ASM2 Security

ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Vo Thi Minh Thu Student ID GCD210164

Class GCD1105 Assessor name Tran Thanh Truc

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature Thu

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
 Summative Feedback:  Resubmission Feedback:

Grade: Assessor Signature: Date:


Lecturer Signature:
Table of Contents

I - Review risk assessment procedures in an organisation (P5)
1. Define a security risk and how to do risk assessment
2. Define assets, threats and threat identification procedures, and give examples
2.1. Asset
2.2. Threat
2.3. Threat identification procedure
3. List risk identification steps
3.1. Identification
3.2. Assessment
3.3. Mitigation
3.4. Prevention
4. Review risk assessment procedures in an organization
II - Explain data protection processes and regulations as applicable to an organisation (P6)
1. Data protection
2. Data protection process in an organization
2.1. Data Loss Prevention (DLP)
2.2. Encryption & Pseudonymization
2.3. Third-party management
3. Why are data protection and security regulation important?
III - Design a suitable security policy for an organisation, including the main components of an organisational disaster recovery plan (P7)
1. Define and discuss a security policy
2. Give an example for each of the policies
2.1. Firewall Rules Policy
2.2. Intrusion Prevention policy
2.3. Secure Communication Policy
2.4. Live Update policy
3. Give the must and should that must exist while creating a policy
4. Explain and write down elements of a security policy, including the main components of an organisational disaster recovery plan
5. Give the steps to design a policy
IV - Discuss the roles of stakeholders in the organisation in implementing security audits (P8)
1. Define stakeholders
2. What are their roles in an organization?
3. Define security audit and state why you need it
4. Recommend the implementation of security audit to stakeholders in an organization
4.1. Policies for business continuity
4.2. Procedures for business continuity
References

Table of Figures

Figure 1: Data protection
Figure 2: Security policy
Figure 3: Firewall Rules Policy
Figure 4: Intrusion Prevention policy
Figure 5: Secure Communication Policy
Figure 6: LiveUpdate policy
Figure 7: Determine the problem
Figure 8: Problem Formulation
Figure 9: Scenario Evaluation
Figure 10: Make a decision
Figure 11: Business continuity
I - Review risk assessment procedures in an organisation (P5)

1. Define a security risk and how to do risk assessment


Risk is the potential for loss or damage when a threat exploits a vulnerability. Financial loss, loss of
privacy, reputational harm, legal consequences and, in the worst case, loss of life are all forms of loss that
a risk can produce.

Risk is often expressed as Risk = Threat x Vulnerability x Consequence, where each factor is scored on a
simple ordinal scale so that risks can be compared and ranked (the product is a ranking aid, not a precise
probability). An organisation reduces its exposure by creating and executing a risk management plan. The
key aspects to consider when developing that plan are:

• Determine risks and requirements. Prioritising the most significant risks that must be handled is vital when
establishing and executing a risk assessment strategy. Although the frequency varies by organisation, this
evaluation must be repeated on a regular schedule and whenever the environment changes materially.

• Include a comprehensive stakeholder perspective. Stakeholders include business owners, staff, customers
and even vendors. All of them can be a source of risk to the organisation, but they can also help to
mitigate it.

• Determine the budget for this activity and assign responsibility for risk management to a core group of
staff.

• Implement the relevant policies and procedures, and ensure that any changes are communicated to the
affected end users.

• Monitor and evaluate the effectiveness of policies and controls. Because the sources of risk change
constantly, the team must be ready to adjust the framework as required, which may include adopting new
monitoring tools and methods.
2. Define assets, threats and threat identification procedures, and
give examples
2.1. Asset
An asset is any data, device, or other component of the environment that supports information-related
activities, whether in information security, computer security or network security. Hardware (e.g. servers
and switches), software (e.g. mission-critical applications and support systems) and confidential information
are all examples of assets. Assets should be safeguarded against unauthorised access, use, disclosure,
alteration, destruction and theft, any of which can cause loss to the organisation.

Types of asset:

• Information assets:

This category covers all information about the organisation, collected, categorised, arranged and stored in
a variety of formats. Databases hold data on customers, employees, production, sales, marketing and
finances. This information is vital to the company's success, and its confidentiality, integrity and
availability are all critical. It includes:

Data files: transactional data that records each event as it occurs.

Operational and support procedures: these have evolved over time and contain detailed instructions on how
to carry out various operations.

Archived information: old records that the organisation may be required by law to retain.

Continuity and fallback plans: prepared in advance to overcome a disaster and keep the business running.
Without them, decisions during a crisis are made ad hoc.

• Software assets:

Application software: application software implements the organisation's business rules. It takes time to
develop, and its integrity is critical, since any defect in it can damage the business.

System software: packaged software the enterprise has invested in, such as operating systems, database
management systems (DBMS), development tools and utilities, office productivity suites and so on.

• Physical assets: the visible, tangible items, which include:

Computer hardware: mainframes, servers, desktop computers and laptops.

Communication equipment: modems, routers, EPABXs and fax machines.

Storage media: magnetic tapes, disks, CDs and DATs.

Technical equipment: power supplies and air conditioners.

Fixtures and furniture.

2.2. Threat
Threat sources range from state-sponsored actors, criminal groups and competitors to lone attackers and
insiders within your own organisation. Their motives include financial or political gain, commercial or
government espionage, and military advantage.

A threat is any circumstance or event with the potential to harm a system, or the organisation as a whole,
by exploiting a vulnerability. Threats are commonly classified into three types:

• Natural hazards, such as floods, storms and tornadoes.

• Unintentional threats, such as an employee deleting the wrong data.

• Intentional threats, such as spyware, malware and adware, or the actions of a disgruntled employee.

2.3. Threat identification procedure


Every IT environment is distinct. Some threats belong to the broad set that affects every firm with a
public-facing web portal; others are specific to the organisation. Threat identification therefore starts
from a thorough understanding of the organisation's structure and activities, and then proceeds through:

• Analysing and understanding the threat portfolio unique to the firm and its operations.
• Prioritising the assessment of the system's vulnerabilities.

• Determining how particular threat actors or behaviours could exploit those vulnerabilities.

• Producing a full report of the results so that the firm can carry out risk management activities in advance.

3. List risk identification steps


A security risk assessment identifies, evaluates and implements the key security controls for an application.
It is also concerned with preventing application security flaws and vulnerabilities. A risk assessment lets
an organisation examine its application portfolio holistically, from the perspective of an attacker, and
helps managers make informed decisions about resource allocation, tools and security control
implementation. Completing an assessment is therefore an essential part of an organisation's risk
management strategy. (adserosecurity, n.d.)

The depth of a risk assessment is affected by factors such as the organisation's size, growth rate, resources
and asset portfolio. When constrained by money or time, organisations may conduct generalised assessments.
These, however, do not always give a thorough mapping between assets, the threats to them, the identified
risks, their impact and the mitigating controls.

The risk assessment procedure:

3.1. Identification
Determine all of the technological infrastructure's important assets. Next, examine the sensitive data
generated, held, or sent by these assets. Make a risk profile for each one.

3.2. Assessment
Implement a strategy for assessing the identified security threats for important assets. Determine ways to
effectively and efficiently deploy time and resources to risk reduction after comprehensive review and
assessment. The assessment technique or strategy must examine the relationship between assets, threats,
vulnerabilities, and mitigating controls.
3.3. Mitigation
Define a risk mitigation strategy and implement security measures for each risk.

3.4. Prevention
Implement tools and practices to reduce the likelihood of threats and vulnerabilities occurring in your firm's
resources.

4. Review risk assessment procedures in an organization


The risk identification and management process consists of five key stages: risk identification, risk
analysis, risk evaluation, risk treatment and risk monitoring.

• Risk Identification: determining what, where, when, why and how something could impair the company's
capacity to function. For example, a company in central California would list "the likelihood of wildfire"
as an event that could disrupt operations.

• Risk Analysis: determining the likelihood that each risk event will occur and its probable consequences.
Continuing the wildfire example, safety managers might examine how much rain fell in the previous 12 months
(likelihood) and the damage the organisation would suffer if a fire broke out (consequence).

• Risk Evaluation: assessing the magnitude of each risk and ranking the risks by likelihood and consequence.
For example, the consequences of a potential wildfire may be weighed against those of a potential mudslide;
whichever event is judged more likely to occur and cause harm ranks higher.

• Risk Treatment (also known as risk response planning): based on the evaluated level of each risk,
mitigation techniques, preventive measures and contingency plans are developed. For the wildfire, risk
managers may decide to keep spare network servers offsite so that business can continue even if an onsite
server is destroyed, and the risk management team may also develop employee evacuation plans.
• Risk Monitoring: a continuous process that adjusts and develops over time. Repeating the procedure and
monitoring the results continuously helps ensure that both known and newly emerging risks are covered.
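The five stages above, together with the Risk = Threat x Vulnerability x Consequence formula from section 1, carried through in code as a small risk register. This is an added example, not part of the assignment or of any source it cites; the assets, the 1-5 scoring scale and the treatment thresholds (60, 20, 8) are assumptions chosen for illustration, since standards such as ISO 27005 leave the scale and bands to the organisation.

```python
"""Added example, not part of the assignment: a minimal risk register that
applies Risk = Threat x Vulnerability x Consequence and walks through the
five stages (identify, analyse, evaluate/rank, treat, monitor).
All assets, scores and treatment bands are constructed for illustration."""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # each factor is scored 1 (low) to 5 (high)


@dataclass(frozen=True)
class Risk:
    asset: str
    event: str
    threat: int          # likelihood that the threat source acts
    vulnerability: int   # how exposed the asset is to that threat
    consequence: int     # business impact if the event succeeds
    controls: tuple = () # treatments applied so far (residual-risk trail)

    def __post_init__(self):
        for name in ("threat", "vulnerability", "consequence"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be scored 1..5")

    @property
    def score(self) -> int:
        # Risk analysis: ordinal product in 1..125, used only to rank risks
        return self.threat * self.vulnerability * self.consequence


def treatment_band(score: int) -> str:
    """Risk evaluation: map a score to an action.  The thresholds are an
    assumed organisational policy, not a value from any standard."""
    if score >= 60:
        return "mitigate now"
    if score >= 20:
        return "mitigate (planned)"
    if score >= 8:
        return "monitor"
    return "accept"


def rank(register):
    """Highest score first; ties broken by consequence (worst impact first)."""
    return sorted(register, key=lambda r: (r.score, r.consequence), reverse=True)


def treat(risk, control, *, vulnerability=None, consequence=None):
    """Risk treatment: a control lowers exposure and/or impact.  The control is
    recorded so the residual score is traceable to what produced it."""
    return replace(
        risk,
        vulnerability=risk.vulnerability if vulnerability is None else vulnerability,
        consequence=risk.consequence if consequence is None else consequence,
        controls=risk.controls + (control,),
    )


def report(register):
    """Risk monitoring view: (asset, score, band, controls), highest first."""
    return [(r.asset, r.score, treatment_band(r.score), list(r.controls))
            for r in rank(register)]


# Risk identification: a constructed register for a small company
REGISTER = [
    Risk("customer database", "SQL injection via public web portal", 4, 4, 5),
    Risk("HR file share", "ransomware delivered by phishing", 4, 3, 4),
    Risk("office printers", "confidential printouts left in the tray", 2, 3, 2),
    Risk("primary data centre", "regional wildfire", 1, 2, 5),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
    # Treat the top risk: parameterised queries remove most of the exposure,
    # so the vulnerability factor drops from 4 to 1 and the score from 80 to 20.
    treated = treat(REGISTER[0], "parameterised queries + WAF", vulnerability=1)
    print(treated.score, treatment_band(treated.score))
```

The wildfire entry shows why the product matters: its likelihood is the lowest in the register but its consequence is the highest, so it still lands in the "monitor" band rather than being accepted outright.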

II - Explain data protection processes and regulations as applicable to an organisation (P6)

1. Data protection
Data protection is the process of preventing critical information from being corrupted, compromised, or lost.
As the quantity of data generated and saved continues to expand at unprecedented rates, the need for data
protection grows. There is also minimal tolerance for downtime, which might make access to critical
information impossible. As a result, ensuring that data can be recovered rapidly after corruption or loss is
an important aspect of a data protection strategy. Data protection also includes safeguarding data against
compromise and preserving data privacy. (Crocetti, n.d.)

Figure 1: Data protection


Methods of data protection:

• Data protection may be accomplished with storage technologies such as disk or tape backup, which copies
selected data to a disk-based storage array or a tape cartridge device so that it is safely kept. Mirroring
creates an exact, continuously synchronised copy of a volume or file set so that it remains accessible from
another location. Storage snapshots record a set of pointers to the data on disk at a point in time, allowing
much faster recovery, while continuous data protection (CDP) captures every change to the data as it is made.

2. Data protection process in an organization


2.1. Data Loss Prevention (DLP)
Data loss prevention is the practice of detecting and preventing breaches, exfiltration or deletion of
sensitive data. Organisations use DLP to protect and secure their data while still complying with regulatory
requirements.

The term covers both data loss and data leakage. Data loss is an event in which critical corporate data is
destroyed or made unavailable, for example by a ransomware attack. Data leakage is the transfer of data
outside the corporate boundary without authorisation; DLP tooling focuses mainly on preventing the latter,
typically by inspecting content at the e-mail gateway, web proxy and endpoint and blocking or quarantining
anything that matches a sensitive-data pattern.

Organizations typically use DLP to:

• Protect Personally Identifiable Information (PII) and comply with relevant regulations

• Protect Intellectual Property critical for the organization

• Achieve data visibility in large organizations

• Secure mobile workforce and enforce security in Bring Your Own Device (BYOD) environments

• Secure data on remote cloud systems
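The content-inspection step that a DLP gateway applies to outbound mail or uploads, as an added example that is not part of the assignment. It looks for payment-card numbers, validated with the Luhn checksum so that order numbers and phone numbers do not trip it, and for e-mail addresses, then decides whether the message may leave the corporate boundary. The sample messages, the allowed domain `example.com` and the block/quarantine/allow policy are all constructed assumptions.

```python
"""Added example, not part of the assignment: a small outbound-content DLP
check.  Finds Luhn-valid card numbers and e-mail addresses, returns masked
findings, and decides block / quarantine / allow.  Samples are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Never log the full value; keep the last few characters for triage."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(text: str):
    """Return findings for one message: dicts with 'kind' and 'masked'
    (plus 'domain' for e-mail addresses).  No raw sensitive value is kept."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # Luhn-invalid runs of digits are order/ticket IDs, not cards
            findings.append({"kind": "card", "masked": mask(digits)})
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append({"kind": "email",
                         "masked": local[0] + "***@" + domain,
                         "domain": domain.lower()})
    return findings


def policy_decision(text: str, allowed_domains=("example.com",)) -> str:
    """block: any card number; quarantine: third-party e-mail address
    (personal data about someone outside the company); allow otherwise."""
    findings = scan(text)
    if any(f["kind"] == "card" for f in findings):
        return "block"
    if any(f["kind"] == "email" and f["domain"] not in allowed_domains
           for f in findings):
        return "quarantine"
    return "allow"


# Constructed outbound messages.  4111 1111 1111 1111 is the standard Visa
# test number (Luhn-valid); 1234 5678 9012 3456 is Luhn-invalid.
SAMPLES = {
    "card": "Hi, please charge my card 4111 1111 1111 1111, exp 09/27. Thanks, Alice",
    "order": "Your order 1234 5678 9012 3456 has shipped.",
    "pii": "Forwarding the CV of bob.nguyen@gmail.com as discussed.",
    "internal": "Meeting moved to 3pm, ping alice@example.com if late.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:9s} -> {policy_decision(msg):10s} {scan(msg)}")
```

The Luhn check is what separates a usable rule from a noisy one: without it, every 16-digit order number would be blocked and users would quickly route around the control.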


2.2. Encryption & Pseudonymization
Pseudonymization is defined as "the processing of personal data in such a manner that the data can no longer
be ascribed to individual data subjects without the use of extra information" (GDPREU.org). In practice the
identifying field is replaced with a token, for example a keyed hash or a surrogate identifier, and the extra
information needed to reverse the mapping (the key or the lookup table) is stored separately under its own
access controls. Pseudonymization is distinct from, and usually combined with, encryption: field-level
encryption in databases, encryption of complete data stores at rest, and encryption of data in transit and
in use.

The GDPR names pseudonymization and encryption as "appropriate" technical measures (Article 32) but does not
mandate them. If a security incident happens, however, investigators and supervisory authorities will look at
whether the firm responsible for the breach had adopted these sorts of technical controls.
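Pseudonymization with a keyed hash, as an added example that is not part of the assignment or of the cited source. The key is the "extra information" the definition refers to and must live apart from the dataset; because the mapping is deterministic, records can still be joined on the token. The second half shows why an unkeyed hash is not pseudonymization: anyone with a list of plausible values can reverse it. The records, e-mail addresses and key are constructed for illustration.

```python
"""Added example, not part of the assignment: HMAC-SHA-256 pseudonyms for
identifying fields, contrasted with an unkeyed hash that a dictionary
attack reverses.  Records and key are constructed."""
import hashlib
import hmac
import secrets


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic token for one identifier; recomputable only with `key`."""
    canonical = value.strip().lower().encode()  # normalise so joins still line up
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def naive_hash(value: str) -> str:
    """What many systems do instead: an unkeyed hash.  For contrast only."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields=("email", "national_id")) -> dict:
    """Replace identifying fields with tokens; leave the analytic fields intact."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = pseudonym(str(out[f]), key)
    return out


def reidentify(token: str, candidates, fn):
    """Dictionary attack: recompute fn() over guessable values and compare.
    Succeeds against naive_hash, fails against pseudonym() without the key."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


# Constructed data.  In production the key is held in a secrets manager or
# HSM with access control separate from the pseudonymised dataset.
KEY = secrets.token_bytes(32)
RECORDS = [
    {"email": "Alice.Nguyen@example.com", "national_id": "079123456789", "age": 34, "dx": "E11"},
    {"email": "bob@example.com", "national_id": None, "age": 51, "dx": "I10"},
]
# A leaked employee e-mail list, as an attacker might obtain one
CANDIDATES = ["alice.nguyen@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for r in RECORDS:
        print(pseudonymise_record(r, KEY))
    target = "alice.nguyen@example.com"
    print("naive hash reversed to:", reidentify(naive_hash(target), CANDIDATES, naive_hash))
    print("keyed token reversed to:", reidentify(pseudonym(target, KEY), CANDIDATES, naive_hash))
```

Rotating the key produces a fresh set of tokens, which is useful when a dataset is shared with a new third party but also breaks joins with earlier extracts, so key lifetime is a policy decision, not just a technical one.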

2.3. Third-party management


Third-party management refers to the process by which businesses monitor and manage interactions with all
external parties with whom they have a relationship, contractual or not. It is done largely to assess the
ongoing behaviour, performance and risk that each third-party relationship represents to the corporation.
Areas monitored include supplier and vendor information management, corporate and social responsibility
compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance,
information security (infosec) compliance, performance measurement and contract risk management.
Third-party risk management gained prominence in 2013 when the US Office of the Comptroller of the Currency
required all the banks it regulates to monitor the risk of all their third parties.

3. Why are data protection and security regulation important?


First, the goal of personal data protection is to protect people's fundamental rights and freedoms in
relation to their data, not simply the data itself. Protecting personal data properly ensures that those
rights and freedoms are not compromised. For example, inaccurate processing of personal data may result in a
person being passed over for a job or, worse, losing their current employment.
Second, failing to comply with personal data privacy standards can lead to far worse consequences, such as
the emptying of a person's bank account or a life-threatening situation caused by altered health records.

Third, data protection rules are required to ensure fair and consumer-friendly commerce and service
provision. Personal data protection legislation creates a system in which, for example, personal data cannot
be freely traded, giving consumers more control over who makes them offers and what kind of offers they
receive.

III - Design a suitable security policy for an organisation, including the main components of an organisational disaster recovery plan (P7)

1. Define and discuss a security policy


A security policy is a written document that outlines how a corporation intends to secure its physical and
information technology (IT) assets. Security policies are living documents that are updated and modified as
technology, vulnerabilities and security needs evolve. A company's security policy may include an acceptable
use policy, which states how the organisation intends to educate its staff about protecting its assets. It
also describes how security measures will be implemented and enforced, and defines a method for reviewing
the policy's effectiveness so that required adjustments are made. (Ben Lutkevich, n.d.)
Figure 2: Security policy

Security policies are crucial because they safeguard an organization's physical and digital assets.

They identify all of the company's assets as well as any risks to those assets.

• Physical security rules are designed to safeguard a company's physical assets, such as buildings and
equipment, including computers and other IT equipment. Data security rules safeguard intellectual property
and personal data from costly incidents such as data breaches and data leaks.

Physical security rules safeguard an organization's physical assets, which include buildings, cars,
inventories, and machinery. IT equipment such as servers, computers, and hard drives are examples of these
assets.

IT physical asset protection is very critical since physical equipment carry firm data. If a physical IT asset
is compromised, the data it stores and manages is jeopardized. To keep firm data safe, information security
policies rely on physical security standards.
Why Should Security Policies Be Implemented?

Security incidents are inevitable, and when one happens critical decisions and defensive actions must be
taken quickly and accurately. A security policy specifies what must be done to safeguard data kept on
computers. A well-written policy defines the "what" so that the "how" can be designed, assessed and evaluated
against it.

Without a security policy, a company faces the outside world with no agreed baseline. Note that in order to
define your policy requirements you must first perform a risk assessment, which may require the organisation
to define levels of sensitivity for information, processes, procedures and systems.

2. Give an example for each of the policies


2.1. Firewall Rules Policy:
When a host connects to an unsecured, open network such as the Internet, it is exposed to attack. Placing
firewalls at the connection points is one of the most effective defences against exploitation from an
untrusted network, and is essential for protecting private networks and communication facilities.

Figure 3: Firewall Rules Policy


The rules and their enforcement depend on the kind of firewall and on how the protected resource is
deployed, for example:

• For access to a dedicated server, an application-proxy firewall placed between the remote user and the
server terminates the client connection on the proxy and conceals the server's identity.

• If traffic only needs to be filtered on source and destination IP address and port, a packet-filtering
firewall is sufficient and has the lowest overhead, so it costs the least throughput.

• A stateful inspection firewall keeps a connection (state) table and admits only packets that belong to an
established or legitimately initiated connection. It costs a little more than stateless filtering but blocks
spoofed replies that a stateless filter would pass.

• NAT complements the firewall by hiding the internal address space from the outside, but it is not a
defence against DDoS or SYN-flood attacks on its own; SYN cookies and rate limiting on the firewall or the
server are the controls for those.

• Packet filtering gives finer control than simply blocking a whole IP address from talking to your server:
rules can match on protocol, port and direction. Rules are evaluated in order, the first match wins, and the
rule set must end with an explicit default-deny rule so that only the listed exceptions are allowed.
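How a packet-filtering rule set of the kind described above is actually enforced, as an added example that is not part of the assignment: first matching rule wins, an explicit default-deny rule closes the list, and a policy check flags rules that can never fire because an earlier, broader rule already covers them (the usual reason a deny rule "is there" yet the traffic still gets through). The addresses are RFC 5737 documentation ranges and the rule set, network names and packets are constructed for illustration.

```python
"""Added example, not part of the assignment: a stateless packet-filter
evaluator with first-match semantics, default deny, and a shadowed-rule
check.  Networks and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR
    dst: str         # CIDR
    dport: int = 0   # 0 = any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule, pkt) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (0, pkt.dport))


def decide(rules, pkt) -> str:
    """First-match semantics; anything that falls off the end is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implicit default deny, even if the last rule was forgotten


def covers(broad, narrow) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (broad.proto in ("any", narrow.proto)
            and ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(broad.src))
            and ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(broad.dst))
            and broad.dport in (0, narrow.dport))


def shadowed(rules):
    """Policy check: rules that can never fire because an earlier rule covers them."""
    return [later for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


INTERNET = "0.0.0.0/0"
DMZ_WEB = "192.0.2.10/32"
MGMT = "198.51.100.0/28"
LAN = "10.0.0.0/8"

POLICY = [
    Rule("allow", "tcp", INTERNET, DMZ_WEB, 443, "public HTTPS to the web server"),
    Rule("allow", "tcp", MGMT, LAN, 22, "SSH into the LAN only from the management subnet"),
    Rule("deny", "tcp", LAN, LAN, 23, "no telnet inside the LAN"),
    Rule("deny", "any", INTERNET, INTERNET, 0, "default deny"),
]
# Same rules with a broad "trust the LAN" allow put first: the telnet deny is shadowed
BAD_ORDER = [Rule("allow", "any", LAN, LAN, 0, "trust the LAN")] + POLICY

if __name__ == "__main__":
    telnet = Packet("tcp", "10.1.1.5", "10.2.2.2", 23)
    print("policy   :", decide(POLICY, telnet))      # deny
    print("bad order:", decide(BAD_ORDER, telnet))   # allow
    for r in shadowed(BAD_ORDER):
        print("shadowed :", r.comment)
```

The `shadowed()` check is the kind of review a firewall change-control process should run before a rule set is pushed; in production the same idea is applied by tools that analyse exported rule bases.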

2.2. Intrusion Prevention policy


This policy configures the intrusion prevention system to identify and block network and browser attacks
automatically, and to shield applications from exploitation of known vulnerabilities. It inspects the contents
of one or more packets and detects malicious payloads inside traffic that the firewall has legitimately
allowed through.
Figure 4: Intrusion Prevention policy

2.3. Secure Communication Policy


Unencrypted data passing through network devices such as switches and routers is subject to many attacks,
including spoofing, SYN flooding, sniffing, data manipulation and session hijacking. Although you have no
control over the devices your traffic transits, you can protect the data itself by encrypting it end to end.
Protocols such as TLS (the successor of SSL, which is now deprecated), IPsec, PGP and SSH can protect the
common application protocols, for example HTTP (as HTTPS), POP3 and IMAP (wrapped in TLS), and FTP (as FTPS,
or replaced by SFTP over SSH). TLS sessions pass through firewalls, NAT devices and other network equipment
with no special handling beyond opening the appropriate ports, and the policy should require certificate
validation and a minimum protocol version of TLS 1.2 on every endpoint.
Figure 5: Secure Communication Policy
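What the requirements in a secure communication policy look like once they are turned into checkable client settings, as an added example that is not part of the assignment. It uses Python's standard `ssl` module to build a weak client context (certificate checks off, legacy protocol versions negotiable) and a hardened one, with an audit function that reports which policy requirements a context violates. No network connection is made; the cipher string and the wording of the findings are assumptions for this example.

```python
"""Added example, not part of the assignment: a weak and a hardened TLS
client context side by side, and an audit that reports policy violations.
Builds contexts only; no connection is opened."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Meets the policy: verify the server, hostname match, TLS 1.2+, AEAD only."""
    ctx = ssl.create_default_context()          # system CA store, CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward secrecy (ECDHE) and AEAD ciphers only; TLS 1.3 suites are always AEAD
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'it works now' anti-pattern: trusts any certificate, any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE             # an on-path attacker can now impersonate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the policy violations found in a context; empty list = compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 (or SSL) still negotiable")
    non_aead = [c["name"] for c in ctx.get_ciphers() if not c.get("aead", False)]
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead[:3]))
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()) or "compliant")
    print("weak    :", audit(weak_client_context()))
```

The same checks can be run against any `SSLContext` an application builds, which makes them a cheap unit test for "does this service still meet the communication policy after the last refactor".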

2.4. Live Update policy


This policy has two parts: the LiveUpdate Content Policy and the LiveUpdate Settings Policy (the names
used by Symantec Endpoint Protection). The LiveUpdate Settings Policy contains the parameters that control
when and how client computers get LiveUpdate content updates: which server the clients contact to check for
updates, and when and how frequently they check. The LiveUpdate Content Policy controls which types of
content (such as definitions and engine updates) the clients download.
Figure 6: LiveUpdate policy

3. Give the must and should that must exist while creating a policy
• Make certain that there is a policy on policies.

A basic policy on policies that specifies the organization's procedure for developing new policies is an
important initial step in policy maturation. This "meta policy" should include instructions on what conditions
necessitate the creation of a new policy, the structure for new policies, and the approval procedure for new
policies. Without a policy development process and structure, you risk severe variation in results and
inconsistency in creation, which can lead to poor or difficult enforcement.
• Determine whether there is any overlap with existing policies.

This one is straightforward. Check to determine whether the policy you intend to write already exists or if
pieces of it exist in other policies before creating a new one. If this is the case, consider tweaking current
policies rather than developing whole new ones.

• Policy should not be created in a vacuum.

Policies, in my opinion, should be designed with input from the people who will be affected by them. While
the final policy may not reflect every perspective, it is critical that all stakeholders are heard in order to
reduce the possibility of unexpected consequences. Furthermore, policies must be thorough, and different
perspectives help to fill any holes that may emerge.

• Take a step back and assess the situation.

Is it your intention to create a policy because one is required, or because someone did something you didn't
like? There is a significant difference, and I have seen policies implemented out of spite and retaliation.
Obviously, such behavior would not occur in a rational company. However, it will not happen in a company
that has a tight policy on policies, since the policy will normally go through numerous layers of approval,
and somewhere along the road, someone will stand back and ask, "Why do we need this?"

• Allow for some grayscale.

Because policies are designed to produce egalitarian circumstances, this is the argument that may face the
most criticism. However, I feel that certain policies should leave some ambiguity in order for individuals to
make judgments. That is not to suggest that the policy should just let individuals to do anything they want,
but there appear to be far too many occasions when people are allowed to use "that's policy" or "zero
tolerance" excuses to avoid doing the right thing.

• When feasible, keep top executives out of the routine.

I have stressed the need to define an exceptions mechanism for policies. In one organisation I worked for,
that was the CEO's responsibility, which was frankly a waste of his time. The exceptions procedure should
enable someone inside the business to handle exceptions; except where required by rule or law, the designated
individual does not need to be a VP or the CEO. Also, do not expect top executives to create every policy.
The leadership team should, however, be in charge of reviewing new policies before they go into effect.

4. Explain and write down elements of a security policy, including the main components of an organisational
disaster recovery plan

A security policy may be as comprehensive as you want it to be, but it must be enforced in its entirety,
covering everything from IT security to the protection of the connected physical assets. The following list
contains some critical elements to consider while building an information security policy.

Purpose:

• Create a comprehensive information management plan.

• Detect and prevent information security breaches involving networks, data, applications and computer
systems.

• Maintain the organisation's reputation while meeting its ethical and legal obligations.

• Respect customer rights, including how to respond to non-compliance inquiries and complaints.

Audience: Define the security group to which the Security Policy applies. You can also define which
audiences are not covered by the policy (for example, personnel in another business unit that controls
security independently may not be covered by the policy).

Information security objectives:

• Individuals with access to data and information assets must maintain confidentiality.

• Data should be intact, correct, and complete, and IT systems should be kept operational.

• Users should be able to access information or systems if necessary.

Authority and access control policy:

• Access should follow the organisational hierarchy: a senior manager may be authorised to decide what data
is shared and with whom, while a junior employee is not, and the security rules each must follow differ
accordingly. The policy should define the level of authority over data and IT systems for each
organisational role.

• Users may access corporate networks and servers only through unique logins that require
authentication, such as passwords, biometrics, ID cards, or tokens. Monitor all systems and log every
login attempt, successful or not.

Data classification: The policy should categorize data into categories such as "top secret," "secret,"
"confidential," and "public." Your goal in categorizing data is to:

• guarantee that sensitive material is not accessible to those with lesser clearance levels;

• secure very important data while avoiding unnecessary security procedures for inconsequential data.
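The two policy elements above, role-based authority over data and the four classification categories, reduce to a single rule: a role may read an asset only when its clearance is at or above the asset's label, and every request is logged. The Python below is an added example, not part of this assignment; the role names, clearance mapping and asset labels are constructed sample values.

```python
from enum import IntEnum

# The four categories named in the policy, ordered from least to most sensitive.
class Classification(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Constructed sample mapping of organizational roles to clearance levels;
# in practice the policy itself defines each role's authority over data.
ROLE_CLEARANCE = {
    "junior_employee": Classification.CONFIDENTIAL,
    "senior_manager": Classification.SECRET,
    "ciso": Classification.TOP_SECRET,
}

# Constructed sample labels, i.e. the data classification applied to assets.
DATA_LABELS = {
    "press_release.txt": Classification.PUBLIC,
    "payroll.xlsx": Classification.CONFIDENTIAL,
    "merger_plan.docx": Classification.SECRET,
    "incident_report.pdf": Classification.TOP_SECRET,
}

def can_read(role: str, asset: str) -> bool:
    """Allow access only when clearance >= label. Unknown roles and unlabelled
    assets are denied: data must not default to 'public' because nobody labelled it."""
    clearance = ROLE_CLEARANCE.get(role)
    label = DATA_LABELS.get(asset)
    if clearance is None or label is None:
        return False
    return clearance >= label

def access_request(role: str, asset: str, audit_log: list) -> bool:
    """Evaluate a request and record the decision; the policy requires that
    every attempt be logged, not only the successful ones."""
    allowed = can_read(role, asset)
    audit_log.append(f"{'ALLOW' if allowed else 'DENY'} role={role} asset={asset}")
    return allowed

if __name__ == "__main__":
    log = []
    access_request("junior_employee", "payroll.xlsx", log)      # ALLOW
    access_request("junior_employee", "merger_plan.docx", log)  # DENY: reading above clearance
    access_request("contractor", "press_release.txt", log)      # DENY: role not in the policy
    print("\n".join(log))
```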

Data support and operations:

• Data security legislation – systems that hold personal or sensitive data must be safeguarded in accordance
with operational guidelines, best practices, industry enforcement requirements, and relevant regulations.
Security requirements include encryption, firewalls, and antivirus protection.

• Data backup – encrypt backups in accordance with industry best practices. Store backup media securely, or
migrate backups to secure cloud storage.

• Data movement – transfer files only over secure protocols. Encrypt all information copied to portable
devices or sent over a public network.

Security awareness and behavior:

• Social engineering – emphasize the hazards of social engineering attacks (such as phishing emails).
Employees should be held accountable for detecting, preventing, and reporting such attacks.

• Clean desk policy – use a cable lock to secure computers. Documents that are no longer needed should be
shredded. Keep printer areas tidy so that printed papers do not fall into the wrong hands.

• Acceptable Internet usage policy – define how Internet use should be regulated. Do you allow YouTube
and other social media websites? Using a proxy, you can block undesirable websites.

Responsibilities, rights, and duties of personnel: Appoint personnel to perform user access reviews, training,
change management, incident management, security policy execution, and periodic updates. These
responsibilities should be clearly specified as part of the security policy.

5. Give the steps to design a policy


Step 1: Determine the problem:

The first stage in policy design is to formulate the problem to be addressed in order to legitimize it as a
community-wide concern. Typically, the public raises a problem in response to a need or a gap in service
delivery. The investigation of current policies to identify how they have dealt with the problem/issue to date
is therefore a useful starting point. Furthermore, identifying the stakeholders and actors affected by the issue
aids in understanding the magnitude of the problem and who to involve in collaborative problem-solving.

Figure 7: Determine the problem

Step 2: Problem Formulation

Once the problem has been recognized, the hypotheses have been proven, and the goals and objectives have
been determined and discussed with the greater community, policy formulation may begin. Policy
formulation seeks to identify and mobilize a set of solution alternatives in connection to the issue, with the
goal of determining which option is best suited to handle the problem in light of available resources and
current restrictions. The creation of scenarios (both written and visual) can aid in the comprehension and
development of alternate methods and actions.

Figure 8: Problem Formulation

Step 3: Scenario Evaluation

Once scenarios are created to reflect several policy alternatives for dealing with the identified problem, the
optimal option in terms of strategies and actions may be selected. Scenario analysis also includes the
(re)tuning of current policy actions, which is done through short experiments (pilot tests) and public debate.
On-the-ground experiments often aim to test various solutions on a small scale in order to determine
potential implications, which may be a time-consuming and costly operation. In many circumstances, it may
be possible to simulate visualisations for various policy alternatives in order to investigate the implications
digitally.

Figure 9: Scenario Evaluation

Step 4: Make a decision

To make a decision, a clear description of the problem, the policy and its scenario, and public acceptance of
the policy must be prepared for presentation and discussion within the public unit accountable for the
decision. The process narrative is relevant to the decision: how the problem was explored, how data was
collected and used, how goals and objectives were identified and translated into strategies and actions, how
impacts were simulated and computed, why some options were preferred over others, and what the public's
contribution to the entire process was. Once a decision has been made, the policy is ready for
implementation.

Figure 10: Make a decision

IV - Discuss the roles of stakeholders in the organisation in implementing security audits (P8)

1. Define stakeholders

Business continuity refers to an organization's capacity to keep vital functions running during and after a
crisis. Business continuity planning sets risk management methods and procedures with the goal of
preventing disruptions to mission-critical services and re-establishing full organization operation as fast and
easily as feasible. The most fundamental requirement for business continuity is to maintain critical functions
operational during a crisis and to recover with as little downtime as possible. Natural catastrophes, fires,
disease outbreaks, cyberattacks, and other external hazards are all included in a business continuity strategy.
(Sullivan, n.d.)

Figure 11: Business continuity

Business continuity is critical for firms of all sizes, but it may not be feasible for any but the largest
enterprises to sustain all services during a crisis. Many experts believe that the first stage in business
continuity planning is determining which operations are critical and allocating the available funds
appropriately. Administrators can implement failover solutions after critical components have been
identified.

Digital business interruptions are caused by a range of situations. Just because you are not at risk of a
particular apocalyptic calamity does not mean that countless other incidents cannot knock you offline:

• Disasters: Natural and Local

• Network Disruptions

• Cybersecurity

• Human error

2. What are their roles in an organization?

Plan of communication and role allocations

• When dealing with a disaster, communication is essential. A strategy is vital because it guarantees that all
employees are on the same page and that all correspondence is clearly defined.

• Employee contact information should be updated in documentation, and staff should understand their
responsibilities in the days after the incident. If you don't have any type of technological equipment to assist
you sort everything out, duties like setting up workstations, analyzing damage, diverting phones, and other
activities would be required.

Make a plan for your equipment.

• When a large storm is approaching, it is critical that you have a strategy in place to safeguard your
equipment. All equipment must be taken off the floor, relocated to a room with no windows, and securely
wrapped in plastic so that no water can reach it. Clearly, completely sealing equipment is the best way to
protect it from flooding, but in many cases of severe flooding this is not practical.

Backup verification

• As part of your disaster preparation approach, ensure that your backup works and that you conduct an extra
full local backup on all servers and data. Run them as far in advance as feasible, and make sure they are
backed up to a place that will not be affected by the disaster. It's also a good idea to have your backup on an
external hard drive that you can carry with you if something goes wrong, just in case.

Plan for vendor communication and service restoration

• After a storm, you'll want to keep running as quickly as possible. As part of your plan, make sure you
provide contact information for vendors. Check with your local power provider to determine the risk of
power spikes or outages while the region is being fixed. You should also check with your phone and internet
providers for repair and access.

System of data continuity

• When developing a recovery strategy for a catastrophe, you should consider what the business requires
in order to function. You must understand the organization's operational, economic, supply, and
communication requirements. Whether you're a large consumer business that needs to fulfill shipments and
communicate with customers about those shipments, or a small business-to-business organization with
multiple employees, you should document your needs so that you can make backup and business continuity
plans and have a complete understanding of the needs and logistics surrounding those plans.

3. Define security audit and state why you need it

Step 1. Form a team for disaster recovery and contingency planning.

The first stage is to choose the members of your contingency planning team.

You'll need a solid mix here, so look for people who can bring a range of viewpoints on the company's
weaknesses to the table. Include representatives from all of your company's major departments, including
HR, facilities, and top-level executives.

Step 2. List all names and contact information.

Next, make a list of all workers' names, as well as all ways of communication for each one, and keep it up
to date. You may need to retrieve this information fast, so it must be correct. Personal and professional
contact information should be included in communication.

Step 3. Establish a command structure.

A system disaster is an extremely stressful situation. This implies that a clear chain of command and
authority must be established ahead of time to ascertain who is in control if and when important employees
go missing.

During a crucial crisis, this will assist your whole team realize who is in command in the pandemonium that
may erupt following a calamity.

Step 4. Think about your risk assessment

Preparation is everything when developing a disaster recovery strategy. So look over as many potential
disaster scenarios as you can and make a list of things that may go wrong. Then examine how each of those
scenarios might impact your main business, income sources, customer service, and staff.

Step 5. Do you have a backup plan?

Your 'Strategy B' planning is when you consider what will happen if your primary disaster recovery plan is
rendered ineffective.

Step 6. Safeguard your company's data

Data loss may have a significant impact on your company. Data protection and recovery are critical
components of any disaster recovery plan, so keeping them up to date will result in strong business
continuity.

Step 7. Test, test, and test some more!

We recommend that you conduct frequent testing drills to ensure that your new disaster recovery strategy is
functional. And scheduling frequent recovery simulations assures that your systems are operational before
the CEO – and your customers – notice!

4. Recommend the implementation of security audit to stakeholders in an organization

4.1. Policies for business continuity

a) Critical Functions

Critical functions are those that are necessary to life, health, safety and security of the campus community.
These functions must continue at a normal or increased level during an incident. The life, health, safety and
security functions will never close and will always require people on campus.

b) Disaster Recovery (DR) / Disaster Recovery Plans

DR plans usually refer to specialized planning for computer and IT systems, including plans for restoring
critical IT services and equipment. This is a specialized sub-group of business continuity planning.

c) Emergency Operations Plan (EOP)

For the purpose of this policy, the term EOP also refers to the university's Comprehensive Emergency
Management Plan (CEMP).

d) Business Continuity Plan (BCP)

A BCP is a document that offers instructions and recovery steps for a given function or process over a defined
period of time. It is written in sufficient detail so that the plan can be implemented with minimal delay by
those needed. This is a set of tools, activities, procedures and information created, tested and kept ready for
use in the event of a major operational disruption.

e) Business Continuity Planning

Business continuity planning is the process of developing prior arrangements and procedures that enable
VCU to respond to an interrupting event in such a manner that critical business functions can continue within
planned levels of disruption. The end result of this activity is an effective business continuity plan (BCP).

4.2. Procedures for business continuity

Many businesses must take multiple steps to create a good BCP. They are as follows:

• Business Impact Analysis: Here, the company will identify time-sensitive tasks and resources. (More on
this later.)

• Recovery: The firm must identify and undertake procedures to regain important business functions in this
section.

• Organization: It is necessary to form a continuity team. This group will design a strategy to deal with the
interruption.

• Education: The continuity staff must be educated and tested. Team members should also carry out activities
that review the plan and strategy.

References

adserosecurity, n.d. Security risk assessment. [Online]
Available at: https://www.adserosecurity.com/security-learning-center/what-is-a-security-risk-assessment/

Lutkevich, B., n.d. Security policy. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/security-policy

Crocetti, P., n.d. What is data protection and why is it important? [Online]
Available at: https://www.techtarget.com/searchdatabackup/definition/data-protection

Sullivan, E., n.d. What is business continuity and why is it important? [Online]
Available at: https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity
