<span class="text_page_counter">Trang 1</span><div class="page_container" data-page="1">

<b> ASSIGNMENT 2 FRONT SHEET </b>

<b>Qualification BTEC Level 5 HND Diploma in Computing Unit number and title Unit 5: Security </b>

<b>Student Name </b> Nguyen Huu Hoang Khanh <b>Student ID </b> GCD220223

<b>Student declaration </b>

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

<b>Student’s signature Grading grid </b>

P5 P6 P7 P8 M3 M4 M5 D2 D3

</div><span class="text_page_counter">Trang 3</span><div class="page_container" data-page="3">

<b>❒ Summative Feedback: </b>❒<b>❒ Resubmission Feedback:</b>

<b>Lecturer Signature:</b>

</div><span class="text_page_counter">Trang 5</span><div class="page_container" data-page="5">

Contents

I. DISCUSS RISK ASSESSMENT PROCEDURES ... 5

1. Definition of security risk assessment ... 5

2. How to do a risk assessment: ... 6

3. Definition of asset:... 8

4. Definition of vulnerabilities: ... 8

5. What is a Threat? ... 9

6. Explain the risk assessment procedure: ... 10

7. Risk identification step: ... 12

II. EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION ... 14

1. Define data protection:... 14

2. Data protection process in “Wheelie good”: ... 14

2.1 Personal information document categories: ... 15

2.2 Conduct a risk assessment for categories of the company:... 15

2.3 Decide on risk treatment: ... 16

2.4 Implement security data for “Wheelie Good”: ... 16

2.5 Measures to protect employee data in the company: ... 16

2.6 Review security of personal data:... 17

3. Why are data protection and security regulations important? ... 17

</div><span class="text_page_counter">Trang 6</span><div class="page_container" data-page="6">

y p y g p

III. DESING AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION ... 18

1. Define a security policy: ... 18

2. The elements of information privacy policy: ... 19

</div><span class="text_page_counter">Trang 7</span><div class="page_container" data-page="7">

2.5 Policies for access control and permissions: ... 20

2.6 Security awareness sessions: ... 20

3. Give the most and that should exist creating a policy: ... 21

3.1 Identify duplicate policies: ... 21

3.2 Consider the necessity: ... 21

3.3 Use proper terminology: ... 21

3.4 Policy maintenance duty definition: ... 22

3.5 Configure the policy library: ... 22

3.6 Procedures for dealing with exceptions: ... 22

4. The step to design a policy: ... 22

4.1 Identify: ... 22

4.2 Analysis of security risks for each asset: ... 22

4.3 Security requirements analysis: ... 23

4.4 Develop a security plan:... 23

4.5 Training Employee: ... 23

4.6 Write it down:... 23

4.7 Establish and enforce the regulations: ... 23

5. Implementation of the policy: ... 23

5.1 Preparation: ... 24

5.2 Identify: ... 24

5.3 Contain: ... 25

</div><span class="text_page_counter">Trang 8</span><div class="page_container" data-page="8">

5.4 Dedicate: ... 25

5.5 Recovery: ... 25

IV. LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION ... 26

1. What is the definition of business continuity? ... 26

2. Components of recovery plan: ... 26

2.1 Scope:... 26

2.2 Organization’s responsibility: ... 27

</div><span class="text_page_counter">Trang 9</span><div class="page_container" data-page="9">

2.3 Business functions and tolerance for downtime: ... 27

2.4 Important procedures and strategies: ... 27

2.5 Communication plan:... 27

2.6 Schedule tests, reviews, and improvements: ... 27

3. Required steps in disaster recovery process: ... 28

3.1 The key activities of “Wheelie Good” project: ... 28

3.2 Assessment of disaster scenario: ... 28

3.3 Create a communication plan:... 28

3.4 Plan for data backup and restoration: ... 28

3.5 Test Plan: ... 29

4. Some of the policies and procedures that are required for business continuity: ... 29

4.1 Create a strategy and define goals: ... 29

4.2 Business Continuity Planning: ... 29

4.3 Perform a business impact analysis: ... 30

4.4 Determine crucial business area: ... 30

4.5 Plan to maintain operations: ... 30

4.6 Examine and determine ongoing program maintenance:... 31

References... 32

</div><span class="text_page_counter">Trang 11</span><div class="page_container" data-page="11">

<b>I. DISCUSS RISK ASSESSMENT PROCEDURES 1. Definition of security risk assessment </b>

Information security risk is defined as existing system flaws that can be exploited to steal sensitive data. The dangers are also substantial, with a wide range of potential occurrences wreaking havoc on a company's brand and finances.

