Assignment Front Sheet: Qualification BTEC Level 5 HND Diploma in Computing


ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 10/4/2024 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name TRUONG VAN DIEP Student ID BH00666

Class Se06203 Assessor name LUU VAN THUAN

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature DIEP

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

 Summative Feedback:  Resubmission Feedback:

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:

Table of Contents
I. Introduction ............................................................................................................................................................... 2
II. Content ..................................................................................................................................................................... 3
Review risk assessment procedures in an organisation (P5) .................................................................................. 3
1. Define a security risk and how to do risk assessment .................................................................................... 3
2. Define assets, threats and threat identification procedures .......................................................................... 5
3.List risk identification steps .................................................................................................................................. 7
Explain data protection processes and regulations as applicable to an organisation (P6) ................................... 8
1. Define data protection ..................................................................................................................................... 8
2. Explain data protection process and regulations in an organization ............................................................. 8
3. Why are data protection and security regulation important? ....................................................................... 9
Design a suitable security policy for an organisation, including the main components of an organisational
disaster recovery plan (P7) .................................................................................................................................... 10
1. Define a security policy and discuss about it ................................................................................................ 10
2. example for each of the policies .................................................................................................................... 12
3.Give the must and should that must exist while creating a policy ............................................................... 12
4. Explain and write down elements of a security policy, including the main components of an
organisational disaster recovery plan ............................................................................................................... 13
5. steps to design a policy .................................................................................................................................. 14
Discuss the roles of stakeholders in the organisation in implementing security audits (P8) .............................. 15
1. Define stakeholders ....................................................................................................................................... 15
2. What are their roles in an organization?....................................................................................................... 15
3. Define security audit and state why you need it .......................................................................................... 16
4. Recommend the implementation of security audit to stakeholders in an organization ............................ 17

Figure 1 ......................................................................................................................................................................... 3
Figure 2 ......................................................................................................................................................................... 5
Figure 3 ......................................................................................................................................................................... 8
Figure 4 ....................................................................................................................................................................... 10
Figure 5 ....................................................................................................................................................................... 15

I. Introduction
Today, information security is always the top concern of businesses. Therefore, there are companies
that specialize in providing information security services and privacy policies.

I work at a leading information security consulting company in Vietnam, specializing in consulting on and
implementing technical solutions to address potential IT security risks for medium-sized companies.
Many of our customers have entrusted their privacy policy issues to our company due to a lack of in-house
technical expertise. "Wheelie Good", a manufacturing company in Ho Chi Minh City that specializes in
manufacturing bicycle parts for export, contacted our company to propose a Security Policy for their
organization after reading stories in the media about security incidents in organizations and their
consequences.

In this report, I will review the risk assessment processes in the "Wheelie Good" organization, explain the
data protection processes and regulations that apply to an organization, design appropriate security
policies for an organization, including the key components of the organization's disaster recovery plan,
and discuss the role of organizational stakeholders in performing a security audit.

II. Content
Review risk assessment procedures in an organisation (P5)
1. Define a security risk and how to do risk assessment
a, What are security risks?
A security risk is generally defined as a situation or person that poses a possible threat to the security of
something. In the context of information security, it encompasses anything that can threaten the
confidentiality, integrity, or availability of sensitive information. This might include risks related to physical
records, digital assets, systems and servers, as well as incidents in which information is lost, stolen, or
made temporarily unavailable.
b, Risk assessment

Figure 1

To protect data, an organization must first identify its vulnerabilities. Therefore, conducting a Data Risk
Assessment should start from the inside out and consider all databases, shared drives, files, tools, and
applications of the organization to determine if they contain any sensitive data about employees,
customers, or the company.
There are several ways to do this:
• Hire Consultants: They often use specialized tools to assess data risks for your organization.
• Use Integrated Tools in Data Storage Platforms: This is not usually a good option as businesses may
lack an overall view of all data, and many of these tools lack important features of Data Risk
Assessment.
• Use a Dedicated Data Security Platform (DSP) Tool: This is the best option as these tools are
designed specifically to assess data risks, providing a comprehensive view and integrating
necessary features.
Identifying Potential Threats:

Once critical data has been identified, businesses need to assess risks associated with that data. Potential
threats and vulnerabilities could lead to data loss, theft, or misuse. This involves identifying weaknesses
or vulnerabilities in current security measures (e.g., access controls, swipe cards, surveillance systems,
encryption, and firewalls) and keeping up with external technological developments such as ransomware
and malware.
Prioritizing Risk Levels:
Deploying the same level of protection for all files and folders in your organization can be costly and
impractical. Organizations will need to assess which data poses the greatest risk and address any privacy
and security issues in a logical sequence. This starts with considering data with high risks, which could
cause the most serious consequences if compromised, while also considering data with the highest
likelihood of being breached.
Businesses' top priorities include:
• Misconfigurations across the entire system.
• Sensitive data accessible from anywhere globally.
• Sensitive data accessible to all employees.
• Administrators not using multi-factor authentication.
Lower priority risks might include:
• Files containing little or no sensitive information.
• Old user accounts.
• Passwords without expiry dates.
To prioritize data security, businesses need comprehensive information about their data and systems. Just
knowing where sensitive data resides is not enough to determine its risk level. Businesses need software
that can:
• Map all data and related resource permissions to identify stored data and who can access it.
• Find and classify data to determine its sensitivity level.
• Understand the basic operations of devices, data, and users to identify potential security
vulnerabilities.
One of the biggest risks organizations overlook when outlining their security priorities is the threat of
users mishandling (unintentionally or maliciously) internal data.
Conducting a Data Risk Assessment can help businesses prioritize high-risk factors such as leaked sharing
links (e.g., in SharePoint or OneDrive) or data that any employee can access.
According to Microsoft, an average organization has over 40 million unique permissions in their cloud
environment, and over 50% of these are high-risk permissions, potentially causing serious damage if
misconfigured.

After going through this risk prioritization phase, businesses can begin planning risk mitigation, from the
most critical to the least critical levels.
(Andales, 2023)
2. Define assets, threats and threat identification procedures
a, Assets

Figure 2

In the world of cybersecurity, identifying and securing assets is a crucial component of protecting an
organization’s infrastructure. Assets can take the form of hardware, software, and sensitive information.
The importance of securing assets cannot be overstated, as unauthorized access, use, modification, or
destruction of these assets can lead to significant financial and reputational damage for a company.
To better understand the importance of asset security, here are some key points to consider:

• Assets can include everything from physical equipment, to software programs, to intellectual
property and confidential information like customer data or financial records.
• All assets must be properly identified so they can be managed effectively. Organizations need to
have an accurate inventory of their assets in order to understand where they are most vulnerable.
• Security controls must be put in place to protect assets. This can include encryption, access
controls, and monitoring for any suspicious activity.
• Properly prioritizing assets is critical. Not all assets are created equal, and some require a higher
level of protection than others. For example, a company’s financial records may require more
robust security measures than a marketing brochure.
Ultimately, properly securing assets is a fundamental part of a comprehensive cybersecurity strategy. By
understanding what assets need to be protected and implementing the proper security measures,
organizations can better prevent cyber attacks and mitigate the risk of damage if an attack does occur.

b, Threat
A cyber threat or cybersecurity threat is a malicious act intended to steal or damage data or disrupt the
digital wellbeing and stability of an enterprise. Cyber threats include a wide range of attacks ranging from
data breaches, computer viruses, denial of service, and numerous other attack vectors. Anything with the
potential to cause serious harm to a computer system, networks, or other digital assets of an organization
or individual is a cyber threat. According to Techopedia, cyber threats look to turn potential vulnerabilities
into real attacks on systems and networks. Cybersecurity threats can include everything from trojans,
viruses, hackers to back doors. Most of the time, the term ‘blended cyber threat’ is more appropriate, as
a single threat may involve multiple exploits. For instance, a hacker may use a phishing attack to get
information and break into the network. Cyber threats also refer to a potential cyberattack that aims to
gain unauthorized access, disrupt, steal, or damage an IT asset, intellectual property, computer network,
or any other form of sensitive data. Threats can come from trusted users from within an enterprise and
remote locations by unknown external parties. It won’t be an exaggeration to say that cybersecurity
threats affect each aspect of our life. Cyber threats can, in fact, result in electrical blackouts, military
equipment failure, or breaches of national security secrets. They can disrupt computer and phone
networks or paralyze the systems, making data unavailable. They can also cause the theft of sensitive,
valuable data such as medical records and other personally identifiable information of consumers and
employees across the world.
c, Threat identification procedures
Threat Identification Procedures in cybersecurity refer to the process of identifying and recognizing
potential threats and vulnerabilities that could be exploited by malicious actors. This process is critical as
it allows organizations and individuals to prioritize their security efforts and mitigate risk effectively.
Threat identification involves using a variety of tools and techniques to monitor and analyze the behavior
of computer systems and networks for signs of a potential attack or breach. This includes:
• Analyzing Network Traffic: Monitoring the data being transmitted over a network can help identify
any unusual or suspicious activity that could indicate a potential threat.
• Monitoring System Logs: System logs provide a record of events and transactions that have
occurred within a system. By monitoring these logs, potential security threats can be identified.
• Using Intrusion Detection Systems: These systems are designed to detect suspicious activities and
flag them for further investigation.
Here are some examples of threat identification procedures:
• A credit card company identifies a threat when the numbers and personal identification codes of
its customers are hacked and published.
• A bank identifies a threat when a hacker adds a zero to the amounts in bank transfers.
• A hospital identifies a threat when a ransomware attack makes it impossible to access its medical
records.

It’s important to note that cyber threats are constantly evolving, and attackers are becoming increasingly
sophisticated. To stay ahead of these threats, organizations must constantly update and upgrade their
technology and security protocols to identify new threats and vulnerabilities as they emerge.
3. List risk identification steps
Here are the steps typically involved in risk identification in cybersecurity:
• Perform a Data Audit and Prioritize Based on Value: This involves identifying what data you have,
where it’s stored, who has access to it, and the value of the data to your organization.
• Identify Cyber Threats and Vulnerabilities: This involves identifying potential threats and
vulnerabilities that could be exploited by malicious actors.
• Assess and Analyze Associated Risk: This involves assessing the likelihood and potential impacts of
various cybersecurity risks.
• Calculate the Probability and Impact of Different Cyber Risks: This involves determining the
probability of a threat exploiting a vulnerability and the potential impact of such an event.
• Implement Security Controls: This involves implementing appropriate security measures to
mitigate the identified risks.
• Prioritize Risks Based on a Cost-Benefit Analysis: This involves prioritizing risks based on their
potential impact and the cost of mitigating them.
• Monitor and Document Results: This involves continuously monitoring the effectiveness of the
security controls and documenting the results for future reference.
These steps form the basis of a cybersecurity risk assessment, which is a critical component of any
effective cybersecurity strategy. It’s important to note that this process should be ongoing, as new threats
and vulnerabilities can emerge at any time.
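The prioritization rules in section 1 (high-priority findings such as sensitive data accessible from anywhere or administrators without MFA, lower-priority ones such as old accounts and passwords without expiry) and the "calculate the probability and impact" step above both describe the same scoring exercise. The following script is an added worked example, not part of the original assignment and not a tool from any cited source: it records an inventory of data stores and who can reach them, turns each store's facts into findings, scores each finding as likelihood x impact, and ranks the register most critical first. The three stores are constructed sample data, and the likelihood weights, sensitivity scale and level thresholds are assumptions rather than values from the text.

```python
"""Added worked example (not from the original assignment): a small data risk
register that applies the prioritisation rules described in the text. Impact
always comes from the data's sensitivity, so a brochure share open to the
world still scores low while the same exposure on customer data scores
highest. Sample stores are constructed; weights and thresholds are assumed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DataStore:
    name: str
    sensitivity: int             # impact if compromised, 1 (public) .. 5 (highly sensitive); assumed scale
    exposed_to_internet: bool    # reachable from anywhere globally
    all_employees: bool          # every employee has access
    admins_without_mfa: int      # admin accounts on this store with no MFA
    stale_accounts: int          # old user accounts never cleaned up
    non_expiring_passwords: int  # accounts whose passwords never expire


@dataclass
class Risk:
    store: str
    finding: str
    likelihood: int  # 1..5, assumed per finding type
    impact: int      # 1..5, taken from the store's sensitivity

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed likelihood weights: the text's "top priorities" get high weights,
# its "lower priority" findings get low ones.
FINDING_WEIGHTS = (
    ("exposed_to_internet", "data accessible from anywhere globally", 5),
    ("all_employees", "data accessible to all employees", 4),
    ("admins_without_mfa", "administrators not using multi-factor authentication", 4),
    ("stale_accounts", "old user accounts", 2),
    ("non_expiring_passwords", "passwords without expiry dates", 2),
)


def identify_risks(store: DataStore) -> list[Risk]:
    """Turn one store's inventory facts into scored findings."""
    risks = []
    for attr, finding, likelihood in FINDING_WEIGHTS:
        if getattr(store, attr):  # True, or a non-zero count
            risks.append(Risk(store.name, finding, likelihood, store.sensitivity))
    return risks


def build_register(stores: list[DataStore]) -> list[Risk]:
    """Collect findings across all stores and order them most critical first."""
    register = [r for s in stores for r in identify_risks(s)]
    register.sort(key=lambda r: (-r.score, -r.likelihood, r.store))
    return register


def risk_level(score: int) -> str:
    # Assumed thresholds for the 1..25 likelihood x impact scale.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Constructed sample inventory for a bicycle-parts manufacturer.
SAMPLE_STORES = [
    DataStore("customer-export-share", 5, True, True, 2, 3, 1),
    DataStore("hr-records", 5, False, False, 1, 0, 4),
    DataStore("marketing-brochures", 1, True, True, 0, 5, 0),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_STORES):
        print(f"{risk_level(r.score):6} {r.score:2}  {r.store:22} {r.finding}")
```

Running it lists the internet-exposed customer share first (score 25) and the stale accounts on the public brochure share last (score 2); the ranking is what the mitigation planning step works through from top to bottom. Replace the constructed inventory with the organization's own permission map and classification results to use it for real.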
4. Review risk assessment procedures in an organisation
Risk assessment is a crucial process in any organization to ensure safety and well-being. It involves
identifying, evaluating, and prioritizing potential risks in a workplace or activity. Here are the typical steps
involved in risk assessment procedures:
• Determine the Risk Context and Scope: Understand the organization’s objectives, processes, and
risk appetite.
• Identify the Hazards: Identify anything that has the potential to cause harm.
• Assess the Risks: Evaluate the likelihood and severity of the harm that could result from the
identified hazards.
• Risk Control: Implement controls or safeguards to mitigate the identified risks.
• Re-assess the Risk with Control in Place: Evaluate the effectiveness of the controls in reducing the
risk.
• Confirmation of Reduced Risk: Confirm that the risk has been reduced to an acceptable level.

• Record Your Findings: Document the process, findings, and actions taken.
• Review the Controls: Regularly review and update the risk assessment to ensure it remains relevant
and effective.
Remember, risk assessment is an ongoing process that should be part of the organizational culture. It helps
in creating safer working environments, preventing accidents, and increasing safety awareness.

Explain data protection processes and regulations as applicable to an organisation (P6)


1. Definition of data protection

Figure 3

Data protection is the process of protecting sensitive information from damage, loss, or corruption.
The amount of data being created and stored has increased at an unprecedented rate, making data
protection increasingly important. In addition, business operations increasingly depend on data, and even
a short period of downtime or a small amount of data loss can have major consequences for a business.
The implications of a data breach or data loss incident can bring organizations to their knees. Failure to
protect data can cause financial losses, loss of reputation and customer trust, and legal liability,
considering most organizations today are subject to some data privacy standard or regulation. Data
protection is one of the key challenges of digital transformation in organizations of all sizes.
Therefore, most data protection strategies have three key focuses:
• Data security – protecting data from malicious or accidental damage
• Data availability – Quickly restoring data in the event of damage or loss
• Access control – ensuring that data is accessible to those who actually need it, and not to anyone
else
2. Explain data protection process and regulations in an organization
Data protection in an organization involves a series of processes and regulations designed to safeguard
sensitive information from damage, loss, or corruption. Here’s a detailed explanation:
• Data Security: Protecting data from malicious or accidental damage is the first step. This involves
implementing security measures such as firewalls, encryption, and secure passwords.

• Data Availability: Ensuring that data can be quickly restored in the event of damage or loss is
crucial. This often involves creating regular backups of data.
• Access Control: It’s important to ensure that data is accessible only to those who actually need it.
This involves setting up user permissions and authentication protocols.
• Compliance with Data Protection Regulations: All organizations are legally obliged to comply with
data privacy regulations such as the EU General Data Protection Regulation (GDPR), UK Data
Protection Act 2018, Brazil LGPD, Thailand PDPA or the Singapore PDPA. These laws set out the
minimum requirements to preserve personal information confidentiality, integrity, and availability.
• Inventory Personal Data: Organizations need to know what data they have, where it’s stored, and
who has access to it.
• Audit Data Processing Activities: Regular audits should be conducted to ensure data is being
processed in compliance with relevant laws.
• Update User Consent Forms: Consent forms should be updated to reflect current data collection
and usage practices.
• Create a Recordkeeping System: A system should be in place to track what data is collected, how
it’s used, and when it’s deleted.
• Designate Compliance Leads: Individuals or teams should be designated to oversee data
protection efforts.
• Draft a Data Privacy Policy: A clear policy should be drafted outlining how the organization collects,
uses, and protects data.
• Ensure Third-Party Partners are Compliant: If third parties process data on the organization’s
behalf, they must also be compliant with relevant data protection laws.
• Build a Process for Data Protection Impact Assessments: Organizations should have a process in
place to assess the potential impact of new technologies or practices on data privacy.
• Implement a Data Breach Response Plan: A plan should be in place detailing how the organization
will respond to a data breach.
• Make it Easy for Data Subjects to Exercise Their Rights: Individuals have the right to access their
data, correct inaccuracies, and opt out of data collection.
• Deploy Information Security Measures: This includes measures such as encryption, anonymization,
and pseudonymization.
Remember, data protection is not a one-time task but an ongoing process that requires regular review
and updating.
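The last item in the list above, deploying measures such as encryption, anonymization and pseudonymization, is the one step in the process that is implemented in code rather than in documents. The script below is an added example, not part of the original assignment and not code from any cited source. It pseudonymizes a customer record by replacing direct identifiers with keyed-hash tokens and keeps the token-to-identity map apart from the working data set, so the compliance lead can still serve access and erasure requests ("make it easy for data subjects to exercise their rights"); it also produces an anonymized copy by dropping identifiers and generalizing birth year into an age band. The record, key and field names are constructed assumptions; key storage and encryption at rest are outside its scope.

```python
"""Added example (not from the original assignment): field-level
pseudonymisation and anonymisation of a customer record. The HMAC key must
be held separately from the data (a secrets store in practice); the
constructed key below is for the demonstration only."""
import hashlib
import hmac

DIRECT_IDENTIFIERS = ("name", "email", "phone")  # assumed field names

# Constructed sample values, not real data.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {
    "name": "Nguyen Van A",
    "email": "a@example.com",
    "phone": "+84 900 000 000",
    "birth_year": 1990,
    "city": "Ho Chi Minh City",
    "orders": 12,
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier.

    Without the key a token can be neither reversed nor recomputed from a
    guessed identifier, which is what separates this from a plain hash."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy with direct identifiers replaced by tokens.

    `lookup` (token -> original value) is the re-identification table; it is
    stored and access-controlled separately from the pseudonymised data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym(out[field], key)
            lookup[token] = out[field]
            out[field] = token
    return out


def age_band(birth_year: int, today_year: int) -> str:
    """Generalise an exact birth year to a ten-year band."""
    low = ((today_year - birth_year) // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: dict, today_year: int) -> dict:
    """Return a copy with identifiers removed and birth year generalised,
    suitable for reporting where no re-identification is ever needed."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_year" in out:
        out["age_band"] = age_band(out.pop("birth_year"), today_year)
    return out


def erase_subject(lookup: dict, token: str) -> bool:
    """Honour an erasure request: dropping the mapping leaves the working
    data set unable to link the token back to a person. Returns False when
    the token was not present."""
    return lookup.pop(token, None) is not None


if __name__ == "__main__":
    table: dict = {}
    working_copy = pseudonymise(SAMPLE_RECORD, SAMPLE_KEY, table)
    print("pseudonymised:", working_copy)
    print("anonymised:", anonymise(SAMPLE_RECORD, 2024))
    print("erased:", erase_subject(table, working_copy["email"]))
```

Normalising the identifier before hashing (trimmed, lower-cased) keeps tokens stable across systems that capture the same e-mail address differently, which is what lets the pseudonymised records still be joined for analysis. The anonymised copy, by contrast, cannot be joined back at all and is the form to hand to parties who only need aggregate figures.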
3. Why are data protection and security regulation important?
Data protection and security regulations are crucial for several reasons:
• Prevent Fraudulent Activities: Data protection prevents an organization’s information from
fraudulent activities, hacking, phishing, and identity theft.

• Safeguard Sensitive Information: Data protection laws and regulations make it illegal to store or
share some types of information about people without their knowledge or permission. These laws
provide individuals with the right to see data held about themselves and to require correction.
• Maintain Trust: Good data protection practices can help maintain the trust of customers and
stakeholders, which is beneficial for an organization’s reputation and brand.
• Legal Compliance: Compliance with data protection and privacy laws has gone from an
afterthought to a mandate among multinational companies. Any violation of these regulations can
result in highly publicized and serious fines, which are costly in themselves, irrespective of the
financial loss from the resulting damage to a once trusted brand’s reputation.
• Promote Transparency: The public has been calling for greater transparency and security of
collecting and processing sensitive data, putting increased pressure on legislatures to act.
• Protect Consumer Rights: The primary purpose of data protection regulations is to ensure no
ambiguity about security and privacy expectations, the party responsible for the data, and the
rights consumers have.
In summary, data protection and security regulations are essential to safeguard sensitive information,
maintain trust with customers and stakeholders, ensure legal compliance, promote transparency, and
protect consumer rights.

Design a suitable security policy for an organisation, including the main components of an organisational
disaster recovery plan (P7)
1. Definition of security policy

Figure 4

A security policy is a document that outlines the rules, expectations, and overall approach that an
organization uses to maintain the confidentiality, integrity, and availability of its data. It includes general
security goals and covers specific issues like remote access, acceptable use, and data collection. It is used
with other documents, like standard operating procedures, to help achieve security goals.
Security policies are necessary for organizations to meet strict security and data privacy requirements.
Furthermore, well-designed security policies enhance organizational efficiency by promoting consistency,
avoiding duplication of effort, and providing clear guidance for policy exceptions.
Here are some reasons why a security policy is important:
• Guides the Implementation of Technical Controls: A security policy spells out the intentions and
expectations of senior management in regard to security. It’s then up to the security or IT teams to
translate these intentions into specific technical actions.
• Enhances Organizational Efficiency: A good security policy can enhance an organization’s
efficiency. Its policies get everyone on the same page, avoid duplication of effort, and provide
consistency in monitoring and enforcing compliance.
• Compliance with Data Protection Regulations: All organizations are legally obliged to comply with
data privacy regulations such as the EU General Data Protection Regulation (GDPR), UK Data
Protection Act 2018, Brazil LGPD, Thailand PDPA or the Singapore PDPA. These laws set out the
minimum requirements to preserve personal information confidentiality, integrity, and availability.
• Inventory Personal Data: Organizations need to know what data they have, where it’s stored, and
who has access to it.
• Audit Data Processing Activities: Regular audits should be conducted to ensure data is being
processed in compliance with relevant laws.
• Update User Consent Forms: Consent forms should be updated to reflect current data collection
and usage practices.
• Create a Recordkeeping System: A system should be in place to track what data is collected, how
it’s used, and when it’s deleted.
• Designate Compliance Leads: Individuals or teams should be designated to oversee data
protection efforts.
• Draft a Data Privacy Policy: A clear policy should be drafted outlining how the organization collects,
uses, and protects data.
• Ensure Third-Party Partners are Compliant: If third parties process data on the organization’s
behalf, they must also be compliant with relevant data protection laws.
• Build a Process for Data Protection Impact Assessments: Organizations should have a process in
place to assess the potential impact of new technologies or practices on data privacy.
• Implement a Data Breach Response Plan: A plan should be in place detailing how the organization
will respond to a data breach.

• Make it Easy for Data Subjects to Exercise Their Rights: Individuals have the right to access their
data, correct inaccuracies, and opt out of data collection.
• Deploy Information Security Measures: This includes measures such as encryption, anonymization,
and pseudonymization.
Remember, data protection is not a one-time task but an ongoing process that requires regular review
and updating.
2. Example
Here are examples of each type of security policy:
• Network Security Policy: This policy outlines how an organization’s network should be protected.
It may include rules about firewalls, intrusion detection systems, and secure configurations. For
example, a network security policy might state that all traffic must pass through a firewall, and any
suspicious activity must be logged and reviewed regularly.
• Data Security Policy: This policy outlines how an organization’s data should be protected. It may
include rules about data encryption, backup, and access controls. For example, a data security
policy might require that all sensitive data be encrypted both at rest and in transit, and that backups
be created regularly and stored off-site.
• User Security Policy: This policy outlines the responsibilities of users in maintaining security. It may
include rules about password complexity, software updates, and reporting security incidents. For
example, a user security policy might require that all users create strong, unique passwords, keep
their software up to date, and report any suspected security incidents immediately.
When creating these policies, it’s important to ensure they are clear, concise, and regularly reviewed and
updated to ensure they remain effective.
3. The must and should that must exist while creating a policy
When creating a security policy for an organization like “Wheelie Good”, there are several “musts” and
“shoulds” to consider:
Musts:
• Policy Purpose: Each security policy should only cover one specific subject. The purpose section
explains why the security policy exists and what it governs.
• Scope and Applicability: It is imperative that you detail the scope of your security policy — the
boundaries of what the security policy does and does not cover and where its rules do and do not
apply.
• Policy Guidelines: This is the body of the policy. It should clearly list what various actors
(employees, contractors, etc.) should and should not do.
• Policy Compliance: A policy is only as good as the feedback mechanism associated with it.
• Use the words “must” or “will” rather than “should” in the body of the policy: The latter implies
that the action is optional, which makes the need for the policy questionable.

Shoulds:
• Inventory Personal Data: Organizations need to know what data they have, where it’s stored, and
who has access to it.
• Audit Data Processing Activities: Regular audits should be conducted to ensure data is being
processed in compliance with relevant laws.
• Update User Consent Forms: Consent forms should be updated to reflect current data collection
and usage practices.
• Create a Recordkeeping System: A system should be in place to track what data is collected, how
it’s used, and when it’s deleted.
• Designate Compliance Leads: Individuals or teams should be designated to oversee data
protection efforts.
• Draft a Data Privacy Policy: A clear policy should be drafted outlining how the organization collects,
uses, and protects data.
• Ensure Third-Party Partners are Compliant: If third parties process data on the organization’s
behalf, they must also be compliant with relevant data protection laws.
• Build a Process for Data Protection Impact Assessments: Organizations should have a process in
place to assess the potential impact of new technologies or practices on data privacy.
• Implement a Data Breach Response Plan: A plan should be in place detailing how the organization
will respond to a data breach.
• Make it Easy for Data Subjects to Exercise Their Rights: Individuals have the right to access their
data, correct inaccuracies, and opt out of data collection.
• Deploy Information Security Measures: This includes measures such as encryption, anonymization,
and pseudonymization.
Remember, a security policy is not a one-time task but an ongoing process that requires regular review
and updating. It’s also important to note that a security policy is only as good as its enforcement. Regular
training and awareness programs should be conducted to ensure all employees understand and follow the
policy.
4. Explain and write down elements of a security policy, including the main components of an
organisational disaster recovery plan
Here’s a high-level overview of the elements of a security policy and the main components of an
organizational disaster recovery plan for “Wheelie Good”.
Security Policy:
A security policy is a set of rules and procedures designed to protect an organization’s information and
technology assets. Here are the key elements:
• Purpose: The purpose of the policy, which should align with the organization’s mission and
objectives.
• Scope: The areas, assets, and individuals covered by the policy.
• Roles and Responsibilities: Defines who is responsible for implementing and maintaining the
policy.
• Policy Enforcement: Details the consequences of non-compliance.
• Review and Maintenance: Specifies how often the policy will be reviewed and updated.
Disaster Recovery Plan:
A disaster recovery plan is a documented process to recover and protect a business IT infrastructure in
the event of a disaster. Here are the main components:
• Disaster Recovery Team: Identifies the individuals responsible for executing the disaster recovery
procedures.
• Risk Assessment: Identifies potential threats and vulnerabilities.
• Disaster Recovery Procedures: Detailed steps to be taken before, during, and after a disaster.
• Data Backup and Recovery: Outlines how data will be backed up regularly and how it will be
recovered in the event of a disaster.
• Testing and Maintenance: Regular testing and updating of the plan to ensure its effectiveness.
For “Wheelie Good”, the security policy and disaster recovery plan should be tailored to its specific needs,
considering factors such as the nature of its business, the types of data it handles, and its regulatory
environment. It’s also important to provide training to all employees to ensure they understand and follow
the policies.

5. Steps to design a policy
Designing a security policy involves several key steps. Here’s a general outline for “Wheelie Good”:
• Understand the Business: Understand the nature of “Wheelie Good’s” business, the types of data
it handles, and its regulatory environment. This will help in identifying what needs to be protected.
• Risk Assessment: Identify potential threats and vulnerabilities that could impact the business. This
could include anything from cyber attacks to natural disasters.
• Define Roles and Responsibilities: Clearly define who is responsible for implementing and
maintaining the policy. This could include IT staff, management, and even all employees.
• Develop Policy Statements: Develop clear, concise policy statements for each area of concern
identified in the risk assessment. These statements should define the purpose of the policy, its
scope, and the roles and responsibilities associated with it.
• Policy Enforcement: Define the consequences of non-compliance. This could range from retraining
to disciplinary action.
• Training and Education: All employees should be trained on the policy to ensure they understand
and follow it.
• Review and Update: The policy should be reviewed and updated regularly to ensure it remains
effective and relevant.
Remember, a good security policy is tailored to the specific needs of the organisation and is a living
document that evolves with the organisation and the changing threat landscape.

Discuss the roles of stakeholders in the organisation in implementing security audits (P8)
1. Definition of stakeholders

Figure 5

A Stakeholder is an individual, group, or entity with a vested interest in a project, organisation, or business.
They can significantly impact or be impacted by the outcomes and decisions related to the project or
business. They often have diverse interests, needs, and perspectives. Their involvement can range from
financial investments to regulatory concerns. This makes them essential contributors to the success and
direction of the endeavour.
2. What are their roles in an organization?
The primary Roles of Stakeholders encompass a wide range of functions that are pivotal to the success
and direction of a project or business. These Roles can be summarised as follows:
• Managers: Stakeholders actively participate in the strategic management of the organisation,
shaping its overall direction, setting goals, and formulating policies that influence the entire
operation. Their involvement is integral to defining the organisation's identity and mission.
• Decision makers: Stakeholders act as decision-makers. They offer valuable insights and expertise
to guide choices related to project strategies, resource allocation, risk management, and overall
governance. Their input ensures that decisions are well-informed and aligned with the
organisation's goals.
• Catalysts of growth: Stakeholders are instrumental in propelling the growth and expansion of the
project or business. They actively contribute to this process by providing crucial support,
investments, and necessary resources. Their involvement is a driving force for progress and
innovation.
• Acting as corporate conscience: Some Stakeholders serve as a moral compass within the
organisation. They ensure ethical and responsible business practices, holding the organisation
accountable for its actions. Their vigilance upholds the principles and values that define the
organisation's integrity.
• Business supporter: Stakeholders offer critical support in various forms, including financial
investments, industry expertise, and advocacy. These forms of backing are essential for the
sustained success and prosperity of the project or business. Their support extends beyond
monetary contributions, encompassing the guidance and endorsement that help the organisation
thrive.
These primary roles exemplify the multifaceted nature of Stakeholders and underscore their immense
significance in steering the course of any business or project. Their active participation and commitment
to these roles contribute to the general success and sustainability of the endeavour at hand.
3. Define security audit and state why you need it
Audits:
Audits involve a systematic evaluation of an organization's information systems, applications, and security
controls to assess their efficiency and effectiveness. They can be internal or external. Internal audits are
conducted by the organization's own audit team to review processes and policies, while external audits
are performed by third-party entities to provide an unbiased assessment of the organization's security
posture.
An example of an internal audit is a review of a company's data protection policy by its internal audit team
to ensure compliance with regulatory requirements and adherence by employees. An example of an
external audit is a third-party auditor evaluating an e-commerce company's compliance with PCI DSS
standards to ensure secure handling of credit card information.
Security audits are essential for several reasons:
• Identifying Vulnerabilities: Audits help to uncover weaknesses, gaps, and vulnerabilities in an
organization's security infrastructure, including its networks, applications, and data systems. By
identifying these vulnerabilities, organizations can take corrective actions to mitigate potential
security risks before they are exploited by malicious actors.
• Ensuring Compliance: Audits verify whether the organization's security practices adhere to relevant
laws, regulations, industry standards, and internal policies. Compliance with these standards is
essential for protecting sensitive data, avoiding legal penalties, and maintaining trust with
customers, partners, and stakeholders.
• Validating Security Measures: Audits validate the effectiveness of security controls, policies, and
procedures implemented by the organization. This validation ensures that security measures are
adequately designed, implemented, and maintained to protect against potential threats and risks.
• Detecting Security Breaches: Audits can help detect security breaches or unauthorized activities
within the organization's systems and networks. By monitoring and analyzing security logs, audit
trails, and other indicators, auditors can identify suspicious behavior or unauthorized access
attempts that may indicate a security incident.
• Improving Security Posture: The findings and recommendations resulting from security audits
provide valuable insights for improving the organization's overall security posture. Organizations
can use audit reports to prioritize security investments, implement necessary security controls, and
enhance security awareness and training programs.
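The "Detecting Security Breaches" point is where an audit stops being a paperwork exercise: the auditor has to actually run checks over the logs. The following Python example is added here to show one such check; it is not part of the original assignment or of any real system. The SSH-style log lines are constructed for the example, and the detection rule (a successful login preceded by at least five failures for the same account from the same address within ten minutes) is an assumed threshold that an auditor would tune to the organisation's environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like sshd format (not real logs).
SAMPLE_LOG = """\
2024-04-08T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-04-08T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-04-08T09:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-04-08T09:00:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-04-08T09:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-04-08T09:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-04-08T09:15:00 sshd[1301]: Failed password for diep from 192.0.2.10 port 40000 ssh2
2024-04-08T09:20:00 sshd[1302]: Accepted publickey for diep from 192.0.2.10 port 40001 ssh2
"""

# Timestamp, outcome, user and source address; "invalid user" is tolerated
# because sshd logs unknown accounts that way.
LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def parse(log_text):
    """Turn raw lines into (timestamp, outcome, user, ip) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events


def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Flag logins that succeed after >= threshold failures for the same (ip, user) within window.

    A single failed attempt followed by a later success is normal user behaviour;
    a burst of failures that ends in success is the classic sign of a guessed
    password and should be raised as an audit finding.
    """
    findings = []
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    for ts, outcome, user, ip in sorted(events):
        key = (ip, user)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "ip": ip,
                "user": user,
                "failures": len(recent),
                "success_at": ts.isoformat(),
            })
        failures[key].clear()  # a success resets the counter for this pair
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_successes(parse(SAMPLE_LOG)):
        print("FINDING:", f)
```

In an audit report a finding like this would be paired with the control it tests (account lockout, MFA, rate limiting) and a recommendation, which is the "Improving Security Posture" step in the list above.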
In summary, security audits are essential for assessing, validating, and improving an organization's
security posture by identifying vulnerabilities, ensuring compliance, validating security measures,
detecting security breaches, and driving continuous improvement in security practices.
4. Recommend the implementation of security audit to stakeholders in an organization
To stakeholders in an organization, I recommend the implementation of a thorough security audit based
on the following key points:
Regulatory Compliance Assurance: Highlight the importance of compliance with relevant regulations such
as HIPAA, GDPR, or industry-specific standards. A security audit ensures that the organization meets the
necessary requirements to avoid legal penalties and maintain trust with customers and stakeholders.
Risk Identification and Mitigation: Emphasize the need to identify and mitigate potential risks and
vulnerabilities within the organization's information systems. A security audit helps to proactively assess
the security posture, detect weaknesses, and implement measures to reduce the likelihood and impact of
security breaches.
Protection of Sensitive Data: Address the significance of safeguarding sensitive data, including customer
information, intellectual property, and financial records. A security audit evaluates the effectiveness of
data protection measures, such as encryption, access controls, and data backup procedures, to prevent
unauthorized access or data breaches.
Enhancement of Security Practices: Advocate for the continuous improvement of security practices and
procedures. A security audit provides insights into areas where security controls can be strengthened,
policies can be updated, and employee training can be enhanced to foster a culture of security awareness
and compliance.
Third-Party Assurance: Assure stakeholders, including clients, partners, and investors, of the
organization's commitment to security by conducting external audits or assessments. Third-party audits
provide independent validation of security measures and help build trust by demonstrating adherence to
industry best practices and standards.
Business Continuity and Resilience: Stress the importance of maintaining business continuity and
resilience in the face of cybersecurity threats and incidents. A security audit evaluates the organization's
readiness to respond to security incidents, recover critical systems and data, and minimize disruptions to
operations.
Cost-Effective Risk Management: Highlight the cost-effectiveness of investing in security audits compared
to the potential financial and reputational losses resulting from security breaches or non-compliance. A
proactive approach to risk management through regular security audits can help save costs associated
with incident response, regulatory fines, and damage control.
Overall, by recommending the implementation of a comprehensive security audit, stakeholders can
ensure that the organization is well-equipped to address cybersecurity challenges, protect sensitive
information, and maintain trust and credibility in an increasingly digital and interconnected world.
III. Conclusion
The document provides a comprehensive overview of various aspects related to security in an
organization, including risk assessment procedures, data protection processes and regulations, the design
of a security policy, and the roles of stakeholders in implementing security audits. It emphasizes the
importance of these elements in safeguarding sensitive information, maintaining trust with customers and
stakeholders, ensuring legal compliance, and promoting transparency. The document also outlines the key
components of a security policy and an organizational disaster recovery plan, highlighting the need for
ongoing review and updating of these policies. Additionally, it defines stakeholders and their roles in an
organization, as well as the significance of security audits in identifying vulnerabilities, ensuring
compliance, and improving the overall security posture. Overall, the document provides valuable insights
into the critical aspects of security within an organization.