ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: December 25, 2021
Date received (1st submission): December 25, 2021
Re-submission date:
Date received (2nd submission):
Student name: Dang Tan Tai
Student ID: BSAF200013
Class: PBIT16101_CNTT1
Assessor name: Do Phi Hung

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Tai

Grading grid: P5, P6, P7, P8, M3, M4, M5, D2, D3

Learning Outcomes and Assessment Criteria

LO3 Review mechanisms to control organisational IT security
- Pass: P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation.
- Merit: M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.
- Distinction: D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4 Manage organisational security
- Pass: P7 Design and implement a security policy for an organisation. P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
- Merit: M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
- Distinction: D3 Evaluate the suitability of the tools used in an organisational policy.

Table of Contents

I. Discuss risk assessment procedures
  - Define a security risk and how to do risk assessment
  - Define assets, threats and threat identification procedures and give examples
  - Explain the risk assessment procedures
  - List risk identification steps
II. Explain data protection processes and regulations as applicable to an organization
  - Define data protection
  - Explain the data protection process in an organization
  - Why are data protection and security regulation important?
III. Design and implement a security policy for an organization
  - Define security policy and discuss it
  - Example for each of the policies
  - What must and should exist while creating a policy
  - Explain and write down elements of a security policy
  - Give the steps to design a policy
IV. List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion
  - Discuss and explain business continuity
  - List the components of a recovery plan
  - Write down all the steps required in the disaster recovery process
  - Explain some of the policies and procedures that are required for business continuity
References

I. Discuss risk assessment procedures

Define a security risk and how to do risk assessment

What is risk? Risk is something we cannot predict: we do not know what might happen in the future, but everything that happens has positive and negative sides. Although risks can bring financial and data loss, they also provide opportunities for those who know how to turn bad into good because they have studied the risk. Taking that risk, and preparing a plan to deal with the situation, will help us go far and develop more in the future.

What is risk assessment? Risk assessment is the assessment of the risks that will affect the company, at each level from the most dangerous to the least risky. Depending on the level of risk, we can arrange the risks in priority order, evaluate them, and offer solutions to avoid the most dangerous potential risks affecting our business.

How to do risk assessment?
To assess the level of risk for each case, follow the risk assessment matrix below.

(Figure: the risk assessment matrix)

Define assets, threats and threat identification procedures and give examples

An asset is any important data containing sensitive information of an organization or business. Sensitive information includes business strategies and advertising strategies, and it can decide the existence of a company or organization: if one day this data is hacked or exposed to the outside, the business will suffer heavy losses. An example: the company's computers and phones are also assets, as is the company's important information, such as access to the system, access to the information of the business divisions, and access to customer information.

A threat is any incident that negatively affects an asset, for example if it is lost, stolen, taken offline, or accessed by an unauthorized party.

The threat identification process checks for IT vulnerabilities and determines their potential to compromise the system. This is a core part of the company's risk assessment policy. Identifying risks helps the company take the next steps: by blocking unauthorized users and avoiding device breaches, you protect the data you need.

Explain the risk assessment procedures

Risk assessment is a term used to describe an overall process or method in which you:
- Identify hazards and potentially harmful risk factors (hazard identification)
- Analyze and assess the risk associated with that hazard (risk analysis and risk evaluation)
- Identify appropriate ways to eliminate the hazard, or control the risk when the hazard cannot be eliminated (risk control)

List risk identification steps
Step 1: Identify risks. Identifying risks is the first step in risk management; examples include a tsunami, loss of power, or a broken database. To analyse the risks, we need to build a plan and a solution for each case.

Step 2: Assess the risks. At this step we assess the risks at different levels. Priority should be given to problems with a high probability and a great potential impact on the company's business operations; these are ranked first and given solutions.

Step 3: Plan risk responses. In this step we need a plan based on the assessment in step 2. These plans are prepared and rehearsed in advance, so that if the unfortunate happens we can react quickly to such risks and limit the impact on the business.

Step 4: Implement risk responses. After having a plan, we implement the proposed options, choosing the most effective and least expensive option.

Step 5: Control and monitor risk responses. Risk monitoring and control is the process of monitoring identified risks, tracking outstanding risks and identifying new risks, ensuring implementation of the risk plans and evaluating their effectiveness in risk reduction.

II. Explain data protection processes and regulations as applicable to an organization

Define data protection

Data protection is the protection of personal and organizational data so that it is not stolen by bad guys or hackers. It is part of information security in general. Good security of data and information avoids unnecessary risks for yourself and your business.

Explain the data protection process in an organization

Data security governance within an organization refers to the group of individuals responsible for planning, designing, implementing, and monitoring the organization's security plan. Before you can form a governance group, your organization must determine what information it holds. After your organization
identifies and records its assets, you should assign responsibility for each asset to a person or position. Once you have a list of assets and know who is responsible for each of them, you can form a team. This governance team then determines the sensitivity of each asset so that it can plan how to secure each asset accordingly.

Why are data protection and security regulation important?

All data should always be carefully protected, because customer data, personal data, partner information and business secrets are all important assets. They can determine the survival of the business. This is also why hackers try to threaten business information: if they can steal this block of data, they can make a huge amount of money. Such lurking dangers are why businesses need to pay more attention to information protection.

The security governance team handles the planning, design, implementation, and monitoring of the organization's security program. Several types of documentation are needed to provide the input the team needs to make the best decisions to secure an asset. The most common documentation requirements include:
• List of sensitive assets: which assets must the organization take security measures for? The list can include computers, network components, databases, documents and any asset that can be vulnerable.
• Organizational security processes: how do they all work?
• Rights of those responsible for security: which administrator is responsible or authorized for which assets and for which actions?
• Policies, procedures and guidelines adopted by the organization: what information should be communicated, and how and when should it be communicated?
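As an added example (not part of the assignment), the following Python asset and risk register carries out the procedure just described together with the five risk identification steps from section I: record each asset with a responsible position and a sensitivity, identify risks against those recorded assets, score and order them from most to least dangerous, and flag any non-low risk that still has no planned response. The 5-point likelihood and impact scales, the priority thresholds and the sample assets and risks are constructed assumptions, not values from the page.

```python
"""Asset register and risk prioritisation (added example, not the assignment's own code).

Assumed scales and thresholds: likelihood and impact are rated 1..5,
score = likelihood x impact, and the matrix bands are high >= 15, medium >= 8, low < 8.
"""
from dataclasses import dataclass
from typing import Dict, List

# Sensitivity levels the governance team assigns to each recorded asset (assumed labels).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}


@dataclass
class Asset:
    name: str
    owner_position: str  # a position or office, not a person's name, so it survives staff changes
    sensitivity: str     # one of the SENSITIVITY keys


@dataclass
class Risk:
    asset: str           # name of a recorded asset
    threat: str          # incident that negatively affects the asset
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    response: str = ""   # planned response (step 3); empty until one is agreed

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def priority(score: int) -> str:
    """Map a score onto the assumed matrix bands used to order the risks."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


class Register:
    def __init__(self) -> None:
        self.assets = {}  # type: Dict[str, Asset]
        self.risks = []   # type: List[Risk]

    def add_asset(self, asset: Asset) -> None:
        # Every asset must be recorded with a responsible position and a known sensitivity.
        if asset.sensitivity not in SENSITIVITY:
            raise ValueError(f"unknown sensitivity {asset.sensitivity!r} for {asset.name!r}")
        if not asset.owner_position.strip():
            raise ValueError(f"asset {asset.name!r} has no responsible position")
        self.assets[asset.name] = asset

    def add_risk(self, risk: Risk) -> None:
        # Step 1: a risk can only be identified against an asset that is already recorded.
        if risk.asset not in self.assets:
            raise KeyError(f"risk refers to unrecorded asset {risk.asset!r}")
        for value in (risk.likelihood, risk.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be rated 1..5")
        self.risks.append(risk)

    def prioritised(self) -> List[Risk]:
        # Step 2: order from most to least dangerous; ties broken by asset sensitivity.
        return sorted(
            self.risks,
            key=lambda r: (r.score, SENSITIVITY[self.assets[r.asset].sensitivity]),
            reverse=True,
        )

    def missing_responses(self) -> List[Risk]:
        # Step 3 check: every medium or high risk needs a planned response before step 4.
        return [r for r in self.risks if priority(r.score) != "low" and not r.response]


def build_sample_register() -> Register:
    """Constructed sample data for a small company (not taken from the page)."""
    reg = Register()
    reg.add_asset(Asset("customer database", "Head of IT", "confidential"))
    reg.add_asset(Asset("marketing website", "Marketing manager", "public"))
    reg.add_asset(Asset("office laptops", "Head of IT", "internal"))
    reg.add_risk(Risk("customer database", "database server breakdown", 3, 5,
                      "nightly off-site backup; restore test twice a year"))
    reg.add_risk(Risk("customer database", "data stolen by an unauthorised party", 2, 5))
    reg.add_risk(Risk("office laptops", "laptop lost or stolen", 4, 3,
                      "full-disk encryption; remote wipe"))
    reg.add_risk(Risk("marketing website", "power outage at the hosting provider", 2, 2))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.prioritised():
        print(f"{priority(r.score):6} {r.score:2}  {r.asset}: {r.threat}")
    for r in register.missing_responses():
        print(f"no response planned yet: {r.asset} / {r.threat}")
```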
The security management team gathers all the pieces to ensure the organization adheres to the stated policies. An organization must adhere to rules at two levels:
• Regulatory compliance: the organization must comply with the law and government regulations.
• Organizational compliance: the organization must adhere to its own policies, conditions, culture and standards.

III. Design and implement a security policy for an organization

Define security policy and discuss it

A security policy is a statement that explains how the company collects, processes, stores, shares, and protects customers' personal information and the sensitive information collected through the company's interactions with customers on its website.

Example for each of the policies

For example, in a company we have policies for hiring outside freelancers for a project. The policies are:
- First, the employees need to follow the policy "Do not disclose company data outside the company".
- Second, the employees need to meet up daily, hand over their "event log" file so the company can control them, and configure the IP addresses allowed to access the company's server.

Under the first policy, if the employees have disclosed company data, they have broken the rules and are punished according to the law, based on the contract agreed between the parties.

Under the second policy:
- If employees do not attend the daily meeting, they will be disciplined. If there is a problem with the project's source code, or something out of the ordinary, we require them to hand over their "event log" file for checking.
- If they use the company's server for a bad purpose, they are punished according to the law.

What must and should exist while creating a policy

a. Make sure there is a policy on policies

It may sound a bit redundant, but it is important to work within a predefined and agreed-upon framework even when it comes to policy formation. Create a simple policy that defines policies. The process of creating a new organizational policy is an important first step in the policy
finalization process. This "meta policy" should include guidance on what situations constitute the need for a new policy, the format new policies should use, and the process that must be followed for a new policy to be approved. If you do not have a process and framework in place around policy formation, you run the risk of inconsistent results in production, which can lead to poor or difficult enforcement.

b. Identify any overlap with existing policies

This is simple. Before creating a new policy, check whether the policy you intend to create already exists, or whether part of it exists in other policies. If so, consider revising the existing policies rather than creating a brand new one.

c. Do not build policy in a vacuum

I have seen individuals sit behind desks and create policies that they feel are necessary, developed entirely on their own. Usually this happens in organizations lacking any form of governance structure. In most cases such policies lack key elements and are skewed in ways that are not positive for the organization. As you might expect, the policies did good things for those who developed them, but policies need to be developed with input from those who will be affected by them. While the final policy may not reflect all opinions, it is important that all stakeholders are heard, to reduce the possibility of unintended consequences. Furthermore, policies need to be improved over time, and additional comments can help close any gaps that may exist.

d. Step back and consider the need

Are you creating a policy because a policy is necessary, or because someone did something you don't like?
There is a big difference, and again, I have seen policies being applied out of spite and as retribution. Obviously, that kind of activity would not happen in a reasonable organization, and it will not happen in an organization that has a strict policy on policies, because a policy will go through several levels to be approved and somewhere along the way someone will step back and ask, "Why do we need this?" Policies should be enacted when there is a clear need and a clear problem to be addressed.

e. Use appropriate words so that there is no room for misunderstanding

Policies must be understood to be effective. Using clear and unambiguous grammar aids this effort. Use simple and specific terms that people can easily understand. Use the words "must" or "will" instead of "should" in the body of the policy: the latter implies that the action is optional, which makes the need for the policy questionable. If something really is optional, use the word "should", but not when it is a requirement.

Always use an office, department, unit, or title instead of an individual's name. Example: "The CIO's office is responsible for ..."; "Contact the assistant CFO to ...". The contact email should always be a general department address or a website providing additional contact information. Avoid using individual email addresses, so that the policy does not need to be updated when personnel changes occur.

Do not underline subheadings or stressed words in a sentence. Set subheadings in bold or italic instead, and do the same if a word needs stress. Underlined words can be confused with hyperlinks when the policy is posted online.

f. When possible, include an exception procedure

To every rule there is an exception, at least in most cases. Predetermining the path for exceptions is much easier: an exception process must be active before the policy goes into effect. Before you say, "I would never allow an exception," think again. At some point a situation will arise that requires an exception. Because policies are implemented to control behavior and level the playing field, it is
important that exceptions are also granted fairly and equally. If you play loosely with the exception process, the whole policy can be called into question.

g. Allow some shades of gray

So you have created a completely airtight policy and defined an exception process that no one can question. That is a good goal, but difficult to achieve for all policies. This is the point that draws the most criticism for policies that are supposed to facilitate equality. But I believe some policies need to leave a bit of ambiguity for people to make decisions. That does not mean the policy lets people do whatever they want, but there seem to be too many cases of people who are allowed to use "government policy" or "zero tolerance" to avoid doing the right thing. If your policy is a bit gray so that one person can make a quick decision, that is okay.

h. Define responsibility for maintaining the policy

Most policies require periodic review to ensure their continued applicability. Furthermore, as questions are raised about the policy, someone should be able to provide clarification. Make sure you always identify the office, not the individual, responsible for the policy. Do not identify individuals, since they come and go.

i. Keep senior executives out of the loop when possible

I mentioned the need to define an exception procedure for policies when possible. In one organization I worked for, exceptions automatically fell into the hands of the CEO. Honestly, it was a waste of his time. The exception procedure in place should empower someone in the organization to handle exceptions. The person identified does not need to be a Vice President or Chief Executive Officer, unless required by regulations or laws. Furthermore, do not expect senior executives to develop every policy. That said, a team should be responsible for reviewing new policies before they go into production.

j. Set up a policy library with versioning

Today there are all kinds of tools, such as SharePoint, that allow you to store versions of documents. All employees should have access to all applicable policies at all times. If employees cannot access the policies, how can they be expected to abide by them? When it comes to versioning, as policies evolve it is good to see their history to keep track of what has changed over time.

Explain and write down elements of a security policy

a. Introduction

Small businesses, like all businesses, increasingly depend on computer systems and networks to do business. Email has become an important communication tool for many small businesses. Websites are important marketing channels and, for businesses with eCommerce sites, important sales makers. With an ever-increasing reliance on computer systems comes an ever-increasing need to protect them, just as door locks and safes protect bricks and mortar as well as valuables and trade secrets. Project C99 studied the security implications of connecting computers to the Internet through a modest broadband connection of the kind used by many small businesses.

b. Privacy Policy Document

A privacy policy document has several functions. As the term suggests, it documents privacy policies. It does not just record them: it provides a framework within which policies can be written, revised and evaluated. The privacy policy document should also provide context regarding enterprise policies. Internet Security Systems, Walker and Cavanaugh, and others have material available in books or on the Internet that provides outlines for privacy policy documents. They give instructions for writing the introduction as well as the individual privacy policies. The guidelines differ on the specific content and emphasis they recommend. Any privacy policy document should have an extensive
introduction as well as individual privacy policies.

c. Product element

The preamble to the privacy policy document places the policies in the context of the business they are intended to protect. The introduction should be relevant to the business, but should at least cover the following areas: the purpose of the document; the scope of the document and the policies; separate organizational responsibilities; the organization's general and specific objectives for security policy; and threat and risk assessment.

d. Purpose

The purpose of a privacy policy document, although somewhat standard, can be influenced by the extent to which the business handles confidential information and by the means by which systems and networks are managed: by full-time in-house employees, as additional duties for other employees, or outsourced.

e. Goals

The scope definition should clearly describe what is covered by the policies and should not be vague about what is not covered. In particular, a small business must decide whether the policies include an acceptable use policy and a disaster recovery policy. Many sources recommend them. For small businesses these may not be necessary: for a small group of employees, acceptable use may be determined by group consensus. For some small businesses, backup is essential but an entire disaster recovery plan or business continuity plan is financially out of reach. For others, these and other policies may be supplementary, as suggested by the General Information Systems Commission in the UK.

f. Responsibility

Every organization must review and assign responsibility for security. Responsibilities can be assigned to individuals or to positions within the organization.

Give the steps to design a policy

Step 1: Identify the issue or purpose. Identify and define the problem or issue that calls for policy formulation. The organization also needs to know and understand the purpose of the policies, and to realize that the problem or issue can be effectively addressed by creating or modifying a policy.

Step 2: Designate a coordinator. Designate a person or persons to coordinate policy development. Policy development can take several months, so there needs to be someone, or perhaps a committee, "running" this process.

Step 3: Establish a policy development process. This process entails research, consultation and policy-writing tasks. The coordinator should develop a plan of what needs to be done, by whom and when.

Step 4: Conduct research.
• Read policy documents produced by other organizations on the same topic
• Research the law on the Internet
• Conduct meetings with staff and other experienced people
• Survey participants, or a specific group of participants such as coaches
• Read minutes of management committee meetings (if allowed)
• Read other documents such as annual reports or event reports
• Read industry magazines and journals
• Seek legal advice

Step 5: Prepare a discussion paper. The purpose of the discussion paper is to explain the nature of the problem or issue, summarize the information gained from the research, and suggest some policy options. The discussion paper will be an important tool in the consultation process.

Step 6: Consultation, phase 1. Communicating the discussion paper to all stakeholders (interested parties) is the first step in the consultation process. It may also be necessary to phone stakeholders and send notices to prompt them to read the discussion paper. Then it is important to get as much feedback from stakeholders as possible. This can be done through seminars, open meetings, your website and meetings with individuals. It may take several months to ensure that this consultation phase is comprehensive.

Step 7: Prepare a draft policy. Once sufficient time has been provided for the consultation process to be completed, the next step is to prepare a draft policy.

Step 8: Consultation, phase 2. Once the draft policy is finalized, it should be communicated to key stakeholders, published in newsletters and on the organization's website, and discussed in subsequent meetings and forums. At this stage, help should be sought from stakeholders to refine the wording, clarify its meaning, and make adjustments to the policy before it is finalized.

Step 9: Adoption. Once the policy coordinator is reasonably satisfied that all policy issues and concerns have been addressed, it is time to finalize the policy. The final policy document should be formally approved by the organization's leadership (management committee), with an appropriate record incorporated into the minutes.

Step 10: Communication. Once the policy is formally adopted, it should be widely communicated throughout the organization and to its stakeholders. Training sessions may be necessary to ensure that the organization's employees are well informed and able to implement the policy. If the policy is not communicated well, it can fail.

Step 11: Monitoring and review. Policy implementation should be monitored. The policy may still require further adjustment, and the reason for its existence may change. It is common practice to set a date for the policy to be reviewed, which can be once a year or every three years; it depends on the nature of the policy.

IV. List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion

Discuss and explain business continuity

Business continuity is an organization's ability to ensure that its operations and core business functions are not severely impacted by an unplanned disaster or failure that causes critical systems to fail.

List the components of a recovery plan

The plan has the following components:
1.1 Create an inventory list
1.2 Establish a recovery timeline
1.3 Communication
1.4 Back up data
1.5 Consider insurance
1.6 Test your disaster recovery plan

Write down all the steps required in the disaster recovery process

1. Create an inventory list

Every company should know exactly which IT resources (systems, hardware and software) are used to run the business. Beyond a simple inventory management system, it can be helpful to add different
scenarios to your IT disaster recovery plan. Ask yourself which systems will be affected in the event of a flood, storm, fire, or power failure at your facility.

2. Establish a recovery timeline

Once you have documented your IT inventory, you can decide on an acceptable recovery goal and the timeframe within which certain systems need to be back up and running. Industries like healthcare can require a recovery time of just a few minutes, while others can tolerate a longer period.

3. Communication

Before disaster strikes, get information from key stakeholders. Everyone should understand which IT operations are likely to be affected, what will happen next, and who will be responsible for resolving the issues. Ask employees how their work will be affected if certain systems or networks become unavailable for a while. You should also have a plan to communicate with your employees in the event of a power outage or Internet outage.

4. Back up your data

Your options for data backup include cloud storage, off-site internal data backup, and vendor-supported backup. Maintaining your backups only on-site is unacceptable due to the risk of disaster. Both physical and cloud backups carry risks; working with a trusted managed service partner can help you weigh the issue and decide which option is better for your situation. Data backup and recovery should be an integral part of your business continuity plan and IT disaster recovery plan. Developing a data backup strategy begins with determining what data to back up, then selecting and implementing hardware and software backup procedures, scheduling and performing backups, and validating the data periodically to ensure it has been properly stored [3].

5. Consider insurance

Buying disaster insurance as part of a disaster recovery plan can be an interesting option if you are concerned about the cost of recovery. This means not only replacing your IT equipment, but also considering the broader consequences and losses following a disaster. If this idea appeals to you, consult an
insurance professional.

6. Test your disaster recovery plan

Your IT disaster recovery plan should be tested at least once and preferably twice per year. After not testing their backups for several years, one of our customers discovered that all of their drives were unrecoverable. If this happens during a real disaster, the data will be lost forever. Any vulnerabilities that you identify during this testing should be fully documented for future investigation and mitigation. Work with a trusted managed service provider to learn about your options for remediation [4].

From the examples above, it is clear that a DRP is an essential element that every company must have. Ultimately, a DRP can save a company from disaster by providing a quick and effective recovery plan, as well as demonstrating high professionalism and business etiquette.

Explain some of the policies and procedures that are required for business continuity

(Figure: VCU BCP life cycle)

This policy provides a standard process for developing, testing, and maintaining initial response, business continuity, and business recovery plans at VCU. This policy incorporates all aspects of the business continuity plan (BCP) life cycle, as follows:

Risk assessment: In the risk assessment step, each department plans to assess whether a risk is dangerous or not.
If it is really dangerous and has a high potential for business impact, a response plan must be established to minimize that impact on the company's business.

Business Impact Analysis: In this step, the business strategy department needs enough documents and data, including revenue, net profit, advertising expenses and electricity costs, so that it can make an accurate business plan and bring in a lot of sales for the company.

BCP Strategy: From the analysis by the business analysis department, we need to make a clear policy and plan to ensure that it can be done within a specified period of time and achieve the goal, so as to avoid causing loss of money for the company. At the same time, the established policy must be accompanied by discipline: if this plan is written by someone but cannot be implemented, it will be dealt with.

Develop, Implement: At the development and implementation step, we need contingency plans for the worst-case scenario in which data from our business strategy is leaked to the outside, so it is necessary to have a response plan, implement it, and execute the previously established plans.

Exercise, Maintain, Review: In the last step, we need to announce to the employees of the company the policies that the company has updated, as well as the plans for each goal, to ensure the achievement of sales and above all the development policy. These will be the responsibility of the IT department, which keeps them confidential.

References

Leoisaac.com (n.d.) Policy development: Steps in policy development [Online]. Available at: http://www.leoisaac.com/policy/top132.htm [Accessed 13 December 2021].

Vigilant Software - Compliance Software Blog (2020) Risk terminology: Understanding assets, threats and vulnerabilities [Online]. Available at: https://www.vigilantsoftware.co.uk/blog/risk-terminologyunderstanding-assets-threats-and-vulnerabilities [Accessed 23 December 2021].
Kketoan.duytan.edu.vn (n.d.) Bài viết - ThS. Lê Anh Tuấn - Research factors affecting the decision to use the QR code service in payment of individual customers at commercial banks: experimental survey in Da Nang city - Bài viết - Khoa Kế Toán - Đại học Duy Tân [Online]. Available at: https://kketoan.duytan.edu.vn/Home/ArticleDetail/vn/132/3019/bai-viet-ths.-le-anh-tuanresearch-factors-affecting-to-decide-to-use-the-qr-code-service-in-payment-of-individual-customers-atcommercial-banks-experimental-survey-on-da-nang-city [Accessed 23 December 2021].

Data Security! A brief introduction (n.d.) [Online]. Available at: https://hachinet.com/blogs/data-security-a-brief-introduction [Accessed 23 December 2021].

Coursehero.com (n.d.) To summarize here are the top challenges in cloud computing - Page 39 - Distributed | Course Hero [Online]. Available at: https://www.coursehero.com/file/p6lblu3o/To-summarize-here-arethe-top-challenges-in-cloud-computing-Page-39-Distributed/ [Accessed 23 December 2021].

Quizlet.com (n.d.) Captcha Challenge… [Online]. Available at: https://quizlet.com/53681953/nt2580chapter-6-flash-cards/ [Accessed 23 December 2021].

TechRepublic (n.d.) 10 things to consider when creating policies [Online]. Available at: https://www.techrepublic.com/blog/10-things/10-things-to-consider-when-creating-policies/ [Accessed 23 December 2021].

Quizlet.com (n.d.) Captcha Challenge… [Online]. Available at: https://quizlet.com/379498071/chapter-6information-systems-flash-cards/ [Accessed 23 December 2021].

Fao.org (n.d.) [Online]. Available at: https://www.fao.org/3/i2195e/i2195e03.pdf [Accessed 23 December 2021].

Kim, D. and Solomon, M. G. (n.d.) Fundamentals of Information Systems Security, 3rd ed. s.l.: s.n.

Anon. (2020) Virginia Commonwealth University [Online].

Ready.gov (n.d.) Access Denied [Online]. Available at: https://www.ready.gov/it-disaster-recovery-plan [Accessed 23 December 2021].

Mulligan, B. (2019) 10-Step Disaster Recovery Plan for Your IT Department [Online]. Available at: https://www.linkedin.com/pulse/10-step-disaster-recovery-plan-your-department-brianmulligan?trk=public_profile_article_view [Accessed 23 December 2021].

Policy.vcu.edu (n.d.) Policies - Business Continuity Management - Virginia Commonwealth University [Online]. Available at: https://policy.vcu.edu/universitywide-policies/policies/businesscontinuity-management.html [Accessed 23 December 2021].