define how access to the Internet should be limited. Do
you allow YouTube and other social media websites? Using a proxy, you may block
undesirable websites.
8. Encryption policy: Encryption is the process of encrypting data in order to make it inaccessible or
concealed from unauthorized parties. It aids in the protection of data at rest and in transit between
places, ensuring that sensitive, confidential, and proprietary information remains private. It can
help increase client-server communication security. An encryption policy assists companies in
defining:
o When encryption is required for devices and media, the organization must encrypt them.
o The minimal requirements for the encryption software used.
9. Data backup policy: A data backup policy establishes the guidelines and methods for creating
backup copies of data. It is an essential part of a comprehensive data security, business continuity,
and disaster recovery strategy. The following are the primary purposes of a data backup policy:
o Identifies all information that the company must back up.
o Determines backup frequency, such as when to execute an initial full backup and when to
do incremental backups.
o Defines the location of backup data storage.
o Lists all roles in charge of backup procedures, such as backup administrators and IT team
members.
10. Responsibilities, rights, and duties of personnel: Appoint personnel to do user access checks,
education, change management, incident management, security policy execution, and periodic
updates. As part of the security policy, responsibilities should be clearly specified.
11. System hardening benchmarks: The information security strategy should include security
benchmarks that the firm will utilize to harden mission important systems, such as the Center for
Information Security (CIS) benchmarks for Linux, Windows Server, AWS, and Kubernetes.
12. References to regulations and compliance standards: The information security policy should
include references to relevant rules and compliance standards, such as GDPR, CCPA, PCI DSS,
SOX, and HIPAA.

5. Steps to design a policy

 Step 1: Assessing the company's risk The most effective method for identifying a "Wheelie good"
company's threat is to employ "Wheelie good" monitoring or reporting technology. Employees of
the "Wheelie Good" organization should be advised that their activities will be logged for risk
assessment purposes. Consider the following questions instead. Do you frequently send or receive
large files and attachments through email? Is it possible that irritating attachments are generating
loops? Or, in your opinion, what are the hazards of wrong usage?
 Step 2: Adopt a "Wheelie good" approach about your company's privacy policies. Connecting with
workers is critical at this stage in order to build a strategy for implementing security measures.
Maintaining a risk-appropriate degree of security is critical. The amount of safety protocols
employed should be commensurate to the actual threat. Furthermore, the insurance must fulfill all
legal requirements.
 Step 3: Appointing a Data Protection Officer is a wise idea. A Data Protection Officer (DPO) is in
charge of how your company gathers and stores personal information. If you conduct large-scale
online tracking, the GDPR, or the General Data Protection Regulation, requires you to appoint
a DPO and give information. The contact information for the DPO is available in the Privacy
Policy.
 Step 4: Agreement on Data Processing According to Article 28 of the General Data Protection
Regulation (GDPR), if you engage a data processor (such as Shopify) to manage customer data,
you must set rigorous contractual limitations on how they may use and process such data as a data
controller. A Data Processing Supplemental Agreement, or DPA, is commonly used to do this.
 Step 5: Description Implement the security policy of the "Wheelie good" organization. Ensure that
all workers follow the "Wheelie good" privacy policy of the organization. Assure that all
employees adhere to it rigorously.
 Step 6: The sixth stage is to inform and train employees to be "wheelie good." Employees who
have not received adequate training may be ignorant of how their activities may jeopardize
security. As a result, personnel training is required to put the privacy policy in place at "Wheelie
good."
6. Security policy for company
I'll utilize two sorts of security policies in this section: physical security policies and IT security
policies. These privacy policies apply to the corporation's whole "Wheelie good" division.

6.1. Physical security policies

 Physical access to "Wheelie good" organization server rooms/areas must be strictly controlled, and
servers must be stored on secured server racks.
 Only authorized Systems and Operators will have access to the servers. Everyone else who wants
to work on development servers will only be able to do so via Remote Desktop Connection with
Limited User Accounts.
 Critical backup vehicles must be kept in a secure off-site vault.
 Security perimeters will be built around information systems to prevent illegal physical access,
corruption, and intervention.
 For places where information systems are hosted, employee access lists with appropriate
authorization credentials must be preserved. On a regular basis, authorized personnel will review
and approve access lists and authorization information.

