Asm2 1623


ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: 22nd June, 2023
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Le Anh Quan
Student ID: GCH211111
Class: GCH1105
Assessor name: Michael Omar

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Student’s signature:

Grading grid
P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:
Resubmission Feedback:

Grade:
Assessor Signature:
Date:
Lecturer Signature:
Table of Contents
Introduction
P5 Discuss risk assessment procedures
  Definition of a security risk
  Risk assessment procedures
  Definition of assets
  Definition of threats
  Discussion on threat identification procedures with examples
    Threat identification examples
    Threat identification procedures
  Explanation for the risk assessment and procedure
  List of risk identification and steps
P6 Explain data protection processes and regulations as applicable to an organization
  Data protection definition
  Explanation for data protection process in an organization
  The importance of data protection and security regulation
    The importance of data protection
    The importance of security regulation
P7 Design and implement a security policy for an organization
  Definition of a security policy and discussion
    Definition of security policy
    Discussion on policies
  The example for each of the policies
  The most and should that must exist while creating a policy
    The three most common elements
    The three most common elements
  Give the steps to design a policy
P8 The main components of an organizational disaster recovery plan, justifying the reasons for inclusion
  Discussion and explanation about business continuity
  The components of recovery plan
  All the steps required in disaster recovery process
  The policies and procedures that are required for business continuity
Conclusion
References

Figure 1: Assets
Figure 2: Threats
Figure 3: CIA Triad
Figure 4: AAA
Figure 5: GDPR
Introduction:
I work for a security consulting business as an IT Security Specialist. After hearing about security breaches in the media, "Bike Bling Store", a manufacturing firm in Ho Chi Minh City that develops bicycle components for export, asked my company to advise on a privacy policy for the company.

P5 Discuss risk assessment procedures.

Definition of a security risk:


A Security Risk Assessment (or SRA) is an assessment that involves identifying
the risks in your company, your technology and your processes to verify that
controls are in place to safeguard against security threats. Security risk
assessments are typically required by compliance standards, such as PCI-DSS
standards for payment card security. They are required by the AICPA as part of
a SOC II audit for service organizations and are also requirements for ISO
27001, HITRUST CSF and HIPAA compliance, just to name a few. Because of
this, security risk assessments can go by many names, sometimes called a risk
assessment, an IT infrastructure risk assessment, a security risk audit, or
security audit. (adserosecurity, 2023)

Risk assessment procedures.

➢ Identify hazards.
Survey the workplace and look at what could reasonably be expected to cause harm. Identify common workplace hazards. Check the manufacturer’s or suppliers’ instructions or data sheets for any obvious hazards. Review previous accident and near-miss reports. Efficiently identify hazards by using a hazard identification checklist. This ensures everything is discovered during risk assessment and hazard identification, which prevents risks from escalating.

➢ Evaluate the risks.
To evaluate a hazard’s risk, you have to consider how, where, how much, and how long individuals are typically exposed to a potential hazard. Assign a risk rating to your hazards with the help of a risk matrix. Using a risk matrix can help measure the level of risk per hazard by considering factors such as the likelihood of occurrence and the severity of potential injuries. Meanwhile, performing an environmental analysis lets you gauge potential risks and their impacts on your business environment.

➢ Decide on control measures to implement.
After assigning a risk rating to an identified hazard, it’s time to come up with effective controls to protect workers, properties, civilians, and/or the environment. Follow the hierarchy of controls in prioritizing implementation of controls.

➢ Document your findings.
It is important to keep a formal record of risk assessments. This can help your organization keep track of hazards, risks, and control measures. Documentation may include a detailed description of the process in assessing the risk, an outline of evaluations, and detailed explanations on how conclusions were made.

➢ Review your assessment and update if necessary.
Follow up with your assessments and see if your recommended controls have been put in place. If the conditions on which your risk assessment was based change significantly, use your best judgment to determine if a new risk assessment is necessary. (safetyculture, 2023)
Definition of assets:
An asset is any resource or good used to generate cash flow, reduce expenses, or provide future economic benefits for an individual, government, or business. Assets contain economic value and can benefit a company’s operations, increase the value of a business, or raise an individual’s net worth.

Personal assets refer to those owned by an individual, while business assets refer to those owned by a corporation or company. Assets can be physical or intangible, currently available to sell or available for long-term sale, or used for the daily operation of a business. You can calculate a company’s equity, solvency, or financial health by subtracting its liabilities—meaning outstanding debts or accounts payable—from the value of its total assets. (MasterClass, 2021)

Figure 1: Assets

Definition of threats:
In cybersecurity, the most common understanding of a threat is anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people and more. (Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)

A more advanced definition of threat is when an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers. Examples of this can include malware, ransomware, phishing attacks and more — and the types of threats out there will continue to evolve. (Kidd, 2022)

Figure 2: Threats

Discussion on threat identification procedures with examples:

Threat identification examples
Threat detection is commonly defined as an activity that involves identifying dangers within an organization. This work is frequently at least partially automated and includes vast amounts of data processing, especially in bigger environments. In reality, for enhanced threat detection in most modern enterprises, automation is becoming a necessity.

Common examples of cyber threats include:

• Malware: Malware breaches the network through vulnerabilities, and includes spyware, ransomware, viruses, and worms.

• Privilege misuse: Utilizing the privileges associated with a particular account to do harm in the company network.

• Social engineering: Attackers deceive users into divulging confidential information that can be used for fraudulent purposes.

• Denial of service (DoS): DoS floods systems, servers or networks with traffic to exhaust resources and bandwidth, making systems unavailable to legitimate requests.

• Human error: Unintentional actions - or lack of action - by users that cause or allow a breach to occur, usually misconfigurations, misdeliveries or publishing errors.

• Advanced persistent threats: An adversary gets access to the network and remains there undetected for an extended period of time - giving them time to plant their attack.

• Ransomware: Encrypts the victim's files and demands a ransom to restore access to the data. (logpoint, 2020)

Threat identification procedures.

When performing threat modeling, several processes and aspects should be included. Failing to include one of these components can lead to incomplete models and can prevent threats from being properly addressed.

Five key steps in the threat identification process:

➢ Apply threat intelligence.
This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities, and motivations of attackers.

➢ Identify assets.
Teams need a real-time inventory of components, credentials, and data in use, where those assets are located, and what security measures are in use. This inventory helps security teams track assets with known vulnerabilities. A real-time inventory enables security teams to gain visibility into asset changes. For example, getting alerts when assets are added with or without authorized permission can potentially signal a threat.

➢ Identify mitigation capabilities.
Mitigation capabilities generally refer to technology to protect, detect, and respond to a certain type of threat, but can also refer to an organization’s security expertise, abilities, and processes. Assessing your existing capabilities will help you determine whether you need to add additional resources to mitigate a threat. For example, if you have enterprise-grade antivirus, you have an initial level of protection against traditional malware threats. You can then determine if you should invest further, for example, to correlate your existing AV signals with other detection capabilities.

➢ Assess risks.
Risk assessments correlate threat intelligence with asset inventories and current vulnerability profiles. These tools are necessary for teams to understand the current status of their systems and to develop a plan for addressing vulnerabilities. Risk assessments can also involve the active testing of systems and solutions, for example, penetration testing to verify that security measures and patching levels are effective.

➢ Perform threat mapping.
Threat mapping is a process that follows the potential path of threats through your systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defences can be more effectively layered or applied. (Gonzalez, 2022)

Explanation for the risk assessment and procedure:

Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify these inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations. (Cole, 2023)

The risk assessment process is a systematic method for detecting, assessing, and evaluating possible hazards and dangers to persons, organizations, or systems. It assists stakeholders in understanding hazards and risks, determining their severity, and deciding on management actions and priorities.
List of risk identification and steps:
Risk assessment steps:

• Step 1: Identify the hazards. The first step in a risk assessment is to identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessment include natural disasters, utility outages, cyberattacks and power failure.

• Step 2: Determine what, or who, could be harmed. After the hazards are identified, the next step is to determine which business assets would be negatively influenced if the risk came to fruition. Business assets deemed at risk to these hazards can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.

• Step 3: Evaluate the risks and develop control measures. A risk analysis can help identify how hazards will impact business assets and the measures that can be put into place to minimize or eliminate the effect of these hazards on business assets. Potential hazards include property damage, business interruption, financial loss and legal penalties.

• Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks and plans to prevent the hazards.

• Step 5: Review and update the risk assessment regularly. Potential hazards, risks and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes. (Cole, 2023)
List of risks:

Risk: Natural disaster
Likelihood: Medium
Impact: High
Mitigation: Conduct risk assessments, create emergency plans, put early warning systems in place, reinforce infrastructure, protect ecosystems, promote public awareness, and put public finance mechanisms in place. Work on your recuperation. By putting these mitigation measures in place, society may better prepare for catastrophes, safeguard lives and property, and encourage long-term development in disaster-prone areas.

Risk: Security risks
Likelihood: Medium
Impact: High
Mitigation: Implement robust cybersecurity measures, conduct regular security audits, train employees on best practices.

Risk: Supply chain risks
Likelihood: High/Medium
Impact: High/Medium
Mitigation: Maintain financial discipline, conduct thorough financial analysis, establish financial risk management strategies.

Risk: Technological risks
Likelihood: Medium
Impact: High/Medium
Mitigation: Regularly update technology infrastructure, conduct security audits, implement backup systems.

Risk: Cybersecurity risk
Likelihood: High
Impact: High
Mitigation: Implement robust cybersecurity measures, such as firewalls, antivirus software, encryption, and regular system updates. Conduct regular security audits, provide employee training on cybersecurity best practices, and establish incident response plans.

P6 Explain data protection processes and regulations as applicable to an organization.

Data protection definition:

Data protection is the process of protecting data and involves the relationship
between the collection and dissemination of data and technology, the public
perception and expectation of privacy and the political and legal underpinnings
surrounding that data. It aims to strike a balance between individual privacy
rights while still allowing data to be used for business purposes. (Rouse, 2022)

Data protection is also known as data privacy or information privacy.

Explanation for data protection process in an organization:
Data protection is a critical aspect of ensuring the confidentiality, integrity, and availability of sensitive information within an organization. The data protection process involves implementing measures to safeguard data from unauthorized access, loss, or corruption. Here is an overview of the data protection process in an organization:
CIA Triad:

• Confidentiality
Confidentiality means that only authorized individuals/systems can view sensitive or classified information. The data being sent over the network should not be accessed by unauthorized individuals. An attacker may try to capture the data using different tools available on the Internet and gain access to your information. A primary way to avoid this is to use encryption techniques to safeguard your data, so that even if the attacker gains access to your data, he/she will not be able to decrypt it. Encryption standards include AES (Advanced Encryption Standard) and DES (Data Encryption Standard). Another way to protect your data is through a VPN tunnel. VPN stands for Virtual Private Network and helps the data to move securely over the network.

• Integrity
The next thing to talk about is integrity. The idea here is to make sure that data has not been modified. Corruption of data is a failure to maintain data integrity. To check whether our data has been modified or not, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5 (Message Digest 5). MD5 is a 128-bit hash and SHA is a 160-bit hash if we’re using SHA-1. There are also other SHA methods that we could use, like SHA-0, SHA-2, and SHA-3.

• Availability
This means that the network should be readily available to its users. This applies to systems and to data. To ensure availability, the network administrator should maintain hardware, make regular upgrades, have a plan for fail-over, and prevent bottlenecks in a network. Attacks such as DoS or DDoS may render a network unavailable as the resources of the network get exhausted. The impact may be significant to the companies and users who rely on the network as a business tool. Thus, proper measures should be taken to prevent such attacks. (geeksforgeeks, 2023)
Figure 3: CIA Triad
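The integrity check described under the CIA triad above, as an added Python example that is not part of the original assignment: it reports the digest sizes the text quotes for MD5 and SHA-1, detects an altered record, and shows why a bare digest sent along with the data is not enough on its own (a keyed HMAC is used here as the stronger form; the order record and the shared key are constructed sample values).

```python
import hashlib
import hmac

# Constructed sample record (not from the original document): one line of
# order data as it might travel over the network, and a copy altered in transit.
ORIGINAL = b"order=4711;part=crankset;qty=200;unit_price=35.00\n"
TAMPERED = b"order=4711;part=crankset;qty=200;unit_price=3.00\n"

# Assumed shared secret between sender and receiver, used for the keyed check.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def digest_bits(algorithm: str) -> int:
    """Output size of a hash algorithm in bits (MD5 is 128, SHA-1 is 160)."""
    return hashlib.new(algorithm).digest_size * 8


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest that acts as a fingerprint of the data."""
    return hashlib.new(algorithm, data).hexdigest()


def integrity_ok(data: bytes, stored_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it with the one stored or sent alongside."""
    return hmac.compare_digest(fingerprint(data, algorithm), stored_hex)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag for the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_integrity_ok(data: bytes, tag_hex: str, key: bytes) -> bool:
    """Recompute the keyed tag with the receiver's copy of the key and compare."""
    return hmac.compare_digest(keyed_tag(data, key), tag_hex)


def demo() -> dict:
    """Walk through the integrity check with the constructed record."""
    sizes = {alg: digest_bits(alg) for alg in ("md5", "sha1", "sha256")}
    sent_digest = fingerprint(ORIGINAL)
    # Receiver side: the untouched record verifies, the altered one does not.
    clean_passes = integrity_ok(ORIGINAL, sent_digest)
    altered_fails = not integrity_ok(TAMPERED, sent_digest)
    # Limit of a bare hash: if the digest travels with the data, whoever changes
    # the data can recompute the digest as well, and the check still passes.
    recomputed_passes = integrity_ok(TAMPERED, fingerprint(TAMPERED))
    # With a keyed tag the receiver recomputes using the shared key, so a tag
    # produced without that key does not verify.
    sent_tag = keyed_tag(ORIGINAL, SHARED_KEY)
    keyed_clean_passes = keyed_integrity_ok(ORIGINAL, sent_tag, SHARED_KEY)
    forged_tag = keyed_tag(TAMPERED, b"guessed-key")
    keyed_forgery_fails = not keyed_integrity_ok(TAMPERED, forged_tag, SHARED_KEY)
    return {
        "sizes": sizes,
        "clean_passes": clean_passes,
        "altered_fails": altered_fails,
        "recomputed_passes": recomputed_passes,
        "keyed_clean_passes": keyed_clean_passes,
        "keyed_forgery_fails": keyed_forgery_fails,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```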

AAA

• Authentication
The process of identifying whether the user that wants to access the network resources is valid or not by asking for credentials such as a username and password. Common methods are to put authentication on the console port, AUX port, or vty lines.
As network administrators, we can control how a user is authenticated if someone wants to access the network. Some of these methods include using the local database of that device (router) or sending authentication requests to an external server like the ACS server. To specify the method to be used for authentication, a default or customized authentication method list is used.

• Authorization
It provides capabilities to enforce policies on network resources after the user has gained access to the network resources through authentication. After authentication is successful, authorization can be used to determine what resources the user is allowed to access and the operations that can be performed.

• Accounting
It provides a means of monitoring and capturing the events performed by the user while accessing the network resources. It even monitors how long the user has access to the network. The administrator can create an accounting method list to specify what should be accounted for and to whom the accounting records should be sent. (saurabhsharma56, 2021)

Figure 4: AAA

GDPR

The General Data Protection Regulation (GDPR) is legislation that updated and
unified data privacy laws across the European Union (EU). GDPR was approved
by the European Parliament on April 14, 2016 and went into effect on May 25,
2018.

The purpose of the GDPR is to protect individuals and the data that describes them and to ensure the organizations that collect that data do so in a responsible manner. The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage." (Castagna, 2021)

Figure 5: GDPR

Data protection entails safeguarding sensitive information so that enterprises may utilize it for commercial reasons without jeopardizing customer privacy. As a result, a data protection program is the multi-step process of putting such security measures in place. An efficient data security program reduces your sensitive data footprint while also assisting in keeping business-critical and regulated data secure and out of the hands of attackers.

• Define sensitive data: Sensitive data is any data that, if lost, stolen, or exposed, could financially hurt your organization, cause reputational damage, or harm the data owner. The first step in creating a data protection program is to determine which information your organization collects meets the definition of sensitive. This will clarify exactly which data needs to be protected and the legal regulations that cover it.

• Understand the data lifecycle: To protect your sensitive data most effectively, you need to understand its lifecycle. The data lifecycle stages include creating, storing, using, sharing, archiving, and destroying. Knowing the stage of each piece of sensitive data determines in large part which policies and tools you should implement to best protect it at each point of its lifecycle.

• Know which sensitive data regulations you are subject to: Compliance is the other major factor influencing the policies and tools you implement to protect your organization’s data. For example, storage practices must include encryption and firewalls to comply with data privacy regulations. They also call for access controls and audit logs to trace data use and sharing back to an individual. Lastly, regulations often require data to be disposed of in a timely and secure manner, so policies need to be implemented to ensure compliance.

• Decide who can access the information: Access to sensitive data should only be given to employees needing it to fulfil their job responsibilities. To ensure this, require authentication and authorization permissions to access certain data. All authenticated individuals should have permission roles assigned to them. Not everyone needs modification abilities, and only those requiring this access should be allowed. Assigning roles such as viewer, editor, and administrator can help limit opportunities for sensitive data misuse.

• Involve all employees in security awareness: Your organization must educate all individuals, even those who don’t touch any sensitive data, about the data security responsibilities attached to certain roles. Everyone should understand that their actions regarding sensitive data can directly affect the organization’s success and reputation, as this will help employees recognize and call out improper handling of sensitive data, as well as prevent any inadvertent sharing of it.

• Conduct regular backups: In addition to fortifying your data’s storage locations, be prepared to back up that data as often as needed and have different, yet just as secure, places available to store it. For example, if your primary storage is cloud-based, consider backing up to a physical location. In the case of a breach, you can use these backups to restore lost or corrupted data, which can ultimately lessen the financial blow to your organization.

• Document any processes using sensitive data: Many data privacy regulations require you to be able to share with consumers how their sensitive data is being used in your organization’s business processes. By documenting the types of data collected, contexts of use, and collection, storage, and sharing methods, you uphold compliance while also gaining a clearer picture of the data you possess and how it’s handled. In the unfortunate case of a compromise, you can audit this documentation to identify where in your organization’s process or infrastructure (or with whom) a vulnerability resides.

• Take inventory of your data: Everything — from security to compliance — begins with locating your sensitive data. To find it, look at cloud repositories, physical file servers, computer hard drives, HR databases, your CMDB or eGRC platform, and any other system of record. Once you identify sensitive data, you know exactly what to protect to uphold compliance and reduce the risk of data breaches. You’re able to apply increased security measures for all existing data at the various stages of its lifecycle and will be better prepared to handle the creation of new data moving forward.

• Plan to organize the data you want to protect: To protect data and meet compliance requirements, you must classify data according to its level of sensitivity. Classification systems help you set those use and modification access controls we mentioned earlier, acting as a natural next step to protect data once discovery is complete. Classification schemes you can use include role-based, data-oriented, access- or location-based, and hybrid. Most organizations categorize or bucket data as variations of a four-level data classification schema — public, private, confidential, and restricted. (SPIRION, 2021)
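The "decide who can access the information" and "plan to organize the data" steps above, together with the authorization and accounting parts of AAA, combined into one added Python example that is not part of the original assignment: a check that grants an operation only when both the user's role (viewer, editor, administrator) permits it and the user's clearance covers the record's classification (public, private, confidential, restricted), and that records every decision as an accounting entry. The operations assigned to each role, the staff, and the records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four-level classification schema from the text, least to most sensitive.
CLASSIFICATION_RANK = {"public": 0, "private": 1, "confidential": 2, "restricted": 3}

# The viewer/editor/administrator roles from the text, mapped to the operations
# each may perform. Which operations each role gets is an assumption made here.
ROLE_OPERATIONS = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "modify"}),
    "administrator": frozenset({"read", "modify", "delete", "share"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str  # highest classification level this user may handle


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str


@dataclass
class DataGuard:
    """Authorization plus accounting: every decision is recorded, allowed or not."""

    audit_log: list = field(default_factory=list)

    def authorize(self, user: User, item: DataItem, operation: str) -> bool:
        # Fail closed: an unknown role or classification never grants access.
        permitted_ops = ROLE_OPERATIONS.get(user.role, frozenset())
        item_rank = CLASSIFICATION_RANK.get(item.classification)
        user_rank = CLASSIFICATION_RANK.get(user.clearance)
        role_ok = operation in permitted_ops
        level_ok = item_rank is not None and user_rank is not None and item_rank <= user_rank
        allowed = role_ok and level_ok
        reason = "ok" if allowed else ("role" if not role_ok else "classification")
        # Accounting record: who tried what, on which record, and the outcome.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name, "role": user.role, "item": item.name,
            "classification": item.classification, "operation": operation,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def denials(self) -> list:
        """Denied attempts are what a reviewer of the accounting records reads first."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def demo() -> dict:
    """Constructed sample: staff and records of the bicycle-component exporter."""
    guard = DataGuard()
    warehouse_clerk = User("clerk", "viewer", "private")
    product_manager = User("pm", "editor", "confidential")
    it_admin = User("admin", "administrator", "restricted")
    catalogue = DataItem("public catalogue", "public")
    customer_list = DataItem("export customer list", "confidential")
    payroll = DataItem("payroll", "restricted")
    results = {
        "clerk_reads_catalogue": guard.authorize(warehouse_clerk, catalogue, "read"),
        "clerk_reads_customers": guard.authorize(warehouse_clerk, customer_list, "read"),
        "pm_modifies_customers": guard.authorize(product_manager, customer_list, "modify"),
        "pm_deletes_customers": guard.authorize(product_manager, customer_list, "delete"),
        "pm_reads_payroll": guard.authorize(product_manager, payroll, "read"),
        "admin_shares_payroll": guard.authorize(it_admin, payroll, "share"),
    }
    denied = guard.denials()
    results["denied_count"] = len(denied)
    results["first_denial_reason"] = denied[0]["reason"] if denied else None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```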

The importance of data protection and security regulation.
The importance of data protection.
Data protection is of utmost importance for organizations due to its significant
impact on various aspects of their operations. It ensures the confidentiality,
integrity, and availability of sensitive information, thereby safeguarding
individuals' privacy rights. Compliance with data protection regulations helps
organizations avoid legal consequences and maintain a positive reputation.
Effective data protection practices contribute to building trust with customers
and partners, enhancing business continuity, protecting intellectual property,
and mitigating financial and legal risks. By prioritizing data protection,
organizations can create a secure environment, foster customer confidence and
loyalty, and maintain a competitive advantage in today's data-driven landscape.

The importance of security regulation.

Security regulations play a vital role in safeguarding sensitive information, mitigating risks, promoting cybersecurity, building trust, and avoiding legal and reputational consequences. They provide guidelines and standards for protecting data, establishing security measures, and ensuring compliance. By adhering to security regulations, organizations can demonstrate their commitment to protecting valuable assets, maintain the trust of stakeholders, and contribute to a secure and resilient environment. Compliance with these regulations fosters a culture of security, reduces vulnerabilities, and enhances overall protection against threats in today's digital landscape.

P7 Design and implement a security policy for an organization.

Definition of a security policy and discussion.


Definition of security policy:
A security policy is a document that states in writing how a company plans to
protect its physical and information technology (IT) assets. Security policies are
living documents that are continuously updated and changing as technologies,
vulnerabilities and security requirements change.

A company's security policy may include an acceptable use policy. These
describe how the company plans to educate its employees about protecting the
company's assets. They also include an explanation of how security
measures will be carried out and enforced, and a procedure for evaluating
the effectiveness of the policy to ensure that necessary corrections are made.
(Lutkevich, 2021)

Discussion on policies:
1) Human resource policy (HR):
HR policies are a written source of guidance on how a wide range of issues
should be handled within an organization. They include a description of
principles, rights and responsibilities for managers and employees. They play
a key role in supporting fairness and consistency across an organization, as
well as potentially helping to protect the organization against legal claims.
However, no matter how well any policy is written, it’s their effective
communication and implementation, particularly by line managers, that’s
crucial in ensuring their effectiveness.
HR policies provide general and practical advice and guidance for managers
and staff on a range of employment issues. (FACTSHEET, 2022)

2) Incident response policy (IR):
An incident response policy is a detailed document that specifies how an
organization prepares itself for cybersecurity incidents. It defines the
organization's approach and strategy to incident response, the resources
allocated to incident response, those responsible for incident response in the
organization, relevant tools and resources, and how to implement an incident
response operation in the company.

Part of an incident response policy is a detailed plan outlining how incident
responders should detect, contain, and eradicate cyber threats, known as an
incident response plan. (bluevoyant, 2023)

3) Disaster recovery policy (DR):
The purpose of a disaster recovery policy is to identify critical business
assets, and define activities needed to ensure their continuity in a disaster.
The policy can cover any assets essential for business operations (equipment,
software, physical facilities, and even employees) and determines what steps
the business will take to protect and recover them.

A disaster recovery policy defines, concretely, how the organization will
behave when a disaster occurs. A disaster recovery plan alone cannot
guarantee business continuity without a practical policy that is well
understood and practiced by all relevant stakeholders. (cloudian, 2023)

4) Security policy (SP):


A security policy is a written document in an organization outlining how to
protect the organization from threats, including computer security threats,
and how to handle situations when they do occur. A security policy must
identify all of a company's assets as well as all the potential threats to those
assets. Company employees need to be kept updated on the company's
security policies. The policies themselves should be updated regularly as
well. (Rouse, 2022)

5) Acceptable use policy (AUP):
An acceptable use policy (AUP) is a document that specifies the restrictions
and procedures that a user must follow in order to get access to a business
network, the internet, or other resources. Before being awarded a network
ID, many companies and educational institutions ask employees or students
to sign an AUP. (Kirvan, 2022)

An example for each of the policies:

Policy: Human Resource Policy
Example:
• Employees must comply with all applicable laws, regulations, and company policies relevant to their job responsibilities.
• Any illegal activities or actions that violate laws or regulations may lead to disciplinary action, including termination of employment.
• Employees must protect confidential company information, customer data, and any proprietary or classified information.
• Unauthorized disclosure, misuse, or access to confidential information is strictly prohibited.

Policy: Incident Response Policy
Example:
• All employees must promptly report any suspected or observed security incidents to the designated incident response team or the IT department.
• Incidents should be reported through the official incident reporting channels, ensuring that necessary details, such as the date, time, location, and description of the incident, are provided.
• Incidents will be classified based on severity and potential impact to prioritize response efforts.
• Incident classification levels, such as low, medium, and high, will be defined, with corresponding response actions for each level.

Policy: Disaster Recovery Policy
Example:
• Regular backups of critical data will be performed and stored in secure off-site locations.
• Backup procedures will be documented, including the frequency of backups, storage locations, and verification processes.
• Procedures for data restoration will be established and regularly tested to ensure data integrity and accessibility during recovery.

Policy: Security Policy
Example:
• Access to information systems, networks, and data will be granted based on the principle of least privilege, ensuring that users have only the necessary access rights for their job functions.
• User accounts and access privileges will be regularly reviewed and revoked promptly upon termination of employment or contract.
• Confidential and sensitive data will be protected using appropriate encryption methods during storage, transmission, and processing.

Policy: Acceptable Use Policy
Example:
• Do not use someone else's account or share personal accounts with others.
• Do not install or use unauthorized software or software without proper licensing.
• Do not perform any actions that may cause harm to the system, such as network attacks or virus infections.
The musts and shoulds that must exist while creating a policy.

When your policy contains the following characteristics, you know it's good:

• It is written in simple terms and clear language.
• It has well-defined procedures. The procedures should clearly indicate
how instructions in the policy should be carried out.
• The policy takes into consideration the benefits of the employees,
making sure the rules are fair.
• It is easy to understand so that employees can easily adhere to the
rules.
• It isn't totally restrictive. Where possible, your policy should present the
employees with options. Making people choose gives them a sense of
ownership.

Knowing what to do and what not to do while developing a policy is critical for
avoiding costly blunders. The following are some things you should and should
not do:

• Policies should be written in formats that are standardized: An
important feature that every policy should have is that it must be easily
read and understood. A standard writing format and writing style makes
it easy for your employees to search the policy, its sections and
subsections, and get whatever they need without difficulty.

• It should be written by an expert familiar with the organization: There
are different policies for different issues. Your organization's policy
should be written by an expert who is well versed in the subject your
policy focuses on. The expert should also be familiar with the goals of
your organization, how it is run, and its processes at the time the policy
is written.

• Do not leave your employees out of the policy development process:
Representatives of the staff should be present during the policy
development process, especially at the beginning stage. Your employees
will be much more receptive to the policy if they feel they played a role
in the decision-making process. This creates a positive attitude
throughout the organization.

• Do not neglect policy review: Just as writing a policy is important, so too
is reviewing it. Your organization's policy should be reviewed regularly
as changes within the organization occur. With these basic rules in
mind, it is time to consider the first steps to take after you decide your
organization needs a policy.

The elements of a security policy.

1. Security policy must: All employees must sign a confidentiality agreement to protect sensitive company information.
   Security policy should: Employees should use strong, unique passwords and enable multi-factor authentication for accessing company systems.

2. Security policy must: Access to critical systems and data must be granted based on the principle of least privilege.
   Security policy should: Regular security awareness training should be conducted to educate employees about common security threats and best practices.

3. Security policy must: Encryption must be used for the transmission and storage of sensitive data.
   Security policy should: Regular vulnerability assessments and penetration testing should be conducted to identify and address security weaknesses.

4. Security policy must: Regular backups of critical data must be performed to ensure data integrity and availability.
   Security policy should: Mobile devices should be protected with strong passwords, encryption, and remote wipe capabilities.

5. Security policy must: Incident response procedures must be established and followed in the event of a security breach.
   Security policy should: Employees should report any suspected security incidents or policy violations to the appropriate authorities.

The three most common elements:

• The first component of a security policy is to explicitly state the policy's aim
and scope. This involves establishing the policy's major objectives as well as
the extent of its applicability. Protecting information assets, guaranteeing the
security of systems and networks, complying with relevant laws and
regulations, and assuring the safety and security of personnel and the
company are all possible goals.

• A security policy should provide precise security regulations and methods to
protect the organization's systems and information. This may include
provisions for access rights management, password management, data
encryption, network restrictions, sensitive information handling, and security
incident response and preventative procedures.

• A security policy must include compliance management and monitoring. It
entails designing systems and processes to guarantee policy compliance and
monitoring the efficacy of deployed security measures. This may involve
compliance testing, system monitoring, security testing, risk assessment, and
the implementation of appropriate modifications or improvements.

The elements of a password policy.

1. Password policy must: Passwords must meet a minimum length requirement (e.g., 8 characters).
   Password policy should: Passwords should be unique and not used for multiple accounts.

2. Password policy must: Passwords must include a combination of uppercase and lowercase letters, numbers, and special characters.
   Password policy should: Users should be encouraged to create complex and strong passwords.

3. Password policy must: Passwords must not be reused within a specified number of previous passwords.
   Password policy should: Passwords should not be written down or shared with others.

4. Password policy must: Passwords must be changed at regular intervals (e.g., every 90 days).
   Password policy should: Multi-factor authentication (MFA) should be implemented for additional security.

5. Password policy must: Failed login attempts must be limited, and temporary lockouts should be implemented after a certain number of unsuccessful attempts.
   Password policy should: Users should be educated about phishing attacks and the importance of protecting their passwords.

The three most common elements:

• A password security policy should specify the complexity requirements for
passwords. This includes guidelines for creating strong passwords that are
resistant to guessing or brute-force attacks. Common requirements include a
minimum password length, the use of a combination of uppercase and
lowercase letters, numbers, and special characters. The policy may also
prohibit the use of easily guessable or commonly used passwords.

• A password security policy should outline best practices for managing
passwords. This includes guidelines for regularly changing passwords to
mitigate the risk of password compromise. The policy may also recommend
not reusing passwords across different systems or accounts and discouraging
the sharing of passwords. Additionally, it may require the use of password
management tools to securely store and generate complex passwords.

• A password security policy should address the storage and protection of
passwords within the organization's systems and databases. This may include
requirements for securely storing passwords using encryption or hashing
techniques to protect them from unauthorized access. The policy may also
address the handling of temporary or default passwords and the procedures
for resetting or recovering forgotten passwords.
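As an added example (not part of the original assignment), the following Python model enforces the "must" rules from the password policy table above together with the storage element just described: minimum length, character classes, no reuse within the last N passwords, a 90-day maximum age, and a temporary lockout after repeated failures, with only salted PBKDF2 hashes kept on record. The history depth, lockout threshold, lockout duration and iteration count are assumed values chosen for the demonstration.

```python
"""Password policy enforcement model (added example, constructed values)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_LENGTH = 8                        # table row 1: e.g., 8 characters
HISTORY_DEPTH = 5                     # table row 3: assumed "specified number"
MAX_AGE = timedelta(days=90)          # table row 4: e.g., every 90 days
MAX_FAILED = 5                        # table row 5: assumed lockout threshold
LOCKOUT = timedelta(minutes=15)       # table row 5: assumed lockout duration
PBKDF2_ITERATIONS = 100_000           # kept low for a fast demo; production uses more


def complexity_errors(password: str) -> List[str]:
    """Return the list of 'must' complexity rules the password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(not c.isalnum() for c in password):
        errors.append("no special character")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous hashes
    failed: int = 0
    locked_until: Optional[datetime] = None


def set_password(acct: Account, new: str, now: Optional[datetime] = None) -> List[str]:
    """Apply rows 1-3 of the table; return [] on success or the violated rules."""
    now = now or datetime.now(timezone.utc)
    errors = complexity_errors(new)
    previous = list(acct.history)
    if acct.digest:                      # the current password also counts as "previous"
        previous.append((acct.salt, acct.digest))
    if any(matches(new, s, d) for s, d in previous):
        errors.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    if acct.digest:
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
    acct.salt, acct.digest = hash_password(new)
    acct.changed_at = now
    return []


def authenticate(acct: Account, attempt: str, now: Optional[datetime] = None) -> str:
    """Apply rows 4-5: returns 'ok', 'denied', 'locked' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    if acct.locked_until and now < acct.locked_until:
        return "locked"
    if not matches(attempt, acct.salt, acct.digest):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:    # temporary lockout after repeated failures
            acct.locked_until = now + LOCKOUT
            acct.failed = 0
            return "locked"
        return "denied"
    acct.failed = 0
    if now - acct.changed_at > MAX_AGE:  # password older than the change interval
        return "expired"
    return "ok"
```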

The steps to design a policy.

• Assess the need: Determine the reasons why the policy is necessary,
considering factors like regulations, corporate demands, and consumer
expectations.

• Establish the policy's scope: Clearly define the boundaries of the policy and
ensure that it covers all relevant areas.

• Formulate a policy team: Select a group of knowledgeable specialists to
develop the policy, ensuring they have expertise in the subject matter.

• Develop the policy: Create a clear, concise, and easily understandable policy
document that meets the requirements.

• Conduct policy review: Review the policy to ensure compatibility with existing
policies and alignment with corporate goals.

• Seek feedback: Share the proposed policy with stakeholders and incorporate
their input and suggestions as appropriate.

• Obtain approval: Seek approval from top management after reviewing the
policy and making any necessary revisions.

• Communicate the policy: Distribute the approved policy and procedures to
relevant staff, ensuring their understanding of the policy and its implications.

• Monitor compliance: Regularly monitor compliance with the policy and take
corrective action if needed.

• Review and update: Periodically review and update the policy to maintain its
relevance and effectiveness.

P8 The main components of an organizational disaster recovery plan,
justifying the reasons for inclusion.

Discussion and explanation about business continuity


Business continuity is an organization's ability to maintain essential functions during
and after a disaster has occurred. Business continuity planning establishes risk
management processes and procedures that aim to prevent interruptions to mission-
critical services and reestablish full function to the organization as quickly and
smoothly as possible.

The most basic business continuity requirement is to keep essential functions up and
running during a disaster and to recover with as little downtime as possible. A
business continuity plan considers various unpredictable events, such as natural
disasters, fires, disease outbreaks, cyberattacks and other external threats.
Business continuity is important for organizations of any size, but it might not be
practical for any but the largest enterprises to maintain all functions for the duration
of a disaster. According to many experts, the first step in business continuity planning
is deciding what functions are essential and allocating the available budget
accordingly. Once crucial components have been identified, administrators can put
failover mechanisms in place. (Sullivan, 2020)

The components of a recovery plan

There are seven main components of any good disaster recovery plan. These include
mapping out your assets, identifying your assets' criticality and context, conducting
a risk assessment, defining your recovery objectives, choosing a disaster recovery
setup, budgeting for your setup, and testing and reviewing the plan.

• Take Inventory of IT Assets: You'll first need to map out all your assets to
identify which will need protection. Assets might include network equipment,
hardware, software, cloud services and critical data. Building a list of assets,
though tedious, will allow for a comprehensive understanding of your
business's systems. Update your list regularly as assets are added, removed,
or modified, and use it as an opportunity to clean out unnecessary data.

• Sort Assets According to Criticality and Context: Now that you’ve taken
inventory of your assets, you need to look at them contextually. How does
your business use these assets? In the case of a disaster, which assets would
have the most significant impact if compromised or lost? Go through all your
mapped assets and classify them according to impact, from high to low.

• Assess Potential Risks: Not all threats are created equal. What are the biggest
threats to your business as a whole? Which assets are these threats likely to
target? Critical systems staff are knowledgeable about the most likely
potential causes of service disruption, so getting their input at this stage is
invaluable. You can’t anticipate all potential threats, but you can build an
effective plan by weighing the probability and scale of each.

• Define Your RTO and RPO: Recovery objectives should be categorized into
recovery time objectives (RTO) and recovery point objectives (RPO). RTO
refers to the amount of time your assets can be down before recovery, and
RPO refers to how much data you are willing to lose. These objectives should
be defined in the early stages of your disaster recovery plan so that a proper
setup can be chosen accordingly.
• Select A Disaster Recovery Setup: Having a remote data storage solution is
essential to protect your assets from cyber-attacks and natural disasters that
may physically damage your assets. With your required setup mapped out,
select the cloud services, software, hardware, and partners that you’ll need to
achieve this setup.

• Propose A Budget: All businesses should have a disaster recovery plan,
regardless of the resources they have available. Stress the importance of
disaster recovery to senior management, but present several options based on
different price points.

• Test and Review: In the final stage, the disaster recovery plan will need to be
tested and reviewed to ensure it’s ready. All staff members must understand
what their role is in the case of an actual disaster. Conduct a disaster drill to
test the plan itself and analyse how staff act and respond to the threat. If it
doesn’t go as smoothly as you’d like, modify the plan accordingly. (GUERRA,
2020)

All the steps required in the disaster recovery process:

It’s clear that businesses must plan for the worst. Human and mechanical disasters
are inevitable and can cause all sorts of mayhem unless a robust disaster recovery
plan has been set in place.

Here are seven essential steps to creating a successful disaster recovery plan.

• Create your disaster recovery contingency planning team.

Your first step is to select the employees who will form your contingency
planning team.

You’ll need a good mix here, so consider choosing people who can bring a
variety of perspectives on the company’s vulnerabilities to the table. Make
sure you include representatives from all the main departments within your
business, including HR, facilities and high-level managers.

• List all names and contact details.

Next, create a list of all employees' names with all methods of communication
for each one, ensuring that this is regularly updated. You may need to access
this info quickly, so it needs to be accurate. Communication should include
personal and work contact details.

• Determine a chain of command.

A system disaster is a high-stress event. This means that a clear chain of
command and authority needs to be put in place well in advance to determine
who's in charge if and when any key personnel are missing.

During a critical incident, this will help your whole team understand who’s in
charge in the chaos that may ensue after a disaster has taken place.

• Consider your risk assessment.

When creating your disaster recovery plan, preparation is everything. So
review as many potential disaster scenarios as you can, and create a checklist
of things that might possibly go wrong. Then consider how each one of those
situations would affect your core business, your revenue streams, your
customer service and your employees.

• Do you have a 'Plan B'?

Your 'Plan B' planning is when you think about what'll happen if your primary
disaster recovery plan is not actionable.

For example, if your usual premises are unavailable, you'll need to consider if
employees can work from home or if you can share the facilities of another
company temporarily. Your top priority may well be keeping your revenue
flowing, in which case you'll need to consider what people, equipment, space,
supplies, or services are needed to avoid any downtime.

• Protect your company data.

Data loss can have a huge impact on your business. Data protection and
recovery is a key aspect of all disaster recovery planning, so getting on top of
it will result in good business continuity.

Bare Machine Recovery (BMR) provides a complete protection solution,
assisting in the rapid recovery of machines to a pre-disaster state. Replication
software can also help you quickly clone your systems to another
environment, for example a virtual network or into the cloud.

• Test, test and test again!

We suggest that you run a regular testing drill to make sure your new disaster
recovery plan actually works. And scheduling regular recovery simulations
ensures that your systems are up and running before the CEO, and your
customers, even notice! (cristie, 2022)

The policies and procedures that are required for
business continuity:
Policies and procedures are essential elements of disaster recovery planning.
They provide ideas and guidelines for creating and implementing business
continuity strategies. The following are some important policies and procedures
that are commonly required for business continuity:

• Business Continuity Policy: This policy demonstrates the organization's
dedication to ensuring business continuity in the case of interruptions. It
defines the program's goal, scope, and objectives and sets the tone for the
whole planning and execution process.

• Business Impact Analysis (BIA) Procedures: The process of undertaking
a detailed examination of the impact of interruptions on important business
operations is guided by BIA protocols. They explain the approach for analysing
disruptions' financial, operational, and reputational implications and
prioritizing recovery actions based on their criticality.

• Incident Response and Management Procedures: These protocols detail
the measures to be taken during and soon following an event. They outline
incident response teams' duties and responsibilities, the procedure for
activating the response plan, and cooperation with essential parties such as
emergency services and regulatory authorities.

• Crisis Communication Procedures: Communication is critical during a
crisis, and these protocols provide best practices for communicating with
internal and external stakeholders. For various circumstances, they describe
the communication routes, important messages, and accountable persons or
teams. They also describe the procedure for disseminating information,
dealing with media enquiries, and providing frequent updates.

• IT Disaster Recovery Procedures: These processes are aimed at restoring
IT systems and infrastructure. They include the procedures for data backup
and restoration, system recovery, and restoring important IT services. They
also involve the testing and upkeep of IT recovery strategies and processes.

• Alternate Site and Facility Procedures: These procedures guide the shift
to other sites or facilities when the principal site or facility is unavailable. They
describe how to relocate activities, put up interim infrastructure, and ensure
the availability of critical resources.
• Training and Awareness Procedures: These processes guarantee that, during
a disruptive incident, personnel are fully briefed on business continuity
policies, procedures, and their roles and responsibilities. They establish the
training needs, timing, and delivery methods. They also handle awareness
initiatives to foster an organizational culture of business continuity.

Conclusion.
In summary, in this exercise I discussed the risk assessment process, explained
data protection processes and regulations as they apply to an organization,
designed and implemented a security policy for the organization, listed the main
components of the organization's disaster recovery plan, and justified the reasons
for their inclusion.

References

adserosecurity, 2023. SECURITY RISK ASSESSMENT. [Online]
Available at: https://www.adserosecurity.com/security-learning-center/what-is-a-security-risk-assessment/
[Accessed 18 06 2023].

bluevoyant, 2023. What is an Incident Response Policy and How to Create One. [Online]
Available at: https://www.bluevoyant.com/knowledge-center/what-is-an-incident-response-policy-and-how-to-create-one
[Accessed 18 06 2023].

Castagna, R., 2021. General Data Protection Regulation (GDPR). [Online]
Available at: https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR
[Accessed 18 06 2023].

cloudian, 2023. Disaster Recovery Policy: Essential Elements and Best Practices. [Online]
Available at: https://cloudian.com/guides/disaster-recovery/disaster-recovery-policy-essential-elements-and-best-practices/
[Accessed 18 06 2023].

Cole, B., 2023. What is risk management and why is it important? [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/risk-assessment
[Accessed 18 06 2023].

cristie, 2022. 7 Steps to a Successful Disaster Recovery Plan. [Online]
Available at: https://www.cristie.com/news/7-steps-to-a-successful-disaster-recovery-plan-2/
[Accessed 18 06 2023].

FACTSHEET, 2022. HR policies. [Online]
Available at: https://www.cipd.org/uk/knowledge/factsheets/hr-policies-factsheet/
[Accessed 18 06 2023].

geeksforgeeks, 2023. CIA Triad. [Online]
Available at: https://www.geeksforgeeks.org/the-cia-triad-in-cryptography/
[Accessed 18 06 2023].

gibraltarsolutions, 2022. Crafting the Perfect Password Policy: 11 Must-Have Elements. [Online]
Available at: https://gibraltarsolutions.com/blog/password-policy/#:~:text=Password%20policies%20outline%20requirements%20such,accessing%20your%20accounts%20and%20systems.
[Accessed 18 06 2023].

Gonzalez, C., 2022. Top 8 Threat Modeling Methodologies and Techniques. [Online]
Available at: https://www.exabeam.com/information-security/threat-modeling/
[Accessed 18 06 2023].

GUERRA, B., 2020. 7 Components That Make A Great Disaster Recovery Plan. [Online]
Available at: https://www.axiom.tech/7-components-that-make-a-great-disaster-recovery-plan/
[Accessed 18 06 2023].

Kidd, C., 2022. Security 101: Vulnerabilities, Threats & Risk Explained. [Online]
Available at: https://www.splunk.com/en_us/blog/learn/vulnerability-vs-threat-vs-risk.html
[Accessed 18 06 2023].

Kirvan, P., 2022. acceptable use policy (AUP). [Online]
Available at: https://www.techtarget.com/whatis/definition/acceptable-use-policy-AUP#:~:text=An%20acceptable%20use%20policy%20(AUP)%20is%20a%20document%20stipulating%20constraints,being%20granted%20a%20network%20ID.
[Accessed 18 06 2023].

logpoint, 2020. What is threat detection? [Online]
Available at: https://www.logpoint.com/en/blog/what-is-threat-detection/
[Accessed 18 06 2023].

Lutkevich, B., 2021. DEFINITION security policy. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/security-policy
[Accessed 18 06 2023].

MasterClass, 2021. What Is an Asset? Definition and Types of Assets. [Online]
Available at: https://www.masterclass.com/articles/what-is-an-asset
[Accessed 18 06 2023].

Rouse, M., 2022. Data Protection. [Online]
Available at: https://www.techopedia.com/definition/29406/data-protection
[Accessed 18 06 2023].

Rouse, M., 2022. Security Policy. [Online]
Available at: https://www.techopedia.com/definition/4099/security-policy#:~:text=A%20security%20policy%20is%20a,situations%20when%20they%20do%20occur.&text=A%20security%20policy%20must%20identify,potential%20threats%20to%20those%20assets.
[Accessed 18 06 2023].

safetyculture, 2023. Risk Assessment. [Online]
Available at: https://safetyculture.com/topics/risk-assessment/
[Accessed 18 06 2023].

saurabhsharma56, 2021. Computer Network | AAA (Authentication, Authorization and Accounting). [Online]
Available at: https://www.geeksforgeeks.org/computer-network-aaa-authentication-authorization-and-accounting/
[Accessed 18 06 2023].

SPIRION, 2021. Ten Steps to an Effective Data Protection Program. [Online]
Available at: https://www.spirion.com/blog/ten-steps-to-an-effective-data-protection-program/
[Accessed 24 06 2023].

Sullivan, E., 2020. What is business continuity and why is it important? [Online]
Available at: https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity
[Accessed 18 06 2023].