Uploaded by Ho Nhat Linh (FGW DN)

asm2-1623-unit-5-security

lOMoARcPSD| 24865561
ASM2-1623 - Unit 5: Security
Unit 5: Security (Trường Đại học FPT)
Studocu is not sponsored or endorsed by any college or university
Downloaded by Linh H? (honhatlinh310803@gmail.com)
ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Phan Nguyen Dinh Trong
Student ID
GCD201526
Class
GCD0905
Assessor name
Tran Trong Minh
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Trong
Grading grid
P5
P6
P7
P8
M3
M4
M5
D2
D3
❒ Summative Feedback:
Grade:
❒ Resubmission Feedback:
Assessor Signature:
Date:
Lecturer Signature:
Table of Contents
P5. Discuss risk assessment procedures.......................................................................................................... 7
1. Risk ......................................................................................................................................................... 7
1.1 The negative school: risk as misfortune, loss, danger ...................................................... 7
1.2 The neutral school............................................................................................................................. 7
2. Risk assessment ...................................................................................................................... 7
3. Asset........................................................................................................................................................ 8
4. Vulnerability ......................................................................................................................................... 10
5. Threat .................................................................................................................................................... 11
6. Risk Identification Procedures .............................................................................................................. 12
7. Risk assessment procedures .................................................................................................. 14
P6. Explain data protection processes and regulations as applicable to an organisation. ............................. 16
1. Data protection...................................................................................................................................... 17
2. Data protection processes...................................................................................................... 17
2.1 Assessment of network security risks ............................................................................................. 17
2.2 Raise awareness about data security for employees ....................................................................... 17
2.3 Data security management .............................................................................................................. 18
2.4 Troubleshooting and problem management .................................................................................... 18
2.5 Configure the system securely ........................................................................................................ 19
2.6 Ensure the network is divided into separate areas .......................................................................... 19
2.7 Secure DN data by monitoring network security............................................................................ 19
2.8 Access control ................................................................................................................................. 19
2.9 Increased malware protection ......................................................................................................... 20
2.10 Update patches regularly .............................................................................................................. 20
2.11 Perform encryption ....................................................................................................................... 20
3. The importance of data protection regulations ...................................................................... 20
P7. Design and implement a security policy for an organisation.................................................................. 21
1. Security policy ....................................................................................................................................... 21
2. Example of policy .................................................................................................................................. 22
2.1 Purpose ........................................................................................................................................... 23
2.2 Scope............................................................................................................................................... 23
2.3 Policy .............................................................................................................................................. 23
2.4 Technical guidelines........................................................................................................................ 24
2.5 Reporting requirements................................................................................................................... 24
3. The musts and shoulds when creating a policy ..................................................................... 25
3.1 Ensure that there is a policy on policies ......................................................................................... 25
3.2 Identify any overlap with existing policies ..................................................................................... 25
3.3 Don't develop the policy in a vacuum............................................................................................. 25
3.4 Step back and consider the need ..................................................................................................... 25
3.5 Use the right words so there is no misunderstanding intent ........................................................... 26
3.6 When possible, include an exceptions process ............................................................................... 26
3.7 Allow some shades of gray ............................................................................................................. 26
3.8 Define policy maintenance responsibility ....................................................................................... 27
3.9 Keep senior executives out of the routine when possible ............................................................... 27
3.10 Establish a policy library with versioning .................................................................................... 27
4. The element of security policy .............................................................................................................. 27
4.1 Introduction ..................................................................................................................................... 27
4.2 Security Policy Document .............................................................................................................. 28
4.3 Introductory Elements .................................................................................................................... 28
4.4 Purpose ........................................................................................................................................... 28
4.5 Scope............................................................................................................................................... 29
4.6 Responsibilities ............................................................................................................................... 29
4.7 Objectives ....................................................................................................................................... 29
4.8 Threat and Risk Assessment ........................................................................................................... 29
4.9 Policy Attributes ............................................................................................................................. 29
4.10 Identification ................................................................................................................................. 30
4.11 Policy Statement ........................................................................................................................... 30
4.12 Elaboration .................................................................................................................................... 30
4.13 Threat addressed ........................................................................................................................... 30
4.14 Exceptions..................................................................................................................................... 30
4.15 Violations ...................................................................................................................................... 30
4.16 References..................................................................................................................................... 31
4.17 History .......................................................................................................................................... 31
4.18 Areas of Coverage......................................................................................................................... 31
4.19 Physical Security Policies ............................................................................................................. 31
4.20 Network Security Policies ............................................................................................................ 31
4.21 Host Security Policies ................................................................................................................... 31
4.22 User Security Policies ................................................................................................................... 32
4.23 Document Security Policies .......................................................................................................... 32
4.24 Documentation Policies ................................................................................................................ 32
4.25 Incident Handling Policies ............................................................................................................ 32
4.26 Audit Policies ................................................................................................................................ 32
4.27 Conclusion .................................................................................................................................... 33
5. The steps to design a policy .................................................................................................................. 33
6. Step in policy development................................................................................................................... 35
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for
inclusion ........................................................................................................................................................ 37
1. Business continuity ................................................................................................................................ 37
2. The components of recovery plan ......................................................................................................... 37
3. Steps to Building a Disaster Recovery Plan ......................................................................................... 39
3.1 Conduct an asset inventory ............................................................................................................. 39
3.2 Perform a risk assessment ............................................................................................................... 39
3.3 Define criticality of applications and data ...................................................................................... 40
3.4 Define recovery objectives ............................................................................................................. 40
3.5 Determine the right tools and techniques........................................................................................ 42
3.6 Get stakeholder buy-in.................................................................................................................... 42
3.7 Document and communicate your plan .......................................................................................... 43
3.8 Test and practice your DR plan ....................................................................................................... 43
3.9 Evaluate and update your plan ........................................................................................................ 43
4. The policies and procedures that are required for business continuity ................................................. 44
References ..................................................................................................................................................... 47
Figure 1 Risk................................................................................................................................................... 7
Figure 2 Vulnerability ................................................................................................................................... 11
Figure 3 Type of Threats ............................................................................................................................... 12
Figure 4 Risk assessment steps ..................................................................................................................... 16
Figure 5 illustration ...................................................................................................................................... 18
Figure 6 Control of access ............................................................................................................................ 19
Figure 7 conduct an asset inventory ............................................................................................................. 37
Figure 8 Perform a risk assessment .............................................................................................................. 38
Figure 9 Define criticality of applications and data ...................................................................................... 38
Figure 10 Test and practice your DR plan .................................................................................................... 41
Figure 11 life cycle ....................................................................................................................................... 42
P5. Discuss risk assessment procedures
1. Risk
1.1 The negative school: risk as misfortune, loss, danger
- Risk is something unhealthy, bad, and unexpected.
- Risk is misfortune.
- Risk is the possibility of being in danger or suffering harm.
- Risks are unforeseen uncertainties that arise in a company's business and production processes and have a negative impact on the company's ability to survive and grow.
In short, conventional wisdom defines risk as "damage, loss, danger, or factors linked with danger, difficulty, or uncertainty that can happen to a person."
Figure 1 Risk
1.2 The neutral school
- Risk is uncertainty that can be quantified and is linked to the possible occurrence of unanticipated events.
- Neither the present value of the risk nor its outcome is certain.
2. Risk assessment
Risk assessment is the process or procedure in which you:
- Identify hazards and risk factors that have the potential to cause harm (hazard identification).
- Analyse and evaluate the risk associated with that hazard (risk analysis and risk evaluation).
- Determine appropriate ways to eliminate the hazard or, if that is not possible, to control the risk (risk control).
A risk assessment is a thorough examination of your workplace to identify the things, situations, processes, etc. that may cause harm, particularly to people. Once they are identified, you evaluate how likely and how severe the risk is. You can then decide what measures should be in place to effectively eliminate or control the harm.
The following terms are used in the CSA Standard Z1002 "Occupational health and safety - Hazard identification and elimination and risk assessment and control":
Risk assessment: the overall process of hazard identification, risk analysis, and risk evaluation.
Risk analysis: a process for comprehending the nature of hazards and determining the level of risk.
Risk evaluation: the process of comparing an estimated risk against given risk criteria to determine the significance of the risk.
Risk control: actions implementing risk evaluation decisions.
3. Asset
An asset is a resource with economic value that an individual, corporation, or country owns or controls with the expectation that it will provide a future benefit. Assets are bought or created to increase a firm's value or benefit its operations, and they are recorded on the company's balance sheet. Whether it is manufacturing equipment or a patent, an asset can be thought of as anything that, in the future, can generate cash flow, reduce expenses, or improve sales.
- An asset is a resource with economic value that an individual, organization, or country owns or controls with the expectation that it will provide a future benefit.
- Assets are reported on a company's balance sheet and are bought or created to increase the firm's value or benefit its operations.
- An asset can be anything that, in the future, can improve sales, reduce costs, or generate cash flow, whether it is a patent or manufacturing equipment.
Understanding Assets:
An asset represents a financial resource for a business or access that other people or companies do not
have. A right or other access is legally enforceable, so it can be used however the corporation sees fit and
its usage can be restricted or prohibited by the owner.
A corporation must have a right to an asset as of the date of the financial statements in order for it to be
present. A scarce resource with the capacity to increase financial inflows or decrease cash outflows is
considered an economic resource.
Short-term (or current) assets, fixed assets, financial investments, and intangible assets are some basic
categories for assets.
Personal Assets:
Personal assets are items with current or future value owned by an individual or household. Personal assets commonly include:
- Cash and cash equivalents: certificates of deposit, checking and savings accounts, money market accounts, physical cash, and Treasury notes.
- Real estate, including any building permanently attached to it.
- Personal property: boats, collectibles, furniture, jewelry, and vehicles.
- Investments: equities, bonds, mutual funds, annuities, pensions, and the cash value of life insurance policies.
Your net worth is calculated by subtracting your liabilities from your assets. In essence, your assets are everything you own and your liabilities are everything you owe. A positive net worth means your assets are worth more than your liabilities; a negative net worth means your liabilities exceed your assets (in other words, you are in debt).
Business Assets:
Assets are valuable items for businesses that support production and expansion. Assets for a firm might
include tangibles like machinery, real estate, raw materials, and inventory as well as intangibles like
royalties, patents, and other forms of intellectual property.
The balance sheet lists a company's assets and shows how they are financed, whether through debt or by issuing stock. A company's balance sheet gives a snapshot of how effectively its management is using its resources. The two categories of assets that typically appear on a balance sheet are:
Current Assets:
Assets that can be turned into cash within one fiscal year or one operating cycle are referred to as current
assets. Expenses and investments related to daily operations are made possible by current assets.
Examples of current assets include:
Cash and cash equivalents: Cash, certificates of deposit, and Treasury bills.
Marketable securities: debt-related securities or liquid equity.
Accounts receivables: Customer debt that needs to be settled soon.
Inventory: raw materials or finished goods held for sale.
Fixed Assets:
Fixed assets, also called non-current assets, are assets that a business uses to produce goods and services and that have a longer useful life. Fixed assets appear on the balance sheet as property, plant, and equipment (PP&E). Fixed assets are long-term investments that are categorized as tangible (i.e., touchable) assets because they have physical form.
Examples of fixed assets include:
- Vehicles (such as company trucks)
- Office furniture
- Machinery
- Buildings
- Land
One of the key differences between current assets and fixed assets is that non-current assets (such as fixed assets) cannot easily be converted into cash to meet immediate operating expenses or investments. Current assets, by contrast, are expected to be liquidated within one fiscal year or one operating cycle.
4. Vulnerability
A vulnerability is a gap or a weak point in the application—it could be an implementation error or a design
flaw—that allows an attacker to harm the application's stakeholders. The owner of the application,
application users, and other organizations that rely on the application are stakeholders.
Figure 2 Vulnerability
5. Threat
Definition: a potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.
Cyber threats and vulnerabilities are sometimes confused with one another. The key word in the definition is "potential": a threat is not an actual security flaw in an organization or an implementation, it is anything that could compromise security. Contrast this with a vulnerability, which is an actual weakness that can be exploited against the system. The threat exists regardless of any precautions taken; what precautions change is the likelihood that it will materialize.
Types of threats
According to the NIST definition above, a threat may be an event or a state of affairs. Natural disasters, fires, and power outages are all events in this sense, so the concept is quite broad. In cybersecurity, threats such as viruses, Trojan horses, and denial-of-service attacks are discussed more often.
Phishing emails are a social engineering threat that can lead to the loss of sensitive data such as passwords, credit card numbers, and other personal information. Threats to information assets can result in loss of confidentiality, integrity, or availability, the three properties known as the CIA triad.
The STRIDE threat model builds on the CIA triad and three further well-known security properties: authentication, non-repudiation, and authorization. Its six categories, each named for the property it violates, are spoofing (authentication), tampering (integrity), repudiation (non-repudiation), information disclosure (confidentiality), denial of service (availability), and elevation of privilege (authorization). It is convenient to start from an established classification when listing potential threats. The best-known classification is STRIDE, proposed at Microsoft in 1999; because the name is made up of the first letters of the categories, they are also easier to remember.
Figure 3 Type of Threats
Examples of threats
Keep in mind that a threat is fairly general: it does not specify how it would be carried out, or even whether it is feasible given the current state of the system. Here are a few illustrations:
+ A malicious user reads the files of other users.
+ An attacker redirects requests made to a web server to his own web server.
+ An attacker modifies the database.
+ A remote attacker runs commands on the server.
Each of these examples maps directly to a STRIDE category: reading other users' files is information disclosure, redirecting requests to an attacker's server is spoofing, modifying the database is tampering, and running commands remotely is elevation of privilege. Other examples would be malware, trojans, and worms.
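Listing threats from an established classification, as the text recommends, is usually done with the STRIDE-per-element chart: for each element type of a data-flow diagram (external entity, process, data flow, data store) only some of the six categories apply. The script below is an added example, not code from the assignment; the chart is the commonly used one, while the three-tier web application it runs over, and the rule that flows crossing a trust boundary are looked at first, are assumptions made for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not part of the assignment. It applies the STRIDE-per-element
chart (which of the six categories are relevant to each DFD element type) to
a constructed three-tier web application and returns the raw threat list that
a threat-modelling session would then refine. The sample DFD and the priority
rule are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, NamedTuple

# Category letter -> (threat name, security property it violates)
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element chart: categories that apply to each element type.
# Repudiation is kept for a data store only when it holds logs or audit
# records, because that is where an attacker would tamper to deny an action.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external_entity | process | data_flow | data_store
    holds_logs: bool = False        # only meaningful for data stores
    crosses_boundary: bool = False  # only meaningful for data flows


class Threat(NamedTuple):
    element: str
    category: str       # one STRIDE letter
    name: str
    violates: str       # security property
    priority: int       # 1 = look at first


def applicable(element: Element) -> str:
    """Return the STRIDE letters relevant to one DFD element."""
    letters = APPLICABLE[element.kind]
    if element.kind == "data_store" and not element.holds_logs:
        letters = letters.replace("R", "")
    return letters


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Produce one candidate threat per (element, applicable category).

    Flows that cross a trust boundary get priority 1 because that is where an
    attacker first touches the system; everything else gets priority 2.
    """
    threats = []
    for el in dfd:
        prio = 1 if (el.kind == "data_flow" and el.crosses_boundary) else 2
        for letter in applicable(el):
            name, prop = STRIDE[letter]
            threats.append(Threat(el.name, letter, name, prop, prio))
    return sorted(threats, key=lambda t: (t.priority, t.element, t.category))


def sample_dfd() -> List[Element]:
    """Constructed sample: browser -> web server -> database, plus an audit log."""
    return [
        Element("browser", "external_entity"),
        Element("web server", "process"),
        Element("orders db", "data_store"),
        Element("audit log", "data_store", holds_logs=True),
        Element("browser->web server (HTTPS)", "data_flow", crosses_boundary=True),
        Element("web server->orders db (SQL)", "data_flow"),
    ]


if __name__ == "__main__":
    for t in enumerate_threats(sample_dfd()):
        print(f"P{t.priority} {t.element:30} {t.category}: {t.name} ({t.violates})")
```

The four threats listed above each appear in this output: the "malicious user reads other users' files" threat is the I entry on the orders db, the redirected web server is the S entry on the browser-to-web-server flow's endpoint, the database modification is the T entry on the orders db, and remote command execution is the E entry on the web server process. The list is deliberately over-complete; deciding which entries are feasible for the real system is the next step of the assessment.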
6. Risk Identification Procedures
Risk identification procedures include:
1. The Risk Integrated Product Team (IPT) identifies a list of potential risk items. There are a variety of methods for identifying risks. Risks can be identified from:
- Lessons learned
- Subject matter experts (SMEs)
- Prior experience
- Technology Readiness Level (TRL) determination
- Programmatic constraints
- Brainstorming
- Work Breakdown Structure (WBS)
2. Risks are rated as acceptable or unacceptable. Not every risk factor listed in step 1 is carried forward.
3. Risks accepted for tracking are documented and added to a Risk Register.
4. Define the causes of each identified risk.
5. Risk analysis is performed on each identified risk in order to refine the risk description, identify the root causes, determine the consequences, and help prioritize risk mitigation; a risk matrix (likelihood against impact) is used to report the risks.
6. Each risk is addressed in a risk mitigation plan with action items and due dates.
7. The Risk IPT holds regular meetings (every two weeks) to review the risks and, as necessary, add new risk items.
8. When all the steps necessary to close a risk have been taken, the risk is closed. Some risk items are closed quickly, others stay open for a long time. Some are listed as "watch items", whose action plan does not start until a specified undesirable event occurs.
9. Closed risks remain in the database for future lessons learned.
Common risk identification methods are:
- Objective-based risk identification: project teams and organizations both have objectives. Any event that could jeopardize achieving an objective, wholly or partially, is identified as a risk.
- Scenario-based risk identification: in scenario analysis, various scenarios are created. The scenarios may be alternative ways of achieving an objective, or an analysis of the interaction of forces in, say, a market or a conflict. Any event that triggers an undesired scenario alternative is identified as a risk.
- Taxonomy-based risk identification: the taxonomy is a breakdown of possible risk sources. A questionnaire is compiled from the taxonomy and knowledge of best practices; the answers to the questions reveal risks.
- Common-risk checking: several industries have lists of known risks. Each risk on the list can be checked for applicability to a particular situation.
7. Risk assessment procedures
1. Risk assessment in practice:
A risk assessment is a thorough examination of what could cause harm to people at work, carried out to evaluate whether the safeguards already in place are sufficient or whether additional preventive measures are needed. Performing a risk assessment is a proactive activity in which:
- hazards are identified;
- the risks associated with each hazard are evaluated;
- appropriate methods to eliminate or control each hazard are evaluated.
2. Definitions:
A hazard is anything with the potential to cause harm, including chemicals, working from ladders, electricity, loud noise, and moving parts of machinery. The risk is determined by the likelihood that the hazard will materialize together with its consequences, i.e. the severity of the possible harm.
Step 1: Identify hazards, anything that may cause harm
Employers are required to assess the hazards to their employees' health and safety. Your employer must routinely look for potential physical, mental, chemical, and biological hazards.
One common classification of hazards is:
Physical: postures, slips, trips and falls, noise, dust, machinery, electrical equipment, etc.
Mental: working with clients who have high needs, working long hours, being bullied, etc. These are sometimes known as "psychosocial" hazards since they affect mental health and arise in working relationships.
Chemical: aerosols, cleaning products, asbestos, etc.
Biological: infectious diseases such as tuberculosis and hepatitis that affect healthcare professionals and home care staff.
Step 2: Decide who may be harmed, and how
Identify who is at risk, starting with your organization's full- and part-time employees. Employers must also assess the risks to agency and contract workers, visitors, clients, and other members of the public while they are on the premises.
Employers must review work routines in all the different locations and situations where their employees are engaged. For instance:
- Home care supervisors must take into account their clients' personal safety in the home, and must also make sure their own home care staff have safe working and lifting conditions.
- In a supermarket, the risks include repetitive tasks at the checkout, lifting heavy objects, and slips and trips caused by spills and obstacles in the store and storage areas. Customers and trespassers pose a risk to staff, particularly in the evenings.
- In call centres, each employee's workstation equipment (desk, screen, keyboard, and chair) must be adjusted to the individual.
Employers have particular responsibilities for the health and safety of young workers, people with disabilities, night and shift workers, and women who are pregnant or nursing.
Step 3: Assess the risks and take action.
This means that employers must take into account the likelihood that each hazard will result in harm and
how serious that harm would be. Depending on this, your company decides whether the level of risk must
be lowered. Some risk typically persists even after all reasonable safety measures have been taken.
Employers must determine whether the remaining risk is high, medium, or low for each hazard.
Step 4: Make a record of the findings.
Employers with five or more employees must document the principal conclusions of the risk assessment in
writing. This record is to detail any risks identified during the risk assessment as well as any steps taken to
lessen or eliminate them.
This documentation serves as evidence that the evaluation was completed and as the foundation for a
subsequent review of working procedures. The risk assessment is a working document: it ought to be
readable and accessible to you, not kept hidden in a cabinet.
Step 5: Review the risk assessment.
A risk assessment must be reviewed in order to:
• Make sure that the established safe working procedures are followed (e.g., that supervisors and line
  managers adhere to management's safety directives).
• Take into account any new procedures, tools, or challenging work goals.
Figure 4 Risk assessment steps
P6. Explain data protection processes and
regulations as applicable to an organisation.
The process of preventing critical information from being corrupted, compromised, or lost is known as
data protection.
1. Data protection
Data protection is the process of defending sensitive information against loss, tampering, or corruption.
As data is created and stored at previously unheard-of rates, the significance of data protection grows.
Additionally, there is limited tolerance for downtime that can prevent access to crucial information.
As a result, a key component of a data protection plan is making sure that data can be swiftly restored after
any loss or damage. Other essential elements of data protection include safeguarding data privacy and
preventing data breach.
2. Data protection process
You must specify precisely which data your company needs to secure before investing in data security.
Businesses frequently have only a partial or incorrect understanding of what data has to be safeguarded.
2.1 Assessment of network security risks
Once you have identified the data that needs protecting, examine the threats that corporate data may face:
- Network security incidents (intrusion, malicious code, data leakage).
- Natural disasters such as fires, earthquakes, etc.
Risk identification for the data that must be protected lets you pinpoint the security dangers that the
organization's network in general, and its data in particular, is currently exposed to. Security solutions can
then be chosen to fit the organization's architecture, budget, and requirements, including patching and
hardening of the systems involved.
2.2 Raise awareness about data security for employees
- The human element is one of the biggest potential threats to business data security. Therefore, one of the
most effective ways to protect data in your business is to establish measures to educate employees and
raise their awareness of data security.
- Businesses must regularly plan initiatives to raise awareness and train employees on network and data
security; this is one of the most effective ways to reduce data breaches and avoid spending on outside
incident response services. Enterprises also need documented data security policies and work procedures,
since they use data in their daily operations, in order to implement management standards and guarantee
safety.
2.3 Data security management
There are always security dangers to company data. Because of this, a one-off implementation of security
measures is not enough; they must be applied and reviewed continuously. Each company should, if at all
feasible, have a dedicated leader or employee who is knowledgeable about corporate data security and
confidentiality and who is in charge of overseeing the application of data security procedures and controls.
This will help lower the network security risks to the company and its commercial data.
2.4 Troubleshooting and problem management
Figure 5 illustration
In order to lessen the harm that network security incidents cause to the business, a documented process for
responding to incidents affecting the network and corporate data is crucial.
As an alternative, you can engage specialized network security assessment and incident response
providers. When incidents happen, these providers advise on the response procedure and organize the
troubleshooting, which helps your organization limit the damage.
2.5 Configure the system securely
All internal components (including software and hardware) are set up to comply with security policy
requirements and to take appropriate steps to protect your company's data.
2.6 Ensure the network is divided into separate areas
Separate network zones help isolate and minimize the harm caused by network security incidents such as
enterprise data leakage and malicious code infection. A DMZ also helps regulate access between network
zones by placing additional firewalls between untrusted external areas (internet zones) and intranet zones.
To make sure that access policies between network zones are always enforced, conduct frequent
penetration tests.
2.7 Secure enterprise data by monitoring network security
To detect network data anomalies early and maximize detection and prevention, technologies that monitor
network traffic both inside the network and at its perimeter are necessary. IDS (intrusion detection
system), IPS (intrusion prevention system), and SIEM (security information and event management) are
the solutions most frequently employed by enterprises today to detect and block attacks early.
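As an added example (not part of the original assignment text, and not the product of any vendor named above), the following Go program shows the kind of detection logic an IDS or SIEM rule encodes: it parses OpenSSH "Failed password" lines, groups them by source IP, and raises an alert when one IP reaches a threshold of failures inside a sliding time window. The log lines, host name, addresses and threshold are constructed for the example; syslog timestamps carry no year, so events are assumed to fall within one year.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample auth log in classic syslog/sshd format (not real data).
const sampleAuthLog = `Jan 10 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 09:12:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 10 09:12:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 10 09:12:08 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jan 10 09:12:09 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 10 09:12:11 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Jan 10 09:15:40 web01 sshd[2290]: Failed password for alice from 198.51.100.20 port 40200 ssh2
Jan 10 09:15:52 web01 sshd[2292]: Accepted password for alice from 198.51.100.20 port 40201 ssh2
Jan 10 09:40:00 web01 sshd[2400]: Failed password for root from 203.0.113.7 port 51900 ssh2`

// Alert is raised when one source IP reaches the failure threshold inside the window.
type Alert struct {
	IP    string
	Count int
	First time.Time
	Last  time.Time
}

type failure struct {
	at   time.Time
	user string
}

// Matches OpenSSH "Failed password" lines; "invalid user" is optional.
var failedRe = regexp.MustCompile(
	`^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// parseFailure extracts source IP, user and timestamp from one failed-login line.
func parseFailure(line string) (ip string, f failure, ok bool) {
	m := failedRe.FindStringSubmatch(line)
	if m == nil {
		return "", failure{}, false
	}
	t, err := time.Parse("Jan 2 15:04:05", m[1]+" "+m[2]+" "+m[3])
	if err != nil {
		return "", failure{}, false
	}
	return m[5], failure{at: t, user: m[4]}, true
}

// DetectBruteForce groups failed logins by source IP and reports each IP whose
// failures reach `threshold` within any sliding window of length `window`.
func DetectBruteForce(logText string, threshold int, window time.Duration) []Alert {
	byIP := map[string][]failure{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		if ip, f, ok := parseFailure(sc.Text()); ok {
			byIP[ip] = append(byIP[ip], f)
		}
	}
	var alerts []Alert
	for ip, fs := range byIP {
		sort.Slice(fs, func(i, j int) bool { return fs[i].at.Before(fs[j].at) })
		start := 0
		for end := range fs {
			// Advance the window start until the oldest event is within `window` of the newest.
			for fs[end].at.Sub(fs[start].at) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{IP: ip, Count: end - start + 1, First: fs[start].at, Last: fs[end].at})
				break // one alert per IP is enough for this demonstration
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(sampleAuthLog, 5, time.Minute) {
		fmt.Printf("ALERT %s: %d failed logins between %s and %s\n",
			a.IP, a.Count, a.First.Format("15:04:05"), a.Last.Format("15:04:05"))
	}
}
```

On the sample, 203.0.113.7 produces five failures within eight seconds and is flagged; its sixth failure at 09:40 is outside the window and does not count, and alice's single typo from 198.51.100.20 never reaches the threshold. In a real deployment the threshold, window and response (block at the IPS, raise a SIEM case) are tuned per environment.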
2.8 Access control
Figure 6 Control of access
For a corporate network, authorization and access control measures are essential. These policies make
effective access control possible both inside and outside the system.
To accomplish this, grant each user only the permissions required to perform their duties. Privileged
accounts must be carefully limited to core systems, database administration functions, or critical systems.
User activity must be carefully monitored and logged, especially when it involves sensitive data or a
privileged account. At the same time, protect accounts with strong passwords.
Other crucial physical security controls include security guards, magnetic card systems, alarms, and access
control to corporate buildings and private workplaces, all of which support access control for corporate
data.
2.9 Increased malware protection
Enterprises should also implement measures to reduce the danger of harmful code and safeguard data from
it. There are numerous ways to reduce the risk of malware infection at various levels right now, including
user-specific anti-malware solutions, centralized anti-malware solutions, and anti-malware solutions at
gateways. However, your ability to find a workable option for your company depends on its size and
financial standing.
2.10 Update patches regularly
No system can be said to be permanently secure, because new attack techniques are constantly being
developed. In order to protect corporate data and reduce the risk of attacks on enterprise systems, it is
essential to apply operating system and software patches promptly. Businesses must coordinate the
deployment of their various security solutions and align their security policies in order to achieve the
highest practical level of system security.
2.11 Perform encryption
Finally, encrypt sensitive data both where it is stored and before it is transferred. This task is essential to
ensuring the security of corporate data. Encryption prevents sensitive information from being read by an
attacker in the event of data loss (due to a network attack, a lost device, or interception on the transmission
line). Use robust, authenticated encryption: a modern symmetric cipher such as AES in GCM mode for the
data itself, with asymmetric cryptography (or TLS) used to exchange or protect the symmetric keys. Base64
is an encoding, not encryption: it provides no confidentiality, since anyone can decode it without a key.
3. The importance of data protection regulations
The value of data is always increasing. Furthermore, the abilities and prospects for obtaining various
forms of personal data are developing quite quickly. Personal data processing that is unauthorized,
negligent, or ignorant can be very harmful to both individuals and businesses. A data protection plan must
be implemented by any organization that wishes to function efficiently if it is to guarantee the security of
its information. Cyberattacks and data breaches can result in severe losses. Organizations must update
their security protocols on a regular basis and take proactive steps to protect their data.
Businesses should take extra precautions to protect their data because losses and breaches can result in
large financial losses. A company's reputation may suffer if it fails to safeguard its confidential data and
permits data breaches. An organization may experience a decline in income from unhappy customers as a
result of this damaged reputation. Additionally, organizations that violate security standards may be
subject to fines, which could put an undue financial burden on small businesses.
The goal of protecting personal data is to safeguard not just the data of the individual concerned but also
their fundamental rights and liberties as they relate to that data. It is feasible to preserve personal
information without compromising people's rights and freedoms. A person may be passed over for a job
opportunity or, even worse, lose their current employment as a result of improper handling of personal
data.
P7. Design and implement a security policy for an
organisation
1. Security policy
An IT security policy is the set of rules and regulations that govern an organization's IT resources and
assets.
An organization's IT assets and resources must be accessed and used in accordance with the policies laid
out in its information technology (IT) security policy. An effective IT security policy reflects the
organization's culture, that is, its employees' attitudes toward their information and work, and serves as the
foundation for regulations and procedures. Since each organization's people differ in risk tolerance, in how
they view and value their information, and consequently in the availability they maintain for that
information, each organization's successful IT security policy is a unique document. Many firms will find a
boilerplate IT security policy ineffective because it takes no account of how the organization's employees
actually use and exchange information among themselves and with the public.
The goal of an IT security policy is the preservation of the confidentiality, integrity, and availability of the
systems and data accessed by organization members. These three concepts make up the CIA triad:
• Confidentiality is the safeguarding of resources from unauthorized parties.
• Integrity guarantees that assets are altered only in a predetermined and approved manner.
• Availability is the condition in which authorized users can access the resources continuously.
The IT security policy is a dynamic document that is frequently revised to reflect changing business and
IT needs. Standards and best practices for developing security policy have been issued by organizations
like the International Organization for Standardization (ISO) and the U.S. National Institute of Standards
and Technology (NIST). The National Research Council (NRC) has stated that any firm's policy should
include the following information:
1. Objectives
2. Scope
3. Specific goals
4. Responsibilities for compliance and actions to be taken in the event of noncompliance.
Every IT security policy must also include portions addressing the observance of laws governing the
organization's sector. The Basel Accords, the PCI Data Security Standard, and the Dodd-Frank Wall Street
Reform in the United States are all common examples of this. Other examples from around the world
include the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the
Financial Industry Regulatory Authority. A written IT security policy is required by many of these
regulatory bodies.
The security policy of an organization will influence its choices and course greatly, but it shouldn't change
its strategy or objective. To promote the continuation of strong productivity and creativity, it is crucial to
develop a policy that is informed by the organization's current structural and cultural context rather than
writing a generic policy that prevents the business and its employees from achieving their objectives.
2. Example of policy
This example is a workstation full disk encryption policy. It is meant to serve as a reference for companies
wishing to develop or update their full disk encryption control policy, and should be modified, especially
to meet usability standards or to comply with any laws or data protection obligations. Background: full
disk encryption is currently a crucial technique for protecting data on portable devices and is required by
several regulatory rules.
2.1 Purpose
<Company X> must protect restricted, confidential, or sensitive material against loss in order to preserve
its reputation and prevent harm to its clients. This policy supports a collection of regulations (such as
<complete as appropriate>) that call for the protection of a wide range of data by limiting access to data
stored on the devices in scope. Full disk encryption is necessary to prevent exposure in the event of asset
loss, as stated by several compliance standards and industry best practices. This policy specifies the
processes and requirements for full disk encryption as a control.
2.2 Scope
1. All desktop and laptop workstations from "Company X" (depending on the type of data you hold and
physical security some organizations adjust this just to cover laptops).
2. All virtual computers owned by Company X.
3. Exemptions: Where a business unit needs to be exempted from this policy (because it would be too
expensive, too complex, or would negatively affect other business requirements), a risk assessment must
be carried out and approved by security management. See the Risk Assessment procedure (reference your
own risk assessment process).
2.3 Policy
1. Full disk encryption will be enabled on all of the devices in the scope.
2. Users shall be required by the Acceptable Use Policy (AUP) and security awareness training to report
suspected violations of this policy in accordance with the AUP.
3. Users must be required to report any lost or stolen devices in accordance with the AUP and security
awareness training.
4. Compliance with the encryption policy must be verified, and it must be managed. To enable audit
records to prove compliance as needed, machines must report to the central management infrastructure.
5. The device user must give IT a copy of the active encryption key in cases where management is not
possible and a standalone encryption is configured (only after being approved by a risk assessment).
6. IT is permitted to access any encrypted device for maintenance, investigation, or in the absence of the
employee with primary file system access, in order to detect unauthorized system access or other harmful
activity.
9. In the event of a failure, forgotten credentials, or other business-blocking need, the help desk will be
allowed to issue an out-of-band challenge/response to grant access to a system. This challenge/response
will be issued only if the user's identity can be verified using the challenge and response attributes listed
in the password policy.
10. (You can remove this if it's not a need for your firm; certain enterprises may have a requirement to
apply a tiered approach to data security; this may involve a group of users who have particularly sensitive
data and need extra security.) The limited data policy will let you identify a set of VIP users or users of
sensitive data. For key modifications or challenge responses, users in this group will need authorisation
from a member of (such as Senior Management or IT). The help desk won't be allowed uninvited access to
those systems. These systems have a necessity for separation of duties and are recognized as having access
to extremely sensitive, limited use data. A system/user will be obliged to employ two factor
authentications in line with the stated standard where indicated by the authentication and limited data
policy. The authentication will occur in the pre boot environment.
11. Configuration modifications must go via the change control procedure, which must be completed as
necessary, identifying risks and significant implementation changes to security management.
2.4 Technical guidelines
Technical guidelines identify requirements for technical implementation and are typically technology
specific.
1. <Complete as appropriate> is the standard product.
2. Strong, industry best practice cryptographic standards must be employed. AES-256 is an approved
algorithm.
3. The BIOS/UEFI firmware will be configured with a secure password (as defined by the password policy)
that is stored by IT. The boot order will be fixed to the encrypted HDD. If an override is required by a user
for maintenance or emergency use, the help desk can authenticate the user and then provide the firmware
password. The objective is to prevent an attacker from booting the system from external media to bypass
the pre-boot environment. (Note that this does not by itself defeat cold boot attacks that recover keys from
RAM; shutting devices down rather than suspending them addresses that risk.)
4. Synchronization with Windows credentials will be configured so that the pre-boot environment is
matched to the user's credentials and only one logon is required.
5. A pre-boot environment will be used for authentication. Credentials will be used to authenticate the user
in compliance with the <complete as appropriate> password security policy. (Some enterprises have a
requirement to use two factor, and this should be reflected here as required.)
2.5 Reporting requirements
1. A monthly report showing the ratio of assets in scope to encrypted systems
2. A monthly report that lists the managed, encrypted systems' compliance status.
3. A weekly report that counts lost items and certifies that misplaced gadgets have been properly handled
3. Musts and shoulds when creating a policy
3.1 Ensure that there is a policy on policies
Even when it comes to the creation of policies, it's crucial to work inside a previously established and
widely accepted framework. A crucial initial step in maturing policies is the creation of a straightforward
policy on policies that outlines the organization's procedure for developing new policies. This "meta
policy" ought to provide instructions on when a new policy is necessary, the structure in which new
policies should be written, and the procedures that must be adhered to for a new policy to be authorized.
Without a method and structure for creating policies, you run the danger of having major inconsistencies
in the results and inconsistencies in the formulation, which can result in subpar or challenging
enforcement.
3.2 Identify any overlap with existing policies
This is an easy one. Check to determine whether the policy you're trying to create already exists or if any
of its components are already in other policies before you establish a new one. If so, think about updating
current policies as opposed to coming up with a completely new one.
3.3 Don't develop the policy in a vacuum
I've observed people working at their desks and coming up with whole independent policies that they felt
were important. This has mostly occurred in organizations without any form of structure for policy
governance. The majority of the time, the policies were biased against the organization and omitted
important components. However, as one might anticipate, the policies were beneficial to the individual
who created them.
I think that those who will be impacted by policies should be involved in their development. To reduce the
possibility of unexpected consequences, it's critical that all stakeholders are heard, even though the final
policy may not ultimately reflect all viewpoints. Additionally, policies must be comprehensive, and
different viewpoints can fill in any gaps that may present.
3.4 Step back and consider the need
Do you make policies because they are necessary or because someone did something you didn't like?
There is a considerable difference and, again, I have seen policies put into place out of malice and as
punishment. It goes without saying that such behavior would not occur in a rational company. But it also
won't occur in a tight policy-on-policies environment, as the policy will often go through several approval
stages before being approved, and somewhere along the line, someone will take a step back and ask, "Why
do we need this?"
When there is a clear need and a clear issue to be resolved, policies should be implemented.
3.5 Use the right words so there is no misunderstanding intent
To be effective, policies must be understood. This attempt is aided by the use of precise and unambiguous
grammar. Make sure your terminology is clear and basic so that everyone can understand it. In the body of
the policy, use the words "must" or "will" instead of "should." The latter suggests that the action is
voluntary, casting doubt on the necessity of the policy. Use the word "should" when something is
recommended but not when it is necessary.
Never use a person's name; always refer to an office, department, unit, or job title. Examples: "Contact
the assistant to the CFO to..."; "The office of the CIO is responsible for..."
Email addresses used for correspondence should always be generic department addresses or links to
websites with additional contact details. To avoid the need for policy revisions when personnel changes
take place, refrain from utilizing personal email addresses.
Subheadings and words that need to be stressed in a sentence shouldn't be underlined. If a word needs to
be stressed, bold or italicize it instead. When the policy is published online, terms that are underlined
could be interpreted as links.
3.6 When possible, include an exceptions process
Every rule has an exception, at least most of the time. It is much simpler to outline an exceptions process
in advance, before the policy is put into effect. Think twice before declaring "I will never allow
exceptions." There will be a circumstance at some point that calls for an exception. It's crucial that
exceptions are also given in a fair and equitable manner because policies are implemented to manage
conduct and are intended to level the playing field. The validity of the entire policy may be questioned if
you abuse the exceptions process.
3.7 Allow some shades of gray
You've established an exceptions procedure that is unquestionable and produced a policy that is
impenetrable in every way. Although it's a worthy objective, not every policy will be able to achieve it.
Since policies are meant to create a level playing field, this is the point that might face the most
opposition. However, I think that some policies should leave room for interpretation so that people can use
their judgment. There are simply too many situations where people hide behind "that's policy" or "zero
tolerance" to avoid doing the right thing. This is not to say that a policy should let people do as they choose.
3.8 Define policy maintenance responsibility
To ensure that they remain applicable, most policies need to be reviewed on a regular basis. In addition,
someone needs to be prepared to provide clarification as queries regarding the policy are raised. Make
sure to always name the office, not a specific person, as being in charge of the policy. Since people come
and go, you cannot tie the policy to an individual.
3.9 Keep senior executives out of the routine when possible
When possible, I emphasized the necessity to devise a policy exceptions procedure. When I worked for
one company, the CEO was inherently responsible for it. That, in my opinion, was a waste of his time.
Someone within the company should be given the authority to manage exceptions through the
implementation of an exceptions process. Except as required by law or regulation, the designated person
need not be a vice president or the company's chief executive officer. Additionally, don't count on senior
executives to create every policy. However, it should be the leadership team's obligation to review new
policies before they are implemented.
3.10 Establish a policy library with versioning
These days, you can keep versions of documents using a variety of platforms, including SharePoint. Every
employee should always have access to all pertinent policies. How can you expect employees to adhere to
policies if they cannot access them? When it comes to versioning, it's beneficial to view their history to
understand what has changed over time as policies alter.
4. The element of security policy
4.1 Introduction
Like all organizations, small firms increasingly rely on networks and computer systems to conduct
business. For many small firms, email is becoming a vital tool for communication. Websites are crucial
sales producers for companies with eCommerce sites and crucial marketing platforms. As our reliance on
computer systems grows, so does the need to secure them, much as door locks and safes secure physical
structures, valuables, and trade secrets of enterprises. The Honeynet Project has investigated the security
ramifications of connecting a computer to the Internet using a basic broadband connection, similar to those
used by many small businesses. Without security measures, the Windows and Linux computers deployed
were frequently scanned, attacked, and compromised within a week. Additionally, the project observed a
100% rise in scans from May 2000 to February 2001, demonstrating the growing threat to security. These
results point to a major threat to information security posed by connections to the Internet, even if the
conclusions are an order of magnitude too pessimistic.
Except for companies that provide computer consulting and security services, not many small businesses
have an innate or special interest in network or other types of security. Resources are used up in the pursuit
of security and related activities. These assets serve the business's objectives or stand in for the earnings
the enterprise hopes to make. The majority of information security is intangible, with even the most
obvious components being less obvious than a door lock or a safe. Greg Bassett outlines a strategy for
persuading management of the need for computer security in a paper he wrote for GIAC certification. This
essay discusses the factors that should be taken into account when creating a security policy, which serves
as the cornerstone of information security.
4.2 Security Policy Document
A security policy document serves a number of purposes. Its name implies that security policies are
documented. It does more than merely record them. It offers a structure within which policies can be
created, altered, and evaluated. The context connecting the policies to the business should also be included
in a security policy document. Outlines for security policy documents can be found in Internet Security
Systems, Walker and Cavanaugh, and numerous more books and online resources. They provide writing
tips for introductions as well as specific security policies. The precise subject matter and focus that each
guideline recommends varies. There should be a thorough introduction to every security policy document
in addition to the specific security policies.
4.3 Introductory Elements
An introduction to a security policy document places the regulations in the context of the enterprise they
are meant to safeguard. The introduction should be customized to the company's needs, but it should at the
very least cover the following topics: the document's goal, its scope, and its policies; specific
organizational responsibilities; general and detailed organizational security policy objectives; and a threat
and risk assessment.
4.4 Purpose
The extent to which a company deals with sensitive data, as well as the methods used to manage systems
and networks—whether by in-house staff members with specialized knowledge, staff members who take
on additional responsibilities, or outside contractors—can all have an impact on the purpose of a security
policy document.
4.5 Scope
The scope description should define precisely what is protected by the policies and should clarify what is
not. A small business must determine whether the security rules include permitted use and disaster
recovery strategies, in particular. Numerous sources advise them to. Small enterprises might not require
these. A small group of employees may decide what is permissible use by voting as a group. The
redundancy needed for a comprehensive disaster recovery or business continuity plan may be too
expensive for some small organizations. These policies, along with others, may serve as additional
documentation for others, as the Joint Information Systems Committee in the UK advises.
4.6 Responsibilities
Every organization needs to think about and allocate roles for security. Within an organization,
responsibilities may be delegated to specific people or job roles.
4.7 Objectives
The triad of confidentiality, integrity, and availability of information resources is frequently used to
describe the overarching goal of security and security policy. The European ITSEC security criteria from
1991 contain this concept, although its core ideas date back much further. The objectives of a security
policy for a particular firm should be stated as the confidentiality, integrity, and availability of the
particular resources that are crucial to the business.
4.8 Threat and Risk Assessment
The threat and risk assessment is one of the most important parts of the security policy document. The
threat assessment determines what the policies are meant to defend against. Some threats are
commonplace, such as attacks from the Internet of the kind documented by the Honeynet Project. Small
organizations may be less concerned about other kinds of threat, such as those from inside. The risk
assessment lets management prioritize the security concerns, so that a small organization can make the
most of its scarce security resources, and it provides the basis for auditing the document. Every policy
should address one or more of the threats listed in this section. If a policy is written that addresses no
listed threat, the threat assessment needs more work; conversely, some threats may not justify a policy
because their risk is minimal. The risk assessment is highly specific to the organization and its
circumstances.
4.9 Policy Attributes
Every policy should carry a common set of attributes. The organization should decide which attributes
each policy must have and define a template for security policies that lists them. The sections that follow
describe the attributes most commonly used. The details of these
attributes may be adapted to the organization's preferences, but the information they carry must appear in
the security policy document.
4.10 Identification
Every security policy should have a unique identifier, so that the security policy document, supporting
external documents, and audit tools such as coverage matrices can refer to policies unambiguously. Policy
identifiers may be textual, numeric, or alphanumeric; a common convention is a descriptive name together
with a unique number for each policy.
4.11 Policy Statement
The policy statement describes the policy itself. It must be clear, concise, and unambiguous: it expresses
management's intent, but should not be so general that it gives no guidance.
4.12 Elaboration
In the policy statement, the policy is described. It needs to be clear, concise, and without ambiguity. The
remark shouldn't be excessively ambiguous, even though it expresses management's purpose.
4.13 Threat addressed
Each policy should map to at least one threat identified in the threat and risk assessment. Many policies
address several threats; if a policy cannot be linked to any known threat, either the policy should be
dropped or the threats should be reassessed.
4.14 Exceptions
Like many business policies, security policies are not always absolute. Each policy should identify any
foreseeable exceptions, stating clearly the circumstances under which they apply and their limits.
4.15 Violations
Every organization should decide what happens when a security policy is violated, and the policy
framework should provide a consistent way to record the response to violations. Disciplinary measures
belong in the personnel manual rather than in the security policy document, but the seriousness of
violating a particular policy should be considered, and each policy should carry guidance on how
violations are handled.
4.16 References
Some policies stand on their own; others are only meaningful because they replace, extend, or align with
other policies. The framework should provide a uniform way of recording these relationships.
4.17 History
The policy framework must provide tracking of specific policy changes because policies might evolve
over time. For audits, the modification history of policies is crucial.
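The attributes above (identifier, statement, threats addressed, exceptions, history) and the two mapping rules from the threat and risk assessment (every policy maps to at least one threat; a threat with no policy needs a second look) can be checked mechanically. The following is an added example, not part of the original assignment: it models a small policy register in Python, builds the coverage matrix that the Identification section mentions as an audit tool, and reports the policies and threats that break either rule. The policy and threat identifiers, names and dates are constructed sample data.

```python
"""Policy-to-threat coverage matrix for a security policy document.

Added example (not part of the original assignment). Models the policy
attributes described above and checks the two mapping rules of the threat
and risk assessment: every policy must map to at least one known threat,
and every threat should be addressed by at least one policy. All policies,
threats and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Policy:
    policy_id: str                  # unique identifier, e.g. "NET-001"
    name: str
    statement: str
    threats: set[str]               # threat IDs from the risk assessment
    exceptions: list[str] = field(default_factory=list)
    history: list[tuple[date, str]] = field(default_factory=list)


# Constructed sample threat register (IDs are invented for the example).
THREATS = {
    "T1": "Internet-borne attacks against exposed services",
    "T2": "Unauthorised access via weak or shared passwords",
    "T3": "Loss or theft of backup media",
    "T4": "Insider misuse of privileged access",
}

# Constructed sample policies. DOC-001 deliberately maps to no threat.
POLICIES = [
    Policy("NET-001", "Perimeter firewall",
           "All Internet-facing traffic passes through the firewall.", {"T1"},
           history=[(date(2023, 1, 10), "initial version")]),
    Policy("USR-001", "Password standard",
           "Users choose strong, unique passwords.", {"T2", "T4"},
           exceptions=["Service accounts with vault-managed credentials"]),
    Policy("DOC-001", "Email retention",
           "Mail is retained for 12 months.", set()),
]


def coverage_matrix(policies, threats):
    """Return {policy_id: {threat_id: bool}} for every policy/threat pair."""
    return {p.policy_id: {t: (t in p.threats) for t in threats} for p in policies}


def audit(policies, threats):
    """Apply the two mapping rules and report what breaks them."""
    known = set(threats)
    findings = {"policies_without_threat": [], "uncovered_threats": [], "unknown_threats": []}
    covered = set()
    for p in policies:
        if not p.threats:                       # rule 1: policy with no threat
            findings["policies_without_threat"].append(p.policy_id)
        unknown = p.threats - known             # references to threats not in the register
        if unknown:
            findings["unknown_threats"].append((p.policy_id, sorted(unknown)))
        covered |= p.threats & known
    findings["uncovered_threats"] = sorted(known - covered)   # rule 2: threat with no policy
    return findings


def render_matrix(policies, threats):
    """Plain-text coverage matrix for the audit section of the document."""
    m = coverage_matrix(policies, threats)
    rows = ["policy   " + " ".join(f"{t:>3}" for t in threats)]
    for p in policies:
        cells = " ".join(f"{'X' if m[p.policy_id][t] else '.':>3}" for t in threats)
        rows.append(f"{p.policy_id:<8} " + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_matrix(POLICIES, THREATS))
    print(audit(POLICIES, THREATS))
```

Run as a script it prints the matrix and the findings: DOC-001 has no threat behind it (drop it or extend the threat assessment), and T3, loss of backup media, has no policy covering it (a physical security policy is missing). The same register can later feed the History attribute by appending to each policy's `history` list.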
4.18 Areas of Coverage
The areas covered by a security policy document should line up with the threats identified in the threat
and risk assessment. Individual policies are much more narrowly defined, however, and a single threat may
justify several policies. There are many guidelines for which topics a business security policy should
cover; the SANS Top Twenty list of Internet security vulnerabilities and the advice of the National
Infrastructure Protection Center both highlight areas to consider when drafting any security policy
document. Each document will be different, but the areas listed in the following sections are likely to
appear in most of them.
4.19 Physical Security Policies
Physical security policies cover physical access to server rooms, computers, and any other resources that
could be misused. They may also cover administrator password escrow notebooks and the protection of
media such as backup tapes, emergency recovery diskettes, and printouts. For organizations handling
highly sensitive documents, the policies may require careful handling and disposal of printouts, CDs, and
diskettes.
4.20 Network Security Policies
Network security policies are often the most numerous and the most important, since a network that is not
properly secured is exposed to both internal and external threats. They cover firewalls, virtual private
networks, wireless access, modem use, installation of devices on the network, and everything else
concerned with connections to the network. They may also cover network logging, intrusion detection, and
monitoring.
4.21 Host Security Policies
Network security policies may include rules for how particular hosts or computer systems are to be
configured, but such rules are usually distinct enough to merit their own category. Host policies
can specify how servers are set up, how workstations are standardized, which software is permitted or
required (anti-virus software, for example), and what data may be stored on which kinds of host. Because
unauthorized takeover of a host is a common security risk, host policies may cover both intrusion
detection, which can reveal when a host has been compromised, and backups, which help recover from a
compromise. Host security policies span a wide range, from what data may be carried on laptops while
traveling to the hardening of high-risk servers exposed to the Internet.
4.22 User Security Policies
User security policies cover both what is expected of users, in terms of behaviour that supports security,
and how users themselves are handled. User behaviour, such as choosing strong passwords and avoiding
their accidental disclosure, strongly affects how well security policies work. User security policies
should also cover users' access to systems and documents and how users are classified for security
purposes.
4.23 Document Security Policies
For any business that handles sensitive information, document classification will be referenced by many
other security policies. Policies for document management may also be needed, and document security
standards may include rules on encryption.
4.24 Documentation Policies
Documentation is not always recognized as a key component of security policy, yet good process and
network documentation considerably improves the ability to implement policy, audit for security, and keep
the implementation effective when personnel change.
4.25 Incident Handling Policies
Incident handling policies define how the organization responds when a security incident occurs: who
must be notified, how affected systems and evidence are handled, and how the incident is recorded and
reviewed afterwards. Agreeing this in advance avoids improvised decisions under pressure.
4.26 Audit Policies
Audit policies specify the frequency and rigour of the various kinds of security audit. Security is an
ongoing process: threats, countermeasures, the network, and the business all change over time, and regular
reassessment is needed to keep up. The security policy document itself must be reviewed periodically, and
the systems and
practices put in place to implement the policies should be audited to confirm that they deliver the intended
security. Audit policies should also state who performs each kind of audit, whether internal or external
auditors.
4.27 Conclusion
Security practices and procedures are built on top of the security policy document. It must be a living
document that evolves as threats and business activity change. A solid document framework and usable
policy templates make it easier to produce a comprehensive, practical security policy document, and give
the flexibility and control needed to make changes that actually work. Small businesses in particular need
the flexibility to create and adjust policies so as to match the organization's needs and the available
security resources to the threats it faces.
5. The steps to design a policy
There are 10 steps to designing a successful security policy:
1st step: Identify your risks
What risks could arise from inappropriate use? Do you hold information that should stay confidential? Do
you send or receive many large files and attachments? Are potentially objectionable attachments
circulating? Perhaps there is no problem; alternatively, it may be costing you hundreds of dollars a month
in lost productivity or staff computer downtime. Tracking or reporting tools are a useful way to categorize
your risks. Many firewall and Internet security vendors offer evaluation periods for their products, and if
those products include reporting, an evaluation period can be used to identify the risks. If you do this, it
is critical to tell staff that their activity will be recorded for risk assessment purposes; many employees
will see it as an invasion of privacy if it is done without their knowledge.
2nd step: Learn from others
Since there are many kinds of security policy, it is worth looking at what other businesses like yours are
doing. You can spend hours searching online, or buy a book such as Information Security Policies Made
Simple by Charles Cresson Wood, which contains more than 1,200 policies ready to be customized. Talk to
salespeople from several security software companies as well; they are usually happy to discuss specifics.
3rd step: Make sure the policy conforms to legal requirements
Depending on your data holdings and jurisdiction, and especially if your organization stores personal
information, you may be required to meet a set of minimum requirements to protect the privacy and
integrity of your data. Having a workable, documented security policy in place is one way to reduce the
many liabilities you may face after a security incident.
4th step: Level of security = level of risk
Do not be overzealous: too much protection can be as harmful as too little. If you have a responsible,
mature workforce, you may find that, beyond keeping outsiders out, acceptable use is not a concern, and
what matters most is a written code of conduct. Make sure you do not overprotect, because excessive
controls become a barrier to efficient business operations.
5th step: Include staff in policy development
Nobody likes a policy handed down from above. Involve employees in defining acceptable use, and keep
them informed as policies are written and enforcement tools are deployed. People are far more likely to
comply if they understand why a responsible security policy is needed.
6th step: Train your employees
Staff training is often neglected or undervalued when an acceptable use policy (AUP) is introduced, yet it
is one of the most valuable steps. As well as helping employees understand the policy, it forces you to
think through the policy's likely practical effects. In a training session end users can ask questions or
raise examples, which can be very rewarding: you can use those questions to refine the policy and explain
it in more detail.
7th step: Get it in writing
Make sure every team member has read, understood, and signed the policy. New hires should sign it when
they join, and everyone should be required to review it and reaffirm their understanding at least once a
year. In large organizations, use digital tools to distribute the document and track signatures; some tools
also include quizzes to check users' understanding of the policies.
8th step: Set clear penalties and enforce them
Network security is a serious matter. Your security policy is a condition of employment, not a list of
optional rules. Have a detailed set of rules that spell out the consequences of breaking the security
policy, then enforce them. A policy that is enforced carelessly is as harmful as no policy at all.
9th step: Upgrade your staff
A security policy is a complex document because the network itself keeps changing: people come and go,
databases are created and retired, and new threats appear. Updating the security procedures is hard
enough; informing employees of the changes that affect their daily work is harder still. Transparent
communication is the key to success.
10th step: Install the tools you need
Having a policy is one thing; putting it into practice is another. Content security tools for Internet and
email traffic with configurable rule sets will help ensure the policy is followed, however complex it is.
Buying the tools needed to carry out your security strategy may be one of the most cost-effective
investments you ever make.
6. Step in policy development
1. Identify and define the problem or issue that necessitates the development of a policy
The organization must also be aware of the goals of policies and recognize that they can be
created or changed to address a problem or issue in an efficient manner.
2. Appoint a person or person(s) to co-ordinate the policy development process
The process of developing a policy could take several months. The procedure needs to be
"driven" by someone or even a committee.
3. Establish the policy development process
Tasks related to research, consulting, and policy writing are required. A schedule of the tasks that
must be completed, by whom, and when should be created by the coordinator.
4. Conduct research
• Read policy documents created by other organisations on the same topic
• Research legislation on the Internet
• Conduct a meeting with staff and other people with experience
• Survey participants or a particular group of participants such as coaches
• Read minutes of management committee meetings (if allowed)
• Read other documents such as annual reports or event reports
• Read industry magazines and journals
• Seek legal advice
5. Prepare a discussion paper
The discussion paper's objectives are to describe the nature of the problem or issue, to
summarize the facts obtained through research, and to offer a variety of policy solutions. The
discussion paper will be a crucial instrument in the consultation process.
6. Consultation - Stage 1
One of the first steps in the consultation process is to distribute the discussion paper to all
stakeholders (interested parties). It can also be required to call and notify stakeholders to remind
them to read the discussion document. Then, it's critical to get as much input as you can from all
relevant parties. This can be accomplished through workshops, public gatherings, your website,
and one-on-one encounters. To make sure that this round of consultation is exhaustive, several
months may be needed.
7. Prepare a draft policy
The next stage is to create a draft policy once the consultation processes have had enough time
to be finished.
8. Consultation - Stage 2
The draft policy should be sent to important stakeholders after completion, published on the
organization's website and newsletter, and discussed at additional meetings and forums. Before
the policy is finalized, it is vital to enlist the assistance of stakeholders to polish the language,
define key terms, and make required changes.
9. Adoption
It is time to finalize the policy once the process coordinator for developing the policy is
reasonably comfortable that all questions and concerns have been brought up and addressed. The
organization's management (management committee) must formally endorse the final policy
paper, and a suitable entry must be made in the minutes.
10. Communication
The policy should be widely disseminated among all stakeholders in the organization after being
formally adopted. To make sure that organization staff members are completely informed and
capable of implementing the policy, training sessions may need to be held. The policy could fail
if it is poorly explained.
11. Review and evaluate
Monitoring the policy's application is necessary. The policy might still need to be adjusted, and
its justifications for being in place might also alter. Setting a date for the policy's review is a
standard procedure; this date may be once a year or every three years. Simply said, it depends on
the type of policy.
P8 List the main components of an organisational
disaster recovery plan, justifying the reasons for
inclusion
1. Business continuity
The capacity of an organization to prevent operations and fundamental business functions from being
negatively impacted by a disaster or unanticipated incident that takes critical systems offline is known as
business continuity. Business continuity planning is the interdepartmental process of putting into action
the strategies needed to resume regular business operations in a predetermined amount of time, define the
level of data loss that the company considers acceptable, and communicate crucial information to
organizational stakeholders both during and after incidents. This process is frequently led by information
technology.
For all but the largest firms, implementing redundant IT infrastructure and backup plans used to be
prohibitively expensive. However, new affordable, on-demand cloud technologies are making effective
business continuity strategies accessible to millions of businesses.
Cloud data backups, cloud-based disaster recovery as a service (DRaaS) for infrastructure failures, and
managed security strategies that defend against more sophisticated cyberattacks are common technology
services created for business continuity.
2. The components of recovery plan
-Communication plan and role assignments.
Communication is crucial in a disaster. A plan is needed because it brings the team together and spells
out every communication in detail. Employee contact information should be current in every document,
and everyone should know their responsibilities in the days after a crisis. If you do not have technical
resources to work through everything, you will need assignments for tasks such as setting up
workstations, assessing damage, redirecting phones, and so on.
- Plan for your equipment.
When a severe storm is forecast, you need a plan to protect your equipment: lift all equipment off the
floor,
into a room without windows, and wrap everything securely in plastic so that no water can reach it.
Completely sealing equipment against flooding is the goal, but it is not always possible in extremely
heavy flooding.
-Data continuity system.
When you develop your disaster recovery plan, work out exactly what your company needs in order to
function: its operational, financial, supply, and communication requirements. Document those needs so
that you can plan backups and business continuity with a full understanding of the requirements and
logistics involved, whether you are a small business-to-business firm with a few employees or a large
consumer business that must fulfil shipments and keep customers informed about them.
-Backup check.
Your disaster recovery plan should also include a comprehensive local backup of all servers and data.
Make sure the backup actually runs, run it as far in advance as possible, and back up to a location that
the disaster will not affect. It is also wise to keep a copy on an external hard drive that you can take with
you when you leave the office.
-Detailed asset inventory.
Your disaster readiness plan should include a thorough inventory of the workstations and their
components, servers, printers, scanners, phones, tablets, and other technology that you and your staff use
regularly. A simple list (with photographs) that you can hand to your insurance adjuster makes it much
quicker to file claims after a major disaster.
-Pictures of the office and equipment (before and after prep)
In addition to photographs of individual inventory items, take photos of the office and equipment to
show that they were in use by your employees and that you took the necessary precautions to move
equipment out of harm's way before the storm.
-Vendor communication and service restoration plan.
Once a storm has passed you want to be running again as soon as possible, so make sure your plan covers
vendor communication. Check with your local power company about the risk of surges or outages while
damage in the area is being repaired, and ask your phone and Internet service providers about access and
restoration.
These elements are a good starting point for a comprehensive disaster recovery plan, but pay close
attention to the specifics of each one. The practicalities of testing backups and taking as many backups as
you can before the storm matter as much as the softer details of how you will communicate with vendors,
account for your assets, and get back up and running as quickly as possible. If all of this seems
overwhelming, a third party can help you build a disaster plan so that you are ready for the storms that
hurricane season may bring.
3. Steps to Building a Disaster Recovery Plan
3.1 Conduct an asset inventory
An inventory of all IT assets should always be the first step in any disaster recovery strategy; it is how
you get a grip on the complexity of your environment. First, list every resource under IT administration:
all servers, storage devices, software, data, network switches, access points, and network appliances.
Then map the physical location of each asset, the network it is on, and its dependencies. Here's an
illustration:
Figure 7 conduct an asset inventory
3.2 Perform a risk assessment
Once all IT resources, networks, and dependencies are mapped, list every internal and external threat to
each resource. Consider every possibility and be thorough: the threats may be routine IT failures as well
as natural disasters.
For each threat, record the likelihood that it will occur and the expected effect if it does. How would each
possible outcome affect business continuity? This is also a good point to ask colleagues for help. Keep in
mind that mundane events happen far more often than natural disasters: talk less about storms and
earthquakes and more about how likely a power outage or IT hardware failure is. Here's an illustration:
Figure 8 Perform a risk assessment
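The inventory in 3.1 records each asset's dependencies, and the risk assessment in 3.2 scores each threat by likelihood and effect. The example below is added here and is not part of the original assignment: it encodes a small inventory with its dependency map, propagates the impact of losing an asset to everything that depends on it, and ranks the threats as likelihood times propagated impact. The assets, threats, and the 1 to 5 scores are constructed sample data; the point it illustrates is the one made above, that a frequent mundane event (a mains outage) outranks a rare natural disaster hitting the same asset.

```python
"""Asset inventory with dependencies, plus a risk ranking over it.

Added example (not part of the original assignment). Implements steps 3.1
and 3.2 above: an inventory recording where each asset sits and what it
depends on, and a risk assessment scoring each threat as likelihood times
impact. Impact is propagated along the dependency map, so a threat to the
power feed also counts against everything that needs power. All assets,
threats and scores are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: asset -> (physical location, network, direct dependencies)
ASSETS = {
    "power-main":   ("server room", "n/a",  []),
    "core-switch":  ("server room", "mgmt", ["power-main"]),
    "db-server":    ("server room", "lan",  ["power-main", "core-switch"]),
    "web-portal":   ("dmz rack",    "dmz",  ["core-switch", "db-server"]),
    "laptop-fleet": ("offsite",     "wifi", []),
}

# Business impact if the asset itself is unavailable (1 = minor, 5 = severe)
IMPACT = {"power-main": 1, "core-switch": 2, "db-server": 4, "web-portal": 5, "laptop-fleet": 2}

# Constructed threat register: (threat, asset hit directly, likelihood 1 = rare .. 5 = frequent)
THREATS = [
    ("mains power outage",              "power-main",   4),
    ("switch hardware failure",         "core-switch",  3),
    ("database disk failure",           "db-server",    3),
    ("earthquake damages server room",  "power-main",   1),
    ("laptop theft",                    "laptop-fleet", 3),
]


def dependents(assets):
    """Invert the dependency map: asset -> set of assets that (transitively) need it."""
    direct = defaultdict(set)
    for name, (_, _, deps) in assets.items():
        for d in deps:
            direct[d].add(name)
    result = {}
    for name in assets:
        seen, stack = set(), [name]
        while stack:                       # depth-first walk down the dependency graph
            cur = stack.pop()
            for child in direct[cur]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        result[name] = seen
    return result


def blast_radius(asset, assets):
    """Total impact of losing `asset`: its own impact plus every downstream asset's."""
    return IMPACT[asset] + sum(IMPACT[a] for a in dependents(assets)[asset])


def rank_risks(threats, assets):
    """Score each threat as likelihood x propagated impact, highest first."""
    scored = []
    for name, asset, likelihood in threats:
        impact = blast_radius(asset, assets)
        scored.append((likelihood * impact, name, asset, likelihood, impact))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name, asset, lik, imp in rank_risks(THREATS, ASSETS):
        print(f"{score:3d}  {name:<32} hits {asset:<12} L={lik} I={imp}")
```

With these numbers the mains outage scores 48 (likelihood 4, propagated impact 12, because the switch, database and portal all need power), while the earthquake hitting the same asset scores 12; the ranking, not the scary headline, decides where the scarce DR budget goes first.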
3.3 Define criticality of applications and data
You must categorize your data and applications based on their criticality before constructing your IT
disaster recovery plan. To start, ask your coworkers and the support team how crucial each program and
data collection is.
Look for commonalities and arrange them into groups based on how important they are to your business
continuity, how often changes occur, and your retention policy. You shouldn't use a separate approach for
every single application or dataset you have. You can use a less complicated recovery technique if you
divide your data into classes with comparable traits.
Making assumptions-based classifications of data in a vacuum could end up costing you. Make sure you
include support personnel and other business management in this planning process. To reduce the number
of data types you have, you will surely have to make some trade-offs. The recommended range for the
number of classes for medium-sized businesses is between three and five. Here's an illustration:
Figure 9 Define criticality of applications and data
3.4 Define recovery objectives
Different systems will have different recovery objectives. A critical e-commerce database, for instance,
may have very aggressive objectives because the business cannot afford to lose any transactions or be
down for long. A legacy internal system may have much looser objectives, because its data changes rarely
and it is less critical to bring back online.
Many IT teams fail at this stage. The main source of misalignment is setting recovery objectives without
consulting the business line managers. They must be involved if the company is to recover effectively
from a disaster.
Here is a sample list of questions you can ask your business colleagues:
• What software and information does your department use?
• How much downtime can you tolerate for each?
• How much data loss are you willing to accept for each?
• Are there times when customers, partners, or staff do not use these applications?
• Would you ever need to restore data more than 90 days old? Six months old? One year old?
• Are there internal or external (industry or regulatory) requirements to keep the data for a specific
period?
• Are there internal or external (industry or governmental) constraints that prevent us from moving the
data to another location?
Understanding business requirements and offering a differentiated level of service availability based on
priority are crucial in this situation. Now that you have that knowledge at your disposal, you must translate
it into recovery objectives for your disaster plan.
RTO: Recovery Time Objective. What is the maximum time that any of your production or data systems
can be down? That is your recovery time objective. When setting the RTO, consider how much money the
business would lose if an application were down for a given period: how much would you lose if the
client portal were unavailable for an hour, or for a day? What would it cost if staff could not work because
email was down?
Your RTO determines what your data protection systems and products must be able to do. If the RTO is
very short, a matter of minutes, you need host-based replication or a disk-based backup with continuous
data protection. If the RTO is long, say more than four hours, you will probably have time to restore from
tape.
What is the maximum amount of data your organization can tolerate losing? That is the recovery point
objective (RPO). If the business has a high tolerance for data loss, the RPO might be hours or days; if it
cannot afford to lose any data, or only very little, the RPO will be seconds. The RPO you choose sets the
minimum frequency for backing up your data: if you can only afford to lose an hour's worth, back up at
least once an hour. That way, if an outage starts at, say, 2:30 p.m., you can restore the 2:00 p.m. backup
and still meet the RPO.
3.5 Determine the right tools and techniques
Once you have identified all your IT assets, defined their relationships, and classified them by criticality
and recovery objectives, it is time to decide which tools and procedures to use.
The good news is that there are many options on the market. Just make sure that whatever you buy gives
the right level of protection. Overprotection adds complexity and costs the business money, and
complexity is the enemy of productivity and makes human error more likely. Under-protection can be just
as harmful, because it puts the continuity of the business at risk.
For low-impact data, conventional nightly file-based backups are more than adequate, but they are not
suitable for high-impact data and applications. High-impact data and systems benefit greatly from a
continuous data protection (CDP) solution, although it may add load on production servers and increase
storage cost.
Offsite protection is arguably the most important part of your backup and disaster recovery plan.
Regardless of the kind of data backup technique you pick, this should be used. The technique (whether
cloud replication or a tape vaulting service) should be appropriate for your recovery goals. Make sure the
place to which your data is transported is sufficiently remote so as not to be in the same area of geographic
risk. This is typically at least 25 miles from the main location.
As much as you can, automate and streamline the recovery procedure. Key IT personnel might be
unavailable in a disaster. Automation reduces the possibility of human error as well.
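The rules stated in 3.4 and 3.5 (the RPO fixes the minimum backup interval; an RTO of minutes needs replication or continuous data protection, an RTO of more than four hours can be met from tape; low-impact data gets nightly file-based backups) are simple enough to encode. The following is an added example and not part of the original assignment: it maps each dataset's RTO and RPO to a protection technique and checks whether a given backup schedule actually satisfies the RPO for the 2:30 p.m. outage used above. The threshold values and the three sample datasets are assumptions made for the example.

```python
"""Turning RTO/RPO into a protection tier and checking a backup schedule.

Added example (not part of the original assignment). Applies the rules from
sections 3.4 and 3.5: the RPO sets the minimum backup frequency; a very
short RTO or RPO needs replication / continuous data protection; a long RTO
with a daily RPO can be served from nightly file-based backups and tape.
Thresholds and the sample datasets are constructed for the example.
"""
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)
FOUR_HOURS = timedelta(hours=4)
TEN_MINUTES = timedelta(minutes=10)   # assumed cut-off for "a few minutes"
ONE_DAY = timedelta(days=1)


def choose_technique(rto, rpo):
    """Map recovery objectives to a protection technique (thresholds are assumptions)."""
    if rto <= TEN_MINUTES or rpo <= TEN_MINUTES:
        return "host-based replication / continuous data protection"
    if rto > FOUR_HOURS and rpo >= ONE_DAY:
        return "nightly file-based backup, offsite copy via tape vault"
    return "disk-based backup, offsite copy via cloud replication"


def schedule(start, end, interval):
    """Recovery points produced by backing up every `interval` from `start` to `end`."""
    points, t = [], start
    while t <= end:
        points.append(t)
        t += interval
    return points


def latest_point_before(backups, outage_at):
    """The newest recovery point that was completed before the outage, or None."""
    earlier = [b for b in backups if b <= outage_at]
    return max(earlier) if earlier else None


def rpo_met(backups, outage_at, rpo):
    """True if restoring the latest pre-outage backup loses no more than the RPO."""
    latest = latest_point_before(backups, outage_at)
    return latest is not None and outage_at - latest <= rpo


# Constructed datasets with the objectives the business stated: name -> (RTO, RPO)
DATASETS = {
    "ecommerce-db": (timedelta(minutes=5), timedelta(minutes=1)),
    "erp":          (timedelta(hours=2),   ONE_HOUR),
    "legacy-hr":    (ONE_DAY,              ONE_DAY),
}

# Constructed schedules for the 2:30 p.m. outage described in the text.
DAY = datetime(2024, 3, 1)
OUTAGE = DAY + timedelta(hours=14, minutes=30)          # 2:30 p.m.
HOURLY = schedule(DAY, DAY + timedelta(hours=23), ONE_HOUR)
NIGHTLY = schedule(DAY, DAY + 2 * ONE_DAY, ONE_DAY)

if __name__ == "__main__":
    for name, (rto, rpo) in DATASETS.items():
        print(f"{name:<13} RTO={rto} RPO={rpo} -> {choose_technique(rto, rpo)}")
    print("hourly backups meet a 1h RPO for the 2:30 p.m. outage:", rpo_met(HOURLY, OUTAGE, ONE_HOUR))
    print("nightly backups meet a 1h RPO for the same outage:    ", rpo_met(NIGHTLY, OUTAGE, ONE_HOUR))
```

For the e-commerce database the script selects replication or CDP, for the legacy HR system nightly backups to tape, and for the ERP system the middle tier. The schedule check shows why the RPO must drive the backup interval: hourly backups leave the 2:00 p.m. restore point and meet a one-hour RPO, while a nightly backup would lose the whole working day.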
3.6 Get stakeholder buy-in
Include important stakeholders in all of your business divisions outside of the data center (i.e. application
owners and business managers). They must take part in the planning process. They should also concur
with you over the priorities of the organization and the service level agreements (SLAs) that your team
will deliver.
Talk to your key partners and vendors to make sure you get the most from your DR solution and services.
The IT staff of Orleans Parish in New Orleans had not been in close contact with
the parish's cloud backup / DRaaS supplier when two servers failed, and crucial conveyance and mortgage
records dating back to the 1980s were lost. In DreamHost's case, the vendor in charge of its data center
was informed of the issue by the web hosting provider only when an outage occurred. Avoid that by
keeping in regular contact with every vendor you rely on.
After consulting all the important parties, find an executive-level sponsor for you and the project. The
importance of executive support, collaboration, and consensus to the success of your disaster plan cannot
be overstated.
3.7 Document and communicate your plan
You need a written plan for resuming operations after a crisis, written with its intended audience in mind.
Share the plan. All too often only one person in the organization has the full picture, which leaves the
company exposed if that person is unavailable during a disaster. Also make sure the plan remains
accessible during a disaster: do not keep it only on a public share or in your Exchange mailboxes. Ideally
it should be printed and kept in several locations.
3.8 Test and practice your DR plan
It's a common adage that "practice makes perfect"; "practice makes progress" might be more appropriate.
No organization's disaster plan is ever perfect, but with practice you can identify and fix issues with your
plan and execute it more quickly and correctly. Even if you hold the practice sessions on particular days of
the week, such as Saturdays, make sure that everyone with a part to play shows up.
You do not need to rehearse the entire disaster recovery plan every time; testing specific portions of it is
perfectly acceptable. Here's an illustration:
Figure 10 Test and practice your DR plan
3.9 Evaluate and update your plan
A DR plan ought to be an ongoing project. Given an ever-changing business climate, it is especially crucial
to assess your plan routinely. Tolerance for data loss and downtime may have shrunk. Key personnel may
have been let go. IT may have adopted new hardware or operating systems. The business might have
acquired another business. Your planning must reflect the organization's current situation.
4. The policies and procedures that are required for business continuity
Figure 11 life cycle
This policy establishes a uniform procedure for creating, testing, and maintaining VCU's initial response,
business continuity, and business recovery plans. It covers the following business continuity plan (BCP)
lifecycle elements:
1. Risk Assessment. During the risk assessment step, each university department identifies, assesses, and
ranks hazards based on their probability of occurrence and the level of disruption they would cause to the
department's operations, and considers how each hazard may affect property, business, and people working
in the department, any clients they serve, and the university at large. Hazards are reviewed by the Director
of Emergency Preparedness, who provides context through definitions, recent events, and threat scenarios.
This results in a range of outcomes that may require a significant business impact analysis (BIA) and
recovery strategies to be developed and supported with resources. University departments analyze the risk
assessment data and rank the mission essential functions (MEFs) in priority order by importance.
2. Understanding the Organization: Business Impact Analysis (BIA). The term "BIA" refers to the
procedure of identifying, analyzing, and evaluating the potential repercussions of a disruption or cessation
of the business's crucial operations, functions, and processes as a result of an emergency, disaster, or
accident. It is a methodical approach to anticipating the probable effects of these disruptions, typically
from the standpoint of the worst-case scenario. The BIA is seen as the focal point of disaster recovery
planning, notably for reducing risk in the event of operational delays or disruptions brought on by
catastrophes and similar incidents.
a/ The MEFs and key resources for each department must be identified. The success of the department
would be significantly impacted if one or more of its essential services, programs, or activities were to
cease operations for an extended period of time. MEFs will act as a manual for how to resume operations
after a catastrophe or significant disruption. If it is a highly complicated department or unit, there should
generally be more than the standard four to six fundamental functions.
b/ Each department is responsible for administering its university MEFs and must be as detailed as
possible in defining the needs and identifying interdependencies for each function. Consider how the
function might need to be changed or modified if one of the major risks identified in the risk assessment
caused a large interruption.
c/ Each department is required to carry out a BIA for each MEF in order to evaluate and record the
potential negative effects of a disaster or significant disruption on that function. By considering
dependencies, peak times, negative effects, and financial risks, completing a BIA also helps establish
recovery priorities and recovery time objectives (RTOs).
d/ Each department must take into account the human and technological resources needed to keep
operations at their best.
e/ Each department is responsible for establishing and finalizing RTOs, or the amount of time required to
recover a process or function and resume regular, or nearly normal, commercial activities.
3. Determining the BCP Recovery Strategies. The RTOs established during the business impact analysis
prioritize the recovery strategies, which are alternative ways to return business operations to a minimally
acceptable level following a disruption. Recovery strategies need a range of resources, including personnel,
infrastructure, tools, supplies, and IT. Each department must analyze the resources needed to carry out its
recovery measures in order to find any gaps. Each department must:
a/ After performing a risk identification, create risk treatment plans across all business areas. Identify
internal sources of interdependency, such as shared resources, telecommunications/IT links, and
line-of-business dependencies.
b/ Document the strategy and procedures for maintaining, resuming, and recovering important business
operations and processes.
c/ Describe the immediate actions that must be performed during an event to reduce the harm from a
disruption and the processes required to recover.
4. Develop and Implement the BCP. VEOCI, a crisis management software solution, will be used to create
and maintain university business continuity plans. This will ensure the preparedness of mission-critical
functions across the university. Once planning (BIA and risk assessment) and meetings are finished, the
responsible department designee enters each Business Continuity Plan (BCP) into VEOCI. For access to
VEOCI, contact the VCU director of emergency preparedness; training is offered. Each department must:
a/ Describe the steps involved in triggering the BCP as well as the kinds of circumstances that might result
in the official announcement of a disruption.
b/ Establish the BCP's structure, including its executive summary, objectives and scope, summary of
results, and recovery activities.
5. Exercising, Maintaining and Reviewing. After the BCP is finished, the director of emergency
preparedness will conduct training and testing to make sure every member of the department is familiar
with it. The director will also establish a continuity planning group made up of individuals who would be
involved before, during, and after a disaster or significant disruption. After training and/or actual events,
each department will modify the BCP as necessary.
a/ Timely Review and Maintenance: Each department's plan owner is accountable for annually reviewing
all BCPs and associated documentation. The review ensures the plan is still relevant and current and keeps
everything in a state of preparedness. The VCU director of emergency preparedness is in charge of
monitoring the maintenance schedule.
b/ Training and Exercises: The director of emergency preparedness will organize annual testing for all
departments. Testing techniques range from the simplest (no-notice drills) to the most sophisticated
(full-scale exercises). Each has distinct traits, goals, and advantages, and the size, complexity, and nature
of the organization's operations should all be considered when choosing a testing strategy. In order of
increasing complexity, the techniques include tabletop exercises, functional exercises, and full-scale
exercises.