Assignment 2 - Security


ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 16/4/2024 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Phung Ba Quoc Anh Student ID BH00610

Class SE06202 Assessor name Le Van Thuan

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature Anh

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:


Table of Contents
I. Introduction (p. 5)
II. Contents (p. 6)
P5. Review risk assessment procedures in an organisation (p. 6)
5.1. Define a security risk and how to do risk assessment (p. 6)
a. Define a security risk (p. 6)
b. How to do risk assessment (p. 6)
5.2. Define assets, threats and threat identification procedures, and give examples (p. 9)
a. Define assets (p. 9)
b. Define threats (p. 10)
c. Threat identification procedures (p. 11)
5.3. List risk identification steps (p. 13)
5.4. Review risk assessment procedures in an organisation (p. 14)
P6. Explain data protection processes and regulations as applicable to an organisation (p. 15)
6.1. Define data protection (p. 15)
a. Define data protection (p. 15)
b. Why is data protection important? (p. 16)
6.2. Explain data protection process and regulations in an organization (p. 16)
a. Explain the data protection process within an organization (p. 16)
b. Explain data protection regulations within an organization (p. 17)
6.3. Why are data protection and security regulation important? (p. 18)
a. Why is data protection important? (p. 18)
b. Why is security regulation important? (p. 18)
P7. Design a suitable security policy for an organisation, including the main components of an organisational disaster recovery plan (p. 18)
7.1. What is a Security Policy (p. 18)
7.2. Example for each of the policies (p. 20)
7.3. Give the must and should that must exist while creating a policy (p. 22)
a. Ensure that there is a policy on policies (p. 22)
b. Identify any overlap with existing policies (p. 22)
c. Don't develop the policy in a vacuum (p. 22)
d. Use the right words so there is no misunderstanding of intent (p. 23)
e. Policy Management Best Practices (p. 23)
7.4. Elements of security Policy (p. 23)
7.5. Disaster Recovery Plan (DRP) (p. 24)
7.6. The steps to design a policy (p. 25)
P8. Discuss the roles of stakeholders in the organisation in implementing security audits (p. 26)
8.1. Define stakeholders (p. 26)
8.2. Roles of Stakeholders in an Organization (p. 26)
8.3. Define Security Audit and State Why You Need It (p. 28)
a. Define (p. 28)
b. Why You Need It (p. 28)
8.4. Recommend the Implementation of Security Audits to Stakeholders in an Organization (p. 29)
III. Conclusion (p. 31)
IV. References (p. 32)

Table of Figures
Figure 1: Define a security risk (p. 6)
Figure 2: Define assets (p. 9)
Figure 3: Define threats (p. 11)
Figure 4: Risk identification (p. 14)
Figure 5: Data protection (p. 16)
Figure 6: Security Policy (p. 18)
Figure 7: Define stakeholders (p. 26)
I. Introduction
In the digital age, where every byte of data holds immense value, the importance of robust security measures cannot be overstated. As an IT Security Specialist at a prominent security consultancy, you find yourself at the forefront of securing the digital realms of various enterprises. The latest assignment beckons with a familiar urgency, yet is unique in its context: devising a comprehensive Security Policy for "Wheelie good", a manufacturing powerhouse nestled in the bustling streets of Ho Chi Minh City. Amidst the ceaseless hum of bicycle parts production for global markets, the specter of potential security incidents looms large, prompting the company's proactive stance. In the wake of media narratives chronicling the aftermath of security lapses within organizations, "Wheelie good" seeks not just protection but resilience against the evolving threatscape. As you embark on this pivotal endeavor, the fusion of technical expertise and strategic foresight becomes paramount in crafting a shield strong enough to secure "Wheelie good's" digital assets against any onslaught.
II. Contents
P5. Review risk assessment procedures in an organisation.
5.1. Define a security risk and how to do risk assessment.
a. Define a security risk
A security risk can be defined as any potential event, action, or circumstance that could compromise the
confidentiality, integrity, or availability of an organization's information assets or information systems.
These risks can arise from a variety of sources, including human actions, natural disasters, technical
vulnerabilities, or malicious activities. Security risks can manifest in different forms, such as unauthorized
access to sensitive data, system breaches, data theft, malware infections, or disruptions to critical
services. Identifying and assessing security risks is crucial for organizations to implement effective
security measures and mitigate potential threats to their assets and operations.[1]

Figure 1: Define a security risk

b. How to do risk assessment

The HSE has recommended a five-step process for completing a risk assessment. This provides a useful checklist to follow to ensure that the assessment is comprehensive and appropriate. It involves the following steps[1]:

Step 1. Identify potential hazards

It is important to first identify any potential workplace hazards that could harm anyone exposed to them. They may not always be obvious, so some simple steps you can take to identify hazards are:

- Observe: walk around your workplace and look for activities, tasks, processes or substances used that could harm your employees (or others)
- Look back at past accident and ill-health records, as they may identify less obvious hazards
- Check the manufacturer's data sheets, instructions and information
- Ask employees (and others) about the activities, tasks or processes they carry out

It may be useful to group hazards into five categories, namely physical, chemical, biological, ergonomic and psychological.

Step 2. Determine who could be harmed by those hazards

Next, determine who could be harmed by those potential hazards. It is also important to note how they may be affected, whether through direct or indirect contact. It is not necessary to list people by name; instead, identify groups, including:

- Workers
- Contractors

Some hazards may pose a higher risk to certain groups, including children, teenagers, new or expectant mothers, new employees, home workers and lone workers.

Step 3. Assess the severity of the risk and establish preventive measures

After identifying any hazards and who may be affected, it is important to assess the severity of the risk (if it occurs) and establish appropriate and effective control measures to reduce the level of this risk to a level that is 'reasonably practicable'. This means that everything possible is done to ensure health and safety, taking into account all relevant factors, including:

- The potential for harm to occur
- The extent of the possible harm
- Knowledge of how to eliminate, minimise or control the hazards and risks
- The availability of control measures designed to eliminate, reduce or appropriately control the hazard or risk
- The costs associated with the available control measures designed to eliminate, reduce or control the hazard or risk as appropriate

Assessing the severity of a risk requires an assessment of how likely it is to occur and how significant the consequences could be. Some factors that influence this assessment include the duration and frequency of exposure, the number of people affected, the capacity of those exposed, the type and condition of equipment, and the availability of first aid and/or emergency assistance.
Step 4. Make changes and record your findings

If the workplace has five or more individuals, the significant findings of the risk assessment must be recorded electronically or in writing. Recording your findings in a risk assessment form is an easy way to track risks and the controls put in place to mitigate them. The form records:

- The hazards that were found
- The affected person(s) or group(s)
- The controls in place to manage the risks, and who monitors them
- Who performed the assessment
- The date on which the assessment was performed

It is sensible to ensure the risk assessment is proportionate to the activity or task being undertaken; for common tasks this can often be a simple process.

Step 5. Review your assessment and reassess if necessary

Employers should periodically review and, if necessary, reassess any existing controls.

A useful guide to when you may need to review your processes is:

- After any significant change in the workplace or process in question
- After an accident or ill-health incident
- After near misses are reported

It is easy to forget to review your risk assessment, especially when you are trying to run a business. Don't wait until it is too late: set a date to review the risk assessment as you conduct it, and don't forget to put that date in your diary.

The record should also note:

- What control measures are currently in place, and information on any other control measures that may be required
- Any individual identified as being at particular risk

There is no set period of time for which you must keep a risk assessment, but it is best practice to keep it for as long as it is considered relevant to a particular task or activity.

5.2. Define assets, threats and threat identification procedures, and give examples
a. Define assets
Assets are valuable resources owned or controlled by individuals, businesses, or nations, with the
anticipation of future usefulness. They are recorded on balance sheets to enhance a company's value or
operational efficiency. These resources, ranging from manufacturing equipment to patents, have the
potential to generate cash flow, reduce expenses, or increase sales in the future.

Understanding assets involves recognizing them as financial resources or access rights not available to
others. Assets must be legally enforceable and possess the potential to increase financial inflows or
decrease cash outflows. They can be categorized into short-term (current) assets, fixed assets, financial
investments, and intangible assets.

Personal assets encompass items of current or potential worth owned by individuals or families,
including financial instruments, real estate, personal property, and investments. Calculating net worth
involves deducting liabilities from assets, where a positive net worth indicates asset value exceeding
liabilities, while a negative net worth signifies the opposite.

For businesses, assets are vital for supporting production and growth, including tangible assets like
machinery and real estate, as well as intangible assets like patents and royalties. The balance sheet
outlines a company's assets and their financing, providing insight into resource management
effectiveness. Current assets can be converted into cash within a year or operating cycle, while fixed
assets, such as vehicles and machinery, have longer useful lives and contribute to production but are less
liquid.

Figure 2: Define assets

Examples :

Cash and cash equivalents: Cash, certificates of deposit, and Treasury bills.
Marketable securities: debt-related securities or liquid equity.

Accounts receivables: Customer debt that needs to be settled soon.

Inventory: Raw resources or marketed products.

Fixed Assets:

Non-current assets, or fixed assets, are those that a business utilizes to produce goods and services and that have a longer useful life. Fixed assets are shown as property, plant, and equipment (PP&E) on the balance sheet. Fixed assets are long-term investments that are categorized as tangible assets because they are physical, touchable items.

Examples of fixed assets include:

- Vehicles (such as company trucks)
- Office furniture
- Machinery
- Buildings
- Land

Non-current assets (like fixed assets) cannot be easily converted to cash to cover immediate operational costs or investments, which is one of the two main contrasts between personal assets and corporate assets. In contrast, it is anticipated that current assets will be liquidated within one fiscal year or one operating cycle.

b. Define threats
Threats refer to potential or actual events, circumstances, or actions that have the capability to cause
harm, disruption, or damage to assets, individuals, organizations, or systems. In the context of security,
threats are often associated with risks to the confidentiality, integrity, or availability of information and
resources. These threats can arise from various sources, including human actions (such as malicious
insiders or external attackers), natural events (such as earthquakes or floods), technical vulnerabilities
(such as software flaws or misconfigurations), or other unforeseen occurrences. Understanding and
mitigating threats is essential for maintaining security and resilience in both physical and digital
environments.
Figure 3: Define threats

Examples of threats

Keep in mind that a threat is fairly broad. It does not specify how it would be accomplished or even whether it is feasible given the state of the system. Here are a few illustrations:

- A malicious user reads the files of other users.
- An attacker redirects queries made to a web server to their own web server.
- An attacker modifies the database.
- A remote attacker runs commands on the server.

Each of these examples can easily be mapped to a category in STRIDE. Other examples would be malware, trojans and worms.

c. Threat identification procedures


Threat identification procedures involve systematic processes to recognize and categorize potential
threats that could pose risks to an organization's assets, operations, or objectives. Here's an overview of
common steps in threat identification procedures:

Asset Identification: Begin by identifying and cataloging the assets within the organization that need
protection. This includes physical assets (such as buildings, equipment), information assets (such as data,
intellectual property), personnel, and other critical resources.

Threat Sources: Identify potential sources of threats that could target the identified assets. These
sources can include individuals (such as employees, contractors, or external attackers), groups (such as
hacker collectives or organized crime syndicates), natural events (such as floods or earthquakes),
technological factors (such as software vulnerabilities or hardware failures), or other external entities.

Threat Categories: Categorize threats into different types or categories based on their nature and
characteristics. Common threat categories include cyber threats (such as malware, phishing, or denial-of-
service attacks), physical threats (such as theft, vandalism, or natural disasters), human threats (such as
insider threats or social engineering), operational threats (such as supply chain disruptions or equipment
failures), and regulatory or compliance-related threats.

Threat Analysis: Analyze each identified threat to understand its potential impact on the organization's
assets and operations. Assess the likelihood of each threat occurring and the severity of its potential
consequences. Consider factors such as the vulnerability of assets, the capabilities of threat actors, and
the effectiveness of existing security controls.

Scenario Development: Develop hypothetical scenarios or use case studies to illustrate how each
identified threat could manifest and impact the organization. This helps stakeholders visualize the
potential risks and understand the need for proactive mitigation measures.

Risk Assessment: Evaluate the risks associated with each identified threat by considering the likelihood
of occurrence, the potential impact, and the organization's tolerance for risk. Prioritize threats based on
their risk levels and focus mitigation efforts on addressing the most critical or high-priority risks.

Continuous Monitoring: Establish mechanisms for ongoing monitoring and review of the threat
landscape to identify new or emerging threats. Stay informed about industry trends, security advisories,
and incident reports to adapt threat identification procedures accordingly and maintain situational
awareness.

Example: Threat identification process in a technology company

Risk Assessment:

- The process begins by performing a comprehensive risk assessment, covering aspects such as physical, network, application and personnel security.
- A team of security experts and other functions within the organization is involved in identifying potential risk factors, including consideration of potential attacks, data loss, and legal threats.

Vulnerability Scanning:

- Use automated tools to scan systems, applications, and networks to identify potential security vulnerabilities.
- Update the list of vulnerabilities and prioritize them based on severity and potential business impact.

Threat Intelligence Analysis:

- Monitor threat intelligence sources such as security bulletins, industry reports, and information from national security agencies.
- Analyze new attack trends, attack patterns, and other potential threats that may impact the organization's environment.

5.3. List risk identification steps


Step 1: Determine the context

Determining context is the first important step in the risk management process. The organization must
understand the context in which the rest of the risk management process will take place. Additionally,
the organization should establish the criteria it will use to assess potential risks and define its analytical
structure.

Step 2: Identify risks

The organization must identify potential risks that could negatively affect a specific organizational
process or project.

Step 3: Analyze risks

Once specific types of potential risks have been identified, the organization must consider how likely each potential risk is to occur and what consequences it would bring. The goal of risk analysis is to better understand each specific risk scenario and how it affects projects and business goals.

Step 4: Assess risks

Once the risk analysis is completed, a risk assessment needs to be conducted. The organization further
evaluates each potential risk after determining how likely it is that the potential risk will occur and what
consequences it will bring. This allows the company to decide whether a risk is acceptable and whether
they are willing to accept the risk.

Step 5: Handle and respond to risks

In this step, the company will review its highest ranked risks and develop a plan to mitigate these risks
using specific risk controls. Those plans include risk mitigation processes, risk prevention tactics, and
contingency plans to handle risks should they occur.
Step 6: Monitor risks

It is important to note that risk management is a continuous process and does not end when risks have
been identified and mitigated. The organization's risk management policies and plans need to be
reviewed annually to ensure the policies are always updated and appropriate.

Figure 4: Risk identification
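The procedures in 5.1 (Step 3 scoring, the Step 4 record fields, the Step 5 review triggers) and the analyse/assess/handle steps of 5.3 can be carried in a single risk register. The following Python is an added example for this assignment, not part of the original submission; the 1-5 likelihood and severity scales, the rating bands, the annual review interval, the risk appetite of 12 and every "Wheelie good" sample entry are constructed assumptions.

```python
"""Risk register for the HSE-style five-step assessment described above.

Constructed example for the fictional "Wheelie good" bicycle parts company.
The 1-5 likelihood and severity scales, the rating bands, the annual review
interval and every sample entry are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List

LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Step 5: events that require the assessment to be reviewed before its due date.
REVIEW_TRIGGERS = frozenset({"significant change", "accident or ill-health incident", "near miss"})

ASSESSMENT_DATE = date(2024, 4, 16)  # "today" for the worked run: the submission date


@dataclass
class RiskEntry:
    """One row of the Step 4 record: what was found and how it is controlled."""
    hazard: str                 # the hazard or threat that was found
    affected: List[str]         # affected groups (workers, contractors), not names
    likelihood: int             # 1..5: how likely the harm is to occur
    severity: int               # 1..5: how significant the consequences would be
    controls: List[str]         # controls in place to manage the risk
    monitored_by: str           # who monitors those controls
    assessor: str               # who performed the assessment
    assessed_on: date           # the date the assessment was performed
    review_interval_days: int = 365  # assumption: review at least annually

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError("likelihood and severity must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Step 3: severity of the risk = likelihood x consequence."""
        return self.likelihood * self.severity

    @property
    def rating(self) -> str:
        """Assumed bands on the 1..25 product: 1-4 low, 5-12 medium, 15-25 high."""
        if self.score >= 15:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"

    @property
    def review_due(self) -> date:
        """Step 5: the diary date set when the assessment was conducted."""
        return self.assessed_on + timedelta(days=self.review_interval_days)


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Rank risks so mitigation effort goes to the highest-scoring ones first."""
    return sorted(register, key=lambda r: (-r.score, -r.severity, r.hazard))


def needs_review(entry: RiskEntry, today: date, events: FrozenSet[str] = frozenset()) -> bool:
    """Step 5: review when the due date has passed or a trigger event has occurred."""
    return today >= entry.review_due or bool(events & REVIEW_TRIGGERS)


def above_appetite(register: List[RiskEntry], appetite: int = 12) -> List[str]:
    """5.3 step 4: risks scoring above the accepted level must be treated, not accepted."""
    return [r.hazard for r in register if r.score > appetite]


# Constructed sample register (illustrative hazards and scores, not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Malware infection on production-planning workstations", ["workers"], 4, 4,
              ["anti-virus", "patching", "email filtering"], "IT operations",
              "IT Security Specialist", date(2024, 3, 1)),
    RiskEntry("Unauthorized access to customer order data", ["workers", "contractors"], 3, 5,
              ["role-based access", "access logging and review"], "Data owner",
              "IT Security Specialist", date(2024, 3, 1)),
    RiskEntry("Flooding of the server room in the rainy season", ["workers"], 2, 5,
              ["raised flooring", "offsite backups"], "Facilities",
              "Facilities manager", date(2023, 2, 15)),
    RiskEntry("Forklift collision in the parts warehouse", ["workers", "contractors"], 2, 2,
              ["marked walkways", "site speed limit"], "Warehouse lead",
              "Health and safety officer", date(2024, 1, 10)),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "  <- review due" if needs_review(r, ASSESSMENT_DATE) else ""
        print(f"{r.score:>2} {r.rating:<6} {r.hazard}{flag}")
    print("Above risk appetite:", above_appetite(SAMPLE_REGISTER))
```

Running the block lists the register from highest to lowest score, flags the server-room flooding entry because its review date has passed, and reports the two high-rated risks as above the assumed appetite.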

5.4. Review risk assessment procedures in an organisation


Assessment of Documentation: Begin by reviewing the existing documentation related to risk assessment procedures. This includes risk management policies, procedures, guidelines, templates, and any other relevant documents. Evaluate the clarity, comprehensiveness, and relevance of these documents.

Stakeholder Consultation: Engage with key stakeholders involved in the risk assessment process, such as risk managers, project managers, department heads, and frontline staff. Gather feedback on their experiences with the current procedures, including any challenges or areas for improvement.

Compliance Check: Assess whether the existing risk assessment procedures comply with relevant regulations, industry standards, and best practices. Ensure that the procedures adequately address the organization's legal and regulatory obligations.

Gap Analysis: Conduct a gap analysis to identify any shortcomings or areas where the current risk assessment procedures fall short. Compare the existing procedures against leading practices in risk management and identify areas for enhancement.

Effectiveness Evaluation: Evaluate the effectiveness of the current risk assessment procedures in identifying, assessing, and managing risks. Consider factors such as the frequency of risk assessments, the quality of risk identification, the accuracy of risk assessments, and the appropriateness of risk mitigation strategies.

Risk Culture Assessment: Assess the organization's risk culture to determine whether it supports effective risk assessment practices. Evaluate factors such as risk awareness, risk communication, risk tolerance, and accountability for managing risks.

Data and Information Analysis: Analyze data and information gathered through the risk assessment process to identify trends, patterns, and areas of concern. Evaluate the reliability and accuracy of the data used in risk assessments and identify any data gaps or limitations.

Technology Review: Evaluate the technology tools and systems used to support risk assessment activities. Assess whether these tools meet the organization's needs and whether there are opportunities to leverage technology for more efficient and effective risk assessment.

Training and Capability Assessment: Assess the training and capability of personnel involved in the risk assessment process. Determine whether staff have the necessary skills, knowledge, and resources to perform risk assessments effectively.

Feedback Mechanisms: Evaluate the feedback mechanisms in place for soliciting input from stakeholders on the effectiveness of risk assessment procedures. Ensure that there are channels for continuous improvement based on feedback received.

P6. Explain data protection processes and regulations as applicable to an organisation.
6.1. Define data protection
a. Define data protection
Data protection is the process of defending sensitive information against loss, tampering, or corruption. As data is created and stored at previously unheard-of rates, the significance of data protection grows. Additionally, there is limited tolerance for downtime that can prevent access to crucial information. As a result, a key component of a data protection plan is making sure that data can be swiftly restored after any loss or damage. Other essential elements of data protection include safeguarding data privacy and preventing data breaches.[3]
Figure 5: Data protection

b. Why is data protection important?


To keep your organization safe from data theft, leaks, and loss, data protection is vital. This process
involves using privacy policies that meet compliance regulations and prevent damage to the
organization's reputation.

A data protection strategy includes monitoring and protecting data in your environment, while
maintaining ongoing control over data visibility and access.

When developing a data protection policy, your organization can define risk tolerances for every data
category and comply with applicable regulations. This policy also helps you set up authentication and
authorization – defining who needs access to what information and why.[3]

6.2. Explain data protection process and regulations in an organization

a. Explain the data protection process within an organization


Risk assessment: Organizations need to assess the risks associated with their data, including identifying
the types of critical data, where they are stored and how they could be attacked or misused.

Establish security policies: Based on risk assessment, organizations need to establish detailed security
policies to guide how data is processed, stored, and accessed. This includes rules on passwords, access
rights and data management.

Implement technical security measures: Technical security measures such as firewall systems, data encryption, anti-virus software and intrusion detection software need to be deployed to protect data from cyber threats.

Employee training: All employees should be trained on the organization's security policies and measures.
This includes education on how to recognize and respond to security threats, as well as the need for
them to handle critical data securely.

Monitoring and evaluation: Organizations need to continuously monitor their systems and data to detect
any unusual activity early. Systems should also be periodically tested to ensure effectiveness and security
policy compliance.

Respond and recover from incidents: If an attack or security breach occurs, the organization needs a plan
to respond and recover quickly. This may include isolating infected systems, restoring data from backup,
and enhancing security measures to prevent future attacks.

b. Explain data protection regulations within an organization


Data protection regulations within an organization are the principles, guidelines, and laws established to ensure that an organization's data is protected securely and in compliance with relevant legal regulations regarding information security. These regulations may be applied internally or in accordance with legal regulations set out by a regulatory body or industry standards organization.

Information security policy: This is a document that describes specific principles and instructions on how
the organization processes, stores and protects data. This policy often includes specific security
measures, data access regulations, password management and risk management.

Data access rights: Data access regulations determine who is allowed to access data, as well as the rights
they have when accessing it. This may include providing tiered access to data, limiting access to groups
of users, or providing access on a "need to know" basis.

Data encryption: Provisions for the use of encryption to protect important data when it is stored or
transmitted. Data encryption helps ensure that data can only be read by those with the appropriate
decryption key.

Risk management: Risk management regulations define processes to assess, investigate and mitigate
risks related to data security. This includes identifying potential risks, estimating the level of risk, and
implementing appropriate security measures.

Legal compliance: Data protection regulations also require compliance with laws related to information
security, including laws on privacy, personal data protection and breach reporting.

Auditing and monitoring: Organizations need to establish regulations to audit and monitor compliance
with data protection policies and regulations. This includes regular audits, tracking security incidents,
and reporting violations to appropriate management departments.

6.3. Why are data protection and security regulations important?


a. Why is data protection important?
Data protection is important because it protects an organization's information from fraud, hacking,
phishing, and identity theft. Any organization that wants to operate effectively needs to keep its
information secure by implementing a data protection plan.
As the amount of data stored and generated increases, so does the importance of data protection. Data
breaches and cyber attacks can cause serious damage. Organizations need to proactively protect their
data and regularly update protection measures.
Ultimately, the main principle and importance of data protection is to protect and defend data from
different threats and under different circumstances.
b. Why is security regulation important?
Security regulation and sound network management are extremely important for every business. If a
business suffers an attack on its data, then in addition to the cost of restoring systems and affected
devices, it also bears very large costs (tens or hundreds of billions of dong, or more) from lost business
opportunities, stalled operations, and damage to its reputation, image and core strategy, and in the
worst case to the survival of the business itself.
Therefore, every enterprise first needs to implement effective data security measures to prevent data
theft and avoid these consequences.
P7. Design a suitable security policy for an organisation, including the main components of an
organisational disaster recovery plan.
7.1.What is Security Policy
A security policy is a documented set of rules, guidelines, and practices put in place by an organization to
protect its information technology (IT) systems, data, and resources. It serves as a roadmap for ensuring
the confidentiality, integrity, and availability of an organization's information assets. Security policies are
crucial for preventing unauthorized access, protecting against cyber threats, and maintaining regulatory
compliance. Here's a discussion on the components and importance of a security policy:

Figure 6 : Security Policy

Components of a Security Policy:


 Introduction and Purpose: This section provides an overview of the policy's objectives, scope, and
the importance of security within the organization.
 Roles and Responsibilities: Clearly define the roles and responsibilities of individuals and
departments involved in maintaining and enforcing security measures. This includes
management, IT staff, employees, and any third-party contractors.
 Access Control: Define procedures for granting and revoking access to information systems,
networks, and physical facilities. This includes user authentication, authorization levels, and
access restrictions based on job roles.
 Data Classification and Handling: Classify different types of data based on their sensitivity level
(e.g., confidential, sensitive, public) and outline appropriate handling procedures, storage
methods, and encryption requirements for each classification.
 Security Awareness and Training: Establish a program for educating employees about security
risks, best practices, and their responsibilities in safeguarding company assets. Regular training
sessions and awareness campaigns can help mitigate human error.
 Incident Response and Reporting: Define protocols for detecting, responding to, and reporting
security incidents such as data breaches, malware infections, or unauthorized access attempts.
Include escalation procedures and contact information for relevant authorities.
 Physical Security: Outline measures to secure physical assets such as buildings, servers, and
storage facilities. This may include access controls, surveillance systems, and procedures for
handling visitors or equipment removal.
 Network Security: Detail policies and procedures for securing network infrastructure, including
firewalls, intrusion detection/prevention systems, and encryption protocols. Address remote
access, wireless networks, and secure configuration guidelines.
 Software Development and Maintenance: Establish secure coding practices, testing procedures,
and version control policies to mitigate software vulnerabilities. Include guidelines for patch
management and regular updates.
 Compliance and Legal Requirements: Ensure that the security policy aligns with relevant industry
regulations, legal standards, and contractual obligations. Regular audits and assessments can help
verify compliance.
Importance of a Security Policy:
 Risk Management: A security policy helps identify, assess, and mitigate potential security risks
and vulnerabilities within an organization's systems, networks, and processes. By establishing
clear guidelines and procedures, the policy enables proactive risk management and reduces the
likelihood of security breaches.
 Protection of Assets: Assets such as sensitive data, intellectual property, infrastructure, and
reputation are vital to an organization's success. A security policy outlines measures to safeguard
these assets from unauthorized access, theft, or damage, thereby preserving their value and
integrity.
 Compliance Requirements: Many industries are subject to regulatory requirements and legal
standards related to data privacy, confidentiality, and security. A security policy ensures that an
organization complies with these regulations by defining appropriate security controls,
procedures, and documentation.
 Prevention of Security Incidents: A well-defined security policy helps prevent security incidents
such as data breaches, malware infections, insider threats, and physical intrusions. By
establishing access controls, encryption protocols, and incident response procedures, the policy
minimizes the likelihood and impact of such incidents.
 Employee Awareness and Training: Security policies educate employees about security risks, best
practices, and their responsibilities in maintaining a secure work environment. By raising
awareness and providing training, organizations empower employees to recognize and respond
to security threats effectively.
 Consistency and Standardization: A security policy promotes consistency and standardization in
security practices across an organization. By defining uniform guidelines and procedures, the
policy ensures that security measures are implemented consistently across departments,
locations, and systems.
 Customer Trust and Confidence: Customers and business partners expect organizations to protect
their sensitive information and privacy. A robust security policy demonstrates a commitment to
security and instills trust and confidence in stakeholders, enhancing the organization's reputation
and competitiveness.
 Business Continuity and Resilience: In the event of a security incident or disruptive event, a
security policy provides guidance for maintaining business continuity and resilience. By
establishing disaster recovery plans, backup procedures, and incident response protocols, the
policy helps minimize downtime and mitigate financial losses.

7.2. Example for each of the policies


Introduction and Purpose:
Overview: This policy outlines the security measures and guidelines implemented by Wheelie Good to
protect its digital and physical assets, ensuring the confidentiality, integrity, and availability of sensitive
information.
 Scope: This policy applies to all employees, contractors, vendors, and any other individuals who
have access to Wheelie Good's resources.
 Importance: Ensuring a robust security framework is essential to safeguarding Wheelie Good's
reputation, minimizing risks associated with data breaches, and maintaining compliance with
relevant regulations.
Policy Statement:
 Commitment: Wheelie Good is committed to maintaining a secure environment for its employees,
customers, and stakeholders by implementing appropriate security measures and fostering a culture of
awareness and accountability.
 Objectives: The objectives of this policy are to protect sensitive information, mitigate security risks, and
ensure compliance with legal and regulatory requirements.
Roles and Responsibilities:
 Management: Responsible for establishing security policies, providing resources for
implementation, and overseeing compliance.
 IT Staff: Responsible for implementing security measures, monitoring systems for vulnerabilities,
and responding to security incidents.
 Employees: Responsible for adhering to security policies, reporting security incidents, and
participating in security awareness training.
 Third-party Contractors: Responsible for complying with Wheelie Good's security policies and
guidelines while accessing its resources or handling its data.
Access Control Policy:
 User Account Creation: Access to systems and data is provisioned based on job roles and
responsibilities. Upon employment, employees are assigned access rights aligned with their
duties.
 Password Policies: Employees must create strong, unique passwords and never share them. Current
guidance (NIST SP 800-63B) recommends changing a password when compromise is suspected rather
than on a fixed schedule, since forced periodic rotation tends to produce weaker, predictable
passwords. Multi-factor authentication must be used for sensitive systems.
 User Privileges: Access privileges are granted according to the principle of least privilege,
meaning employees are only given access to the resources necessary for their job functions.
Regular reviews are conducted to ensure appropriateness and alignment with current roles.
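The access control rules above (provisioning by job role, least privilege, and periodic reviews) can be made concrete in code. The following Python is an added example, not part of the original assignment or of any Wheelie Good system; the role names, permission strings and user records are assumed for illustration.

```python
"""Role-based access control with least privilege and a periodic access review.

Added example, not part of the original assignment or of any Wheelie Good
system. Role names, permission strings and user records are assumed for
illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Each role maps to the minimum permissions that job function needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "sales":    frozenset({"crm:read", "crm:write"}),
    "finance":  frozenset({"crm:read", "ledger:read", "ledger:write"}),
    "it_admin": frozenset({"crm:read", "ledger:read", "servers:admin"}),
}


@dataclass
class User:
    name: str
    role: str
    permissions: Set[str] = field(default_factory=set)


def provision(name: str, role: str) -> User:
    """Account creation: grant exactly the role's permissions, nothing more."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    return User(name=name, role=role, permissions=set(ROLE_PERMISSIONS[role]))


def is_allowed(user: User, permission: str) -> bool:
    """Authorization check: deny by default, allow only what was explicitly granted."""
    return permission in user.permissions


def change_role(user: User, new_role: str) -> None:
    """On a role change, re-provision from the new role instead of adding to the old
    rights; accumulating rights across role changes is the usual cause of privilege creep."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role
    user.permissions = set(ROLE_PERMISSIONS[new_role])


def access_review(users: List[User]) -> Dict[str, Set[str]]:
    """Periodic review: report every permission a user holds beyond their current role."""
    excess: Dict[str, Set[str]] = {}
    for u in users:
        extra = u.permissions - ROLE_PERMISSIONS[u.role]
        if extra:
            excess[u.name] = extra
    return excess


if __name__ == "__main__":
    alice = provision("alice", "sales")
    alice.permissions.add("servers:admin")   # an ad-hoc grant made outside the role model
    bob = provision("bob", "finance")
    print("alice may write CRM:", is_allowed(alice, "crm:write"))
    print("excess rights found by review:", access_review([alice, bob]))
```

The review function is the part most organizations skip: it compares what a user actually holds against what the current role justifies, so an ad-hoc grant or a leftover from a previous role shows up as a finding rather than staying invisible until it is abused.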
Data Protection and Classification:
 Data Classification: Data is categorized based on sensitivity, with corresponding security
measures applied to each classification level.
 Encryption: Sensitive data is encrypted during transmission and storage using industry-standard
encryption algorithms to thwart unauthorized access.
 Data Backup Procedures: Critical data is regularly backed up to secondary storage locations to
ensure availability in the event of data loss or corruption.
Incident Response Plan:
 Detection: Wheelie Good maintains systems and protocols for continuous monitoring of network
activity and system logs to promptly detect security incidents.
 Response: A dedicated incident response team is responsible for responding to security incidents
in a timely manner. Their duties include containing the incident's impact and initiating
appropriate countermeasures.
 Recovery: Following an incident, comprehensive recovery procedures are executed,
encompassing data restoration and system patching to fortify defenses against future
occurrences.
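The detection step above only works if something actually reads the logs for signs of an incident. The following Python is an added example, not from the original assignment: it runs a simple brute-force detector over a few constructed sshd-style log lines (sample data, not real logs; the threshold and window are illustrative choices) and flags any source address that fails authentication five or more times within sixty seconds.

```python
"""Detect password brute-force attempts in sshd-style auth logs.

Added example, not part of the original assignment. The log lines below are
constructed sample data; the threshold and window are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log in the syslog format written by OpenSSH. 203.0.113.0/24
# and 198.51.100.0/24 are documentation address ranges, not real hosts.
SAMPLE_LOG = """\
Apr 14 10:01:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Apr 14 10:01:05 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Apr 14 10:01:09 web01 sshd[2315]: Failed password for root from 203.0.113.7 port 51541 ssh2
Apr 14 10:01:12 web01 sshd[2318]: Failed password for root from 203.0.113.7 port 51550 ssh2
Apr 14 10:01:15 web01 sshd[2320]: Failed password for root from 203.0.113.7 port 51559 ssh2
Apr 14 10:01:20 web01 sshd[2322]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2
Apr 14 10:03:40 web01 sshd[2330]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Apr 14 10:09:41 web01 sshd[2340]: Failed password for bob from 198.51.100.9 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source IP), or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog stamps carry no year; strptime defaults to 1900, which is fine for relative ordering
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert once per source IP that accumulates `threshold` failed logins inside `window`.

    A sliding window per source is kept in a deque, so a slow trickle of failures
    spread over minutes (a forgotten password) does not alert, while a burst of
    failures against one or many usernames does.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "Failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].strftime("%H:%M:%S"),
                "last": ts.strftime("%H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['failures']} failed logins "
              f"({', '.join(a['users'])}) between {a['first']} and {a['last']}")
```

On the sample data only 203.0.113.7 is reported; the two failures from 198.51.100.9 are six minutes apart and stay below the threshold. In production the same logic would feed the response team's alert queue rather than print, and the threshold would be tuned against the organization's own baseline.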
Physical Security:
 Access Control: Physical access to Wheelie Good's facilities is tightly controlled, typically through
measures such as keycard access systems and onsite security personnel.
 Server Security: Servers are housed in secure, access-controlled locations with environmental
controls to prevent unauthorized access and maintain optimal operating conditions.
Network Security:
 Firewalls: Firewalls are deployed to monitor and regulate incoming and outgoing network traffic,
effectively blocking unauthorized access attempts and mitigating potential threats.
 Intrusion Detection Systems (IDS): IDS are employed to detect and respond to suspicious network
activity, issuing alerts for further investigation.
 Wireless Network Security: Robust authentication and encryption protocols are implemented to
safeguard wireless networks from unauthorized access attempts.
Training and Awareness:
 Security Awareness Training: Wheelie Good mandates regular security awareness training sessions for
all employees to educate them on security best practices, common threats, and their roles in
upholding a secure work environment.
 Reporting Procedures: Employees are trained to recognize and promptly report security
incidents, ensuring swift response and mitigation efforts.
Compliance and Legal Requirements:
 Regulatory Compliance: Wheelie Good meticulously adheres to relevant laws and regulations
governing data protection, privacy, and security, such as GDPR, HIPAA, or PCI DSS.
 Industry Standards: Wheelie Good maintains alignment with industry standards and best
practices in information security, continuously evaluating and updating its security measures to
keep pace with evolving threats and regulations.
7.3. The "musts" and "shoulds" of creating a policy
a. Ensure that there is a policy on policies
When creating policies, it's vital to operate within an established and widely accepted framework. An
essential first step in policy development is crafting a clear policy on policies. This "meta policy" should
outline the organization's procedure for creating new policies, including when they are necessary, how
they should be structured, and the approval process. Without a method and structure for policy
creation, inconsistencies may arise, leading to subpar or challenging enforcement.
b. Identify any overlap with existing policies
This is an easy one. Check to determine whether the policy you're trying to create already exists or if any
of its components are already in other policies before you establish a new one. If so, think about
updating current policies as opposed to coming up with a completely new one.
c.Don't develop the policy in a vacuum
I've observed people working at their desks and coming up with whole independent policies that they
felt were important. This has mostly occurred in organizations without any form of structure for policy
governance. The majority of the time, the policies were biased against the organization and omitted
important components. However, as one might anticipate, the policies were beneficial to the individual
who created them.
I think that those who will be impacted by policies should be involved in their development. To reduce
the possibility of unexpected consequences, it's critical that all stakeholders are heard, even though the
final policy may not ultimately reflect all viewpoints. Additionally, policies must be comprehensive, and
different viewpoints can fill in any gaps that may present.
d. Use the right words so there is no misunderstanding intent
To be effective, policies must be understood, and precise, unambiguous language helps. Keep
terminology clear and simple so that everyone can follow it. In the body of the policy, use "must" or
"will" rather than "should": "should" suggests the action is optional and casts doubt on whether the
policy is necessary. Reserve "should" for what is recommended but not required. Never use a person's
name; always refer to an office, department, unit, or job title. Examples: "Contact the assistant to the
CFO to..."; "The office of the CIO is responsible for...". Email addresses given for correspondence should
be generic department addresses or links to web pages with further contact details; avoid personal
email addresses so that the policy does not have to be revised every time personnel change. Do not
underline subheadings or words that need emphasis; use bold or italics instead, because once the policy
is published online, underlined terms may be mistaken for links.
e. Policy Management Best Practices
Define policy maintenance responsibility: Ensure regular review and clarification of policies by
designating an office, rather than specific individuals, for policy oversight to accommodate personnel
changes.
Keep senior executives out of routine tasks: Establish a policy exceptions procedure managed by
designated personnel within the company, excluding senior executives unless legally required.
Leadership should review new policies before implementation.
Establish a policy library with versioning: Maintain a policy library accessible to all employees, utilizing
platforms like SharePoint for version control. Access to updated policies fosters adherence, while version
history aids in understanding policy changes over time.
7.4. Elements of a Security Policy
Objective and Scope:
This describes the main objective of the security policy and its scope of application within the
organization. It explains the reason for the policy and what it tries to achieve.
Access Management:
Includes principles and processes for managing access to an organization's systems, applications, and
data. This includes how to create, manage, and revoke user accounts.
Data Protection and Classification:
Identify measures to protect data, including classifying data by sensitivity level and implementing
appropriate safeguards.
Risk Management:
Provides principles and processes to identify, assess and manage security risks within the organization.

Incident Response and Recovery:


Describes the processes and measures to respond to and recover from a security incident such as
detecting, reporting, and handling incidents.
Physical Security:
Includes physical security measures to protect an organization's physical assets such as buildings,
servers, and equipment.
Network security:
Refers to network security measures such as firewall installation, intrusion detection, data encryption,
and wireless network security management.
Training and Awareness:
Provides for training employees in information security and providing them with guidance to recognize
and report on security threats.
Compliance and Legal:
Describes how the organization maintains compliance with legal regulations and standards related to
information protection and security.
Testing and Evaluation:
Includes processes to test, evaluate, and improve security policy performance through performing
security audits, risk assessments, and compliance reviews.
7.5. Disaster Recovery Plan (DRP)
Now, moving on to the main components of an organizational Disaster Recovery Plan (DRP). A DRP is a
structured approach to respond to and recover from unplanned incidents that affect the IT infrastructure
and data of an organization. Here are the key elements:
 Goals and Scope: Define the goals of the DRP, including expected recovery time and level of data
and service recovery. The scope of the plan should be clearly defined to include all critical
systems, applications and services.
 Risk Classification and Impact Assessment: Identify and assess potential risks and their impact on
the organization's operations. Risks may include hardware/software failures, power outages, or
natural disasters.
 Recovery Process: Describes the steps required to recover systems and services after a failure.
This may include restoring data from backup, recreating the working environment, and
implementing temporary measures to maintain operations.
 Assign Responsibilities: Identify and assign roles and responsibilities to incident recovery team
members. Each person needs to know their duties and how to operate in an emergency situation.
 Communications and Information: Determine how to communicate with stakeholders, including
employees, partners, and customers, during recovery from an incident. Ensure that communication
channels remain available and are kept up to date throughout the recovery.

 Testing and Maintenance: Set out a periodic testing and maintenance schedule to ensure the DRP
remains effective. This includes testing and updating backups, testing resilience, and training
employees.
 Post-Incident Assessment: Specifies steps to evaluate and learn from after recovery from an
incident. Lessons from previous incidents can be used to improve DRP planning and increase
preparedness for the future.
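Testing backups is listed above as part of DRP maintenance, and a backup that has never been restored is not a tested backup. The following Python is an added example, not part of the original assignment: it backs up a small constructed directory together with a SHA-256 manifest, restores it, verifies every file against the manifest, and then shows that a truncated or missing file in a second restore is caught instead of silently accepted. Directory layout, file names and contents are constructed for illustration.

```python
"""Backup-and-restore test for a disaster recovery plan.

Added example, not part of the original assignment. The directory layout,
file contents and archive name are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> Dict[str, str]:
    """Write src_dir to a gzip tarball and return the manifest {relative path: sha256}
    recorded at backup time; a later restore is checked against this manifest."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive. The 'data' filter rejects absolute paths and '..' entries,
    which protects a restore from a tampered archive; older Pythons lack the argument."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)


def verify(restored_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare every manifest entry against the restored copy; an empty list means a clean restore."""
    problems: List[str] = []
    for rel, digest in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def drp_restore_test() -> Dict[str, object]:
    """Periodic DRP exercise: back up, restore, verify, and confirm that a damaged
    restore is detected rather than silently accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.csv").write_text("id,total\n1,19.99\n2,5.00\n")  # constructed sample data
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)

        good = root / "restore_ok"
        restore(archive, good)
        clean_problems = verify(good, manifest)

        bad = root / "restore_damaged"
        restore(archive, bad)
        (bad / "db" / "orders.csv").write_text("id,total\n1,19.99\n")  # simulate a truncated file
        (bad / "config.ini").unlink()                                  # simulate a lost file
        damaged_problems = verify(bad, manifest)

        return {
            "files_backed_up": len(manifest),
            "clean_restore_problems": clean_problems,
            "damaged_restore_problems": damaged_problems,
        }


if __name__ == "__main__":
    print(drp_restore_test())
```

The manifest should be stored separately from the archive (and ideally signed), because a backup whose checksums travel with it can be altered together with the data it is meant to protect.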
7.6.The steps to design a policy.
Identify Objectives: The first step is to identify the main objectives of the policy. This may include
protecting sensitive information, ensuring legal compliance, or enhancing system security. Objectives
should reflect the specific needs and goals of the organization.

Research and Information Collection: Next is to collect relevant information from various sources,
including legal regulations, industry standards, and similar policies of other organizations. This helps
define the scope and requirements of the policy.

Identify Audience and Stakeholders: Identify those who will be affected by the policy and those who can
influence its implementation and enforcement. This can include employees, management, and the IT
department.

Content Development: Based on information collected and identified goals, develop the content of the
policy including specific principles, regulations, and instructions. Content should be clear, easy to
understand and applicable in practice.

Validation and Approval: Before implementation, the policy needs to be validated and approved by
relevant departments and stakeholders. This ensures that the policy is agreed upon and supported by all
sides.

Deployment and Enforcement: Once the policy is approved, deploy it into the organization's systems.
This may include notification, staff training, and installation of technical measures.

Review and Update: The policy should be periodically evaluated to ensure that it remains effective and
reflects changes in the organization's operating environment. If necessary, the policy can be updated to
reflect new changes.

P8.Discuss the roles of stakeholders in the organisation in implementing security audits.


8.1.Define stakeholders
A stakeholder is either an individual, group or organization that’s impacted by the outcome of a project
or a business venture. Stakeholders have an interest in the success of the project and can be within or
outside the organization that’s sponsoring the project. Stakeholders are important because they can
have a positive or negative influence on the project with their decisions. There are also critical or key
stakeholders, whose support is needed for the project to exist.

A stakeholder is a person, like any other member of the project, and some are easier to manage than
others. You’ll have to learn to use stakeholder mapping techniques to identify who your key stakeholders
are and make sure you meet their requirements.

Figure 7 : Define stakeholders

8.2.Roles of Stakeholders in an Organization:


Employees:

Role: Employees are the first line of defense in implementing and upholding security controls in their
daily work. They are responsible for following security measures diligently and for recognizing and
promptly reporting security incidents, which makes them indispensable in safeguarding organizational
assets and sensitive information.

Management and Leadership:

Role: Executives and managers wield substantial influence in shaping the organizational ethos towards
security. They are entrusted with the task of delineating strategic directives, allocating requisite
resources, and fostering a culture where security is not just a priority but ingrained into the very fabric of
the organization's operations.

Owners and Shareholders:


Role: Shareholders, as stakeholders with vested financial interests, exert sway over pivotal decisions
pertaining to security by means of voting on policies and strategic initiatives. Their support and
alignment with robust security measures are instrumental in fortifying the organization's resilience
against potential threats.

Board of Directors:

Role: The Board of Directors assumes a pivotal oversight role in governance, exercising authority in
approving security policies, scrutinizing risk management frameworks, and ensuring adherence to
regulatory mandates. Their astute governance practices contribute significantly to maintaining the
organization's integrity and trustworthiness.

Customers:

Role: Customers entrust organizations with their sensitive data and rightfully demand assurance of its
security. Their preferences and expectations exert indirect influence, compelling organizations to uphold
stringent security standards to meet market demands for secure products and services.

Suppliers and Vendors:

Role: External entities providing goods and services are integral cogs in the organizational machinery,
necessitating adherence to stringent security requisites. Their collaboration in maintaining a robust
security posture across the supply chain is indispensable for mitigating potential vulnerabilities and
safeguarding organizational interests.

Government and Regulatory Bodies:

Role: Regulatory authorities wield authority in delineating requisite standards and frameworks that
organizations must abide by. Their oversight ensures adherence to legal mandates, thereby fostering a
regulatory environment conducive to bolstering security resilience.

Communities:

Role: Local communities serve as stakeholders directly impacted by the organization's security practices,
especially concerning environmental and safety considerations. Their advocacy for responsible and
secure operations underscores the imperative of fostering community-centric security initiatives.

Partners and Alliances:

Role: Collaborative endeavors with partners and alliances necessitate the exchange of information and
resources, thereby mutually influencing each other's security postures. Upholding robust security
protocols fosters trust and resilience in these symbiotic relationships.
Media:

Role: The media's portrayal of an organization's security practices can significantly shape public
perception. Negative publicity resulting from security breaches underscores the imperative of
implementing stringent security measures to safeguard reputation and public trust.

8.3. Define Security Audit and State Why You Need It

a. Define
A security audit is a systematic evaluation of an organization's security measures, policies, procedures,
and controls to assess their effectiveness in mitigating risks and protecting assets, including physical
assets, data, intellectual property, and reputation. The primary goal of a security audit is to identify
vulnerabilities, weaknesses, and areas of non-compliance with regulatory requirements or industry
standards.

b. Why You Need It


Risk Assessment: Security audits help identify potential security risks and threats to the organization's
assets. By assessing vulnerabilities, organizations can prioritize resources and efforts to address high-risk
areas effectively.

Compliance: Many industries are subject to regulatory requirements and standards regarding security
practices. Security audits ensure that organizations comply with these regulations, avoiding legal
penalties and reputational damage.

Protection of Assets: Assets such as data, intellectual property, and physical infrastructure are vital to an
organization's operations. Security audits help identify weaknesses in security measures and ensure
these assets are adequately protected from theft, misuse, or damage.

Prevention of Breaches: Security audits can uncover weaknesses in security controls that could be
exploited by attackers. By identifying and remedying these vulnerabilities proactively, organizations can
reduce the likelihood of security breaches and their associated costs and damages.

Continuous Improvement: Security is an ongoing process that requires regular review and updates to
adapt to evolving threats and technologies. Security audits provide insights into areas for improvement,
allowing organizations to refine their security posture continuously.

8.4. Recommend the Implementation of Security Audits to Stakeholders in an Organization


Subject: Recommendation for Implementing Security Audits
Dear [Stakeholder's Name],

I am writing to propose the implementation of regular security audits within our organization as a
strategic measure to enhance our overall security posture and mitigate potential risks. As stakeholders
invested in the success and sustainability of our organization, it's imperative that we take proactive steps
to safeguard our assets, reputation, and stakeholder trust.

Background: With the ever-evolving landscape of cyber threats and regulatory requirements, ensuring
the effectiveness of our security measures is paramount. Security audits serve as a systematic evaluation
of our security controls, policies, and procedures, providing valuable insights into vulnerabilities and
areas for improvement.

Key Benefits:

 Risk Mitigation: By identifying and addressing vulnerabilities proactively, security audits help
mitigate potential risks and minimize the likelihood of security breaches, thereby safeguarding
our organization's assets and reputation.
 Compliance Assurance: Regular security audits ensure that we remain compliant with relevant
regulatory requirements and industry standards, reducing the risk of legal penalties and
reputational damage.
 Cost Savings: Investing in preventive measures through security audits can ultimately save costs
associated with security breaches, including financial losses, legal fees, and damage to brand
reputation.
 Continuous Improvement: Security audits provide valuable insights into areas for improvement,
enabling us to refine our security policies, procedures, and controls continuously.

Recommendation:

 I recommend that we establish a formal framework for conducting regular security audits,
encompassing the following key components:

 Define objectives and scope of audits based on organizational priorities and risk factors.
 Select qualified internal or external auditors with expertise in cybersecurity and regulatory
compliance.
 Develop audit methodologies and protocols tailored to our organization's unique needs and
challenges.
 Establish clear timelines and schedules for conducting audits on a regular basis, considering the
dynamic nature of security threats.
 Allocate necessary resources and support from leadership to ensure the success and
effectiveness of security audit initiatives.
III.Conclusion
In today's dynamic IT landscape, robust security measures are paramount. This exploration covers risk
assessment, data protection, IT security, disaster recovery planning, and stakeholder involvement,
highlighting their interconnected nature.

Risk assessment procedures underscore the importance of identifying and mitigating threats, aligning
organizational strategies with risk management practices. Data protection, crucial in the digital age,
ensures legal adherence and fosters responsibility in handling sensitive information.

Integration of ISO standards enhances resilience against threats, as illustrated by practical examples. IT
security audits play a pivotal role in assessing security postures, aiding in vulnerability identification and
defense fortification.

A comprehensive security policy and disaster recovery plan are essential for business continuity.
Stakeholder involvement fosters a culture of security awareness, making security a collective
responsibility.

In conclusion, embracing a holistic security strategy is imperative for organizational success amidst
advancing technology. This proactive approach fortifies defenses, adapts to emerging threats, and
ensures resilience and responsiveness.