6.2. IT security policies

 Employees preserve their safety and security when working remotely during Covid-19 by utilizing
public Wi-Fi, avoiding accessing important information in public locations, and storing devices in
a secure location.
 All "Wheelie good" branches must have a secure Wi-Fi system that meets WP2 requirements, and
staff are only permitted to use it during working hours.
 Each department at "Wheelie great" will have its own VLAN, making administration and area
separation easier while also preventing hackers from infiltrating the company.
 The computer in the design area will not be integrated with software that may transfer data outside
to avoid information being exposed during the construction of a new wheel design.
 Customer information, future wheel designs, spending, and transaction metrics must all be stored,
encrypted, and backed up on the company's servers.
IV. List the main components of an organizational
disaster recovery plan, justifying the reasons
for inclusion (P8)
1. Business continuity definition
Business continuity refers to an organization's capacity to keep vital functions running during and after
a crisis. Business continuity planning sets risk management methods and procedures with the goal of
preventing disruptions to mission-critical services and restoring full organization operation as fast and
easily as feasible.

The most fundamental requirement for business continuity is to maintain critical functions operational
during a crisis and to recover with as little downtime as possible. Natural catastrophes, fires, disease
outbreaks, cyberattacks, and other external hazards are all included in a business continuity strategy.

Business continuity is vital for firms of all sizes, but it may not be feasible for any but the largest
enterprises to retain all services during a crisis. According to many experts, the first stage in business
continuity planning is determining which operations are critical and allocating the available funds
appropriately. Administrators can put failover procedures in place once critical components have been
identified.

Disk mirroring, for example, allows an organization to keep up-to-date copies of data at
geographically distributed sites other than the core data center. This allows data access to continue
uninterrupted if one location is deactivated and safeguards against data loss.

2. The importance of business continuity

Business continuity is crucial at a time when downtime is unacceptable. Downtime may come from a
multitude of places. Some hazards, such as cyberattacks and harsh weather, appear to be worsening. It
is critical to have a business continuity strategy in place that accounts for any potential operational
disruptions.

During a crisis, the strategy should allow the organization to function at a bare minimum. Business
continuity aids an organization's resilience by allowing it to respond rapidly to an interruption. Strong
business continuity saves money, time, and the reputation of the organization. A prolonged outage
poses a financial, personal, and reputational danger.
Business continuity necessitates a business examining itself, analyzing possible areas of vulnerability,
and gathering important information – such as contact lists and technical schematics of systems – that
can be valuable outside of catastrophe scenarios. An organization may strengthen its communication,
technology, and resilience by implementing business continuity planning.

Business continuity may also be required for legal or regulatory reasons. It's critical to understand
which rules apply to a certain organization, especially in an era of rising regulation.

3. The components of a recovery plan

Any solid disaster recovery strategy has seven basic components:

 asset mapping.
 determining the criticality and context of your assets.
 completing a risk assessment.
 defining your recovery objectives.
 selecting a disaster recovery setup.
 budgeting for your setup.
 testing and reviewing the plan.

3.1. Asset mapping

You must first outline out all of your assets to determine which will require security. Assets could
include:

 Network equipment
 Hardware
 Software
 Cloud services
 Critical data

Creating a list of assets, albeit time-consuming, can help you to gain a thorough grasp of your
company's processes. Regularly update your list when assets are added, withdrawn, or updated, and
use it to purge superfluous data.
3.2. determining the criticality and context of your assets
After you've taken inventory of your assets, you should examine them in context. How does your
company make use of these assets? Which assets, if compromised or lost, would have the greatest
impact in the event of a disaster? Go through all of your mapped assets and categorize them from high
to low effect.

It is not always possible to back up all of your data. Understanding the significance of each asset and
how they interact can help you choose which should be prioritized in your disaster recovery strategy.

3.3. completing a risk assessment

Not all threats are the same. What are the most serious dangers to your company as a whole? Which
assets are these threats most likely to attack? Because critical systems workers are aware of the most
likely possible reasons of service interruption, their advice at this point is important. You cannot
predict every potential risk, but you can develop an effective strategy by considering the likelihood
and magnitude of each.

