ASSIGNMENT FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 31/12/2022 Date Received 1st submission 31/12/2022

Re-submission Date Date Received 2nd submission

Student Name Nguyen Huu Loi Student ID BS00219

Class IT17101 Assessor name Loi

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
 Learning Outcomes and Assessment Criteria

Pass Merit Distinction

LO3 Review mechanisms to control organisational IT security

P5 Discuss risk assessment M3 Summarise the ISO 31000 D2 Consider how IT security
procedures. risk management methodology can be aligned with
and its application in IT security. organisational policy,
P6 Explain data protection detailing the security impact
processes and regulations as M4 Discuss possible impacts to of any misalignment.
applicable to an organisation. organisational security resulting
from an IT security audit.

LO4 Manage organisational security

P7 Design and implement a security M5 Discuss the roles of D3 Evaluate the suitability of
policy for an organisation. stakeholders in the organisation the tools used in an
to implement security audit organisational policy.
P8 List the main components of an recommendations.
organisational disaster recovery
plan, justifying the reasons for
inclusion.
 Table of content

Introduction…………………………………………………………………………………5

LO3 Review mechanisms to control organisational IT security……………………………6

P5 Discuss risk assessment procedures……………………………………………………..6

5.1 What is risk ?.....................................................................................................................6

5.2 What is risk assessment ?.................................................................................................6

5.3 The important of risk assessment……………………………………………………….6

5.4 The goal of the risk assessment…………………………………………………………7

5.5 Explain Asset, threat and threat identification procedure, give example………………7
5.6 Explain the risk assessment procedure…………………………………………………9
5.7 List risk identification steps……………………………………………………………9

P6 Explain data protection processes and regulations as applicable to an organization

……………………………………………………………………………………………..10

6.1 Define data protection…………………………………………………………………10

6.2 Explain data protection process with relations to organization………………………..11

6.3 Why are data protection and regulation important ?......................................................11
P7 Design and implement a security policy for an organization…………………………..12
7.1 Define and discuss what is security policy…………………………………………….12
7.2 Give examples of policies……………………………………………………………..13
7.3 Give the most and should that must exist while creating a policy…………………….14
7.4 Explain and write down the element of security policy………………………………..15

7.5 Give the steps to design a policy……………………………………………………….19

P8 List the main components of an organisational disaster recovery plan, justifying the
reasons for inclusion……………………………………………………………………….21

8.1 Discuss with explanation about business continuity…………………………………...21

8.2 List the components of recovery plan………………………………………………….22
8.3 Write down all the steps required in disaster recovery process…………………….…23

8.4 Explain some of the policies and procedures that are required for business
continuity…………………………………………………………………….……………25

Conclusion………………………………………………………………………..……….27

Reference………………………………………………………………………………….28

List of figures

Figure 1 Risk assessment…………………………………………………………………..6

Figure 2 Threat……………………………………………………………………………..8
Figure 3 Acceptable use policy (AUP)……………………………………………………..12
Figure 4 Elements of an Information Security Policy……………………………………..15
Figure 5 Business continuity……………………………………………………………….21
 INTRODUCTION

I discussed network security concepts including assessing IT risk security. In addition,

security solutions are discussed, including firewall policies and intrusion detection systems
(IDS), since these systems can detect wrongly set FIS firewalls. Network monitoring is
another instrument needed to strengthen systems. I provided the necessary explanations
when I discussed the advantages of implementing a network monitoring system. I also
looked at "trusted networks," and after weighing the benefits and drawbacks, I came to the
conclusion that FIS should incorporate "Trusted Networks" into its security plan.

In this assignment, I will complete two duties. The first duty is to evaluate techniques for
controlling corporate IT security. In this assignment, I will address risk assessment
procedures, as well as data protection and regulation. In addition, I will describe the ISO
3100 risk management approach and its application in IT security. Another prerequisite is to
examine the potential impact of a security audit on organizational security. The next job
involves designing and implementing a security strategy for a company, as well as
demonstrating the essential components of an organizational disaster recovery plan. Because
stakeholders are a part of the company, I will address their role in putting security audit
findings into action.
LO3 Review mechanisms to control organisational IT security.

P5 Discuss risk assessment procedures.

5.1 What is risk ?

-Is problems that may endanger the stakeholders' products for the project. It is the potential
for a bad or undesired result. Risk is regarded as a prospective issue because it is something
that has never happened and may never happen.

5.2 What is risk assessment ?

- Risk assessment involves determining the damage that would result from an attack and the
likelihood that the vulnerability is a risk to the organization. Risk assessment can be done
using qualitative or quantitative risk calculation tools to help determine the risk likelihood
and risk impact.

Figure 6 Risk assessment

5.3 The important of risk assessment

- Risk evaluations are crucial because they are a crucial component of a management strategy
for occupational health and safety. They aid in: Raising people's awareness of risks and
hazards. Decide who might be at risk (e.g., employees, cleaners, visitors, contractors, the
public, etc.).

5.4 The goal of the risk assessment

- The aim of the risk assessment process is to identify hazards, remove them when needed,
or reduce the level of risk they pose by implementing management measures. You've made
the workplace safer and healthier by doing this.

5.5 Explain Asset, threat and threat identification procedure, give example
A. Asset

- An asset is any significant information, device, or other system element of an organization,

typically because it contains or has the potential to contain sensitive information.

-Examples of assets include a worker's desktop computer, laptop, or company phone, as well
as the apps on such devices. Servers and other essential infrastructure are also advantageous.

B.Threat

- A threat is something that could potentially harm an asset, such as if it were to get lost,go
offline, or be accessed by an unauthorized person.

-Threats are described as situations that endanger an asset's confidentiality, integrity, or

availability. These situations can either be intentional or unintentional.

- Intentional risks include staff error, a technology failure, or an event that results in physical
injury, such a fire or a natural disaster. Examples of unintentional risks include employee
error, a technological breakdown, or a malicious insider stealing information.
 Figure 7 Threat
C. Threat identification process.

- The threat identification approach looks into IT flaws and evaluates how likely they are to
allow access to your system. It is a crucial part of the risk management strategy for your
company. By recognizing threats, your business can take proactive action. Every stage that
is finished is recorded. The threat model for the application is in the created document.

• Step 1 - Identifying Threats

- The three sorts of dangers are man-made, technical, and natural threats. Threat categories
including Auditing & Logging, Authentication, Authorization, Configuration Management,
Data Protection in Storage and Transit, Data Validation, and Exception Management are
defined by the Application Security Frame (ASF) and can be used to classify threats.

• Step 2 - Profiling Threats and Developing a Community Profile

- Arranging threats that have been detected into profiles that provide more details, such as
the type of danger that has been recognized, the possibility that it will occur, any relevant
history, and the ramifications Preparation is key in threat assessments and emergency
management.

• Step 3 – Determining Vulnerability

- Implementing a countermeasure will address a vulnerability. The order of rescue priority
should be life, then necessary facilities, then important infrastructure, following the danger
analysis methods. The risk can be managed in one of three ways when the possible impact
has been identified: accept, eliminate, or decrease.

• Step 4 – Creating and Applying Scenarios

-The most hazardous and probable dangers are used to build emergency management
scenarios. The scenarios cover the initial alert, anticipated community impact, potential
trouble zones, damage response, limited resources, and potential consequences. These
hypothetical situations are continuously assessed using a variety of criteria and updated with
new data, ensuring that the threat analysis is always one step ahead of the actual threat.

5.6 Explain the risk assessment procedure

- The goal of the risk assessment process is to identify risks and, using the proper
management measures, eliminate or reduce the level of risk. You must therefore provide a
safer and healthier workplace that includes:

• Risk Assessment
➢ Identification of risks
➢ Risk evaluation
➢ Risk impact
➢ Recommendation of risk-reducing measures
• Risk Mitigation
➢ Risk avoidance
➢ Risk mitigation
➢ Risk acceptance
➢ Risk transference
➢ Risk assessment
• Evaluation and Assurance
➢ Continuous risk assessment
➢ Periodic assessment
➢ Regulatory adherence
5.7 List risk identification steps

- There are five essential parts to the process of risk identification and management. The
stages involved include risk identification, analysis, assessment, treatment, and monitoring.
• Risk Identification

-Finding out what, where, when, why, and how something can affect a company's ability
to function is the aim of risk identification. As an example, a business in central California
would list "the possibility of wildfire" as a potential event that could interfere with
business operations.

