ASM Security

ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Vo Thi Minh Thu Student ID GCD210164

Class GCD1105 Assessor name Tran Thanh Truc

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature Thu

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:  Resubmission Feedback:

Grade: Assessor Signature: Date:

Lecturer Signature:
Table of Contents
Task 1 - Review the risk assessment process in an organization (P5)
1. Identify security risks and how to perform a risk assessment
1.1. Security risks
1.2. Risk assessment
2. Identify assets, threats, and threat identification and placement processes
2.1. Assets
2.2. Threats
2.3. Threat identification
3. List risk identification steps
3.1. Identification
3.2. Assessment
3.3. Mitigation
3.4. Prevention
4. Review risk assessment procedures in an organization
Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
2. Explain data protection process
3. Why are data protection and security regulation important?
Task 3 - Design a suitable security policy for an organisation, including the main components of an organisational
disaster recovery plan (P7)
1. Define a security policy and discuss about it
2. Give an example for each of the policies
2.1. Firewall Rules Policy
2.2. Intrusion Prevention policy
2.3. Secure Communication Policy
2.4. Live Update policy
3. Give the must and should that must exist while creating a policy
4. Explain and write down elements of a security policy, including the main components of an organisational
disaster recovery plan
5. Give the steps to design a policy
Task 4 - Discuss the roles of stakeholders in the organisation in implementing security audits (P8)
1. Define stakeholders
2. What are their roles in an organization?
3. Define security audit and state why you need it
4. Recommend the implementation of security audit to stakeholders in an organization
REFERENCES

Table of Figures
Figure 1: Data protection
Figure 2: Security policy
Figure 3: Firewall Rules Policy
Figure 4: Intrusion Prevention policy
Figure 5: Secure Communication Policy
Figure 6: LiveUpdate policy
Figure 7: Determine the problem
Figure 8: Problem Formulation
Figure 9: Scenario Evaluation
Figure 10: Make a decision
Figure 11: Stakeholders

Task 1 - Review the risk assessment process in an organization (P5)

1. Identify security risks and how to perform a risk assessment

1.1. Security risks


Security risks are situations, events or conditions that may cause loss, pose a hazard or affect the security
of information, systems or organizations. This could be a hacker attack, data loss, a security vulnerability
in the system, or even a deficiency in information security policy or process.

1.2. Risk assessment


Risk assessment is the process of analyzing, evaluating, and quantifying potential or actual factors that
could have a negative impact on a target, project, or organization. It includes identifying risks, measuring
their impact, and assessing the likelihood of their occurrence in order to prepare measures to limit,
regulate or accept the risk. The ultimate goal is to help organizations better understand risks and prepare to
respond when they occur.

2. Identify assets, threats, and threat identification and placement processes

2.1. Assets
An asset is any data, device, or other component of the environment that supports information-related
activities in information security, computer security, and network security. Hardware (e.g., servers and
switches), software (e.g., mission-critical applications and support systems), and private information are
examples of assets. Assets should be safeguarded against unauthorized access, use, disclosure, alteration,
destruction, and/or theft, any of which might result in loss to the organization.

Types of asset:

• Information assets:

This category includes all information regarding your organization. This data has been collected,
categorised, arranged, and stored in a variety of formats. Databases include data on your customers,
employees, production, sales, marketing, and finances. This information is important to your company's
success. Its secrecy, integrity, and availability are critical.

Data files: Transactional data that provides current information on each occurrence.

Operational and support procedures: These have evolved over time and include thorough instructions on how
to carry out various operations.

Historical information: Old information that may be required by law to be kept.

Continuity and fallback plans: These are devised to overcome any calamity and ensure business continuity. In
the absence of these, ad hoc decisions will be made during a crisis.

• Software assets:

Application software: Application software executes the organization's business rules. The development of
application software takes time. The integrity of application software is critical. Any defect in the
application software might have a negative influence on the business.

System software: An enterprise would invest in a variety of packaged software applications such as
operating systems, database management systems (DBMS), development tools and utilities, software
packages, office productivity suites, and so on.

• Physical assets: These are the visible and tactile items that may include:

Computer hardware: mainframe computers, servers, desktop computers, and laptop computers.

Communication equipment: modems, routers, EPABXs, and fax machines.

Storage media: magnetic tapes, disks, CDs, and DATs.

Technical equipment: power supplies and air conditioners.

Fixtures and furniture.

2.2. Threats
A threat is anything that may cause danger, loss, or risk to the assets, operations, or security of an
organization or individual. These can be events, conditions, or behaviors that can cause loss, deterioration,
or endangerment of an organization's systems, data, or processes. Threats can include cyber attacks,
security breaches, data loss, natural incidents such as fire or natural disasters, or even improper behavior
from employees.

A threat may also arise in response to a new or newly discovered event that has the potential to harm a
system or your organization as a whole. Threats are classified into three types:

Physical Threat: Includes any incident or hazard to the facility, such as fire, flood, natural disaster, or
mechanical failure.

Digital or cyber threats: Relates to any risks associated with computer systems and information, including
computer viruses, hacker attacks, data loss or system failure.

Threats to humans or society: Includes any threatening or harmful behavior from humans, such as fraud,
cybercrime, or national security risks.

2.3. Threat identification


Threat identification is the process of identifying and analyzing factors, situations, or hazards that may
cause danger, loss, or negative consequences to systems, organizations, individuals, or the environment. In
the field of information security or risk management, threat identification is important to be able to put in
place more effective prevention and protection measures. This often involves analyzing different aspects
of a situation to identify and assess possible risks and find ways to respond to them.

3. List risk identification steps


A security risk assessment identifies, evaluates, and applies important application security measures. It is
also concerned with preventing application security flaws and vulnerabilities. A risk assessment enables an
organization to examine its application portfolio holistically, from the perspective of an attacker. It assists
managers in making educated decisions about resource allocation, tools, and security control
implementation. As a result, completing an assessment is an essential component of an organization's risk
management strategy. (adserosecurity, n.d.)

The depth of risk assessment models is affected by factors such as size, growth rate, resources, and asset
portfolio. When faced with money or time restrictions, organizations might conduct generic evaluations.
Generalized assessments, on the other hand, may not always give thorough mappings between assets, related
threats, recognized risks, effects, and mitigation mechanisms.

The risk assessment procedure:

3.1. Identification
Determine all of the technological infrastructure's important assets. Next, examine the sensitive data
generated, held, or sent by these assets. Make a risk profile for each one.

3.2. Assessment
Implement a strategy for assessing the identified security threats for important assets. Determine ways to
effectively and efficiently deploy time and resources to risk reduction after comprehensive review and
assessment. The assessment technique or strategy must examine the relationship between assets, threats,
vulnerabilities, and mitigating controls.

3.3. Mitigation
Define a risk mitigation strategy and implement security measures for each risk.

3.4. Prevention
Implement tools and practices to reduce the likelihood of threats and vulnerabilities occurring in your firm's
resources.

4. Review risk assessment procedures in an organization


The risk identification and management process consists of five key components: risk identification, risk
analysis, risk evaluation, risk treatment (risk management), and risk monitoring.

• Risk Identification: It is the process of determining what, where, when, why, and how something may
impair a company's capacity to function. For example, a company in central California would list "the
likelihood of wildfire" as an event that could disrupt operations.

• Risk Analysis: This phase entails determining the likelihood that a risk event will occur as well as the
probable outcomes of each occurrence. Using the California wildfire as an example, safety managers may
examine how much rain fell in the previous 12 months and the level of damage the organization could suffer
if a fire broke out.

• Risk Evaluation: Risk evaluation assesses the amount of each risk and ranks them based on prominence
and consequence. For example, the consequences of a potential wildfire may be balanced against the
consequences of a potential mudslide. Whichever event is assessed to have a larger likelihood of occurring
and causing harm ranks higher.

• Risk Management: Risk management is also known as risk response planning. Based on the estimated
value of each risk, risk mitigation techniques, preventative treatment, and contingency plans are developed
in this stage. In the case of a wildfire, risk managers may decide to keep extra network servers offsite so that
corporate activities may continue even if an onsite server is damaged. Employee evacuation plans may also
be developed by the risk management team.

• Risk Monitoring: This is a continuous process that adjusts and develops over time. Repeating and
continuously monitoring the procedures helps ensure that all known and unknown hazards are covered.
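The five stages above can be worked through on a small risk register. The following is an added example written for this page, not code from the assignment or any cited source; the 5 x 5 likelihood/impact scales, the appetite threshold and the register entries (built around the wildfire scenario in the text) are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Qualitative scales for the register (constructed for this example; 1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One row of the risk register: the output of risk identification and risk analysis."""
    event: str        # what could impair the company's capacity to function
    asset: str        # the asset it threatens
    likelihood: str   # analysed probability of occurrence (key of LIKELIHOOD)
    impact: str       # analysed consequence if it occurs (key of IMPACT)

    def score(self) -> int:
        # Risk evaluation: size of the risk as likelihood x impact on the 5 x 5 matrix.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(register: list[Risk]) -> list[Risk]:
    """Rank risks highest first; on equal scores the higher-impact event ranks higher."""
    return sorted(register, key=lambda r: (-r.score(), -IMPACT[r.impact], r.event))


def treatment(risk: Risk, appetite: int = 8) -> str:
    """Risk treatment decision. `appetite` is the highest score the organisation accepts
    without new controls (an assumed threshold; management sets the real one).
    High-impact events are never accepted on score alone: a rare but severe event
    scores low on likelihood yet still needs a contingency plan."""
    score, impact = risk.score(), IMPACT[risk.impact]
    if score >= 15 or impact == 5:
        return "mitigate now"   # controls plus a contingency plan (e.g. offsite servers)
    if score > appetite or impact >= 4:
        return "mitigate"       # plan controls within the next review cycle
    return "accept"             # record it and keep monitoring


def reassess(risk: Risk, **changes) -> Risk:
    """Risk monitoring: the register is re-scored when conditions change."""
    return replace(risk, **changes)


# Constructed register for an office in central California, following the page's example.
REGISTER = [
    Risk("wildfire", "onsite server room", "possible", "severe"),
    Risk("mudslide", "site access road", "unlikely", "major"),
    Risk("ransomware on file server", "customer database", "likely", "major"),
    Risk("power cut under one hour", "office workstations", "likely", "minor"),
]

if __name__ == "__main__":
    for r in evaluate(REGISTER):
        print(f"{r.score():>2}  {r.event:<28} {treatment(r)}")
    # A dry year raises the wildfire likelihood; monitoring feeds the new value back in.
    print(reassess(REGISTER[0], likelihood="likely").score())
```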

Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
Data protection is the process of protecting critical data from corruption, compromise, or loss, and
providing the ability to restore data to a functional state if something happens to make the data
inaccessible or unusable. Data protection ensures that data is not corrupted, is accessible only
for authorized purposes, and complies with applicable legal or regulatory requirements. Protected data
must be available when needed and usable for the intended purpose. However, the scope of data protection
goes beyond the concept of data availability and usability to include areas such as data
immutability, preservation, and deletion/destruction. Roughly speaking, data protection includes three
main types, namely traditional data protection (such as backup and restore), data security and
data privacy. The processes and technologies used to protect and secure data can be considered data
protection mechanisms and business practices to achieve the overall goal of continuous availability and
immutability of critical business data. (SNIA, 2023)

Figure 1: Data protection

2. Explain data protection process


The data protection process includes a series of steps and measures taken to ensure the safety,
security and integrity of data throughout its use. Below is a description of the data protection
process:

 Evaluate and Classify Data: Identify and classify data based on sensitivity, value, and importance
to the organization. This step helps prioritize data protection efforts based on the importance of
each type of data.

 Risk Assessment: Evaluate potential threats and vulnerabilities that could affect data. This includes risk
analysis from internal and external sources that could lead to data compromise, unauthorized
access, or data loss.

 Implement Security Measures: Based on the risk assessment, deploy appropriate security measures and
tools to protect data. These may include encryption, access controls, firewalls, antivirus software, and
periodic updates.

 Data Preservation and Destruction: Establish policies and procedures for data preservation and
destruction. Remove data that is no longer needed securely and in compliance with legal
requirements.

 Monitoring and Incident Response: Implement monitoring tools and processes to detect any
suspicious activity or security breaches. Develop a response plan to immediately remediate any
security breach or incident.

3. Why are data protection and security regulation important?


To begin with, the goal of personal data protection is to protect people's basic rights and freedoms in relation
to their data, not simply their data. It is possible to ensure that people's rights and freedoms are not
compromised while preserving personal data. For example, inaccurate personal data processing may result
in a person being passed over for a job opportunity or, worse, losing their present employment.

Second, failing to comply with personal data privacy standards can lead to much worse consequences, such
as removing all funds from a person's bank account or even causing a life-threatening scenario by altering
health information.

Third, data protection rules are required to ensure fair and consumer-friendly commerce and service
offerings. Personal data protection legislation creates a system in which, for example, personal data cannot be
freely traded, giving consumers more control over who makes them offers and what type of offers they
make.

Task 3 - Design a suitable security policy for an organisation, including the main components of an
organisational disaster recovery plan (P7)

1. Define a security policy and discuss about it


A security policy is a written document that outlines how a corporation intends to secure its physical and
information technology (IT) assets. Security policies are dynamic documents that are constantly updated
and modified as technology, vulnerabilities, and security needs evolve. An acceptable usage policy may be
included in a company's security policy. These indicate how the organization intends to educate its staff
about asset protection. They also include a description of how security measures will be implemented and
enforced, as well as a method for reviewing the policy's efficacy to ensure that required adjustments are
made. (Ben Lutkevich, n.d.)

Figure 2: Security policy

Security policies are crucial because they safeguard an organization's physical and digital assets.

They identify all of the company's assets as well as any risks to those assets.

• Physical security rules are designed to safeguard a company's physical assets, such as buildings and
equipment (computers and other IT equipment). Data security rules safeguard intellectual property
from expensive incidents such as data breaches and data leaks.

Physical security rules safeguard an organization's physical assets, which include buildings, cars,
inventories, and machinery. IT equipment such as servers, computers, and hard drives are examples of these
assets.

Protecting physical IT assets is critical because physical equipment carries company data. If a physical IT asset
is compromised, the data it stores and manages is jeopardized. To keep company data safe, information security
policies rely on physical security standards.

Why Should Security Policies Be Implemented?

Security breaches are unavoidable. Critical judgments and defensive actions must be made quickly and
precisely. A security policy specifies what must be done to safeguard data kept on computers. A well-written
policy defines the "what" to accomplish so that the "how" may be recognized, assessed, or evaluated.

Without a security policy, any company is vulnerable to the outside world. It is vital to note that in order to
define your policy requirements, you must first do a risk assessment. This may need an organization defining
levels of sensitivity for information, processes, procedures, and systems.

2. Give an example for each of the policies

2.1. Firewall Rules Policy:


When a user connects to an unsecured, open network like the Internet, they open the door to potential
attacks. Employing firewalls at the connection point is one of the best ways to defend against
exploitation from an unsecured network, since organizations must preserve their private networks and
communication facilities.

Figure 3: Firewall Rules Policy

There should be rules and enforcement policies that change depending on the kind of firewall and network
resource deployment, such as:

• In the case of dedicated server access, an application proxy firewall must be installed between the remote
user and the dedicated server to conceal the server's identity.

• If traffic filtering is required based on source and destination IP addresses and ports, packet-filtering
firewall placement is highly beneficial and improves transmission speed.

• When speed is not an issue, a stateful inspection firewall (one that keeps a state table) at the network
boundary is a good choice, since it dynamically tracks each connection and passes only packets belonging to it.

• Furthermore, NAT should be used because it supplements the use of firewalls in providing an additional
level of security for an organization's internal network, particularly in avoiding DDoS or multiple SYN
flooding attacks.

• IP packet filtering can be used if you want a finer level of control than simply prohibiting an
IP address from talking to your server.

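The packet-filtering and stateful-inspection rules described above, combined in one small filter as an added example written for this page (not code from the assignment or any firewall product); the addresses, the rule set and the SYN-based notion of a "new connection" are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    """One packet-filtering rule matched on protocol, source/destination network and port."""
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR, e.g. "0.0.0.0/0" for any source
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """Packet filter with a state table (stateful inspection). Rules are evaluated only for
    new connections; packets belonging to an allowed connection pass on the state lookup."""

    def __init__(self, rules: list[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default          # policy when no rule matches; "deny" is the safe default
        self.state: set[tuple] = set()  # allowed connections as (proto, src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reply in self.state:
            return "allow (established)"
        # A TCP packet that is not a SYN and has no state entry is not a new connection:
        # it is a stray or forged segment and is dropped even if a rule would allow the port.
        if p.proto == "tcp" and not p.syn:
            return "deny (no state)"
        for rule in self.rules:             # first matching rule wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(key)     # remember the connection for its replies
                return rule.action
        return self.default


def build_firewall() -> StatefulFirewall:
    """Constructed policy: public web server 10.0.0.5, SSH only from the admin LAN 10.0.1.0/24."""
    return StatefulFirewall([
        Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443),
        Rule("allow", "tcp", "10.0.1.0/24", "10.0.0.5/32", 22),
        Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),      # explicit final deny
    ])


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.filter(Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, syn=True)))   # allow
    print(fw.filter(Packet("tcp", "10.0.0.5", 443, "203.0.113.7", 51000)))             # allow (established)
    print(fw.filter(Packet("tcp", "203.0.113.7", 51001, "10.0.0.5", 22, syn=True)))    # deny
```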
2.2. Intrusion Prevention policy
This policy identifies and stops network and browser attacks automatically. It also safeguards applications
against vulnerabilities. It examines the contents of one or more data packets and detects malware that has
entered the system through otherwise legitimate traffic.

Figure 4: Intrusion Prevention policy

2.3. Secure Communication Policy


Unencrypted data passing through the various devices on the network, including switches and routers, is subject
to many attacks, including spoofing, SYN flooding, sniffing, data manipulation, and session hijacking.
Although you have no control over the devices through which your data may transit, you can safeguard sensitive
data, or to some extent prevent the communication path from exposing it, by encrypting it. As a result, the use
of ciphering techniques such as SSL, TLS, IPsec, PGP, and SSH can encrypt all types of
communication such as HTTP, POP3, IMAP, and FTP, because SSL packets can pass through
firewalls, NAT servers, and other network devices with no special considerations other than ensuring the
proper ports are open on the network device.

Figure 5: Secure Communication Policy

2.4. Live Update policy


There are two sorts of policy in this category. The first is the LiveUpdate Content Policy, and the second is
the LiveUpdate Settings Policy. The LiveUpdate policy contains the parameters that control when and how
client computers get LiveUpdate content updates. We may specify which computers clients contact to
check for updates, as well as when and how frequently their computers check for updates.

Figure 6: LiveUpdate policy

3. Give the must and should that must exist while creating a policy
When creating a policy, especially a security policy, there are important elements that must be present to
ensure its effectiveness:

Required Ingredients:

 Objective and Scope: Clearly define the objective of the policy and its scope of application. They
need to specify what the policy is intended to achieve and the areas it covers within the
organization.

 Roles and Responsibilities: Outline the roles and responsibilities of individuals or departments
related to the policy. Clearly identify who is responsible for various aspects of policy compliance
and implementation.

 Acceptable Use: Set clear guidelines for the use of resources, technology and data within the
organization. Determine what actions are allowed and what actions are prohibited.

 Data Protection and Disposal: Establish protocols to protect sensitive data, including encryption,
access control, storage and disposal of data when no longer needed.

 Access Control and Authentication: Identify measures to control access to systems, applications,
and data. Includes guidance on user authentication, password management, and access rights.

 Incident Response Plan: Develop a plan that describes the steps to take when a security incident or
breach occurs. Include reporting procedures, containment steps, investigation and recovery processes.

 Legal and Regulatory Compliance: Ensure policy compliance with laws, regulations and industry
standards applicable to the organization's operations.

Recommended Ingredients:

 Employee Training and Awareness: Provide training and awareness programs to educate
employees about the policy, its importance, and their responsibilities.

 Periodic Review and Updates: Schedule periodic reviews of the policy to ensure it remains
relevant and effective. Update policies as needed to respond to new threats or regulatory changes.

 Enforcement and Consequences: Clearly identify the consequences of policy violations and the
enforcement measures. This may include disciplinary action or legal consequences for non-
compliance.

 Documentation and Communication: Policy documentation needs to be created carefully, and
the policy must be communicated effectively within the organization. Make sure it is easily accessible
to all stakeholders.

 Support from Senior Management: Ensure support from senior management, demonstrating
commitment to policy implementation. This helps build a culture of compliance throughout the
organization.

4. Explain and write down elements of a security policy, including the main components of an
organisational disaster recovery plan
A security policy may be as comprehensive as you want it to be, but it must be enforced in its entirety,
including everything from IT security to the protection of connected physical assets. The following list
contains some critical factors to consider while building an information security policy.

Purpose:

• Create a comprehensive information management plan.

• Detect and prevent information security breaches involving network usage, data, applications, and computer
systems.

• Maintain the organization's reputation while adhering to ethical and legal obligations.

• Customer rights must be respected, including how to respond to noncompliance inquiries and complaints.

Audience: Define the security group to which the Security Policy applies. You can also define which
audiences are not covered by the policy (for example, personnel in another business unit that controls
security independently may not be covered by the policy).

Information security objectives:

• Individuals with access to data and information assets must maintain confidentiality.

• Data should be intact, correct, and complete, and IT systems should be kept operational.

• Users should be able to access information or systems if necessary.

Authority and access control policy:

• A senior manager may have the authority to decide with whom and what data can be shared, in a
hierarchical manner. A senior manager's vocabulary for security rules may differ from that of a junior
employee. The policy should define the amount of power over data and IT systems for each organizational
role.

• Users can access corporate networks and servers only through specialized logins that require
authentication, such as passwords, biometrics, ID cards, or tokens. You should monitor all systems and log
all attempts to log in.

Data classification: The policy should categorize data into categories such as "top secret," "secret,"
"confidential," and "public." Your goal in categorizing data is to:

• guarantee that sensitive material is not accessible to those with lesser clearance levels;

• secure very important data while avoiding unnecessary security procedures for inconsequential data.
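The classification goals just listed, together with the "Evaluate and Classify Data" and "Implement Security Measures" steps of the data protection process in Task 2, as an added example written for this page (not code from the assignment or any cited source). The four levels are the page's; the field-to-level rules and the controls required per level are constructed assumptions a real policy would define.

```python
from dataclasses import dataclass

# Classification levels from the policy, ordered from least to most sensitive.
LEVELS = ["public", "confidential", "secret", "top secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Handling controls required per level. Constructed for this example: the policy decides the real
# mapping. Higher levels get more controls; public data gets none beyond normal hygiene, which is
# the second goal above (no unnecessary procedures for inconsequential data).
CONTROLS = {
    "public": set(),
    "confidential": {"access control"},
    "secret": {"access control", "encryption at rest"},
    "top secret": {"access control", "encryption at rest", "encryption in transit", "audit logging"},
}


@dataclass(frozen=True)
class Document:
    name: str
    level: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: str


def classify(record: dict) -> str:
    """Evaluate-and-classify step: derive a level from the fields a record contains.
    The field names and the level each one triggers are assumptions for this example."""
    fields = set(record)
    if "trade_secret" in fields:
        return "top secret"
    if fields & {"health_record", "bank_account"}:
        return "secret"          # data whose misuse could cause serious harm to a person
    if fields & {"email", "phone", "home_address"}:
        return "confidential"    # personal data, limited to staff with a need to know
    return "public"


def can_read(user: User, doc: Document) -> bool:
    """No read-up: a subject may read only documents at or below its own clearance level."""
    return RANK[user.clearance] >= RANK[doc.level]


def missing_controls(doc: Document, applied: set) -> set:
    """Controls the policy requires for this document's level that have not been applied."""
    return CONTROLS[doc.level] - applied


def access(user: User, doc: Document, log: list) -> bool:
    """Access check that records every attempt, allowed or denied, for later monitoring."""
    allowed = can_read(user, doc)
    log.append((user.name, doc.name, doc.level, "allowed" if allowed else "denied"))
    return allowed


if __name__ == "__main__":
    # Constructed records and users.
    payroll = Document("payroll", classify({"employee": "A. Example", "bank_account": "[constructed]"}))
    audit_log = []
    print(payroll.level)                                              # secret
    print(access(User("alice", "confidential"), payroll, audit_log))  # False
    print(missing_controls(payroll, {"access control"}))              # {'encryption at rest'}
    print(audit_log)
```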

Data support and operations:

• Data security legislation: systems that hold personal or sensitive data must be safeguarded in accordance
with operational guidelines, best practices, industry enforcement requirements, and relevant regulations.
Encryption, a firewall, and virus protection are among the security requirements.

• Data backup: encrypt data backups in accordance with industry best practices. Securely store backup
media, or migrate backups to secure cloud storage.

• Only data communication over secure protocols is allowed for file transfer. Encrypt all information
copied to portable devices or sent over a public network.

Security awareness and behavior:

• Social engineering—emphasize the hazards of social engineering attacks (such as phishing emails).
Employees should be held accountable for detecting, preventing, and reporting such attacks.

• Clean desk policy—use a cable lock to protect computers. Documents that are no longer needed should be
shredded. Keep printer locations tidy to avoid papers falling into the wrong hands.

• Acceptable Internet usage policy—define how Internet use should be regulated. Do you allow
YouTube and other social media websites? Using a proxy, you may block undesirable websites.

Responsibilities, rights, and duties of personnel: Appoint personnel to do user access checks, education,
change management, incident management, security policy execution, and periodic updates. As part of the
security policy, responsibilities should be clearly specified.

5. Give the steps to design a policy


Step 1: Determine the problem:

The first stage in policy design is to formulate the problem to be addressed in order to legitimize it as a
community-wide concern. Typically, the public raises a problem in response to a need or a gap in service
delivery. The investigation of current policies to identify how they have dealt with the problem/issue to date
is therefore a useful starting point. Furthermore, identifying the stakeholders and actors affected by the issue
aids in understanding the magnitude of the problem and who to involve in collaborative problem-solving.

Figure 7: Determine the problem

Step 2: Problem Formulation

Once the problem has been recognized, the hypotheses have been proven, and the goals and objectives have
been determined and discussed with the greater community, policy formulation may begin. Policy
formulation seeks to identify and mobilize a set of solution alternatives in connection to the issue, with the
goal of determining which option is best suited to handle the problem in light of available resources and
current restrictions. The creation of scenarios (both written and visual) can aid in the comprehension and
development of alternate methods and actions.

Figure 8: Problem Formulation

Step 3: Scenario Evaluation

Once scenarios have been created to reflect several policy alternatives for dealing with the identified problem, the
optimal option in terms of strategies and actions may be selected. Scenario analysis also includes the
(re)tuning of current policy actions, which is done through short experiments (pilot tests) and public debate.
On-the-ground experiments often aim to test various solutions on a small scale in order to determine
potential implications, which may be a time-consuming and costly operation. In many circumstances, it may
be possible to simulate visualisations of various policy alternatives in order to investigate the implications
digitally.

Figure 9: Scenario Evaluation

Step 4: Make a decision

To make a decision, a clear description of the problem, the policy and its scenario, and public acceptance of
the policy must be prepared for presentation and discussion within the public unit accountable for the
decision. The process narrative is relevant to the decision: how the problem was explored, how data was
collected and used, how goals and objectives were identified and translated into strategies and actions, how
impacts were simulated and computed, why some options were preferred over others, and what the public's
contribution to the entire process was. Once a decision has been made, the policy is ready for
implementation.

Figure 10: Make a decision

Task 4 - Discuss the roles of stakeholders in the organisation in implementing security audits (P8)

1. Define stakeholders
A stakeholder is an individual, group or organization affected by the outcome of a project or business
activity. Stakeholders have an interest in the success of the project and may be inside or outside the
organization sponsoring the project. Stakeholders are important because they can have a positive or
negative influence on the project with their decisions. There are also important or key stakeholders whose
support is needed for the project to survive. A stakeholder is an individual, just like any other member of
the project, and some are easier to manage than others. You will have to learn how to use stakeholder
mapping techniques to identify who your key stakeholders are and ensure you meet their requirements.
(Landau, 2022)

Figure 11: Stakeholders

2. What are their roles in an organization?


In an organization, stakeholders have different roles that contribute to the organization's operations,
development and success:

• Investors/Shareholders:

Provide financial resources for the organization.

Influence strategic decisions and expect returns on their investments.

• Staff:

Perform daily activities and tasks.

Contribute skills, knowledge and effort to achieving organizational goals.

• Customers:

Consume or purchase the organization's products/services.

Provide feedback, demand quality and influence product/service development.

• Suppliers/Partners:

Provide necessary resources, materials or cooperation.

Support the production process or provide services.

• Government/Regulatory Agencies:

Establish guidelines, regulations and compliance standards.

Ensure legal and regulatory compliance within the organization.

• Community:

Reside or operate in close proximity to the organization.

May be affected by organizational activities and expect responsible corporate behavior.

• Managers/Directors:

Lead and direct activities, develop strategies and set goals.

Responsible for overall decisions and management.

• Board of Management:

Provide strategic oversight and guidance.

Ensure the organization operates in the best interests of shareholders and stakeholders.

• Partners/Associations:

Collaborate with the organization to achieve common goals.

Share resources, knowledge or expertise for the common good.

• Competitors:

Influence market dynamics and competition.

Drive innovation and market response.

3. Define security audit and state why you need it


A security audit is the process of comprehensively assessing and evaluating an organization's systems,
processes, policies, and security measures. Through testing, evaluation, and auditing, security audits
provide an overall view of the security level of an information system.

Reasons for needing a security audit:

• Detect vulnerabilities and risks: Auditing helps detect security vulnerabilities in organizational
systems or processes, thereby identifying potential risks that could be attacked or exploited.

• Ensure regulatory compliance: Provides an assessment of compliance with security regulations,
industry standards, and legal requirements related to information security.

• Enhance system security: Provides the information needed to improve security measures and adjust
policies and procedures, thereby raising the overall security level of the organization.

• Prevent attacks and information loss: By identifying and remediating vulnerabilities, auditing
helps prevent potential attacks and reduces the risk of losing important information.

• Identify unusual events and respond quickly: Audits provide the opportunity to develop incident
response plans, helping organizations respond quickly and effectively when a security incident
occurs.

• Build trust with customers and partners: Audits provide evidence that the organization takes the
security of its information deployment and management seriously, thereby building trust with customers and
partners.

4. Recommend the implementation of security audit to stakeholders in an organization


Proposing the deployment of security audits to stakeholders in the organization requires a convincing plan and
argument. Here are some steps and tips to make this proposal effective:

Understand the Stakeholders:

• Understand clearly the roles, interests, and perspectives of each stakeholder in the organization.
• Assess how implementing security audits will affect them and the benefits they can gain.

Identify Specific Benefits:

• Explain how implementing security audits will improve organizational security.
• Focus on explaining how security audits help reduce risk, increase regulatory compliance, and
protect information.

Combine with the Overall Strategy:

• Link the proposal to the organization's overall strategy and goals.
• Show that implementing security audits is an important part of achieving long-term strategic goals.

Prove Practical Benefits:

• Use specific examples or case studies to illustrate the benefits that security audits have
brought to similar organizations.
• Evaluate success cases and lessons learned from organizations that have successfully implemented
security audits.

Use Appropriate Language:

• Use language appropriate to each stakeholder. For example, with the engineering department, focus
on methods and technology; with management, focus on strategic risks and benefits.

Propose a Specific Plan:

• Give a detailed description of how to implement a security audit, including steps, required resources,
and the implementation plan.
• Base the implementation plan on standard procedures and effective testing methods.

Budget Proposal and Risks:

• Provide an estimate of the budget required for implementing security audits and the expected
benefits from the investment.
• Analyze risks and responses, and weigh the importance of performing security audits against not
implementing them.

Create Opportunities for Discussion and Feedback:

• Invite relevant parties to participate in the discussion and give opinions or feedback on the proposal.
• Be willing to answer additional questions or provide additional information to build trust and
support from stakeholders.

REFERENCES

adserosecurity, n.d. Security Risk Assessment. [Online] Available at:
https://www.adserosecurity.com/security-learning-center/what-is-a-security-risk-assessment/

SNIA, 2023. What is Data Protection? [Online] Available at:
https://www.snia.org/education/what-is-data-protection

Ben Lutkevich, n.d. Security policy. [Online] Available at:
https://www.techtarget.com/searchsecurity/definition/security-policy