3.4. Defining RTO and RPO

Recovery objectives should be divided into two categories: recovery time objectives (RTO) and
recovery point objectives (RPO). RTO is the period of time your assets may be down before being
recovered, while RPO is the quantity of data you are prepared to lose. These goals should be
determined early in the development of your disaster recovery strategy so that an appropriate
arrangement may be selected.

Consult with your company's top management and operations employees to discuss the prospective
disruption's impact for as little as one minute, up to one day, or even longer. This information will help
you to set your RTO and RPO, as well as how frequently your data needs to be backed up.

3.5. Selecting a disaster recovery setup

At this point, you have a thorough grasp of your assets, risks, and RTO and RPO. You may construct
your disaster recovery configuration using this knowledge. Some questions you may have at this point
include:

 Will you have a catastrophe recovery location to host?

 Where will it be situated? Will it be hosted on the cloud? Is it self-hosted?
 Which backups will you keep? What will their location be?

A remote data storage solution is vital for protecting your assets from cyber-attacks and natural
calamities that may cause physical harm. After you've laid out your needed configuration, choose the
cloud services, software, hardware, and partners you'll need to complete it.

3.6. budgeting for your setup

Regardless of their resources, all firms should have a disaster recovery strategy. Senior management
should be reminded of the need of catastrophe recovery, but multiple solutions with varying price
points should be presented.

Higher budgets will include a disaster recovery plan with improved RTOs and RPOs, more generous
support for more essential services, and may be part of a larger business continuity strategy. Each
company's disaster recovery plan requirements will differ, and with the appropriate information,
business can assess risk and investment in disaster recovery plan technologies to achieve the correct
balance.

3.7. testing and reviewing the plan

The disaster recovery plan will need to be tested and reviewed in the final step to guarantee it is ready.
All employees must understand their responsibilities in the event of a crisis. Conduct a catastrophe
exercise to put the strategy to the test and to see how employees react to the danger. If things don't go
as smoothly as you'd want, make changes to the plan.

A catastrophe recovery strategy is never complete. It should be examined on a regular basis, ideally
every six months or so, to verify that it is still effective. Assets, organizational structure, and IT
configuration will all change over time, and the disaster recovery plan must be updated to reflect these
changes.

4. All the steps required in disaster recovery process

a. Define the company's scope "Wheelie good": First and foremost, you must comprehend your
final objective. If the "Wheelie good" firm relies on rapid and simple data access to continue in
business, their IT disaster recovery strategy should emphasize keeping your private data safe and
secure even if their on-premises hardware fails. For the great majority of small businesses, this
means looking into offsite data storage solutions like public cloud storage and/or data center
locations.
b. Reviewing the IT Vulnerabilities of the “Wheelie Good” Company: Following the
announcement of your company's ultimate aims, you must have a thorough awareness of its most
evident weaknesses, with a particular focus on current disaster risks in the company's locations.
While the greatest catastrophe recovery plans attempt to safeguard as many assets as possible,
you'll almost certainly have to make difficult priority decisions in order to keep the company's
"Wheelie good" intact.
c. Conduct a risk assessment: You should now be aware of the firm's flaws and have implemented
measures to defend against them, however you may be unaware of how these protections will
react. as though in a crisis This is when risk assessment comes into play.
d. Determine recovery techniques: Following the stress-testing of your preventative measures, the
next stage is to determine the most successful and cost-effective recovery techniques. This estimate
should ideally take into consideration both your most critical IT vulnerabilities and the
effectiveness of your defenses throughout your risk analysis.
e. Planning: You are now ready to start designing a comprehensive business IT disaster recovery
strategy. This will require compiling the information you've obtained and organizing it in a logical,
linear order.
f. Analyze the company's disaster recovery plan. "Wheelie great": IT disaster recovery planning
is a positive step that may put a "Wheelie good" firm ahead of many of its rivals, but it's vital to
keep an eye on it even after you believe you've got it all figured out. Examine your strategy to
ensure that each stage is executed as planned. After all, the best time to test whether your disaster
recovery strategy will work is before the occurrence, not after.
g. Members of the coaching staff include: When you're satisfied with your strategy, tell the rest of
the "Wheelie good" crew about it. Although you should have consulted with key personnel during
the previous six steps, depending on how collaborative your planning process is, it is your
responsibility to ensure everybody in the "Wheelie good" company can comprehend what can be
expected in the event of a flood, storm, wildfire, or other disaster.
h. Update and revise the company's "Wheelie good" strategy: While we all hope that we never
have to use our IT disaster recovery plan, it's a good idea to review it on a regular basis and, if
required, revise it. Is it still feasible to modify the way your firm operates?

5. Explain some of the policies and procedures that are required

for business continuity
5.1. Understanding the Organization: Business Impact Analysis (BIA)
The process of determining, measuring, and evaluating the possible effects of a company's
fundamental activities, functions, and procedures being impacted or stopped as a result of an accident,
crisis, or disaster is known as business impact analysis (BIA). It is a means of assessing the potential
and probable implications of these disruptions, frequently from the position of the worst-case scenario.
The BIA is seen as critical to disaster recovery preparation, especially in terms of risk mitigation in the
event of operational failures or disruptions caused by natural disasters and similar incidents.

 Each department is responsible for determining its own MEFs and essential resources.
Services, programs, or activities that are crucial to the department's continuing operations and
 would have a direct impact on the department's success if they were halted for an extended
length of time are considered essential functions. MEFs will provide as a road map for
resuming operations after a disaster or substantial disruption. Four to six basic functions should
be included in general, with more if the department or unit is highly complicated.
 Each department is in charge of administering university MEFs, and they must be as specific as
possible when developing standards and relationships for each function. Consider how the
function would have to be altered or amended if one of the main hazards noted in the risk
assessment caused a significant interruption.
 Each department is responsible for carrying out a BIA for each MEF in order to analyze and
document the potential implications and negative consequences of a disaster or large
interruption. A business impact analysis (BIA) is conducted for each mission-critical function
to assess and document the possible repercussions and negative ramifications of a disaster or
severe interruption. By examining dependencies, peak periods, negative repercussions, and
financial considerations (RTOs), a BIA can assist in determining recovery priorities and
recovery time targets.
 Each department must examine the human and technological resources needed to guarantee
that operations run smoothly.
 Each department is responsible for setting and fulfilling RTOs, which are the amount of time
necessary to recover a process or function and return corporate operations to normal, or as near
to normal as feasible.

5.2. Risk assessment

Each university department will identify, assess, and rank various hazards based on their probability of
event and the level of disturbance to department operations, as well as how each hazard can impact
property, business, and people who work in the department and any clients that they serve, as well as
the university at large, during the risk assessment step. The Director of Emergency Preparedness will
study dangers and give context through the use of language, current events, and potential threat
scenarios. This will have a multitude of consequences, some of which will need extensive BIA as well
as the development and implementation of recovery programs. University departments will review the
risk assessment data to develop a prioritized list of MEFs, with the most critical at the top.

5.3. Determining the BCP Recovery Strategies

Other ways for restarting operations at a minimum acceptable level after a business interruption
include recovery plans, which are prioritized by the RTO generated during the business impact
research. People, structures, equipment, resources, and technologies are all necessary for recovery
tasks. Each department must perform an analysis of the resources needed to carry out recovery
operations in order to identify gaps. Every division is responsible for:
  Conduct a risk assessment and strategy for risk management in all company sectors. Internal
causes for dependency include commercial linkages, telecommunication/information
technology interconnections, and/or shared resources.
 Document strategies and procedures to ensure the continuity, continuation, and recovery of
critical organizational activities and processes.
 Describe the immediate steps to be taken during an event to minimize the harm caused by a
disruption, as well as the recovery actions.

5.4. Develop and Implement the BCP

VEOCI, a crisis management and software solution, can be applied to create and maintain university
business continuity strategies, ensuring mission-critical operations are prepared throughout campus.
Following the completion of the preparation (BIA and risk assessment) and meetings, the relevant
department designee will submit each Business Continuity Plan (BCP) to VEOCI. To gain access to
VEOCI, contact the VCU director of emergency preparation. There is guidance offered. Each
department is in charge of:

 Describe the kind of events that might occur prior to the public declaration of a disruption, as
well as how to invoke the BCP.
 Set the format of the BCP, including the executive overview, objectives and scope, outcomes
summary, and recovery activities.

