ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Student Name: Hồ Ngọc Khánh
Student ID: GCS
Class: GCD0901
Assessor name: Trần Trọng Minh

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Khanh
- A. Discuss risk assessment procedures (P5)
  - I. Security Risk
  - II. Assets, threats and threat identification procedures
    - Assets
    - Threat and threat identification procedures
  - III. Explain risk assessment procedure
  - IV. List risk identification steps
- B. Explain data protection processes and regulations as applicable to an organization (P6)
  - I. Data protection and data protection in organizations
  - II. Why are data protection and security regulation important?
- C. Design and implement a security policy for an organization (P7)
  - I. Security policy
  - II. The "must" and "should" must exist while creating a policy
  - III. Elements of a security policy
  - IV. The steps to design a policy
  - V. Security policy for Wheelie Good
  - I. Business continuity
  - II. The components of recovery plan (Riskology, 2020)
  - III. All the steps required in disaster recovery process (Anon., 2010)
  - IV. Policies and procedures that are required for business continuity
- E. References

FIGURES AND TABLES
- Figure 1: SECURITY RISK
- Figure 2: SECURITY THREATS
- Figure 3: EXAMPLE OF ATTACK TREE
- Figure 4: A VULNERABILITIES SCANNER
- Figure 5: DATA PROTECTION
- Figure 6: BUSINESS CONTINUITY
A. Discuss risk assessment procedures (P5)
I. Security Risk
DEFINITION: A security risk assessment discovers, analyzes, and implements critical application security protocols. It is also concerned with preventing application security flaws and vulnerabilities. (Anon., 2020)

A risk assessment enables an organization to view its application portfolio holistically—from the perspective of an attacker. It supports managers in making knowledgeable decisions about resource allocation, tools, and security control implementation. As a result, completing an assessment is an essential component of an organization's risk management strategy. (Anon., 2020)

Figure 1: SECURITY RISK

HOW TO DO RISK ASSESSMENT (Anon., 2019)

1. Identify the hazards
2. Decide who might be harmed and how
3. Evaluate the risks and decide on control measures
4. Record your findings
5. Review your assessment and update as and when necessary
Physical security is the safeguarding of persons, hardware, software, networks, and data from physical acts and events that might result in severe loss or harm to a company, agency, or institution. This covers fire, flood, and natural catastrophe protection, as well as burglary, theft, vandalism, and terrorism. While most of these are covered by insurance, physical security's emphasis on damage prevention saves time, money, and resources that would otherwise be wasted as a result of these incidents. (Cobb, 2020)
- Services asset
  - Outsourced computing services provided to the organization.
  - Communication services, such as voice communication, data communication, value added services, wide area networks, and so on.
  - Environmental conditioning services, such as heating, lighting, air conditioning, and power.
2. Threat and threat identification procedures
DEFINITION: A security threat is a hostile act committed with the intent of corrupting or stealing data, or of destroying an organization's systems or the entire company. A security incident is an occurrence in which a company's data or network may have been compromised, that is, an occurrence that results in a data or network vulnerability. (Rosencrane, 2018)

Figure 2: SECURITY THREATS
THREAT IDENTIFICATION PROCEDURES:
Threat identification and evaluation entails learning about threat sources and vulnerabilities, as well as evaluating the potential for exploitation. This is notably more concentrated than the risk identification method outlined in the booklet's "Risk Identification" section. Threat identification and assessment information should be designed to drive protective and detective strategies and tactics in risk assessment and response. The rules, regulations, and procedures of the information security program, as well as the implementing technologies, are all part of the strategies. Threat signatures used for incident prevention and identification of threat behaviors are examples of strategies. (Anon.,
- Hostile physical or cyber attacks.
- Human errors, whether of omission or of intent.
- Failures of organizationally controlled resources (e.g., hardware, software, and environmental controls).
- Natural and man-made disasters, accidents, and failures beyond the organization's control.
III. Explain risk assessment procedure
RISK ASSESSMENT PROCEDURE
- Asset identification
  - Inventory the assets. Inventory assets are completed items, components, or raw materials that an organization wants to sell. In accounting, a company's inventory is recorded as a current asset on its balance sheet. In manufacturing, inventory assets act as a buffer in the event of a surge in demand.
  - Record asset attributes
  - Determine the asset's relative value
- Threat identification
  applications. It's worth noting that the same technology may be used proactively by system administrators as well as maliciously by cyber attackers.

Figure 4: A VULNERABILITIES SCANNER

- Risk assessment
  - Estimate the impact of the vulnerability on the organization. All facilities face some level of danger from numerous threats. These risks may be the consequence of natural occurrences, accidents, or malicious activities intended to do harm. Regardless of the nature of the hazard, facility owners must restrict or manage the risks posed by these threats to the greatest degree practicable.
  - Calculate loss expectancy
  - Estimate the probability that the vulnerability will be exploited. We discovered that there is a lot of interest in applying probability in more traditional risk analysis. This part introduces some fundamental ideas of probability and demonstrates how to incorporate probability into process operations.
  - Decide what to do with the risk
IV. List risk identification steps
The process of detecting and identifying vulnerabilities to a company, its operations, and its employees is known as risk identification. Assessing IT vulnerabilities such as malware and ransomware, as well as accidents, natural catastrophes, and other highly harmful occurrences that might interrupt company operations, are examples of risk identification. (Anon., 2019)
1. Risk Identification: The objective of risk identification is to establish what, where, when, why, and how something could influence a company's capacity to function.
2. Risk Analysis: This phase entails evaluating the probability of a risk event occurring as well as the possible results of each incident. Using the California wildfire as an example, safety managers might evaluate how much rain has fallen in the last 12 months and the level of damage the firm could suffer if a fire breaks out.
3. Risk Evaluation: In risk evaluation, the size of each vulnerability is compared and ranked according to prominence and consequence. For example, the consequences of a potential wildfire may be assessed against the implications of a potential mudslide.
4. Risk Treatment: Risk treatment is also known as risk response planning. Based on the estimated value of each risk, risk mitigation measures, preventative services, and contingency plans are developed in this phase.
5. Risk Monitoring: Risk management is a never-ending procedure that evolves and develops over time. Repeating and constantly monitoring the procedures helps ensure that all known and unknown threats are covered.
Any processing of personal data must be lawful and fair. Individuals should be aware that personal data about them is being collected, used, consulted, or otherwise processed, as well as the extent to which the personal data are or will be processed.
- Purpose Limitation: Personal data should only be gathered for specific, explicit, and legitimate purposes, and should not be processed in a way that is incompatible with those purposes.
- Data Minimization: Personal data processing must be adequate, relevant, and limited to what is necessary for the purposes for which the data are processed.
- Accuracy: Controllers must ensure that personal data are accurate and, where necessary, kept up to date, taking all reasonable steps to ensure that personal data which are inaccurate, in relation to the purposes for which they are processed, are erased or rectified as soon as possible.
- Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality.
- Accountability: Controllers must take responsibility for their processing of personal data and for how they comply with the GDPR, and they must be able to demonstrate compliance (through suitable records and procedures).

DATA PROTECTION PROCESS IN AN ORGANIZATION

1. Risk Assessments
The riskier the data, the more the security required. Sensitive data should be protected as much as possible, whereas low-risk data can be granted less security. The main rationale for these evaluations is the financial benefit since stronger data security means higher costs.
2. Backups: Backups are a way of preventing data loss, which can occur as a result of user mistake or technological failure. Low-importance data does not need to be backed up as frequently as sensitive data. Tape storage technologies are still (by two-thirds) less expensive than hard drives.
3. Encryption: High-risk data should be encrypted at every step of the process. Data that has been properly encrypted is fundamentally safe; even in the event of a data breach, the data will be worthless and irrecoverable to attackers. The GDPR specifically mentions encryption as a technique of data security.
4. Pseudonymization: Pseudonymization is another method advised in the GDPR that improves data security and individual privacy. It works effectively with bigger data sets and consists of removing identifiable information from data records. In the event of a breach of pseudonymized data, the notification obligations are drastically eased.
5. Access Controls: The fewer people who have access to the data, the lower the danger of (inadvertent) data leak or loss. Maintain a regular schedule of data handling training courses and refreshers. Create a data protection policy that is clear and unambiguous.
6. Destruction: For sensitive data, on-site data deletion is recommended. Degaussing is the most common method for destroying hard drives. Paper documents, CDs, and tape drives are shredded into small fragments. Encrypted data may be readily rendered unrecoverable by destroying the decryption keys.
of your security measures. This type of monitoring allows you to discover whether someone is attempting to avoid your precautions. (Anon., 2016)

EXAMPLE OF EACH POLICY:
- Access policy
  - Access to resources is restricted depending on work requirements.
  - IT user roles are defined by IT system characteristics and the IT management organization.
  - The IT role set must have at least three degrees of data access: no access, read-only, and read-write.
- Password management
  - Passwords for access must be updated at least twice a year.
  - System, network, and other administrative passwords must be written down and kept in a safe.
- Cryptography policy
  - Only secure connections, such as VPN connections, SSL/HTTPS connections, and encrypted mail messages, may be used to access internal network resources over the public network and to transmit private data across the public network.
  - All confidential data on computers transported beyond the corporate perimeter (laptops, home employees' PCs), as well as all confidential data on hard drives, must be encrypted. Encryption keys must be replicated and stored in a secure location.
  - For symmetric encryption, the minimum permissible key length is 256 bits.
- Logging and log reviewing policy
  - Logs must be able to distinguish between authorized and unauthorized attempts to access resources, and must record the exact time and location of origin of each attempt.
  - A random system and networking log check must be done at least once a week, following the corresponding occurrences.
  - All logs must be kept for a minimum of four weeks.
- Removal policy
  - All unneeded paper documents containing confidential data (see 4.1.2.1-4.1.2.6) must be destroyed.
  - Retired and/or abandoned archival storage media must be physically destroyed.
  - Secure deletion must be used to remove state secrets or highly sensitive data from disk.
- Work environment
  - Before being used, new software must be evaluated and proven to be acceptable.
  - No real data may be used for testing and demonstrations.
- Legality policy
  - All assets must be legitimately obtained.
  - All uses of assets must be legal.
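As an added example (not part of the assignment), the following Python sketches how the access policy's three degrees of data access and the logging policy above could be implemented together: each attempt is logged with its outcome, exact time and origin, the weekly review separates authorized from unauthorized attempts, and purging respects the four-week minimum retention. The roles, resources and log entries are constructed for the demonstration.

```python
"""Added example: three-level access decisions feeding a reviewable log.
All roles, resources, users and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# The three degrees of data access the access policy requires.
NO_ACCESS, READ_ONLY, READ_WRITE = 0, 1, 2
# Constructed role matrix: role -> resource -> access level.
ROLE_ACCESS = {
    "hr-clerk": {"payroll": READ_ONLY},
    "hr-manager": {"payroll": READ_WRITE, "contracts": READ_ONLY},
}
REQUIRED = {"read": READ_ONLY, "write": READ_WRITE}
RETENTION = timedelta(weeks=4)  # minimum retention from the logging policy

def check_access(role, resource, action):
    """True only if the role's level on the resource covers the action."""
    level = ROLE_ACCESS.get(role, {}).get(resource, NO_ACCESS)
    return level >= REQUIRED[action]

def log_attempt(log, when, origin, user, role, resource, action):
    """Record the attempt with outcome, exact time and origin; return decision."""
    allowed = check_access(role, resource, action)
    log.append({"time": when, "origin": origin, "user": user,
                "resource": resource, "action": action,
                "outcome": "PERMITTED" if allowed else "DENIED"})
    return allowed

def review(log):
    """Split the log into permitted and denied attempts for the weekly check."""
    permitted = [e for e in log if e["outcome"] == "PERMITTED"]
    denied = [e for e in log if e["outcome"] == "DENIED"]
    return permitted, denied

def purge(log, now):
    """Drop only entries older than the four-week minimum retention."""
    return [e for e in log if now - e["time"] < RETENTION]

NOW = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock

def demo():
    """Three constructed attempts: one allowed, one denied, one past retention."""
    log = []
    log_attempt(log, NOW - timedelta(days=1), "10.0.0.5", "alice", "hr-clerk", "payroll", "read")
    log_attempt(log, NOW - timedelta(days=2), "10.0.0.9", "bob", "hr-clerk", "payroll", "write")
    log_attempt(log, NOW - timedelta(days=30), "10.0.0.7", "carol", "hr-manager", "payroll", "write")
    permitted, denied = review(log)
    return permitted, denied, purge(log, NOW)

if __name__ == "__main__":
    permitted, denied, kept = demo()
    for e in denied:  # the entries the weekly review should look at first
        print(f"{e['time'].isoformat()} DENIED {e['user']} from {e['origin']} "
              f"{e['action']} {e['resource']}")
    print(f"{len(kept)} of {len(permitted) + len(denied)} entries within retention")
```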
II. The “must” and “should” must exist while creating a policy
THE "MUST" WHICH EXIST TO CREATE A POLICY

- Be able to put it into action and enforce it. Security policies are directive in character, guiding and governing staff conduct. It is critical that everyone, from the CEO to the newest member of staff, follows the policies. Users must be exposed to security policies numerous times before the message sinks in and they comprehend the policy's "why." Many security policies state that noncompliance can result in administrative proceedings up to and including termination of employment. If the policy is not enforced, employee behavior is not steered toward productive and secure computer habits.
- Be succinct and simple to grasp.
- Protect yourself whilst being productive.

THE "SHOULD" WHICH EXIST TO CREATE A POLICY

  - Storage places such as on-premises and cloud
  - Devices such as Internet of Things (IoT) devices, routers, and switches
  - Accounts and access for users, including regular and privileged accounts
- Establish a cybersecurity policy. Your cybersecurity policy is a written document that describes your organization's best practices in terms of cybersecurity. Before creating your policy, your company should do a risk assessment to determine the measures that will be employed to manage cyber risk.
- Continuously monitor controls. Malicious actors' threat techniques are always evolving, which means that the measures you put in place today may not defend your environment tomorrow. To safeguard your business and demonstrate that you are doing all you can, you must constantly review your cybersecurity controls.
- Create an incident response process. Data security incidents are unavoidable in today's cybersecurity landscape. Creating, testing, and assessing your incident response protocols demonstrates that you are taking the necessary steps to become resilient.
- Create an audit trail. Your audit trail is the evidence that proves your company is doing what it claims it is doing. Almost every cybersecurity or privacy regulation requires firms to have their programs evaluated independently.

SEPARATION OF DUTIES: A separation of duties policy may contain multiple rules. Two or more roles must be specified for each rule. The number of roles to which a user can belong is determined by the number of roles allowed by the rule, and the number of coexisting roles must be one less than the total number of roles in the list.

You might, for example, define a rule that makes procurement and order approval mutually exclusive. The rule's allowable number of roles must be one, meaning that a user can hold only one of those roles. If you add further roles, such as invoicing and finance, you can allow up to three, so each user can hold three of the roles, each with its own set of system capabilities. (Anon., 2021)
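The rule described above, as an added example rather than anything from the assignment or its cited source: a separation-of-duties rule lists two or more roles and allows one fewer coexisting roles than it lists, so a user violates it by holding every role in the list. The rule and user names are constructed.

```python
"""Added example: checking role assignments against separation-of-duties
rules whose allowed count is one less than the roles they list.
Rules, users and role names are constructed for the demonstration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    roles: frozenset

    def __post_init__(self):
        # The policy requires two or more roles per rule.
        if len(self.roles) < 2:
            raise ValueError("a separation-of-duties rule needs at least two roles")

    @property
    def allowed(self):
        # Coexisting roles permitted: one less than the number listed.
        return len(self.roles) - 1

def violations(user_roles, rules):
    """Return the rules that the user's role set violates (in rule order)."""
    held = set(user_roles)
    return [r for r in rules if len(held & r.roles) > r.allowed]

def audit(assignments, rules):
    """Map each user to the rules they violate; an empty list means compliant."""
    return {user: violations(roles, rules) for user, roles in assignments.items()}

# Constructed rules: the two-role rule from the text (allowed = 1) and the
# extended four-role rule with invoicing and finance added (allowed = 3).
TWO_ROLE = SodRule(frozenset({"procurement", "order-approval"}))
FOUR_ROLE = SodRule(frozenset({"procurement", "order-approval", "invoicing", "finance"}))

ASSIGNMENTS = {  # constructed role assignments
    "alice": {"procurement"},
    "bob": {"procurement", "order-approval"},
    "carol": {"procurement", "invoicing", "finance"},
    "dave": {"procurement", "order-approval", "invoicing", "finance"},
}

if __name__ == "__main__":
    for user, broken in audit(ASSIGNMENTS, [TWO_ROLE, FOUR_ROLE]).items():
        status = "OK" if not broken else f"violates {len(broken)} rule(s)"
        print(f"{user}: {status}")
```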
- Require that the person responsible for information security report to the chairman of the audit committee.
- Use a third party to monitor security, conduct surprise security audits, and execute security testing, reporting to the board of directors or the audit committee chairman.
- Have the person in charge of information security (CISO) report to the board of directors.
- Allow the person in charge of information security (CISO) to report to internal audit, as long as internal audit does not report to the executive in control of money, such as the CFO.

NEED TO KNOW: One of the most effective ways to keep information private is to control who has access to it. Only employees whose job functions depend on knowing the material are granted access.
- Acceptable Encryption and Key Management Policy
- Acceptable Use Policy
- Clean Desk Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Personnel Security Policy
- Data Backup Policy
- User Identification, Authentication, and Authorization Policy
- Incident Response Policy
- End User Encryption Key Protection Policy
- Risk Assessment Standards and Procedures
- Remote Access Policy