• Risk Analysis

-In this phase, the likelihood of a risk event happening and the likely results of each
occurrence are both determined. Safety managers may look at the amount of rain that fell
in the previous 12 months and the extent of damage an organization may sustain if a fire
started, using the California wildfire as an example.

• Risk Evaluation

- According to importance and impact, each danger's level is compared and ranked. For
example, it may be necessary to weigh the effects of a potential mudslide against those
of a potential wildfire. The occurrence with the highest likelihood of occurring and
inflicting harm is ranked higher.

• Risk Treatment

- Risk response planning is another name for risk management. This step involves
developing risk mitigation strategies, preventative measures, and backup plans based on
the projected value of each risk. Risk managers may choose to store extra network servers
offshore in the event of a wildfire so that business operations can continue even if an
onsite server is damaged. The risk manager may also create plans for employee
assessments.

• Risk Monitoring

- Risk management is a continuous process that changes and grows over time. All known
and unknown threats can be covered by repeating and closely monitoring the procedures.

P6 Explain data protection processes and regulations as applicable to an organization

6.1 Define data protection

- Data protection is the process of protecting sensitive information from damage, loss, or
corruption. As the amount of data being created and stored has increased at an
unprecedented rate, making data protection increasingly important. [1]
6.2 Explain data protection process with relations to organization
- User privacy concerns, expanding regulation, and the requirement for identity and
access management (IAM) policies driven by business needs have motivated the
development of new standards for essential asset control in the new data world. To fully
protect their data, security measures must be made in three key areas:
• Intelligent Visibility
-By merging AI-driven solutions with automated monitoring technologies, businesses
can achieve unified supervision across data, cloud networks, and endpoints. This offers
crucial knowledge about assets that must be safeguarded as well as potential weak spots.
• Proactive Mitigation:
-Effective endpoint and application security solutions are required for enterprises to build,
deploy, and enforce security across data at scale, enabling proactive responses to possible
attacks
• Continuous Control
- Organizations must use complete security solutions that enable them to implement rules
at scale, maximize asset safeguards, and comply with regulatory requirements and
standards, allowing them to maintain continuous control over all operational assets. Full-
featured data protection, asset defense, and compliance strategy are no longer optional
initiatives for businesses of all sizes.
6.3 Why are data protection and regulation important ?
- When raw data is processed, it becomes data that needs privacy, security, and
cybersecurity. Furthermore, adequate data protection fosters trust and confidence in the
general public that you are a company that values the security of its stakeholders'
information.
- Vital information is available to every firm. Actually, one of a company's most valuable
assets is its data. Data security should therefore be a key priority for any firm. This entails
preserving the data's confidentiality, integrity (keeping it accurate and up-to-date), and
accessibility to personnel who need it (ensuring that it is only accessible to those who are
permitted). Customers actually demand that businesses protect their data when they
interact with or invest in them. Effective data governance encourages trust. By presenting
your brand as one that clients can trust with their data, it safeguards the reputation of your
business.
- The GDPR emphasized data security even further, making it not only a corporate
imperative but a legal one. According to the GDPR, a controller must "take suitable
technological and organizational means to guarantee and show that processing is done in
compliance with the Regulation." Security awareness training is an important component
of such measures: personnel must be aware of the need of adhering to data security rules
and processes. Headlines about, and inept responses to, a data breach, for example, may
demolish confidence built up over a decade in a matter of days.
P7 Design and implement a security policy for an organization
7.1 Define and discuss what is security policy
• Definition
- A security policy (also called an information security policy or IT security policy) is a
document that spells out the rules, expectations, and overall approach that an organization
uses to maintain the confidentiality, integrity, and availability of its data.[2]
- A company's security policy may provide guidelines for permissible usage. These show
how the company plans to teach asset protection to its employees. They also contain
information on how security measures will be put into place and enforced, as well as a
process for evaluating the effectiveness of the policy to make sure that any necessary
improvements are done.
• Discuss security policy
- A policy is a short written statement that the people in charge of an organization have
set as a course of action or direction. A policy comes from upper management and applies
to the entire organization
- A security policy helps all employees understand the assets and principles the
organization values. With a clear policy, your staff is more likely to respect the
organization’s assets. Remember, staff will take policies only as seriously as the
organization takes them.
a) Acceptable use policy (AUP)
- The AUP defines the actions that are and are not allowed with respect to the use of
organization-owned IT assets. This policy is specific to the User Domain and mitigates
risk between an organization and its employees.

Figure 8 Acceptable use policy (AUP)

b) Security awareness policy

- This policy defines how to ensure that all personnel are aware of the importance of
security and behavioral expectations under the organization’s security policy. This policy
is specific to the User Domain and is relevant when you need to change organizational
security awareness behavior.

c) Threat assessment and monitoring

- This policy defines an organization-wide threat assessment and monitoring authority. You
should also include specific details regarding the LAN-to-WAN Domain and AUP
compliance in this policy.

7.2 Give examples of policies

a. Human Resources Policy
- The term "human resource management" refers to intentional organizational activities to
boost personnel administration and productivity through the use of techniques including
hiring, compensation, performance evaluation, training, record-keeping, and compliance.
For crucial HR management functions, HR rules addressing eight generally agreed tasks
should be defined:
• Benefits and compensation
• Relations between labor and management
• Relations between labor and management
• Diversity in the workplace
• Health, safety, and security
• Information systems for human resources
• Human resource research
• Training and development
b. Incidence Response Policy
-The following is the Incident Response policy:
• In order to respond to security incidents in a timely, efficient, and systematic manner,
management responsibilities and procedures should be established.
• The organization's priorities for handling security incidents should be understood by
those in charge of security incident management, and management should agree on
the objectives for that management.
• The appropriate management channels should be alerted as soon as is practical about
security incidents.
 • Any observed or suspected security weakness or vulnerability in the organization's
information systems or services must be reported by employees and contractors who
utilize them.
• Events involving security and privacy should be assessed to determine whether they
qualify as security or privacy incidents. Events involving security and privacy should
be assessed to determine whether they qualify as security or privacy incidents.
• Incidents involving security or privacy should be handled in line with established
Incident Response protocols.
• The knowledge acquired from investigating and resolving Security and Privacy
Occurrences should be applied to lessen the possibility or effect of future incidents.
• Procedures for the identification, gathering, acquisition, and preservation of
information that can be used as evidence should be developed and implemented.
Topics such as: - The advantages of a systematic, consistent approach to Incident
Management should be made known (personal and organizational)
• How to Report Security and Privacy Incidents and Who to Contact
• Non-disclosure Agreement Restriction
c. Acceptable use policy (AUP)
-The consequences of policy infractions are generally described in AUPs. Depending on
the relationship between the user and the company, these violations are dealt with
consequences. Schools and universities frequently respond by dismissing the offender's
employment and, if the act is illegal, calling the appropriate authorities, such as the local
police.
-Employers will occasionally terminate an employee's service, however this happens
more frequently when the employee's actions threaten security or the employer as a
whole.
-American Internet service provider Earthlink has a very explicit policy on breaking the
rules. The company divides violations into six categories of reaction:
• Issue written or spoken warnings - Suspend the Member's newsgroup posting
privileges24
• Suspend the account of the Member
• Close the Member's account
• Up to the Member for administrative and/or reactivation fees
• File a legal action to stop violations and/or recover any damages caused by
noncompliance.
7.3 Give the most and should that must exist while creating a policy
- Security experts must consider a number of issues while creating a security policy.
These are some of them:
 • Cloud and mobile
-Enterprises must consider how they use the cloud and mobile apps when developing
security standards. Through a company's network, data is being swiftly spread across a range
of devices. The growing number of vulnerabilities that a distributed network of devices
introduces must be taken into consideration.
• Data classification
-Inadequate data classification could result in the exposure of important assets or the wasting
of resources protecting information that is not necessary.
• Continuous updates
-As a business grows, sectors shift, and cybersecurity threats evolve, so do the dangers to
which it is exposed and its IT infrastructure. Security regulations must change in order to
reflect these advances.
7.4 Explain and write down the element of security policy.
- A security policy can be as comprehensive as you like, including everything from physical
asset protection to IT security, but it must be fully implemented. Some important elements
to think about when developing an information security policy are included in the list below.