5.5. Exercising, Maintaining and Reviewing

After the BCP is completed, the director of emergency preparation will conduct training and testing to
verify that all department employees are familiar with it. The director of emergency preparation will
convene a continuity planning group of people who will be involved immediately following a disaster
or severe disruption. Each division will make any required revisions to the BCP after training and/or
real-world situations:

 Timely Evaluation and Maintenance: Each department plan administrator will be in charge
of yearly reviewing and maintaining all BCPs and related documentation. The goal of
reviewing is to verify that the plan is recent and kept up to date while staying ready. The VCU
director of disaster preparation will oversee the upkeep of this program.
 Training and Exercises: The disaster preparation director will oversee all departments' annual
testing. Testing strategies range from the simplest (no notice activities) to the most complicated
(full scale). Each has its own set of features, goals, and rewards. The sort of testing should be
defined by the organization's expertise with business continuity preparation, as well as the
complexity, scope, and nature of its operations. Tabletop exercises, functional exercises, and
full scale exercises are examples of testing procedures with increasing complexity.
References
acqnotes.com. [Online] Available at: https://acqnotes.com/acqnote/tasks/risk-identification-procedures
[Accessed 19 04 2023].

axiom.tech. [Online] Available at: https://www.axiom.tech/7-components-that-make-a-great-disaster-

recoveryplan/#:~:text=There%20are%20seven%20main%20components,testing%20and%20reviewing
%20the%20 plan. [Accessed 26 04 2023].

chas.co.uk. [Online] Available at: https://www.chas.co.uk/blog/5-steps-to-risk-assessment/ [Accessed 19

04 2023].

exabeam.com. [Online] Available at: https://www.exabeam.com/information-security/information-

securitypolicy/#:~:text=Information%20security%20objectives,- Guide%20your
%20management&text=Confidentiality%20%E2%80%94%20Only%20individuals%20with%
20authorization,information%20or%20systems%20when [Accessed 26 04 2023].

hse.gov.uk. [Online] Available at: https://www.hse.gov.uk/violence/toolkit/riskdetail3.htm [Accessed 19

04 2023].

hse.gov.uk. [Online] Available at: https://www.hse.gov.uk/violence/toolkit/riskdetail2.htm [Accessed 19

04 2023].

hse.gov.uk. [Online] Available at: https://www.hse.gov.uk/violence/toolkit/riskdetail4.htm [Accessed 19

04 2023].

lucidchart.com. [Online] Available at: https://www.lucidchart.com/blog/risk-assessment-process

[Accessed 19 04 2023].

pecb.com. [Online] Available at: https://pecb.com/article/why-is-data-protectionimportant#:~:text=Data

%20protection%20is%20important%2C%20since,implementing%20a%20data%20 protection%20plan.
[Accessed 26 04 2023].

projectmanager.com. [Online] Available at: https://www.projectmanager.com/blog/what-is-a-

stakeholder [Accessed 26 04 2023].

synopsys.com. [Online] Available at: https://www.synopsys.com/glossary/what-is-security-

riskassessment.html#:~:text=A%20security%20risk%20assessment%20identifies,holistically
%E2%80%94from %20an%20attacker%27s%20perspective. [Accessed 19 04 2023].
techtarget.com. [Online] Available at: https://www.techtarget.com/searchsecurity/definition/risk-
assessment [Accessed 19 04 2023].

zevenet.com. [Online] Available at: https://www.zevenet.com/blog/10-importance-of-information-

security-audit/ [Accessed 26 04 2023].

Crocetti, P., 2021. techtarget.com. [Online] Available at:

https://www.techtarget.com/searchdatabackup/definition/data-protection [Accessed 26 8 2023].

Gillis, A. S., 2020. techtarget.com/. [Online] Available at:

https://www.techtarget.com/searchcio/definition/security-audit [Accessed 26 04 2023].

Irwin, L., 2020. vigilantsoftware.co.uk. [Online] Available at:

https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threatsand-
vulnerabilities [Accessed 19 04 2023].

Lutkevich, B., 2021. techtarget.com. [Online] Available at:

https://www.techtarget.com/searchsecurity/definition/security-policy [Accessed 26 04 2023].

Sullivan, E., 2021. techtarget.com. [Online] Available at:

https://www.techtarget.com/searchdisasterrecovery/definition/businesscontinuity#:~:text=Business
%20continuity%20is%20an%20organization%27s,after%20a%20disaster%20h as%20occurred. [Accessed
26 04 2023].