





















































Student Name/ID Number:
Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Van Ho
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:
Submission Format:
Format:
● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.
Submission:
● Students are required to submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submitting it on CMS.
Note:
● The individual assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.
Unit Learning Outcomes:
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.
Assignment Brief and Guidance:
LO4
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
D3 Evaluate the suitability of the tools used in an organisational policy.
I) Discuss risk assessment procedures:
match the company and scope, they typically take 30-60+ days and contain the phases outlined below:
Adsero schedules a conference call to discuss your company, your procedures and what your goals are during the Risk Assessment process.
Next our team of experts will spend time at your facility to perform an onsite review of your technology and processes.
Adsero Security's analysts then take the information gathered during the onsite visit and begin identifying risks and controls you may have in place already.
Once all the analysis is complete, you will receive a complete Risk Assessment report that outlines all your assets, vulnerabilities and risks. The report includes recommendations on how to improve your overall security and compliance.
To make your risk assessment easier, you can use a sheet with assets, threats and vulnerabilities in columns; you should also include some other information like risk ID, risk owners, impact and likelihood, etc. I found it the easiest to start listing items column by column, not row by row – this means you should list all of your assets first, and only then start finding a couple of threats for each asset, and finally find a couple of vulnerabilities for each threat. So, let’s see what this matching of the three components could look like – for example:
Threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
Threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
Threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
Threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
Threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
Threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity and availability)
Hazard identification is the process of identifying all hazards present in your work environment. Many hazards exist in the workplace. Some of these can be easily identified, such as manual handling, but others are less obvious and may not even show up on accident reports or injury logs. Consider how people work with plant equipment to identify hidden hazards that could cause harm without being detected by existing records (such as a new cleaning solution). Identifying which hazardous substances are used is also important when thinking about potential health risks for workers who use them regularly or come into contact with them during maintenance operations. For example, many workplaces contain asbestos, which poses severe dangers if inhaled over time due to its link to respiratory illnesses like lung cancer. Four risk categories are used to classify hazards: Extreme, High, Moderate, and Low.
Risk assessment matrix
Once you have identified what hazards may be present, decide how likely it is that someone could be harmed by these and to what extent if so. This is assessing the level of risk for your business premises or workplace environment with regard to those potential hazards. Decide: who might be harmed; what action you're already taking in order to reduce this harm happening again (control measures); any further steps needed, who will carry out this necessary action, and when they need to do it by.
Risk matrix (Risk assessment matrix)
With all the risks that are out there, a risk matrix can be an easy way to assess the risk. The risk matrix is a valuable tool for quickly calculating the risk of a project. It helps identify what could go wrong (likelihood) and how much damage it would cause if these outcomes occurred (severity). This makes prioritizing issues quick and simple, so you know which ones need attention.
Guidelines for assessing Severity
Major: Environmental loss (major pollution affecting life outside the site); People (fatality or permanent disability)
Serious: Environmental loss (major pollution confined to the inside of the site); People (long-term absence / off-site treatment)
Moderate: Environmental loss (significant pollution causing a shutdown of unit/s); People (moderate treatment / short-term absence)
Minor: Environmental loss (pollution above limits / small spills, emissions); People (first aid case / no significant injury)
Guidelines for assessing Likelihood
Very unlikely: Little or no chance of occurrence
Unlikely: Could occur, less than a 50/50 chance
Possible: 50/50 chance
Probable: More likely to occur than not, more than a 50/50 chance
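The following is an added example, not part of the original assignment: it builds the asset/threat/vulnerability sheet described above as a small risk register and bands each entry into the four risk categories (Extreme, High, Moderate, Low) using the severity and likelihood scales from the guidelines. The page does not define the exact matrix, so the score bands and the register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Severity and likelihood scales as named in the guidelines, lowest to highest.
SEVERITY = ["Minor", "Moderate", "Serious", "Major"]
LIKELIHOOD = ["Very unlikely", "Unlikely", "Possible", "Probable"]


def risk_category(likelihood: str, severity: str) -> str:
    """Assumed matrix (not from the page): likelihood rank x severity rank,
    each on a 1..4 scale, banded into the four risk categories."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (SEVERITY.index(severity) + 1)
    if score >= 12:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Moderate"
    return "Low"


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: str
    severity: str

    @property
    def category(self) -> str:
        return risk_category(self.likelihood, self.severity)


# Constructed register entries reusing the threat/vulnerability pairs listed above.
REGISTER = [
    Risk("R1", "Contract document", "fire", "not stored in a fire-proof cabinet", "Facilities", "Unlikely", "Serious"),
    Risk("R2", "Contract document", "fire", "no backup of the document", "IT", "Unlikely", "Major"),
    Risk("R3", "Contract document", "unauthorized access", "not locked in a cabinet", "Office manager", "Possible", "Moderate"),
    Risk("R4", "File server", "disk failure", "no backup of the document", "IT", "Probable", "Major"),
    Risk("R5", "Workstations", "virus", "anti-virus program is not properly updated", "IT", "Probable", "Serious"),
    Risk("R6", "File server", "unauthorized access", "access control scheme is not properly defined", "IT", "Possible", "Major"),
]


def prioritised(register):
    """Sort highest risk category first so treatment effort goes where it matters."""
    order = {"Extreme": 0, "High": 1, "Moderate": 2, "Low": 3}
    return sorted(register, key=lambda r: (order[r.category], r.risk_id))


if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{r.risk_id} {r.category:8} {r.asset} / {r.threat} / {r.vulnerability} (owner: {r.owner})")
```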
In order to ensure that risks are eliminated as much as possible, it is important for any potential hazards or dangers to be identified and evaluated. This will help determine the best way of handling them – whether by eliminating their source completely or controlling how they affect people most at risk (e.g., through engineering).
If you're already doing something in your workplace, ask yourself if there are ways to control or reduce the risks so that harm is unlikely. Ask these questions:
It's important that your policy addresses each of these points and explains how the organisation will guarantee each is respected. That covers how you will ensure the data is lawfully obtained, how it's kept up to date if any changes are made, how your company plans on keeping the data safe from unauthorised access, how the data will be removed when it's no longer needed and how you will guarantee the data is removed from all systems. The GDPR also adds a new principle, that of accountability, so it's pivotal that you highlight whose responsibility it is to enforce these policies within your organisation as well. You'll also need to ensure the document explains how you will guarantee your whole staff complies with these policies, and any procedures your business has in place if staff fail to do so.
Following proper data protection procedures is also crucial to help prevent cybercrime by ensuring that details, specifically banking, addresses and contact information, are protected to prevent fraud, for instance your clients' or customers' bank accounts being hacked into. A breach in your data protection can be costly, and affected customers and staff can in some cases pursue compensation against your business. You can also leave yourself open to penalties for failing to comply with data protection law.
III) Design and implement a security policy for an organisation.
● A network security policy (NSP) is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/network security environment.[1] The document itself is usually several pages long and written by a committee.
● A security policy is a very complex document, meant to govern data access, web browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company.[2]
● A security policy should keep malicious users out and also exert control over potentially risky users within an organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage, and whether any protection is already in place to prevent misuse.
● In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work.
● While writing the security document can be a major undertaking, a good start can be achieved by using a template. The National Institute of Standards and Technology provides a security-policy guideline.
● The policies could be expressed as a set of instructions that could be understood by special-purpose network hardware dedicated to securing the network.
Who to contact with privacy concerns
Your policy should also provide contact information for those responsible for maintaining your confidentiality procedures. Consider creating a special address for this purpose – for example, Your Privacy @ yourcompanyname.com
3) Give the "musts" and "shoulds" that must exist while creating a policy:
A security policy should also be a living document, routinely updated as new technology and procedures are established to support the mission of the organization. Additionally, the organization should be aware that the development of a security policy should be a collaborative effort between security officials, management, and those who have a thorough understanding of the business rules of the organization. It is important to acknowledge that a security policy should not impede an organization from meeting its mission and goals. However, a good policy will provide the organization with assurance and an acceptable level of asset protection from external and internal threats. When designing a security policy, many organizations follow a standard set of principles. These principles, which can be divided into what a policy must do and what a policy should do, are summarized in:
The team should first decide on the scope and goals of the policy. The scope should be a statement about who is covered by the policy, while the goals outline what the policy attempts to achieve. The team also must decide on how specific to make the policy (remembering that a security policy is not meant to be a detailed plan regarding how to implement the policy).
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible. The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.
Business continuity is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity planning is deciding what functions are essential and allocating the available budget accordingly. Once crucial components have been identified, administrators can put failover mechanisms in place. Technologies such as disk mirroring enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This enables data access to continue uninterrupted if one location is disabled and protects against data loss.
At a time when downtime is unacceptable, business continuity is critical. Downtime comes from a variety of sources. Some threats, such as cyberattacks and extreme weather, seem to be getting worse. It's important to have a business continuity plan in place that considers any potential disruptions to operations. The plan should enable the organization to keep running at least at a minimal level during a crisis. Business continuity helps the organization maintain resiliency, in responding quickly to an interruption. Strong business continuity saves money, time and company reputation. An extended outage risks financial, personal and reputational loss. Business continuity requires an organization to take a look at itself, analyze potential areas of weakness and gather key information -- such as contact lists and technical diagrams of systems -- that can be useful outside of disaster situations. In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience. Business continuity might even be a requirement for legal or compliance reasons. Especially in an era of increased regulation, it's important to understand which regulations affect a given organization.
Business continuity is a proactive way to ensure mission-critical operations proceed during a disruption. A comprehensive plan includes contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document.
Table 1 lists the standards in the ISO 223XX Series that apply to business continuity and related activities. The ISO 22398 and 22399 standards are also worth a look.
Table 1
Table 2 lists the Business Continuity Institute's Good Practice Guidelines. The guidelines provide a comprehensive foundation for understanding the business continuity process, and they map closely to the ISO 22301 standard.
Table 2
Table 3 provides a partial listing of standards, regulations and good practices developed in the U.S. by several different organizations, such as ASIS International, the National Fire Protection Association, the Federal Financial Institutions Examination Council, the Information Systems Audit and Control Association, the Financial Industry Regulatory Authority, the Federal Emergency Management Agency and the National Institute of Standards and Technology.