ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Bui Quang Minh
Student ID
GCD210325
Class
GCD1104
Assessor name
Tran Thanh Truc
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P5
P6
P7
P8
M3
M4
M5
D2
D3
Summative Feedback:
Grade:
Lecturer Signature:
Resubmission Feedback:
Assessor Signature:
Date:
Contents
Task 1 - Discussing risk assessment procedures (P5) .... 4
I. Security Risk .... 4
II. Assets, threats and threat identification procedures .... 5
2.1 Assets .... 5
2.2 Threats .... 5
2.3 Vulnerability .... 5
2.4 Threat identification procedures .... 6
III. Risk assessment procedure .... 7
IV. Risk identification steps .... 9
Task 2 - Explaining data protection processes and regulations as applicable to an organisation (P6) .... 11
I. Data protection .... 11
II. Data protection process in an organization .... 12
III. Importance of data protection and security regulation .... 13
Task 2.1 - Summarising the ISO 31000 risk management methodology and its application in IT security (M3) .... 14
I. ISO 31000 management methodology definition .... 14
II. Its applications in IT security .... 15
III. Practical examples for above applications .... 16
Task 2.2 - Discussing possible impacts to organisational security resulting from an IT security audit (M4) .... 18
I. IT security audit definition .... 18
II. Possible impacts to organizational security .... 18
III. Practical examples .... 20
Task 2.2.1 - Considering how IT security can be aligned with organisational policy, detailing the security impact of any misalignment (D2) .... 21
I. Organizational policy and its purposes .... 21
II. Impacts of an organizational policy on IT security .... 22
III. Practical examples .... 23
Task 3 - Designing and implementing a security policy for an organisation (P7) .... 24
I. Security policy .... 24
II. Most important elements when creating a policy .... 25
III. Elements of a security policy .... 25
IV. Steps to design a policy .... 26
1.1 Requirement .... 26
1.2 Idea concept .... 26
1.3 System model .... 27
1.4 Implementation .... 27
Task 4 - Listing the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8) .... 30
I. Business continuity .... 30
II. Components of recovery plan .... 30
III. Steps required in disaster recovery process .... 32
IV. Policies and procedures required for business continuity .... 33
Task 4.1 - Discussing the roles of stakeholders in the organisation to implement security audit recommendations (M5) .... 35
I. Stakeholders definition .... 35
II. Stakeholders’ roles in an organization .... 36
III. Security audit definition and why needs it .... 36
IV. Security audit implementation to stakeholders in an organization .... 38
Task 4.1.1 - Evaluating the suitability of the tools used in an organisational policy (D3) .... 40
I. Organizational policy definition .... 40
II. Tools are used in organizational policy .... 41
III. Evaluating the suitability of tools in organizational policy .... 44
REFERENCE LIST .... 46
Task 1 - Discussing risk assessment procedures (P5)
I. Security Risk
Security risk is the potential for harm when digital information is accessed, used, disclosed,
disrupted, modified or destroyed without authorisation. It can arise from many sources, such as cyber
attacks, data leaks and malicious software, that compromise the confidentiality, integrity or
availability of sensitive information.
Such risk can seriously damage a business. A data leak, for instance, can expose private and financial
data, leading to reputational damage, legal action and financial loss. Malware and other online threats
can disrupt a company's systems and networks, halting work and causing downtime, which in turn
means lost revenue, reduced productivity and dissatisfied customers.
To set up an effective risk-management plan in your organisation, you first have to work out what the
risks are. Although every risk assessment differs according to the organisation's circumstances, a few
basic steps give a sound structure:
Identify the risks: First, find out what could compromise the confidentiality, integrity or availability
of your information. Review your policies, procedures and systems to learn which assets need
protection and which problems could arise.
Analyse the risks: Next, assess how likely each risk is to occur and what its consequences would be.
Consider both the probability of the event and the severity of its outcome.
Evaluate the risks: Then compare each risk with the level of risk you are able to tolerate. This shows
which risks deserve the most attention and what should be done about them.
Treat the risks: Finally, act to reduce the likelihood or the impact of the risks by selecting suitable
controls, such as policies, procedures and working practices, that keep them within acceptable limits.
Figure 1. Security risk illustration
II. Assets, threats and threat identification procedures
2.1 Assets
An asset is any data, device or other component of an organisation’s systems that is valuable – often
because it contains sensitive data or can be used to access such information.
For example, an employee’s desktop computer, laptop or company phone would be considered an
asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and
support systems, are assets.
An organisation’s most common assets are information assets. These are things such as databases and
physical files – i.e. the sensitive data that you store.
A related concept is the ‘information asset container’, which is where that information is kept. In the
case of databases, this would be the application that was used to create the database. For physical
files, it would be the filing cabinet where the information resides.
2.2 Threats
A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline
or accessed by an unauthorised party.
Threats can be categorised as circumstances that compromise the confidentiality, integrity or
availability of an asset, and can either be intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing information,
whereas accidental threats generally involve employee error, a technical malfunction or an event that
causes physical damage, such as a fire or natural disaster.
2.3 Vulnerability
A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or
compromise an asset.
You are most likely to encounter vulnerabilities in your software, because of its complexity and the
frequency with which it is updated. These weaknesses, known as bugs, can be used by criminal
hackers to gain access to sensitive information.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical weaknesses, such
as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written
(or non-existent) processes that could lead to employees exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails;
structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors,
such as employees’ sending information to the wrong person.
2.4 Threat identification procedures
Threats come in many forms and through different channels, including:
Intentional Threats
Accidental Threats
Natural Disasters
Internal Threats
Intentional Threats
Threats are often intentional and are done through hacking from an individual or a criminal
organization. A few intentional external threats include viruses, malware, Denial of Service (DoS) and
ransomware attacks.
Accidental Threats
Threats are sometimes accidents due to some internal issue such as a computer malfunction or
employee lapse in protocol, judgment or memory.
Natural Disasters
Threats may come in the form of a natural disaster like a flood, lightning strike, earthquake, fire or
tornado. Any of these threats can slow, debilitate, restrict access to, or completely ruin your data.
Internal Threats
Finally, threats can sometimes strike your assets due to an internal employee’s intentional abuse of
rights or policies, or they may be attempting something more serious in the form of occupational
fraud.
5 Steps to Complete a Successful Threat Assessment
1. Scope Determination: Define the scope of your assessment, specifying what's included and its
level of detail. Consider sensitivity and assess potential avenues for threats.
2. Data Collection: Collaborate with your assessment team to gather necessary data, including
company policies, regulations, interview notes, and technical details like system configurations
and access permissions.
3. Vulnerability Identification: Analyze the collected data to pinpoint vulnerabilities. Conduct
penetration tests to simulate hacking scenarios and discover potential weak points.
4. Threat Analysis: Categorize identified threats based on severity and exposure levels, ranging
from minor to high. Evaluate their potential impact on the organization.
5. Risk Mitigation: Develop a strategy to address threats, including implementing new software,
enhancing security measures, refining access controls, and providing staff training to reduce
risks.
III. Risk assessment procedure
Step 1: Identify Potential Hazards
Start by recognizing the risks that could impact your employees and business. These may include
natural disasters (like floods or fires), biological hazards (such as diseases), workplace accidents,
intentional acts, technological issues, chemical exposures, mental stressors, and supply chain
disruptions. Examine all work aspects, even remote or non-routine activities, and consider past
incidents.
Step 2: Determine Affected Parties and Impact
Consider who within your organization could be harmed by these hazards and how. For each identified
hazard, assess the potential impact on individuals or groups.
Step 3: Evaluate Risks and Apply Precautions
Assess the likelihood of each hazard occurring and the severity of its consequences. Based on this
evaluation, prioritize risks and decide which ones require immediate attention. Implement measures to
lower risks where possible.
Step 4: Document Your Findings
If your office has more than five employees, you're legally obligated to create a written record of your
risk assessment. Detail the hazards, their effects, and the steps you're taking to mitigate them. Your
documentation should demonstrate that you've thoroughly checked the workspace, identified affected
parties, controlled evident dangers, taken precautions, and involved your staff.
Step 5: Regularly Review and Update
Recognize that your workplace is dynamic, introducing new equipment, processes, and personnel.
With each change, new hazards may arise. Continuously review and adjust your risk assessment to
address these evolving risks and ensure ongoing safety.
Figure 2. Risk assessment procedures
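The four-step plan in section I (identify, analyse, evaluate, treat) and the five-step procedure above both rest on the same mechanics: give each risk a likelihood and an impact, compare the product with the level of risk the organisation will tolerate, and decide whether the chosen safeguards bring it within that level. The Python program below is an added worked example for this assignment, not code from the original page or from any standard. The 1 to 5 scales, the tolerance threshold of 8, the effect attributed to each control and the sample register are all constructed assumptions; a real register would take these from the organisation's own risk criteria.

```python
"""Risk register scoring: identify, analyse, evaluate and treat.

Added worked example for this assignment, not code from the original page.
The 1-5 scales, the tolerance threshold and the sample register below are
constructed assumptions chosen to illustrate the procedure.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Step 2 (analyse): ordinal scales for likelihood and impact (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Step 3 (evaluate): the organisation's risk criterion. Any score at or
# above this is more than it is willing to tolerate (assumed value).
RISK_TOLERANCE = 8


@dataclass(frozen=True)
class Control:
    """A safeguard chosen in step 4 (treat) and the scale steps it removes."""
    name: str
    reduces: str   # "likelihood" or "impact"
    levels: int


@dataclass
class Risk:
    """One row of the register: asset, threat, vulnerability and the analysis."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any treatment: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk left after the selected controls; neither factor drops below 1."""
        like, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            if c.reduces == "likelihood":
                like = max(1, like - c.levels)
            elif c.reduces == "impact":
                imp = max(1, imp - c.levels)
            else:
                raise ValueError(f"unknown control target: {c.reduces}")
        return like * imp


def rating(score: int) -> str:
    """Map a score to the qualitative band used for prioritisation."""
    if score >= 15:
        return "high"
    if score >= RISK_TOLERANCE:
        return "medium"
    return "low"


def needs_treatment(score: int) -> bool:
    return score >= RISK_TOLERANCE


def evaluate(register: list[Risk]) -> list[dict]:
    """Prioritise the register and decide, per risk, what step 4 requires."""
    rows = []
    for r in sorted(register, key=Risk.inherent_score, reverse=True):
        inherent, residual = r.inherent_score(), r.residual_score()
        if not needs_treatment(inherent):
            decision = "accept"            # already within tolerance
        elif needs_treatment(residual):
            decision = "treat further"     # chosen controls are not enough
        else:
            decision = "treated"           # controls bring it within tolerance
        rows.append({"asset": r.asset, "threat": r.threat,
                     "inherent": inherent, "rating": rating(inherent),
                     "residual": residual, "decision": decision})
    return rows


# Step 1 (identify): a constructed sample register.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", "likely", "severe",
         [Control("monthly patching", "likelihood", 2), Control("offline backups", "impact", 2)]),
    Risk("staff laptop", "theft", "no disk encryption", "possible", "major",
         [Control("full-disk encryption", "impact", 3)]),
    Risk("public website", "denial of service", "no traffic filtering", "possible", "moderate",
         [Control("DDoS mitigation service", "likelihood", 1)]),
    Risk("server room", "flood", "located on ground floor", "unlikely", "major"),  # no control yet
    Risk("visitor wifi", "misuse", "shared password", "possible", "minor"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['asset']:<18} {row['threat']:<18} inherent={row['inherent']:>2} "
              f"({row['rating']}) residual={row['residual']:>2} -> {row['decision']}")
```

Running it prints the register in priority order. The flood risk is the instructive row: it scores 8, exactly at the tolerance, and no control has been selected, so it is reported as "treat further" rather than silently carried forward. Step 5 of the procedure corresponds to re-running this evaluation whenever the register changes.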
IV. Risk identification steps
Risk identification involves the process of recognizing possible threats to your business, ranging from
natural disasters that could harm your property to dissatisfied employees who might undermine your
systems. As a business owner, you consistently encounter risks of varying magnitudes, all with the
potential to affect your financial performance. Thus, having a structured approach to spotting these
risks is vital.
For any business, risk identification holds significant importance, particularly for small enterprises.
Small businesses are more susceptible to harm, necessitating heightened vigilance. Moreover, limited
resources mean fewer safety nets in case of emergencies. The benefits of effective risk identification
encompass:
Enhancing your understanding of potential pitfalls and preventive measures.
Enabling you to devise strategies for managing emergent risks.
Facilitating sound decision-making within your business operations.
The advantages of thorough risk identification encompass:
Recognizing potential threats to your business, both internal and external, equipping you to
anticipate and counter various challenges.
Evaluating your business's vulnerabilities, paving the way for reinforcement and defense against
potential attacks.
Augmenting decision-making prowess by comprehending the risks inherent in different
scenarios, averting costly errors.
When it comes to risk identification, a few key steps need to be followed in order to ensure that all
possible risks are considered. Let’s go over them briefly:
1. Risk Statement
The first step is making a risk statement. This is a brief, concise description of the risk that you’re
looking at.
2. Basic Identification
In this step, you will list all the relevant facts about the risk. Examples include what could happen, who
could be affected, and so on.
3. Detailed Identification
This is where you go into more detail about the risk, including what could cause it and how it could
affect people or businesses. Here, you can use various methods such as brainstorming, interviews, and
documentation.
4. External Cross-check
In the external cross-checking step, you will look for any potential risk or relevant information outside
the project. Some methods you can use are checklists and categories.
5. Internal Cross-check
This is where you look for any potential risks inside the project that may have been missed in the
previous steps. To do internal cross-checking, break down a work structure or a project document in
order to list down any potential risks.
6. Statement Finalization
The last and final step is statement finalization. This is where you put all the information together and
come up with a final statement about the risk.
Figure 3. Risk illustration
Task 2 - Explaining data protection processes and regulations as applicable to
an organisation (P6)
I. Data protection
Data protection is the process of protecting data and involves the relationship between the collection
and dissemination of data and technology, the public perception and expectation of privacy and the
political and legal underpinnings surrounding that data. It aims to strike a balance between individual
privacy rights and the legitimate use of data for business purposes.
The importance of data protection increases as the amount of data created and stored continues to
grow at unprecedented rates. There is also little tolerance for downtime that can make it impossible to
access important information.
Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly
after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key
components of data protection.
Most data protection strategies have three key focuses:
Data security – protecting data from malicious or accidental damage
Data availability – Quickly restoring data in the event of damage or loss
Access control – ensuring that data is accessible to those who actually need it, and not to
anyone else
Figure 4. Data protection illustration
II. Data protection process in an organization
Data Protection Process: 10 Key Steps
Identify Sensitive Data
Define sensitive data as information that, if exposed, could harm your organization financially,
reputationally, or operationally. Start by identifying what data falls into this category.
Understand Data Lifecycle
Comprehend the lifecycle stages of sensitive data: creation, storage, use, sharing, archiving, and
destruction. This insight guides the implementation of protective measures at each stage.
Know Applicable Regulations
Recognize the relevant data protection regulations your organization must adhere to, and understand
that exceeding these standards enhances security beyond mere compliance.
Control Access
Limit access to sensitive data to authorized personnel through authentication and authorization
methods. Assign specific roles to individuals based on their responsibilities.
Promote Security Awareness
Educate all employees about data security responsibilities, irrespective of their roles, to foster a culture
of vigilance and prevent inadvertent mishandling.
Regular Backups
Regularly back up sensitive data to secure locations to ensure data recovery in case of breaches or data
loss, minimizing financial impact.
Document Processes
Document how sensitive data is used within your organization's processes; this supports compliance
and helps pinpoint where the weakness lies if data is compromised.
Take Data Inventory
Locate sensitive data across various repositories, including physical and digital sources, and create a
comprehensive inventory.
Data Classification
Classify data based on sensitivity levels to establish access controls and protection measures tailored to
different types of data.
Implement Automation
Deploy automation tools to ensure accurate and consistent data protection processes, reducing human
errors and enhancing overall efficiency.
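The "Data Classification" and "Control Access" steps above are where a process becomes an enforceable rule: every item in the inventory carries a classification level, every role carries the highest level it may read plus a need-to-know scope, and each access decision is recorded so the audit trail shows who was refused and why. The Python program below is an added worked example for this assignment, not code from the original page. The four-level scheme (public, internal, confidential, restricted), the roles, the users and the data items are constructed assumptions; it also shows the edge case of an item that was never classified, which is denied by default rather than treated as public.

```python
"""Data classification and access control with an audit trail.

Added worked example for this assignment, not code from the original page.
The classification scheme, roles, users and data items are constructed
assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Data Classification step: ordered levels, least to most sensitive (assumed).
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}
ANY_DEPARTMENT = "*"


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str
    owner_dept: str


@dataclass(frozen=True)
class Role:
    """Control Access step: a role bundles a clearance with a need-to-know scope."""
    name: str
    clearance: str               # highest level the role may read
    departments: frozenset[str]  # whose data it may read; ANY_DEPARTMENT = all


@dataclass(frozen=True)
class User:
    username: str
    role: Role


def may_read(user: User, item: DataItem) -> tuple[bool, str]:
    """Authorise a read: deny unclassified data, then check clearance, then need-to-know."""
    if item.classification not in RANK:
        return False, "unclassified data is denied by default"
    if RANK[user.role.clearance] < RANK[item.classification]:
        return False, f"clearance '{user.role.clearance}' is below '{item.classification}'"
    if ANY_DEPARTMENT not in user.role.departments and item.owner_dept not in user.role.departments:
        return False, f"no need-to-know for {item.owner_dept} data"
    return True, "allowed"


def access(user: User, item: DataItem, audit: list[dict]) -> bool:
    """Enforce the decision and record it; denials are what a reviewer looks for."""
    allowed, reason = may_read(user, item)
    audit.append({"user": user.username, "item": item.name,
                  "allowed": allowed, "reason": reason})
    return allowed


# Constructed sample roles, users and data inventory.
HR_ANALYST = Role("hr_analyst", "confidential", frozenset({"HR"}))
SUPPORT_AGENT = Role("support_agent", "internal", frozenset({ANY_DEPARTMENT}))
DPO = Role("data_protection_officer", "restricted", frozenset({ANY_DEPARTMENT}))

USERS = {
    "alice": User("alice", HR_ANALYST),
    "bob": User("bob", SUPPORT_AGENT),
    "dana": User("dana", DPO),
}
INVENTORY = {
    "staff_payroll": DataItem("staff_payroll", "confidential", "HR"),
    "customer_tickets": DataItem("customer_tickets", "internal", "Support"),
    "board_minutes": DataItem("board_minutes", "restricted", "Exec"),
    "price_list": DataItem("price_list", "public", "Marketing"),
    "legacy_export": DataItem("legacy_export", "unknown", "Finance"),  # never classified
}


def run_demo() -> list[dict]:
    """Replay a set of access attempts and return the audit trail."""
    audit: list[dict] = []
    attempts = [("alice", "staff_payroll"), ("alice", "customer_tickets"),
                ("alice", "board_minutes"), ("bob", "customer_tickets"),
                ("bob", "staff_payroll"), ("dana", "board_minutes"),
                ("dana", "legacy_export"), ("bob", "price_list")]
    for username, item_name in attempts:
        access(USERS[username], INVENTORY[item_name], audit)
    return audit


if __name__ == "__main__":
    for rec in run_demo():
        verdict = "ALLOW" if rec["allowed"] else "DENY "
        print(f"{verdict} {rec['user']:<6} -> {rec['item']:<17} {rec['reason']}")
```

Two of the eight attempts show why both checks are needed: the HR analyst has a clearance high enough for internal data but is still refused the support tickets because they belong to another department, and the data protection officer, despite the highest clearance, is refused the legacy export because nobody has classified it. Taking the data inventory first, as the earlier step requires, is what keeps that last case from recurring.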
III. Importance of data protection and security regulation
A crucial data safeguarding model is the CIA triad, symbolizing the cornerstones of data protection:
confidentiality, integrity, and availability. This framework aids individuals and entities in fostering a
comprehensive approach to safeguarding data. The three components are characterized as:
Confidentiality: Ensuring data access is limited to authorized personnel possessing valid credentials.
Integrity: Upholding the reliability and accuracy of stored data, preventing unwarranted alterations.
Availability: Guaranteeing secure and prompt data accessibility whenever required.
Figure 5. CIA triad illustration
The significance of data protection arises from its role in thwarting fraudulent activities, cyberattacks,
phishing, and identity theft. For organizations to operate effectively, safeguarding their information via
a robust data protection strategy is imperative.
As the volume of generated and stored data expands, data protection's relevance grows. Data
breaches and cyber threats can yield catastrophic consequences. Organizations must proactively shield
their data, continually refining protective measures to counter evolving risks.
In essence, the core principle and value of data protection lie in shielding data from diverse threats and
situations.
Task 2.1 - Summarising the ISO 31000 risk management methodology and its
application in IT security (M3)
I. ISO 31000 management methodology definition
ISO 31000, established by ISO in 2009, is an international standard that offers guidance for designing,
implementing, and maintaining effective risk management practices.
Organizations of all sizes confront uncertainties—both internal and external—that can impact their
objectives. This uncertainty is termed "risk."
ISO 31000 outlines a systematic process for managing risk. It involves identifying, analyzing, and
evaluating risks to determine if they require treatment to meet established risk criteria.
Applicable to entire organizations, specific functions, projects, and activities, risk management serves
as a vital practice across different levels and areas.
ISO 31000 offers universal principles and guidance for building and improving risk management
frameworks. It's versatile for any sector, applicable throughout an organization's lifecycle, and
adaptable to diverse activities. This standard doesn't enforce uniformity; instead, it recognizes varied
organizational needs, objectives, and practices.
Figure 6. ISO 31000:2009 logo
II. Its applications in IT security
ISO 31000 aims to guide organizations in a systematic approach to managing risks through three key
steps:
Risk Identification: Identify potential risks.
Risk Probability Evaluation: Assess the likelihood of identified risks occurring.
Risk Impact Determination: Evaluate the severity of problems arising from potential events.
It's important to note that ISO 31000 doesn't aim to eliminate all risks, as complete eradication is
impractical. Instead, its purpose is to aid organizations in recognizing risks and devising strategies to
mitigate or minimize them as appropriate.
Below are ten applications of ISO 31000 in IT security:
Risk Identification: In IT security, ISO 31000 aids in systematically identifying potential threats
and vulnerabilities to digital assets, networks, and systems.
Risk Assessment: The standard assists in evaluating the likelihood and potential impact of cyber
threats, data breaches, and other security risks.
Risk Treatment: ISO 31000 helps IT security teams select and implement appropriate security
controls, policies, and procedures to mitigate identified risks effectively.
Incident Response Planning: The framework supports the development of well-structured
incident response plans, ensuring a coordinated approach to handling security breaches.
Compliance: ISO 31000 aids in meeting regulatory requirements by ensuring that IT security
measures align with data protection and privacy regulations.
Vendor Risk Management: The standard guides the assessment of third-party IT vendors'
security practices, helping organizations make informed decisions about partnerships.
Security Training: ISO 31000 principles can be applied to create IT security training programs for
employees, ensuring they understand their roles in risk management.
Continuous Improvement: IT security practices benefit from ISO 31000's principle of continuous
improvement, ensuring that protective measures evolve with changing threats.
Decision-Making: ISO 31000 provides a structured approach to evaluating IT security risks,
enhancing decision-making regarding resource allocation and mitigation strategies.
Data Protection: The standard aids in identifying, assessing, and managing risks related to data
breaches, unauthorized access, and data loss.
III. Practical examples for above applications
Risk Identification:
Example: An IT security team uses ISO 31000 to identify potential risks, such as outdated software
vulnerabilities, weak password policies, and unencrypted data storage.
Risk Assessment:
Example: A company assesses the likelihood and impact of a data breach by evaluating the probability
of unauthorized access to sensitive customer information and estimating the financial and reputational
damage that could result.
Risk Treatment:
Example: After identifying vulnerabilities in their network infrastructure, an organization implements
firewall and intrusion detection systems as part of their risk treatment strategy.
Incident Response Planning:
Example: A financial institution develops an incident response plan using ISO 31000 principles,
outlining roles and responsibilities for handling a cyberattack to minimize data loss and service
disruption.
Compliance:
Example: A healthcare organization aligns its IT security measures with ISO 31000 guidelines to ensure
compliance with regulations like HIPAA, safeguarding patient data and avoiding legal penalties.
Vendor Risk Management:
Example: Prior to partnering with a cloud service provider, a company evaluates the provider's security
practices using ISO 31000, ensuring data stored on their servers remains secure.
Security Training:
Example: An IT department develops training programs based on ISO 31000 principles to educate
employees about phishing threats, password management, and secure data handling.
Continuous Improvement:
Example: A technology company regularly updates its risk management practices based on evolving
cyber threats and technological advancements to maintain a robust IT security posture.
Decision-Making:
Example: A financial organization uses ISO 31000 to evaluate potential risks associated with adopting a
new online payment system, guiding informed decisions on resource allocation and implementation
strategies.
Data Protection:
Example: A retail company identifies the risk of customer credit card data theft and implements
encryption protocols and access controls to prevent unauthorized access.
Figure 7. ISO 31000 risk management
Task 2.2 - Discussing possible impacts to organisational security resulting
from an IT security audit (M4)
I. IT security audit definition
An IT security audit entails a thorough examination of an organization's security stance, encompassing
an analysis of its infrastructure, processes, configurations, and related aspects. Conducting security
audits is essential to determine the strength of your current safeguards in facing modern threat
scenarios.
Performing security audits aids in pinpointing vulnerabilities, adhering to pertinent compliance
regulations (such as HIPAA, GDPR, CCPA), and detecting potential repercussions arising from
organizational modifications. Additionally, security audits facilitate the evaluation of the efficacy of
your cybersecurity training initiatives.
Figure 8. IT security audit question
II. Possible impacts to organizational security
Risk Mitigation
The primary and most crucial advantage of an IT audit is the reduction of risks. A successful audit of
your organization's IT systems identifies and evaluates potential risks, offering recommendations for
actions to mitigate or address these risks effectively.
IT audits encompass a broad range of organizational risks, encompassing data security, confidentiality,
infrastructure, and operational processes. Moreover, an audit can assess the effectiveness and
reliability of your IT operations and their overall efficiency.
It's important to recognize that any IT risk inherently translates to an organizational risk. In today's
business landscape, IT plays a pivotal role, and any threat to its smooth functioning also jeopardizes
the overall efficacy of the entire enterprise.
Enhanced Controls
Conducting an IT audit empowers you to strengthen internal controls and enhance external security,
thereby fortifying your organization against both internal and external threats and vulnerabilities.
Often, IT audits utilize the COBIT framework to evaluate and enhance controls. This framework
encompasses four domains housing a total of 32 control processes effective in mitigating
organizational risks. Through this framework, the audit assesses existing controls, determining optimal
adjustments and implementations to enhance overall control within the organization.
Regulatory Compliance
Regulatory compliance, which can be complex and challenging for IT departments, becomes a vital
aspect of the IT audit process. This ensures a comprehensive understanding and adherence to the
requirements stipulated by various regulations and regulatory bodies.
Facilitated Communication
IT departments frequently encounter communication challenges with the broader organization. An IT
audit positively impacts this aspect by opening channels and fostering improved communication
between IT and other business divisions.
Auditors function as an additional communication link, furnishing management with reports on IT
functions and processes, conveying expectations and objectives from management to IT. This
bidirectional feedback not only enhances direct communication but also establishes new avenues for
interaction, ultimately facilitating more effective collaboration and communication.
Enhanced Governance
IT governance falls within the purview of executives and board members, ensuring IT aligns with an
organization's strategic direction and objectives. By pinpointing and mitigating risks, as well as
bolstering internal controls, an IT audit contributes to improved IT governance. The audit often