1623-System Security-Assignment 2 (Brief)

Student Name/ID Number: Nguyen Bao Khang / GCS
Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Van Ho
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date: 08/05/
Internal Verifier Name:
Date:

Submission Format:

Format:
● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.

Submission
● Students must submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submission on CMS.

Note:
● The individual Assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario
You work for a security consultancy as an IT Security Specialist. A manufacturing company, “Wheelie good”, in Ho Chi Minh City, making bicycle parts for export, has called your company to propose a Security Policy for their organization, after reading stories in the media related to security breaches in organizations and their ramifications.

Task 1
In preparation for this task, you will prepare a report considering:
● The security risks faced by the company.
● How data protection regulations and ISO risk management standards apply to IT security.
● The potential impact that an IT security audit might have on the security of the organization.
● The responsibilities of employees and stakeholders in relation to security.

Task 2
Following your report, you will now design and implement a security policy. While considering the components to be included in the disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.
Figure 2 : Risk Assessment
2. Assets, Threats And Threat Identification Procedures

2.1. Assets
Assets are resources that hold economic value and are owned by an individual or a business entity. Assets can be tangible or intangible and can be used to generate income or provide other benefits to the owner. Tangible assets are those that can be seen and touched, such as inventory, machinery, property, and equipment. These assets have a physical and measurable form and can be valued based on their market or replacement value. Intangible assets, on the other hand, are those that do not have a physical form and cannot be touched or seen but have economic value. Examples of intangible assets include patents, trademarks, copyrights, goodwill, and intellectual property. These assets can be difficult to value and are typically assessed based on the future economic benefits they are expected to provide. Assets are an important part of financial reporting and are typically listed on a company's balance sheet. The value of assets can influence a company's financial performance, borrowing capacity, and overall value.

Figure 3 : Assets

2.2. Threats
A threat is any potential danger, harm, or action that could compromise the confidentiality, integrity, or availability of an asset. Threats can come in various forms, including cyber attacks, physical attacks, theft, natural disasters, malicious insiders, and accidental incidents such as data entry errors. Threats can range from low risk to very high risk and may vary depending on the type of asset, industry, and location. Threats can be classified into different categories, including intentional threats, unintentional threats, internal threats, external threats, logical threats, and physical threats. Intentional threats involve malicious acts carried out by an attacker with the intention of causing harm or damage, while unintentional threats are often caused by human error or system failures.

Figure 4 : Threats

2.3. Threat Identification Procedures
Here are some steps that can be taken to identify potential threats:

Step 1: Conduct a risk assessment
A risk assessment is the first step in identifying potential threats. This involves identifying assets that need to be protected, assessing the threats to these assets, and determining the vulnerabilities of the assets.

Step 2: Analyze industry-specific threats
Different industries face different types of threats. Understanding industry-specific threats can help organizations assess their own risk level and take appropriate steps to mitigate those risks.

Step 3: Stay up-to-date with emerging threats
As technology evolves, so do the types of threats that organizations face. It is important to stay up-to-date with emerging threats and assess how they may impact the organization.

Step 4: Gather threat intelligence
Threat intelligence involves collecting information about potential threats from various sources, such as news outlets, industry reports, and other organizations.

Step 5: Analyze past incidents
Looking at past security incidents can help organizations identify patterns and determine potential future threats.

Step 6: Conduct vulnerability assessments
Conducting vulnerability assessments can help identify weaknesses in systems and processes which could be exploited by attackers.
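The threat identification steps above, together with the likelihood/impact risk matrix used in the risk assessment procedure that follows, can be worked through on a small risk register. The script below is an added example and is not part of the original report or the assignment brief: the five-point likelihood and impact scales, the band thresholds, and the sample register entries for a bicycle-parts manufacturer are all constructed for illustration, and the helper names (Risk, prioritise, document_risks) are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scales for the two axes of the risk matrix. The labels and the
# 1-5 scoring are constructed for this example; an organisation defines
# its own scale in its risk management plan.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Severity bands for a 5x5 matrix (constructed thresholds), highest first.
BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]


@dataclass
class Risk:
    """One row of the risk register: an asset, a threat to it, the
    vulnerability the threat would exploit, the two matrix ratings and
    the planned mitigation."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    mitigation: str = ""

    def __post_init__(self) -> None:
        # Reject ratings that are not on the agreed scale so a typo in the
        # register cannot silently produce a wrong score.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    def score(self) -> int:
        # Step 4: likelihood x impact selects the cell of the risk matrix.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        return rating_for(self.score())


def rating_for(score: int) -> str:
    """Map a matrix score to its severity band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 5: highest score first. Ties are broken by impact, so a rare but
    severe event outranks a likely but moderate one with the same score."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def document_risks(register: list[Risk]) -> list[dict]:
    """Step 6: the register as plain records, one per risk in priority
    order, ready to be written into the risk management plan."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "likelihood": r.likelihood,
            "impact": r.impact,
            "score": r.score(),
            "rating": r.rating(),
            "mitigation": r.mitigation,
        }
        for r in prioritise(register)
    ]


# A constructed register for a small bicycle-parts manufacturer, in the
# spirit of the assignment scenario. Every entry is illustrative.
SAMPLE_REGISTER = [
    Risk("production line controller", "ransomware", "unpatched host reachable from the office network",
         "likely", "severe", "segment the plant network, patch, keep offline backups"),
    Risk("customer order database", "SQL injection through the web portal", "queries built from unvalidated input",
         "possible", "major", "parameterised queries, input validation, regular vulnerability scans"),
    Risk("staff laptops", "theft", "no full-disk encryption",
         "possible", "moderate", "enable full-disk encryption and remote wipe"),
    Risk("file server", "flooding", "server room on the ground floor",
         "rare", "major", "off-site backups, relocate equipment"),
]

if __name__ == "__main__":
    for row in document_risks(SAMPLE_REGISTER):
        print(f"{row['rating']:<8} {row['score']:>2}  {row['asset']}: {row['threat']} -> {row['mitigation']}")
```

Running the script prints the register from highest to lowest priority; the ransomware entry scores 20 (critical) and the flooding entry scores 4 (medium), which is the ordering step 5 asks for before resources are assigned to mitigations.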
3. The Risk Assessment Procedure
Identify any weaknesses or vulnerabilities that could be exploited by the threats. This may include physical security vulnerabilities, policy gaps, software flaws, or inadequate training.

Step 4: Assess The Risks
Analyze the intersection of threats and vulnerabilities to determine the level of risk for each asset. Use a risk matrix to score each risk based on likelihood and impact.

Step 5: Prioritize The Risks
Prioritize the risks based on their level of severity and their potential impact on the organization. Consider the resources available to mitigate each risk, the likelihood of the risk occurring, and the potential impact on the organization.

Step 6: Document The Risks
Document the identified risks and their associated likelihood, impact, and mitigation strategies. This information can be used to develop a risk management plan.

Step 7: Review And Update Regularly
Risks can change over time due to internal or external factors such as new technologies, new regulations, or changes in business priorities. Regularly review and update your risk identification process to ensure the ongoing effectiveness of your risk management plan.

ii. - Explain data protection processes and regulations as applicable to an organisation (P6)
1. Definition of Data Protection
Data protection refers to the set of processes and regulations that are designed to protect personal or sensitive data from unauthorized access, use, disclosure, or destruction. This can include data relating to individuals, such as their name, address, date of birth, financial information, or health records, as well as other sensitive information that a company may possess, such as trade secrets or confidential business information.

2. Data Protection Process In An Organization
The process of implementing data protection practices in an organization can be broken down into several steps:

Step 1: Identify Sensitive Data
The first step in the data protection process is to identify the sensitive data that needs to be protected. This includes any personally identifiable information (PII), healthcare data, trade secrets, or other confidential information.

Step 2: Assess Risks
Once sensitive data has been identified, the organization should conduct a risk assessment, evaluating the level of risk associated with each type of data and identifying potential vulnerabilities.

Step 3: Develop Policies and Procedures
Based on the risk assessment, the organization should develop policies and procedures outlining data protection practices. These policies should include guidelines for data access, handling, storage, encryption, backups, and destruction.

Step 4: Train Employees
All employees who handle sensitive data should be trained on data protection policies and procedures. This includes training on how to recognize and respond to security incidents, password policies, and best practices for securing data.

Step 5: Implement Technical Controls
The organization should implement a variety of technical controls to protect data, including firewalls, intrusion detection and prevention, anti-malware and antivirus software, and encryption tools. Strong authentication and access controls, such as multi-factor authentication and granular access controls, should also be implemented.

Step 6: Monitor and Test
Data protection practices should be continually monitored and tested to identify any vulnerabilities or risks. This includes proactive monitoring of network traffic, evaluation of access logs, and regular vulnerability testing.

Step 7: Respond to Incidents
In the event of a security incident, the organization should have a plan in place outlining how to respond to and contain the incident. This includes incident response plans, disaster recovery plans, and business continuity plans.
3. The Importance Of Data Protection And Security Regulation

3.1. The Importance of Data Protection
Some of the important reasons why data protection and security regulations are critical:

a. Protecting Confidential Information: Data protection regulations help organizations protect their confidential and proprietary information from being accessed or stolen by unauthorized people. This can include sensitive information about clients, business partners, employees, and other stakeholders.

b. Maintaining Compliance: Regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) require businesses to ensure that they are maintaining the highest level of data protection and are protecting their clients' privacy and personal information. Failure to comply with these regulations can lead to significant legal and financial consequences.

c. Preventing Data Breaches: Data protection and security regulations require businesses to take proactive measures to protect their information systems and networks from cyber threats such as ransomware, malware, and phishing attacks. This reduces the risk of data breaches and protects the company's reputation.

d. Building Consumer Trust: When customers know that their personal information is being handled and protected responsibly, it builds trust in the organization. This trust can lead to increased customer loyalty, which is essential for long-term business success.

e. Business Continuity: In today's digital world, data is often the lifeblood of a business. Data protection regulations help ensure that critical information can be recovered quickly in the event of a disaster or security breach, helping businesses to maintain continuity and minimize downtime.

3.2. Security Regulation
Table 1 : Policy Must and Should Statement (Ciampa, M. , 2015)
3. Elements of a security policy
A comprehensive security policy should include the following elements:

a. Purpose And Scope: This defines the reasons for the security policy and the scope of its application.

b. Roles And Responsibilities: This identifies the roles and responsibilities of employees, management, and stakeholders in implementing and enforcing the security policy.

c. Access Control: This specifies procedures for granting or denying access to various system resources, devices, and networks.

d. Password Policies: This defines rules for creating and managing strong passwords, such as complexity, length, and frequency of changes.

e. Mobile Device Security: This outlines the procedures for securing mobile devices that access the organization's networks or hold sensitive data.

f. Data Classification: This defines the criteria for classifying organizational data based on sensitivity and identifying the controls necessary for each classification level.

g. Incident Response: This establishes a documented plan for detecting, investigating, and responding to security threats to minimize the impact of a security incident.

4. The steps to design a policy

Step 1: Define the problem or issue
The first step in designing a policy is to clearly define the problem or issue that the policy is intended to address. This may involve gathering data and conducting research to identify the root cause of the problem.

Step 2: Define and consult with stakeholders
Identify the stakeholders who are affected by the policy and involve them throughout the process. This may include employees, customers, suppliers, regulators, and other relevant parties.

Step 3: Set goals and objectives
Establish clear goals and objectives that the policy will achieve. These should be specific, measurable, achievable, relevant, and time-bound (SMART).

Step 4: Develop the policy
Develop the policy itself, including the policy statement, objectives, scope, and definitions. Consider including procedures, guidelines, and other supporting documents to assist with implementation.

Step 5: Review and revise
Review the policy draft and revise as necessary. This may involve seeking input from stakeholders and subject matter experts.

Step 6: Approve and implement
Once the policy is finalized, obtain approval from relevant stakeholders and implement the policy. Establish metrics to measure the effectiveness of the policy.

Step 7: Communicate and train
Communicate the new policy to all relevant parties and provide training as necessary to ensure understanding and compliance.

Step 8: Monitor and evaluate
Monitor the policy implementation and evaluate the effectiveness of the policy over time. Revise the policy as necessary to ensure ongoing effectiveness.

iv. - List The Main Components Of An Organisational Disaster Recovery Plan, Justifying The Reasons For Inclusion (P8)
1. Business continuity
Business continuity is the process of creating a plan for how an organization will continue operating during and after a disaster, such as a natural disaster, cyber-attack, or other disruptive event. The goal of business continuity planning is to minimize the impact of disruptions to the organization’s operations and ensure that essential services and functions can continue to be delivered to customers and clients.

Figure 5 : Business Continuity

Conduct a post-mortem evaluation of the disaster recovery process to identify any areas that can be improved. Make recommendations for enhancing the DRP and updating documentation based on lessons learned.

Figure 6 : The steps required in disaster recovery process.
4. The policies and procedures that are required for business continuity

a. Business Impact Analysis (BIA) Policy: This policy outlines the process for conducting a BIA to identify and prioritize critical business functions, systems, and data. A BIA helps identify the potential impacts of a disruption to these critical areas of the business.

b. Business Continuity Planning (BCP) Policy: This policy outlines the process for developing and maintaining a comprehensive business continuity plan that addresses the identified critical business functions, systems, and data. A BCP should include emergency response procedures, recovery strategies, and communication plans.

c. Disaster Recovery (DR) Policy: This policy outlines the process for recovering critical systems and data following a disruption. A DR plan should include procedures for restoring systems and data from backups and alternative locations.

d. Crisis Management Policy: This policy outlines the processes and procedures for managing a crisis situation, including who is responsible for making decisions, how to communicate with stakeholders, and how to manage business operations during a crisis.

e. Communication Policy: This policy outlines the process for communicating with employees, customers, suppliers, and other stakeholders during a disruption. Communication plans should include contact information for key personnel, communication channels, and messaging templates.

f. Training and Testing Policy: This policy outlines the process for training employees and testing business continuity plans to ensure that they are effective and up-to-date. Training should include an introduction to the business continuity program, employee roles and responsibilities, and procedures for reporting incidents and escalating issues.
Fastdo P. M. Q. (2023, January 9). Business Continuity Plan là gì? Tất tần tật về BCP trong tổ chức [What is a Business Continuity Plan? Everything about BCP in an organisation]. Fastdo - Nền tảng quản trị công việc cho SMEs [Fastdo - work management platform for SMEs]. https://fastdo.vn/business-continuity-plan-la-gi/ (Accessed 7 May 2023)
11. Arcserve (n.d.). 8 must-have components of an effective disaster recovery plan. https://www.arcserve.com/blog/8-must-have-components-effective-disaster-recovery-plan (Accessed 7 May 2023)
12. Cloudian (2019, November 25). Disaster recovery: 4 key features & building your DR plan. https://cloudian.com/guides/disaster-recovery/disaster-recovery-5-key-features-and-building-your-dr-plan/ (Accessed 7 May 2023)
13. Sullivan, E. (2022). What is a business continuity policy? Definition from TechTarget.com. Disaster Recovery; TechTarget. https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-policy (Accessed 7 May 2023)
14. Ciampa, M. (2015). CompTIA Security+ Guide to Network Security Fundamentals. Cengage Learning. https://www.scribd.com/document/466477649/Mark-Ciampa-CompTIA-Security-Guide-to-Network-Security-Fundamentals-600-724# (Accessed 10 May 2023)