Figure 1 Security Risk

</div><span class="text_page_counter">Trang 12</span><div class="page_container" data-page="12">

The overarching goal of such risk evaluations is to improve worker safety. New steps or stages are added to the process, current steps, tools, and equipment are modified, or new dangers develop. Auditors consider risk while developing audit processes for businesses. Here are some examples of common risk assessments: Supervisors at workplaces and schools conduct workplace risk assessments to ensure that there are no health and safety hazards. This review will also help to increase productivity and employee morale.

</div><span class="text_page_counter">Trang 13</span><div class="page_container" data-page="13">

<b>2. How to do a risk assessment: </b>

Before beginning the auditing process, we should identify the scope of the audit and the resources required to complete it. The five categories of risk assessments listed below are required to begin the risk assessment process, particularly the scope of the review.

• Qualitative Risk Assessment. • Quantitative Risk Assessment. • Generic Risk Assessment. • Site-Specific Risk Assessment. • Dynamic Risk Assessment.

We must follow a variety of steps while doing a risk assessment to completely investigate the process of threats, vulnerabilities, and potential risks that may damage the project in the future. They delivered it. A risk assessment program should contain the following stages:

<b>a) Identify: </b>

In the first phase, we determine the scope of the evaluation, as well as the urgent priorities and dangers. In the "Wheel Good" appraisal, valuable assets will include:

• Hardware, software. • Data.

• Network structure. • Privacy Policy. • Security infrastructure.

<b>b) Assess: </b>

Step one involves assessing and listing the identified risk list. Following that, we will conduct a thorough examination of the highlighted hazards. To evaluate the amount of risk, we must first determine the chance

</div><span class="text_page_counter">Trang 14</span><div class="page_container" data-page="14">

of occurrence and the potential severity of "Wheel Good" security assaults. The hazards should be evaluated using the following criteria:

• System failure: obsolete equipment, outdated technologies.

• Natural catastrophes include fires, earthquakes, floods, and other natural calamities. • Human error: inexperienced and sensitive personnel.

• Unauthorized behavior: A hacker may take a computer, erase data, or... And the risk matrix, as illustrated below, is a good tool.

</div><span class="text_page_counter">Trang 15</span><div class="page_container" data-page="15">

Figure 2 Risk Assessment Matrix

<b>c) Control: </b>

Control mechanisms will be the next stage in properly controlling dangers. To eliminate common dangers, conventional controls such as codes of practice, guidelines, and standard operating procedures can be utilized. If we are unable to eliminate regulatory or high risks, we must use a "ladder of control" and a mission analysis or statement of procedure. Employment that poses no risk. The constraints might be set in decreasing order of efficacy. A "Decentralized Control System" is what this is. Personal protection equipment, for example, is the least effective measure since it just reduces the risk, but PPE is the most

</div><span class="text_page_counter">Trang 16</span><div class="page_container" data-page="16">

effective because it eliminates the risk. Substitution and isolation, when combined with an engineer, are both equally efficient techniques. A single concern is that you will frequently need to employ numerous controls.

</div><span class="text_page_counter">Trang 17</span><div class="page_container" data-page="17">

Figure 3 Control Level

<b>d) Reassess: </b>

After the steps have been implemented, reassess the degree of risk. You may not always have complete control the first time. If the new level of risk remains too high, go back, and take further steps before reevaluating. We may pick which risk-reduction methods to employ based on the risk matrix. Finally, the threat's extent, fragility, and impacts must be appropriately depicted.

<b>3. Definition of asset: </b>

The data and critical IT-related equipment or components of an organization's systems are referred to as information assets in the IT sector. Include personal details. This information should be as accessible and

</div><span class="text_page_counter">Trang 18</span><div class="page_container" data-page="18">

usable as possible to prevent hackers and illegal information theft. For physical files, it will be the filing cabinet where the data is maintained.

<b>4. Definition of vulnerabilities: </b>

A vulnerability is a weakness in a system's code that may be easily exploited and seriously jeopardizes the integrity and availability of security. There are several techniques for exploiting vulnerabilities. The term "error" refers to what remains after these mishaps. While faults do not necessarily constitute a threat, many of them can be exploited by malicious actors, which is known as a vulnerability. Vulnerabilities can be

</div><span class="text_page_counter">Trang 19</span><div class="page_container" data-page="19">

exploited to compel software to perform activities for which it was not designed, such as gaining information on current security mechanisms.

