Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: Date received (1st submission):
Re-submission date: Date received (2nd submission):
Student name: Phan Minh Tiến Student ID: GCD
Class: GCD1001 Assessor name: Trần Trọng Minh
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Tiến
Grading grid
Grade: Assessor signature: Date:
Lecturer signature:
VIII. THE ROLES OF STAKEHOLDERS IN ORGANIZATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS (M5)
Figure 1: Risk
A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities.
Figure 2: Risk Assessment
Conducting a risk assessment allows an organization to view its application portfolio holistically, from an attacker's perspective. It supports managers in making informed decisions about resource allocation, tooling, and which security controls to implement. Conducting an assessment is therefore an integral part of an organization's risk management process.
An asset is any data, device or other component of an organization’s systems that is valuable – often because it contains sensitive data or can be used to access such information. For example, an employee’s desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets. An organization’s most common assets are information assets. These are things such as databases and physical files – i.e., the sensitive data that you store.
A threat is any incident that could negatively affect an asset, for example if it is lost, knocked offline or accessed by an unauthorized party. Threats can be categorized as circumstances that compromise the confidentiality, integrity, or availability of an asset, and can be either intentional or accidental. Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction, or an event that causes physical damage, such as a fire or natural disaster.
The threat identification process examines IT vulnerabilities and determines their capacity to compromise the system. It is a key element of the organization's risk management program. Identifying threats allows organizations to take preemptive action: the organization receives the information needed to obstruct unauthorized users and prevent system breaches.
In the threat identification procedure, every threat identified could in principle act on any protected asset, so the number of threat-asset combinations grows quickly and can overwhelm the plan. To keep this part of the process manageable, threat identification and vulnerability identification are carried out as separate steps and their results are combined at the end of the process.
With the risk assessment process, users take a look at their organizations to:
Step 1. Identify the hazards
The first step in creating your risk assessment plan is determining what hazards your employees and your business face, including:
Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
Biological hazards (pandemic diseases, foodborne illnesses, etc.)
Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
Technological hazards (lost Internet connection, power outage, etc.)
Chemical hazards (asbestos, cleaning fluids, etc.)
Mental hazards (excess workload, bullying, etc.)
Interruptions in the supply chain
Take a look around your workplace and see what processes or activities could potentially harm your organization. Include all aspects of work, including remote workers and non-routine activities such as repair and maintenance. You should also look at accident/incident reports to determine what hazards have affected your company in the past.
Step 2. Determine who might be harmed and how
As you look around your organization, think about how your employees could be harmed by business activities or external factors. For every hazard that you identified in step one, think about who will be harmed should the hazard occur.
Step 3. Evaluate the risks and take precautions
Now that you have gathered a list of potential hazards, you need to consider how likely it is that each hazard will occur and how severe the consequences will be if it does. This evaluation will help you determine where you should reduce the level of risk and which hazards you should prioritize first.
Step 4. Record your findings
In some jurisdictions (the UK, for example) an employer with five or more employees is required by law to record the significant findings of the risk assessment. Your plan should include the hazards you have found, the people they affect, and how you plan to mitigate them. The record, or risk assessment plan, should show that you:
Conducted a proper check of your workspace
Determined who would be affected
Controlled and dealt with obvious hazards
Initiated precautions to keep risks low
Kept your staff involved in the process
Step 5. Review the assessment and update it if necessary
Your workplace is always changing, so the risks to your organization change as well. As new equipment, processes, and people are introduced, each brings the risk of a new hazard. Continually review and update your risk assessment to stay on top of these new hazards.
There are five core steps within the risk identification and management process:
Risk identification: The purpose of risk identification is to reveal what, where, when, why, and how something could affect a company's ability to operate.
Risk analysis: This step involves establishing the probability that a risk event might occur and the potential outcome of each event.
Risk evaluation: Risk evaluation compares the magnitude of each risk and ranks the risks by likelihood and consequence. An event with a higher probability of occurring and causing damage ranks higher.
Risk treatment: Risk treatment is also referred to as risk response planning. In this step, risk mitigation strategies, preventive measures, and contingency plans are created based on the assessed value of each risk.
Risk monitoring: Risk management is a continuous process that adapts and changes over time. Repeating and continually monitoring the process helps ensure maximum coverage of known and unknown risks.
III. THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
ISO 31000 is an international standard that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management that can be applied to different types of risk (financial, safety, project risks) and used by any type of organization. The edition described here is ISO 31000:2009, which sets out eleven principles; the standard was revised in 2018. According to these principles, risk management:
Creates value
Is an integral part of organizational processes
Is part of decision making
Explicitly addresses uncertainty
Is systematic, structured and timely
Is based on the best available information
Is tailored
Takes human and cultural factors into account
Is transparent and inclusive
Is dynamic, iterative and responsive to change
Facilitates continual improvement and enhancement of the organization
The organization’s risk management process should involve the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
Figure 5: The ISO 31000 risk management
The main purpose of the risk management process is to enable the organization to assess the existing or potential risks it may face, evaluate those risks by comparing the results of risk analysis with the established risk criteria, and treat them using the risk treatment options. The organization should use this process as part of its decision making. The fundamental processes that together make up the full risk management process are:
Establishing the context: When establishing the context, the organization needs to consider its external environment (political, social, etc.) and internal environment (objectives, strategies, structures, ethics, discipline, etc.). The organization's context must be understood before the full range of risks can be identified. While establishing the context, the organization should define the purpose and scope of its risk management activities and determine the objectives of the risk management process and the specific objectives of risk assessment. It should also define the scope and boundaries of the risk management process and identify all the constraints that affect that scope. After identifying the constraints, the organization should define the risk criteria that will be used throughout the process. This is the key consideration that most security risk management practitioners fail to appreciate: an effective plan requires a full understanding of the internal organizational makeup and of the business objectives to be achieved or maintained. The external environment in which the organization operates is just as important to understand. A fully informed picture of all upstream and downstream stakeholders provides a richer contextual foundation on which to build a strong treatment plan and to define risk criteria that reflect the organization's values and objectives.
Risk identification: The identification of risks should be a formal, structured process that covers risk sources, events, their causes and their potential consequences. Simply put, risk identification is the creation of a comprehensive list of the risks (both internal and external) that the organization faces; it can draw on sources such as historical data, theoretical analysis, expert opinion and stakeholders' needs. The risk identification process enables the organization to identify its assets, risk sources, risk events, existing measures and consequences. Having identified these elements, the organization is ready to begin risk analysis.
Risk analysis: The organization should analyze each risk identified in the previous step. Based on the level of risk determined by the analysis, the organization can decide whether the risk is acceptable. If the risk turns out to be unacceptable, the organization can take action to modify it so that it falls within the acceptable level. The organization should use a formal technique to consider the consequence and likelihood of each risk; these techniques can be qualitative, semi-quantitative, quantitative, or a combination, depending on the circumstances and the intended use.
owners, control assurance, taking on board new information that becomes available, and learning lessons about risks and controls from the analysis of successes and failures.
While all organizations manage risk to some degree, ISO 31000 establishes the eleven principles outlined above that need to be met for effective risk management. The principles provide guidance on:
The rationale for managing risk effectively (e.g., risk management creates and protects value).
The characteristics of risk management that enable it to be effective (e.g., the second principle, which specifies that risk management is an integral part of all organizational processes).
In ISO 31000, each principle is summarized in a few words by its heading, with the supporting text providing explanation and detail. All eleven principles should be kept in mind when designing the organization's risk management objectives, even though the significance of individual principles may vary according to the part of the framework under consideration and should be tailored to the specific application. The successful implementation of these principles determines both the effectiveness and the efficiency of risk management in the organization. Although the principles are expressed succinctly, the implications of each need to be thoroughly understood in order to give effect to them on a continuing basis. The results of this kind of analysis should then be reflected in the design or enhancement of the framework (e.g., in the allocation of accountabilities, provision of training, communication with stakeholders, and the design of ongoing monitoring and review of risk management performance).
Applying the standard helps an organization to:
Actively improve operational efficiency and governance.
Build stakeholder confidence in its use of risk techniques.
Apply management system controls to risk analysis to minimize losses.
Improve management system performance and resilience.
Respond to change, improve efficiency and protect the business as it grows.
Scope of application of the project
The project focuses on fully applying the requirements of ISO 31000 in the following departments and production units of the "Wheelie good" company: the Human Resources Department, the Administration Department, the Testing Room, the Logistics Department, and the workshop making bicycle parts.
Method and content of project implementation
Method of implementation: The implementation method is mainly practice-based; the steps described below are largely concerned with the initial assessment, corporate training, practising the risk management system, performance evaluation and improvement. The theoretical basis of this method is the PDCA cycle (plan; do; check/evaluate; act/improve). In this method, the project team works directly with business representatives to practise improvement tools on site, measuring results before and after improvement to determine quantitatively how much has been gained.
Implementation content
Step 1. Contact the business and survey and assess the situation. Business activities:
IV. DATA PROTECTION PROCESSES AND REGULATION AS APPLICABLE TO AN ORGANIZATION (P6)
Data protection is the process of safeguarding personal data. It concerns the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. It aims to balance individual privacy rights against the legitimate use of data for business purposes.
Figure 6: Data protection
The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. Broadly, the seven principles are:
Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently. Fairness and transparency mean the data must not be used in ways the data subject would not expect, and any sale or transfer of the data must itself have a lawful basis. The core requirement of data protection law is that data is collected and processed in accordance with the legal process.
Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the