lOMoARcPSD| 24865561
ASM2-1623 - Unit 5: Security
Unit 5: Security (Trường Đại học FPT)
Studocu is not sponsored or endorsed by any college or university
Downloaded by Linh H? (honhatlinh310803@gmail.com)

ASSIGNMENT 2 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:
Student Name: Phan Nguyen Dinh Trong
Student ID: GCD201526
Class: GCD0905
Assessor name: Tran Trong Minh
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Trong
Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:
Grade:
Resubmission Feedback:
Assessor Signature:
Date:
Lecturer Signature:

Table of Contents
P5. Discuss risk assessment procedures
  1. Risk
    1.1 Negative school: risk is considered unlucky, loss, danger
    1.2 The neutral school
  2. Risk assessment
  3. Asset
  4. Vulnerability
  5. Threat
  6. Risk Identification Procedures
  7. Risk assessment procedures
P6. Explain data protection processes and regulations as applicable to an organisation
  1. Data protection
  2. Data protection
    2.1 Assessment of network security risks
    2.2 Raise awareness about data security for employees
    2.3 Data security management
    2.4 Troubleshooting and problem management
    2.5 Configure the system securely
    2.6 Ensure the network is divided into separate areas
    2.7 Secure enterprise data by monitoring network security
    2.8 Access control
    2.9 Increased malware protection
    2.10 Update patches regularly
    2.11 Perform encryption
  3. The importance of data protection regulations
P7. Design and implement a security policy for an organisation
  1. Security policy
  2. Example of policy
    2.1 Purpose
    2.2 Scope
    2.3 Policy
    2.4 Technical guidelines
    2.5 Reporting requirements
  3. The musts and shoulds of creating a policy
    3.1 Ensure that there is a policy on policies
    3.2 Identify any overlap with existing policies
    3.3 Don't develop the policy in a vacuum
    3.4 Step back and consider the need
    3.5 Use the right words so there is no misunderstanding of intent
    3.6 When possible, include an exceptions process
    3.7 Allow some shades of gray
    3.8 Define policy maintenance responsibility
    3.9 Keep senior executives out of the routine when possible
    3.10 Establish a policy library with versioning
  4. The elements of a security policy
    4.1 Introduction
    4.2 Security Policy Document
    4.3 Introductory Elements
    4.4 Purpose
    4.5 Scope
    4.6 Responsibilities
    4.7 Objectives
    4.8 Threat and Risk Assessment
    4.9 Policy Attributes
    4.10 Identification
    4.11 Policy Statement
    4.12 Elaboration
    4.13 Threat addressed
    4.14 Exceptions
    4.15 Violations
    4.16 References
    4.17 History
    4.18 Areas of Coverage
    4.19 Physical Security Policies
    4.20 Network Security Policies
    4.21 Host Security Policies
    4.22 User Security Policies
    4.23 Document Security Policies
    4.24 Documentation Policies
    4.25 Incident Handling Policies
    4.26 Audit Policies
    4.27 Conclusion
  5. The steps to design a policy
  6. Steps in policy development
P8. List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion
  1. Business continuity
  2. The components of a recovery plan
  3. Steps to Building a Disaster Recovery Plan
    3.1 Conduct an asset inventory
    3.2 Perform a risk assessment
    3.3 Define criticality of applications and data
    3.4 Define recovery objectives
    3.5 Determine the right tools and techniques
    3.6 Get stakeholder buy-in
    3.7 Document and communicate your plan
    3.8 Test and practice your DR plan
    3.9 Evaluate and update your plan
  4. The policies and procedures that are required for business continuity
References

List of Figures
Figure 1 Risk
Figure 2 Vulnerability
Figure 3 Type of Threats
Figure 4 Risk assessment steps
Figure 5 Illustration
Figure 6 Control of access
Figure 7 Conduct an asset inventory
Figure 8 Perform a risk assessment
Figure 9 Define criticality of applications and data
Figure 10 Test and practice your DR plan
Figure 11 Life cycle

P5. Discuss risk assessment procedures

1. Risk

1.1 Negative school: risk is considered unlucky, loss, danger ...
- Risk is unhealthy, bad, and unexpected; in this view, risk means misfortune. Risk is the possibility of being in danger or suffering loss. Risks are unforeseen uncertainties that arise in a company's business and production processes and have a negative impact on the company's ability to exist and grow. Briefly put, conventional wisdom defines risk as "damage, loss, danger, or factors linked with danger, difficulty, or uncertainty that can happen to a person."

Figure 1 Risk

1.2 The neutral school
- Risk is uncertainty that can be quantified and is potentially linked to the occurrence of unanticipated events. Both the current value and the outcome of the risk are uncertain.

2. Risk assessment
Risk assessment is the process or procedure in which you:
+ Identify hazards and risk factors that have the potential to cause harm (hazard identification).
+ Examine and assess the risk connected to that hazard (risk analysis and risk evaluation).
+ Determine the best strategies to remove the hazard or, if that is not possible, to control the risk (risk control).
- A risk assessment is a detailed examination of your workplace to find any elements, circumstances, procedures, etc. that could cause harm, especially to people. Following identification, you assess the likelihood and seriousness of the risk. Once this assessment has been made, you can decide what steps need to be taken to eliminate or control the harm.
The following terms are used in the CSA Standard Z1002 "Occupational health and safety - Hazard identification and elimination and risk assessment and control":
- Risk assessment: The overall process of hazard identification, risk analysis, and risk evaluation.
- Risk analysis: A process for comprehending the nature of hazards and determining the level of risk.
- Risk evaluation: The process of comparing an estimated risk against given risk criteria to determine the significance of the risk.
- Risk control: Actions implementing risk evaluation decisions.

3. Asset
An asset is a resource with economic value that an individual, corporation, or country owns or controls with the expectation that it will someday be useful. Assets are reported on a company's balance sheet and are acquired or created in order to raise the company's value or improve its operations. Whether it is manufacturing equipment or a patent, an asset can be thought of as anything that, in the future, can generate cash flow, lower expenses, or increase sales.

Understanding Assets:
An asset represents an economic resource for a business, or access that other people or companies do not have. A right or other access is legally enforceable, so the resource can be used however the corporation sees fit, and its usage can be restricted or prohibited by the owner. For an asset to be present, a corporation must have a right to it as of the date of the financial statements. An economic resource is a scarce resource with the capacity to produce economic benefit by increasing cash inflows or decreasing cash outflows. Short-term (or current) assets, fixed assets, financial investments, and intangible assets are the basic categories of assets.

Personal Assets:
Personal assets are items with current or potential worth that belong to an individual or family. Personal assets frequently comprise the following:
- Financial instruments: cash and cash equivalents, CDs, checking and savings accounts, money market accounts, physical cash, and Treasury notes.
- Real estate, including any building permanently affixed to it.
- Personal property, including boats, collectibles, furniture, jewelry, and automobiles.
- Investments, including equities, bonds, mutual funds, annuities, pensions, and the cash value of life insurance policies.
By deducting your liabilities from your assets, you can determine your net worth. In essence, your liabilities are all of your debts, and your assets are everything you own. If you have a positive net worth, your assets are worth more than your liabilities; if you have a negative net worth, your liabilities are worth more than your assets (in other words, you are in debt).

Business Assets:
For businesses, assets are valuable items that support production and expansion. Assets for a firm might include tangibles like machinery, real estate, raw materials, and inventory, as well as intangibles like royalties, patents, and other forms of intellectual property. The balance sheet lists the assets of a firm and details how those assets are financed, including whether debt or stock issuance is used. A company's balance sheet gives a quick overview of how effectively its management is managing its resources. The two categories of assets that typically appear on a balance sheet are current assets and fixed assets.

Current Assets:
Assets that can be turned into cash within one fiscal year or one operating cycle are referred to as current assets. Current assets pay for the expenses and investments related to daily operations. Examples of current assets include:
- Cash and cash equivalents: cash, certificates of deposit, and Treasury bills.
- Marketable securities: debt securities or liquid equity.
- Accounts receivable: customer debt that needs to be settled soon.
- Inventory: raw materials or products for sale.

Fixed Assets:
Non-current assets, or fixed assets, are those that a business uses to produce goods and services and that have a longer useful life. Fixed assets are shown as property, plant, and equipment (PP&E) on the balance sheet. Fixed assets are long-term investments and are categorized as tangible (i.e., touchable) assets. Examples of fixed assets include:
- Vehicles (such as company trucks)
- Office furniture
- Machinery
- Buildings
- Land
One of the two main contrasts between personal assets and corporate assets is that non-current assets (like fixed assets) cannot be easily converted to cash to cover immediate operational costs or investments. In contrast, current assets are expected to be liquidated within one fiscal year or one operating cycle.

4. Vulnerability
A vulnerability is a gap or a weak point in the application, whether an implementation error or a design flaw, that allows an attacker to harm the application's stakeholders. The stakeholders are the owner of the application, the application's users, and other organizations that rely on the application.

Figure 2 Vulnerability

5. Threat
Definition: A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.
Cyber threats and vulnerabilities are occasionally mistaken for one another. The key word in this definition is "potential." A threat is not a security issue in an organization or an implementation; rather, it is anything that could compromise security. Compare this with a vulnerability, which is a genuine weakness that can be used against the system. The threat exists regardless of any precautions taken; however, there are ways to reduce the likelihood that it will materialize.

Types of threats
According to the NIST definition above, a threat might be an occurrence or a state of affairs. Natural disasters, fires, and power outages are all considered events in this context. It is a very broad idea. In the field of cybersecurity, threats such as viruses, Trojan horses, and denial-of-service attacks are more frequently discussed. Phishing emails pose a social engineering risk that may result in the loss of sensitive data such as passwords, credit card numbers, and other personal information. Threats to information assets can result in a loss of confidentiality, integrity, or availability, collectively known as the CIA triad. The STRIDE threat model is built on the CIA triad and three additional well-known security ideas. It is convenient to start with an established classification when listing potential threats.
The most well-known categorization is STRIDE, which was proposed by Microsoft in 1999. Because the name is derived from the first letters of its categories, they are also easier to recall.

Figure 3 Type of Threats

Examples of threats
Keep in mind that a threat is fairly broad: it does not specify how it would be carried out, or even whether it is feasible given the state of the system. Here are a few illustrations:
+ A malicious user reads the files of other users.
+ An attacker redirects queries made to a web server to his own web server.
+ An attacker modifies the database.
+ A remote attacker runs commands on the server.
Each of these examples can easily be mapped to a category in STRIDE. Other examples would be malware, trojans and worms.

6. Risk Identification Procedures
Risk identification procedures include:
1. The Risk Integrated Product Team (IPT) identifies a list of potential risk items. There are a variety of methods for identifying risks. Risks can be identified from:
   - Lessons learned
   - Subject matter experts (SME)
   - Prior experiences
   - Technology Readiness Level (TRL) determination
   - Programmatic constraints
   - Brainstorming
   - Work Breakdown Structure (WBS)
2. Risks are rated as acceptable or unacceptable. Not all risk factors listed in step 1 are taken further.
3. Risks that are accepted are documented and entered into a Risk Register.
4. Define the causes of each identified risk.
5. Risk analysis should focus on each identified risk in order to improve the risk description, identify the underlying causes, ascertain the effects, and help prioritize risk reduction.
   (A matrix for reporting risks)
6. Each risk should be addressed in the risk mitigation plan with action items and deadlines.
7. The Risk Integrated Product Team (IPT) holds regular meetings (every two weeks) to evaluate risks and, as necessary, add new risk items.
8. When every step necessary to close a risk has been taken, the risk is considered closed. Some risk items are closed swiftly, while others remain open for a very long time. Some are listed as "watch items", and their action plan does not start until a certain undesirable event occurs.
9. Closed risks are retained in the database for future learning.
Common risk identification methods are:
- Identification of risks based on objectives: Project teams and organizations both have goals. Any event that could jeopardize achieving a goal wholly or partially is identified as a risk.
- Identification of risks based on scenarios: In scenario analysis, various scenarios are produced. The scenarios could represent several approaches to achieving a goal, or an analysis of the interactions of forces in, say, a market or a conflict. Any event that results in an undesirable scenario alternative is identified as a risk.
- Identification of risks using taxonomies: In taxonomy-based risk identification, the taxonomy is a breakdown of potential risk sources. A questionnaire is created using the taxonomy and knowledge of best practices. The responses to the questions reveal risks.
- Checking for common risks: Several sectors have lists of known risks. The applicability of each risk on the list to a particular circumstance can be checked.

7. Risk assessment procedures
1. Risk assessment in practice: A risk assessment is a thorough investigation of what can endanger employees at work, carried out in order to assess any safety safeguards already in place and determine whether additional preventive measures are necessary. Performing a risk assessment is a proactive activity in which:
   - Hazards are identified.
   - The risks associated with each hazard are evaluated.
   - Appropriate methods to eliminate or control the hazard are evaluated.
2. Definitions: Anything that has the potential to cause harm is considered a hazard, including chemicals, working from ladders, electricity, loud noises, and moving pieces of machinery. The risk is determined by the likelihood that the hazard will materialize together with its consequences, that is, the seriousness of the possible harm involved.

Step 1: Identify hazards, anything that may cause harm
Employers are required to evaluate the hazards to their employees' health and safety. Your employer is required to routinely look for potential biological, chemical, physical, and mental hazards. This is one common classification of hazards:
- Physical: Postures, stumbles and falls, noise, dust, machinery, electronic devices, etc.
- Mental: Working with clients that have high needs, working long hours, being bullied, etc. These are sometimes known as "psychosocial" hazards, since they affect mental health and arise in working relationships.
- Chemical: Aerosols, cleaning products, asbestos, etc.
- Biological: Covering the infectious diseases that affect healthcare professionals and home care staff, such as tuberculosis and hepatitis.

Step 2: Decide who may be harmed, and how
Starting with the full- and part-time employees of your organization, determine who is at risk. Employers are also required to evaluate the dangers that agency and contract workers, guests, clients, and other members of the public may encounter while on their property. Employers must evaluate daily schedules in all the many places and circumstances where their employees are engaged.
For instance: The personal safety of their clients in the house must be taken into consideration by home care supervisors, who must also make sure that their own home care personnel has safe working and lifting conditions. The repetitious duties at the checkout, lifting heavy objects, and slips and trips due to spills and barriers in the store and storage areas are all risks in a supermarket. Customers and trespassers pose a threat to the staff, particularly in the evenings. Each employee's workstation equipment in call centers, such as the desk, screen, keyboard, and chair, must be customized. Employers have particular responsibilities for the health and safety of young workers, those with disabilities, people working nights or shifts, and women who are pregnant or nursing. Step 3: Assess the risks and take action. This means that employers must take into account the likelihood that any hazard may result in damage. Depending on this, your company may or may not decide to lower the amount of risk. Some risk typically persists even after all safety measures have been taken. Employers must determine if the risk is still high, medium, or low for each danger that exists. Step 4: Make a record of the findings. The principal conclusions of the risk assessment must be documented in writing by employers with five or more employees. This record is to detail any risks identified during the risk assessment as well as any steps done to lessen or eliminate risk. This documentation serves as evidence that the evaluation was completed and serves as the foundation for a subsequent review of working procedures. The risk analysis is a work-in-progress. It ought to be readable for you. It shouldn't be kept hidden in a cabinet. Step 5: Review the risk assessment. Keeping an eye on a risk assessment is necessary to: 15 Downloaded by Linh H? 
• Make sure that the established safe working procedures are followed (e.g., that supervisors and line managers adhere to management's safety directives).
• Take account of any new procedures, tools, or challenging work goals.

Figure 4: Risk assessment steps

P6. Explain data protection processes and regulations as applicable to an organisation.

The process of preventing critical information from being corrupted, compromised, or lost is known as data protection.

1. Data protection

Data protection is the process of defending sensitive information against loss, tampering, or corruption. As data is created and stored at previously unheard-of rates, the significance of data protection grows. Additionally, there is limited tolerance for downtime that can prevent access to crucial information. As a result, a key component of a data protection plan is making sure that data can be swiftly restored after any loss or damage. Other essential elements of data protection include safeguarding data privacy and preventing data breaches.

2. Data protection

You must specify precisely the data your company needs to secure before investing in data security. Businesses frequently only partially or incorrectly understand what data has to be safeguarded.

2.1 Assessment of network security risks

Once your organization has identified all the data it needs to protect, you must examine the threats that your corporate data may face:

- In case of a network security problem.
- In case of natural disasters such as fires, earthquakes, etc.

You must implement security measures for your organization's network system after performing risk identification for the data that must be protected.
This will enable you to precisely identify the security dangers that the organizational network as a whole, and the organization's data security in particular, are currently facing. From there, deploy security solutions that fit the organization's models, finances, and requirements, or protect the system by deploying patching methods.

2.2 Raise awareness about data security for employees

- The human element is one of the biggest potential threats to business data security. Therefore, one of the best and most successful ways to secure data in your business is to establish measures to educate agency personnel and create awareness about data security.
- Businesses must regularly plan initiatives to raise awareness and train employees on network security and data security. This is the most effective way to reduce company data breaches and avoid spending money on outside security services. At the same time, enterprises need to have documents on data security policies and work procedures, since they use data in their operations, in order to implement management standards and guarantee safety.

2.3 Data security management

There are always security dangers to company data. Because of this, implementing security measures as a one-off quick fix is not viable; instead, it must be done often and continuously. Each company should, if at all feasible, have a dedicated leader or employee who is knowledgeable about corporate data security and confidentiality and who is in charge of overseeing the application of data security procedures and controls. This will assist in lowering the network security dangers to companies and commercial data.

2.4 Troubleshooting and problem management

Figure 5: Illustration

In order to lessen the harm that network security incidents cause to the business, documentation of the process for responding to security incidents affecting the network and corporate data is crucial.
As an alternative, you can consider engaging specialized network security assessment and troubleshooting units. When incidents happen, these units will be in charge of advising on the response procedure and organizing troubleshooting. This will assist your organization in limiting damage.

2.5 Configure the system securely

All internal components (including software and hardware) are set up to comply with security policy requirements and to take appropriate steps to protect your company's data.

2.6 Ensure the network is divided into separate areas

Separate network regions will aid in isolating and minimizing the harm brought on by network security concerns such as enterprise data leakage and malicious code infection. The DMZ also aids in regulating access between various network regions by employing additional firewalls between untrusted external network areas (internet zones) and intranet zones. To make sure that access policies between network areas are always followed, conduct frequent intrusion testing assessments.

2.7 Secure enterprise data by monitoring network security

To regulate and identify network data abnormalities early and maximize detection and prevention, technologies to monitor network traffic both inside and outside the network are necessary. For early attack blocking, IDS (intrusion detection system), IPS (intrusion prevention system), and SIEM (security information and event management, a network security surveillance system) are the solutions frequently employed by enterprises nowadays.

2.8 Access control

Figure 6: Control of access

For a corporate network, decentralization and access control measures are essential. These policies make effective access control possible both inside and outside the system. To accomplish this, you must grant users only the permissions required for them to perform their duties.
Privileged accounts must be carefully limited to primary systems, database administration functions, or critical systems. User activity must be carefully monitored and logged, especially when it involves sensitive data or a user's account. Remember to protect your data by creating strong passwords at the same time. Other crucial physical security features include security guards, magnetic card systems, turnstiles, sirens, and access control to corporate buildings and private workplaces.

Figure: Access control for corporate data management

2.9 Increased malware protection

Enterprises should also implement measures to reduce the danger of malicious code and safeguard data from it. There are numerous ways to reduce the risk of malware infection at various levels, including user-specific anti-malware solutions, centralized anti-malware solutions, and anti-malware solutions at gateways. However, which option is workable for your company depends on its size and financial standing.

2.10 Update patches regularly

No system can be said to be always secure, because new attack techniques are constantly being developed. In order to protect corporate data and reduce the risk of assaults on enterprise systems, it is essential to apply operating system and software patches. Businesses must synchronize the deployment of numerous security solutions and the blending of various security policies in order to guarantee the maximum level of system security.

2.11 Perform encryption

Finally, before transferring data, encrypt it. This task is essential to help ensure the security of corporate data. Encrypting the data helps you prevent sensitive information from falling into the hands of an attacker in the event of data loss (due to a network security attack or the data being compromised on the transmission line). Additionally, you must safeguard your data with robust encryption (preferably using asymmetric ciphers).
Weak schemes such as Base64 encoding offer no real protection and are simple for attackers to reverse.

3. The importance of data protection regulations

The value of data is always increasing. Furthermore, the abilities and prospects for obtaining various forms of personal data are developing quite quickly. Personal data processing that is unauthorized, negligent, or ignorant can be very harmful to both individuals and businesses. A data protection plan must be implemented by any organization that wishes to function efficiently and guarantee the security of its information.

Cyberattacks and data breaches can result in severe losses. Organizations must update their security protocols on a regular basis and take proactive steps to protect their data. Businesses should take extra precautions to protect their data because losses and breaches can result in large financial losses. A company's reputation may suffer if it fails to safeguard its confidential data and permits data breaches. An organization may experience a decline in income from unhappy customers as a result of this damaged reputation. Additionally, organizations that violate security standards may be subject to fines, which could put an undue financial burden on small businesses.

The goal of protecting personal data is to safeguard not just the data of the individual concerned but also their fundamental rights and liberties as they relate to that data. It is feasible to preserve personal information without compromising people's rights and freedoms. A person may be passed over for a job opportunity or, even worse, lose their current employment as a result of improper handling of personal data.

P7. Design and implement a security policy for an organisation

1. Security policy

An organization's IT resources and assets are subject to a set of rules and regulations known as the IT security policy.
An organization's IT assets and resources must be accessed and used in accordance with the policies laid out in its information technology (IT) security policy. An effective IT security policy models the organization's culture, reflecting its employees' attitudes toward their information and work, and serves as the foundation for regulations and procedures. Since each organization's people have different opinions on risk tolerance, on how they view and value their information, and on the consequent availability they maintain for that information, each organization's successful IT security policy is a unique document. Because a boilerplate IT security policy disregards how the organization's employees really utilize and exchange information among themselves and with the public, many firms will find such a policy ineffective.

The goal of an IT security policy is the preservation of the confidentiality, integrity, and availability of the systems and data accessed by organization members. These three ideas make up the CIA triad:

• Confidentiality involves the safeguarding of resources from unauthorized parties.
• Integrity guarantees that the alteration of assets is carried out in a predetermined and approved manner.
• The system is in an "availability" condition when authorized users can access the resources continuously.

The IT security policy is a dynamic document that is frequently revised to reflect changing business and IT needs. Standards and best practices for developing security policy have been issued by organizations like the International Organization for Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST). The National Research Council (NRC) has stated that any firm's policy should include the following information:

1. Objectives
2. Scope
3. Specific goals
4. Responsibilities for compliance and actions to be taken in the event of noncompliance.
Every IT security policy must also include sections addressing compliance with the laws governing the organization's sector. The Basel Accords, the PCI Data Security Standard, and the Dodd-Frank Wall Street Reform Act in the United States are all common examples. Other examples from around the world include the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority. A written IT security policy is required by many of these regulatory bodies.

The security policy of an organization will greatly influence its choices and course, but it shouldn't change its strategy or mission. To promote continued productivity and creativity, it is crucial to develop a policy that is informed by the organization's current structural and cultural context rather than writing a generic policy that prevents the business and its employees from achieving their objectives.

2. Example of policy

The example data security policy is a workstation whole disk encryption policy. For companies wishing to develop or update their full disk encryption control policy, this example policy is meant to serve as a reference. This policy should be modified, especially to meet usability standards or to comply with any laws or data protection obligations.

History of this policy

Full disk encryption is currently a crucial technique for enhancing privacy and is required by several regulatory rules.

2.1 Purpose

<Company X> must protect restricted, confidential, or sensitive material against loss in order to preserve its reputation and prevent harm to its clients. This policy supports a collection of international regulations (<complete as suitable>) that call for the protection of a wide range of data by limiting access to data stored on those particular devices.
Full disk encryption is necessary to protect against exposure in the event of asset loss, as stated by several compliance standards and industry best practices. This policy specifies the processes and requirements for full disk encryption protection as a control.

2.2 Scope

1. All desktop and laptop workstations of <Company X> (depending on the type of data you hold and your physical security, some organizations limit this to laptops only).
2. All virtual computers owned by <Company X>.
3. Exemptions: Where a business unit needs to be excused from this policy (because it would be too expensive, too complex, or would negatively affect other business requirements), a risk assessment must be carried out with security management's approval. See the Risk Assessment procedure (reference your own risk assessment process).

2.3 Policy

1. Full disk encryption will be enabled on all of the devices in scope.
2. Users shall be required, by the Acceptable Use Policy (AUP) and security awareness training, to report suspected violations of this policy in accordance with the AUP.
3. Users must be required to report any lost or stolen devices in accordance with the AUP and security awareness training.
4. Compliance with the encryption policy must be verified and managed. To enable audit records to prove compliance as needed, machines must report to the central management infrastructure.
5. The device user must give IT a copy of the active encryption key in cases where central management is not possible and standalone encryption is configured (only after being approved by a risk assessment).
6. Is permitted to look into any encrypted device for maintenance, investigation, or in the absence of the worker with primary file system access, in order to spot unauthorized system access or other harmful activity.
9. In the event of a failure, forgotten credentials, or other business-blocking needs, the help desk will be allowed to issue an out-of-band challenge/response to grant access to a system.
This challenge/response will only be sent if the user's identity can be determined using the challenge and response attributes listed in the password policy.
10. (You can remove this if it's not a need for your firm; certain enterprises may have a requirement to apply a tiered approach to data security, which may involve a group of users who have particularly sensitive data and need extra security.) The limited data policy will let you identify a set of VIP users or users of sensitive data. For key modifications or challenge responses, users in this group will need authorisation from a member of (such as Senior Management or IT). The help desk won't be allowed uninvited access to those systems. These systems have a need for separation of duties and are recognized as having access to extremely sensitive, limited-use data. A system/user will be obliged to employ two-factor authentication in line with the stated standard where indicated by the authentication and limited data policy. The authentication will occur in the pre-boot environment.
11. Configuration modifications must go via the change control procedure, which must be completed as necessary, identifying risks and significant implementation changes to security management.

2.4 Technical guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

1. <Complete as appropriate> is the standard product.
2. Strong cryptographic standards defined by industry best practice must be employed. AES-256 is an approved implementation.
3. The BIOS will be configured with a secure password (as defined by the password policy) that is stored by IT. The boot order will be fixed to the encrypted HDD. If an override is required by a user for maintenance or emergency use, the help desk can authenticate the user and then provide the BIOS password.
The objective is to prevent an attacker from cold-booting the machine and attacking the system.
4. Synchronization with Windows credentials will be configured so that the pre-boot environment is matched to the user's credentials and only one logon is required.
5. A pre-boot environment will be used for authentication. Credentials will be used to authenticate the user in compliance with the <complete as appropriate> password security policy. (Some enterprises have a requirement to use two-factor authentication, and this should be reflected here as required.)

2.5 Reporting requirements

1. A monthly report showing the ratio of assets in scope to encrypted systems.
2. A monthly report that lists the managed, encrypted systems' compliance status.
3. A weekly report that counts lost items and certifies that misplaced devices have been properly handled.

3. The musts and shoulds that apply when creating policy

3.1 Ensure that there is a policy on policies

Even when it comes to the creation of policies, it's crucial to work inside a previously established and widely accepted framework. A crucial initial step in maturing policies is the creation of a straightforward policy on policies that outlines the organization's procedure for developing new policies. This "meta policy" ought to provide instructions on when a new policy is necessary, the structure in which new policies should be written, and the procedures that must be adhered to for a new policy to be authorized. Without a method and structure for creating policies, you run the risk of major inconsistencies in the results and in the formulation, which can result in subpar or challenging enforcement.

3.2 Identify any overlap with existing policies

This is an easy one. Before you establish a new policy, check whether the policy you're trying to create already exists or whether any of its components are already in other policies.
If so, think about updating current policies rather than coming up with a completely new one.

3.3 Don't develop the policy in a vacuum

I've observed people working at their desks and coming up with whole independent policies that they felt were important. This has mostly occurred in organizations without any form of structure for policy governance. The majority of the time, the policies were biased against the organization and omitted important components. However, as one might anticipate, the policies were beneficial to the individual who created them. I think that those who will be impacted by policies should be involved in their development. To reduce the possibility of unexpected consequences, it's critical that all stakeholders are heard, even though the final policy may not ultimately reflect all viewpoints. Additionally, policies must be comprehensive, and different viewpoints can fill in any gaps that may be present.

3.4 Step back and consider the need

Do you make policies because they are necessary or because someone did something you didn't like? There is a considerable difference and, again, I have seen policies put into place out of malice and as punishment. It goes without saying that such behavior would not occur in a rational company. But it also won't occur in a tight policy-on-policies environment, as the policy will often go through several approval stages before being approved, and somewhere along the line, someone will take a step back and ask, "Why do we need this?" Policies should be implemented when there is a clear need and a clear issue to be resolved.

3.5 Use the right words so there is no misunderstanding of intent

To be effective, policies must be understood. This is aided by the use of precise and unambiguous language. Make sure your terminology is clear and basic so that everyone can understand it.
In the body of the policy, use the words "must" or "will" instead of "should." The latter suggests that the action is voluntary, casting doubt on the necessity of the policy. Use the word "should" only when something is recommended, not when it is required.

Never use a person's name; always use an office, department, unit, or job title. Examples: "Contact the assistant to the CFO to..."; "The office of the CIO is responsible for..." Email addresses used for correspondence should always be generic department addresses or links to websites with additional contact details. To avoid the need for policy revisions when personnel changes take place, refrain from using personal email addresses.

Subheadings and words that need to be stressed in a sentence shouldn't be underlined. If a word or subheading needs to be stressed, use bold or italics instead. When the policy is published online, underlined terms could be interpreted as links.

3.6 When possible, include an exceptions process

Every rule has an exception, at least most of the time. It is much simpler to outline an exceptions process in advance, before the policy is put into effect. Think twice before declaring "I will never allow exceptions." There will be a circumstance at some point that calls for an exception. It's crucial that exceptions are also granted in a fair and equitable manner, because policies are implemented to manage conduct and are intended to level the playing field. The validity of the entire policy may be questioned if you abuse the exceptions process.

3.7 Allow some shades of gray

You've established an exceptions procedure that is unquestionable and produced a policy that is impenetrable in every way. Although it's a worthy objective, not every policy will be able to achieve it. Since policies are meant to produce egalitarian conditions, this is the argument that might face the most opposition.
However, I think that some policies should give room for interpretation so that people can decide for themselves. It seems that there are just too many situations where people are permitted to use the justifications "that's policy" or "zero tolerance" to avoid acting morally. This is not to say that the policy should simply enable people to do as they choose.

3.8 Define policy maintenance responsibility

To ensure that they remain applicable, most policies need to be reviewed on a regular basis. In addition, someone needs to be prepared to provide clarification as queries regarding the policy are raised. Make sure to always name the office, not a specific person, as being in charge of the policy. Since people come and go, you cannot name them.

3.9 Keep senior executives out of the routine when possible

Earlier, I emphasized the necessity of devising a policy exceptions procedure. When I worked for one company, the CEO was inherently responsible for it. That, in my opinion, was a waste of his time. Someone within the company should be given the authority to manage exceptions through the implementation of an exceptions process. Except as required by law or regulation, the designated person need not be a vice president or the company's chief executive officer. Additionally, don't count on senior executives to create every policy. However, it should be the leadership team's obligation to review new policies before they are implemented.

3.10 Establish a policy library with versioning

These days, you can keep versions of documents using a variety of platforms, including SharePoint. Every employee should always have access to all pertinent policies. How can you expect employees to adhere to policies if they cannot access them? When it comes to versioning, it's beneficial to view the history of policies to understand what has changed over time as they alter.

4. The elements of a security policy

4.1 Introduction

Like all organizations, small firms increasingly rely on networks and computer systems to conduct business. For many small firms, email is becoming a vital tool for communication. Websites are crucial sales generators for companies with eCommerce sites and crucial marketing platforms. As our reliance on computer systems grows, so does the need to secure them, much as door locks and safes secure physical structures, valuables, and trade secrets of enterprises.

The Honeynet Project has investigated the security ramifications of connecting a computer to the Internet using a basic broadband connection, similar to those used by many small businesses. Without security measures, the Windows and Linux computers deployed were frequently scanned, attacked, and compromised within a week. Additionally, the project observed a 100% rise in scans from May 2000 to February 2001, demonstrating the growing threat to security. These results point to a major threat to information security posed by connections to the Internet, even if the conclusions are overly pessimistic by an order of magnitude.

Except for companies that provide computer consulting and security services, not many small businesses have an innate or special interest in network or other types of security. Resources are used up in the pursuit of security and related activities. These resources would otherwise serve the business's objectives or represent the earnings the enterprise hopes to make. The majority of information security is intangible, with even the most obvious components being less obvious than a door lock or a safe. Greg Bassett outlines a strategy for persuading management of the need for computer security in a paper he wrote for GIAC certification. This essay discusses the factors that should be taken into account when creating a security policy, which serves as the cornerstone of information security.
4.2 Security Policy Document

A security policy document serves a number of purposes. As its name implies, it documents security policies. But it does more than merely record them: it offers a structure within which policies can be created, altered, and evaluated. The context connecting the policies to the business should also be included in a security policy document. Outlines for security policy documents can be found in Internet Security Systems, Walker and Cavanaugh, and numerous other books and online resources. They provide writing tips for introductions as well as for specific security policies. The precise subject matter and focus that each guideline recommends varies. Every security policy document should have a thorough introduction in addition to the specific security policies.

4.3 Introductory Elements

An introduction to a security policy document places the policies in the context of the enterprise they are meant to safeguard. The introduction should be customized to the company's needs, but it should at the very least cover the following topics: the document's purpose, its scope, and its policies; specific organizational responsibilities; general and detailed organizational security policy objectives; and a threat and risk assessment.

4.4 Purpose

The extent to which a company deals with sensitive data, as well as the methods used to manage systems and networks (whether by in-house staff members with specialized knowledge, staff members who take on additional responsibilities, or outside contractors), can all have an impact on the purpose of a security policy document.

4.5 Scope

The scope description should define precisely what is protected by the policies and should clarify what is not. In particular, a small business must determine whether the security policies include acceptable use and disaster recovery strategies. Numerous sources advise that they should.
Small enterprises might not require these. A small group of employees may decide what is acceptable use by voting as a group. The redundancy needed for a comprehensive disaster recovery or business continuity plan may be too expensive for some small organizations. These policies, along with others, may serve as additional documentation, as the Joint Information Systems Committee in the UK advises.

4.6 Responsibilities

Every organization needs to think about and allocate roles for security. Within an organization, responsibilities may be delegated to specific people or job roles.

4.7 Objectives

The triad of confidentiality, integrity, and availability of information resources is frequently used to describe the overarching goal of security and security policy. The European ITSEC security criteria from 1991 contain this concept, although its core ideas date back far further. The objectives of a security strategy for a particular firm should be stated as the confidentiality, integrity, and availability of particular resources that are crucial to the business.

4.8 Threat and Risk Assessment

One of the most crucial parts of the security policy document is the threat and risk assessment. The threat assessment determines what the policies are meant to defend against. Some threats are commonplace, such as the danger of Internet attacks that the Honeynet Project research reveals. Small organizations may be less concerned about other types of threats, such as those coming from within. The risk assessment enables management to prioritize the security concerns, enabling a small organization to make the most of its scarce security resources. It offers a foundation for auditing the document. All policies should take into account the threats listed in this section. If policies are created that fail to address any listed threat, further threat assessment is required. Conversely, some threats may not justify policies if their risks are minimal.
The risk assessment is highly tailored to the company and its particular circumstances.

4.9 Policy Attributes

Each policy should specify a set of attributes that are universal. The firm should establish what characteristics each policy should have, and it should develop a template for security policies that outlines these characteristics. The sections that follow go over attributes that are frequently used. The details of these attributes may be altered to suit the preferences of the company, but the security policy document must contain the information they carry.

4.10 Identification

Each security policy should have a unique identity. The security policy document, additional external documents, and audit tools like coverage matrices all need to make it simple to refer to policies. Policy IDs can be textual, numeric, or alphanumeric. A written name and a distinct number are frequently used in documents to distinguish each policy.

4.11 Policy Statement

The policy statement describes the policy. It must be unambiguous, succinct, and clear. While expressing management's intention, the statement shouldn't be overly vague.

4.12 Elaboration

In the policy statement, the policy is described. It needs to be clear, concise, and without ambiguity. The statement shouldn't be excessively ambiguous, even though it expresses management's purpose.

4.13 Threat addressed

At least one threat found in the threat and risk assessment should be mapped to each policy. Many policies deal with many threats; however, if a policy cannot be linked to at least one known threat, it should either be dropped or the threats should be reevaluated.

4.14 Exceptions

Like many business policies, security policies are not necessarily absolute. The policy should identify any foreseeable exceptions. The circumstances of exceptions should be clearly defined, as should the limits.
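The coverage matrix mentioned under Identification, together with the rule in Threat addressed (every policy maps to at least one assessed threat) and the rule in Threat and Risk Assessment (unaddressed threats need more assessment unless their risk is minimal), can be checked mechanically. The following is an added example, not part of the assignment or of any cited source; the policy and threat identifiers, ratings and the likelihood-times-impact scale are constructed for illustration.

```python
"""Coverage-matrix audit of a security policy document (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One entry from the threat and risk assessment (constructed scale)."""
    id: str
    description: str
    likelihood: int  # 1 = rare .. 3 = likely (assumed scale)
    impact: int      # 1 = minor .. 3 = severe (assumed scale)

    @property
    def rating(self) -> str:
        """Qualitative risk rating from likelihood x impact."""
        score = self.likelihood * self.impact
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


@dataclass(frozen=True)
class Policy:
    """The universal attributes from section 4.9 that this check needs."""
    id: str                   # 4.10 Identification
    name: str
    statement: str            # 4.11 Policy statement
    threats_addressed: tuple  # 4.13 Threat addressed (threat ids)
    exceptions: tuple = ()    # 4.14 Exceptions


def coverage_matrix(policies, threats):
    """Map every assessed threat id to the ids of the policies covering it."""
    matrix = {t.id: [] for t in threats}
    for p in policies:
        for tid in p.threats_addressed:
            if tid in matrix:
                matrix[tid].append(p.id)
    return matrix


def audit(policies, threats):
    """Return sorted (finding_type, subject) tuples.

    unjustified_policy      : policy linked to no known threat (4.13)
    unknown_threat_reference: policy cites a threat id not in the assessment
    uncovered_threat        : rated threat with no policy; low-rated threats
                              are tolerated, as 4.8 allows
    """
    known = {t.id for t in threats}
    matrix = coverage_matrix(policies, threats)
    findings = []
    for p in policies:
        linked = [t for t in p.threats_addressed if t in known]
        if not linked:
            findings.append(("unjustified_policy", p.id))
        for t in p.threats_addressed:
            if t not in known:
                findings.append(("unknown_threat_reference", f"{p.id}->{t}"))
    for t in threats:
        if not matrix[t.id] and t.rating != "low":
            findings.append(("uncovered_threat", t.id))
    return sorted(findings)


# Constructed sample data for a small business (hypothetical ids and values).
SAMPLE_THREATS = (
    Threat("T1", "Internet scanning and remote compromise of exposed hosts", 3, 3),
    Threat("T2", "Loss or theft of a laptop holding client data", 2, 3),
    Threat("T3", "Misuse of access by an insider", 1, 3),
    Threat("T4", "Printout left on a shared printer", 1, 1),
)

SAMPLE_POLICIES = (
    Policy("NET-01", "Perimeter firewall",
           "All Internet connections must pass through a managed firewall.",
           ("T1",)),
    Policy("HOST-02", "Laptop full disk encryption",
           "All laptops in scope must use full disk encryption.",
           ("T2",), exceptions=("Exemption only via approved risk assessment",)),
    # Cites a threat id that the assessment never defined: flagged twice.
    Policy("USR-03", "Acceptable use",
           "Users must follow the acceptable use policy.",
           ("T9",)),
)


def run_sample():
    """Audit the constructed document; T3 (medium) has no policy, T4 (low) is tolerated."""
    return audit(SAMPLE_POLICIES, SAMPLE_THREATS)


if __name__ == "__main__":
    for tid, pids in coverage_matrix(SAMPLE_POLICIES, SAMPLE_THREATS).items():
        print(f"{tid}: {pids or '-'}")
    for kind, subject in run_sample():
        print(f"{kind}: {subject}")
```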
4.15 Violations
Every company should think about what to do when security policies are broken. The policy framework should provide a method for recording the responses to violations. Although disciplinary policies belong in a personnel manual rather than in the security policy document, the severity of the punishment for breaking a particular security policy should be considered, and guidelines for handling violations should be recorded alongside the policies.

4.16 References
Some policies can stand on their own. Others are only meaningful when they replace, expand upon, or harmonize with other policies, and the framework ought to offer a uniform method of recording these connections.

4.17 History
Policies evolve over time, so the policy framework must track the changes made to each policy. For audits, the modification history of policies is crucial.

4.18 Areas of Coverage
The topics covered in a security policy document should line up with the threats listed in the threat and risk assessment. Individual policies, however, are considerably more tightly defined, and a single threat can justify a number of different policies. There are many guides to what topics business security policies should include: the SANS Top Twenty Internet security vulnerabilities and the National Infrastructure Protection Center's tips both highlight topics that should be considered when drafting any security policy document. Although each security policy document will be unique, the areas listed in the following sections are likely to be covered in most of them.

4.19 Physical Security Policies
Physical security policies cover physical access to server rooms, computers, and other resources that could be taken over.
These policies can also cover administrator password escrow notebooks and the protection of media such as backup tapes, emergency recovery diskettes, and printouts. In organizations that handle extremely sensitive documents, the policies might require that printouts, CDs, and diskettes be handled carefully and disposed of securely.

4.20 Network Security Policies
Network security policies are frequently the most numerous and significant, since networks that are not effectively secured are exposed to both internal and external threats. Firewalls, virtual private networks, wireless access, modem usage, installation of devices on the network, and everything else related to network connections are covered by network security policies. These policies might also cover network logging, intrusion detection, and monitoring.

4.21 Host Security Policies
Network security policies may include rules governing how particular hosts or computer systems should be configured, although these rules are usually distinct enough to merit their own category. Host policies can specify how servers should be set up, how workstations should be standardized, what software is acceptable and what is required (such as anti-virus software), and what data can be stored on which kinds of host. Since the unauthorized takeover of a host is a common security risk, host policies may address both intrusion detection, which can identify when a host has been compromised, and backup policies, which help recover from a compromise. Host security policies may span a wide spectrum, from what data may be carried on laptops while travelling to how high-risk servers exposed on the Internet are run.

4.22 User Security Policies
User security policies may cover both what is expected of users in terms of conduct that improves security and how users themselves are treated.
User behaviour, such as choosing strong passwords and preventing their unintentional disclosure, can significantly affect the effectiveness of security policies. User security policies should also cover users' access to systems and documents, and how users are categorized for security purposes.

4.23 Document Security Policies
For any business that handles sensitive information, document classification will often be referenced by other security policies. Policies for document management might also be required, and document security policies might include rules on encryption.

4.24 Documentation Policies
Although proper process and network documentation considerably improves the ability to implement policy, to audit for security, and to keep policy implementation effective when personnel change, documentation is not always recognized as a key component of security policy.

4.25 Incident Handling Policies
Documentation of processes and the network also significantly improves the ability to implement policy, audit for security, and keep the implementation effective when personnel change; nonetheless, documentation is not always acknowledged as a key component of security policy.

4.26 Audit Policies
Audit policies specify the frequency and rigour of the various types of security audit. Security is an ongoing process: threats, countermeasures, the network, and the company all evolve over time, and regular reassessment is required to adjust to these changes. The security policy document itself must be evaluated periodically, and the systems and practices put in place to implement the policies should be audited to make sure they provide the intended security. Audit policies should also specify who will conduct the various audits, whether internal or external auditors.
4.27 Conclusion
Security practices and procedures are built on top of the security policy document. It must be a living document that evolves over time as threats and business activity develop. A solid documentary foundation and usable security policy templates make it easier to create an extensive, practical security policy document and give you the flexibility and control you need to make changes that actually work. To match the demands of the company and the security resources available against the threats, small businesses must have the flexibility to create and adjust security policies.

5. The steps to design a policy
There are 10 steps to designing a successful security policy.

1st step: Identify your risks
What risks could arise from inappropriate use? Do you hold information that should be kept confidential? Do you send or receive a lot of huge attachments and files? Are there any potentially objectionable attachments circulating? Perhaps there is no problem; alternatively, it may be costing you hundreds of dollars each month in lost productivity or staff computer downtime. A useful way to categorize your risks is through tracking or reporting tools. Many providers of firewalls and Internet security systems offer evaluation periods for their products; if these products have reporting features, using the evaluation period to identify the risks may be helpful. But if you pursue this, it is critical to let your staff know that you will be recording their behaviour for risk assessment purposes: many employees will view it as an invasion of privacy if it is done without their permission.

2nd step: Learn from others
There are many types of security policy, so it is worth checking what other businesses like yours are doing.
You can spend several hours searching online, or you can buy a book such as Information Security Policies Made Simple by Charles Cresson Wood, which has more than 1,200 policies ready to be customized. Speak with the salespeople from several security software companies as well; they are always happy to give specifics.

3rd step: Make sure the policy conforms to legal requirements
Depending on your data holdings, jurisdiction, and location, and especially if your organization stores personal information, you might be required to meet a set of minimum requirements to safeguard the privacy and integrity of your data. Having a workable security policy in place and documented is one way to reduce the many risks you can face in the event of a security incident.

4th step: Level of security = level of risk
Avoid being overzealous: too much protection can be just as harmful as too little. With a responsible, mature workforce, you may find that you have no concerns about acceptable use beyond keeping the bad guys out. In those circumstances, the most important thing is a codified code of conduct. Make sure you do not overprotect yourself, because protection can become a barrier to efficient business operations.

5th step: Include staff in policy development
Nobody likes a plan dictated from above. Include employees in the process of defining acceptable use, and keep them informed as rules are created and enforcement tools are deployed. If people understand the need for a responsible security policy, they will be much more inclined to comply.

6th step: Train your employees
Staff training is typically disregarded or undervalued as part of the AUP implementation process, but it is unquestionably among the most beneficial phases.
As well as educating employees and helping them understand the policy, training forces you to consider the policy's likely practical effects. In a training session, end users frequently ask questions or offer examples, which can be highly rewarding: you can use these questions to describe the policy in more detail and refine it to make it more useful.

7th step: Get it in writing
Ensure that each team member has read, signed, and understood the policy. All new hires should sign the policy when they join, and everyone should be required to review it and reaffirm their understanding of it at least once a year. In large organizations, use digital tools to distribute the document and track signatures. Some tools also include frameworks for quizzing users to gauge their understanding of the policies.

8th step: Set clear penalties and enforce them
Network security is a serious matter. Your security policy is a condition of employment, not a list of optional rules. Have a detailed set of rules in place that spell out the consequences of breaking the security policy, then enforce them. A security policy that is enforced carelessly is just as harmful as having no policy at all.

9th step: Update your staff
A security policy is a complex document because the network itself is always evolving. People come and go, databases are created and destroyed, and the threats keep increasing. Updating security procedures is challenging enough, but informing employees of any changes that affect their daily work is far harder. Transparent communication is the key to success.

10th step: Install the tools you need
Having a plan is one thing; putting it into action is quite another.
No matter how complicated your policy is, security tools for Internet and email content with customizable rule sets will guarantee that it is followed. Buying tools to carry out your security strategy is possibly one of the most economical expenditures you will ever make.

6. Steps in policy development

1. Identify and define the problem or issue that necessitates the development of a policy. The organization must also be aware of the goals of its policies and recognize that they can be created or changed to address a problem or issue efficiently.

2. Appoint a person or persons to coordinate the policy development process. Developing a policy could take several months, and the process needs to be "driven" by someone, or even by a committee.

3. Establish the policy development process. Research, consultation, and policy writing tasks are required. The coordinator should create a schedule of the tasks to be completed, by whom, and when.

4. Conduct research:
• Read policy documents created by other organisations on the same topic
• Research legislation on the Internet
• Hold a meeting with staff and other people with experience
• Survey participants, or a particular group of participants such as coaches
• Read minutes of management committee meetings (if allowed)
• Read other documents such as annual reports or event reports
• Read industry magazines and journals
• Seek legal advice

5. Prepare a discussion paper. The discussion paper's objectives are to describe the nature of the problem or issue, to summarize the facts obtained through research, and to offer a range of policy options. The discussion paper will be a crucial instrument in the consultation process.

6. Consultation - Stage 1. One of the first steps in the consultation process is to distribute the discussion paper to all stakeholders (interested parties).
It may also be necessary to call stakeholders to remind them to read the discussion paper. Then it is critical to get as much input as you can from all relevant parties, which can be done through workshops, public meetings, your website, and one-on-one conversations. Several months may be needed to make sure that this round of consultation is thorough.

7. Prepare a draft policy. Once the consultation process has had enough time to complete, the next stage is to create a draft policy.

8. Consultation - Stage 2. Once complete, the draft policy should be sent to key stakeholders, published on the organization's website and in its newsletter, and discussed at further meetings and forums. Before the policy is finalized, it is vital to enlist stakeholders' help to polish the language, define key terms, and make the required changes.

9. Adoption. Once the process coordinator is reasonably satisfied that all questions and concerns have been raised and addressed, it is time to finalize the policy. The organization's management (management committee) must formally endorse the final policy document, and a suitable entry must be made in the minutes.

10. Communication. After formal adoption, the policy should be widely disseminated among all stakeholders in the organization. Training sessions may need to be held to make sure that staff are fully informed and capable of implementing the policy; a poorly explained policy could fail.

11. Review and evaluate. The policy's application must be monitored. The policy might still need adjustment, and the reasons for it being in place might also change. It is standard practice to set a date for the policy's review; this may be once a year or every three years, depending on the type of policy.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion

1. Business continuity
Business continuity is the capacity of an organization to keep its operations and fundamental business functions from being negatively affected by a disaster or unanticipated incident that takes critical systems offline. Business continuity planning is the interdepartmental process of putting into action the strategies needed to resume regular business operations within a predetermined time, to define the level of data loss that the company considers acceptable, and to communicate crucial information to stakeholders both during and after incidents. This process is frequently led by information technology. For all but the largest firms, implementing redundant IT infrastructure and backup plans used to be prohibitively expensive; however, affordable on-demand cloud technologies are now making effective business continuity strategies accessible to millions of businesses. Cloud data backups, cloud-based disaster recovery as a service (DRaaS) for infrastructure failures, and managed security services that defend against more sophisticated cyberattacks are common technology services created for business continuity.

2. The components of a recovery plan

- Communication plan and role assignments. In the event of a disaster, communication is crucial. A plan is necessary because it unifies the team and ensures that all communications are spelled out in detail. Employee contact information should be current in all documents, and everyone should be clear on their responsibilities in the days following a crisis. If you do not have access to some form of technical resource to help you through everything, you will need assignments for tasks such as setting up workstations, assessing damage, redirecting phones, and other activities.

- Plan for your equipment.
When a severe storm is on the horizon, it is critical to have a strategy in place to safeguard your equipment. To ensure that no water can reach the equipment, move all equipment off the floor and into a room without windows, and wrap everything securely in plastic. Although it is essential to seal equipment completely to protect it from flooding, this is not always possible during extremely heavy flooding.

- Data continuity system. When you develop your disaster recovery plan, you should investigate precisely what your company needs in order to function. You must fully understand the operational, financial, supply, and communication requirements of your company. Whether you are a small business-to-business organization with a handful of employees or a large consumer business that needs to fulfil shipments and communicate with customers about them, document your needs so that you can plan for backup and business continuity with a complete understanding of the requirements and logistics involved.

- Backup check. A comprehensive local backup of all servers and data should also be performed as part of your disaster recovery plan. Make sure your backups are actually running. Be careful to run them as far in advance as you can and to back up to a location that will not be affected by the disaster. It is also a good idea to store that backup on an external hard drive that you can take with you when you leave the office, just in case.

- Detailed asset inventory. Your disaster readiness plan should include a thorough inventory of the workstations and their components, servers, printers, scanners, phones, tablets, and other technology that you and your staff use regularly.
Giving your adjuster a straightforward list (with images) of your inventory lets you refer to it quickly when filing insurance claims in the wake of a significant disaster.

- Pictures of the office and equipment (before and after preparation). In addition to the photos of individual inventory items, take photos of the office and your equipment to demonstrate that they were in use by your employees and that you took the necessary precautions to move the equipment out of harm's way in preparation for the storm.

- Vendor communication and service restoration plan. Once a storm has passed, you should get up and running as soon as you can, so make certain that your plan includes vendor communication. Check with your local power provider to determine the risk of power surges or outages while damage in the area is being repaired, and ask your phone and Internet service providers about access and restoration.

These factors are a good starting point for a comprehensive disaster recovery plan, but be sure to pay close attention to the specifics of each element. Along with the less tangible details of how you will communicate with vendors, account for your assets, and get back up and running as quickly as possible, the practicalities of testing backups and taking as many backups as you can before the storm are also crucial. If you feel overwhelmed by all of these details, you can enlist a third party to help you create a disaster plan so that you are ready for any storms that may affect you during hurricane season.

3. Steps to Building a Disaster Recovery Plan

3.1 Conduct an asset inventory
An inventory of all your IT assets should always be the first step in any disaster recovery strategy; it is how you sort through the complexity of your environment.
First, list all the resources that fall under IT administration, including all servers, storage devices, software, data, network switches, access points, and network appliances. Next, draw a map showing the physical location of each asset, the network it is on, and any dependencies.

Figure 7: Conduct an asset inventory

3.2 Perform a risk assessment
Once you have mapped all your IT resources, networks, and dependencies, list all the internal and external threats to each resource. Consider every possibility and be thorough: the threats may be anything from typical IT failures to natural disasters. Include the likelihood that each event will occur as well as its expected effects if it does. How would each of the possible outcomes affect business continuity? This is also a good opportunity to ask your colleagues for help. Just remember to stress how much more regularly mundane events occur than natural disasters: talk less about storms and earthquakes and more about how likely it is that the site will suffer a power outage or an IT hardware failure.

Figure 8: Perform a risk assessment

3.3 Define criticality of applications and data
Before constructing your IT disaster recovery plan, you must categorize your data and applications by criticality. To start, ask your colleagues and the support team how crucial each application and data set is. Look for commonalities and arrange them into groups based on how important they are to business continuity, how often they change, and your retention policy. You should not use a separate approach for every single application or data set you have; dividing your data into classes with comparable traits allows a simpler recovery technique. Classifying data in a vacuum, based on assumptions, could end up costing you.
Make sure you include support personnel and business management in this planning process. To reduce the number of data classes, you will certainly have to make some trade-offs; the recommended number of classes for medium-sized businesses is between three and five.

Figure 9: Define criticality of applications and data

3.4 Define recovery objectives
Different systems will have different recovery objectives. For instance, a crucial e-commerce database may have very aggressive recovery objectives, since the company simply cannot afford to lose any transactions or be down for an extended period. A legacy internal system, on the other hand, may have less strict recovery objectives and be less crucial to recover, since its data does not change very frequently and it is less critical to bring back online. Many IT professionals fail at this stage: the number one source of misalignment is setting recovery objectives without consulting the business line managers. You must include them in this process if you want to make sure that the company can recover from a disaster effectively. Here is a sample list of questions you can ask your business colleagues:
• What software and information does your department use?
• How much downtime can you tolerate for each?
• How much data loss are you willing to accept for each?
• Are there times when customers, partners, or workers do not use these applications?
• If data was more than 90 days old, would you ever need to restore it? Six months old? One year old?
• Are there any requirements, internal or external (i.e. industry or regulatory), to keep the data for a specific period?
• Do any internal or external (i.e. industry or governmental) constraints prevent us from transferring the data to another location?
Understanding business requirements and offering differentiated levels of service availability based on priority is crucial here. With that knowledge at your disposal, you must translate it into recovery objectives for your disaster plan.

RTO: Recovery Time Objective
What is the maximum amount of time that any of your production or data systems can be down? That is your recovery time objective. When determining the RTO, consider how much money your company would lose if an application was down for a given period. How much, for instance, would you lose if your client portal was unavailable for an hour, or for a day? How much would it cost if your staff could not work because email was down? Calculating your RTO determines the characteristics your data protection systems and products must have. If your RTO is very low (just a few minutes), you must employ host-based replication or a disk-based backup with continuous data protection capabilities. If your RTO is large, say more than four hours, you will likely have time to restore from tape.

RPO: Recovery Point Objective
What is the maximum quantity of data your organization can tolerate losing? That is your recovery point objective (RPO). If your company has a high tolerance for data loss, its RPO might range from hours to days; if it cannot afford to lose any data at all, or only very little, the RPO will be seconds. The RPO you choose determines the minimum frequency for backing up your data. If you can only afford to lose an hour's worth of data, it should be backed up at least once an hour: that way, if an outage starts at, say, 2:30 p.m., you can restore the 2:00 p.m. backup and still satisfy the RPO.
3.5 Determine the right tools and techniques
Once you have identified all of your IT assets, defined their relationships, and classified them according to criticality and recovery objectives, it is time to decide which tools and procedures to employ. The good news is that there are many options on the market right now. Just be certain that whatever you purchase delivers the proper level of protection. Over-protection adds complexity and costs the business money, and complexity is the enemy of productivity and makes human error more likely. Under-protection can be just as harmful, because it could endanger the continuity of your firm. For low-impact data, typical (file-based) nightly backups are more than adequate, but they would not be ideal for high-impact data and applications. High-impact data and systems benefit greatly from a continuous data protection (CDP) solution, although production server and storage costs may increase as a result.

Offsite protection is arguably the most important part of your backup and disaster recovery plan, and it should be used regardless of the backup technique you pick. The technique (whether cloud replication or a tape vaulting service) should be appropriate for your recovery objectives. Make sure the place to which your data is transported is sufficiently remote that it does not lie in the same area of geographic risk; this is typically at least 25 miles from the main location. Automate and streamline the recovery procedure as much as you can: key IT personnel might be unavailable in a disaster, and automation also reduces the possibility of human error.

3.6 Get stakeholder buy-in
Include key stakeholders from all of your business divisions outside the data centre (i.e. application owners and business managers). They must take part in the planning process, and they should agree with you on the organization's priorities and the service level agreements (SLAs) that your team will deliver.
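Steps 3.3 to 3.5 can be worked through end to end. The following Python is an added example, not part of this assignment or of any vendor's tooling: it groups applications into a small number of criticality classes, derives the minimum backup frequency from each class's RPO, chooses a protection technique from the RTO using the thresholds given above (a few minutes: replication or CDP; more than four hours: tape), and replays the 2:30 p.m. outage scenario from 3.4 against a backup log. The class definitions, application names, tolerances and timestamps are all constructed.

```python
"""Recovery objectives worked through (steps 3.3 to 3.5).

Added example for this assignment, not the document's own material.
It groups applications into criticality classes (3.3), derives the
minimum backup frequency from each class's RPO (3.4), picks the
protection technique from the RTO using the thresholds the text gives
(3.5), and replays the 2:30 p.m. outage scenario from 3.4 against a
constructed backup log.
"""
from datetime import datetime, timedelta

# Constructed classes, kept within the three-to-five range recommended in 3.3.
# Listed from least to most demanding so classify() can pick the cheapest fit.
CLASSES = [
    ("low",    timedelta(hours=24),  timedelta(days=1)),      # (name, RTO, RPO)
    ("medium", timedelta(hours=2),   timedelta(hours=1)),
    ("high",   timedelta(minutes=5), timedelta(seconds=30)),
]


def classify(max_downtime, max_data_loss):
    """Return the least demanding class whose RTO and RPO both satisfy what
    the business owner said they can tolerate (the 3.4 questionnaire)."""
    for name, rto, rpo in CLASSES:
        if rto <= max_downtime and rpo <= max_data_loss:
            return name
    raise ValueError("no class is strict enough; tighten the class definitions")


def technique_for(rto):
    """Map an RTO to the protection technique the text associates with it."""
    if rto <= timedelta(minutes=15):
        return "host-based replication or disk backup with CDP"
    if rto > timedelta(hours=4):
        return "tape backup"
    return "disk-based backup"


def backup_schedule(rpo, start, end):
    """Backups must run at least once per RPO; generate that schedule."""
    times, t = [], start
    while t <= end:
        times.append(t)
        t += rpo
    return times


def data_loss_window(backup_times, outage_at):
    """Age of the newest backup taken before the outage: the data that is lost."""
    before = [t for t in backup_times if t <= outage_at]
    return outage_at - max(before) if before else None


def rpo_met(backup_times, outage_at, rpo):
    """True when restoring the newest pre-outage backup stays within the RPO."""
    loss = data_loss_window(backup_times, outage_at)
    return loss is not None and loss <= rpo


def recovery_plan(apps):
    """One row per application: class, objectives and technique."""
    rows = []
    for app in apps:
        name = classify(app["max_downtime"], app["max_data_loss"])
        rto, rpo = next((r, p) for n, r, p in CLASSES if n == name)
        rows.append({"app": app["name"], "class": name, "rto": rto, "rpo": rpo,
                     "technique": technique_for(rto)})
    return rows


# Constructed answers to the 3.4 questions from three business owners.
SAMPLE_APPS = [
    {"name": "e-commerce database", "max_downtime": timedelta(minutes=10),
     "max_data_loss": timedelta(minutes=1)},
    {"name": "client portal", "max_downtime": timedelta(hours=4),
     "max_data_loss": timedelta(hours=1)},
    {"name": "legacy reporting system", "max_downtime": timedelta(days=3),
     "max_data_loss": timedelta(days=7)},
]

# The 3.4 scenario: hourly backups, outage at 2:30 p.m., restore the 2:00 p.m. copy.
DAY = datetime(2024, 6, 1)
HOURLY_LOG = backup_schedule(timedelta(hours=1), DAY, DAY + timedelta(hours=23))
OUTAGE = DAY + timedelta(hours=14, minutes=30)

if __name__ == "__main__":
    for row in recovery_plan(SAMPLE_APPS):
        print(row)
    print("loss window:", data_loss_window(HOURLY_LOG, OUTAGE),
          "meets 1h RPO:", rpo_met(HOURLY_LOG, OUTAGE, timedelta(hours=1)),
          "meets 30s RPO:", rpo_met(HOURLY_LOG, OUTAGE, timedelta(seconds=30)))
```

The hourly log satisfies the medium class (30 minutes of loss against a one-hour RPO) but not the high class, which is why the text pairs a seconds-level RPO with replication or CDP rather than scheduled backups.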
To ensure you are getting the most out of your DR solution and services, talk to your key partners and vendors. The IT staff at Orleans Parish in New Orleans had not been in close communication with the parish's cloud backup / DRaaS supplier when two servers failed, resulting in the loss of crucial conveyance and mortgage records dating back to the 1980s. In another case, the vendor in charge of DreamHost's data centre was informed of the issue by the web hosting provider only once there was an outage. Avoid that, and maintain regular communication with any vendor you hire. After consulting with all of the key parties, find an executive-level sponsor who will support you and the project. It is impossible to overstate how crucial executive support, collaboration, and consensus are to the success of your disaster plan.

3.7 Document and communicate your plan
You need a written plan for how to resume operations in the event of a crisis, and it is important to write this document with its intended audience in mind. Share your plan: all too frequently, only one person in the organization truly has the full picture, leaving the company exposed if that person is not available during a disaster. Also make sure your DR plan remains accessible during a disaster rather than sitting on a public share or in your Exchange files; ideally it should be printed and kept in several places.

3.8 Test and practice your DR plan
The common adage is that "practice makes perfect"; "practice makes progress" might be more appropriate. No organization's disaster plan is ever perfect, but with practice you can identify and fix issues with your plan and execute it more quickly and correctly. Make sure that everyone who has a part to play attends the practice sessions, even if you hold them on particular days of the week such as Saturdays.
You do not need to practise carrying out the entire disaster recovery plan every time; feel free to test specific portions of your plan.

Figure 10: Test and practice your DR plan

3.9 Evaluate and update your plan
A DR plan ought to be an ongoing project. Given the shifting sands of an ever-changing business climate, it is especially crucial to reassess your plan routinely. Data loss and downtime may no longer be tolerated as much as before. Key individuals may leave or be let go. IT may adopt new hardware or operating systems. The business might buy another business. Your planning must reflect the organization's current situation.

4. The policies and procedures that are required for business continuity

Figure 11: Life cycle

This policy establishes a uniform procedure for creating, testing, and maintaining VCU's initial response, business continuity, and business recovery plans. The policy covers the following business continuity plan (BCP) lifecycle elements:

1. Risk Assessment. During the risk assessment step, each university department will identify, assess, and rank the various hazards based on their probability of occurrence and the level of disruption they would cause to the department's operations, and consider how each hazard may affect property, business, and people working in the department and any clients they serve, as well as the university at large. Hazards will be reviewed by the Director of Emergency Preparedness, who will provide context through definitions, recent events, and various threat scenarios. This will result in a range of outcomes that may require a significant business impact analysis (BIA) and recovery strategies to be developed and supported with resources.
University departments will analyze the risk assessment data and rank the mission essential functions (MEFs) in priority order by importance.

2. Understanding the Organization: Business Impact Analysis (BIA). The term "BIA" refers to the procedure of identifying, analyzing, and evaluating the potential repercussions of a disruption or cessation of the business's crucial operations, functions, and processes as a result of an emergency, tragedy, or accident. It is a methodical approach to anticipating the probable and likely effects of these disruptions, typically from the standpoint of the worst-case scenario. The BIA is seen as the focal point of disaster recovery planning, notably for the reduction of risks in the event of operational delays or disruptions brought on by catastrophes and similar incidents.

a/ The MEFs and key resources for each department must be identified. The department would be significantly impacted if one or more of its essential services, programs, or activities ceased operations for an extended period of time. MEFs will act as a manual for how to resume operations after a catastrophe or significant disruption. A highly complicated department or unit should generally have more than the standard four to six fundamental functions.

b/ The administration of university MEFs is the responsibility of each department, which must be as detailed as possible in defining the needs and determining the interdependencies of each function. Think about how the function might need to be changed or modified if one of the major risks included in the risk assessment caused a large interruption.

c/ Each department is required to carry out a BIA for each MEF in order to evaluate and record any potential negative effects of a disaster or significant disruption on the function.
Each mission-critical function has a BIA done to help assess and document potential negative effects of a disaster or significant disruption on the function. By considering dependencies, peak times, negative effects, and financial risks, completing a BIA also aids in establishing recovery priorities and recovery time objectives (RTOs).

d/ Each department must take into account the human and technological resources needed to keep operations at their best.

e/ Each department is responsible for establishing and finalizing RTOs, the amount of time required to recover a process or function and resume regular, or nearly normal, business activities.

3. Determining the BCP Recovery Strategies. The RTOs established during the business impact analysis prioritize the recovery strategies, which are alternative ways to return business operations to a minimally acceptable level following a business disruption. Recovery strategies need a range of resources, including personnel, infrastructure, tools, supplies, and IT. Each department must analyze the resources needed to carry out recovery measures in order to find any gaps. Each department must:

a/ Create risk treatment plans across all business areas after performing risk identification. Determine internal sources of interdependencies, such as shared resources, telecommunications/IT links, and line-of-business dependencies.

b/ Document the strategies and practices used to maintain, resume, and recover important business operations and processes.

c/ Describe the immediate actions that must be performed during an event to reduce the harm from a disruption and the processes required to recover.

4. Develop and Implement the BCP. To create and maintain university business continuity plans, VEOCI, a crisis management software solution, will be employed. This will guarantee the preparedness of mission-critical functions across the university.
After the planning (BIA and risk assessment) and meetings are finished, the responsible department designee will enter each Business Continuity Plan (BCP) into VEOCI. For access to VEOCI, get in touch with the VCU director of emergency preparedness; training is offered. Each department must:

a/ Describe the steps involved in triggering the BCP as well as the kinds of circumstances that might result in the official announcement of a disruption.

b/ Establish the BCP's structure, including its executive summary, objectives and scope, summary of results, and recovery activities.

5. Exercising, Maintaining and Reviewing. After the BCP is finished, the director of emergency preparedness will conduct training and testing to make sure every member of the department is familiar with it. The director of emergency preparedness will establish a continuity planning group made up of individuals who would be involved before, during, and after a disaster or significant disruption. After training and/or actual events, each department will modify the BCP as necessary.

a/ Timely Review and Maintenance: Each department's plan owner is accountable for annually reviewing all BCPs and associated documentation. Reviewing is done to make sure the plan is still relevant and current and to keep everything in a state of preparedness. The VCU director of emergency preparedness will be in charge of monitoring the maintenance schedule.

b/ Training and Exercises: The director of emergency preparedness will organize annual testing for all departments. Testing techniques range from the simplest (no-notice drills) to the most sophisticated (full-scale exercises). Each has distinct traits, goals, and advantages. The size, complexity, and nature of the organization's operation should all be taken into consideration when choosing the testing strategy.
Testing techniques include tabletop exercises, functional exercises, and full-scale exercises, in that sequence of increasing complexity.