STUDENT: HUYNH TUONG VI
CLASS: 1705101
STUDENT ID: BC00059
SUPERVISOR: NGUYEN MINH TRIET
CANTHO, April 2023
TABLE OF CONTENTS

LIST OF FIGURES
I INTRODUCTION
II IDENTIFY AND EVALUATE
1 Discuss risk assessment procedures (P5)
   c Define assets and threats
   d Threat identification procedures
   e Risk assessment procedure
2 Explain data protection processes and regulations as applicable to an organization (P6)
   a Define data protection
   b Data protection process with relations to organization
   c Why data protection and regulation are important
3 Design and implement a security policy for an organization (P7)
   a Define security policy
   b Example of a policy
   c Give the must & should that must exist while creating a policy
   d Explain and write down the elements of a security policy
   e Give the steps to design a security policy
4 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
   a Discuss with explanation about business continuity
   b List the components of a recovery plan
   c Write down all the steps required in the disaster recovery process
   d Explain some of the policies and procedures that are required for business continuity
5 Summarise the ISO 31000 risk management methodology and its application in IT security
   b Contents of ISO 31000

LIST OF FIGURES
Figure 1 Risk
Figure 4 Threats
Figure 6 List risk identification steps
Figure 8 Security policy
Figure 9 International Organization for Standardization

LIST OF TABLES
Table 1 SWOT

Performed by Student: Huynh Tuong Vi
I INTRODUCTION
In the previous article, we discussed six basic components that must be maintained in computer security. This article extends that work with eight further components: the risk assessment process; data protection procedures and regulations applicable to an organization; a security policy for an organization; the key components of an organization's disaster recovery plan; a summary of the ISO 31000 risk management methodology; the possible impact of IT security audits on organizational security; the role of organizational stakeholders in implementing security audit recommendations; and how IT security can be tailored to the organization's policy, detailing the security impact.
II Identify and Evaluate
1 Discuss risk assessment procedures (P5)
Risk assessment is the process of determining the likelihood and impact of potential risks that may affect the achievement of objectives. It helps identify potential threats, analyze their probability and impact, and determine ways to manage them effectively.

The key objectives of risk assessment:

- Identify potential risks: identify risks that can hinder objectives and have adverse effects, from both internal and external factors.
- Analyze likelihood and impact: determine the probability of each risk occurring and estimate its potential impact on objectives. Likelihood evaluates how probable a risk is to occur; impact evaluates the severity of the damage.
- Prioritize important risks: from the analysis, identify the high-priority risks that need to be addressed urgently, i.e. those with both high likelihood and high impact. Low-priority risks can be noted and monitored.
- Develop risk response plans: formulate responses such as risk avoidance, mitigation, transfer or acceptance for the high-priority risks. A risk response plan aims to reduce the likelihood or the impact of the risk.
- Monitor and review risks: periodically monitor and review risks and their response plans, so that newly emerging risks are identified early and important risks stay managed. New controls may be needed as the risk profile changes.
c Define assets and threats
Define assets: An asset is any valuable resource, tangible or intangible, that is possessed by an individual, a business, or a government with the expectation that it will generate benefit. In accounting, assets are defined as probable future economic gains obtained or controlled by a particular company as a result of past transactions or events.
* Vehicles (such as company trucks)
be liquidated within one fiscal year or one operating cycle
Define threats: Threats are potential events that could cause harm or damage to a person, organization or system. They come in many forms: physical threats, cyber threats, financial threats, environmental threats, and more.

A hypothetical example of a threat is a cyber attack on a company's database that results in the loss or theft of confidential information, such as customer records or financial data. This can lead to financial loss, a damaged reputation, and even legal action.

Figure 4 Threats
Another example is a physical threat, such as a natural disaster (an earthquake or a hurricane) that damages property and endangers human life. Such a threat can be mitigated with appropriate safety protocols, such as an evacuation plan or disaster-ready infrastructure.
Examples of threats:

- A malicious user reads the files of other users.
- An attacker redirects queries made to a web server to their own web server.
- An attacker modifies the database.
- A remote attacker runs commands on the server.
d Threat identification procedures

Step 1: Conduct a risk assessment. A risk assessment involves identifying potential threats, determining the likelihood of each threat occurring, and assessing the potential impact of each threat on the organization. This helps prioritize which threats to focus on.

Step 2: Analyze recent security incidents. Analyzing recent security incidents within the organization or the wider industry helps identify patterns and areas of vulnerability that need to be addressed.

Step 3: Monitor external sources. Monitoring external sources such as social media, news outlets, and industry publications provides insight into emerging threats and trends that may pose a risk to the organization.

Step 4: Consider insider threats. Insider threats can be just as damaging as external threats, so the potential for malicious or unintentional actions by employees or other insiders must be considered.

Step 5: Conduct penetration testing. Penetration testing simulates an attack on the organization's security controls to identify vulnerabilities and weaknesses. It helps identify potential threats and produces recommendations for improving security.

Step 6: Regularly review security policies and procedures. Regular review keeps policies and procedures up to date and effective in addressing potential threats.
Examples of cyber threats:

- Denial of service (DoS) attacks: interrupt or suspend the services of a host connected to the network. The attacker floods the target with excessive traffic until the server can no longer respond.
- Distributed denial of service (DDoS) attacks: similar to DoS, but the traffic comes from many compromised systems (a botnet); the combined traffic overwhelms the target's bandwidth or capacity.
- Man-in-the-middle attacks: the attacker secretly relays, and possibly alters, the communications between two parties who believe they are communicating directly with each other.
- SQL injection: malicious SQL supplied through website input fields reaches the database query unchanged, letting attackers read or modify sensitive data or, in some configurations, take control of the database server.
- Zero-day exploits: exploits for vulnerabilities that are unknown to the developers, so no patch is available. Attackers use them to compromise systems, and they are often traded on underground markets.
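The SQL injection entry above is the one threat in this list that is easiest to show concretely. The following is an added example (not code from the original report): a login check that concatenates user input into the SQL text, beside the parameterised version that closes the hole. It uses an in-memory SQLite database with a single constructed user row, so it runs offline; the plaintext password column is only there to keep the demo short.

```python
"""SQL injection: a string-built login query beside its parameterised fix.

This is an added example, not code from the original report. It uses an
in-memory SQLite database with one constructed user row so it runs offline;
the plaintext password column exists only to keep the demo short (real
systems store password hashes, never plaintext).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a single constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates user input into the SQL text, so the input is parsed as SQL."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds user input as parameters; the driver never treats it as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run the same inputs through both versions and return the outcomes."""
    conn = make_db()
    # Comment payload: the trailing `--` discards the rest of the WHERE clause,
    # so the password is never checked.
    bypass_user = "alice' --"
    # Tautology payload: turns the clause into `... AND password = '' OR '1'='1'`.
    bypass_pw = "' OR '1'='1"
    return {
        "vuln_comment_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "vuln_tautology_bypass": login_vulnerable(conn, "nobody", bypass_pw),
        "safe_comment_bypass": login_safe(conn, bypass_user, "wrong"),
        "safe_tautology_bypass": login_safe(conn, "nobody", bypass_pw),
        "safe_real_credentials": login_safe(conn, "alice", "s3cret-pw"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Both payloads log in through `login_vulnerable` without knowing the password; `login_safe` rejects them because the bound values are compared as data, not parsed as SQL. Parameterised queries are the fix; input filtering alone is not, since the database grammar, not the application, decides what a quote or a comment marker means.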
List risk identification steps

Risk identification is a vital step in the risk management process: it identifies the potential risks and hazards that an organization may face. The step-by-step procedure for identifying potential risks includes:

- Assess risk factors: have the impact of every factor relevant to the activity, process or situation assessed for each identified hazard.

Figure 6 List risk identification steps
e Risk assessment procedure

A risk assessment procedure involves identifying, analyzing, and evaluating the risks that could affect an organization's objectives, so that they are managed in a systematic and structured manner.

Risk identification

This step identifies the potential risks that could impact the organization, from internal factors (systems, processes, resources, people) as well as external factors (economic conditions, technology changes, competitors). Techniques such as brainstorming, checklist analysis, surveys and audit findings can be used to identify risks.

Risk analysis

Risk analysis determines the likelihood and impact of the identified risks: it estimates the probability of occurrence and the potential damage each risk could cause. Quantitative, qualitative, or semi-quantitative approaches can be used. Impact may be expressed as financial loss, reputation damage, legal/regulatory penalties, and so on; likelihood as high, medium, or low.

Risk evaluation

Risk evaluation compares the analysed risks against the organization's risk appetite and risk tolerance to decide which risks need treatment and in what order. Risks beyond the risk appetite must be mitigated as a priority; risks within the appetite can be accepted, or further mitigated where a cost-benefit analysis justifies it. This step decides whether each risk is accepted, mitigated, avoided, or transferred.

Risk treatment

Risk treatment develops and implements plans to reduce the likelihood or impact of high-priority risks, by avoiding, transferring, accepting, or mitigating them. Selecting the wrong treatment can itself create new risks, so treatments must be continuously monitored and reviewed. Risk management is an ongoing process.
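To make the four steps above, and the objectives listed earlier under "The key objectives of risk assessment", concrete, here is an added example (not from the original report) that scores a small risk register as likelihood x impact, ranks it, and maps each entry onto accept / mitigate / avoid / transfer against a stated risk appetite. The 1-5 scales, the priority bands, the appetite threshold, the treatment rule and the register entries are all constructed assumptions; an organisation substitutes its own.

```python
"""Qualitative risk assessment: score, prioritise and choose a treatment.

Added example, not from the original report. The 1-5 likelihood and impact
scales, the priority bands, the risk appetite threshold and the treatment
rule are all constructed assumptions; an organisation substitutes its own.
"""
from dataclasses import dataclass

RISK_APPETITE = 4  # assumed: scores at or below this are accepted as-is


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = severe

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs instead of silently producing a score.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact (range 1..25)."""
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        """Assumed bands: high >= 15, medium >= 5, low otherwise."""
        if self.score >= 15:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"


def treatment(risk: Risk) -> str:
    """Assumed decision rule mapping a risk onto the four treatment options."""
    if risk.score <= RISK_APPETITE:
        return "accept"          # within appetite: note it and monitor
    if risk.likelihood == 5 and risk.impact == 5:
        return "avoid"           # stop the activity or retire the asset
    if risk.impact == 5 and risk.likelihood <= 2:
        return "transfer"        # rare but severe: insure or outsource
    return "mitigate"            # otherwise reduce likelihood or impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe outcomes lead."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def treatment_plan(register: list[Risk]) -> list[dict]:
    """The register in priority order with score, band and chosen treatment."""
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "priority": r.priority, "treatment": treatment(r)}
        for r in prioritise(register)
    ]


# Constructed sample register (assets, threats and ratings are invented).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via web app", 4, 5),
    Risk("office building", "earthquake", 1, 5),
    Risk("laptop fleet", "device theft", 3, 3),
    Risk("intranet wiki", "defacement", 2, 1),
    Risk("legacy file server", "ransomware via unpatched software", 5, 5),
]


if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['priority']:<6} {row['treatment']:<8} "
              f"{row['asset']}: {row['threat']}")
```

The register comes out with the unpatched file server first (25, avoid: retire it), the customer database next (20, mitigate), the laptop fleet (9, mitigate, which is where a full disk encryption policy comes from), the earthquake (5, transfer via insurance because it is severe but rare), and the wiki defacement (2, accepted and monitored). The scoring is deliberately simple; what matters is that the appetite threshold and the treatment rule are written down and applied the same way to every entry.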
2 Explain data protection processes and regulations as applicable to an organization (P6)
a Define data protection
b Data protection process with relations to organization
Data protection means using procedures and technology to safeguard data and keep it available in all circumstances. Storage technologies such as disk, tape, and cloud backup secure data by safely storing copies that can be used in the event of data loss or interruption. Beyond standard backup, software techniques such as cloning, mirroring, replication, snapshots and changed-block tracking provide an additional layer of protection. Technological improvements have made continuous data protection, which backs up data whenever a change is made and allows near-instantaneous recovery, normal practice. Cloud backup is also becoming more common as organisations shift backup data to public clouds or to clouds managed by third-party service providers; these backups can replace on-site disk and tape libraries, or provide additional protected copies of data in the event of a disaster.

CIA

The Confidentiality, Integrity, and Availability (CIA) triad is a model created to guide information security policy inside an organisation. To avoid confusion with the Central Intelligence Agency, the model is also known as the AIC triad (availability, integrity, and confidentiality). Although the three parts of the CIA triad are among the most fundamental and critical cybersecurity requirements, some experts feel the triad needs to be extended to remain effective.
c Why data protection and regulation are important

Protect data from cyber attacks: cyber attacks on organizations large and small are being recorded with increasing frequency. They can cause data loss, theft of sensitive information, or complete destruction of an organization's data. Data protection helps an organization withstand these threats.

Ensure customer privacy: one of the most important reasons to protect data is to ensure customer privacy. If customer data is exposed, sensitive information such as bank account numbers or personal details can be misused.

Compliance with regulations and laws: many regulations and laws require organizations to protect customer information and data. Complying with them avoids significant fines and other legal consequences.

Ensure business performance: data loss or missing data can affect an organization's business performance. Data protection ensures that an organization's data and systems stay secure and operate stably.
3 Design and implement a security policy for an organization (P7)
a Define security policy
Figure 8 Security policy (source: www.educba.com)
A security policy (also known as an information security policy or IT security policy) is a document that sets out an organization's rules, expectations, and overall approach to maintaining the confidentiality, integrity, and availability of its data. Security policies range from high-level documents that state an enterprise's overall security aims and principles to documents that address specific concerns such as remote access or Wi-Fi use.

A successful security policy should be aligned with the company's aims and objectives, address new and emerging threats, and ensure legal and regulatory compliance. It should also set out how security incidents such as data breaches or data loss are handled, by establishing the protocols to follow and the steps to take to protect the organisation and its customers.
b Example of a policy: full disk encryption

Purpose

Restricted, confidential, or sensitive material must be safeguarded against loss by the Company in order to preserve its reputation and protect its clients. This policy supports a set of international regulations (complete as appropriate) that demand the protection of a wide range of data by restricting access to data stored on specific devices. Under various regulatory requirements and industry best practices, full disk encryption is required to avoid exposure in the event of asset loss. As a control, this policy provides the processes and standards for full disk encryption.
Scope

All "Company Z" desktop and laptop workstations (depending on the type of data held and the physical security in place, some organizations narrow this to laptops only).

All virtual machines owned by Company Z.

Exemptions: if a business unit needs to be exempted from this policy (because of cost, complexity, or a negative impact on other business requirements), a risk assessment must be performed and agreed by security management. Refer to the Risk Assessment procedure (or your own risk assessment procedure).

Policy

Full disk encryption will be enabled on all in-scope devices. The Acceptable Use Policy (AUP) and security awareness training will require users to report suspected violations of this policy in line with the AUP.

In line with the AUP and security awareness training, users must report any lost or stolen device. Compliance with the encryption policy must be validated and managed: machines must report to the central management infrastructure so that audit records can be used to demonstrate compliance as needed.

Where monitoring is not possible and standalone encryption is configured (after acceptance by a risk assessment), the device user must provide IT with a copy of the active encryption key.

In the event of a failure, forgotten credentials, or other business-blocking requirements, the help desk is permitted to issue an out-of-band challenge/response to restore system access. The challenge/response is provided only if the identity of the user can be established using the challenge and response attributes stated in the password policy.
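The policy requires that compliance be validated and that machines report audit records to central management. As an added example (not part of the original policy text), here is the kind of check a Linux endpoint agent could run to produce that record: it walks the block device tree as printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and flags every mounted filesystem that does not sit on a dm-crypt (LUKS) layer. The two lsblk outputs embedded below are constructed, the host names are invented, and the /boot and /boot/efi exemptions are an assumption that must match what the risk assessment actually accepted.

```python
"""Full-disk-encryption compliance check from `lsblk --json` output.

Added example, not part of the original policy text. It walks the block
device tree as printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and
reports every mounted filesystem that does not sit on a dm-crypt (LUKS)
layer, producing the audit record a central management system would store.
The two lsblk outputs below are constructed, and the /boot and /boot/efi
exemptions are an assumption to be confirmed by the risk assessment.
"""
import json
from typing import Iterator

EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi"}  # assumed: bootloader partitions


def _mounted(node: dict, encrypted: bool) -> Iterator[tuple[str, str, bool]]:
    """Yield (device, mountpoint, encrypted) for each mounted filesystem.

    A filesystem counts as encrypted when the device it lives on, or any
    ancestor in the tree, is a dm-crypt mapping (lsblk type "crypt"). This
    covers LVM-on-LUKS too, since the LVM volumes are children of the crypt.
    """
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield node["name"], mountpoint, encrypted
    for child in node.get("children", []):
        yield from _mounted(child, encrypted)


def fde_audit(lsblk_json: str, host: str) -> dict:
    """Return an audit record: compliant flag plus the unencrypted mounts."""
    tree = json.loads(lsblk_json)
    findings = []
    for disk in tree["blockdevices"]:
        for name, mountpoint, encrypted in _mounted(disk, False):
            if mountpoint in EXEMPT_MOUNTPOINTS:
                continue
            if not encrypted:
                findings.append({"device": name, "mountpoint": mountpoint})
    return {"host": host, "compliant": not findings, "unencrypted": findings}


# Constructed lsblk output: LUKS root with LVM on top, plain EFI partition.
COMPLIANT_HOST = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
     "children": [
         {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
          "mountpoint": "/boot/efi"},
         {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
          "mountpoint": None, "children": [
              {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member",
               "mountpoint": None, "children": [
                   {"name": "vg0-root", "type": "lvm", "fstype": "ext4",
                    "mountpoint": "/"},
                   {"name": "vg0-swap", "type": "lvm", "fstype": "swap",
                    "mountpoint": "[SWAP]"}]}]}]}]})

# Constructed lsblk output: root and swap directly on plain partitions.
NONCOMPLIANT_HOST = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
     "children": [
         {"name": "sda1", "type": "part", "fstype": "ext4",
          "mountpoint": "/boot"},
         {"name": "sda2", "type": "part", "fstype": "ext4",
          "mountpoint": "/"},
         {"name": "sda3", "type": "part", "fstype": "swap",
          "mountpoint": "[SWAP]"}]}]})


if __name__ == "__main__":
    for host, output in (("laptop-01", COMPLIANT_HOST),
                         ("laptop-02", NONCOMPLIANT_HOST)):
        print(json.dumps(fde_audit(output, host)))
```

The first host passes because the root and swap volumes inherit encryption from the `cryptroot` mapping beneath them; the second host fails on both `/` and swap. Swap is deliberately not exempted: an unencrypted swap partition can hold page-outs of memory, including keys, so it defeats the purpose of encrypting the root volume. Anything in `EXEMPT_MOUNTPOINTS` should correspond to an accepted exemption under the risk assessment clause of the policy, not to a local convenience.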