ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Student ID
Class
Assessor name
Michael Omar
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P5
P6
P7
P8
M3
M4
M5
D2
D3
Summative Feedback:
Grade:
Lecturer Signature:
Resubmission Feedback:
Assessor Signature:
Date:
Table of Contents
Table of Contents ..... 2
List of Figures ..... 4
List of Tables ..... 4
INTRODUCTION ..... 5
TASK 1 - DISCUSS RISK ASSESSMENT PROCEDURES (P5) ..... 6
I. DEFINE A SECURITY RISK AND HOW TO DO RISK ASSESSMENT ..... 6
1. Definition Of Security Risks ..... 6
2. Risk Assessment Procedures ..... 6
II. DEFINE ASSETS, THREATS, AND THREAT IDENTIFICATION PROCEDURES, AND GIVE EXAMPLES ..... 9
1. Definition of Assets ..... 9
2. Definition of Threats ..... 9
3. Threat Identification Process ..... 9
4. Examples of Threat Identification Procedures ..... 10
III. EXPLAIN THE RISK ASSESSMENT PROCEDURE ..... 10
a) Asset Identification ..... 11
b) Threat identification ..... 11
c) Assessment of Vulnerability ..... 11
d) Risk assessment ..... 11
IV. LIST RISK IDENTIFICATION STEPS ..... 12
V. SUMMARISE THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3) ..... 13
1. Definition ..... 13
2. Contents of ISO 31000 ..... 13
3. Who Should use ISO 31000 ..... 15
4. Applications of ISO 31000 in IT Security ..... 16
TASK 2 - EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION (P6) ..... 18
I. DEFINITION OF DATA PROTECTION ..... 18
II. EXPLAIN THE DATA PROTECTION PROCESS IN AN ORGANIZATION ..... 18
III. WHY ARE DATA PROTECTION AND SECURITY REGULATION IMPORTANT? ..... 19
IV. DISCUSS POSSIBLE IMPACTS ON ORGANISATIONAL SECURITY RESULTING FROM AN IT SECURITY AUDIT (M4) ..... 20
1. Definition of IT Security Audit ..... 20
2. Systems That An IT Security Audit covers ..... 21
3. The Possible Impacts To Organisational Security Resulting From An IT Security Audit ..... 21
TASK 3 - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7) ..... 23
I. DEFINE A SECURITY POLICY AND DISCUSS IT ..... 23
1. Define Security Policy ..... 23
2. Discussion on policies ..... 24
II. GIVE AN EXAMPLE FOR EACH OF THE POLICIES ..... 28
III. GIVE THE MOST AND SHOULD THAT MUST EXIST WHILE CREATING A POLICY ..... 31
IV. EXPLAIN AND WRITE DOWN ELEMENTS OF A SECURITY POLICY ..... 32
V. GIVE THE STEPS TO DESIGN A SECURITY POLICY ..... 35
TASK 4 - LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8) ..... 37
I. DISCUSS WITH AN EXPLANATION ABOUT BUSINESS CONTINUITY ..... 37
1. Definition ..... 37
2. The Importance of Business Continuity ..... 38
II. LIST THE COMPONENTS OF THE RECOVERY PLAN ..... 39
III. ALL THE STEPS REQUIRED IN THE DISASTER RECOVERY PROCESS ..... 41
IV. EXPLAIN SOME OF THE POLICIES AND PROCEDURES THAT ARE REQUIRED FOR BUSINESS CONTINUITY ..... 43
V. DISCUSS THE ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS (M7) ..... 45
CONCLUSION ..... 46
References ..... 46
List of Figures
Figure 1: Security Risk ..... 6
Figure 2: Risk assessment Procedures ..... 7
Figure 3: Security Threats ..... 9
Figure 4: ISO 31000 ..... 13
Figure 5: ISO 31000 Principles ..... 14
Figure 6: Data Protection ..... 18
Figure 7: IT security audit ..... 20
Figure 8: Security Policy ..... 23
Figure 9: business continuity ..... 38
List of Tables
Table 1: ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS ..... 46
INTRODUCTION
In today's data-driven and internationally networked culture, data routinely moves between individuals, organizations, and businesses. Cybercriminals are fully aware that data has a high monetary value. As a result of the continuous growth in cybercrime, the demand for security specialists to safeguard and defend a business is expanding. To help me gain deeper knowledge in this field, this report discusses some fundamental theories of security: risk assessment procedures; data protection processes and regulations as applicable to an organization; and the design of a security policy for an organization. Additionally, it lists the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.
TASK 1 - DISCUSS RISK ASSESSMENT PROCEDURES (P5)
I. DEFINE A SECURITY RISK AND HOW TO DO RISK ASSESSMENT
1. Definition Of Security Risks
The likelihood of exposure, loss of key assets and sensitive information, or reputational harm as a result
of a cyber assault or breach within an organization's network is known as security risks. Cybersecurity
must remain a key priority across industries, and businesses should endeavour to create a cybersecurity
risk management plan to guard against ever-evolving cyber threats.
Figure 1: Security Risk
2. Risk Assessment Procedures
2.1. Definition:
A security risk assessment finds, evaluates, and applies important application security measures. It
also focuses on preventing security flaws and vulnerabilities in applications. An enterprise may see
its application portfolio holistically—from the standpoint of an attacker—by conducting a risk
assessment. It aids managers in making well-informed decisions about resource allocation, tools,
and security control implementation. As a result, completing an evaluation is an important aspect
of a company's risk management strategy.
Figure 2: Risk assessment Procedures
2.2. How Does Risk Assessment Work?
The depth of risk assessment models is affected by factors like size, growth rate, resources, and
asset portfolio. When faced with money or time restrictions, organizations might conduct generic
evaluations. Generalized evaluations, on the other hand, may not always include precise mappings
of assets, related threats, recognized risks, effects, and mitigation mechanisms. A more in-depth
evaluation is required if the findings of the generalized assessment do not offer enough of a link
between these areas.
2.3. Risk Assessment Steps
• Step 1: Determine the dangers. The first stage of a risk assessment is to identify any possible risks that would have a negative impact on the organization's capacity to do business if they occurred. Natural catastrophes, utility outages, cyberattacks, and power outages are all potential dangers that might be evaluated or discovered during a risk assessment.
• Step 2: Figure out what or who could be damaged. After the risks have been determined, the following stage is to assess which business assets would be harmed if the risk materialized. Critical infrastructure, IT systems, business operations, company reputation, and even employee safety are all considered to be in danger from these threats (Cole, 2021).
• Step 3: Assess the threats and devise countermeasures. Risk analysis may assist in determining how risks will affect company assets, as well as the steps that can be implemented to reduce or eliminate the effects of these hazards on business assets. Property damage, company interruption, financial loss, and legal fines are all possible consequences.
• Step 4: Keep a record of your results. The company's risk assessment results should be documented and filed as formal records that are easily accessible. Details on possible dangers, their related risks, and measures to avoid the hazards should be included in the records.
• Step 5: Regularly review and update the risk assessment. In today's corporate world, potential dangers, risks, and the controls that go along with them can alter quickly. It is critical for businesses to update their risk assessments on a frequent basis in order to keep up with these developments (Cole, 2021).
2.4. The Goals of Risk Assessment
• Creating a risk profile that includes a quantitative examination of the hazards that the company confronts.
• Creating a comprehensive inventory of IT and data assets.
• Justifying the expense of security remedies that mitigate risks and vulnerabilities.
• Identifying, prioritizing, and documenting risks, threats, and known vulnerabilities to the organization's production infrastructure and assets.
• Creating a budget to address or reduce the risks, hazards, and vulnerabilities that have been identified.
• Understanding the return on investment when money is spent on infrastructure or other corporate assets to mitigate possible risk.
II. DEFINE ASSETS, THREATS, AND THREAT IDENTIFICATION PROCEDURES, AND GIVE EXAMPLES
1. Definition of Assets
Any data, device, or other component of the environment that supports information-related activities is an asset in information security, computer security, and network security. Hardware (such as servers and switches), software (such as mission-critical applications and support systems), and confidential information are all examples of assets. Assets must be protected from unauthorized access, use, disclosure, alteration, destruction, and/or theft, which might result in a financial loss (Haldenby, 2016).
2. Definition of Threats
Software assaults, loss of intellectual property, identity theft, theft of equipment or information,
sabotage, and information extortion are all examples of information security threats.
Anything that can exploit a vulnerability to breach security and negatively change, delete, or damage an item or object of interest is considered a threat. In this report, a threat is defined as a potential hacker attack that allows someone to obtain unauthorized access to a computer system.
Figure 3: Security Threats
3. Threat Identification Process
• Hold pre-work meetings to discuss the daily tasks to be completed.
• Encourage employees to be aware of potential dangers and to report them.
• Conduct workplace audits and safety inspections.
• Perform a JSA (job safety analysis).
• Use HAZOPS (hazard and operability studies).
• Evaluate any novel procedures, materials, or buildings.
• Examine the product's safety information.
• Examine data that is freely available.
• Look for previous incident and near-miss reports.
4. Examples of Threat Identification Procedures
Threat identification for the asset "digital document/data":
• Threat: storage failure with no backup of the document (possible availability loss).
• Threat: virus; the vulnerability is anti-virus software that is not up to date or contains many security holes (possible confidentiality, integrity and availability loss).
• Threat: unauthenticated access from an unidentified site, such as SQL injection by an unidentifiable party; the vulnerability is an access control strategy that is not adequately established (possible confidentiality, integrity and availability loss).
• Threat: unauthorized access; the vulnerability is that access was granted to far too many people (possible confidentiality, integrity and availability loss).
Threat identification for the asset "physical document":
• Threat: fire or hurricane; the vulnerability is that the document is not housed in a fire-proof safety box (possible availability loss).
• Threat: earthquake, fire, etc., with no backup of the paper document (possible availability loss).
• Threat: unauthorized access; the vulnerability is that the important document is not locked and secured in a safety box (possible confidentiality loss).
III. EXPLAIN THE RISK ASSESSMENT PROCEDURE
A risk assessment procedure should be carried out by a competent person or group of people who have a thorough understanding of the subject under investigation. Supervisors and workers who work with the process under evaluation should be included on the team or used as sources of information because they are the most familiar with it. The procedure of risk assessment is as follows:
a) Asset Identification
• The asset inventory
Completed objects, components, or raw materials that an organization intends to sell are referred to as inventory assets. In accounting, inventory is documented as a current asset on a company's balance sheet. Manufacturing inventory assets serve as a buffer in the case of an increase in demand (Cole, 2021).
• Attributes of assets to be recorded
• Calculate the asset's relative worth.
b) Threat identification
• Sort threats into categories.
A security threat is a malicious act undertaken to steal or damage data or disrupt an organization's systems or the entire enterprise.
c) Assessment of Vulnerability
• Determine the asset's present weaknesses.
Organizations employ internal controls to protect themselves and maintain compliance with industry norms and regulations when managing financial risks. Effective controls help ensure that financial reporting is accurate and that investment, capital, and credit requirements are satisfied.
• Vulnerability scanners should be used on both hardware and software.
A vulnerability scanner is software that detects security problems in computers, networks, operating systems, and other software applications. It is important to note that the same technology may be used both proactively by system administrators and maliciously by cybercriminals.
d) Risk assessment
• Calculate the organization's vulnerability impact.
Due to a variety of hazards, all facilities are in some danger. These dangers might arise as a result of natural disasters, accidents, or deliberate operations meant to cause harm. Regardless of the nature of the danger, facility owners must limit or control the risks caused by these hazards as much as possible.
• Determine the expectancy of a loss.
• Calculate the probability that the vulnerability will be exploited.
The use of probability in traditional risk analysis has attracted a lot of interest. This step applies some basic concepts of probability to estimate how likely each identified vulnerability is to be exploited (Cole, 2021).
• Make a decision about what to do with the risk.
It is crucial to note that the evaluation must consider not just the existing status of the workplace, but also any possible circumstances. The employer and the health and safety committee (where applicable) can determine if and to what extent a control program is necessary by evaluating the degree of risk associated with the hazard.
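The four steps of the procedure above (asset worth, threat, vulnerability, loss expectancy and treatment decision), and the "return on investment" goal from section 2.4, are easiest to see in a small risk register. The following is an added example written for this report, not code from the report or from any cited source; every asset, threat, figure and the treatment thresholds in it are constructed for illustration.

```python
"""Worked risk register for the procedure in section III (a-d).

Added example, not the report's own material: it lists assets with a relative
worth, attaches a threat and the vulnerability it exploits, scores likelihood
and impact, computes single and annual loss expectancy, ranks the register and
proposes a treatment. All assets, threats and figures are constructed.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # relative worth of the asset (step a), currency units
    exposure_factor: float  # share of the asset value lost in one incident, 0..1
    annual_rate: float      # ARO: expected number of incidents per year
    likelihood: str         # qualitative chance the vulnerability is exploited
    impact: str             # qualitative impact on the organisation

    def single_loss_expectancy(self) -> float:
        """SLE: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE * ARO: the loss expectancy asked for in step d."""
        return self.single_loss_expectancy() * self.annual_rate

    def score(self) -> int:
        """Qualitative likelihood x impact score on a 1..9 scale."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def treatment(risk: Risk, appetite_ale: float) -> str:
    """Decide what to do with the risk: mitigate when the score is high or the
    annual loss exceeds the stated appetite, monitor medium scores, accept the
    rest. The thresholds (6 and 3) are an assumed policy, not from the report."""
    if risk.score() >= 6 or risk.annual_loss_expectancy() > appetite_ale:
        return "mitigate"
    if risk.score() >= 3:
        return "monitor"
    return "accept"


def net_benefit(risk: Risk, control_cost: float, residual_rate: float) -> float:
    """Return on a control (section 2.4 goal): ALE avoided minus the control's
    yearly cost, where residual_rate is the ARO expected once the control is in place."""
    residual_ale = risk.single_loss_expectancy() * residual_rate
    return risk.annual_loss_expectancy() - residual_ale - control_cost


def rank(register: list) -> list:
    """Highest annual loss first; the qualitative score breaks ties."""
    return sorted(register, key=lambda r: (r.annual_loss_expectancy(), r.score()), reverse=True)


# Constructed register mirroring the report's own examples (digital data, paper documents).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched servers", 500_000, 0.4, 0.2, "high", "high"),
    Risk("file server", "disk failure", "no backup", 80_000, 0.5, 0.1, "medium", "medium"),
    Risk("paper archive", "fire", "no fire-proof safe", 20_000, 1.0, 0.02, "low", "medium"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.asset:18} ALE={r.annual_loss_expectancy():>9.0f} "
              f"score={r.score()} -> {treatment(r, 10_000)}")
```

Running the block ranks the constructed register with the ransomware risk first (ALE 40,000, score 9, mitigate), the unbacked-up file server second (ALE 4,000, monitor) and the paper archive last (ALE 400, accept); `net_benefit` then shows that a control costing 15,000 a year which cuts the ransomware ARO to 0.05 is still worth 15,000 a year, which is the kind of figure step d and the budgeting goal in section 2.4 ask for.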
IV. LIST RISK IDENTIFICATION STEPS
• Step 1 - Template specification: This is a risk statement based on information provided concerning causes, consequences, impacts, risk regions, and occurrences. A well-structured template can assist you in capturing this information in a consistent manner.
• Step 2 - Basic identification: Answering two questions regarding prospective risks: why or why not us, and whether or not they have previously been encountered. The former may be acquired through a SWOT analysis process, whereas the latter is a statement that should be sourced from a project postmortem or lessons-learned library.
• Step 3 - Detailed identification: This stage takes longer than the others, but it provides the information you need to correctly analyze risk. PMI recommends the following five tools:
  o Interviewing
  o Analysis of assumptions
  o Examining documents
  o The Delphi method
  o Brainstorming
• Step 5 - Internal cross-check: At this step, begin to build an opinion on which project parts are riskier than others, as well as what mitigation methods to use.
• Step 6 - Statement finalization: compiles results into a set of graphics that include dangerous locations, causes, and consequences.
V. SUMMARISE THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
1. Definition
ISO 31000 is a security analysis technique (also known as a risk management process) that is utilized
in a variety of risk management programs in a variety of sectors. It aids in the standardization of the
procedures users take to assess and manage risk, resulting in a formal and consistent process (Anon.,
2016).
Figure 4: ISO 31000
Risk management may be applied to a full company, as well as individual departments, projects, and
activities, at any time and at various levels.
2. Contents of ISO 31000
a) Scope
ISO 31000 is an international risk management standard that may be implemented by any business,
regardless of size or industry (Lashin, n.d.).
At all levels and departments of a company, ISO 31000 may be used to achieve any and all sorts of
objectives.
It may be applied to all sorts of operations and can be utilized at a strategic or organizational level
to aid decision-making.
It may be used to help manage processes, operations, functions, projects, programs, goods, services, and assets; however, how an organization applies ISO 31000 is up to it and will be determined by its goals, objectives, and problems, and should reflect what it does and how it operates.
b) Terms and Definitions
c) Principles
Figure 5: ISO 31000 Principles
d) Frameworks
According to ISO 31000, the effectiveness of risk management depends on a management framework that provides the foundations and arrangements for embedding risk management across the business at all levels.
The framework:
• Guarantees that information concerning risk obtained from the risk management process is appropriately reported;
• Ensures that this information is used as a foundation for decision making and accountability at all relevant organizational levels.
This section defines the required components of the framework for managing risk and how they interact in an iterative manner:
• Mandate and commitment
• Design of the framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework
• Risk assessment
• Risk treatment
• Monitoring and review
• Recording the risk management process
e) Process
According to ISO 31000, the success of risk management is determined by the management's
efficacy.
The risk management process should be:
• An important component of management;
• Embedded in the organization's culture and practices;
• Tailored to the organization's business operations.
The following activities are included in the risk management process:
• Communication and consultation: All stages of the risk management process should include communication and interaction with external and internal stakeholders.
• Establishing the context: By establishing the context, the organization articulates its objectives, identifies the external and internal elements to be considered when managing risk, and sets the scope and risk criteria for the remaining process.
3. Who Should use ISO 31000
ISO 31000 can be used by a variety of people, including those who need to:
• Create a risk management policy (top management).
• Review risk management procedures and practices (assessors).
• Manage and control risk within a company (managers).
• Describe the methods for managing and controlling risk (trainers and consultants).
• Create risk management policies and procedures (implementers).
• Develop related standards and norms of conduct (experts).
4. Applications of ISO 31000 in IT Security
a) Risk management creates and protects the value
Risk management helps to accomplish measurable goals and enhance performance in areas such as
human health and safety, security, legal and regulatory compliance, public acceptance,
environmental protection, product quality, project management, operational efficiency, governance,
and reputation (Lashin, 2016).
b) Risk management is an integral part of all organizational processes
Risk management is not a stand-alone activity distinct from the organization's major operations and
procedures. Risk management is an element of management's duties and an essential component of
all organizational operations, such as strategic planning and project and change management.
c) Risk management is part of decision making
Risk management aids decision-makers in making well-informed decisions, prioritizing activities,
and distinguishing between different options.
d) Risk management explicitly addresses uncertainty
Uncertainty, the nature of that uncertainty, and how it might be managed are all addressed directly
in risk management.
e) Risk management is systematic, structured and timely
Risk management that is systematic, timely, and organized leads to efficiency as well as consistent,
comparable, and trustworthy results.
f) Risk management is based on the best available information
The information sources used in the risk management process include historical data, experience,
stakeholder feedback, observation, projections, and expert judgment. However, decision-makers
should be aware of and consider any limits of the data or modelling employed, as well as the
likelihood of expert divergence.
g) Risk management is tailored
Risk management is based on the organization's external and internal contexts, as well as its risk
profile.
h) Risk management takes human and cultural factors into account
Risk management takes into account the capabilities, attitudes, and intentions of external and
internal stakeholders who might help or impede the organization's goals.
i) Risk management is transparent and inclusive
Risk management stays relevant and up-to-date with appropriate and timely participation of
stakeholders and, in particular, decision-makers at all levels of the organization. Stakeholder
involvement also ensures that they are adequately represented and that their opinions are taken into
consideration when setting risk criteria.
j) Risk management is dynamic, iterative and responsive to change.
Change is constantly sensed and responded to by risk management. As external and internal events
occur, context and knowledge shift, risks are monitored and reviewed, new hazards develop, some
shift, and others vanish.
k) Risk management facilitates continual improvement of the organization.
Along with all other parts of their business, organizations should design and implement methods to
improve their risk management maturity.
TASK 2 - EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN
ORGANIZATION (P6)
I. DEFINITION OF DATA PROTECTION
"Data protection" is the process of protecting data and involves the relationship between the collection and
dissemination of data and technology, the public perception and expectation of privacy and the political
and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights
while still allowing data to be used for business purposes (Crocetti, 2021).
Figure 6: Data Protection
Data protection is also known as data privacy or information privacy.
II. EXPLAIN THE DATA PROTECTION PROCESS IN AN ORGANIZATION
1) Assessing Risks
The riskier the data, the more security it requires. Sensitive data should be protected as much as possible, whereas low-risk data can be granted less security. The main rationale for these evaluations is financial, since stronger data security means higher costs.
2) Backup Data
Backup is always a way of preventing data loss, which can occur as a result of user mistakes or technological failure. Low-importance data does not need to be backed up as frequently as sensitive data. Tape storage is still roughly two-thirds less expensive than hard drives.
3) Data Encryption
High-risk data is the ideal candidate for encryption at every stage of the process. Data that has been adequately encrypted is inherently secure: even if a data breach occurs, the data is useless and unrecoverable to the attackers. Encryption is specifically mentioned in the GDPR as a data security measure.
4) Pseudonymization
Another method recommended by the GDPR for improving data security and individual privacy is pseudonymization. It works well with larger data sets and involves replacing personally identifying information in data records with pseudonyms, so that the data cannot be attributed to a person without separately held additional information. The notification duties in the event of a breach of pseudonymized data are greatly reduced.
5) Access Controls
The fewer people who have access to the data, the smaller the risk of (inadvertent) data leak or loss. Keep track of data handling training courses and run refreshers on a regular basis. Create a clear and explicit data protection policy.
6) Destruction
On-site data destruction is recommended for sensitive data. The most frequent method for damaged hard drives is degaussing. Paper, CDs, and tapes are all shredded into minute pieces. Encrypted data may be easily wiped by deleting the decryption keys.
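Steps 4 and 6 above hinge on one idea: the information that links a pseudonym back to a person is held apart from the data set, and destroying that information is itself a form of data destruction. The block below is an added example written for this report (not the report's or the GDPR's own code) showing pseudonymisation with a keyed hash held separately, the weaker unkeyed variant beside it, and key deletion as the destruction step. The records, the key value and the field names are constructed for illustration; a real key would be random and kept in a key store, which is not shown.

```python
"""Pseudonymisation with a separately held key, and destruction by deleting
that key (steps 4 and 6 above). Added example, not the report's code; the
records, key and field names are constructed for illustration."""
import hashlib
import hmac


class Pseudonymiser:
    """Replaces direct identifiers with keyed-hash tokens. The key is the
    'additional information' that would allow re-identification and is kept
    apart from the data set (assumed to live in a key store, not shown)."""

    def __init__(self, key: bytes):
        self._key = key

    @staticmethod
    def _normalise(value: str) -> str:
        # same person, same token: e-mail comparison is case-insensitive
        return value.strip().lower()

    def token(self, value: str) -> str:
        if self._key is None:
            raise RuntimeError("pseudonymisation key destroyed; re-identification impossible")
        return hmac.new(self._key, self._normalise(value).encode(), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict, direct_identifiers: tuple) -> dict:
        out = dict(record)
        for field in direct_identifiers:
            if field in out:
                out[field] = self.token(out[field])
        return out

    def verify(self, value: str, token: str) -> bool:
        """Only a key holder can confirm that a token belongs to a given person."""
        return hmac.compare_digest(self.token(value), token)

    def destroy_key(self) -> None:
        """Step 6 applied to the key: with the key gone, the pseudonymised set
        can no longer be linked back to people, so it can stay where it is."""
        self._key = None


def weak_token(value: str) -> str:
    """Unkeyed hash, shown as the weak alternative: anyone can recompute it from
    a guessed e-mail address, so a leaked data set is still attributable."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed sample records; the third row is the first customer again.
RECORDS = [
    {"email": "ana@example.org", "name": "Ana Silva", "plan": "gold", "spend": 120},
    {"email": "bo@example.org", "name": "Bo Chen", "plan": "basic", "spend": 15},
    {"email": "Ana@Example.org", "name": "Ana Silva", "plan": "gold", "spend": 40},
]


def pseudonymise_dataset(p: Pseudonymiser, records: list) -> list:
    return [p.pseudonymise(r, ("email", "name")) for r in records]


def spend_by_customer(records: list) -> dict:
    """Analytics still work on the pseudonymised set because tokens stay linkable."""
    totals = {}
    for r in records:
        totals[r["email"]] = totals.get(r["email"], 0) + r["spend"]
    return totals


if __name__ == "__main__":
    p = Pseudonymiser(b"constructed-demo-key")
    data = pseudonymise_dataset(p, RECORDS)
    print(spend_by_customer(data))
    p.destroy_key()
```

The keyed token is the point of the design: a breach of the pseudonymised set exposes plans and spend but no names or e-mail addresses, and an attacker holding a list of candidate addresses cannot confirm membership without the key, which is why the report can say notification duties are reduced. `weak_token` shows why a plain hash does not give that property. Deleting the key is the cheap destruction the text describes for encrypted data, applied here to the re-identification secret.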
III. WHY ARE DATA PROTECTION AND SECURITY REGULATION IMPORTANT?
Data exists in every company and organization, including personnel files, customer data, product
information, financial transactions, and so on. This data is used to inform management decisions as well as
employee work procedures in order to produce high-quality products and services. In fact, data is one of a
company's most valuable assets. Data security should be a top concern for every firm for this reason alone.
This involves safeguarding the data's accessibility to personnel who require it, its integrity (keeping it
correct and up-to-date), and its confidentiality (the assurance that it is available only to people who are
authorized).
Customers expect the firms they do business with or invest money in to keep their data protected.
Adequate data governance fosters confidence and protects the company's image by establishing it as a
brand that customers can trust with their personal information.
Data protection and security regulation has elevated data security to a new level of importance, making it
not just a business but a legal need. Under the GDPR, a controller must 'implement appropriate technical
and organisational measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation' (Article 24). Security awareness training is an important part of such
measures: employees must understand the need to adhere to data security rules and processes. Headlines
about, and bad responses to, a data breach can erode confidence built up over a decade in a matter of days
(Besemer, 2011).
IV. DISCUSS POSSIBLE IMPACTS ON ORGANISATIONAL SECURITY RESULTING FROM AN
IT SECURITY AUDIT (M4)
1. Definition of IT Security Audit
A security audit is a systematic assessment of a company's information system's security by determining
how well it complies with a set of criteria. The security of the system's physical setup and environment,
software, information handling processes, and user habits are normally assessed during a complete audit
(Gillis, 2021).
Figure 7: IT security audit
Security audits are often used to determine compliance with regulations such as the Health Insurance
Portability and Accountability Act, the Sarbanes-Oxley Act and the California Security Breach
Information Act that specify how organizations must deal with information.
2. Systems That An IT Security Audit covers
a) Network vulnerabilities: The audit searches for flaws in any network component that an
attacker could use to gain access to systems or information or to inflict harm. Information is most
exposed while it moves between two sites. Network traffic, including emails, instant messaging,
file transfers, and other communications, is examined through security audits and regular network
monitoring.
b) Security controls: The auditor examines the effectiveness of a company's security controls in this
section of the audit. This involves assessing how well a company has executed the rules and
procedures it has put in place to protect its data and systems. An auditor, for example, may look to
verify if the firm still has administrative control over its mobile devices. The auditor examines the
company's controls to ensure that they are working properly and that it is adhering to its own rules
and procedures.
c) Encryption: This section of the audit checks that the company's encryption is implemented and
managed properly: which data is encrypted, with what algorithms and key lengths, and how keys
are generated, stored, rotated and retired.
d) System software: Software systems are evaluated here to ensure that they are functioning correctly
and giving reliable data. They're also reviewed to see whether there are any restrictions in place to
prevent unauthorized people from accessing private information. Data processing, software
development, and computer systems are among the fields investigated.
e) Architecture management capabilities: Auditors check that IT management has put in place
organizational structures and processes to provide a regulated and efficient information processing
environment.
f) Telecommunications controls: Telecommunications controls are tested on both the client and server
sides, as well as the network that links them, by auditors.
g) Systems development audit: Audits in this area ensure that any systems in development fulfil the
organization's security objectives. This component of the audit is also carried out to check that
systems in development adhere to established guidelines.
h) Information processing: These audits ensure that security mechanisms for data processing are in
place.
3. The Possible Impacts To Organisational Security Resulting From An IT Security Audit
An IT security audit shows the organization's IT assets' underlying vulnerabilities and security threats.
Identifying hazards, on the other hand, has a positive ripple impact on the security of the company as a
whole. Here are some possible impacts of an IT security audit on organizational security resulting:
a) Identification of vulnerable areas and components of IT infrastructure and system
Networks, PCs, and servers are examples of IT infrastructure in organizations that may be hacked
or compromised. An IT security audit exposes vulnerable areas that can be readily exploited by
threats such as hackers.
Fraud and other accounting irregularities may be prevented and detected by the frequent study of
an organization’s operations and the deployment of stringent internal control systems. Internal
control systems, which are intended to prevent fraud, are designed and modified with the help of
auditing specialists.
Deterrence is an important part of prevention. An organization that is known to have an active
and rigorous audit system is less likely to be targeted by an employee or supplier attempting to
defraud it.
b) Reduction of threats and risks
Threats include attacks on computer systems and system flaws that may be exploited by hostile
individuals such as hackers. The identification of vulnerable points in the system by an IT audit
drives improved security measures.
Risk reduction may be achieved by implementing a stronger disaster management strategy, which
tries to reduce or avoid hazards to an IT system.
Following the assessment of the risks, the IT team is given a clear organizational vision on how to
eliminate, mitigate, or accept those risks as part of the working environment through the
implementation of IT audit controls.
Furthermore, without an audit system or internal controls, an organization would be unable to
allocate resources and determine which product lines are lucrative and which are not.
c) Implementation and enforcement of better security policies
Security policies help to prevent unnecessary risks by enacting recommended rules, such as a
password policy that requires a password to be longer than eight characters and not to include
the user name.
d) Outsourcing of cyber security services
If security concerns necessitate additional expertise, an organization might choose to outsource
security management to a third party.
e) Better strategies of compliance with programs like HIPAA
Compliance seeks to ensure that specified security policies are followed in order to better secure an
organization's assets. Regulatory authorities, which might be state-run, are in charge of ensuring
compliance.
f) Enhances Communication in an Organization
An IT audit can help the organization's business and technology management communicate more
effectively. The conclusion of a computer audit requires direct communication between the
business units and their IT departments. During interviews, the internal or external auditor
has the chance to test what is actually happening in the organization and to check whether there
is a large gap between the documented processes and day-to-day practice.
The auditor's final step will be to prepare a thorough report for his superiors explaining the problems
with the company's computer system. This not only improves communication across departments,
but also fosters trust, boosts responsibility, and allows departments to track their goals.
IT auditing should therefore be recognized as a key part of management's oversight of
technology. Technology is used to support the company's roles, strategy, and operations.
Alignment between the business and its supporting technology is critical, and IT auditing
helps to ensure that alignment.
TASK 3 - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7)
I. DEFINE A SECURITY POLICY AND DISCUSS IT
1. Define Security Policy:
A security policy is a written statement of how a corporation intends to safeguard its physical and
information technology (IT) assets. Security policies are dynamic documents that are updated and
revised when new technologies, vulnerabilities, and security needs emerge.
Figure 8: Security Policy
A company's security policy may include an acceptable use policy. Security policies also outline how
the organization intends to educate its staff about the importance of safeguarding the company's
assets, describe how security measures will be implemented and enforced, and set out a
method for assessing the policy's efficacy and making required modifications (Duigan, 2013).
2. Discussion on policies:
a) Discussion on HR policy:
HR policies are particular standards that a business follows while managing its people resources.
These are explicit guidelines for hiring, evaluating, training, and rewarding employees. These
are the structure and guiding forces that aid in making consistent judgments for the
organization's and its employees' wellbeing.
HR policies are an important aspect of every business since they serve to provide clear
guidelines for how the firm operates. It's a strategy to safeguard an organization’s business and
avoid future misunderstandings.
The importance of HR policy:
 It guarantees that the organization's employees' requirements are acknowledged and met.
 It guarantees that suitable benefits are offered to workers for their work; it assists in the
resolution of employee problems, complaints, and grievances; and it ensures that proper
training and development opportunities are presented to employees to fulfil the
organization's needs.
 It protects employees against unfair treatment by anyone in the corporation.
 It ensures that eligible employees are given paid vacations and holidays when they are
due.
 It is regarded as crucial since it aids in the organization's discipline.
 It guarantees that employees are compensated fairly.
b) Discussion on Incident Response Policy:
Incident Response (IR) Procedure: Provide the necessary procedures for incident
management, reporting, and monitoring, as well as incident response training, testing, and
support, to ensure that the organization is prepared to respond to cyber security incidents, secure
its systems and data, and avoid interruption of services.
This type of policy usually includes information about:
(i) The organization's incident response team;
(ii) Each team member's role;
(iii) The people in charge of testing the policy;
(iv) How to put the policy into action;
(v) The technological means, tools, and resources that will be used to identify and recover
compromised data.
Incident Response Policy Phases:
 Preparation phase
 Identification phase
 Containment phase
 Eradication phase
 Recovery phase
 Post-incident phase
c) Discussion on Acceptable Use Policy
Acceptable Use Policy (AUP): An AUP outlines the restrictions and procedures that employees
who use organizational IT assets must accept in order to have access to the business network
or the internet. For new employees, it is a typical onboarding protocol. Before being assigned
a network ID, they must read and sign an AUP. It is suggested that the IT, security, legal, and
HR departments of a firm consider what is included in this policy (Anon., 2008).
General Use and Ownership:
 This policy applies to any data produced or stored on the Organization's systems.
 All data including non-public personal information must be encrypted before being
electronically transmitted.
 Non-public personal information and other sensitive information shall be encrypted
following the Information Sensitivity Procedures in all other circumstances.
 For this policy, all information and data residing on the organization's systems and
networks are considered the organization's property.
 For any reason, at any time, with or without notice, the organization may monitor or
audit any information, including data files, emails, and information stored on
company-issued computers or other electronic devices, for testing and monitoring
compliance with these security procedures.
d) Discussion on Disposal Policy
Disposal policy refers to the disposal of any superfluous IT equipment and devices that have
reached the end of their useful lives, are broken, surplus, underused, or have become obsolete
as a result of an IT refresh.
To guarantee that any personal data is totally wiped, data-bearing devices should be safely
erased or destroyed.
The importance of Disposal Policy:
 Data Security – secure data erasure or data destruction to ensure that your sensitive
data does not get into the wrong hands.
 Environmental – ensuring that your assets do not end up in landfills or dumped in the
countryside.
 Audit Trail – provision of all necessary documentation and reports needed for an
environmental or data security audit.
 Maximise Return on Investment – saving time and money by avoiding unnecessary
purchases and recouping some costs.
 Keeping up with Advances in Technology – with the understanding that your old
devices will be reused or recycled.
e) Discussion on Business continuity policy
The goal of a business continuity system is to avoid, detect, and eliminate business interruption
risks and provide conditions for company recovery if one does occur.
One of the most important components of the organization is the business continuity policy,
which allows Softline to avoid and prevent business interruptions, maintain and enhance
Softline's image among customers, business partners, and government officials ("Parties
Concerned"), strengthen confidence in Softline and improve loyalty (Sullivan, 2020).
The business continuity plan's methods put the policy into effect. Both documents stress the
following elements:
 Contingency Planning: When a corporation makes a proactive effort to anticipate and
plan for potential events, it is known as contingency planning. This type of preparation
is typically used for bad occurrences, but it may also be used for favourable ones.
Contingency planning prepares the response in advance; crisis management is the way
the corporation responds once an issue has actually occurred.
 After an event, a company's attempts to save and resume vital processes are referred to
as recovery. After an interruption, a recovery strategy prescribes acceptable service
levels.
 The ability of a corporation to offer crucial products and services during and after a crisis
is referred to as resilience. Staff, other resources, and the brand are all protected by
resilience.
f) Discussion on Security Policy
The importance of Security Policy:
 Security policies are crucial because they safeguard an organization's physical and
digital assets. They include all of the company's assets as well as potential dangers to
those assets.
 Physical security rules are designed to safeguard a company's physical assets, such as
buildings and equipment, such as computers and other information technology. Data
security rules safeguard intellectual property from costly incidents like data breaches
and leaks.
Benefits of Security policy:
 Protect valuable assets
 Guard reputations
 Ensure compliance with legal and regulatory requirements
 Dictate the role of employees
Based on the scope and aim of the policy, security policy types may be categorized into three
categories:
 Organizational. These policies serve as a master plan for the complete security program
of the company.
 System-specific. Security measures for an information system or network are covered
by a system-specific policy.
 Issue-specific. These policies are focused on certain parts of the organization's overall
policy (Duigan, 2013).
II. GIVE AN EXAMPLE FOR EACH OF THE POLICIES
a) HR Policy
Here is an example of a right HR Policy:
Company ABC's management realized that in order to remain competitive and grow market
share, it needed to boost productivity. For this reason, management devised a plan to place greater
focus on each individual's performance. Each department's manager or supervisor focused on
giving adequate training and development to each employee in order to make this transformation.
The supervisors grew more knowledgeable and began providing all pertinent work-related
information. They also provided enough incentives, awards, and recognition to motivate and
encourage staff to attain their goals. HR might set up training sessions for staff in order to educate
and inform them about the changes. This can help employees gain confidence and prevent
resistance to change.
b) Incident Response Policy
The person who discovers the incident contacts the dispatch office. List every channel
through which someone could learn of an incident, and for each one record the contact
details and reporting procedure. Reporting procedures inside the IT department may differ
from those outside it.
The IT staff member or impacted department staff member who receives the call (or discovers
the situation) will resort to their contact list to notify both management and incident response
professionals. Those on the list will be contacted by the staff person. The IT staff member will
send an email and a phone message to the incident response manager, as well as other relevant
and backup individuals and designated managers.
To identify how the incident occurred, team members will employ forensic techniques such as
checking system logs, looking for gaps in logs, reviewing intrusion detection logs, and
interviewing witnesses and the incident victim. Only authorized individuals should conduct
interviews or examine the evidence, and allowed persons may differ depending on the scenario
and the company.
Members of the team will provide recommendations to prevent the incident from reoccurring or
infecting other systems. Assess the damage to the organization and estimate the cost of the harm
as well as the cost of the containment measures.
Review and update policy, as well as plan and implement preventative measures to ensure that
the intrusion does not occur again.
c) Acceptable Use Policy
Example of Acceptable Use Policy In Online Banking Services:
Transferwise, currently known as Wise, is a financial technology business that enables clients to
have numerous bank accounts in different currencies, apply for a multi-currency credit card, and
send money throughout the world. Unlike typical banks, it does not have any physical premises
and hence only provides services through an internet platform.
Wise has a clear yet easy-to-understand Acceptable Use Policy that spells out the rules under
which users can access its services, which is unsurprising given the hazards inherent with the
handling of financial data (to be read in conjunction with its User Agreement which refers to its
other policies) (Anon., 2019).
In addition to limiting how its services may be used, Wise states that it does not support
businesses or transactions in a number of listed categories and industries because they are too
high-risk. It reserves the right to immediately remove a user's access to its services, suspend
or cancel payment orders, remove user-uploaded material, issue warnings, take legal action
against offenders, and report and disclose relevant information to law enforcement authorities.
d) Disposal Policy
For example, In order to preserve the network's confidentiality and data integrity of computer
systems and organizational assets, it is necessary for all employees and individuals with access
to organizational computer systems to follow the IT disposal control policy. The asset control
policy will provide not only for the tracking of organizational assets in terms of their location and
who is using them but also for the protection of any data held on those assets. The disposal of IT
assets is likewise covered by this asset policy.
All paper documents holding confidential information that are no longer needed must be
destroyed. Physical destruction of retired and/or abandoned archival storage media is
required. State secrets or extremely sensitive data must be removed from disks using secure
deletion (overwriting or crypto-erase), not ordinary file deletion.
e) Business Continuity Policy
Here is an example of a well-executed business continuity Policy:
A fire broke out when lightning damaged an office building in Mount Pleasant, South Carolina,
in 2013. Cantey Technology, an IT firm that runs servers for more than 200 clients, called the
premises home.
Cantey's network infrastructure was destroyed by the fire, which melted cables and burned
computer systems. The office was useless and the equipment was ruined beyond repair. The
situation seems dismal for a corporation whose key function is hosting servers for other
companies. The whole infrastructure of Cantey was destroyed (Rock, 2022).
Cantey's clientele, on the other hand, was never aware of the distinction:
 Cantey had previously migrated its client servers to a faraway data centre as part of its
business continuity policy, where continuous backups were maintained.
 Despite the fact that Cantey's personnel was obliged to relocate to a temporary location,
its clients were never inconvenienced.
It was a situation where things could have gone very differently. Until five years earlier, the
company had kept all of its client servers on site. Founder Willis Cantey made the right call in
judging that this arrangement carried too much risk: one large on-site outage would have been
enough to wipe out his whole business, as well as his clients' operations, and potentially expose
him to legal liability.
f) Security Policy
To access internal network resources over the public network and to send private data across the
public network, only secure connections such as VPN connections, TLS/HTTPS connections,
and encrypted mail messages may be used.
All confidential data on computers outside the business perimeter (laptops, home workers'
PCs) must be encrypted, as must all private data on hard drives. Encryption keys must be
backed up and the copies kept separately in a secure location, so that losing a device does not
also mean losing access to the data.
The minimum key length permitted for symmetric encryption is 256 bits.
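The policy above can be turned into an automated check. The Go program below is an added example (not part of the original policy text) that inspects a crypto/tls configuration for the rules stated here: TLS rather than plain connections, certificate verification kept on, and only cipher suites with a 256-bit symmetric key. The approved-suite list, the WeakConfig and PolicyConfig configurations and the wording of the findings are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// approvedSuites are the TLS 1.2 suites that use a 256-bit symmetric key with
// forward secrecy (ECDHE) and an AEAD mode. The set is an assumption of this
// example chosen to satisfy the 256-bit rule; adjust it to your own policy.
var approvedSuites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    true,
}

// CheckTLSPolicy returns one message for each way cfg breaks the policy.
// An empty result means the configuration is acceptable.
func CheckTLSPolicy(cfg *tls.Config) []string {
	var problems []string
	if cfg.InsecureSkipVerify {
		problems = append(problems, "InsecureSkipVerify is set: server certificates are not validated, so this is not a secure connection in the policy's sense")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		problems = append(problems, "MinVersion must be set explicitly to TLS 1.2 or higher")
	}
	if len(cfg.CipherSuites) == 0 && cfg.MinVersion < tls.VersionTLS13 {
		problems = append(problems, "CipherSuites is empty: the library default includes 128-bit suites for TLS 1.2")
	}
	for _, id := range cfg.CipherSuites {
		if !approvedSuites[id] {
			problems = append(problems, fmt.Sprintf("cipher suite %s is not approved (needs ECDHE, AEAD and a 256-bit key)", tls.CipherSuiteName(id)))
		}
	}
	return problems
}

// WeakConfig is a constructed configuration that breaks the policy in three ways.
func WeakConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA},
	}
}

// PolicyConfig meets every rule the policy states.
func PolicyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "policy": PolicyConfig()} {
		problems := CheckTLSPolicy(cfg)
		fmt.Printf("%s config: %d problem(s)\n", name, len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Two caveats a reviewer should note when applying this check. First, it inspects the configuration object, not a live connection, so it belongs in a code review or CI step rather than in monitoring. Second, Go fixes the TLS 1.3 suite list (which includes 128-bit AES-GCM) and ignores CipherSuites for TLS 1.3, so a literal "256-bit only" rule cannot be enforced for TLS 1.3 with this library; the policy text should say how that case is to be handled.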
III. GIVE THE MUSTS AND SHOULDS THAT APPLY WHEN CREATING A POLICY
a) What must exist when creating a policy
 Possess the ability to put it into practice and enforce it
o Security rules are meant to be directive, leading and controlling employee behaviour.
Everyone, from the CEO to the newest employees, must adhere to the policies.
o Users need to see a security policy several times before its message, and the reason behind
it, sinks in. Under most security standards, non-compliance can lead to administrative
action up to and including termination of employment. If the policy is not enforced,
employee behaviour will not be steered toward productive and secure computing habits.
 Be concise and easy to understand.
b) What should exist when creating a policy
 Justify the need for the policy.
A security policy's main purpose is to keep the company and its employees secure.
The demands of the business must be known by security professionals. Think about how
this policy supports the mission of my company. Is it taking care of the concerns of top
management? Security policies should not be established in isolation. If we do, there's a
good chance it won't meet our company's needs. Writing security rules is an iterative process
that requires top-level management approval before being made public. To maintain and
monitor policy enforcement, more resources will undoubtedly be necessary.
 Define how exceptions are handled.
An exception to a security policy is sometimes necessary for good reasons. The policy
should state how an exception is requested and approved in such situations, and management
should know which exceptions are in force.
 Specify how violations will be handled.
State the consequences of non-compliance and who is responsible for enforcement. Beyond
that, a security policy should not try to include everything but the kitchen sink: procedures,
baselines, and guidelines can fill in the "how" and "when" that the policy leaves open. Each
policy should address a specific problem (for example, acceptable use, access control, and
so on), which makes it simpler to manage and maintain.
IV. EXPLAIN AND WRITE DOWN ELEMENTS OF A SECURITY POLICY
a) Purpose
First, state the policy's goal, which might be to:
 Create a comprehensive strategy for data security.
 Detect and prevent data security breaches, including network, data, application, and
computer system misuse.
 Maintain the organization's reputation while adhering to ethical and legal obligations.
 Respect customer rights, including how to respond to noncompliance queries and complaints
(Cassetto, 2022).
b) Information security objectives
Assist the management team in defining well-defined strategy and security objectives. The three
major goals of information security are:
 Confidentiality – Data and information assets can only be accessed by those who have
been given permission.
 Integrity – Data must be complete, accurate, and unaltered except through authorized
changes.
 Availability – Users must be able to access information or systems whenever they need
them, and IT systems must remain operational.
c) Authority and access control policy
A senior manager may have the ability to decide what data may be shared and with whom in a
hierarchical structure. A senior manager's security policy may differ from that of a junior
employee. Each organizational role's level of responsibility for data and IT systems should be
specified in the policy.
Users can only access business networks and servers through unique logins that need
authentication, such as passwords, biometrics, ID cards, or tokens, according to network security
policy.
d) Data classification
Data should be classified into categories such as "top secret," "secret," "confidential," and
"public," according to the guideline. When it comes to data classification, the goal is to:
 make sure that those with lower clearance levels cannot access more sensitive information;
 safeguard highly sensitive data while avoiding unnecessary security measures for less
sensitive data.
e) Data support and operations
Systems that hold personal data or other sensitive data must follow organizational standards,
best practices, industry compliance standards, and relevant legislation. Most security standards
require encryption, a firewall, and anti-malware protection as a minimum.
Data backup – Use industry best practices to encrypt data backups. Backup media should be kept
in a secure location, or backups should be moved to a secure cloud storage location.
Data transmission — Only use secure methods to send data. Any information copied to portable
devices or transferred over a public network should be encrypted.
f) Security awareness and behaviour
Employees should be aware of your IT security procedures. Conduct training sessions for staff
to learn about the security policies and mechanisms, such as data protection, access control, and
sensitive data categorization.
 Social engineering – Emphasize the hazards of social engineering assaults in particular
(such as phishing emails). Employees should be held accountable for detecting,
preventing, and reporting such assaults.
 Policy of keeping a clean workstation — A cable lock is a good way to keep computers
safe. Documents that are no longer needed should be shredded. Maintain a tidy printer
area to prevent papers from falling into the wrong hands (Cassetto, 2022).
 Acceptable Internet usage policy—define how Internet access should be limited.
g) Encryption policy
Encryption transforms data so that it is unreadable to anyone who does not hold the key. It
protects data at rest and in transit between places, ensuring that sensitive, confidential, and
proprietary information remains private, and it also secures client-server communication. An
encryption policy helps a business define:
 The devices and media that the company needs to encrypt
 When encryption is required
 The minimal requirements for the encryption program you've chosen.
h) Data backup policy
A data backup policy establishes the rules and methods for creating data backup copies. It's an
important part of your entire data security, business continuity, and disaster recovery plan. The
following are some of the most important features of a data backup policy:
 Identifies all data that the company needs to back up.
 Determines the backup frequency, such as when to make a complete backup and when to
do incremental backups.
 Defines the place where backup data is stored.
 Lists all positions responsible for backup procedures, such as backup administrators and
IT team members.
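To show how the frequency rule above (full versus incremental) can be applied mechanically, here is an added Go example that is not part of the original text. It hashes every file under a directory, compares the result with the previous snapshot, and decides whether the next run is a full backup or an incremental one; the seven-day full-backup interval, the sample files and the snapshot format are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Snapshot maps a relative file path to the SHA-256 of its contents. Comparing
// content hashes rather than modification times means a file that was altered
// and had its timestamp reset (by malware or a careless tool) is still caught.
type Snapshot map[string]string

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Scan walks root and hashes every regular file beneath it.
func Scan(root string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		snap[filepath.ToSlash(rel)] = sum
		return nil
	})
	return snap, err
}

// BackupPlan lists what the next run must copy and which files it must record
// as deleted so that a restore from the chain of backups stays consistent.
type BackupPlan struct {
	Full    bool
	Copy    []string
	Deleted []string
}

// Plan applies the policy: a full backup when none exists or the last one is
// older than fullEvery, otherwise an incremental one containing only files
// that are new or whose content changed since the previous snapshot.
func Plan(lastFull time.Time, prev, current Snapshot, now time.Time, fullEvery time.Duration) BackupPlan {
	plan := BackupPlan{}
	if lastFull.IsZero() || now.Sub(lastFull) >= fullEvery {
		plan.Full = true
		for path := range current {
			plan.Copy = append(plan.Copy, path)
		}
	} else {
		for path, sum := range current {
			if prev[path] != sum {
				plan.Copy = append(plan.Copy, path)
			}
		}
		for path := range prev {
			if _, ok := current[path]; !ok {
				plan.Deleted = append(plan.Deleted, path)
			}
		}
	}
	sort.Strings(plan.Copy)
	sort.Strings(plan.Deleted)
	return plan
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	root, err := os.MkdirTemp("", "backup-demo") // constructed sample directory
	must(err)
	defer os.RemoveAll(root)
	must(os.WriteFile(filepath.Join(root, "ledger.csv"), []byte("2024-01-01,100\n"), 0o600))
	must(os.WriteFile(filepath.Join(root, "notes.txt"), []byte("hello\n"), 0o600))
	first, err := Scan(root)
	must(err)
	day1 := time.Now()
	fmt.Printf("day 1: %+v\n", Plan(time.Time{}, nil, first, day1, 7*24*time.Hour))

	// Next day: ledger changed, notes deleted, a new file added.
	must(os.WriteFile(filepath.Join(root, "ledger.csv"), []byte("2024-01-01,100\n2024-01-02,250\n"), 0o600))
	must(os.Remove(filepath.Join(root, "notes.txt")))
	must(os.WriteFile(filepath.Join(root, "report.pdf"), []byte("%PDF-1.4\n"), 0o600))
	second, err := Scan(root)
	must(err)
	fmt.Printf("day 2: %+v\n", Plan(day1, first, second, day1.Add(24*time.Hour), 7*24*time.Hour))
}
```

The snapshot doubles as an integrity record: re-hashing restored files against it shows whether the backup media themselves were altered, which is the check a backup policy should require before a restore is trusted.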
i) Responsibilities, rights, and duties of personnel
Appoint personnel to conduct user access evaluations, education, change management, incident
management, security policy execution, and periodic updates. As part of the security policy,
responsibilities should be clearly specified.
j) References to regulations and compliance standards
Regulations and compliance requirements that affect the company, such as GDPR, CCPA, PCI
DSS, SOX, and HIPAA, should be referenced in the information security policy.
V. GIVE THE STEPS TO DESIGN A SECURITY POLICY
1) Identify your risks
Monitoring and reporting tools are a good way to discover your risks. Many firewall and Internet
security vendors offer free trial periods for their products; if the products provide reporting, the trial
period can be used to analyze your risks.
2) Learn from others
Because there are so many different sorts of security measures, it's crucial to look at what other
companies are doing.
3) Make sure the policy conforms to legal requirements
Your organization may be obliged to meet certain minimum requirements to safeguard the privacy and
integrity of its data, depending on its data holdings, jurisdiction, and location, especially if it holds
personal information. Having a robust security policy codified and in place is one way to mitigate
any liability you could incur in the case of a security breach (Duigan, 2013).
4) Match the level of security to the level of risk
The most crucial thing is to have a documented code of conduct. Excessive security can make it
difficult to run a business smoothly, so be careful not to overprotect.
5) Include staff in policy development
No one wants a policy that is imposed from on high. Staff should be included in the process of
determining appropriate use. Keep employees informed as the regulations and tools are established.
People will be considerably more willing to cooperate if they appreciate the importance of a
responsible security policy.
6) Train employees
Staff training is sometimes disregarded or undervalued as part of the AUP implementation process.
However, it is perhaps one of the most helpful stages in practice. It not only helps you inform
employees about the policy and explain it, but also lets you explore the policy's practical, real-world
consequences. In a training forum, end-users frequently ask questions or provide examples, which
can be quite enlightening. These questions can help define the policy in greater depth and
modify it to make it more useful.
7) Get it in writing
Make sure that everyone on the team has read, signed, and comprehended the policy. When new
personnel are brought on board, they should be asked to sign the policy and reread and confirm their
comprehension of it at least once a year. Use automated solutions to enable huge businesses
electronically send and track signatures on documents. Some programs even provide quizzes to
assess the user's understanding of the policy.
8) Set clear penalties and enforce them
Network security is no laughing matter. Security policy is a requirement of employment, not a
collection of optional suggestions. Establish a clear set of processes that explain the consequences
of violating the security policy. Then put them in place. A security policy that is followed
haphazardly is almost as bad as having no policy at all.
9) Update staff
Because the network is continually developing, a security policy is a dynamic document. People come
and go. Databases are produced and deleted on a regular basis. New security dangers emerge on a regular
basis. It's challenging enough to maintain the security policy up to date, but keeping employees
informed about any changes that can influence their day-to-day operations is much more difficult.
The key to success is open communication.
10) Install the necessary tools
It's one thing to have a policy; it's another to enforce it. Content security technologies for the internet
and e-mail with customisable rule sets can ensure that policy, no matter how complicated, is
followed. Purchasing tools to implement your security policies is one of the most cost-effective
expenditures you will ever make.
TASK 4 - LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN,
JUSTIFYING THE REASONS FOR INCLUSION (P8)
I. DISCUSS WITH AN EXPLANATION ABOUT BUSINESS CONTINUITY
1. Definition:
The capacity of a company to maintain critical functions during and after a crisis is referred to as
business continuity. Business continuity planning sets risk management methods and procedures with
the goal of preventing mission-critical service outages and resuming full operations as fast and easily
as feasible (Sullivan, 2020).
Figure 9: business continuity
The most fundamental requirement for business continuity is to maintain critical functions operational
during a crisis and to recover with little downtime. Natural catastrophes, fires, disease outbreaks,
cyberattacks, and other external dangers are all factors to consider in a business continuity strategy.
2. The Importance of Business Continuity
Business continuity is crucial at a time when downtime is unacceptable. Downtime may occur in a
variety of forms. Cyberattacks and severe weather, for example, appear to be becoming worse. It's
critical to have a business continuity strategy in place that takes into account any potential operational
disruptions.
During a crisis, the strategy should allow the organization to continue operating at a minimum level.
Business continuity aids an organization's survivability by allowing it to respond swiftly to a disruption.
Business continuity saves money, time, and the reputation of the organization. A long outage poses a
danger of financial, personal, and reputational harm.
Business continuity necessitates an organization's self-evaluation, analysis of possible areas of
vulnerability, and collection of essential information - such as contact lists and system technical
diagrams - that might be beneficial outside of catastrophe scenarios. An organization's communication,
technology, and resilience may all benefit from the business continuity planning process.
For legal or compliance reasons, business continuity may be required. It's critical to understand which
rules apply to a certain company, especially in an era of rising regulation.
II. LIST THE COMPONENTS OF THE RECOVERY PLAN
1) Take Inventory of IT Assets
Make a list of all your assets to see which ones will need to be protected. The following are examples
of assets:
• Network equipment
• Cloud services
• Hardware and software
• Critical data
Though time-consuming, compiling a list of assets can provide a thorough grasp of the company's
processes. Regularly update the list as assets are added, withdrawn, or updated, and utilize it to purge
unneeded information.
2) Sort Assets According to Criticality and Context
Now that the assets have been inventoried, it's necessary to look at them in context. What is the
company's strategy for utilizing these resources? Which assets, if compromised or lost, would have the
most significant impact in the event of a disaster? Examine all of the mapped assets and rank them from
high to low in terms of effect.
Knowing the value of each asset and how they interact can help to decide which assets should be
prioritized in the disaster recovery strategy.
3) Assess Potential Risks
Threats aren't all created equal. What are the most significant dangers to the company as a whole? What
are the most likely targets for these threats? Critical systems personnel are well-versed in the most likely
reasons for service disruption, therefore gaining their opinion early on is crucial. It won't be possible
to predict all risks, but we can make an effective strategy by considering the likelihood and magnitude
of each.
4) Define RTO and RPO
Recovery goals should be divided into two categories: recovery time objectives (RTO) and recovery
point objectives (RPO). RTO stands for the maximum length of time the assets may be down before
being recovered, and RPO stands for the maximum quantity of data you're prepared to lose.
These goals should be identified early in the disaster recovery planning process so that the right
arrangement may be chosen.
Discuss with the company's top management and operational workers the implications of an
anticipated interruption lasting anywhere from one minute to a full day. This data can help you
determine your RTO and RPO, as well as how frequently your data should be backed up.
5) Select A Disaster Recovery Setup
At this point you have a thorough grasp of your assets, risks, RTO and RPO. Put together a disaster
recovery plan using this information. At this point, we could ask ourselves the following questions:
• Will you have a ready-to-use disaster recovery facility?
• What city will it be in? Is it going to be cloud-based? Do you want to host your own site?
• Which backups are you going to keep? What will their location be?
It's critical to have a remote data storage solution in place to secure your assets from cyber-attacks and
natural catastrophes that might cause physical harm. Select the cloud services, software, hardware, and
partners.
6) Propose A Budget
Regardless of the resources available, every organization should have a disaster recovery strategy.
Senior management should be reminded of the need for disaster recovery, but there should be numerous
solutions available at various price ranges.
Higher budgets will include a disaster recovery plan with stronger RTOs and RPOs, as well as more
generous support for more essential services and maybe as part of a larger business continuity plan.
Each company's disaster recovery needs will differ, and with the correct information, management can
strike the right balance between risk and investment in disaster recovery technology.
7) Test and Review
The disaster recovery plan will need to be tested and reviewed in the final step to guarantee it is ready.
All employees must be aware of their responsibilities in the event of a crisis. Conduct a catastrophe
exercise to test the strategy and assess how employees react to the threat. If things don't go as smoothly
as you'd want, make changes to the plan.
A catastrophe recovery strategy can never be fully implemented. It should be checked on a regular
basis, ideally every six months or so, to verify that it is still working. Assets, organizational structure,
and IT configuration will all change over time, and the disaster recovery plan will need to be updated
to reflect these changes.
III. ALL THE STEPS REQUIRED IN THE DISASTER RECOVERY PROCESS
1) Create an inventory
Every organization should know which IT resources—systems, hardware, and software—are needed to
conduct its operations. In addition to a simple inventory, adding additional scenarios to your IT disaster
recovery strategy might be beneficial. Consider which systems might be impacted if your business was
hit by a flood, hurricane, fire, or power loss.
2) Establish a recovery timeline
After recording the IT inventory, you can decide on reasonable recovery targets and timelines for
particular systems. Healthcare sectors may have recovery times of only a few minutes, but other
industries may find longer recovery times reasonable.
The recovery time objective (RTO) and recovery point objective (RPO) ideas will come in handy here:
• RTO (Recovery Time Objective): The greatest amount of time that should pass before the IT
systems recover.
• RPO (Recovery Point Objective): The maximum length of time allowed for the IT systems to
recover since the most recent data backup (Mulligan, 2019).
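The RTO/RPO definitions above (and the "Define RTO and RPO" and "Test and Review" steps in the previous section) are easier to apply once they are turned into a check that can be run after a disaster recovery drill. The following is an added example, not code from the assignment or from Mulligan (2019); the asset names, criticality tiers, objectives, backup timestamps and restore times are all constructed for illustration. It ranks the inventory by criticality, derives the backup interval each asset needs from its RPO, and compares a drill's measured data loss and downtime against each asset's objectives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 = highest impact if lost, 3 = lowest (step 2: rank by effect)
    rto: timedelta     # maximum tolerable downtime
    rpo: timedelta     # maximum tolerable data loss, expressed as an age of data


# Constructed inventory (hypothetical assets, not taken from the assignment).
INVENTORY = [
    Asset("customer-db", 1, timedelta(hours=1), timedelta(minutes=15)),
    Asset("web-frontend", 1, timedelta(hours=2), timedelta(hours=24)),
    Asset("file-share", 2, timedelta(hours=8), timedelta(hours=4)),
    Asset("wiki", 3, timedelta(days=1), timedelta(days=1)),
]


def rank_by_criticality(assets):
    """Order assets from highest to lowest impact; tighter RTO first within a tier."""
    return sorted(assets, key=lambda a: (a.criticality, a.rto))


def required_backup_interval(asset):
    """Backups must run at least as often as the RPO, or the RPO cannot be met."""
    return asset.rpo


def evaluate_drill(assets, last_backup, disaster_at, restore_finished):
    """Compare a (real or simulated) incident against each asset's objectives.

    last_backup:      name -> datetime of the most recent successful backup
    disaster_at:      datetime at which the outage started
    restore_finished: name -> datetime at which the asset was back in service
    Returns name -> measured data loss, downtime, and whether RPO/RTO were met.
    """
    results = {}
    for a in assets:
        data_loss = disaster_at - last_backup[a.name]      # age of the restored data
        downtime = restore_finished[a.name] - disaster_at   # time the asset was unavailable
        results[a.name] = {
            "data_loss": data_loss,
            "downtime": downtime,
            "rpo_met": data_loss <= a.rpo,
            "rto_met": downtime <= a.rto,
        }
    return results


def failing_assets(results):
    """Assets that missed either objective; these are the gaps to record and fix."""
    return sorted(n for n, r in results.items() if not (r["rpo_met"] and r["rto_met"]))


# Constructed drill scenario: one backup older than its RPO, one restore slower than its RTO.
T0 = datetime(2024, 1, 1, 9, 0)
LAST_BACKUP = {
    "customer-db": T0 - timedelta(minutes=10),
    "web-frontend": T0 - timedelta(hours=20),
    "file-share": T0 - timedelta(hours=6),    # 4 h RPO: too old
    "wiki": T0 - timedelta(hours=12),
}
RESTORED = {
    "customer-db": T0 + timedelta(minutes=50),
    "web-frontend": T0 + timedelta(hours=3),  # 2 h RTO: too slow
    "file-share": T0 + timedelta(hours=5),
    "wiki": T0 + timedelta(hours=6),
}
DRILL = evaluate_drill(INVENTORY, LAST_BACKUP, T0, RESTORED)

if __name__ == "__main__":
    for a in rank_by_criticality(INVENTORY):
        r = DRILL[a.name]
        print(f"{a.name:13s} tier={a.criticality} backup every {required_backup_interval(a)} "
              f"loss={r['data_loss']} down={r['downtime']} "
              f"RPO {'ok' if r['rpo_met'] else 'MISSED'} RTO {'ok' if r['rto_met'] else 'MISSED'}")
    print("needs remediation:", failing_assets(DRILL))
```

Running the drill twice a year with the real backup catalog and measured restore times, as the text recommends, turns "test and review" into a repeatable check: any name returned by failing_assets is a gap to document, and a backup schedule looser than required_backup_interval is a plan defect visible before any disaster.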
3) Create a Communication Plan
Obtain buy-in from key stakeholders before calamity strikes. Everyone should be aware of which IT
activities may be impacted, what would happen next, and who would be in charge of correcting the
problems.
Ask employees how various systems or networks might affect their work if they were unavailable for a
period of time. In the case of a power or Internet failure, you should also devise a plan for
communicating with your employees.
4) Develop a Data Backup and Recovery Plan
Whether a small fault happens (a server fails, an employee deletes critical information) or a grave crisis
threatens to interrupt business continuity entirely, planning for a disaster of any sort is necessary
for every firm that wishes to stay operating.
Despite the fact that the aim is to avoid a breach at all costs, cyber assaults are unavoidable.
It's vital to have a plan in place to address and mitigate the consequences.
A solid response strategy includes a team of IT professionals devoted to resolving the issue, monitoring
for additional infiltration, and controlling the current data breach.
5) Consider physical damages
Power outages and severed wires may put your firm on the verge of collapse. Make sure to have a
backup generator on hand to keep the organization afloat in the event of a crisis.
6) Consider the human factor
Humans, whether intentionally or unintentionally, may be a source of disaster. Lock down
administrative permissions on the systems to reduce the danger of a disaster.
Only the systems and data that employees and third-party providers require should be accessible.
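The "human factor" step above comes down to a periodic access review: compare what each account actually holds against what its role needs, and shrink the set of standing administrative and third-party grants. The following is an added example, not code from the assignment or from Mulligan (2019); the roles, systems, accounts and grants are constructed, and the entitlement matrix is a hypothetical stand-in for whatever an organization documents as required access.

```python
from dataclasses import dataclass

# Constructed entitlement matrix (hypothetical): the privilege each role needs
# on each system. Any grant beyond this is a candidate for removal.
REQUIRED_ACCESS = {
    "accountant": {"finance-app": "user"},
    "developer": {"git": "user", "ci": "user"},
    "sysadmin": {"git": "admin", "ci": "admin", "finance-app": "admin"},
    "vendor": {"ci": "user"},  # third-party provider: only what the contract needs
}
PRIVILEGE_RANK = {"none": 0, "user": 1, "admin": 2}


@dataclass(frozen=True)
class Grant:
    account: str
    role: str
    system: str
    privilege: str
    third_party: bool = False
    expires: bool = True  # third-party access should always be time-limited


# Constructed export from an access-management system (hypothetical data).
GRANTS = [
    Grant("alice", "accountant", "finance-app", "user"),
    Grant("alice", "accountant", "git", "user"),            # role does not need git
    Grant("bob", "developer", "git", "admin"),              # admin where user suffices
    Grant("bob", "developer", "ci", "user"),
    Grant("carol", "sysadmin", "git", "admin"),
    Grant("vendor-x", "vendor", "ci", "user", third_party=True, expires=False),
    Grant("vendor-x", "vendor", "finance-app", "user", third_party=True),
]


def review_grants(grants, required=REQUIRED_ACCESS):
    """Return (account, system, reason) for each grant that exceeds the role's
    documented need, and for third-party access that never expires."""
    findings = []
    for g in grants:
        needed = required.get(g.role, {}).get(g.system, "none")
        if PRIVILEGE_RANK[g.privilege] > PRIVILEGE_RANK[needed]:
            reason = ("not required" if needed == "none"
                      else f"{g.privilege} exceeds required {needed}")
            findings.append((g.account, g.system, reason))
        if g.third_party and not g.expires:
            findings.append((g.account, g.system, "third-party access without expiry"))
    return sorted(findings)


def admin_accounts(grants):
    """Accounts holding admin on any system: the set to keep as small as possible."""
    return sorted({g.account for g in grants if g.privilege == "admin"})


if __name__ == "__main__":
    for account, system, reason in review_grants(GRANTS):
        print(f"{account:10s} {system:12s} {reason}")
    print("standing admin accounts:", admin_accounts(GRANTS))
```

Each finding maps to a concrete remediation (remove the grant, downgrade it, or put an expiry on it), and the admin_accounts list is the one a disaster recovery plan should keep short, since those are the accounts whose mistakes or compromise can take down the most systems.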
7) Consider insurance
If there are concerns about the expenses of recovery, purchasing catastrophe insurance as part of a
disaster recovery plan may be a viable choice. This entails not just replacing your IT equipment, but
also looking at the larger consequences and losses that may occur as a result of a disaster. Speak with
an insurance specialist if this option appeals to you.
8) Test disaster recovery plan
At the absolute least, the IT disaster recovery strategy should be evaluated twice a year. One of our
clients realized that all of their drives failed while trying to recover them after not testing their strategy
for several years. The data would have been gone forever if this had happened during a true disaster.
Any holes discovered during this testing should be thoroughly recorded so that they may be addressed.
Consult a reputable MSP to learn about your remediation choices.
9) Combine DR and BC
IT is critical, but it is just one part of the puzzle when a company recovers from a tragedy. During and
after a disaster, business continuity (BC) refers to an organization-wide plan to sustain key business
activities as much as feasible. Create and test a comprehensive BC strategy so you can be assured in
your ability to deal with any unforeseen occurrence.
10) Find the right partner
Disaster recovery isn't something that can be set and forgotten; it requires ongoing maintenance. It’s
essential to update the disaster recovery plan with new methods, technologies, and equipment, as well
as make any necessary revisions if the business requirements alter. Working with an MSP may be quite
beneficial in terms of getting a second pair of eyes on the disaster recovery plan or professional advice
on how to construct one (Mulligan, 2019).
IV. EXPLAIN SOME OF THE POLICIES AND PROCEDURES THAT ARE REQUIRED FOR
BUSINESS CONTINUITY
1. Policies That Are Required For Business Continuity
• Risk Management Policy: When designing a business continuity policy, the most important
factor to consider is the types of risks that an organization may encounter. Is the company
located in a location where storms or other big weather events are likely to occur? What
geopolitical circumstances may lead to a failure? Have you ever had any troubles with
ransomware or other viruses that need extra attention? When developing a business continuity
policy, companies must consider all of these considerations by sticking to the risk management
policy.
• Incident Response Policy: The earlier the organization can notice and respond to a data breach
or even a security event, the less likely it is to have a major impact on your data, customer
confidence, reputation, and income. If the company doesn't have an incident response plan in
place, there are more potential threats that harm business continuity.
• Emergency Management Policy: The course of action taken by a firm to mitigate the impact of
an incident or crisis is known as emergency management policy. The basic goal of emergency
planning is to keep people safe, protect the community, and maintain business continuity.
Sticking to the emergency management policy generally includes procedures to follow in the event
of a disaster, a defined set of roles and duties, and instructions for local emergency response and
recovery organizations. This is an important aspect of keeping employees safe.
• Business Continuity Policy: If the company gets back to regular operations while its competitors
are still trying to figure it out, it will have a significant edge over them. Getting the network back
up and running quickly, restoring access to the business data and documents, and reconnecting the
staff so they can interact with one another and serve the customers helps the company to stand out
as a leader and one that can be trusted.
2. Procedures That Are Required For Business Continuity
• Business Impact Analysis: The organization will identify time-sensitive functions and
resources.
• Recovery: The organization must establish and implement actions to restore critical business
functions in this area.
• Organization: A management department must be established. This group will devise a strategy
to deal with the interruption.
• Training: Training and testing are required for the continuity crew. Members of the team should
also participate in activities that go beyond the plan and strategy.
V. DISCUSS THE ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT
SECURITY AUDIT RECOMMENDATIONS (M7)
Stakeholders have a role and obligation in making good decisions, and they may also help with project
scheduling and budgeting. Many project stakeholders are accountable for the business, which includes
developer education, project development, scheduling parameter generation, and milestone date setting.
The organization's information security policy would aid in defining the personnel as well as their ongoing
conduct in terms of security and the organization. Stakeholders would also be required to provide input and
expertise in order to assess and improve the ISP. The goal of the paper would be to identify stakeholders
who might then be used in the ISP development process. Stakeholders would be involved in the creation of
the ISP and would vary in terms of organizational size. The study would identify the development process
and employ contextual interviews to validate the roles from a practical standpoint.
They also develop assumptions and limits, and work packages, engage in the risk management process,
assist with quality and communication strategies, establish ground rules, and give estimates.
| Stakeholders | Role |
|---|---|
| Director (Internal) | A director is a person in charge of making decisions for a company. The director will make sure that a security audit plan can be carried out successfully by the departments that are directly involved. |
| Server Manager (Internal) | Also known as the Server Administrator. They are in charge of providing assistance, installing, maintaining, and keeping track of the network. They keep software and system equipment up to date, as well as oversee system availability and performance. |
| System Developer (Internal) | They are the individuals or departments in charge of network security, data security, and policy enforcement. For instance, network engineers, database developers, and so on. |
| Risk Manager (Internal) | A risk manager is a person or department responsible for ensuring that all departments are working together to analyze, manage, and implement a plan to combat cyber threat agents. Risk managers also comprehend danger agents and have a strategy in place for what will happen to the organization's security... |
| The Business Partner (External) | When a group or organization collaborates with a business, they will work together to ensure that the security policy is followed and that the security strategy is implemented. |

Table 1: ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS
CONCLUSION
This paper covers risk assessment and data protection, as well as a variety of policies and procedures that can help
individuals and organizations better protect their data when online. It lists policies that help in understanding what is
required to design and implement a security policy and business continuity. There are many risks and threats to identify,
but there is also more knowledge to help me defend myself from cyber threats, allowing me to be more cautious when
identifying them.
References
Anon., 2016. SECURITY RISK MANAGEMENT & ISO 31000. [Online]
Available at: https://www.athenarisk.com/security-risk-management-iso-31000/
Anon., 2019. Sample Acceptable Use Policy Template and Examples. [Online]
Available at: https://www.websitepolicies.com/blog/sample-acceptable-use-policy-template
Besemer, L., 2011. Data protection, s.l.: s.n.
Cassetto, O., 2022. The 12 Elements of an Information Security Policy. [Online]
Available at: https://www.exabeam.com/information-security/information-security-policy/
Cole, B., 2021. risk assessment. [Online]
Available at: https://searchcompliance.techtarget.com/definition/risk-assessment
Crocetti, P., 2021. What is data protection and why is it important? [Online]
Available at: https://www.techtarget.com/searchdatabackup/definition/data-protection
Duigan, A., 2013. security policy. [Online]
Available at: https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html
Gillis, A. S., 2021. Security Audit. [Online]
Available at: https://www.techtarget.com/searchcio/definition/securityaudit#:~:text=Security%20audits%20will%20help%20protect,and%20can%20catch%20new%20vulnerabilities.
Haldenby, 2016. Product Tracking and Control System. Toronto: s.n.
Lashin, M., 2016. Application of ISO 31000 principles. [Online]
Available at: https://www.linkedin.com/pulse/application-iso-31000-principles-dr-mohamed-lashin
Lashin, M., n.d. Risk Management Principles and Guidelines - ISO 31000, s.l.: s.n.
Mulligan, B., 2019. 10-Step Disaster Recovery Plan for Your IT Department. [Online]
Available at: https://www.kelsercorp.com/blog/10-step-disaster-recovery-plan-it-department
Rock, T., 2022. 7 Real-Life Business Continuity Examples You’ll Want to Read. [Online]
Available at: https://invenioit.com/continuity/4-real-life-business-continuity-examples/
Sullivan, E., 2020. Business Continuity. [Online]
Available at: https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity