
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name VU VIET DUNG Student ID BD00324

Class SE06203 Assessor name NGUYEN BAO QUOC

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature VIET DUNG

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

Performed Student: Vu Viet Dung


❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:


INTRODUCTION
IT security is essential in the current digital era. As technology has advanced, reliance
on network systems and processes has grown enormously. This increasing reliance may
compromise the safety, accuracy, and accessibility of vital information.

This report begins with an overview of the IT security field. The subjects we will concentrate
on include the foundations of information security and complex networks, including the
dangers and weaknesses that organizations confront. We will also examine a few strategies
used by businesses to safeguard their digital assets.


LO3 Review mechanisms to control organizational IT security.
1. Review risk assessment procedures in an organisation (P5)

1.1 Define a security risk and how to do risk assessment:

1.1.1 Security Risk:

Figure 1: Security Risk

A security risk is the possibility of a threat exploiting a vulnerability in an organization's
system or assets, leading to a potential loss or damage. We can express it mathematically as:

Risk = Threat × Vulnerability × Impact

➢ Here's a breakdown of the key terms:

- Threat: An action or event that could exploit a vulnerability. (e.g., hacking attempt,
malware infection, natural disaster)

- Vulnerability: A weakness in a system, asset, or process. (e.g., software bug, weak
password, physical security lapse)

- Impact: The negative consequence of a successful attack. (e.g., data breach, financial
loss, reputational damage, operational disruption)

➢ Risk Assessment:

- A risk assessment is a systematic process of identifying, analyzing, and prioritizing
potential security risks. It helps organizations understand their security posture, make
informed decisions about resource allocation, and implement appropriate mitigation
strategies.

1.1.2 How to Conduct a Risk Assessment:

Figure 2: How to Conduct a Risk Assessment

Here's a breakdown of the key steps involved in a risk assessment:

➢ Identify Assets: Define the valuable resources your organization possesses. These can
be categorized as:

- Tangible Assets: Physical objects like computers, servers, equipment, and facilities.

- Intangible Assets: Non-physical resources like customer data, intellectual property,
financial records, and brand reputation.

➢ Identify Threats: Recognize potential threats that could target your identified assets.
Consider:

- Internal Threats: Malicious or accidental actions by employees, contractors, or insiders.

- External Threats: Actions by unauthorized individuals or organizations, such as hackers,
cybercriminals, and competitors.

- Natural Disasters: Events like floods, fires, earthquakes, or power outages.

➢ Identify Vulnerabilities: Analyze your assets to pinpoint weaknesses that could be
exploited by identified threats. This involves looking at security controls and procedures in
place, such as:

- Network Security: Firewalls, intrusion detection systems, access controls.

- System Security: Operating system vulnerabilities, software bugs, patch management.

- Physical Security: Access control to buildings, data centers, and equipment.

- Data Security: Data encryption, access controls, user awareness training.

➢ Analyze Risk: Evaluate the likelihood of each threat occurring and the potential impact if
it succeeds. Use a risk scoring system to rank risks based on their severity.

➢ Develop Mitigation Strategies: Define actions to address the identified risks. This may
involve:

- Implementing security controls: Firewalls, intrusion detection systems, encryption

- Raising awareness: Training employees on security best practices

- Purchasing insurance: Mitigating financial losses

➢ Review and Monitor: Regularly review and update your risk assessment as your
organization and the threat landscape evolve.

1.2 Define assets, threats and threat identification procedures, and give examples

1.2.1 Assets:
Assets refer to the valuable resources, systems, or information that an organization or
individual possesses. These assets can include physical assets (such as buildings, equipment,
or vehicles), digital assets (such as data, software, or intellectual property), financial assets
(such as cash or investments), or human assets (such as skilled employees or key personnel).
Assets hold value and are critical to the functioning and success of an organization.

Figure 3: Assets

1.2.2 Threats:
Threats are potential dangers or risks that can exploit vulnerabilities in assets and cause
harm or damage. Threats can come in various forms, including natural disasters (such as
earthquakes or floods), human actions (such as theft or sabotage), technological failures (such
as system crashes or power outages), or cyber threats (such as hacking, malware, or phishing
attacks). Threats pose a risk to the availability, integrity, and confidentiality of assets.


Figure 4: Threats

1.2.3 Threat Identification Procedures:

Figure 5: Threat Identification Procedures

Threat identification procedures involve the systematic process of identifying and assessing
potential threats to assets. It helps organizations understand the risks they face and develop
effective strategies to mitigate those risks. Here are some common steps involved in threat
identification:


- Asset Inventory: Identify and document all the assets within the organization, including
physical, digital, financial, and human assets.

- Threat Sources: Identify potential sources or origins of threats that could target the
organization's assets. This may include internal sources (such as employees or
contractors) or external sources (such as competitors, hackers, or natural disasters).

- Threat Assessment: Evaluate the likelihood and potential impact of each identified threat
on the organization's assets. Consider factors such as the vulnerability of assets, the
capabilities of threat sources, and the potential consequences of successful attacks.

- Threat Documentation: Create a comprehensive list or database of identified threats,
including their characteristics, potential impacts, and likelihood of occurrence.

- Risk Prioritization: Prioritize the identified threats based on their potential impact and
likelihood. This helps allocate resources effectively and focus on addressing the most
critical threats first.

- Countermeasures: Develop and implement appropriate countermeasures or risk
mitigation strategies to minimize the vulnerabilities and potential impacts associated with
identified threats. This can include physical security measures, cybersecurity protocols,
emergency response plans, or employee training programs.

➢ Examples:

- Asset: A company's customer database containing personal information, such as names,
addresses, and credit card details.

- Threat: A cybercriminal attempting to hack into the company's network and steal
customer data.

- Threat Identification Procedure: The organization conducts regular vulnerability
assessments, penetration testing, and monitors network activity to identify potential cyber
threats and vulnerabilities.

- Countermeasure: The company implements firewalls, intrusion detection systems,
encryption protocols, and employee cybersecurity training to protect the customer
database from unauthorized access and data breaches.


1.3 List risk identification steps

Figure 6: Steps to identify risks

Risk identification is an essential process in risk management that involves identifying and
understanding potential risks that could affect an organization or project. Here are some
common steps involved in risk identification:

- Establish the Context: Define the scope and objectives of the risk identification process.
Understand the organization's or project's context, including its goals, stakeholders, and
external factors that could impact its success.

- Gather Information: Collect relevant information about the organization or project,
including documentation, reports, historical data, lessons learned, and expert opinions.
This information provides valuable insights into potential risks.

- Identify Risks: Brainstorm and identify potential risks that could affect the organization or
project. Encourage input from stakeholders, project team members, subject matter
experts, and other relevant parties. Use various techniques such as checklists, interviews,
workshops, and analysis of past incidents to identify risks.

- Categorize Risks: Group similar risks into categories or types to facilitate analysis and
prioritization. Common risk categories include financial risks, operational risks, technical
risks, legal and regulatory risks, and external risks.

- Assess Probability and Impact: Evaluate the likelihood or probability of each identified risk
occurring and assess its potential impact on the organization or project. This can be done
through qualitative assessment (using descriptive terms like low, medium, high) or
quantitative assessment (assigning numerical values to probability and impact).

- Analyze Risk Interdependencies: Consider how risks may be interconnected or have
dependencies on each other. Identify potential scenarios where the occurrence of one
risk could trigger or exacerbate other risks.

- Document Risks: Maintain a comprehensive list or register of identified risks, including
their descriptions, potential consequences, and any relevant contextual information. This
documentation serves as a reference for further risk analysis and management activities.

- Review and Validate: Review the identified risks with stakeholders and subject matter
experts to ensure their accuracy and relevance. Validate the risks based on available
data, expert opinions, and historical information.

- Update and Maintain the Risk Register: Regularly review and update the risk register as
new risks are identified or existing risks change in probability or impact. Ensure that the
risk register remains current and reflective of the evolving risk landscape.

- Communicate and Disseminate: Share the identified risks and associated information with
key stakeholders, decision-makers, and relevant parties. Effective communication
ensures that everyone is aware of the risks and can contribute to risk management
efforts.

1.4 Review risk assessment procedures in an organisation


Risk assessment procedures in an organization involve systematically evaluating and
analyzing potential risks to determine their likelihood and potential impact. Here are some key
steps typically included in risk assessment procedures:

- Establish the Risk Assessment Framework: Define the objectives, scope, and
methodology for conducting risk assessments within the organization. Establish the
criteria for evaluating risks, such as likelihood, impact, and risk tolerance levels.

- Identify Hazards and Risks: Identify and document the potential hazards or sources of
risks within the organization. This can involve conducting site visits, reviewing processes
and procedures, analyzing historical data, and engaging with relevant stakeholders.

- Assess Likelihood and Impact: Evaluate the likelihood of each identified risk occurring
and the potential impact it would have on the organization. This can be done through
qualitative assessments (using descriptive terms like low, medium, high) or quantitative
assessments (assigning numerical values to likelihood and impact).

- Evaluate Risk Levels: Combine the likelihood and impact assessments to determine the
overall risk level for each identified risk. This can be represented in a risk matrix or other
visual representation that helps prioritize risks based on their severity.

- Analyze Existing Controls: Evaluate the effectiveness of existing controls or mitigation
measures in place to address identified risks. Determine if the controls are adequate or if
additional measures are needed to reduce the risk to an acceptable level.

- Prioritize Risks: Prioritize the identified risks based on their severity, potential
consequences, and risk tolerance levels. This helps allocate resources effectively and
focus on addressing the most critical risks first.

- Risk Treatment: Develop and implement risk treatment strategies for each prioritized risk.
This may involve implementing additional controls, transferring the risk through insurance
or contracts, accepting the risk within defined tolerance levels, or avoiding the risk
altogether.

- Monitor and Review: Continuously monitor and review the effectiveness of risk treatments
and controls. Regularly reassess risks to account for changes in the organization's
environment, operations, or new emerging risks.

- Communication and Reporting: Communicate the results of risk assessments to relevant
stakeholders, management, and decision-makers. Provide clear and concise reports that
outline the identified risks, their assessment results, and recommended risk treatment
strategies.

- Documentation and Record Keeping: Maintain comprehensive documentation of the risk
assessment process, including the identified risks, assessment results, risk treatment
plans, and any changes or updates made over time. This documentation serves as a
reference for future risk management activities and audits.

Figure 7: Risk assessment procedures within an organization
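The likelihood and impact scoring, control analysis, prioritization and treatment steps listed above (and the risk scoring system mentioned in 1.1.2) can be run as a small risk register. This is an added example, not part of the original report; the 1-3 scale, the level cut-offs, the `control_effectiveness` factor, the treatment mapping and the sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed numeric mapping for the qualitative terms the report uses.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Assumed treatment per residual level, using the options listed in the report.
TREATMENT = {
    "high": "mitigate: add controls before accepting",
    "medium": "mitigate or transfer (e.g. insurance)",
    "low": "accept within tolerance and monitor",
}


@dataclass
class Risk:
    name: str
    likelihood: str                      # low / medium / high
    impact: str                          # low / medium / high
    control_effectiveness: float = 0.0   # 0.0 = no control, 1.0 = fully effective

    def __post_init__(self):
        # Reject ratings outside the agreed scale instead of scoring them silently.
        for rating in (self.likelihood, self.impact):
            if rating not in SCALE:
                raise ValueError(f"unknown rating {rating!r} for {self.name!r}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"control_effectiveness out of range for {self.name!r}")

    @property
    def inherent(self) -> int:
        # Risk before existing controls: likelihood x impact on a 3x3 matrix.
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def residual(self) -> float:
        # Risk left after existing controls are taken into account.
        return self.inherent * (1.0 - self.control_effectiveness)


def level(score: float) -> str:
    """Bucket a 1-9 matrix score into a qualitative level (assumed cut-offs)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(register):
    """Return the register ranked by residual risk, highest first."""
    rows = [
        {"name": r.name, "inherent": r.inherent, "residual": r.residual,
         "level": level(r.residual), "treatment": TREATMENT[level(r.residual)]}
        for r in register
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register, not data from the report.
REGISTER = [
    Risk("Customer database theft by external attacker", "high", "high", 0.5),
    Risk("Power outage at the data centre", "low", "high"),
    Risk("Weak passwords on staff accounts", "high", "medium"),
    Risk("Lost visitor badge", "low", "low"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['residual']:>4.1f}  {row['level']:<6}  {row['name']}: {row['treatment']}")
```

The database-theft risk has the highest inherent score, but its existing controls drop it below the uncontrolled weak-password risk, which is why control analysis comes before prioritization.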


2. Explain data protection processes and regulations as applicable to an organisation (P6)

2.1 Define data protection

Figure 8: data protection

Data protection refers to the practices, measures, and regulations designed to safeguard
sensitive and personal data from unauthorized access, use, disclosure, alteration, or destruction.
It involves the implementation of security controls and policies to ensure the confidentiality,
integrity, and availability of data throughout its lifecycle.

Data protection is crucial in today's digital age, where organizations and individuals generate
and handle vast amounts of data. This data can include personally identifiable information (PII),
financial information, health records, intellectual property, trade secrets, and other sensitive
information.

➢ The primary objectives of data protection are:

- Confidentiality: Ensuring that data is accessible only to authorized individuals or entities
who have a legitimate need to access it. This involves implementing access controls,
encryption, and other measures to prevent unauthorized disclosure or data breaches.

- Integrity: Maintaining the accuracy, consistency, and reliability of data by preventing
unauthorized modification, deletion, or tampering. Data integrity controls, such as
checksums, digital signatures, and audit trails, help detect and prevent unauthorized
changes.

- Availability: Ensuring that data is accessible and usable by authorized individuals or
systems when needed. This involves implementing backup and disaster recovery
mechanisms to protect against data loss or disruptions.

- Compliance: Adhering to relevant laws, regulations, and industry standards pertaining to
data protection and privacy. This includes complying with data protection regulations such
as the EU General Data Protection Regulation (GDPR) or the California Consumer
Privacy Act (CCPA).

➢ Data protection encompasses various practices and measures, including:

- Data Privacy Policies: Establishing clear policies and procedures that define how data is
collected, processed, stored, and shared. These policies provide guidelines for handling
data in a privacy-conscious manner.

- Data Encryption: Using encryption techniques to secure data both in transit (e.g., during
transmission over a network) and at rest (e.g., when stored on servers or devices).
Encryption ensures that even if data is intercepted or accessed by unauthorized parties, it
remains unreadable and unusable.

- Access Controls: Implementing mechanisms to control and restrict access to data based
on user roles, privileges, and the principle of least privilege. Access controls help prevent
unauthorized access and ensure that only authorized individuals can view or modify data.

- Data Backup and Recovery: Regularly backing up data and implementing disaster
recovery plans to ensure data availability in case of system failures, natural disasters, or
other disruptions. Backups help restore data to a previous state and minimize the impact
of data loss.

- Security Monitoring and Incident Response: Deploying security monitoring tools and
processes to detect and respond to security incidents, such as data breaches or
unauthorized access attempts. Incident response plans outline the steps to be taken in
case of a data breach or other security incident.

- Employee Training and Awareness: Providing training and awareness programs to
employees to educate them about data protection best practices, security protocols, and
their role in safeguarding data. This helps create a security-conscious culture within the
organization.

2.2 Explain data protection process and regulations in an organization


Data protection is the process of protecting sensitive information from unauthorized access,
use, disclosure, interruption, modification or destruction. Organizations that collect and process
personal data are responsible for protecting that data and complying with relevant data
protection regulations.

Figure 9: Data protection processes and regulations within an organization

➢ Data Protection Process:

- Data Identification: Identify all the data your organization collects and stores. This
includes personal data (e.g., names, addresses, phone numbers, email addresses),
financial data, and intellectual property.

- Data Classification: Classify the data based on its sensitivity. Higher sensitivity requires
stricter protection measures.

- Implementation of Controls:

• Technical controls: Firewalls, encryption, access controls, intrusion detection systems.

• Physical controls: Secure storage facilities, access control to devices and buildings.

• Organizational controls: Data protection policies, user training, incident response
procedures.

- Data Access Management: Define who has access to the data and what level of access
they need (read-only, edit, etc.). Implement access controls to enforce these restrictions.

- Data Retention: Define a data retention policy that outlines how long data will be stored
and the process for secure disposal when it's no longer needed.

- Data Breach Response: Develop a data breach response plan to identify, contain, and
report data breaches promptly.
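The identification, classification, control and retention steps above can be checked mechanically against a data inventory. This is an added example, not part of the original report; the classification labels, control baselines, retention periods and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scheme: the report only states that higher sensitivity requires
# stricter protection; these labels, baselines and periods are illustrative.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest", "encryption_in_transit"},
}
RETENTION_DAYS = {"public": None, "internal": 3 * 365, "confidential": 365}


@dataclass
class DataSet:
    name: str
    classification: str   # one of REQUIRED_CONTROLS, or "" if never classified
    controls: frozenset   # controls actually implemented
    collected: date       # when the oldest record was collected


def review(ds: DataSet, today: date) -> list:
    """Return the findings for one data set; an empty list means compliant."""
    if ds.classification not in REQUIRED_CONTROLS:
        # Unclassified data cannot be checked against any baseline.
        return ["not classified: classify before any other check"]
    findings = [f"missing control: {c}"
                for c in sorted(REQUIRED_CONTROLS[ds.classification] - ds.controls)]
    limit = RETENTION_DAYS[ds.classification]
    if limit is not None and (today - ds.collected).days > limit:
        findings.append("retention period exceeded: schedule secure disposal")
    return findings


def audit(inventory, today):
    """Map each data set name to its findings."""
    return {ds.name: review(ds, today) for ds in inventory}


# Constructed inventory and review date, not data from the report.
TODAY = date(2024, 6, 1)
INVENTORY = [
    DataSet("customer_db", "confidential",
            frozenset({"access_control", "encryption_in_transit"}), date(2022, 1, 10)),
    DataSet("staff_handbook", "internal", frozenset({"access_control"}), date(2023, 3, 1)),
    DataSet("marketing_brochure", "public", frozenset(), date(2019, 5, 20)),
    DataSet("legacy_export", "", frozenset(), date(2021, 7, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "->", findings or "ok")
```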

➢ Data Protection Regulations:

- Many countries and regions have implemented data protection regulations that dictate
how organizations must handle personal data. Some prominent examples include:

• General Data Protection Regulation (GDPR): A regulation in EU law on data protection
and privacy in the European Union (EU) and the European Economic Area (EEA).

• California Consumer Privacy Act (CCPA): Regulates the collection and use of consumer
data by businesses in the State of California.

• Health Insurance Portability and Accountability Act (HIPAA): A federal law in the United
States that protects sensitive patient health information.

2.3 Why are data protection and security regulation important.


Data protection and security regulations are important for several key reasons:

➢ Individual Privacy Protection:

- Safeguards personal information: These regulations establish rules on how organizations
collect, store, and use personal data. This helps protect individuals from unauthorized
access, misuse, or exploitation of their personal information.

- Empowers individuals: Regulations often grant individuals rights to control their data. This
can include the right to access, rectify, or erase their data, giving them more control over
their privacy.

Figure 10: Individual Privacy Protection

➢ Organizational Benefits:

- Builds trust with customers: By demonstrating a commitment to data protection,
organizations can build trust and confidence with customers who are increasingly
concerned about their privacy.

- Reduces risk of data breaches: Regulations often require organizations to implement
security measures to protect data. This helps reduce the risk of costly data breaches,
which can lead to financial losses, reputational damage, and legal penalties.

- Ensures compliance: Regulations provide a clear framework for organizations to follow
regarding data handling. Compliance avoids legal repercussions and fines for
mishandling data.

Figure 11: Organizational Benefits

➢ Societal Advantages:

- Protects vulnerable populations: Regulations often offer additional protections for
sensitive data categories like health information or children's data.

- Promotes responsible data practices: Regulations establish standards for data collection
and use, encouraging responsible practices that benefit society as a whole.

- Levels the playing field: Regulations create fair competition by ensuring all organizations
adhere to similar data protection standards.

Figure 12: Societal Advantages


3. Design a suitable security policy for an organisation, including the main components
of an organisational disaster recovery plan (P7)
