Assignment 2 security Greenwich

ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Grading grid: P5, P6, P7, P8, M3, M4, M5, D2, D3

Table of contents
Introduction
Task 1 - Discuss risk assessment procedures (P5)
  Define a security risk and how to do risk assessment
    Definition of security risks
    Risk assessment procedures
  Define assets, threats, and threat identification procedures, and give examples
    Definition of assets
    Definition of threats
    Threat identification process
    Example of threats identification procedures
  Explain the risk assessment procedure
  List risk identification steps
Task 2 - Explain data protection processes and regulations as applicable to an organization (P6)
  Define data protection
  Explain data protection process in an organization
  Why are data protection and security regulation important?
Task 3 - Design and implement a security policy for an organization (P7)
  Define a security policy and discuss about it
    Define security policy
    Discussion on policies
  Give an example for each of the policies
  Give the most and should that must exist while creating a policy
  Explain and write down elements of a security policy
  Give the steps to design a policy
Task 4 - List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8)
  Discuss with explanation about business continuity
  List the components of recovery plan
  Write down all the steps required in disaster recovery process
  Explain some of the policies and procedures that are required for business continuity
Conclusion
References

List of figures
Figure 1: Security risks
Figure 2: Assets
Figure 3: ISO 31000
Figure 4: Risk assessment steps
Figure 5: Data protection
Figure 6: Security policy
Figure 7: HR policy and procedure
Figure 8: AUP
Figure 9: Example incident response
Figure 10: Business continuity planning
Figure 11: Business continuity

Introduction
I work as a trainee IT Security Specialist at FPT Information Security (FIS), a top security firm in Vietnam. FIS advises medium-sized businesses in Vietnam on possible IT security concerns and implements technological solutions for them. Most clients have outsourced their security concerns because they lack technological expertise in-house. As part of my job, Manager Jonson asked me to create an interesting report to help teach younger staff about the tools and procedures involved in detecting and assessing security risks. To protect mission-critical data and equipment, IT security is used in combination with business policies. The report introduces and concludes the following major topics: discussing procedures for risk assessment; explaining how an organization's data protection practices and regulations work; designing and implementing an organization's security policy; and listing the primary components of an organization's disaster recovery plan and explaining why they are important.

Task 1 - Discuss risk assessment procedures (P5)
Define a security risk and how to do risk assessment
Definition of security risks:
A security risk is the possibility of a malicious act, such as crashing a system or stealing data and user information, that damages the systems of a company, business or organization. The threat may occur in the near or distant future.
It can be said that system security is the only method able to resolve and close the vulnerabilities and potential risks of a system. Security is a difficult area for developers, especially as more and more attackers look for vulnerabilities to exploit. Non-physical issues can cause data loss, data exposure, slow connections, and other security-related problems. The main causes are network attacks with various purposes, the spread of computer viruses and spyware, unauthorized access to computers in order to reach data, and software containing other malicious code.

Figure 1: Security risks

These non-physical risks are always difficult problems and can only be solved by system security methods.


Risk assessment procedures:
The term "risk assessment" refers to a broad process or strategy for identifying potentially damaging hazards and risk factors, analyzing and evaluating the risk that comes with them, and identifying acceptable methods for removing the hazard or controlling the risk if it cannot be removed.
A risk assessment is a comprehensive evaluation that identifies items, events, procedures, and other factors that might cause harm. Once these have been identified, you study and estimate the likelihood and severity of the harm, and then select the steps that will successfully minimize or control it.
There are 4 steps in the security risk assessment process:
Step 1: Identify hazards and potentially harmful factors
First, determine how the hazards affect the system. Administrators can perform system surveys to find threats. Hazards that are not clearly identified cannot be controlled.
Consider all possible sources of risk, especially the user database, because it is often the target of attackers.

Pay attention to the spots found by the surveyors; these are often the vulnerabilities that administrators find hard to detect.
Identify the secondary hazards that may follow once a hazard occurs. Learn from the vulnerabilities and security attacks that have happened before; this helps administrators identify potential threats that are difficult to detect.
Step 2: Identify who is affected
Once the hazards have been identified, the assessment panel should also clearly define who is affected and how. Some groups of objects, such as databases and servers, will be affected first. The next thing is to determine how big or small the effect is.
Determine whether the security risk affects the hardware or other components, so that the best solution can be found.
Determine who the affected users are; usually customers and visitors are affected. Determine which customer activities the risk can affect and whether customers lose data.
In addition, any long-term hazards that may arise in the future must also be identified.
Step 3: Identify, investigate, and provide a solution to the risk
Once hazards have been identified, the evaluator must devise measures to remedy them and must ensure good practice. The evaluator can therefore review the risk control measures that the organization has previously put in place and see whether they can be applied to reduce the hazards. To do this, the evaluator should consider:
- Can we completely eliminate the danger?
- If it cannot be eliminated, how can we control the risk so that the hazard is unlikely to occur?
When implementing risk controls, administrators can follow these steps in order:
- Use a less risky method; substitute the risk.
- Avoid approaching the hazard.
- Organize work in a way that reduces exposure to the hazard, applying safety methods and features.
- Provide policies and guidelines for users to avoid security risks.
Step 4: Record and evaluate
Record and present what the evaluator finds. This record must be easy to understand, making it accessible to administrators and programmers.
Arrangements should be made to monitor the risk control measures. System tests should be performed daily, weekly or monthly as a mandatory control.
The organization should conduct regular risk identification to detect hazards in a timely manner, and an overall review once a year to check whether the assessments are still valid and to ensure that security standards are still improving, or at least not falling behind.
In addition, record and evaluate potential vulnerabilities that can become risks and that arise during the risk remediation process, so that they can be remedied in the next security assessment.
Define assets, threats, and threat identification procedures, and give examples
Definition of assets

Identifying the assets that must be safeguarded is a crucial step in determining what should be protected. After taking an inventory of the assets, it is critical to assess the value and relevance of each item.

Figure 2: Assets

An asset inventory helps an organization compile a list of its assets and record specific information about them. Some organizations assign each asset a numerical value. Assets may be physical or non-physical: money, machinery, and other tangible items are physical assets, while user databases are an example of a non-physical asset.

Asset inventory management is a method of tracking and analyzing matters such as physical location, maintenance requirements, depreciation, performance, and eventual disposal of an organization's assets.
Definition of threats
In the context of computer security, a threat is a possible negative action or occurrence, aided by a vulnerability, that results in an undesirable impact on a computer system or application.
A threat can be a negative "intentional" event (e.g., hacking: an individual cracker or a criminal
organization) or a negative "accidental" event (e.g., the possibility of a computer malfunctioning, or the
possibility of a natural disaster event such as an earthquake, fire, or tornado), or any other circumstance,
capability, action, or event (Shirey, 2000).
This is distinct from a threat actor, who is an individual or a group capable of carrying out a threat action,
such as exploiting a vulnerability to do harm.

Threat identification process
Threat sources fall into three kinds: deliberate adversaries (a network attack tool or a physical opponent); faults in the resources the organization has tested (for example hardware, software and test fields); and natural and man-made disasters, accidents and situations beyond the organization's control.
Step 1: Identify potential dangers.
Threats are divided into two categories: man-made and natural. Auditing, configuration management, and data protection in storage and transmission are examples of areas in which threats may be identified using threat categorization.
Step 2: Create a threat profile.
Catalog threats into a profile that contains more specific information, such as the sort of threat discovered, its likelihood of occurrence, any linked data, and its effects.
Step 3: Look for security flaws.
Countermeasures can be used to close a security weakness. People, vital facilities, and critical infrastructure are the first three phases in the threat analysis process, in order of rescue priority. After risk ratings have been assigned to threats in step 2, threats can be ranked from greatest to lowest risk and mitigation measures prioritized. Once a potential effect has been identified, the following approaches for handling the risk are available:
• Accept and ignore: determine whether or not the impact is tolerable.
• Removal: remove components that might pose vulnerabilities because of their influence.
• Risk mitigation: lower the likelihood of a negative outcome.
Step 4: Write down your findings.
The last step is to record the situations. The most alarming and likely risks are reflected in the emergency management design scenarios. To accomplish this, scenarios include initial warning, community effect forecast, probable regions of failure, damage response, finite resources, and possible repercussions. Every potential situation is included in the scenarios.

Example of threats identification procedures

Figure 3: ISO 31000

Risk management process according to ISO 31000. The risk management process at <a company> includes:
- Establish the context associated with the program's goals and activities;
- Identify the risks (including identifying the likelihood and consequences associated with each risk);
- Analyze the risks;
- Assess and prioritize the risks;
- Manage the risks (including cost/benefit analysis of treatment options); and
- Continuously monitor and review risks and remedies.
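The threat profile, greatest-to-lowest ranking and three treatment options from the threat identification steps, together with the ISO 31000 loop above (identify, analyze, prioritize, manage, monitor and review), expressed as a small risk register. This is an added teaching example, not code from the report; the five-point scales, the accept threshold of 4 and the sample threats are assumptions, not values the report gives.

```python
"""Risk register for the threat identification steps and the ISO 31000 loop.

Added teaching example; it is not code from the original report. The five-point
likelihood and impact scales, the accept threshold and every threat listed are
assumptions / constructed sample data, not values taken from the report.
"""
from dataclasses import dataclass, replace

# Five-point qualitative scales (assumed convention; the report names none).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CATEGORIES = {"man-made", "natural"}          # step 1: the two threat categories


@dataclass(frozen=True)
class ThreatProfile:
    """Step 2: one catalogued threat with its type, likelihood, linked data and effects."""
    name: str
    category: str
    asset: str                # the linked asset or data
    likelihood: str
    impact: str
    effects: str
    removable: bool = False   # can the exposing component simply be removed? (step 3)

    def __post_init__(self):
        # Reject labels outside the agreed scales so the register stays comparable.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category!r}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown scale label on {self.name!r}")

    @property
    def rating(self) -> int:
        """Risk rating = likelihood x impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def treatment(profile: ThreatProfile, accept_threshold: int = 4) -> str:
    """Step 3: choose one of the three options named in the text."""
    if profile.rating <= accept_threshold:
        return "accept"           # impact judged tolerable
    if profile.removable:
        return "remove"           # drop the component that creates the exposure
    return "mitigate"             # lower likelihood or impact with controls


def build_register(profiles, accept_threshold=4):
    """Rank threats from greatest to lowest risk, each with its treatment.

    Ties are broken by impact first (a severe-but-rare threat outranks a
    frequent nuisance of equal rating), then by name for a stable order.
    """
    ranked = sorted(profiles, key=lambda p: (-p.rating, -IMPACT[p.impact], p.name))
    return [(p.name, p.rating, treatment(p, accept_threshold)) for p in ranked]


def reassess(profiles, new_likelihoods, accept_threshold=4):
    """'Monitor and review': re-rate after controls change; report treatments that moved."""
    changes = {}
    for p in profiles:
        if p.name in new_likelihoods:
            updated = replace(p, likelihood=new_likelihoods[p.name])
            before = treatment(p, accept_threshold)
            after = treatment(updated, accept_threshold)
            if before != after:
                changes[p.name] = (before, after)
    return changes


def render(register):
    """Step 4: write the findings down in a form administrators can read."""
    lines = [f"{'#':>2}  {'rating':>6}  {'treatment':<9}  threat"]
    for i, (name, rating, action) in enumerate(register, 1):
        lines.append(f"{i:>2}  {rating:>6}  {action:<9}  {name}")
    return "\n".join(lines)


# Constructed sample threats for a mid-sized client (not from the report).
SAMPLE_THREATS = [
    ThreatProfile("Ransomware delivered by phishing", "man-made", "user database",
                  "likely", "severe", "encryption of customer records, outage"),
    ThreatProfile("Flooding of the server room", "natural", "on-premises servers",
                  "unlikely", "major", "hardware loss, multi-day downtime"),
    ThreatProfile("Legacy FTP service exposed to the internet", "man-made", "file share",
                  "possible", "moderate", "credential theft, data exposure", removable=True),
    ThreatProfile("Brief power flicker", "natural", "workstations",
                  "likely", "negligible", "unsaved work lost"),
]

if __name__ == "__main__":
    print(render(build_register(SAMPLE_THREATS)))
    # After a flood barrier is installed, likelihood drops and the treatment moves to "accept".
    print(reassess(SAMPLE_THREATS, {"Flooding of the server room": "rare"}))
```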

Explain the risk assessment procedure
A risk assessment is an analysis of a specific job that you perform at work that may pose a hazard to others. The goal is to understand the possible dangers before mapping them and putting controls in place. Reasonable precautions should be taken to avoid injury, and a risk assessment helps you comprehend and prepare for such events.
List risk identification steps
For more detail, the risk identification process can also be broken down into five steps.

Figure 4: Risk assessment steps

Task 2 - Explain data protection processes and regulations as applicable to an organization (P6)
Define data protection
Data protection covers the interaction between the collection and distribution of data and technology, the public perception and expectation of privacy, and the political and legal frameworks around that data. Its goal is to achieve a balance between individual privacy rights and the ability to use data for commercial purposes. Data protection is also often referred to as data privacy or information security.

Figure 5: Data protection

Explain data protection process in an organization
Data protection rules and processes should be adjusted to your company's specific needs. You will need to establish your staff data rules and processes, for example, but it is pointless to describe what you will do with consumer data until you gather it.
Data held by the company must be:
- Collected and handled honestly and lawfully.
- Obtained for a specified and legal purpose, and not used in any way that is incompatible with that purpose.
- Adequate, appropriate, and not excessive for those purposes.
- Precise and up to date.
- Kept no longer than is required for that purpose.
- Processed in accordance with the data subject's rights.
- Protected against unauthorized access, loss, or destruction.
- Transferred to a country outside the European Economic Area only if that country has a comparable level of data protection.

Why are data protection and security regulation important?
You must have a formal policy and procedure in place to ensure that you meet the requirements established by different countries. Data security and privacy regulations are very important for every business and website; today they can decide the survival of a company. For example, Yahoo exposed the data of more than 1 billion users, and the company declined as a result. Large companies usually follow a defined privacy policy to protect user data as well as possible.

When user data is exploited by attackers, the consequences are extremely serious. For example, stolen bank data can lead to losses of up to millions of dollars. In another case, a leaked phone number caused customers to be disturbed by strangers. Data security and secure processes are therefore really important for every individual and business.

Task 3 - Design and implement a security policy for an organization (P7)
Define a security policy and discuss about it
Define security policy:
A security policy is a written document that defines how to defend an organization against dangers, such
as computer security threats, as well as how to address issues when they arise.

Figure 6: Security policy

All company assets, as well as any possible dangers to those assets, should be listed in the policy. The policy should be communicated to all workers, and the policies themselves must be updated on a regular basis.
Discussion on policies:

HR Policy
An HR policy usually refers to systematized documentation that states a company's position on matters like internet use or dress code, but it may also refer to a position expressed through speech. Policies are critical to the human resources department's success because they help define the employer-employee relationship. In order to establish a standard of behavior, employees must understand what the organization stands for. Without this standard, businesses cannot reprimand workers or establish improvement targets, which makes it considerably more difficult to improve corporate procedures and values.

Because there would be no precedent or starting point if a situation developed without reference, HR should have procedures in place for as many scenarios as feasible.
When it comes to systematizing HR policies, clarity is crucial. Everything should be clear; this is especially important in the event of a hiring committee, as corporate rules will be evaluated. It is also typically crucial to be able to determine where liability resides, which is possible when a corporation has a consistent policy in place.

Figure 7: HR policy and procedure



Incident response Policy
A plan outlining an organization's response to an information security incident is known as an incident response policy.
The policy's response to an incident is as follows:
- To provide a timely, efficient, and automated reaction to security and privacy issues, the necessary roles and processes must be created.
- The organization's priorities in handling security and privacy incidents should be agreed upon with management, and the individuals responsible for managing security incidents should understand those priorities.
- Security and privacy incidents should be reported as soon as feasible through the agreed management channels.
- A documented incident response procedure must be used to respond to security and privacy incidents. The knowledge gained from analyzing and resolving security and privacy incidents should be used to reduce the likelihood of future incidents or their impact.
- Procedures for identifying, collecting, acquiring, and retaining information that can be used as evidence should be specified and followed.
- The advantages of a consistent, formal approach to incident management should be discussed with the individuals and organizations involved, without unreasonably invading anyone's privacy.
- Any obstruction of the investigation of a security event or incident should be reported to top management right away. Obstruction can lead to disciplinary action, including termination of the contract.


Acceptable use policy (AUP)

Figure 8: AUP

AUPs can cover a wide range of concerns, including setting standards for fair online searches, downloads, and browsing.
Rules governing the use of email, phones, tablets, online gaming, and the publication of the school website are common examples.
The consequences that will be enforced in the event of an AUP violation are also an essential component of the policy document; they give your institution clear instructions in the event of a violation.
Educating parents, students, and instructors about the potential of the Internet as a learning resource is one of the key purposes of an AUP. Identifying proper online conduct and the repercussions of violations, as well as providing schools with legal liability protection, are all important aspects of policy development.
Students' online safety education is an important aspect of the school's internet safety program. Children and teenagers require assistance and support in recognizing and avoiding technological safety hazards.





Disposal policy
The goal of this policy is to provide standardized procedures for the management, retention, and disposal of documents that are received, created, generated, or maintained. This policy aims to:
- develop records management rules and a system of accountability, to help guarantee that the company can satisfy the legal obligations connected to records management;
- guarantee that government documents are legitimate and trustworthy;
- preserve the privacy of constituents and the confidentiality of documents;
- prevent documents from being misused, misplaced, damaged, destroyed prematurely, or stolen;
- secure the preservation of documents of long-term historical importance.
Business continuity policy
This is the Ribbon Company Continuity Policy 990-77001, which ensures that all business operations can be maintained at normal or near-normal levels following an incident that might cause substantial interruption. Severe weather events, cyber attacks, infrastructure outages, and facility or premises losses are just a few examples.

Give an example for each of the policies


HR Policy
At-Will Employment Policy: This policy reiterates that both an employer and employee can
terminate the employment relationship at any time and for any reason, providing said reason is
lawful. You should aim to prominently display this statement in the beginning of your employee
handbook.




Incident response Policy

Figure 9: Example incident response



Acceptable use policy (AUP)
- Disrupting network access for others, whether deliberately or unintentionally. Examples: infected computers flooding the network with spam or viruses, P2P file-sharing applications that consume more than a fair share of network resources, improperly configured network devices.
- Using technology resources to violate any State or federal law, including copyright and license agreements. Examples: illegally downloading, storing, and/or sharing copyrighted materials, viewing child pornography, theft of confidential information.
- Transmitting abusive, threatening, or harassing messages, chain letters, spam, or other communications prohibited by law or University policy.
- Unauthorized attempts to scan or gain access to systems, accounts, network traffic or information not intended for you.



Business continuity policy

Figure 10: Business continuity planning

Security policy
Policy on remote access
Connecting to a business network from any external host is known as remote access. The remote access policy is intended to reduce the risk of damage caused by unauthorized access to resources. This policy should apply to all workers and contain procedures for sending and receiving email as well as accessing intranet resources. It should also contain VPN access and disk encryption requirements.
Remote access should have the same requirements as on-premises access. Employees must not, for example, use their remote access for illicit conduct or allow unauthorized persons to use their work equipment. The policy should also require users to use strong passwords, log out when leaving their devices unattended, and not connect to any other networks while connected to the internal network. It should also require users to make sure that their operating system and anti-malware software are up to date.

Give the most and should that must exist while creating a policy
Compliance with mandatory laws is, in my view, the most important element and must exist in any policy. Depending on data retention, classification and location, the organization may be required to comply with minimum standards to ensure data privacy and integrity, especially if the company holds personal information. Having a documented and enforced security policy is one way to demonstrate that the security measures that may be required are in place.
Explain and write down elements of a security policy
The important elements of an organization's information security policy include:
- a declaration of purpose;
- a statement that defines the policy audience;
- a statement of objectives;
- permissions and an access control policy, which determine who gets access to what resources;
- statements about data classification;
- a statement of the responsibilities and duties of employees, and of who will be responsible for monitoring and enforcing the policy;
- performance measures that will be used to evaluate how effectively security is doing and what steps will be taken to enhance it.

Give the steps to design a policy
Step 1. Assess your risk.
The usage of monitoring or reporting tools is a smart technique to detect your risk. Many firewall and
Internet security manufacturers provide evaluation periods for their solutions. If such items give reporting
information, using these evaluation intervals to estimate your risk is beneficial.
Step 2. Study what others have done.
Because there are so many different sorts of privacy practices, it's crucial to look at what other companies
like yours are doing.
Step 3. Ensure that the policy conforms with all applicable laws.
You may be obligated to observe some minimal requirements to safeguard data privacy and integrity,
depending on your data holdings, jurisdiction, and location.
Step 4. Involve employees in policy creation
No one wants a policy that is imposed from on high. Employees should be included in the process of
determining permissible use. When regulations are written and tools are applied, notify the personnel.
Step 5. Get it in writing
Make sure that every member of your staff has read, signed, and understood the policy.
Step 6. Establish explicit consequences and make sure they are followed.
Cybersecurity is no laughing matter. Your privacy policy is not a collection of rules you may choose to follow; it is a requirement of employment. Have a clear set of processes in place that spells out the consequences of violating the privacy policy, and then enforce them.

Task 4 - List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8)
Discuss with explanation about business continuity

Figure 11: Business continuity

Business continuity refers to the planning and preparation done ahead of time to guarantee that an organization's key business functions can continue to operate in the event of an emergency. Examples of such events include natural catastrophes, business crises, pandemics, workplace violence, and any other event that disrupts your business. It is vital to note that you should plan and prepare not just for situations that would cause your systems to shut down completely, but also for occurrences that might have a negative impact on your services or operations.
• Supply chain failure - you don't have access to materials, goods, or services
• Utilities outage - you don't have access to electricity, water, or the internet
• Cyber incident - your website has been hacked and is down
These are just a few of the many incidents that an organization must consider and plan for.

List the components of recovery plan
1. Communication and preparedness of the staff
Your staff play a critical part in getting your business back up and running after a crisis. However, if staff do not know how to prepare and recover, this strategy will be rendered mostly ineffective.
2. Having at least one person from each department, including senior management, on the planning committee is a smart way to start educating staff about disaster preparedness. It is suggested that a committee be formed to consider the various requirements and viewpoints.
3. Recovering documents
You might lose all user data or key corporate documents in an instant. Without appropriate preparation and recovery, document loss may be disastrous. Fortunately, there are techniques to reduce this risk: hosting should be done on a secure server with a strong privacy policy.
4. Off-site location
While you evaluate off-site venues, keep in mind that you should have an off-site location for safe data storage and backup. If a calamity destroys or corrupts computer data, a backup will save the data so you don't have to start over with projects and files.
5. Inventory of assets
If you don't know what your company's assets are, you'll never be able to fully recover. Include a list of the company's physical assets and relevant information in the recovery plan (for example, make, model, serial number, date of purchase, and purchase price). Computers, tablets, smartphones, scanners, printers, cameras, software, office furniture, and other goods that employees use on a regular basis are among the assets to include. Include images of the workstations before and after the emergency (to show that the company has worked hard to secure its equipment and respond to alerts).
Write down all the steps required in disaster recovery process
1. Define the scope of your project
First and foremost, determine what your ultimate aim is. If your organization relies on rapid and simple access to data to stay afloat, your IT disaster recovery strategy should be centered on guaranteeing data availability, so that even if your on-premises hardware fails catastrophically, your proprietary information remains safe and secure.
2. Examine your IT security vulnerabilities
After defining your ultimate objective, you must establish a thorough understanding of your most evident weaknesses, paying special attention to the historical disaster risks in your area.
3. Conduct a risk analysis
A thorough risk analysis is akin to a "stress test" that is intended to help you determine how vulnerable your present infrastructure is to a catastrophe. With this viewpoint you will be better positioned to protect your most important assets.
4. Identify techniques for recovery
After stress-testing your preventive measures, the next stage is to find the most effective and cost-efficient recovery techniques.
5. Make a strategy
You're now ready to get serious about putting together your IT disaster recovery strategy. This involves collecting the information you've obtained and organizing it into a logical, linear order.
6. Provide team members with training
Once you're confident in your strategy, it's time to share it with your team.
7. Revise and update your strategy
While we all hope we'll never have to use our IT disaster recovery plan, it's a good idea to review it on a regular basis and change it if required.

Explain some of the policies and procedures that are required for business continuity
1. Reliability
Businesses should try to provide clients with high-quality goods and services. The products delivered should meet, if not exceed, customers' expectations. Quality goods and services will earn you a good reputation and help you grow your business.
2. Environment
Businesses should be dedicated to reducing their environmental impact, from simple recycling to advanced water and waste management systems. Businesses should invest in programs that help the environment.
3. Code of ethics
Employees should follow the law, act ethically, and work in the best interests of the company. A workplace code of conduct should guide employees on how to deal with a range of ethical issues, and on how to interact with one another, with customers, and with potential business partners and networks.
4. Job opportunities
It's vital to manage your staff and make sure they understand their roles in the company. Employees must be aware of how performance reviews are handled, the rehabilitation process, safe working conditions, workers' compensation, non-discrimination in the workplace, and termination terms.
5. E-mail and the Internet
Our everyday operations depend on the internet and email. Rules and procedures give employees guidance on expected conduct and appropriate use of the internet and email. It's also a good idea for businesses to have social media usage policies in place.
6. Chances for everyone
Businesses should provide equal employment opportunities. There should be no discrimination based on color, gender, race, or disability when hiring personnel. Guidelines should also cover how your company handles issues such as disability, pregnancy, or diversity in general.

Conclusion
In this exercise I covered the following topics: identifying security risks and analyzing risks; identifying assets and threats, and threat identification techniques, with examples; the processes involved in risk assessment; data protection and how an organization's data protection approach works; and more. I also went through the components of a privacy policy and the methods for creating one, and discussed business continuity, the components of a recovery plan, the phases involved in the disaster recovery process, and the rules and practices that are essential for business continuity.