<b>5. What is a Threat? </b>

A threat is essentially a bad action or situation that has the potential to bring harm to an organization, such as theft or illegal access. They represent a huge risk to the business, threatening security's integrity and availability. It can also be caused by active administrative errors such as staff error, a technological issue, or an assault.

Figure 4 Security Threat

The threat identification process is a continuous and continuing activity that checks for security vulnerabilities and potential system breaches throughout the life of a project. When dangers are detected, we may fix them and prevent unauthorized external access. Project activities such as programmatic and

</div><span class="text_page_counter">Trang 20</span><div class="page_container" data-page="20">

technical meetings, risk analysis, risk planning, communication, and evaluation highlight new and existing dangers in the project. Lessons from the database are also useful for identifying possible hazards. When this happens, it must be documented and analyzed in the database.

Types of security threats:

Spoofing identity ^{Using another person's password}

to gain illegal access ^{Authentication}DDoS

An attack in which a server is flooded with internet traffic to prevent people from accessing

Availability

</div><span class="text_page_counter">Trang 21</span><div class="page_container" data-page="21">

online services and websites that are linked to it.

Non-repudiation

Data tampering

Data can be edited while it is at rest or being sent across a network.

Integrity

Information disclosure

When data is at rest or being sent over a network, it can be modified.

Confidentiality

<b>6. Explain the risk assessment procedure: </b>

The risk assessment process's goal is to identify hazards and estimate the risks associated. When doing a risk assessment, it is critical to consider and be guided by objectives such as:

• Recognize potential dangers. • Risk identification and evaluation.

• Determine the best ways for removing hazards or reducing risks. • Set priorities for your resources.

Before undertaking any activity or assignment, a complete risk assessment should be performed in order to successfully eliminate, reduce, or mitigate any dangers to health, safety, and well-being. Once completed,

</div><span class="text_page_counter">Trang 22</span><div class="page_container" data-page="22">

the risk assessment should be evaluated on a regular basis, especially if the existing assessment is no longer valid or if the operation or mission has changed significantly.

In general, any potentially hazardous conditions and the appropriate safeguards for the hazard or risk. To guarantee the identification of all potential threats:

• Repair and maintenance are instances of irregular operations. • Review incident reports.

• Examine how work is organized and completed.

</div><span class="text_page_counter">Trang 23</span><div class="page_container" data-page="23">

• Consider any unusual or anticipated conditions.

• Determine if the product, machine, or equipment might be changed deliberately or inadvertently. • Consider the full lifecycle.

• Consider the danger to tourists or the public.

The following sample table may also be used to graphically show hazards.

Product Risk Assessment

Inexperienced Staff ^{There will be several}

security flaws. ^{Must Have}Inadequate Equipment

Errors or delays may occur during security patching.

Must Have

The risk is strong

Must have a larger security assessment unit handle

Must Have

</div><span class="text_page_counter">Trang 25</span><div class="page_container" data-page="25">

<b>7. Risk identification step: </b>

</div><span class="text_page_counter">Trang 26</span><div class="page_container" data-page="26">

Figure 5 Risk Identification Steps

</div><span class="text_page_counter">Trang 27</span><div class="page_container" data-page="27">

Risk identification is the process of detecting and analyzing hazards to a company's operations and staff. For example, risk identification may entail searching for potential bad events like as accidents, natural disasters, and IT security risks such as malware and ransomware. Stop operations, corporation. Firms with strong risk management practices are more likely to mitigate the impact of risks when they occur. The process of risk identification and management is divided into six major stages. The following steps were made to recognize such danger:

i. Identify the hazard:

We will thoroughly evaluate the entire website for any hazards and concerns that must be addressed. We will highlight possible hazards that the company may face, such as natural disasters, floods, or technical difficulties. We'll pay specific attention to processes or activities that might be harmful to the organization, such as objective and arbitrary work, personnel, or maintenance phases.

ii. Identification of victims and solutions:

As we look around our business, we examine how business operations or external variables may harm your personnel. Consider who would be harmed if each of the dangers you outlined in step one came true.

iii. Risk assessment and precautions:

Following the completion of the preceding procedures, we will have a list of potential hazards, their likelihood of occurrence, and the severity of the consequences if they occur. Using the risk assessment data, we may decide which degree of risk to prioritize first.

iv. Record detected risks:

Risk notes will be kept, and they should contain the termites discovered as well as the external elements that impact the risk, such as human and behavioral factors. This remark must have the following information: • Figure out who will be impacted.

</div><span class="text_page_counter">Trang 28</span><div class="page_container" data-page="28">

• Address and control evident dangers

• Precautions are being made to mitigate the risk. • Involve your staff in the process.

v. Review and update:

To eliminate needless risk, assessments will need to be evaluated numerous times by another individual, and the risks to the company will constantly need to be updated on a frequent basis.

</div><span class="text_page_counter">Trang 29</span><div class="page_container" data-page="29">

<b>II. EXPLAIN DATA PROTECTION PROCESSES AND </b>

<b>ORGANIZATION </b>

<b>1. Define data protection: </b>

The process of safeguarding information and data against loss, intrusion, or injury is known as data protection. They are legally controlled and can only be used for lawful purposes. It includes data management and data availability deployments, as well as operational data backup and business continuity/disaster recovery (BCDR). A data leak has severe consequences for the firm. Because the majority of organizations are now controlled by primary books or data privacy legislation, failure to maintain data security may result in monetary loss, a loss of consumer confidence, and legal liability. Furthermore, data protection strategies may be classified into three types (Imperva,2022):

• Data security: protect data from purposeful or unintended harm. • Data Availability: Quickly recover data in the event of damage or loss.

• Access Control: Ensure that only those who need the information have access to it.

<b>2. Data protection process in “Wheelie good”: </b>

General Data Protection Regulation GDPR was created at a period when there were many requirements –and worries about information security; equal responsibility would be assigned for data control and data processing. The GDPR will safeguard information such as online data.

</div><span class="text_page_counter">Trang 30</span><div class="page_container" data-page="30">

• Health and genetic data. • Biometric data. • Race/ethnicity. • Political perspectives. • Sexual orientation.

We will suggest the Designated Organization Management System, which meets GDPR regulations while also emphasizing the secure management of personal information within the organization.

</div><span class="text_page_counter">Trang 31</span><div class="page_container" data-page="31">

Figure 6 Data Protection Process

<b>2.1 Personal information document categories: </b>

The first stage in the data protection cycle is identifying the various kinds of personal data. We will gather lists of personal data as a software consulting firm and create a processing history or list of processing activities. We'll look at controller and CPU possibilities. If we are the controller, our software security firm will determine the purpose for data processing. Furthermore, as indirect data processors, we process the data in line with the client's request. We will have a data processing category that includes:

• Customer data

</div><span class="text_page_counter">Trang 32</span><div class="page_container" data-page="32">

• Personal information. • Company email for employees. • Potential employees.

<b>2.2 Conduct a risk assessment for categories of the company: </b>

We processed personal data that was previously included in the "Wheelie good" company. The following step would be to conduct a risk analysis for each portfolio, which may comprise processing activity records and processing activity type information. Risks to personal data will be identified as part of this risk

</div><span class="text_page_counter">Trang 33</span><div class="page_container" data-page="33">

assessment, and their level of risk will be established based on their likelihood and possible impacts on the firm.

<b>2.3 Decide on risk treatment: </b>

We will focus on dealing with high and unacceptable threats after the company's security organization "Wheelie good" has done a preliminary assessment of the hazards. The organization will implement security steps to reduce the risk to a reasonable level. In terms of GDPR, we have the following options: • Technological safeguards include data encryption, backup, and infrastructure monitoring.

• Organizational measures: Define information security management mechanisms and train personnel on them.

• Contractual measures: When utilizing other firms' services to handle data, employees are expected to regulate how other organizations deliver services or goods.

<b>2.4 Implement security data for “Wheelie Good”: </b>

We will now focus on minimizing risk by protecting personal data using a range of methods, including monitoring and measurement, as well as a specialized operational management plan. appropriate danger The following list contains examples of the major components.

Define roles and duties.

In terms of the personal data privacy policy. Handle all security events and accidents.

</div><span class="text_page_counter">Trang 34</span><div class="page_container" data-page="34">

• Contractual Measures:

Inform persons about the handling of their personal data.

Contracts with workers involving the processing of personal data should be amended. Control user permissions.

<b>2.5 Measures to protect employee data in the company: </b>

Following that, we will improve employee access to firm data. The goal is to ensure the safety of system operations. Plans for operational management will be developed on a regular basis, and implementation will be assigned. These tasks will be handled by IT system administrators. As part of the operations management process, I will implement risk control measures from the approved Risk Treatment Plan.

</div>