ASSIGNMENT 2
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Table of Contents
Chapter 1: Discuss risk assessment procedures (P5)
  Define a security risk and how to do risk assessment
  Risk assessment
  Assets, Threats & Threat Identification Procedure
    1 Assets
      An asset is any information, device, or other component of a company's systems that is valuable, primarily because it houses or allows access to sensitive information
      The most common type of company asset is information assets. Databases and physical files are both types of files
      Examples of items containing sensitive data that you preserve
    2 Threats
    3 Threat Identification Procedure
      Example of threats identification procedures
Chapter 2: Explain data protection processes and regulations as applicable to an organization (P6)
  1 Definition of Data Protection
  2 Explain data protection process in an organization
  3 The importance of data protection and security regulation
Chapter 3: Design and implement a security policy for an organization (P7)
  1 Introduction to Security Policy
  2 Give an example for each of the policies
  3 Give the must and should that must exist while creating a policy
  4 Security Elements
  5 The steps to design a policy
Chapter 4: List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8)
  4 Policies and procedures required for Business Continuity
Table of Figures:
Figure 1: Risk assessment
Figure 2: Assets
Figure 3: Cyber security threats
Figure 4: What is data protection?
Figure 5: Business continuity planning (BCP)
Figure 6: Disaster recovery process
Chapter 1: Discuss risk assessment procedures (P5)
Define a security risk and how to do risk assessment:
Risk: the likelihood that threats and vulnerabilities connected to the use and operation of information systems, as well as the settings in which those systems operate, will have a negative impact on an organization and its stakeholders.
Risk assessment:
Risk assessment is the process of identifying flaws that could jeopardize a company's ability to conduct business. The tools, methods, and controls used in these evaluations aim to characterize these inherent business risks and mitigate their negative consequences for the organization.
Figure 1: Risk assessment
Typically, the risk assessment process consists of multiple steps. First, possible sources of injury or damage should be identified. This can encompass both physical risks like theft or sabotage and cyber dangers like hacking or viruses. Second, determine who or what might be affected by these dangers and how they might be harmed. Employees, clients, financial assets, or sensitive data could all be included. Third, identify any existing controls or measures in place to prevent or minimize these dangers. Finally, the effectiveness of these controls should be evaluated, and any further measures that may be required should be identified.
The identification of threats and vulnerabilities, as well as the matching of threats to vulnerabilities, is a required activity in risk assessment. This is commonly referred to as threat-vulnerability (T-V) pairing. The T-V pairings can then be used as a baseline to identify risk prior to implementing security controls. This baseline can then be compared to continuing risk assessments to determine the success of risk management. This stage of risk assessment is known as determining an organization's inherent risk profile. After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies. For example, vulnerabilities that are found to correspond with multiple threats can receive higher ratings. In addition, T-V pairs that map to the greatest institutional impact will also receive higher weightings.
Assets, Threats & Threat Identification Procedure
1 Assets
Examples of items containing sensitive data that you preserve:
For example, an employee's desktop computer, laptop, or business phone, as well as the apps on those devices, are regarded as assets. The assets also include infrastructure components such as servers and support systems.
Figure 2: Assets
2 Threats
- Natural threats, such as floods, hurricanes, or tornadoes.
- Unintentional threats, like an employee mistakenly accessing the wrong information.
- Intentional threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee.
Figure 3: Cyber security threats
3 Threat Identification Procedure:
The threat detection approach assesses IT flaws and determines if they have the ability to compromise your system. It is a key component of the organization's risk management program. Threat identification enables the firm to take preventative action: you get the information you require to prevent device breaches and prohibit unauthorized users.
Each environment for an IT system is distinct. All organizations with public-facing online portals will face a shared set of dangers, some of which will overlap. Some vulnerabilities may only apply to your company. Threat identification should include the following tasks:
- Analyzing and recognizing the unique threat portfolio specific to your company and its services.
- Effectively prioritizing the assessment of device vulnerabilities.
- Determining how these vulnerabilities can be exploited by a particular threat actor or behavior.
- Providing a summary of results with accurate details that will help your organization take preventive risk management action.
Example of threats identification procedures:
Once you have recognized the risks that might potentially endanger your business and calculated the potential damage from an occurrence, you are equipped to make choices about how to secure it. When doing a risk assessment, a user may uncover a sizable number of potential hazards that might harm the business.
For instance, a server may be affected by a number of threats, including fire, vibrations, viruses, hackers, and others. Installing security software (such as firewalls and antivirus programs) and making the space earthquake- and fire-proof are both feasible ways to safeguard the server. However, the price of doing so will soon surpass the asset's worth. It would be better to install a firewall and anti-virus software, back up your data, and take the chance that other threats won't materialize. As a general rule, decide which risks are acceptable.
You must choose the most affordable ways to defend yourself after estimating the potential loss a danger might cause. To accomplish this, you must decide which dangers will be handled and how. Based on the risk information you've gathered, management will need to decide how to go forward. Typically, this entails coming up with strategies to defend the asset from dangers. To secure the asset, this can entail putting rules and procedures into place, deploying security software, or adding further security measures.
According to ISO 31000, the risk management process includes:
- Establishing the context for the objectives and actions of the program.
- Identifying the risks (including the likelihood and consequences associated with each risk).
- Prioritizing and evaluating the risks.
- Treating the risks, which includes a cost-benefit analysis of potential treatments, as well as ongoing monitoring and assessment of risks and countermeasures.
Risk identification is a critical process in risk management that involves identifying and documenting potential risks to a project, organization, or system. Here are some common steps in the risk identification process:
Risk Statement: The first step is to create a brief and concise description of the risk, known as the risk statement. This statement should clearly define the potential risk and its impact on the project, organization, or system.
Basic Identification: In this step, you list all the relevant facts about the risk. Examples of these facts include what could cause the risk to occur, who might be affected, and what the consequences would be if the risk were to happen.
Detailed Identification: This step involves identifying and documenting the root causes, events, conditions, and contributing factors that may lead to the risk. This can be done by analyzing the basic identification information to identify all possible scenarios that could lead to the risk.
Risk Assessment: After identifying the risks, the next step is to assess the likelihood and impact of each risk. This involves analyzing the probability of the risk occurring and the impact it would have if it were to happen.
Risk Prioritization: Prioritizing risks is an essential step in the risk identification process. It involves ranking the risks based on their likelihood and impact, and then focusing on the risks with the highest priority first.
Risk Register: The final step is to document all identified risks in a risk register. The register should include all relevant information about each risk, including the risk statement, basic and detailed identification, likelihood, impact, and risk priority.
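As an added, constructed example (not part of the assignment), the following Python ties together the T-V pairing and weighting described earlier in this chapter, the server cost-benefit scenario, and the risk register steps above: every asset, threat, likelihood rating, control cost and probability mapping is an assumption made for illustration.

```python
# Added example, not from the assignment: every asset, threat, rating, cost and
# probability below is a constructed assumption used to illustrate the method.

# T-V pairs for one server: (threat, vulnerability, likelihood 1-5, impact 1-5).
# No controls are applied yet, so this is the inherent-risk baseline.
SERVER_PAIRS = [
    ("fire", "no fire suppression", 1, 5),
    ("earthquake", "rack not anchored", 1, 4),
    ("virus", "no antivirus on host", 4, 3),
    ("virus", "no perimeter firewall", 3, 3),
    ("hacker", "no perimeter firewall", 3, 4),
    ("hacker", "unpatched remote service", 4, 4),
]
# Assumed annual cost of the control that closes each vulnerability.
CONTROL_COST = {
    "no fire suppression": 30000, "rack not anchored": 2000,
    "no antivirus on host": 500, "no perimeter firewall": 1500,
    "unpatched remote service": 800,
}
# Assumed annual probability behind each likelihood rating.
LIKELIHOOD_PROB = {1: 0.02, 2: 0.1, 3: 0.3, 4: 0.6, 5: 0.9}

def build_register(pairs):
    """Risk register: score = likelihood x impact, multiplied by the number of
    distinct threats sharing the vulnerability, so a vulnerability that pairs
    with several threats is rated higher. Sorted highest priority first."""
    threats_per_vuln = {}
    for threat, vuln, _, _ in pairs:
        threats_per_vuln.setdefault(vuln, set()).add(threat)
    register = [{"threat": t, "vulnerability": v, "likelihood": lk, "impact": im,
                 "score": lk * im * len(threats_per_vuln[v])}
                for t, v, lk, im in pairs]
    return sorted(register, key=lambda r: r["score"], reverse=True)

def treatment_plan(register, asset_value, costs, prob=LIKELIHOOD_PROB):
    """Cost-benefit step: sum the expected annual loss of every pair a control
    would close; treat when the control costs less than that loss and less
    than the asset itself, otherwise accept the risk."""
    expected_loss = {}
    for r in register:
        loss = asset_value * (r["impact"] / 5) * prob[r["likelihood"]]
        expected_loss[r["vulnerability"]] = expected_loss.get(r["vulnerability"], 0) + loss
    return {vuln: "treat" if costs[vuln] < loss and costs[vuln] < asset_value else "accept"
            for vuln, loss in expected_loss.items()}

if __name__ == "__main__":
    reg = build_register(SERVER_PAIRS)
    for r in reg:
        print(f"{r['score']:>3}  {r['threat']:<10} {r['vulnerability']}")
    print(treatment_plan(reg, asset_value=20000, costs=CONTROL_COST))
```

With the constructed figures, the plan treats the firewall, antivirus and patching gaps and accepts the fire and earthquake risks, matching the server scenario's conclusion that fire-proofing the room would cost more than the asset is worth.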
Chapter 2: Explain data protection processes and regulations as applicable to an organization (P6)
1 Definition of Data Protection
Data protection is the process of protecting data and includes the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. It seeks to achieve a balance between individual privacy rights and the usage of data for business purposes.
Figure 4: What is data protection?
2 Explain data protection process in an organization
> Data Protection Process
A data protection policy is a sort of security strategy that tries to design, implement, guide, monitor, and manage data security for a company.
Its primary goal is to secure and preserve logical data that an organization stores, consumes, and manages. This data can be stored within the organization's core infrastructure, at an offsite location, or in the cloud.
The basic purpose of a data protection policy, regardless of where the data is physically or conceptually located, is to ensure the security and integrity of data when it is in motion and at rest. The data protection policy's goal is to ensure security at all data storage and consumption locations.
A thorough data protection policy contains the following elements:
- Scope of data protection
- Data protection method/policy at the granular level, i.e., individual, department, device and/or IT environment
- Legal requirements for data protection
- Roles and responsibilities of the data custodian or staff that will ensure data protection
> Principles of Data Protection
- Fair and lawful: Organizations must be open and honest about the reasons for and purposes for which they intend to use the personal data they collect. They should only utilize personal information for the stated purpose. This means that a company should not use the information to market to its clients on behalf of other companies unless the client has consented.
- Specific for its purpose: Organizations must be transparent about the reasons for their collection of personal data and the purposes for which they plan to utilize it. They may only use a person's personal information for the purposes they previously stated they would. This makes sure that a business can't use the information to market to its customers about other companies unless the individual has given permission for it.
- Be adequate and only for what is required: Your client database should only contain information that is required for the reason for which it is being saved. Avoid gathering more information than is essential for your customers. The best technique is to "minimize," or measure the specifics required to achieve your goals.
- Accuracy and timeliness: Reasonable steps must be taken to keep data current and to correct it when necessary. When the customer updates the information on file, the business must refrain from contacting the person using the previously provided information. Furthermore, businesses should not always wait for individuals to contact them in order to update their data, but should instead be proactive in ensuring that they have accurate information on the person.
- Retention: Organizations are expected to review how long personal data will be kept on file on a regular basis. It is easier to handle the data and provide personal information to consumers who want it if the data is kept only for the requisite amount of time. It is critical to properly remove or destroy obsolete or no longer required data.
- Take into account people's rights: People have the right to access their personal information, limit its use if it causes them harm, prevent it from being used for targeted advertising, correct inaccurate information, and seek compensation for data breaches that cause them harm. In certain instances, customers may be allowed to request that sensitive data be removed or destroyed. Only information relevant to the customer can be requested. The organization must decide if the information provided by a client is critical to the individual making the request.
- Security: To keep sensitive information safe and secure, as well as to avoid being exposed to unnecessary security dangers, a proper physical and technical protection plan must be created. It is critical that the company's employees receive cyber security and data protection training. Furthermore, the information security plan should be central to the core of your organization and the customer data that you keep.
- International transfers: Transferring data to nations without the same degree of data protection is not advisable.
3 The importance of data protection and security regulation
General Data Protection Regulation
The General Data Protection Regulation (GDPR) harmonizes data protection regulations in the EU so that they are appropriate for the digital age. By adopting a single rule, the EU claims that it will bring greater clarity to support the rights of citizens and the development of the digital economy.
The GDPR is perhaps the strongest set of data security rules in the world, since it improves how people can access information about them and places limitations on what businesses can do with that data.
Importance of Data Protection & Regulation
Given the growth of user-generated data and the exponential industrial value of data, government agencies must take the appropriate actions to protect their citizens' data rights. Data protection rules maintain the security of people's personal information and govern how it is collected, used, transferred, and disclosed. Furthermore, they impose transparency requirements on firms that process personal data, enable access to such data, and provide remedies for unlawful or harmful processing.
The purpose of personal data protection is to preserve an individual's fundamental rights and liberties as well as their personal information. By protecting personal data, it is possible to ensure that human rights and freedoms are not compromised. For example, incorrect management of personal data may result in a person being passed over for a job opportunity or, worse, losing their current job. Situations might get even more difficult if the rules for the security of personal data are not followed.
Data protection regulations are required to ensure honest and consumer-friendly services and trade. Personal data protection legislation creates scenarios in which, for example, personal information cannot be sold openly, guaranteeing that individuals have more control over who offers it and what types of deals come from it.