Assignment 2, Unit 5: Security (GW, 2022). Tasks covered: discuss risk assessment procedures (P5); explain data protection processes and regulations as applicable to an organization (P6); design and implement a security policy for an organization (P7); list the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8).
ASSIGNMENT 2 FRONT SHEET
Unit number and title Unit 5: Security
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student’s signature Grading grid
Table of contents
Introduction
Task 1 - Discuss risk assessment procedures (P5)
Define a security risk and how to do risk assessment
Definition of security risks
Risk assessment procedures
Define assets, threats, and threat identification procedures, and give examples
Definition of assets
Definition of threats
Threat identification process
Example of threat identification procedures
Explain the risk assessment procedure
List risk identification steps
Task 2 - Explain data protection processes and regulations as applicable to an organization (P6)
Define data protection
Explain the data protection process in an organization
Why are data protection and security regulation important?
Task 3 - Design and implement a security policy for an organization (P7)
Define a security policy and discuss it
Define security policy
Discussion on policies
Give an example for each of the policies
Give the musts and shoulds that must exist while creating a policy
Explain and write down the elements of a security policy
Discuss with explanation about business continuity
List the components of a recovery plan
Write down all the steps required in the disaster recovery process
Explain some of the policies and procedures that are required for business continuity
Conclusion
References

List of figures
Figure 1: Security risks
Figure 2: Assets
Figure 3: ISO 31000
Figure 4: Risk assessment steps
Figure 5: Data protection
Figure 6: Security policy
Figure 7: HR policy and procedure
Figure 8: AUP
Figure 9: Example incident response
Figure 10: Business continuity planning
Figure 11: Business continuity
Introduction
A trainee works as an IT Security Specialist at FPT Information Security (FIS), a top security firm in Vietnam. FIS advises on and implements technological solutions to possible IT security concerns for medium-sized businesses in Vietnam. Most clients have outsourced their security concerns due to a lack of technological expertise in-house. As part of my job, Manager Jonson asked me to create an interesting report to help teach younger staff about the tools and procedures involved in detecting and assessing security risks. To protect mission-critical data and equipment, IT security is used in combination with business policies. The report introduces and concludes the following major pieces of work: discuss procedures for risk evaluation; explain how an organization's data protection practices and rules work; create and implement an organization's security policy; and list the primary components of an organization's disaster recovery plan and explain why they are important.
Task 1 - Discuss risk assessment procedures (P5)
Define a security risk and how to do risk assessment
Definition of security risks:
A security risk is the potential for an act with bad intentions, such as crashing the system, stealing data or user information, or damaging the system of a company, business or organization, to cause loss. The threat may materialize in the near or distant future.
System security is the main way to close the vulnerabilities and potential risks of a system. Security is a difficult area for developers, especially as more and more attackers look for vulnerabilities to exploit. Non-physical issues can cause data loss, data exposure, slow connections, and other security-related problems. The main causes are network attacks with various purposes, the spread of computer viruses and spyware, unauthorized access to computers in order to reach data, and software containing other malicious code.
Figure 1: Security risks
These non-physical risks are always difficult problems and can only be solved by system security methods.
Risk assessment procedures:
The term "risk assessment" refers to a broad process or strategy for identifying potentially damaging hazards and risk factors, analyzing and evaluating the risk that comes with them, and identifying acceptable methods for removing the hazard or controlling the risk if it cannot be removed.
A risk assessment is a comprehensive evaluation that identifies items, events, procedures, and other factors that might cause harm. Once these have been identified, the likelihood and severity of the harm are estimated, and only then are the steps needed to eliminate or control the harm selected.
There are 4 steps in the security risk assessment process:
Step 1: Identify hazards and potentially harmful factors
First, determine how hazards could affect the system. Administrators can perform system surveys to find threats. If hazards are not clearly identified, they cannot be controlled.
Consider all possible parts of the risk, especially the user database, because it is often the target of attackers.
Find the spots identified by surveyors; these are often the vulnerabilities that are difficult for administrators to detect.
Identify the potential consequences if a hazard occurs. Learn from the vulnerabilities and security attacks that have happened before; this helps administrators identify potential threats that are difficult to detect.
Step 2: Identify affected audience
Once the hazards have been identified, the panel should also clearly define who is affected and how. Some groups of objects, such as databases and servers, will be affected first. The next thing is to determine how big or small the effect is.
Determine whether the security risk affects hardware or other components, so that the best solution can be found.
Determine who the affected users are; usually customers and visitors are affected. Establish which customer activities the risk can affect and whether they could lose data.
In addition, any long-term hazards that may arise in the future must also be identified.
Step 3: Identify, investigate, provide a solution to that risk
Once hazards have been identified, the evaluator must devise measures to remedy them and must ensure good practice. The evaluator can review the risk controls that the organization has previously put in place and see whether they can be improved to address the hazards. To do this, the evaluator should consider:
- Can we completely eliminate the danger?
- If it cannot be eliminated, how can we control the risk so that the hazard is unlikely to occur?
When implementing risk controls, administrators can follow these steps in order:
- Use a less risky method; substitute the risky element.
- Avoid approaching hazards.
- Organize work in a way that reduces exposure to hazards, applying safety methods and features.
- Provide policies and guidelines for users to avoid security risks.
Step 4: Record and evaluate
Record and present what the evaluator finds. This record must be easy to understand, so that it is accessible to administrators and programmers.
Arrangements should be made to monitor the risk controls. System tests should be performed daily, weekly or monthly as a mandatory check.
The organization should conduct regular risk identification to detect hazards in a timely manner. The organization should also conduct an overall review once a year to check that the assessments are still valid and that security standards are still improving, or at least not falling behind.
In addition, record and evaluate potential vulnerabilities that could become risks and that arise during the remediation process, so that they can be addressed in the next security assessment.
Define assets, threats, and threat identification procedures, and give examples
Definition of assets
Identifying the assets that must be safeguarded is a crucial step in determining what should be protected.
After taking an inventory of the assets, it is critical to assess the value of each item.
Figure 2: Assets
An asset inventory helps an organization compile a list of its assets with specific information about each one. Some organizations assign each asset a numerical value. Assets may be physical or non-physical: money, machinery and other tangible items are physical assets, while information such as a user database is a non-physical asset.
Asset inventory management is a method of tracking and analyzing an organization's assets, covering matters such as physical location, maintenance requirements, depreciation, performance, and eventual disposal.
Definition of threats
A threat is any circumstance, event or action that could exploit a vulnerability and cause harm to an asset. This is distinct from a threat actor, who is an individual or a group capable of carrying out a threat action, such as exploiting a vulnerability to do harm.
Threat identification process
Threat sources fall into three kinds: an adversary, whether a network attack tool or a physical opponent; structural failures in the resources the organization relies on (for example hardware, software and test environments); and natural and man-made disasters, accidents and other situations beyond the organization's control.
Step 1: Identify potential dangers
Threats are divided into two categories: man-made and natural. Threats can also be grouped by the area they affect, such as auditing, configuration management, and data protection in storage and transmission.
Step 2: Create a threat profile
Catalog each threat in a profile that contains more specific information, such as the type of threat discovered, its likelihood of occurrence, any linked data, and its effects.
Step 3: Look for security flaws
Countermeasures can be used to close a security weakness. Threat analysis prioritizes protection in the order people, vital facilities, then critical infrastructure. After assigning risk ratings to threats in step 2, threats can be ranked from highest to lowest risk and mitigation measures prioritized accordingly. Once a potential effect has been identified, the following approaches for handling the risk are available:
- Accept: determine whether the impact is tolerable and, if so, accept it.
- Remove: components that introduce the vulnerability should be removed.
- Mitigate: lower the likelihood or the severity of a negative outcome.
Step 4: Record the results
The last step is to record the scenarios. The most alarming and most likely risks are reflected in the emergency management design scenarios. Initial warning, community impact forecast, probable points of failure, damage response, finite resources, and possible repercussions are all included in the scenarios. Every potential situation is included.
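The four steps above are normally kept as a risk register. The following Python script is an added example and is not code from the original report or from FIS: it holds the threat profile from step 2, ranks threats by likelihood times impact and assigns one of the three treatments listed in step 3, then renders the record that step 4 asks for. The threat entries, the 1 to 5 likelihood and impact scales and the treatment thresholds are assumptions chosen for illustration; an organization would set its own.

```python
"""Risk register for the four-step threat identification process.

Added example, not part of the original report. The threat list, the
1..5 likelihood/impact scales and the treatment thresholds are assumptions
chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One entry in the threat profile (step 2): what it is, how likely, how bad."""
    name: str
    category: str                 # "man-made" or "natural"
    asset: str                    # asset from the inventory that the threat targets
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (catastrophic)
    controls: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Qualitative risk matrix: likelihood x impact, range 1..25
        return self.likelihood * self.impact


def treatment(score: int) -> str:
    """Map a risk score to one of the three handling approaches in step 3.
    Thresholds (assumed): <= 4 accept, 5..14 mitigate, >= 15 remove."""
    if score <= 4:
        return "accept"
    if score < 15:
        return "mitigate"
    return "remove"


def validate(t: Threat) -> None:
    """Reject profiles with values outside the agreed scales or categories."""
    if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
        raise ValueError(f"{t.name}: likelihood and impact must be 1..5")
    if t.category not in ("man-made", "natural"):
        raise ValueError(f"{t.name}: category must be man-made or natural")


def rank(threats: list[Threat]) -> list[tuple[str, int, str]]:
    """Step 3: order threats from highest to lowest risk and assign a treatment.
    Ties are broken by name so the output is deterministic."""
    for t in threats:
        validate(t)
    ordered = sorted(threats, key=lambda t: (-t.score, t.name))
    return [(t.name, t.score, treatment(t.score)) for t in ordered]


# Constructed sample register for the FIS scenario (not real data).
SAMPLE_THREATS = [
    Threat("SQL injection against customer DB", "man-made", "user database", 4, 5,
           ["input validation", "parameterised queries"]),
    Threat("Ransomware via phishing", "man-made", "file server", 3, 5,
           ["email filtering", "offline backups"]),
    Threat("Data centre flooding", "natural", "server room", 2, 4,
           ["off-site backup"]),
    Threat("Laptop theft", "man-made", "staff laptops", 2, 2,
           ["full-disk encryption"]),
]


def report(threats: list[Threat]) -> str:
    """Step 4: render the ranked register as a plain-text record for administrators."""
    lines = [f"{'Threat':36} {'Score':>5}  Treatment"]
    for name, score, action in rank(threats):
        lines.append(f"{name:36} {score:>5}  {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_THREATS))
```

Run the script to print the register; the highest-scoring entries land at the top, and the treatment column tells the reviewer which of the step 3 approaches applies to each one. Re-running it after the annual review with updated likelihood and impact values shows whether the earlier ratings are still valid.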
Example of threat identification procedures
Figure 3: ISO 31000
Risk management process according to ISO 31000. The risk management process at <a company> follows the ISO 31000 stages: establish the context; identify, analyse and evaluate risks; treat the risks; and, throughout, communicate and consult with stakeholders and monitor and review risks and remedies.
Trang 12Explain the risk assessment procedure
A risk assessment is an analysis of a specific activity performed at work that may present a hazard to others. The goal is to understand the possible dangers before mapping and implementing controls for them, so that reasonable precautions can be taken to avoid harm. A risk assessment therefore helps you understand and prepare for such events.
List risk identification steps
In more detail, the risk identification process can be broken down into five steps.
Figure 4: Risk assessment steps
Task 2 - Explain data protection processes and regulations as applicable to an organization (P6)
Define data protection
Data protection concerns the interaction between the collection and distribution of data and technology, the public perception and expectation of privacy, and the political and legal frameworks around that data. Its goal is to achieve a balance between individual privacy rights and the ability to use data for commercial purposes. Data protection is also referred to as data privacy and overlaps with information security.
Figure 5: Data protection
Explain the data protection process in an organization
Data protection rules and processes should be adjusted to your company's specific needs. You will need to establish rules and processes for staff data, for example, but it is pointless to describe what you will do with consumer data until you actually gather it.
Personal data held by the company must be:
- collected and handled fairly and lawfully;
- obtained for a specified and lawful purpose, and not used in any way that is incompatible with that purpose;
- adequate, relevant and not excessive for those purposes;
- accurate and up to date;
- kept no longer than is necessary for that purpose;
- processed in accordance with the data subject's rights;
- protected against unauthorized access, loss or destruction;
- transferred to a country outside the European Economic Area only if that country ensures a comparable level of data protection.
Trang 14Why are data protection and security regulation important?
You must have a formal policy and procedures in place to ensure that you meet the requirements set by the different countries you operate in. Data security and privacy regulations are very important for every business and website; today they can decide the survival of a company. For example, Yahoo exposed the data of more than one billion users and declined from a large company as a result. Large companies usually follow a defined privacy policy to protect user data as well as possible.
When user data is exploited by attackers, the consequences are extremely serious. For example, stolen bank data can lead to very large losses, up to millions of dollars. In another case, a leaked phone number led to customers being harassed by strangers. Therefore, data security and secure processes are really important for every individual and business.
Task 3 - Design and implement a security policy for an organization (P7)
Define a security policy and discuss it
Define security policy:
A security policy is a written document that defines how to defend an organization against dangers, such as computer security threats, as well as how to address issues when they arise.
Figure 6: Security policy
All company assets, as well as any possible dangers to those assets, should be listed in the security policy. The security policy should be communicated to all workers, and the policies themselves must be kept up to date as circumstances change.
HR should have procedures in place for as many scenarios as feasible, because without them there would be no precedent or starting point if a situation arose.
When it comes to systematizing HR policies, clarity is crucial. Everything should be clear; this is especially important in the event of a hiring committee, as corporate rules will be evaluated. A consistent policy also makes it clear where liability lies within the corporation.
Figure 7: HR policy and procedure
An incident response policy is a plan outlining an organization's response to an information security incident.
The policy response to an incident is as follows: