IT Security and Disaster Recovery Planning: A Comprehensive Guide - Prof. Pham, Study notes of Computer Vision

Assignment 1: Security

Typology: Study notes

2019/2020

Uploaded on 10/07/2021

nam-nguyen-21
Assignment Brief 2 (RQF)
Higher National Certificate/Diploma in Computing
Student Name/ID Number:
Unit Number and Title:
Unit 5: Security
Academic Year:
2021 – 2022
Unit Assessor:
Van Ho
Assignment Title:
Security Presentation
Issue Date:
April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:
Submission Format:

Format:
● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.

Submission:
● Students must submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submission on CMS.

Note:
● The individual assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

Assignment Brief and Guidance:

LO4
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organisational policy.

CONTENTS

INTRODUCTION

I) Discuss risk assessment procedures
  1. Define a security risk and how to do risk assessment
  2. Define assets, threats and threat identification procedures, and give examples
  3. Explain the risk assessment procedure
  4. List risk identification steps

II) Explain data protection processes and regulations as applicable to an organisation (P6)
  1. Define data protection
  2. Explain the data protection process in an organization
  3. Why are data protection and security regulation important?

III) Design and implement a security policy for an organisation (P7)
  1. Define a security policy and discuss it
  2. Give an example for each of the policies
  3. Give the musts and shoulds that must exist while creating a policy
  4. Explain and write down the elements of a security policy
  5. Give the steps to design a policy

IV) List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
  1. Discuss with explanation about business continuity
  2. List the components of a recovery plan
  3. Write down all the steps required in the disaster recovery process
  4. Explain some of the policies and procedures that are required for business continuity

INTRODUCTION

As Internet use grows, more and more companies are opening their information systems to their partners and suppliers. It is therefore essential to know which of the company's assets need protecting, and to control system access and the user rights on the information system. The same is true when opening company access to the Internet.

match the company and scope, they typically take 30-60+ days and contain the phases outlined below:

Initial Discussion

Adsero schedules a conference call to discuss your company, your procedures and what your goals are during the Risk Assessment process.

Onsite Discovery

Next, our team of experts will spend time at your facility to perform an onsite review of your technology and processes.

Analysis

Adsero Security's analysts then take the information gathered during the onsite visit and begin identifying risks and the controls you may already have in place.

The Report

Once all the analysis is complete, you will receive a complete Risk Assessment report that outlines all your assets, vulnerabilities and risks. The report includes recommendations on how to improve your overall security and compliance.

2) Define assets, threats and threat identification procedures, and give examples:

To make your risk assessment easier, you can use a sheet with assets, threats and vulnerabilities in columns; you should also include some other information like risk ID, risk owners, impact and likelihood, etc. I found it the easiest to start listing items column by column, not row by row – this means you should list all of your assets first, and only then start finding a couple of threats for each asset, and finally find a couple of vulnerabilities for each threat. So, let’s see what this matching of the three components could look like – for example:

Asset: paper document
● Threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
● Threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
● Threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)

Asset: digital document
● Threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
● Threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
● Threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity and availability)

Hazard identification is the process of identifying all hazards present in your work environment. Many hazards exist in the workplace. Some can be identified easily, such as manual handling, but others are less obvious and may not even show up in accident reports or injury logs. Consider how people work with plant and equipment to identify hidden hazards that could cause harm without being picked up by existing records (for example, a new cleaning solution). Identifying which hazardous substances are used is also important when thinking about potential health risks for workers who use them regularly or come into contact with them during maintenance operations. For example, many workplaces contain asbestos, which poses severe dangers if inhaled over time because of its link to respiratory illnesses such as lung cancer. Four risk categories are used to rate identified hazards: Extreme, High, Moderate and Low.

Risk assessment matrix

2. Assess the risk.

Once you have identified what hazards may be present, decide how likely it is that someone could be harmed by them and, if so, to what extent. This is assessing the level of risk for your business premises or workplace environment with regard to those potential hazards. Decide:
● who might be harmed;
● what action you are already taking to reduce the chance of this harm happening (control measures);
● any further steps needed, who will carry out the necessary action, and when they need to do it by.

Risk matrix (risk assessment matrix)

With all the risks that are out there, a risk matrix can be an easy way to assess the risk. The risk matrix is a useful tool for quickly calculating the risk of a project. It helps identify what could go wrong (likelihood) and how much damage it would cause if these outcomes occurred (severity). This makes prioritising issues quick and simple, so you know which ones need attention.

Guidelines for assessing severity:
● Major: environmental loss = major pollution affecting life outside the site; people = fatality or permanent disability.
● Serious: environmental loss = major pollution confined to the inside of the site; people = long-term absence / off-site treatment.
● Moderate: environmental loss = significant pollution causing a shutdown of unit(s); people = moderate treatment / short-term absence.
● Minor: environmental loss = pollution above limits / small spills, emissions; people = first-aid case / no significant injury.

Guidelines for assessing likelihood:
● Very unlikely: little or no chance of occurrence.
● Unlikely: could occur, less than a 50/50 chance.
● Possible: 50/50 chance.
● Probable: more likely to occur than not, more than a 50/50 chance.

3. Put controls/safeguards in place.

In order to ensure that risks are reduced as far as possible, it is important for any potential hazards or dangers to be identified and evaluated. This will help determine the best way of handling them, whether by eliminating their source completely or by controlling how they affect the people most at risk (e.g. through engineering controls).

4. Re-assess the risk with the control in place.

If you're already doing something in your workplace, ask yourself if there are ways to control or reduce the risks further so that harm is unlikely. Ask these questions:

It's important that your policy addresses each of these points and explains how the organisation will guarantee each is respected. That covers how you will ensure the data is lawfully obtained, how it's kept up to date if any changes are made, how your company plans to keep the data safe from unauthorised access, how the data will be removed when it's no longer needed and how you will guarantee the data is removed from all systems. The GDPR also adds a new principle, that of accountability, so it's pivotal that you highlight whose responsibility it is to enforce these policies within your organisation. You'll also need to ensure the document explains how you will guarantee that your whole staff complies with these policies, and any procedures your business has in place if staff fail to do so.

2) Why are data protection and security regulation important?

Following proper data protection procedures is also crucial in helping to prevent cybercrime, by ensuring details, specifically banking, address and contact information, are protected to prevent fraud; for instance, to prevent your clients' or customers' bank accounts being hacked into. A breach of your data protection can be costly, and affected customers and staff can in some cases pursue compensation against your business. You can also leave yourself open to penalties for failing to comply with data protection law.

III) Design and implement a security policy for an organisation (P7).

1) Define a security policy and discuss it:

● A network security policy (NSP) is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company's security / network security environment.[1] The document itself is usually several pages long and written by a committee.
● A security policy is a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company.[2]
● A security policy should keep malicious users out and also exert control over potentially risky users within the organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage, and whether any protection is already in place to prevent misuse.
● In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work (the principle of least privilege).
● While writing the security document can be a major undertaking, a good start can be achieved by using a template. The National Institute of Standards and Technology provides security-policy guidelines.
● The policies could be expressed as a set of instructions that can be understood by special-purpose network hardware dedicated to securing the network.

2) Give an example for each of the policies:

● Who to contact with privacy concerns: your policy should also provide contact information for those responsible for maintaining your confidentiality procedures. Consider creating a special address for this purpose, for example YourPrivacy@yourcompanyname.com.

3) Give the musts and shoulds that must exist while creating a policy:

A security policy should also be a living document, routinely updated as new technology and procedures are established to support the mission of the organization. Additionally, the organization should be aware that the development of a security policy should be a collaborative effort between security officials, management, and those who have a thorough understanding of the business rules of the organization. It is important to acknowledge that a security policy should not impede an organization from meeting its mission and goals. However, a good policy will provide the organization with assurance and an acceptable level of asset protection from external and internal threats. When designing a security policy, many organizations follow a standard set of principles. These principles can be divided into what a policy must do and what a policy should do. The team should first decide on the scope and goals of the policy. The scope should be a statement about who is covered by the policy, while the goals outline what the policy attempts to achieve. The team also must decide how specific to make the policy (remembering that a security policy is not meant to be a detailed plan for how to implement the policy).

Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.

  • Social engineering: place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.
  • Clean desk policy: secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
  • Acceptable Internet usage policy: define how Internet access should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.

5) Give the steps to design a policy:

You might have an idea of what your organization's security policy should look like. But if you want to verify your work or get additional pointers, here is what all good policies have:
  • Purpose: clear goals and expectations of the policy.
  • Policy compliance: federal and state regulations might drive some requirements of a security policy, so it's critical to list them.
  • Last tested date: policies need to be a living document, frequently tested and challenged.
  • Policy last updated date: security policy documents need to be updated to adapt to changes in the organization, outside threats, and technology.
  • Contact: information security policies are supposed to be read, understood and followed by all individuals within an organization, so if there are questions there needs to be an owner.

IV) List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8):

1) Discuss with explanation about business continuity:

Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible. The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.

Business continuity is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity planning is deciding which functions are essential and allocating the available budget accordingly. Once the crucial components have been identified, administrators can put failover mechanisms in place. Technologies such as disk mirroring and replication to a remote site enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This enables data access to continue uninterrupted if one location is disabled, and protects against data loss.

Why is business continuity important?

At a time when downtime is unacceptable, business continuity is critical. Downtime comes from a variety of sources. Some threats, such as cyberattacks and extreme weather, seem to be getting worse. It's important to have a business continuity plan in place that considers any potential disruption to operations. The plan should enable the organization to keep running, at least at a minimal level, during a crisis. Business continuity helps the organization maintain resiliency by responding quickly to an interruption. Strong business continuity saves money, time and company reputation; an extended outage risks financial, personal and reputational loss. Business continuity requires an organization to take a look at itself, analyze potential areas of weakness and gather key information, such as contact lists and technical diagrams of systems, that can be useful outside of disaster situations. In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience. Business continuity might even be a requirement for legal or compliance reasons. Especially in an era of increased regulation, it's important to understand which regulations affect a given organization.

What does business continuity include?

Business continuity is a proactive way to ensure mission-critical operations proceed during a disruption. A comprehensive plan includes contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document.

Business continuity standards

Table 1 lists the standards in the ISO 223XX series that apply to business continuity and related activities. The ISO 22398 and 22399 standards are also worth a look.

[Table 1: ISO 223XX series standards (not reproduced in this preview)]

Table 2 lists the Business Continuity Institute's Good Practice Guidelines. The guidelines provide a comprehensive foundation for understanding the business continuity process, and they map closely to the ISO 22301 standard.

[Table 2: BCI Good Practice Guidelines (not reproduced in this preview)]

Table 3 provides a partial listing of standards, regulations and good practices developed in the U.S. by several different organizations, such as ASIS International, the National Fire Protection Association, the Federal Financial Institutions Examination Council, the Information Systems Audit and Control Association (ISACA), the Financial Industry Regulatory Authority, the Federal Emergency Management Agency and the National Institute of Standards and Technology.