Figure 9 Elements of an Information Security Policy

A .Purpose

- First, state the policy's aim, which might be to:

• Create a comprehensive strategy to information security.

 • Detect and prevent data security breaches such as network, data, application, and
computer system misuse.
• Maintain the organization's reputation while adhering to ethical and legal obligations .
• Customer rights must be respected, including how to respond to enquiries and
complaints regarding noncompliance.

B. Audience

-Establish who the information security policy's target market is. You can also choose which
groups of people are not included in the policy's scope (for instance, employees of a different
business unit whose security is managed separately might not be in the policy's reach).

C.Information security objectives

-Help your management team to set a clear strategy and security goals. The following are
the main objectives of information security:

➢ Confidentiality: Only authorized persons should have access to data and

information assets.
➢ Integrity: Data should be intact, accurate and complete, and IT systems must be
kept operational.
➢ Availability: Users should have access to information or systems when they need
it

D. Authority and access control policy.

➢ Hierarchical pattern: A senior manager might be able to decide who gets access
to what information and to whom. The security policy of a senior manager may be
different from that of a lower employee. The scope of each organizational job's
control over data and IT systems should be outlined in the policy.
➢ Network security policy: Only specific logins requiring authentication, such as
passwords, biometrics, ID cards, or tokens, can grant users access to company
networks and servers. All systems need to be watched over, and every login attempt
needs to be documented.

E. Data classification.

- Data should be divided into categories like "top secret," "secret," "confidential," and
"public" according to the policy. Your objective while classifying data is:
+ Limiting access to sensitive data by those with lower clearance levels

+ To protect crucial data while avoiding the needless use of security measures for trivial
data.

F. Data support and operations.

➢ Data protection regulations:

-Data protection requirements require that systems that contain personal or sensitive data
adhere to organizational standards, best practices, industry compliance standards, and related
statutes. Most security requirements demand encryption, a firewall, and anti-malware
protection as a bare minimum.

➢ Data backup:

-According to accepted industry standards, encrypt backup data. Backup media must be
transported to a secure cloud storage facility or kept there safely.

➢ Movement of data:

-Only use secure methods to send data. Encrypt any data copied to portable devices or sent
over a public network.

G. Security awareness and behavior.

-Inform your staff of the rules governing IT security. Training sessions should be held to
inform personnel about your security procedures and controls, such as data.

➢ Social engineering:

-Stress the risks of social engineering attacks (such as phishing emails). Such assaults should
be identified, stopped, and reported, and employees should be held responsible.

➢ Policy on clean desks:

-A cable lock can be used to secure laptops. Documents that are no longer needed should be
shredded. Keep printer locations tidy to avoid papers falling into the wrong hands.

➢ Policy for acceptable Internet usage:

-Define the appropriate level of Internet regulation. Do you permit social media sites like
YouTube? You can block undesired websites by using a proxy.

H. Encryption Policy.

-Data must be encrypted in order to be made unavailable to or hidden from unauthorized

parties. It contributes to the security of data while it is at rest and in transit, preserving the
privacy of sensitive, confidential, and proprietary data. It might improve the security of
client-server communication. An encryption policy helps businesses define:

+ The devices and media that must be encrypted by the organization

+ When encryption is required

+ The minimal requirements for the encryption software used

I. Data Backup Policy.

-A data backup policy lays out the rules and procedures for making data backup copies. It is
crucial to a thorough approach to data protection, business continuity, and disaster recovery.
The main goals of a data backup policy are as follows:

+ Identifies all of the data that the company needs to back up.

+ Determines backup frequency, such as when to execute an initial full backup and when to
do incremental backups.

+ Defines a backup data storage location.

+Lists all roles in charge of backup procedures, such as backup administrators and IT team
members.

J. Responsibilities, right and duties of personnel.

-Employers should be hired to do user access checks, education, change management,

incident management, the implementation of security policies, and recurring upgrades.
Responsibilities should be expressly outlined in the security policy.

K. System hardening benchmarks.

-The company should use security benchmarks like the CIS benchmarks for Linux, Windows
Server, AWS, and Kubernetes to harden mission-critical systems, which should be included
in the information security strategy.

L. References to regulations and compliance standards.

-Regulations and compliance requirements that have an influence on the company, such as
GDPR, CCPA, PCI DSS, SOX, and HIPAA, should be mentioned in the information security
policy.

7.5 Give the steps to design a policy

Step 1: Identify and define the problem or issue that necessitates the development of a policy.

-The business must also be aware of the goals of its policies and understand that they could
change in order to resolve a problem or issue.

Step 2: Appoint a person or person(s) to co-ordinate the policy development.

-A policy's development could take several months. The process needs to be "driven" by
someone, or even a committee.

Step 3: Establish the policy development process

-Research, consultation, and policy drafting are all needed tasks. The coordinator should
prepare a schedule of the tasks that must be accomplished, by whom, and when.

Step 4: Conduct research.

-Read the policy documents on the subject from different organizations. Search the internet
for legal issues. Call a meeting with staff members and other industry experts.Survey
respondents or a subset of respondents, such as coaches.

-Read the management committee meeting minutes (if allowed). Check out more documents,
including yearly reports or reports from events. Read magazines and trade journals. Obtain
legal counsel.

Step 5: Prepare a discussion paper.

-The definition of the problem or issue, the presentation of the findings from the research,
and the provision of a wide range of policy solutions are the objectives of the discussion
paper. A key component of the consultation process will be the discussion paper.

Step 6: Consultation stage 1.

-The distribution of the discussion paper to all stakeholders is one of the initial phases in the
consultation process (interested parties). It may also be necessary to contact and alert
stakeholders in order to remind them to read the discussion material. Then, obtain as much
feedback as possible from all relevant stakeholders. This may be done through seminars,
public meetings, your website, and one-on-one interactions. Several months may be required
to ensure that this round of engagement is thorough.

Step 7: Prepare a draft policy.

-Once the consultation processes have concluded, the next step is to develop a draft policy.

Step 8: Consultation stage 2.

-When finished, the draft policy should be distributed to important parties, advertised on the
organization's website and newsletter, and discussed at upcoming forums and meetings. It is
crucial to enlist the assistance of stakeholders before publishing the policy in order to
improve the language, clarify key terms, and make required changes.

Step 9: Adoption.

-When the policy development process coordinator is reasonably comfortable that all issues
and concerns regarding the policy have been addressed, it is time to finalize the policy. The
final policy statement must be formally accepted by the organization's management
(management committee), with an appropriate record kept in the minutes.

Step 10: Communication.

-The policy should be widely advertised to all company stakeholders after being formally
accepted. It could be necessary to hold training sessions to guarantee that every employee of
the firm is knowledgeable about and competent in using the policy. The policy could fail if
it is not properly stated.

Step 11: Review and Evaluate.

-Monitoring the policy's application is essential. The policy may still require adjustment, and
its justifications for existing may alter. It is usual practice to set a date for the policy review;
this may be done once a year or once every three years. Simply said, it depends on the
insurance type.

P8 List the main components of an organisational disaster recovery plan, justifying the
reasons for inclusion.

8.1 Discuss with explanation about business continuity

-Business continuity can be defined as the ability of an organization to maintain its
operations and services in the face of a disruptive event. This event could be as basic as an
electrical outage or as catastrophic as a Category 5 hurricane. The most fundamental
requirement for business continuity is to maintain critical functions operational during a
crisis and to recover with as little downtime as possible. A business continuity plan takes
into account a variety of unforeseeable situations such as natural disasters, fires, disease
outbreaks, cyberattacks, and other external threats.

Figure 10 Business continuity

➢ What are some important of Business Continuity ?

-When downtime is intolerable, business continuity is essential. The plan should enable the
organization to operate at its most basic level during a crisis. By enabling an organization to
react promptly to an interruption, business continuity increases a company's resilience.
Strong business continuity protects the organization's reputation while saving money and
time. A protracted outage is risky for your finances, reputation, and personal safety.
Continuity of business operations may also be necessary for legal or regulatory reasons.
Knowing which laws apply to a particular organization is essential, especially in an era of
expanding regulation.
8.2 List the components of recovery plan.
A. Disaster Recovery Plan (DRP)
- A DRP is a written document that details the process for restoring IT resources following
an event that causes a significant disruption in service. A business continuity strategy must
include a disaster recovery plan (DRP) (BCP). It speaks of the organizational components
that depend on an effective IT infrastructure. In order to continue operating in the wake of
an event, even at a minimal level, a DRP works to help an organization resolve data loss and
recover system functionality.

B. Test and maintain the DRP.

- Since the risks associated with disasters and emergencies are constantly evolving, disaster
recovery planning is a continuous process. The company should regularly test the DRP to
determine the effectiveness and suitability of the procedures indicated in the plan. To take
into account modifications to business procedures, advancements in technology, and rising
catastrophic risks, the recovery team should regularly update the DRP.

C. Define Your RTO and RPO

- Recovery time objectives (RTO) and recovery point objectives (RPO) should be used to
categorize recovery objectives (RPO). RTO is the potential downtime before asset recovery,
whereas RPO is the amount of data you are willing to lose. Your disaster recovery strategy
should have these objectives established early on so that the right configuration may be
chosen. Discuss the ramifications of the prospective interruption with your company's top
management and operational staff for as little as one minute, up to one day, or even longer.
You can use this information to determine your RTO, RPO, and how frequently your data
needs to be backed up.

D. Sort Assets According to Criticality and Context.

- You need to assess your assets contextually after taking an inventory of them. How does
your organization utilize these resources? Which assets would be most affected by a disaster
if they were damaged or lost? Sort all of your mapped assets from high to low effect by going
through each one.
-Not all of your data can always be backed up. It will be possible for you to decide which
assets should be prioritized in your disaster recovery strategy after you have an
understanding of the importance of each asset and how they relate to one another.

E. Propose A Budget.

- All firms, regardless of their resources, should have a disaster recovery strategy.While
highlighting the necessity of catastrophe recovery, senior management should also be shown
a variety of options at various price ranges. A disaster recovery plan with improved RTOs
and RPOs, more generous support for more vital services, and maybe inclusion in a larger
business continuity strategy are all included in higher budgets. With the right information,
management can evaluate risk and investment in disaster recovery plan technologies to strike
the right balance. Each company's disaster recovery plan requirements will be different.

8.3 Write down all the steps required in disaster recovery process.

• Step 1: Identify

- Inventory and map the location of all of your company's IT assets. Keep an eye out for
and specify dependents as you go. Determine which IT-related business operations are
crucial to being operational, since they will be the first to be considered when developing
your plan.

- This step must be completed carefully because it will affect the rest of the planning
process. Each of the important business functions you defined in step one will receive
recovery time objectives (RTOs) and recovery point objectives (RPOs) in step two.

• Step 2: Assess

- Assign a tier to each of the IT business processes that were identified in step one. The
highest-value applications and systems fall under the Tier 1 category. Tier 3 processes
would have the lowest priorities, followed by Tier 2 processes, which would be of
medium priority.

-Next, assign the proper recovery point goal (RPO) and recovery time objective (RTO)
to each tier's elements (RTO). Determine the actual cost of downtime for each of your
processes and systems. By doing so, you may better organize your priorities and
hopefully get the backing of management for a disaster recovery plan.
• Step 3: Customize

- After considering dependencies, layers, and the previously described RPOs and RTOs,
decide how certain business functions will be restored in the event of an interruption. The
third step of the process is the most challenging and time-consuming. However, you need
to have a well defined plan that can be implemented to ensure the continuity of your
important systems after a crisis (to the letter). This suggests that everything, including
floor plans, utility diagrams, system settings, and any other relevant information, should
be inventoried and mapped. Be sure to thoroughly test the user plan because it is unique.
After a tragedy, you don't want to realize that one of the key elements of your plan was
missing.

• Step 4: Blend

- For the most important workloads, supplement secure, cloud-based backup with on-
premises backup. There is no such thing as a one-size-fits-all solution to catastrophe
recovery; anyone who claims differently should be avoided. Because your organization's
demands are unique, a hybrid approach is most likely the best option.

- This approach is used by Carbonite's E2 hybrid backup solution, which is offered by

Cybriant and is part of the EVault line of products. Secure cloud backup is crucial because
it protects your data off-site, away from any potential natural disaster. However, in
situations where the damage is more virtual than real, local hardware like E2 can offer a
faster recovery.

- Furthermore, E2 and services that use comparable equipment provide you with the
added benefit of redundant backup. When it comes to your disaster recovery strategy, you
can never be too cautious.

• Step 5: Repeat

- Any catastrophe recovery strategy must include testing and adapting. not only during
the initial stages of planning. As your business and systems grow, so will your disaster
recovery needs. For organizations of any size, conditions and objectives are constantly
shifting, and your DR strategy will only be effective if it is regularly updated to reflect
changes.
- According to a recent poll of IT professionals, just 40% of businesses evaluate their
disaster recovery strategies on a yearly basis. Surprisingly, another 28% test their
strategies relatively infrequently, if at all.

8.4 Explain some of the policies and procedures that are required for business continuity.

A. Risk Assessment.

- Each department will identify, appraise, and rate potential dangers throughout the risk
assessment process. The Director of Emergency Preparedness will review the hazards.
This will result in a variety of consequences that may need extensive business impact
analysis (BIA) and recovery methods.

B. Determining the BCP Recovery Strategies

- The RTO created during the business impact analysis prioritizes recovery plans, which
are alternative ways to return business operations to a minimally acceptable level
following a business disruption. Recovery plans need a range of resources, including
personnel, infrastructure, tools, supplies, and IT. Each department must do an analysis of
the resources needed to carry out recovery measures in order to find any gaps.

C. Develop and Implement the BCP

- To ensure the readiness of mission-critical activities across the institution, university

business continuity plans will be created and maintained using VEOCI, a crisis
management and software solution. Each Business Continuity Plan (BCP) will be
submitted into VEOCI by the relevant department designee after the planning (BIA and
risk assessment) and meetings are finished. Contact the VCU director of emergency
planning for access to VEOCI. Training is readily available.

D. Exercising, Maintaining and Reviewing

- When the BCP is finished, the director of emergency preparation will train and test
everyone in the department to make sure they are all familiar with it. A continuity
planning committee made up of those involved before, during, and after a catastrophe or
significant interruption will be established by the director of emergency planning. Each
department will modify the BCP as necessary after training or actual situations.
• Regular Review and Upkeep
• Exercises and training

E. Understanding the Organization: Business Impact Analysis (BIA).

- Analysis of Business Impact (BIA). The business impact analysis (BIA) is the process
of determining, analyzing, and evaluating the possible impacts of an interruption or
suspension of important company activities, functions, and processes due to an accident,
emergency, or disaster. It is a methodical approach of estimating the possible and likely
repercussions of these disturbances, generally from the perspective of the worst-case
scenario.
 Conclusion

In my most recent project, I discovered how to define security risks and carry out risk
analyses. Explain the risk assessment process, define assets, risks, and threat identification
techniques, and list the procedures for risk identification. I also learnt how to define data
protection, describe how data protection works in organizations, and explain the need for
data protection and security laws.

Finally, describe why business continuity is important. List the elements of the recovery
plan, make a list of all the steps required for disaster recovery, and mention some of the
policies and procedures crucial for business continuity.
 References

[1] Learning Center. (n.d.). What is Data Protection | Principles, Strategies & Policies |
Imperva. [online] Available at: https://www.imperva.com/learn/data-security/data-
protection/#:~:text=Data%20protection%20is%20the%20process [Accessed 27 Dec. 2022].

[2] Grimmick, R. (2022). What is a Security Policy? Definition, Elements, and Examples.
[online] www.varonis.com. Available at: https://www.varonis.com/blog/what-is-a-security-
policy.