ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:
Student Name Kiều Hoàng Nam Student ID Class 1004 Assessor name GCH200483

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student’s signature

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback: Grade: Lecturer Signature: Resubmission Feedback: Assessor Signature: Date:

Table Of Contents

Task 1 – Discuss risk assessment procedures (P5)
  I. Define a security risk and how to do risk assessment
  II. Define assets, threats, and threat identification procedures, and give examples
  III. List risk identification steps
  IV. Explain the risk assessment procedure
Task 2 – Explain data protection processes and regulations as applicable to an organization (P6)
  I. Define data protection
  II. Explain data protection process in an organization
  III. Why are data protection and security regulation important?
  IV. Give examples of some data protection law or policies
Task 3 – Design and implement a security policy for an organization (P7)
Task 4 – List the main components of an organizational disaster recovery plan, justifying the reasons for inclusions (P8)
  I. Discuss with explanation about business continuity
  II. List the components of recovery plan
  III. Write down all the steps required in disaster recovery process
  IV. Explain some of the policies and procedures that are required for business continuity
References

Introduction

After assignment 1, we already knew about organizational security concerns, security processes, and some strategies and instruments for dealing with threats. In assignment 2, we begin learning about risk assessment, security policies in businesses, and disaster recovery plans, as well as how to create a strategy to cope with threats.

Task 1 – Discuss risk assessment procedures (P5)

I. Define a security risk and how to do risk assessment

1. Definition of Security Risk Assessment

A security risk assessment identifies, assesses, and implements crucial security controls in software. It also emphasizes preventing vulnerabilities in application security. A risk assessment gives a business the ability to look at its application portfolio holistically—from the perspective of a competitor.
It aids managers in making informed choices on the use of tools, resources, and security control implementation. Completing an evaluation is therefore a crucial part of a company's risk management strategy.

2. How does a security risk assessment work?

When a business is short on resources like time or money, it could do broad analyses. Broad analyses, however, might not always provide accurate mappings between assets, linked threats, known risks, consequences, and mitigation measures. Size, growth rate, resources, and asset portfolio are some aspects that affect how in-depth risk assessment models are.

3. How to do risk assessment?

Identification: Identify all the key components of the technological infrastructure. Next, look at the sensitive data that these assets produce, store, or communicate. Create risk profiles for all of them.

Assessment: Determine how to effectively and efficiently devote time and money to risk reduction by evaluating key assets. The evaluation technique or methodology must look at how assets, threats, vulnerabilities, and mitigating controls are related to one another. Implement a plan for evaluating the security risks to important assets.

Mitigation: For each risk, specify a risk mitigation strategy and implement security measures.

Prevention: Implement techniques and technologies to lessen the possibility of threats and vulnerabilities affecting the resources of your company.

II. Define assets, threats, and threat identification procedures, and give examples

1. What’s an asset?

Any significant information, apparatus, or other system component of an organization is considered an asset, usually because it contains sensitive information. A worker's laptop, desktop computer, or company phone, and the software on them, would all be regarded as assets. Critical infrastructure, such as servers and support systems, is also a valuable asset.

Information assets, or the private information you possess, are the most common assets of a business.
An analogous concept is the "information asset container," which is the location where the information is kept. In the case of databases, this is the program that was used to build the database. For physical files, it would be the filing cabinet in which the information is stored.

2. What’s a threat?

Any event that can negatively affect an asset, such as if it is misplaced, knocked offline, or accessed by an unauthorized person, is considered a threat. Threats can involve illicit hacking or insider theft and might be intentional or accidental. Accidental threats include, but are not limited to, employee error, technological failure, or physical harm from a fire or other natural disaster.

3. Threat Identification

The threat identification technique examines IT problems and assesses their risk to your system. It is an essential component of your company's risk management approach. Detecting threats allows your business to take preemptive actions. You'll learn how to keep undesirable users out of your system and avoid security breaches. Ward IT Security Consulting Group provides the specialized knowledge and experience necessary for effective threat identification (Group, 2021).

III. List risk identification steps

Interviews: Choose essential stakeholders. Prepare for the interviews. Define precise inquiries. Keep a record of the interview outcomes (Hall, 2021).

Brainstorming: I won't go into the rules of brainstorming here. However, I would make the following proposal. Prepare your brainstorming questions ahead of time. Here are some of the questions I like to ask:
• Project objectives: What are the most important risks associated with (project objective, which might be time, money, quality, or scope)?
• Project tasks: What are the most serious risks associated with (tasks like requirements, coding, testing, training, and implementation)?

Checklists: Determine whether your organization has a list of the most common threats. If not, you may wish to create one.
Conduct a post-project review after each project to identify the most critical risks. This list can be used for future projects. While checklists are important, no checklist can cover all of the risks (Hall, 2021).

Assumption Analysis: An assumption is defined by the Project Management Body of Knowledge (PMBOK) as "factors that are assumed to be true, actual, or certain without proof or demonstration." Assumptions may be dangerous. Project managers should ask stakeholders, "What assumptions do you have about this project?" Document these assumptions as well as the risks associated with them (Hall, 2021).

Cause and Effect Diagrams: These diagrams are very effective. This fundamental method can help project managers discover causes—facts that give rise to hazards. Furthermore, by addressing the underlying causes, we may reduce or eliminate the dangers (Hall, 2021).

Nominal Group Technique: The Nominal Group Technique (NGT) is foreign to many project managers. It's a whole new level of brainstorming. The feedback is compiled and prioritized. NGT generates a prioritized list of risks (Hall, 2021).

Affinity Diagram: This practice is enjoyable, creative, and helpful. Participants are invited to generate risk ideas. I have each person write each danger on a sticky note. The hazards are then classified by the participants. Finally, each group is given a name (Hall, 2021).

IV. Explain the risk assessment procedure

Risk assessments are critical because they are a component of an occupational health and safety management strategy. They help to:
• Raise awareness of potential dangers and risks.
• Determine who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
• Determine if a control program is needed for a certain danger.
• Determine if current control measures are adequate or whether more should be done.
• Prevent injuries or diseases, which is especially important when done at the design or planning stages.
• Determine the importance of dangers and control measures.
• Meet all necessary legal requirements.

Task 2 – Explain data protection processes and regulations as applicable to an organization (P6)

I. Define data protection

Data protection is the process of guarding against the corruption, compromise, or loss of important data. As the amount of data created and preserved rises at unprecedented rates, the necessity for data protection grows. Downtime is tolerated to a limited extent, making access to essential information difficult. A key component of a data security strategy is ensuring that data can be retrieved quickly after it has been damaged or lost.

II. Explain data protection process in an organization

1. Media failure

Synchronous mirroring is one method for concurrently writing data to a local disk and a remote location. The write is not considered complete until a confirmation from the remote site is received, guaranteeing that the two sites are always identical. Mirroring requires a full capacity overhead and may result in data loss.

RAID protection is a less costly alternative with fewer overhead requirements. RAID stores the same data on many disks in different places. As a result, I/O activities overlap in a balanced way, improving performance and security.

Advanced RAID controllers do not need to read the entire disk to recover data. In scale-out storage situations, erasure coding is a common alternative to advanced RAID. With erasure coding, all nodes in a storage cluster can participate in the replacement of a failed node.

Another type of data protection is replication, which involves copying data from one node to another or from several nodes. It takes up at least twice the space of the protected data.

2. Data corruption

Most storage systems nowadays can track hundreds of snapshots without significantly hurting performance. This technology enables regular snapshots to be preserved for extended periods of time.
With this technique, only a small amount of data is lost, and recovery time is almost instant. When data is accidentally damaged or erased, a snapshot can be mounted and the contents transferred back.

3. Storage system failure

With snapshot replication, only changed data blocks are copied from the primary storage system to an offsite secondary storage system. To protect themselves against recurrent disk failures or other extreme occurrences, data centers rely on replication solutions based on snapshots. Snapshot replication is also used to back up data to a secondary storage system in case the first storage system fails.

4. Full-on data center failure

Businesses have several options for securing their data in the event of a data center failure. One technique is snapshot replication, which replicates data to a backup server, although the cost might be too high. A company can use replication in conjunction with cloud backup products and services to maintain the most recent copies of essential data.

III. Why are data protection and security regulation important?

A disk or tape backup is a type of data storage technique that transmits data to a disk-based storage array or a tape cartridge. Tape backup is an effective option for protecting data from cyber dangers. Although access to tapes is slow, they are portable and intrinsically offline when not placed in a drive, making them immune to network attacks. Mirroring enables organizations to create an exact clone of a website or files so that they may be accessed from many places.

Storage snapshots can automatically generate a collection of pointers to information preserved on tape or disk, allowing for faster data recovery, whereas continuous data protection (CDP) backs up all data in an organization whenever a change is made.

IV. Give examples of some data protection law or policies

GDPR law.

• GDPR stands for General Data Protection Regulation. This regulation requires businesses to secure the personal data and privacy of EU citizens in transactions between EU member states. The process of complying with GDPR will bring many problems for the security teams of enterprises. For example, the elements that make up the GDPR term "personally identifiable information" are much broader, including personal IP addresses or cookie data. Of course, there are many requirements in the GDPR that are not directly related to information security. However, system and process changes will more or less affect existing security protocols and systems.

• Why was GDPR born? Because of privacy requirements and concerns.

• What types of privacy does GDPR protect?
- Basic identification information such as name, address, ID number
- Browsing data, such as location, IP address, cookies and RFID tags
- Health and genetic information
- Biometric data
- Race/ethnicity
- Political views
- Sexual orientation

Task 3 – Design and implement a security policy for an organization (P7)

I. Define a security policy

A security policy is a written document that defines how to protect an organization against risks such as computer security threats and how to deal with problems when they develop (Techopedia, 2017).

A security policy must identify all of a company's assets as well as any potential hazards to those assets. Employees must be kept up to date on the company's security practices. Policies should also be amended on a frequent basis (Techopedia, 2017).

II. Give the steps to design a policy

There are several current tools and strategies to help the Open Policy Making process; however, this Toolbox focuses on a novel approach - utilizing open data to accelerate the collecting of policy evidence and the time to policy implementation. This is accomplished by employing sophisticated policy visualizations.
The process begins with four important phases in the policy design cycle: 1) issue definition, 2) policy development, 3) scenario analysis, and 4) decision.

Step 1: Problem setting

The first stage in policy design is to formulate the issue to be addressed in order to legitimize it as a community-identified concern. Typically, the public raises a problem in response to a need or a gap in service delivery. The investigation of current policies to identify how they have dealt with the problem/issue to date is therefore a useful starting point. Furthermore, identifying the stakeholders and actors affected by the issue aids in understanding the magnitude of the problem and who to involve in collaborative problem solving (PoliVisu, 2019).

Among the key actions are:
• Analyzing existing policies and their consequences in order to determine their efficacy in dealing with the problem;
• Identifying important stakeholders and, if feasible, their perspectives;
• Finding a link between the problem and a likely cause;
• Developing the problem's quantitative components - 1) problem description, 2) overall policy goals, 3) particular policy objectives

Step 2: Problem formulation

Once the problem has been recognized, the hypotheses have been proven, and the aims and objectives have been determined and communicated to the greater community, policy formation may begin. Policy formulation seeks to identify and mobilize a set of solution alternatives in connection to the issue, as well as to assess which option is most suited to handle the problem in light of available resources and existing restrictions. The creation of scenarios (both written and visual) can aid in the comprehension and development of alternate methods and actions (PoliVisu, 2019).
The primary activities are as follows:
• Defining pertinent tactics - closely tied to political decisions
• Defining potential actions - operationalization of strategy
• Calculating the effect - the probable systemic consequences of adopting the choices approach

Step 3: Scenario analysis

Once scenarios are created to reflect several policy alternatives for dealing with the identified problem, the optimal option in terms of strategies and actions may be selected. Scenario analysis also includes the (re)tuning of current policy acts, which is done through short experiments (pilot tests) and public debate. On-the-ground experiments often aim to test various solutions on a small scale in order to determine potential implications, which may be a time-consuming and costly operation. In many circumstances, it may be possible to simulate visualisations for various policy alternatives in order to investigate the implications digitally, for example, anticipating how traffic flow and density will vary when road access changes, or how public transportation will cope with demand surges (PoliVisu, 2019).

The following are the primary actions associated with scenario analysis:
• Identifying the most effective tactics;
• Identifying the optimal actions;
• Impact estimation

Step 4: Decision

To make a decision, a clear description of the problem, the policy and its scenario, and public acceptance of the policy must be prepared for presentation and discussion within the public unit accountable for the decision. The process narrative is relevant to the decision: how the problem was explored, how data was collected and used, how goals and objectives were identified and translated into strategies and actions, how impacts were simulated and computed, why some options were preferred over others, and what the public's contribution to the entire process was.
The policy implementation cycle can begin after a decision has been taken and the policy is ready to be converted into an implementation plan (PoliVisu, 2019).

(Figure: the entire procedure)

III. Elements of a security policy

Purpose: First, state the policy's goal, which might be to:
• Create a robust data security plan (Cassetto, 2019).
• Detect and avoid data security breaches, such as network, data, application, and computer system misuse (Cassetto, 2019).
• Maintain the reputation of the company while adhering to ethical and legal responsibilities (Cassetto, 2019).
• Respect consumer rights, including how to handle noncompliance inquiries and complaints (Cassetto, 2019).

Audience: Define the target audience for the information security policy. You may also define which audiences are not covered by the policy (for example, employees in another business unit that controls security separately may not be covered by the policy) (Cassetto, 2019).

Information security objectives: Assist your management team in developing a clear strategy and security goals. The three primary purposes of information security are as follows:
• Only authorized people should have access to data and information assets (Cassetto, 2019).
• Integrity means that data must be complete, accurate, and undamaged, and that IT systems must continue to function (Cassetto, 2019).
• Users should have access to information or systems anytime they require it (Cassetto, 2019).

Authority and access control policy: In a hierarchical system, a senior manager may be able to select what data may be shared and with whom. The security policy of a senior manager may differ from that of a junior employee. The policy should specify the amount of accountability for data and IT systems for each organizational role (Cassetto, 2019).
According to network security policy, users can only access company networks and servers through unique logins that need authentication, such as passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts (Cassetto, 2019).

Data categorization: The policy should categorize data into categories such as "top secret," "secret," "confidential," and "public." Your goal in data classification is:
• To prevent those with lesser clearance levels from accessing sensitive data.
• To safeguard critical data while avoiding unnecessary security procedures for inconsequential data.

Data support and operation: When storing personal or other sensitive data, data protection rules—organizational standards, best practices, industry compliance requirements, and associated regulations—must all be followed. Most security standards require encryption, a firewall, and anti-malware protection (Cassetto, 2019).

Encrypt backup data in line with industry best standards. Backup media should be stored securely, or backups should be relocated to a secure cloud storage site (Cassetto, 2019).

Data movement—only utilize secure data transfer protocols. Any data copied to portable devices or sent via a public network should be encrypted (Cassetto, 2019).

Security awareness and behavior: Your IT security practices should be communicated to your personnel. Provide personnel with training on your security rules and methods, such as data protection, access control, and sensitive data classification (Cassetto, 2019).
• Special consideration should be given to the risks of social engineering attacks (such as phishing emails). Employees must accept responsibility for recognizing, preventing, and reporting such attacks (Cassetto, 2019).
• Clean desk policy—protect PCs with a cable lock. Documents that are no longer required should be destroyed. Maintain a clean printer area to avoid documents getting into the wrong hands (Cassetto, 2019).
• Acceptable Internet usage policy—define how access to the Internet should be limited. Do you allow YouTube and other social media websites? Using a proxy, you may block undesired websites (Cassetto, 2019).

Responsibilities, rights, and duties of personnel: Appoint personnel to do user access checks, education, change management, incident management, security policy execution, and periodic updates. As part of the security policy, responsibilities should be clearly specified (Cassetto, 2019).

IV. Give best practices for creating a policy

Information and data classification: It determines the success or failure of your security effort. Because of a lack of understanding and data classification, your systems may be open to attacks. Furthermore, inadequate resource management may result in overhead costs. By developing a clear categorization approach, organizations may gain control over the deployment of their security assets (Cassetto, 2019).

IT operations and administration: These should collaborate in order to achieve compliance and security needs. Failure to collaborate between departments may result in configuration issues. To decrease risks, collaborative teams may coordinate risk assessment and identification across all departments (Cassetto, 2019).

Security incident response plan: During security incidents, it aids with the initiation of appropriate corrective actions. A security incident strategy serves as a road map for early threat detection, prioritization, and appropriate corrections (Cassetto, 2019).

SaaS and cloud policy: Gives explicit cloud and SaaS adoption standards to the firm, which can serve as the foundation for a unified cloud ecosystem. This strategy can help to reduce ineffective complexities and poor cloud resource use (Cassetto, 2019).
Acceptable use policies (AUPs): Help to avoid data breaches caused by misuse of organizational resources. Transparent AUPs assist all employees in making proper use of the firm's technology resources (Cassetto, 2019).

Identity and access management (IAM) regulations: Allow IT administrators to authorize systems and apps for the appropriate users, and teach workers how to use and generate passwords securely. A straightforward password strategy can help to prevent identity and access threats (Cassetto, 2019).

Data security policy: Defines the organization's technical operations and permissible usage in compliance with the Payment Card Industry Data Security Standard (PCI DSS) (Cassetto, 2019).

Privacy regulations: End-user privacy is protected by government-enforced legislation such as the General Data Protection Regulation (GDPR). Organizations that do not respect their users' privacy risk losing their power and being penalized (Cassetto, 2019).

Personal and mobile devices: The majority of enterprises have now moved to the cloud. Companies that enable employees to access company software assets from any location risk introducing risks through personal devices like laptops and cellphones. Creating a strategy for the proper security of personal devices can assist in the prevention of hazards associated with employee-owned assets (Cassetto, 2019).

V. Design a security policy

Security Policy of Wheelie Good

CHAPTER 1: GENERAL PROVISIONS

1. Objectives

The goal of this document is to guarantee that proper safeguards are in place to secure firm information and "Wheelie good"-owned or utilized information systems, services, and equipment known as Weeboo.
The Information Security Policy has the following objectives: To safeguard Weeboo's and its customers' property from theft, fraud, intentional or accidental damage, privacy or security breaches, and to protect "Wheelie good" and its customers from harm or liability arising from the use of its facilities or services for reasons other than those intended.

2. Scope

This policy applies to all Wheelie good workers, customers, and other associated individuals, however it is not utilized by "Wheelie good."

CHAPTER II: MAIN PROVISIONS

1. Staff, Customer and Associate Access

"Wheelie good" gives its workers and clients access to computing and communications services to help them with their commercial and administrative tasks, including email and/or Internet connection. When an employee or client is given a system login or password, they are accountable for the usage and security of that user ID as well as any actions linked with that ID.

2. Contract / Temporary Access

When temporary access is necessary for a specific reason, such as contract employees or 'test' accounts, the account's expiry date depends on the completion of the activities it is to be used for. The expiry date is used to guarantee that temporary account access is no longer available after that date.

3. Acceptable Usage

Identification of permissible (or inappropriate) network, communication, and Internet service usage.

4. Network Usage

Wheelie good delivers computer and communications services to workers, customers, and associates to support business and administrative solutions. The user undertakes to comply with all policies directly relevant to the use of these facilities by signing the required papers to get access to the Weeboo systems or accepting the compliance button online. Any infringement of these policies will be taken as such and may result in suspension of access rights or, in extreme situations, cancellation of the account / service.

5. Electronic Communications

“Wheelie good” encourages employees, customers and associates to make reasonable use of electronic communications to achieve their business and / or administrative tasks and goals. Weeboo encourages the use of electronic communication to share information, improve communication and exchange ideas. Given that the internet places a high value on conveying open ideas, including new and controversial ideas, Wheelie good's intention is to maximize the freedom of communication for further expansion purposes within a commune. Assembly, as long as no law is broken.

6. Internet Usage

"Wheelie good" encourages its workers, customers, and clients to utilize the internet to further their business's strategic and operational goals or administrative responsibilities. Weeboo promotes the use of the Internet for information sharing, communication improvement, and idea exchange. Improper use of Internet media, such as access to or publishing of discriminating, defamatory, offensive, or objectionable information, may produce or convey a poor image of Wheelie good.

7. Logical Security

Using computerized logic processes and controls to create a suitable environment to secure the integrity, availability, and security of "Wheelie good" and its customers' data.

8. Software Security

The access and protection of software packages given by and for use by Wheelie good's computer service infrastructure is directly connected to software security. User Accounts are offered to all Wheelie good system users in order to authenticate and allocate suitable access permissions to network facilities, including software solutions. Access to such network facilities and software is also restricted by secure passwords that must be changed on a regular basis.
All Wheelie good workers' PCs and laptops must be equipped with inactivity screen savers that require a unique password to resume the session and that activate after a maximum idle time of 10 minutes. Use an application deployment tool to allocate software packages suited for certain users. Individuals or organizations may be granted access to various applications and services based on their activities and requirements via their user accounts.

9. End-Point Security and Antivirus Software
All Wheelie good PCs and laptops must run antivirus software and automatically lock the machine after 10 minutes of inactivity. The operating system must be configured to update automatically so that regular vendor updates lessen the risk of operating system vulnerabilities. This is done to guarantee that the software is up to date against the most recent threats. There are also on-site anti-virus systems that scan all incoming email as well as emails that circulate within the firm.

10. Passwords
Those who want access to the Wheelie good computer system must be given a unique login and password. If this password is disclosed to or used by another person, it will be deemed a major breach of system security, which may result in account cancellation. Employee passwords must be complex. Complexity rules will include minimum password lengths, character restrictions, and acceptable password expiration periods.
Password reset requests can be performed with the authorization of an authorized customer contact point if access is needed to "Wheelie good" data or customer data that is stored under a specific user ID and password and the individual is not available to access the data due to unforeseen circumstances. This will be considered only after all other options for data access have been exhausted. When the necessary data access job is done, the password MUST be changed and the relevant person alerted as soon as possible.

11. Patch Management
The Central Patch Management Server is used to ensure that all systems and applications controlled by Wheelie good are always up to date. This service distributes any operating system and/or software upgrades necessary to resolve any known software vulnerabilities to Weeboo systems. These updates will be provided at the option of Wheelie good and will occur on a daily basis to reduce the risk of future zero-day vulnerabilities.

CHAPTER III: IMPLEMENTATION
The project begins in August 2022, with Kieu Hoang Nam in charge of implementation. If he violates the policy, he will be locked out of his account or, worse, fined between $100 and $200 for his actions.

Task 4 – List the main components of an organizational disaster recovery plan, justifying the reasons for inclusions (P8)

I. Discuss with explanation about business continuity

1. Definition
Business continuity refers to the ability to maintain vital functions during and after a catastrophe. The most basic necessity for business continuity is to keep important functions running during a crisis and to recover as quickly as feasible. A business continuity plan takes into account a wide range of unforeseen events, such as natural catastrophes, fires, disease outbreaks, and cyberattacks.
Business continuity is vital for businesses of all sizes, but sustaining all services for the duration of a crisis may be impossible for all except the largest corporations. The first step in business continuity planning is identifying which operations are vital and allocating available funds accordingly. Once key components have been identified, administrators can implement failover procedures.
Organizations are increasingly depending on technology to ensure that up-to-date copies of their data are available at locations other than the central data center. This enables continuous data access even if one site is unavailable, and it safeguards against data loss.

2. Why is business continuity important?
When downtime is intolerable, business continuity is critical. Some threats, such as cyberattacks and severe weather, appear to be becoming worse. A lengthy outage is a financial, personal, and reputational risk. Business continuity contributes to an organization's resilience by allowing it to respond quickly to a disruption.
Business continuity requires a firm to examine itself, identify potential areas of weakness, and gather important information. A company's communication, technology, and resilience may all be improved by implementing business continuity planning. Legal or compliance considerations may necessitate business continuity. It is vital to know which regulations apply to a certain firm.

3. What does business continuity include?
Business continuity is a proactive approach to ensuring that mission-critical operations continue even if they are disrupted. Contact information as well as processes for dealing with various incidents are included in a comprehensive strategy. There should be no ambiguity about how to respond when the moment comes. Customers, employees, and the company itself may all be threatened.
In the event of a major crisis, such as a power outage or cyber-attack, it is vital to be upfront and honest about your company's recovery time and recovery point goals. Because not everything is mission-critical, it is crucial to specify what must stay functioning and what may be restored later.
Collaboration between an organization's IT and security teams to preserve business continuity in the event of a catastrophic disaster may be extremely beneficial. The process involves the entire organization, from top management on down. Obtaining management support and delivering vital information to the whole organization is critical. At the very least, everyone should be informed of how the organization intends to respond.

4. Three key components of a business continuity plan
The resilience of an organization may be strengthened by building critical services and infrastructures with many disaster scenarios in mind, such as staff rotations, data redundancy, and maintaining a surplus of capacity. Assuring resilience against various contingencies can also help businesses sustain important services on and off-site without interruption.
It is vital to recover rapidly following a disaster in order to restart business operations. Setting recovery time targets for different systems, networks, or applications can help prioritize which components must be restored first. Resource inventories, agreements with third parties to assume business duties, and the usage of customized premises for mission-critical functions are some further recovery strategies.
A contingency plan comprises procedures for a variety of external situations, as well as a chain of command that distributes responsibilities inside the organization. These responsibilities may include repairing gear, leasing emergency office space, analyzing damage, and enlisting the assistance of third-party suppliers.

II. List the components of recovery plan

1. Take Inventory of IT Assets
You must first map out all your assets to determine which will require security. Assets may include:
• Network equipment
• Hardware
• Software
• Cloud services
• Critical data
Creating a list of assets, while time-consuming, may assist you in gaining a complete understanding of your company's procedures. Regularly update your list when assets are added, removed, or modified, and use it to delete redundant data.

2. Sort Assets According to Criticality and Context
Which of your company's assets would have the biggest impact if destroyed or lost in the event of a major disaster? Examine all of your mapped assets and rank them from high to low impact. How is your organization utilizing these resources? Backing up all of your data is not always possible.
Understanding the importance of each asset and how they interact will enable you to select which assets should be prioritized in a disaster recovery strategy.

3. Assess Potential Risks
What are the most severe threats to your entire company? Which assets are these threats most likely to target? Personnel responsible for critical systems are familiar with the most likely causes of service disruption. You can't forecast every conceivable danger, but you may develop an effective strategy by taking the likelihood and size of each into account.

4. Define Your RTO and RPO
Recovery objectives should be established early in the creation of a disaster recovery strategy in order to pick a suitable arrangement. There are two types of recovery objectives: recovery time and recovery point. RTO is the amount of time your assets may be down before being restored; RPO is the amount of data you are willing to lose.
Contact your company's IT and operations personnel to discuss the effects of a potential outage that might last anywhere from a minute to a day or longer. This information will assist you in determining your RTO and RPO, as well as how frequently your data should be backed up.

5. Select A Disaster Recovery Setup
You now have a complete understanding of your assets, risks, and RTO and RPO. You may use this information to build your disaster recovery setup.
It is vital to have a remote data storage solution in place to protect your assets from cyber-attacks and natural disasters that may cause physical harm. After you've mapped out your required setup, select the cloud services, software, hardware, and partners you'll require to finish it.

6. Propose A Budget
Every company, regardless of its resources, should have a disaster recovery strategy. Senior management should be reminded of the need for disaster recovery, but several price points should be provided.
Higher budgets will allow for a disaster recovery plan with more stringent RTOs and RPOs and more generous coverage for more critical services, and the plan may be part of a bigger business continuity plan. With the appropriate knowledge, management can strike the optimal balance between risk and investment in disaster response systems.

7. Test and Review
In order to ensure that the disaster recovery plan is ready, it must be tested and reviewed in the last phase. In the case of a crisis, all employees must be informed of their obligations. Conduct a disaster simulation to put the approach to the test and watch how workers react to the threat. Change the strategy if things don't go as smoothly as you'd want.
A disaster recovery plan is never complete. It should be checked on a regular basis, ideally every six months or so, to ensure that it is still working properly. Assets, organizational structure, and IT setup will all change over time, necessitating the updating of the disaster recovery plan.

III. Write down all the steps required in disaster recovery process

1. Create an inventory
Every company should be aware of the IT resources (systems, hardware, and software) that are being used. Consider which systems might be affected if your property had a flood, hurricane, fire, or power outage. Aside from a simple inventory, including multiple scenarios in your IT disaster recovery strategy may be advantageous.

2. Establish a recovery timeline
Some businesses may need a recovery period of minutes, while others may need a lengthier timetable. After you've documented your IT inventory, you may set reasonable recovery targets and timelines for recovering certain systems.
The concepts of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) will come in handy here:
• RTO (Recovery Time Objective): The time it should take for your IT systems to recover.
• RPO (Recovery Point Objective): The maximum time permitted for your IT systems to recover since the most recent data backup.

3. Communicate, communicate, and communicate
Inquire with employees about how certain systems or networks might affect their jobs if they were down for a lengthy period of time. Create a plan for communicating with your staff in the event of a power outage or Internet outage. Everyone should be informed of which IT operations may be impacted and who will be held responsible for resolving the issues.

4. Back up your data
Cloud storage, off-site data backups, and vendor-supported backups are all alternatives for data backups. Working with a reputable managed services provider can assist you in weighing the options and determining which is the best fit for your specific situation.
Identify data that is static and unchanging, as you may not need to back it up more than once. You should also identify which apps and information are mission-critical during the inventory step. It is not necessary to back up all your data.

5. Consider physical damages
You may feel that relocating to the cloud has insulated you from calamity, but physical damage to your facilities and equipment must still be planned for. Power outages and broken wiring may bring your business to its knees. In the event of a disaster, make sure you have a backup generator ready to go.

6. Consider the human factor
Employees should be trained to recognize phishing emails, which are the quickest way into a network and one of the most common causes of data breaches. Target suffered a significant data breach in 2013 when attackers obtained access to the company's network via a third-party HVAC vendor. Maintain control over who has administrative access to your systems.

7. Consider insurance
If you are concerned about recovery costs, obtaining catastrophe insurance as part of a disaster recovery plan may be an intriguing option.
This entails not just restoring your IT infrastructure, but also researching the bigger ramifications and losses caused by a disaster. If this idea appeals to you, speak with an insurance professional.

8. Test your disaster recovery plan
A disaster recovery strategy for information technology should be assessed at least once a year, preferably twice. After not testing their strategy for several years, one of our clients discovered that when they attempted to restore their disks, all of them failed. If this had occurred during a true disaster, the data would have been irreversibly destroyed. Learn about your remediation options by working with a respected MSP.

9. Combine DR and BC
Working with an MSP may be advantageous if you want to obtain another set of eyes on your disaster recovery plan or expert advice on how to build one. Disaster recovery cannot be set and forgotten; it must be actively controlled over time.

IV. Explain some of the policies and procedures that are required for business continuity

1. Business Continuity Plan (BCP)
A Business Continuity Plan (BCP) is a complete recovery strategy that is implemented in the event of a major disaster, such as an earthquake, tsunami, or terrorist attack. It is given in sufficient detail so that those who are required may carry out the plan as soon as possible. A business continuity plan (BCP) is a collection of resources, activities, procedures, and information that have been created, tested, and are ready to be implemented in the event of a significant disruption in operations.

2. Business Continuity Planning
Business continuity planning is the process of developing prior strategies and processes that will enable VCU to respond to an interrupting event in such a manner that key business activities can continue with minimal disruption. This exercise produces a viable business continuity plan (BCP).

3. Business Impact Analysis (BIA)
A business impact analysis (BIA) is a complete study of the probable consequences of a vital function disruption that gathers information needed to design recovery procedures to help in the speedy restart of operations.

4. Comprehensive Emergency Management Plan (CEMP)
A comprehensive emergency management plan (CEMP) is a complete approach developed to allow for successful response to and recovery from natural and man-made hazards. In the case of an emergency, a CEMP states what to do. Whatever the event, a business continuity strategy aids in reducing the impact on VCU's business operations.

5. Continuity of Operations Plan (COOP)
A COOP is a planning term that was initially used to refer to business continuity planning (BCP) and is similar to a disaster recovery plan. Businesses and corporations use it more commonly, whereas federal, state, and local governments use it to refer to long-term planning.

6. Critical Functions
Critical functions are those that are essential for the survival, health, safety, and security of the campus community. These functions must stay at or above normal levels during an event. Life, health, safety, and security functions will never be shut down and will always require workers on campus.

7. Emergency Operations Plan (EOP)
For the purposes of this policy, the term EOP also refers to the university's Comprehensive Emergency Management Plan (CEMP).

8. Mission Essential Functions (MEFs)
Departmental essential functions (MEFs) are services, programs, or activities that are crucial to the continuous operations of a university and would have a direct influence on the production, diffusion, and preservation of knowledge if they were to be discontinued. Stopping them for an extended period of time would have a direct impact on the department's success. They are critical departmental operations that would be lost if the university discontinued them for any reason.

9. Recovery Time Objective (RTO)
RTO is defined as the maximum period of time that a certain business function or resource can be unavailable before causing substantial disruption to operations. Also known as the maximum allowable downtime.

10. Risk Assessment (RA)
A risk assessment is a method that detects potential hazards and examines what could happen if one occurs.
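The recovery steps above (rank assets by criticality, define an RTO and RPO for each, back up, then test the restore) can be checked mechanically against an asset inventory. The Python below is an added example, not part of the original assignment: the asset names, targets and timestamps are constructed, and the 183-day limit on test age is an assumption drawn from the "every six months or so" guidance.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str
    criticality: int                   # 1 = highest impact if lost
    rto: timedelta                     # tolerated downtime
    rpo: timedelta                     # tolerated data loss, as a time window
    backup_interval: timedelta         # scheduled gap between backups
    last_backup: datetime              # newest backup that actually exists
    restore_took: Optional[timedelta]  # duration measured in the last restore test
    last_test: Optional[datetime]      # None if a restore was never tested

TEST_MAX_AGE = timedelta(days=183)     # assumption: "every six months or so"

def findings(asset: Asset, now: datetime) -> list[str]:
    """List the ways one asset currently misses its recovery objectives."""
    out = []
    # Worst case, the outage hits just before the next scheduled backup.
    if asset.backup_interval > asset.rpo:
        out.append("backup interval exceeds RPO")
    # A schedule is not a backup: check the age of the newest real copy.
    if now - asset.last_backup > asset.rpo:
        out.append("latest backup older than RPO")
    if asset.restore_took is None or asset.last_test is None:
        out.append("restore never tested")
    else:
        if asset.restore_took > asset.rto:
            out.append("measured restore time exceeds RTO")
        if now - asset.last_test > TEST_MAX_AGE:
            out.append("restore test is stale")
    return out

def review(inventory: list[Asset], now: datetime) -> list[tuple[str, list[str]]]:
    """Return (name, findings) for failing assets, most critical first."""
    ranked = sorted(inventory, key=lambda a: (a.criticality, a.name))
    return [(a.name, f) for a in ranked if (f := findings(a, now))]

# Constructed sample inventory and clock, for illustration only.
NOW = datetime(2022, 8, 1, 12, 0)
H, D = timedelta(hours=1), timedelta(days=1)
INVENTORY = [
    Asset("file-share", 3, 24 * H, 24 * H, 24 * H, NOW - 10 * H, 5 * H, NOW - 60 * D),
    Asset("orders-db", 1, 1 * H, H / 4, 24 * H, NOW - 3 * H, 4 * H, NOW - 400 * D),
    Asset("mail", 2, 4 * H, 1 * H, H / 2, NOW - H / 3, None, None),
]

if __name__ == "__main__":
    for name, problems in review(INVENTORY, NOW):
        print(f"{name}: {'; '.join(problems)}")
```

An asset whose backups run on schedule but whose restore has never been timed still fails the review, which is the failure the untested-disks anecdote in step 8 describes.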