
btec level 5 hnd diploma in computing unit 5 security 2


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 98
Size: 2.24 MB

Structure

  • 1. Risk (15)
    • 1.1 Negative school: risk is considered unlucky, loss, danger (0)
    • 1.2 The neutral school (16)
  • 2. Risk assessment (16)
  • 3. Asset (17)
  • 4. Vulnerability (22)
  • 5. Threat (23)
  • 6. Risk Identification Procedures (0)
  • 7. Risk assessment procedures (0)
  • 1. Data protection (35)
  • 2. Data protection (35)
    • 2.1 Assessment of network security risks (35)
    • 2.2 Raise awareness about data security for employees (36)
    • 2.3 Data security management (37)
    • 2.4 Troubleshooting and problem management (37)
    • 2.5 Configure the system securely (39)
    • 2.6 Ensure the network is divided into separate areas (39)
    • 2.7 Secure DN data by monitoring network security (39)
    • 2.8 Access control (39)
    • 2.9 Increased malware protection (41)
    • 2.10 Update patches regularly (41)
    • 2.11 Perform encryption (41)
  • 3. The importance of data protection regulations (42)
    • 2.1 Purpose (47)
    • 2.2 Scope (47)
    • 2.3 Policy (47)
    • 2.4 Technical guidelines (49)
    • 2.5 Reporting requirements (50)
    • 3.1 Ensure that there is a policy on policies (51)
    • 3.2 Identify any overlap with existing policies (51)
    • 3.3 Don't develop the policy in a vacuum (51)
    • 3.4 Step back and consider the need (52)
    • 3.5 Use the right words so there is no misunderstanding of intent (53)
    • 3.6 When possible, include an exceptions process (53)
    • 3.7 Allow some shades of gray (54)
    • 3.8 Define policy maintenance responsibility (55)
    • 3.9 Keep senior executives out of the routine when possible (55)
    • 3.10 Establish a policy library with versioning (55)
    • 4.1 Introduction (56)
    • 4.2 Security Policy Document (57)
    • 4.3 Introductory Elements (57)
    • 4.4 Purpose (58)
    • 4.5 Scope (59)
    • 4.6 Responsibilities (59)
    • 4.7 Objectives (59)
    • 4.8 Threat and Risk Assessment (59)
    • 4.9 Policy Attributes (60)
    • 4.10 Identification (61)
    • 4.11 Policy Statement (61)
    • 4.12 Elaboration (61)
    • 4.13 Threat addressed (61)
    • 4.14 Exceptions (61)
    • 4.15 Violations (62)
    • 4.16 References (63)
    • 4.17 History (63)
    • 4.18 Areas of Coverage (63)
    • 4.19 Physical Security Policies (63)
    • 4.20 Network Security Policies (63)
    • 4.21 Host Security Policies (64)
    • 4.22 User Security Policies (65)
    • 4.23 Document Security Policies (65)
    • 4.24 Documentation Policies (65)
    • 4.25 Incident Handling Policies (65)
    • 4.26 Audit Policies (66)
    • 4.27 Conclusion (67)
  • 5. The steps to design a policy (67)
  • 6. Step in policy development (71)
  • 2. The components of recovery plan (75)
  • 3. Steps to Building a Disaster Recovery Plan (79)
    • 3.1 Conduct an asset inventory (79)
    • 3.2 Perform a risk assessment (80)
    • 3.3 Define criticality of applications and data (81)
    • 3.4 Define recovery objectives (83)
    • 3.5 Determine the right tools and techniques (85)
    • 3.6 Get stakeholder buy-in (86)
    • 3.7 Document and communicate your plan (87)
    • 3.8 Test and practice your DR plan (87)
    • 3.9 Evaluate and update your plan (89)
  • 4. The policies and procedures that are required for business continuity (89)

Content

Risk

The neutral school

Risk is uncertainty that can be quantified and is potentially linked to the occurrence of unanticipated events.

The risk's current value and outcome are uncertain.

Risk assessment

Risk assessment is the process or procedure in which you:

- Identify hazards and risk factors that have the potential to cause harm (hazard identification).

- Examine and assess the risk connected to that hazard (risk analysis and risk evaluation).

- Determine the best strategies to remove the risk or, if that is not possible, to control the risk (risk control).

A risk assessment is a detailed examination of your workplace to find any elements, circumstances, procedures, etc. that could be harmful, especially to humans. Following identification, you assess the risk's likelihood and seriousness. Once this assessment has been made, you can decide what steps need to be taken to successfully eliminate or control the harm.

The following terms are used in the CSA Standard Z1002 "Occupational health and safety - Hazard identification and elimination and risk assessment and control":

Risk assessment: The entire process of hazard identification, risk analysis, and risk assessment.

Risk analysis: A process for comprehending the nature of hazards and determining the level of risk.

Risk evaluation: The process of comparing an estimated risk against given risk criteria to determine the significance of the risk.

Risk control: The process of comparing an estimated risk against given risk criteria to determine the significance of the risk.

Asset

An asset is a resource with economic worth that a person, business, or nation possesses or controls with the expectation that it will someday be useful. Assets are acquired and recorded on a company's balance sheet in order to raise the company's value or benefit its operations. Whether it is manufacturing equipment or a patent, an asset can be viewed as anything that, in the future, can generate cash flow, lower expenses, or increase sales.

An asset is a resource having economic worth that a person, organization, or nation owns or manages with the hope that it may someday be useful.

Assets are disclosed on a company's balance sheet and are acquired or produced in order to raise a company's value or improve the operations of a company.

An asset can be anything that, in the future, can increase sales, lower costs, or generate cash flow, whether it's a patent or manufacturing equipment.

An asset represents a financial resource for a business, or an access right that other people or companies do not have. A right or other access is legally enforceable, so it can be used however the corporation sees fit, and its use can be restricted or prohibited by the owner.

A corporation must have a right to an asset as of the date of the financial statements in order for it to be present. A scarce resource with the capacity to increase financial inflows or decrease cash outflows is considered an economic resource.

Short-term (or current) assets, fixed assets, financial investments, and intangible assets are some basic categories for assets.

Personal assets are items with current or potential worth that belong to an individual or family. Personal assets frequently comprise the following:

Financial instruments: cash and cash equivalents, CDs, checking and savings accounts, money market accounts, physical cash, and Treasury notes.

Real estate, including any building permanently affixed to it.

Personal property includes boats, collectibles, furniture, jewelry, and automobiles.

Investments include equities, bonds, mutual funds, annuities, pensions, and life insurance policy cash values.

By deducting your liabilities from your assets, you can determine your net worth. In essence, your liabilities are all of your debts, and your assets are everything you own. If you have a positive net worth, your assets are worth more than your liabilities; if you have a negative net worth, your liabilities exceed your assets (in other words, you are in debt).

Assets are valuable items for businesses that support production and expansion. Assets for a firm might include tangibles like machinery, real estate, raw materials, and inventory, as well as intangibles like royalties, patents, and other forms of intellectual property.

The balance sheet outlines the assets of a firm and details how those assets are financed, including whether debt or stock issuance is used. A company's balance sheet gives a quick overview of how effectively its management is managing its resources. The two categories of assets that typically appear on a balance sheet are:

Current assets are those that can be turned into cash within one fiscal year or one operating cycle. Current assets fund the expenses and investments of daily operations. Examples of current assets include:

Cash and cash equivalents: Cash, certificates of deposit, and Treasury bills.

Marketable securities: debt-related securities or liquid equity.

Accounts receivables: Customer debt that needs to be settled soon.

Inventory: Raw resources or marketed products.

Non-current assets, or fixed assets, are those that a business uses to produce goods and services and that have a longer useful life. Fixed assets are shown on the balance sheet as property, plant, and equipment (PP&E). Fixed assets are long-term investments that are categorized as tangible (i.e., touchable) assets because they are.

Examples of fixed assets include:

Vehicles (such as company trucks)

Non-current assets (like fixed assets) cannot be easily converted to cash to cover immediate operational costs or investments; this is one of the two main contrasts between personal assets and corporate assets.

In contrast, it is anticipated that present assets will be liquidated within one fiscal year or one operating cycle.

Vulnerability

A vulnerability is a gap or a weak point in the application—it could be an implementation error or a design flaw—that allows an attacker to harm the application's stakeholders. The owner of the application, application users, and other organizations that rely on the application are stakeholders.

Threat

Definition: A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.

Cyber threats and vulnerabilities can occasionally be mistaken for one another. The key word in the definition is "potential." A threat is not a security issue within an organization or implementation; rather, it is anything that could compromise security. This is comparable to a vulnerability, which is a genuine weakness that can be used against the system. The threat exists regardless of any precautions; however, there are ways to reduce the likelihood that it will come to pass.

According to the NIST definition above, a threat might be an occurrence or a state of affairs. Natural disasters, fires, and power outages are all considered events in this context. It is a fairly broad idea. In the field of cybersecurity, dangers such as viruses, Trojan horses, and denial-of-service attacks are more frequently discussed.

Phishing emails present a social engineering risk that may result in the loss of sensitive data such as passwords, credit card numbers, and other personal information. Threats to information assets can result in data loss in terms of confidentiality, integrity, or availability. The CIA triad is another name

The STRIDE threat model is built on the CIA triad and three additional well-known security ideas. It is convenient to start with an established classification when listing potential threats. The most well-known categorization is STRIDE, which was proposed by Microsoft in 1999. Because the name is derived from the first letters of the several categories, it is also simpler to recall them.

Data protection

Data protection is the process of defending sensitive information against loss, tampering, or corruption.

As data is created and stored at previously unheard-of rates, the significance of data protection grows. Additionally, there is limited tolerance for downtime that can prevent access to crucial information.

As a result, a key component of a data protection plan is making sure that data can be swiftly restored after any loss or damage. Other essential elements of data protection include safeguarding data privacy and preventing data breaches.

You must specify precisely which data your company needs to secure before investing in data security. Businesses frequently only partially or incorrectly understand what data has to be safeguarded.



Data protection

2.1 Assessment of network security risks

Once your organization has all the data it needs, you must examine the threats that your corporate data may face:

- In case of a network security problem.

- In case of natural disasters such as fires, earthquakes, etc.

After performing risk identification for the data that must be protected, you must implement security measures for your organization's network system. This will enable you to precisely identify the security dangers that the overall organizational network, and the data security of organizations in particular, are currently facing. From there, you can deploy security solutions that fit your models, finances, and organizational requirements, or protect the system by deploying patching methods.

2.2 Raise awareness about data security for employees

- The people element is one of the biggest potential threats to business data security. Therefore, one of the best and most successful ways to secure data in your business is to establish measures to educate and create awareness among agency personnel about data security.

- Businesses must regularly plan initiatives to raise awareness and train employees on network security and data security. This is the most effective way to reduce company data breaches and avoid spending money on outside security services. At the same time, enterprises need to have documents on data security policies and work procedures, since they use data in their operations, in order to implement management standards and guarantee safety.

2.3 Data security management

There are always security dangers to company data. Because of this, implementing security measures quickly is not viable; instead, it must be done often and continuously. Each company should, if at all feasible, have a dedicated leader or employee who is knowledgeable about corporate data security and confidentiality and who is in charge of overseeing the application of security procedures and data security controls. This will assist in lowering the network security dangers for companies and commercial data.

2.4 Troubleshooting and problem management

In order to lessen the harm that network security incidents cause to the business, documenting the process of responding to security incidents affecting the network and corporate data is crucial.

As an alternative, you can consider engaging specialized network security (ANM) assessment and troubleshooting units. When incidents happen, these units will be in charge of advising on the response procedure and organizing troubleshooting. This will help your organization limit damage.

2.5 Configure the system securely

All internal components (including software and hardware) are set up to comply with security policy requirements and to take appropriate steps to protect your company's data.

2.6 Ensure the network is divided into separate areas

Separate network regions will aid in isolating and minimizing the harm brought on by network security concerns such as enterprise data leakage and malicious code infection. The DMZ also aids in regulating access between various network regions by employing additional firewalls between untrusted external network areas (internet zones) and intranet zones. To make sure that access policies between network areas are always followed, conduct frequent intrusion testing assessments.

2.7 Secure enterprise (DN) data by monitoring network security

To regulate and identify network data abnormalities early and maximize detection and prevention, technologies to monitor network traffic both inside and outside the network are necessary. IDS (intrusion detection system), IPS (intrusion prevention system), and SIEM (network security surveillance system) are the solutions frequently employed by enterprises today to block attacks early.

2.8 Access control

For a corporate network, decentralization and access control measures are essential. These policies make effective access control possible both inside and outside the system.

To accomplish this, you must grant users only the permissions required for them to perform their duties. Privileged accounts must be carefully limited to primary systems, database administration functions, or critical systems. User activity must be carefully monitored and logged, especially when it involves sensitive data or a user's account. Remember to protect your data by creating strong passwords at the same time.

Other crucial physical security features include security guards, magnetic card systems, cameras, sirens, and access control to corporate buildings and private workplaces, as well as access control for corporate data management.

2.9 Increased malware protection

Enterprises should also implement measures to reduce the danger of harmful code and safeguard data from it. There are numerous ways to reduce the risk of malware infection at various levels, including user-specific anti-malware solutions, centralized anti-malware solutions, and anti-malware solutions at gateways. However, finding a workable option for your company depends on its size and financial standing.

2.10 Update patches regularly

No system can be said to be always secure, because new attack techniques are constantly being developed. In order to protect corporate data and reduce the risk of assaults on enterprise systems, it is essential to update operating system and software patches. Businesses must synchronize the deployment of numerous security solutions and the blending of various security policies in order to guarantee the maximum level of system security.

2.11 Perform encryption

Finally, encrypt the data before transferring it. This task is essential to help ensure the security of corporate data. Encrypting the data helps you prevent sensitive information from falling into the hands of an attacker in the event of data loss (due to a network security attack or interception on the transmission line). Additionally, you must safeguard your data with robust encryption (preferably using asymmetric ciphers). Weak, insecure "encryption" techniques such as Base64 encoding are simple for hackers to reverse.

The importance of data protection regulations

Purpose

Restricted, confidential, or sensitive material must be protected against loss in order to preserve the company's reputation and prevent harm to its clients. This policy supports a collection of international regulations (such as full as suitable>) that call for the protection of a wide range of data by limiting access to data stored on particular devices. Full disk encryption is necessary to protect against exposure in the event of asset loss, as stated by several compliance standards and industry best practices. This policy specifies the processes and requirements for full disk encryption as a control.

Scope

1. All desktop and laptop workstations from "Company X" (depending on the type of data you hold and physical security, some organizations adjust this to cover laptops only).

2. All virtual computers owned by Company X.

3. Exemptions: Where a firm needs to be excused from this policy (because it would be too expensive, too complex, or would negatively affect other business requirements), a risk assessment must be carried out with security management's approval. See the Risk Assessment procedure (reference your own risk assessment process).

Policy

1. Full disk encryption will be enabled on all of the devices in scope.

2. Users shall be required by the Acceptable Use Policy (AUP) and security awareness training to report suspected violations of this policy in accordance with the AUP.

3. Users must be required to report any lost or stolen devices in accordance with the AUP and security awareness training.

4. Compliance with the encryption policy must be verified and managed. To enable audit records to prove compliance as needed, machines must report to the central management infrastructure.

5. Where management is not possible and standalone encryption is configured (only after approval by a risk assessment), the device user must give IT a copy of the active encryption key.

6. Is permitted to look into any encrypted device for maintenance, inquiry, or, in the absence of a worker with primary file system access, to spot unauthorized system access or other harmful activity.

9. In the event of a failure, forgotten credentials, or other business-blocking needs, the help desk will be allowed to issue an out-of-band challenge/response to grant access to a system. This challenge/response will be sent only if the user's identity can be determined using the challenge and response attributes listed in the password policy.

10. (You can remove this if it is not a need for your firm; certain enterprises may have a requirement to apply a tiered approach to data security, which may involve a group of users who have particularly sensitive data and need extra security.) The limited data policy will let you identify a set of VIP users or users of sensitive data. For key modifications or challenge responses, users in this group will need authorisation from a member of (such as Senior Management or IT). The help desk will not be allowed uninvited access to those systems. These systems have a requirement for separation of duties and are recognized as having access to extremely sensitive, limited-use data. Where indicated by the authentication and limited data policy, a system/user will be obliged to employ two-factor authentication in line with the stated standard. The authentication will occur in the pre-boot environment.

11. Configuration modifications must go through the change control procedure, which must be completed as necessary, identifying risks and significant implementation changes to security management.

Technical guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

1. is the standard product.

2. Strong, industry best-practice cryptographic standards must be employed. AES-256 is an approved implementation.

3. The BIOS will be configured with a secure password (as defined by the password policy) that is stored by IT. The boot order will be fixed to the encrypted HDD. If an override is required by a user for maintenance or emergency use, the helpdesk can authenticate the user and then provide the BIOS password. The objective is to prevent an attacker from cold booting and attacking the system.

4. Synchronization with Windows credentials will be configured so that the pre-boot environment is matched to the user's credentials and only one logon is required.

5. A pre-boot environment will be used for authentication. Credentials will be used to authenticate the user in compliance with the password security policy (some enterprises have a requirement to use two-factor authentication, and this should be reflected here as required).

Reporting requirements

1. A monthly report showing the ratio of assets in scope to encrypted systems.

2. A monthly report that lists the compliance status of the managed, encrypted systems.

3. A weekly report that counts lost items and certifies that misplaced devices have been properly handled.
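As an added example, not part of the policy template above, this Go program builds the three reports from a constructed device inventory by applying the Scope section and policy statements 1, 4 and 5. The device fields and the status labels are assumptions for this example; a real inventory would be exported from the central management infrastructure.

```go
package main

import (
	"fmt"
	"sort"
)

// Device is one row of the asset inventory the reports are built from.
// The field names are assumptions for this example.
type Device struct {
	Name         string
	Kind         string // "desktop", "laptop", "virtual", "server", ...
	Encrypted    bool   // full disk encryption enabled (policy 1)
	Managed      bool   // reports to the central management infrastructure (policy 4)
	RiskApproved bool   // a risk assessment approved an exemption or standalone use
	KeyEscrowed  bool   // standalone device whose active key was given to IT (policy 5)
	Lost         bool   // reported lost or stolen under the AUP (policy 3)
	LostHandled  bool   // the loss has been processed and the record closed
}

// InScope applies the Scope section: all desktop and laptop workstations
// and all virtual computers owned by the company.
func InScope(d Device) bool {
	switch d.Kind {
	case "desktop", "laptop", "virtual":
		return true
	}
	return false
}

// Status classifies one device against policy statements 1, 4 and 5.
func Status(d Device) string {
	switch {
	case !InScope(d):
		return "out-of-scope"
	case !d.Encrypted && d.RiskApproved:
		return "exempt"
	case !d.Encrypted:
		return "non-compliant: not encrypted"
	case d.Managed:
		return "compliant"
	case d.RiskApproved && d.KeyEscrowed:
		return "compliant: standalone, key held by IT"
	default:
		return "non-compliant: standalone without approval or key escrow"
	}
}

// Report holds the figures the three reporting requirements ask for.
type Report struct {
	InScope       int            // assets in scope (report 1)
	Encrypted     int            // in-scope assets with FDE enabled (report 1)
	Ratio         float64        // Encrypted / InScope (report 1)
	ByStatus      map[string]int // compliance status breakdown (report 2)
	Lost          int            // lost devices (report 3)
	LostUnhandled int            // lost devices not yet properly handled (report 3)
}

// Build walks the inventory once and fills in every figure.
func Build(inventory []Device) Report {
	r := Report{ByStatus: map[string]int{}}
	for _, d := range inventory {
		if !InScope(d) {
			continue
		}
		r.InScope++
		if d.Encrypted {
			r.Encrypted++
		}
		r.ByStatus[Status(d)]++
		if d.Lost {
			r.Lost++
			if !d.LostHandled {
				r.LostUnhandled++
			}
		}
	}
	if r.InScope > 0 {
		r.Ratio = float64(r.Encrypted) / float64(r.InScope)
	}
	return r
}

// Print renders the report in a form an auditor or the helpdesk can read.
func Print(r Report) {
	fmt.Printf("in scope: %d, encrypted: %d (%.1f%%)\n", r.InScope, r.Encrypted, 100*r.Ratio)
	keys := make([]string, 0, len(r.ByStatus))
	for k := range r.ByStatus {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for audit records
	for _, k := range keys {
		fmt.Printf("  %-58s %d\n", k, r.ByStatus[k])
	}
	fmt.Printf("lost: %d, of which not yet handled: %d\n", r.Lost, r.LostUnhandled)
}

// SampleInventory is a constructed fleet, not real data.
func SampleInventory() []Device {
	return []Device{
		{Name: "LT-001", Kind: "laptop", Encrypted: true, Managed: true},
		{Name: "LT-002", Kind: "laptop", Encrypted: true, RiskApproved: true, KeyEscrowed: true},
		{Name: "LT-003", Kind: "laptop", Encrypted: true}, // standalone, nothing approved
		{Name: "DT-001", Kind: "desktop"},
		{Name: "DT-002", Kind: "desktop", RiskApproved: true}, // approved exemption
		{Name: "VM-001", Kind: "virtual", Encrypted: true, Managed: true},
		{Name: "LT-004", Kind: "laptop", Encrypted: true, Managed: true, Lost: true, LostHandled: true},
		{Name: "LT-005", Kind: "laptop", Lost: true}, // lost, unencrypted, still open
		{Name: "SRV-01", Kind: "server"},              // outside the policy's scope
	}
}

func main() { Print(Build(SampleInventory())) }
```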

3. The musts and shoulds when creating policy

Ensure that there is a policy on policies

Even when it comes to the creation of policies, it is crucial to work inside a previously established and widely accepted framework. A crucial initial step in maturing policies is the creation of a straightforward policy on policies that outlines the organization's procedure for developing new policies. This "meta policy" ought to provide instructions on when a new policy is necessary, the structure in which new policies should be written, and the procedures that must be adhered to for a new policy to be authorized. Without a method and structure for creating policies, you run the danger of major inconsistencies in the results and in the formulation, which can result in subpar or challenging enforcement.

Identify any overlap with existing policies

This is an easy one. Before you establish a new policy, check whether the policy you are trying to create already exists or whether any of its components are already in other policies. If so, think about updating current policies instead of coming up with a completely new one.

Don't develop the policy in a vacuum

I've observed people working at their desks and coming up with whole independent policies that they felt were important. This has mostly occurred in organizations without any form of structure for policy governance. The majority of the time, the policies were biased against the organization and omitted important components. However, as one might anticipate, the policies were beneficial to the individual who created them.

I think that those who will be impacted by policies should be involved in their development. To reduce the possibility of unexpected consequences, it is critical that all stakeholders are heard, even though the final policy may not ultimately reflect all viewpoints. Additionally, policies must be comprehensive, and different viewpoints can fill in any gaps that may be present.

Step back and consider the need

Do you make policies because they are necessary or because someone did something you didn't like? There is a considerable difference and, again, I have seen policies put into place out of malice and as punishment. It goes without saying that such behavior would not occur in a rational company. But it also won't occur in a tight policy-on-policies environment, as the policy will often go through several approval stages before being approved, and somewhere along the line, someone will take a step back and ask, "Why do we need this?"

When there is a clear need and a clear issue to be resolved, policies should be implemented.

Use the right words so there is no misunderstanding intent

To be effective, policies must be understood This attempt is aided by the use of precise and unambiguous grammar Make sure your terminology is clear and basic so that everyone can understand it In the body of the policy, use the words "must" or "will" instead of "should." The latter suggests that the action is voluntary, casting doubt on the necessity of the policy Use the word "should" when something is recommended but not when it is necessary.

Never use a person's name; always an office, department, unit, or job title Examples: "Contact the assistant to the CFO to "; "The office of the CIO is responsible for "

Email addresses used for correspondence should always be generic department addresses or links to web pages with additional contact details. To avoid the need for policy revisions when personnel changes take place, refrain from using personal email addresses.

Subheadings and words that need to be stressed in a sentence shouldn't be underlined. Use bold or italics for subheadings and for any word that needs emphasis. When the policy is published online, underlined terms could be mistaken for links.

When possible, include an exceptions process

Every rule has an exception, or at least most do. It is much simpler to outline an exceptions process in advance, before the policy is put into effect. Think twice before declaring "I will never allow exceptions." There will be a circumstance at some point that calls for an exception. Because policies are implemented to manage conduct and are intended to level the playing field, it's crucial that exceptions are also granted in a fair and equitable manner. The validity of the entire policy may be questioned if you abuse the exceptions process.

Allow some shades of gray

You've established an exceptions procedure that is unquestionable and produced a policy that is impenetrable in every way. Although it's a worthy objective, not every policy will be able to achieve it. Since policies are meant to produce egalitarian conditions, this is the argument that might face the most opposition. However, I think that some policies should leave room for interpretation so that people can decide for themselves. It seems that there are just too many situations where people are permitted to use the justifications "that's policy" or "zero tolerance" to avoid acting morally. This is not to say that the policy should simply enable people to do as they choose.

Define policy maintenance responsibility

To ensure that they remain applicable, most policies need to be reviewed on a regular basis. In addition, someone needs to be prepared to provide clarification as queries regarding the policy are raised. Make sure to always name the office, not a specific person, as being in charge of the policy. Since people come and go, you cannot tie the responsibility to an individual.

Keep senior executives out of the routine when possible

Earlier I emphasized the necessity to devise a policy exceptions procedure when possible. At one company I worked for, the CEO was inherently responsible for it. That, in my opinion, was a waste of his time. Someone within the company should be given the authority to manage exceptions through the implementation of an exceptions process. Except as required by law or regulation, the designated person need not be a vice president or the company's chief executive officer. Additionally, don't count on senior executives to create every policy. However, it should be the leadership team's obligation to review new policies before they are implemented.

Establish a policy library with versioning

These days, you can keep versions of documents using a variety of platforms, including SharePoint. Every employee should always have access to all pertinent policies. How can you expect employees to adhere to policies if they cannot access them? When it comes to versioning, it's beneficial to be able to view a policy's history to understand what has changed over time.

4. The elements of a security policy

Introduction

Like all organizations, small firms increasingly rely on networks and computer systems to conduct business. For many small firms, email is becoming a vital tool for communication. Websites are crucial sales producers for companies with eCommerce sites and crucial marketing platforms. As our reliance on computer systems grows, so does the need to secure them, much as door locks and safes secure physical structures, valuables, and trade secrets of enterprises. The Honeynet Project has investigated the security ramifications of connecting a computer to the Internet using a basic broadband connection, similar to those used by many small businesses. Without security measures, the Windows and Linux computers deployed were frequently probed, attacked, and compromised within a week. Additionally, the project recorded a 100% rise in scans from May 2000 to February 2001, demonstrating the growing threat. These results point to a major threat to information security posed by connections to the Internet, even if the conclusions were an order of magnitude too pessimistic.

Except for companies that provide computer consulting and security services, not many small businesses have an innate or special interest in network or other types of security. Resources are used up in the pursuit of security and related activities; those resources could otherwise serve the business's objectives or represent the earnings the enterprise hopes to make. The majority of information security is intangible, with even the most obvious components being less visible than a door lock or a safe. Greg Bassett outlines a strategy for persuading management of the need for computer security in a paper he wrote for GIAC certification. This essay discusses the factors that should be taken into account when creating a security policy, which serves as the cornerstone of information security.

Security Policy Document

A security policy document serves a number of purposes. As its name implies, it documents security policies, but it does more than merely record them: it offers a structure within which policies can be created, altered, and evaluated. The context connecting the policies to the business should also be included in a security policy document. Outlines for security policy documents can be found in Internet Security Systems, Walker and Cavanaugh, and numerous other books and online resources. They provide writing tips for introductions as well as for specific security policies. The precise subject matter and focus that each guideline recommends varies. Every security policy document should contain a thorough introduction in addition to the specific security policies.

Introductory Elements

An introduction to a security policy document places the policies in the context of the enterprise they are meant to safeguard. The introduction should be customized to the company's needs, but it should at the very least cover the following topics: the purpose of the document and its policies; its scope; specific organizational responsibilities; general and detailed organizational security policy objectives; and a threat and risk assessment.

Purpose

The extent to which a company deals with sensitive data, as well as the way systems and networks are managed (whether by in-house staff members with specialized knowledge, by staff members who take on additional responsibilities, or by outside contractors), can all have an impact on the purpose of a security policy document.

Scope

The scope description should define precisely what is protected by the policies and should clarify what is not. In particular, a small business must decide whether the security policies include acceptable use and disaster recovery strategies. Numerous sources advise that they should. Small enterprises might not require these: a small group of employees may decide what is acceptable use by consensus, and the redundancy needed for a comprehensive disaster recovery or business continuity plan may be too expensive for some small organizations. These policies, along with others, may be kept as separate documents that supplement the security policy document, as the Joint Information Systems Committee in the UK advises.

Responsibilities

Every organization needs to think about and allocate roles for security. Within an organization, responsibilities may be delegated to specific people or job roles.

Objectives

The triad of confidentiality, integrity, and availability of information resources is frequently used to describe the overarching goal of security and of security policy. The European ITSEC security criteria from 1991 contain this concept, although its core ideas date back much further. The objectives of a security strategy for a particular firm should be stated as the confidentiality, integrity, and availability of the particular resources that are crucial to the business.

Threat and Risk Assessment

The threat and risk assessment is one of the most crucial parts of the security policy document. The threat assessment determines what the policies are meant to defend against. Some threats are commonplace, such as the Internet attacks that the Honeynet Project research reveals. Small organizations may be less concerned about other types of threats, such as those coming from within. The risk assessment enables management to prioritize the security concerns, enabling a small organization to make the most of its scarce security resources. It also offers a foundation for auditing the document: all policies should address threats listed in this section. If policies are created that fail to address any listed threat, a more thorough threat assessment is required. Conversely, some threats may not justify policies if their risks are minimal. The risk assessment is highly tailored to the company and its particular circumstances.

Policy Attributes

Each policy should have a common set of attributes. The firm should establish what attributes each policy should have and develop a template for security policies that outlines them. The sections that follow go over attributes that are frequently used. The details of these attributes may be altered to suit the preferences of the company, but the security policy document must capture the information they carry.

Identification

Each security policy should have a unique identifier. The security policy document, external documents, and audit tools such as coverage matrices all need a simple way to refer to policies. Policy IDs can be textual, numeric, or alphanumeric. A short name together with a distinct number is frequently used to distinguish each policy.

Policy Statement

The policy statement describes the policy. It must be unambiguous, succinct, and clear. While expressing management's intention, the statement should not be overly vague.

Elaboration


Threat addressed

Each policy should be mapped to at least one threat identified in the threat and risk assessment. Many policies address several threats; however, if a policy cannot be linked to at least one known threat, it should either be dropped or the threats should be reevaluated.

Exceptions

Like many business policies, security policies are not necessarily absolute. The policy should identify any foreseeable exceptions. The circumstances under which exceptions apply should be clearly defined, as should their limits.

Violations

Every company should think about what to do when security policies are broken. The policy framework should provide a method for recording the responses to violations. Although disciplinary policies belong in a personnel manual rather than the security policy document, the severity of the penalty for breaking a given security policy should be considered, and guidelines for handling violations should be included alongside the policies.

References

Certain policies can stand on their own. Others are only meaningful when they replace, expand upon, or harmonize with other policies. The framework ought to offer a uniform method of recording these connections.

History

Because policies evolve over time, the policy framework must track changes to individual policies. For audits, the modification history of policies is crucial.

Areas of Coverage

The topics covered in a security policy document should line up with the threats listed in the introduction. Individual policies, however, are considerably more tightly defined, and a single threat can justify a number of different policies. There are many guides that can be used to specify what topics security policies for businesses should include. The SANS Top Twenty Internet security vulnerabilities and the National Infrastructure Protection Center's tips both highlight topics that should be taken into account when drafting any security policy document. Although each security policy document will be unique, the areas listed in the following sections are likely to be covered in most of them.
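The attributes described above (identifier, statement, threat addressed, exceptions, references, history) and the coverage matrix mentioned under Identification lend themselves to a small machine-readable register, which is what makes the audit rules in this section mechanically checkable. The following Python is an added example, not part of the original report or of any source it cites. The threats, policies and dates are constructed; the three checks it runs (a threat with no policy, a policy that addresses no assessed threat, a statement that uses "should" instead of "must" or "will") are the rules stated earlier on this page.

```python
"""Added example: a policy register with the attributes listed in the text,
plus the audit checks the text implies. All sample data is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Threat:
    id: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (frequent), from the risk assessment
    impact: int       # 1 (minor) .. 5 (severe)


@dataclass
class Policy:
    id: str                       # Identification
    title: str
    statement: str                # Policy statement
    threats: tuple                # Threat addressed: ids from the assessment
    exceptions: str = "None foreseen."
    references: tuple = ()        # ids of related policies
    history: list = field(default_factory=list)   # (version, date, note)

    def revise(self, date, note):
        """Record a change in the History attribute; returns the new version."""
        version = len(self.history) + 1
        self.history.append((version, date, note))
        return version


# Constructed assessment and policies for a small business.
THREATS = {t.id: t for t in [
    Threat("T1", "Internet-exposed hosts scanned and compromised", 5, 4),
    Threat("T2", "Unauthorised entry to the server room", 2, 4),
    Threat("T3", "Weak or disclosed user passwords", 4, 4),
    Threat("T4", "Loss or theft of backup media", 2, 3),   # nobody covers this
]}

POLICIES = {p.id: p for p in [
    Policy("NET-01", "Perimeter firewall",
           "All connections between the office network and the Internet must pass through the managed firewall.",
           ("T1",)),
    Policy("HOST-01", "Internet-facing server baseline",
           "Servers reachable from the Internet will run only approved services and current security patches.",
           ("T1",), references=("NET-01",)),
    Policy("USER-01", "Password standard",
           "Users must choose passwords of at least 12 characters and should not reuse them across systems.",
           ("T3",)),   # "should" makes the second half optional
    Policy("PHYS-01", "Server room access",
           "Only staff authorised by the office of the IT manager may enter the server room.",
           ("T2",)),
    Policy("DOC-01", "Printer placement",
           "Shared printers must be located in open-plan areas.",
           ("T9",)),   # T9 is not in the assessment: orphan policy
]}


def coverage_matrix(threats, policies):
    """Threat id -> sorted ids of the policies that address it (the audit matrix)."""
    matrix = {tid: [] for tid in threats}
    for p in policies.values():
        for tid in p.threats:
            if tid in matrix:
                matrix[tid].append(p.id)
    return {tid: sorted(pids) for tid, pids in matrix.items()}


def uncovered_threats(threats, policies):
    """Assessed threats that no policy addresses: write a policy or accept the risk explicitly."""
    return sorted(tid for tid, pids in coverage_matrix(threats, policies).items() if not pids)


def orphan_policies(threats, policies):
    """Policies that cite no assessed threat: drop them or revisit the assessment."""
    return sorted(p.id for p in policies.values()
                  if not any(tid in threats for tid in p.threats))


def weak_wording(policies):
    """Statements that use 'should', which reads as optional rather than required."""
    return sorted(p.id for p in policies.values()
                  if re.search(r"\bshould\b", p.statement, re.IGNORECASE))


def audit(threats, policies):
    """All findings as (subject, finding) pairs for the review meeting."""
    findings = [(t, "no policy addresses this threat") for t in uncovered_threats(threats, policies)]
    findings += [(p, "addresses no assessed threat") for p in orphan_policies(threats, policies)]
    findings += [(p, "statement uses 'should'; use 'must' or 'will'") for p in weak_wording(policies)]
    return findings


if __name__ == "__main__":
    POLICIES["USER-01"].revise("2024-01-15", "Raised minimum length from 8 to 12 characters.")
    for tid, pids in coverage_matrix(THREATS, POLICIES).items():
        print(f"{tid}: {', '.join(pids) or '-'}")
    for subject, finding in audit(THREATS, POLICIES):
        print(f"{subject}: {finding}")
```

Run as a script it prints the matrix and three findings (T4 uncovered, DOC-01 orphaned, USER-01 weakly worded). Keeping the register in version control gives the History attribute for free; the `revise` method is there so the version number travels with the policy when the document is generated from the register.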

Physical Security Policies

Physical security policies cover physical access to server rooms, computers, and other resources that can be misused. These policies can encompass administrator password escrow notebooks as well as the protection of media such as backup tapes, emergency recovery diskettes, and printouts. In organizations that deal with extremely sensitive documents, the policies might require that printouts, CDs, and diskettes be handled carefully and disposed of securely.

Network Security Policies

Since networks are susceptible to both internal and external threats if they are not effectively secured, network security policies are frequently the most numerous and significant. Firewalls, virtual private networks, wireless access, modem usage, device installation on the network, and everything else related to connections to the network are covered by network security policies. These policies might also cover network logging, intrusion detection, and monitoring.

Host Security Policies

Network security policies may include rules governing how certain hosts or computer systems should be configured, although these rules typically stand out enough to merit their own classification. Host policies can specify how servers should be set up, how workstations should be standardized, what software is acceptable and required (such as anti-virus software), and what data can be stored on what kinds of hosts. Since taking over a host without authorization is a common security risk, host policies may also cover intrusion detection, which can identify when a host has been compromised, and backups, which help recover from a compromise. Host security policies may span a wide spectrum, from what data is allowed to be carried on laptops while traveling to high-risk servers exposed on the Internet.

User Security Policies

User security policies may cover both what is expected of users in terms of conduct that improves security and how users are treated. The effectiveness of security policies can be significantly affected by user behaviors, such as selecting strong passwords and preventing their unintentional disclosure. A user's access to systems and documents, as well as how users are categorized for security purposes, should be covered by user security policies.

Document Security Policies

Document classification will often be cited in other security policies for any business that deals with sensitive information. Policies for document management might also be required. Document security policies might include encryption rules.

Documentation Policies

Although appropriate process and network documentation considerably improves the ability to implement policy, audit for security, and ensure that policy implementation stays effective when personnel change, documentation is not always recognized as a key component of security policy.

Incident Handling Policies


Audit Policies

Audit policies specify the frequency and rigor of the various types of security audit. Security is an ongoing process: threats, security countermeasures, the network, and the company all evolve over time, and regular reassessments are required to adjust to these changes. The security policy document itself has to be evaluated periodically. To make sure they are providing the security intended, the systems and practices put in place to implement security policies should be audited. Audit policies should also specify who will conduct the various audits, whether internal or external auditors.

Conclusion

Security practices and procedures are built on top of the security policy document. It must be a living document that evolves over time as threats and business activity develop. A solid document foundation and usable security policy templates make it easier to create an extensive, practical security policy document and provide the flexibility and control needed to make changes that actually work. To match the demands of the company and the available security resources with the threats, small businesses must have the flexibility to create and adjust security policies.

The steps to design a policy

There are 10 steps to designing a successful security policy:

1st step: Identify your risks

What risks could arise from inappropriate use? Do you hold information that should be kept confidential? Do you send or receive a lot of large attachments and files? Are there any potentially objectionable attachments circulating? Maybe there is no problem. Alternatively, it may cost you hundreds of dollars each month in lost productivity or staff computer downtime. A useful technique for categorizing your risks is the use of tracking or reporting tools. Many providers of firewalls and Internet security systems offer evaluation periods for their products. If these products have reporting capabilities, using the evaluation period to identify the risks may be helpful. But if this is something you want to pursue, it's critical to let your staff members know that you will record their behavior for risk assessment purposes. Many employees will view it as a privacy infringement if it is attempted without their knowledge.

2nd step: Learn from others

It's worth checking what other businesses like yours are doing, because there are many types of security strategies. You can spend several hours searching online, or you can buy a book like Information Security Policies Made Simple by Charles Cresson Wood, which has more than 1,200 policies that are ready to be customized. Speak with the salespeople from several security software companies as well; they always appreciate specifics.

3rd step: Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction, and location, and especially if your organization stores personal information, you might be required to follow a set of minimum requirements to safeguard the privacy and integrity of your data. Having a workable security policy in place and documented is one way to reduce the many risks you could face in the event of a security incident.

4th step: Level of security = level of risk

Avoid being too zealous. Too much defense can be just as harmful as not enough. If you have a responsible, mature workforce, you may find that, beyond keeping the bad folks out, you don't have any concerns with acceptable use. In these circumstances the most important thing is a codified code of conduct. Make sure you don't overprotect yourself, because it can become a barrier to efficient business operations.

5th step: Include staff in policy development

Nobody likes a plan that is dictated from above. Include employees in the process of assessing acceptable use. As policies are created and enforcement tools are deployed, keep employees informed. If people understand the necessity of a responsible security policy, they will be much more inclined to comply.

6th step: Train your employees

Staff training is typically disregarded or undervalued as part of implementing an acceptable use policy (AUP). But it's unquestionably among the most beneficial phases. Along with helping employees learn and understand the policy, it also forces you to consider the policy's probable, practical effects. End users frequently have the opportunity to ask questions or provide examples in a training forum, which can be highly rewarding. You can refine the policy and make it more useful by acting on these questions.

7th step: Get it in writing

Ensure that each team member has read, signed, and understood the policy. All new hires should sign the policy when they are hired, and they should be required to review it and affirm their understanding of it at least once a year. In large organizations, use digital tools to distribute the document and track signatures. Some tools additionally include frameworks for quizzing users to gauge their understanding of policies.

8th step: Set clear penalties and enforce them

Network security is a serious matter. Your security policy is a requirement of your job, not a list of optional rules. Have a detailed set of rules in place that spell out the consequences of breaking the security policy, then enforce them. A security policy that is enforced carelessly is just as harmful as having no policy at all.

9th step: Update your staff

A security policy is a complicated document, since the network itself is always evolving. People come and go. Databases are created and destroyed. Threats keep increasing. Updating security procedures is challenging enough, but informing employees of any changes that can affect their daily work is far more challenging. Transparent communication is the key to success.

10th step: Install the tools you need

Having a plan is one thing; putting it into action is quite another. No matter how complicated your policy is, security tools for Internet and email content with customisable rule sets will help ensure that it is followed. The purchase of tools to carry out your security strategy is possibly one of the most economical expenditures you will ever make.

Steps in policy development

1. Identify and define the problem or issue that necessitates the development of a policy. The organization must also be aware of the goals of policies and recognize that they can be created or changed to address a problem or issue in an efficient manner.

2. Appoint a person or persons to coordinate the policy development process. The process of developing a policy could take several months. The procedure needs to be "driven" by someone or even a committee.

3. Establish the policy development process. Tasks related to research, consulting, and policy writing are required. A schedule of the tasks that must be completed, by whom, and when should be created by the coordinator.

4. Research. Typical research tasks include the following:

- Read policy documents created by other organisations on the same topic
- Research legislation on the Internet
- Conduct a meeting with staff and other people with experience
- Survey participants or a particular group of participants, such as coaches
- Read minutes of management committee meetings (if allowed)
- Read other documents such as annual reports or event reports
- Read industry magazines and journals

5. Prepare a discussion paper. The discussion paper's objectives are to describe the nature of the problem or issue, to summarize the facts obtained through research, and to offer a variety of policy options. The discussion paper will be a crucial instrument in the consultation process.

6. Consultation - Stage 1

One of the first steps in the consultation process is to distribute the discussion paper to all stakeholders (interested parties). It may also be necessary to call stakeholders to remind them to read the discussion document. Then it's critical to get as much input as you can from all relevant parties. This can be accomplished through workshops, public meetings, your website, and one-on-one meetings. To make sure that this round of consultation is exhaustive, several months may be needed.

7. Prepare a draft policy

The next stage is to create a draft policy once the consultation process has been given enough time to complete.

8. Consultation - Stage 2

Once completed, the draft policy should be sent to key stakeholders, published on the organization's website and in its newsletter, and discussed at additional meetings and forums. Before the policy is finalized, it is vital to enlist the assistance of stakeholders to polish the language, define key terms, and make the required changes.

9. Finalize and adopt the policy

It is time to finalize the policy once the coordinator of the policy development process is reasonably confident that all questions and concerns have been raised and addressed. The organization's management (management committee) must formally endorse the final policy document, and a suitable entry must be made in the minutes.

10. Implement the policy

After being formally adopted, the policy should be widely disseminated among all stakeholders in the organization. To make sure that staff members are fully informed and capable of implementing the policy, training sessions may need to be held. The policy could fail if it is poorly explained.

11. Monitor and review the policy

Monitoring the policy's application is necessary. The policy might still need to be adjusted, and its reasons for being in place might also change. Setting a date for the policy's review is standard practice; this may be once a year or every three years, depending on the type of policy.

P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion

Business continuity is the capacity of an organization to keep operations and fundamental business functions from being negatively impacted by a disaster or unanticipated incident that takes critical systems offline. Business continuity planning is the interdepartmental process of putting into action the strategies needed to resume regular business operations within a predetermined amount of time, defining the level of data loss that the company considers acceptable, and communicating crucial information to organizational stakeholders both during and after incidents. This process is frequently led by information technology.

For all but the largest firms, implementing redundant IT infrastructure and backup plans used to be prohibitively expensive. However, affordable, on-demand cloud technologies are now making effective business continuity strategies accessible to millions of businesses.

Common technology services created for business continuity include cloud data backups, cloud-based disaster recovery as a service (DRaaS) for infrastructure failures, and managed security services that defend against more sophisticated cyberattacks.

The components of a recovery plan

- Communication plan and role assignments.

In the event of a disaster, communication is crucial. A plan is necessary because it unifies the team and ensures that all communications are spelled out in detail. Employee contact information should be current in all documents, and everyone should be clear on their responsibilities in the days following a crisis. If you don't have access to a technical resource to help you work through everything, you'll need assignments for tasks such as setting up workstations, assessing damage, redirecting phones, and other activities.

- Plan for your equipment.

When a severe storm is on the horizon, it's critical that you have a strategy in place to safeguard your equipment. To keep water away from the equipment, you must take all equipment off the floor, move it into a room without windows, and securely wrap everything in plastic. Although it's essential to seal equipment completely to protect it from flooding, this isn't always possible during extremely heavy flooding.

- Data continuity requirements.

When you develop your disaster recovery plan, you should investigate precisely what your company needs in order to function. You must fully understand the operational, financial, supply, and communication requirements of your company. Document these needs so that you can plan for backup and business continuity with a complete understanding of the requirements and logistics surrounding those plans, whether you're a small business-to-business organization with a handful of employees or a large consumer business that needs to fulfill shipments and communicate with customers about them.

- Backup check.

A comprehensive local backup of all servers and data should also be part of your disaster recovery plan. Make sure your backups are actually running. Run them as far in advance as you can, and back up to a location that won't be affected by the disaster. It's also a good idea to keep a copy of that backup on an external hard drive that you can take with you when you leave the office, just in case.

- Detailed asset inventory.

Your disaster readiness plan should include a thorough inventory of the workstations and their components, servers, printers, scanners, phones, tablets, and other technology that you and your staff regularly use. Giving your adjuster a straightforward list (with images) of your inventory lets you refer to it quickly while filing insurance claims in the wake of a significant disaster.

- Pictures of the office and equipment (before and after prep).

In addition to the photos of individual inventory items, you should also take photos of the office and your equipment, to demonstrate that the office and equipment were in use by your employees and that you took the necessary precautions to move your equipment out of harm's way in preparation for the storm.

- Vendor communication and service restoration plan.

Once a storm has passed, you should get back up and running as soon as you can. Make certain that your plan includes vendor communication. Check with your local power provider to determine the risk of power surges or outages while damage in the area is being repaired. You should also ask your phone and internet service providers about access and restoration.

These factors are a good starting point for a comprehensive disaster recovery plan, but be sure to pay close attention to the specifics of each element of your plan. Along with the less tangible details of how you'll communicate with vendors, account for your assets, and get back up and running as quickly as possible, the practicalities of testing backups and performing as many backups as you can before the storm are also crucial. If you feel overwhelmed by all of these details, you can enlist the aid of a third party to help you create a disaster plan so that you are ready for any storms during hurricane season.

Steps to Building a Disaster Recovery Plan

Conduct an asset inventory

An inventory of all your IT assets should always be the first step in any disaster recovery strategy; it is how you sort through the complexity of your environment. First, list all the resources that fall under IT administration, including all servers, storage devices, software, data, network switches, access points, and network appliances. Next, draw a map showing the physical location of each asset, the network it is on, and any dependencies. Here's an illustration:

Figure 7: Conduct an asset inventory

Perform a risk assessment

Following the mapping of all your IT resources, networks, and dependencies, make a list of all the internal and external threats to each resource. Consider every possibility, and be thorough. Typical IT malfunctions or natural disasters could be among these threats.

Include the likelihood that the event will occur as well as the expected effects if it does. How would each of the possible outcomes affect business continuity? This is also a good opportunity to ask your coworkers for help. Just remember to underline how much more often mundane events occur than natural disasters. Talk less about storms and earthquakes and more about how likely it is that the site will experience a power outage or IT hardware failure. Here's an illustration:

Define criticality of applications and data

You must categorize your data and applications based on their criticality before constructing your IT disaster recovery plan. To start, ask your coworkers and the support team how crucial each program and data collection is.

Look for commonalities and arrange them into groups based on how important they are to your business continuity, how often changes occur, and your retention policy. You shouldn't use a separate approach for every single application or dataset you have. You can use a less complicated recovery technique if you divide your data into classes with comparable traits.

Classifying data in a vacuum, based on assumptions, could end up costing you. Make sure you include support personnel and other business management in this planning process. To reduce the number of data types you have, you will surely have to make some trade-offs. The recommended range for the number of classes for medium-sized businesses is between three and five. Here's an illustration:

Figure 9: Define criticality of applications and data

Define recovery objectives

Different systems will have different recovery goals. For instance, a crucial e-commerce database can have very aggressive recovery objectives, since the company simply cannot afford to lose any transactions or be down for an extended period of time. A historic internal system, on the other hand, can have less strict recovery objectives and be less crucial to recover, as the data doesn't change very frequently and it's less critical to come back online.

Numerous IT experts fail at this stage. The number one source of misalignment is setting recovery objectives without consulting the company's line managers. You must include them in this process if you want to make sure that the company can recover from a disaster effectively.

Here is a sample list of questions you can ask your business colleagues:

What software and information does your department use?

How much downtime can you tolerate for each?

How much data loss are you willing to accept for each?

Are there instances where customers, partners, or workers do not use these applications?

If data was more than 90 days old, would you ever need to restore it? Six months old? One year old?

Are there any demands on the company to keep the data for a specific amount of time, either internal or external (i.e., industry or regulatory)?

Do any internal or external (i.e., industry or governmental) constraints preclude us from transferring the data to another location?

Understanding business requirements and offering a differentiated level of service availability based on priority are crucial in this situation. Now that you have that knowledge at your disposal, you must translate it into recovery objectives for your disaster plan.

RTO: Recovery Time Objective. What is the maximum amount of time that any of your production or data systems can be down? This is your recovery time objective. When determining the RTO, consider how much money your company would lose if an application was down for a specific period of time. How much, for instance, would you lose if your client portal was unavailable for a day or an hour? How much would it cost if your staff couldn't work because email wasn't working?

Calculating your RTO determines the characteristics your data protection systems and products must have. If your RTO is very low (just a few minutes), you must employ host-based replication or a disk-based backup with continuous data protection (CDP) capabilities. If your RTO is very large, say more than four hours, you will likely have time to restore from tape.

RPO: Recovery Point Objective. What is the maximum quantity of data your organization can tolerate losing? This is your recovery point objective. RPOs might range from hours to days if your company has a high tolerance for data loss. Your RPO will be seconds if your company can't afford to lose any data at all, or very little. The RPO you choose determines the minimum frequency for backing up your data. Data should be backed up at least once an hour if you can only afford to lose an hour's worth. In this manner, even if an outage starts at, say, 2:30 p.m., you can restore the 2:00 p.m. backup and satisfy the RPO requirement.

Determine the right tools and techniques

After you have identified all of your IT assets, defined their relationships, and classified them according to their criticality and recovery goals, it's time to decide which tools and procedures to employ.

The good news is that there are many options available on the market right now. Just be certain that whatever you purchase delivers the proper level of protection. Overprotection can add extra complexity and cost the business money; complexity is the enemy of productivity and will probably make human error more likely. Under-protection might be just as harmful, because it could endanger the continuity of your firm.

For low-impact data, typical (file-based) nightly backups are more than adequate; however, they wouldn't be ideal for high-impact data and applications. High-impact data and systems benefit greatly from a CDP solution, although production server and storage costs may increase as a result.

Offsite protection is arguably the most important part of your backup and disaster recovery plan. Regardless of the kind of data backup technique you pick, this should be used. The technique (whether cloud replication or a tape vaulting service) should be appropriate for your recovery goals. Make sure the place to which your data is transported is sufficiently remote so as not to be in the same area of geographic risk. This is typically at least 25 miles from the main location.

As much as you can, automate and streamline the recovery procedure. Key IT personnel might be unavailable in a disaster, and automation also reduces the possibility of human error.
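The recovery objectives and technique selection described above, as an added example (not part of the assignment): RTO picks the protection technique using the text's thresholds, RPO sets the maximum gap between backups, and a constructed schedule is checked against the 2:30 p.m. outage from the text. The 15-minute cut-off for "just a few minutes" and the asset names are assumptions.

```python
"""Turn RTO/RPO into a protection technique and check a backup schedule.
Added example; cut-offs for 'a few minutes' and 'four hours' are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FEW_MINUTES = timedelta(minutes=15)  # assumed reading of "just a few minutes"
FOUR_HOURS = timedelta(hours=4)      # threshold the text gives for tape


@dataclass(frozen=True)
class RecoveryObjective:
    asset: str
    rto: timedelta  # maximum tolerated downtime
    rpo: timedelta  # maximum tolerated data loss


def recommend_technique(obj: RecoveryObjective) -> str:
    """Map an RTO to the protection technique the text pairs with it."""
    if obj.rto <= FEW_MINUTES:
        return "host-based replication or disk backup with CDP"
    if obj.rto > FOUR_HOURS:
        return "file-based backup to tape with offsite vaulting"
    return "disk-based backup"


def backup_schedule(start: datetime, end: datetime, obj: RecoveryObjective) -> List[datetime]:
    """Backups spaced exactly one RPO apart, so no gap exceeds the tolerated loss."""
    times, t = [], start
    while t <= end:
        times.append(t)
        t += obj.rpo
    return times


def data_loss_window(backups: List[datetime], outage: datetime) -> Tuple[Optional[datetime], Optional[timedelta]]:
    """Latest backup taken at or before the outage, and the data lost since it."""
    usable = [b for b in backups if b <= outage]
    if not usable:
        return None, None  # nothing restorable: no backup predates the failure
    last = max(usable)
    return last, outage - last


def rpo_met(obj: RecoveryObjective, backups: List[datetime], outage: datetime) -> bool:
    """True when the data lost at the outage stays within the asset's RPO."""
    _, lost = data_loss_window(backups, outage)
    return lost is not None and lost <= obj.rpo


# Constructed sample: an e-commerce database and a historic internal system.
ECOMMERCE = RecoveryObjective("orders-db", rto=timedelta(minutes=5), rpo=timedelta(hours=1))
LEGACY = RecoveryObjective("hr-archive", rto=timedelta(hours=8), rpo=timedelta(days=1))
LAX = RecoveryObjective("orders-db", rto=timedelta(minutes=5), rpo=timedelta(hours=2))
DAY = datetime(2024, 1, 1)
HOURLY = backup_schedule(DAY, DAY + timedelta(hours=23), ECOMMERCE)  # 00:00 .. 23:00
TWO_HOURLY = backup_schedule(DAY, DAY + timedelta(hours=23), LAX)     # 00:00, 02:00, ..
OUTAGE = DAY + timedelta(hours=14, minutes=30)        # 2:30 p.m., as in the text
LATER_OUTAGE = DAY + timedelta(hours=15, minutes=30)  # 3:30 p.m., 90 min after 14:00

if __name__ == "__main__":
    for obj in (ECOMMERCE, LEGACY):
        print(f"{obj.asset}: {recommend_technique(obj)}; back up at least every {obj.rpo}")
    print("hourly backups meet 1h RPO at 14:30:", rpo_met(ECOMMERCE, HOURLY, OUTAGE))
    print("2-hourly backups meet 1h RPO at 15:30:", rpo_met(ECOMMERCE, TWO_HOURLY, LATER_OUTAGE))
```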

Get stakeholder buy-in

Include important stakeholders in all of your business divisions outside of the data center (i.e., application owners and business managers). They must take part in the planning process. They should also concur with you over the priorities of the organization and the service level agreements (SLAs) that your team will deliver.

To ensure you're getting the most out of your DR solution and/or services, talk to your key partners and vendors. The IT personnel at Orleans Parish in New Orleans hadn't been in close communication with the parish's cloud backup / DRaaS supplier when two servers failed, resulting in the loss of crucial conveyance and mortgage information dating back to the 1980s. The vendor in charge of DreamHost's data center was informed of the issue by the web hosting provider only when there was an outage. Avoid doing that, and maintain regular communication with any vendor you hire.

After consulting with all of the important parties, find an executive-level sponsor who will support you and the project. It is impossible to overstate how crucial executive support, collaboration, and consensus are to the success of your disaster plan.

Document and communicate your plan

You need a written plan on how to resume operations in the event of a crisis. It is important to write this document with its intended audience in mind.

Share your strategy. All too frequently, there is only one person in the organization who truly has the full picture, making the company susceptible if that person is not accessible in the event of a disaster. Additionally, make sure to keep your DR plan accessible during a disaster, rather than on a public share or in your Exchange mailbox. It should ideally be printed and placed in several locations.

Test and practice your DR plan

It's a common adage that "practice makes perfect." "Practice makes progress" might be a more appropriate adage. No organization's disaster plan is ever perfect, but with practice, you can identify and fix any issues with your plan and execute it more quickly and correctly. Even if you hold them on certain days of the week, like Saturdays, make sure that everyone who has a part to play shows up to the practice sessions. You do not need to practice carrying out the entire disaster recovery plan every time; feel free to test specific portions of your plan. Here's an illustration:

Figure 10: Test and practice your DR plan

Evaluate and update your plan

A DR plan ought to be an ongoing project. Given the shifting sands of an ever-changing business climate, it is especially crucial to routinely assess your plan. Data loss and downtime may no longer be tolerated as much. Key individuals may leave or have their employment terminated. New hardware or operating systems may be adopted by IT. The business might buy out another business. Your planning must take into account the organization's current situation.

The policies and procedures that are required for business continuity

This policy establishes a uniform procedure for VCU's initial reaction, business continuity, and business recovery plans to be created, tested, and maintained. The following business continuity plan (BCP) lifecycle elements are included in this policy:

1. Risk Assessment. During the risk assessment step, each university department will identify, assess and rank various hazards based on the probability of occurrence and the level of disruption that will be caused to the department's operation, and consider how each hazard may affect property, business, and people working in the department and any clients they may serve, as well as the university at large. Hazards will be reviewed by the Director of Emergency Preparedness, who will provide context through definitions, recent events, and various threat scenarios. This will result in a range of outcomes that may require significant business impact analysis (BIA) and recovery strategies to be developed and supported with resources. The mission essential functions (MEFs) will be ranked in priority order by importance by university departments, who will analyze the risk assessment data.

2. Understanding the Organization: Business Impact Analysis (BIA). The term "BIA" refers to the procedure of identifying, analyzing, and evaluating the potential repercussions of a disruption or cessation of the business's crucial operations, functions, and processes as a result of an emergency, tragedy, or accident. It is a methodical approach to anticipating the probable and likely effects of these disruptions, typically from the standpoint of the worst-case scenario. The BIA is seen as the focal point of disaster recovery planning, notably for the reduction of risks in the event of operational delays or disruptions brought on by catastrophes and similar incidents.

a/ The MEFs and key resources for each department must be identified. The success of the department would be significantly impacted if one or more of its essential services, programs, or activities were to cease operations for an extended period of time. MEFs will act as a manual for how to resume operations after a catastrophe or significant disruption. If it is a highly complicated department or unit, there should generally be more than the standard four to six fundamental functions.

b/ The administration of university MEFs is the responsibility of each department, and departments are required to be as detailed as possible in defining the needs and determining interdependencies for each function. Think about how the function might need to be changed or modified if one of the major risks included in the risk assessment caused a large interruption.

c/ Each department is required to carry out a BIA for each MEF in order to evaluate and record any potential negative effects of a disaster or significant disruption on the function. By considering dependencies, peak times, negative effects, and financial risks, completing a BIA also aids in establishing recovery priorities and recovery time objectives (RTOs).

d/ Each department must take into account the human and technological resources needed to keep operations at their best.

e/ Each department is responsible for establishing and finalizing RTOs, or the amount of time required to recover a process or function and resume regular, or nearly normal, commercial activities.

3. Determining the BCP Recovery Strategies. The RTO created during the business impact analysis prioritizes recovery plans, which are alternative ways to return business operations to a minimally acceptable level following a business disruption. Recovery plans need a range of resources, including personnel, infrastructure, tools, supplies, and IT. Each department must do an analysis of the resources needed to carry out recovery measures in order to find any gaps. Each department must:

a/ Create risk treatment plans across all business areas after performing a risk identification. Determine internal sources of interdependencies, such as shared resources, telecommunications/IT links, and line-of-business dependencies.

b/ Maintain, resume, and recover important business operations and processes by documenting the strategy and practices.

c/ Describe the immediate actions that must be performed during an event to reduce the harm from a disruption and the processes required to recover.

4. Develop and Implement the BCP. To create and maintain university business continuity plans, VEOCI, a crisis management software solution, will be employed. This will guarantee the preparedness of mission-critical functions across the university. The responsible department designee will enter each Business Continuity Plan (BCP) into VEOCI after the planning (BIA and risk assessment) and meetings are finished. For access to VEOCI, get in touch with the VCU director of emergency preparedness. Training is offered. Each department must:

a/ Describe the steps involved in triggering the BCP as well as the kinds of circumstances that might result in the official announcement of a disruption.

b/ Establish the BCP's structure, including its executive summary, objectives and scope, summary of results, and recovery activities.

5. Exercising, Maintaining and Reviewing. The director of emergency preparedness will conduct training and testing after the BCP is finished to make sure every member of the department is familiar with it. The director of emergency preparedness will establish a continuity planning group made up of individuals who would be involved before, during, and after a disaster or significant disruption. After training and/or actual events, each department will modify the BCP as necessary.

a/ Timely Review and Maintenance: Each department's plan owner is accountable for annually reviewing all BCPs and associated documentation. Reviewing is done to make sure the plan is still relevant and current and to keep everything in a condition of preparedness. The VCU director of emergency preparedness will be in charge of monitoring the maintenance schedule.

b/ Training and Exercises: The director of emergency preparedness will organize annual testing for all departments. The range of testing techniques runs from the simplest (no-notice drills) to the most sophisticated (full-scale exercises). Each has distinct traits, goals, and advantages. The size, complexity, and nature of the organization's operation should all be taken into consideration when choosing the testing strategy. Testing techniques include tabletop exercises, functional exercises, and full-scale exercises, in that sequence of increasing complexity.


Posted: 08/05/2024, 12:45