Data Protection Regulations and Risk Assessment: A Comprehensive Guide - Prof. Pham, Study notes of Compilers

An in-depth understanding of data protection processes and regulations, focusing on risk assessments. It covers the definition of data protection, the importance of data protection regulations, and the steps involved in risk assessment. The document also discusses the concept of data protection in relation to an organization's availability and management of data.

Typology: Study notes

2019/2020

Uploaded on 10/01/2021

nam-nguyen-15 🇻🇳

Partial preview of the text

University of Greenwich - BTEC

I. Risk Assessment Procedures (P5):

1. Definition of risk and risk assessment:

a) Security risk

Security risk encompasses the consequences that could arise from the threats to, and weaknesses of, information systems and the environments in which those systems operate, for an organization and its stakeholders. In terms of the types of effect a security-related event may have, security risk overlaps with many other types of risk: strategic, budgetary, program management, investment, political, legal, supply chain and compliance risk all feed into it. Financial loss, loss of privacy, reputational damage, legal consequences and even loss of life are examples of the impact a security risk can have.

b) Risk assessment

A Security Risk Assessment (SRA) identifies the risks in your organization, its technology and its processes, and verifies that the controls in place actually address the identified threats. Compliance regimes commonly require one: PCI DSS for organizations that store, process or transmit payment card data, SOC 2 audits of service organizations under the AICPA's framework, and, to name a few more, ISO 27001, HITRUST CSF and HIPAA. Because of this, security risk assessments go by several names: risk assessment, IT infrastructure risk assessment, security risk audit or security audit.

A security assessor carries out the SRA to locate areas of risk across all aspects of the business processes. These may be as basic as a device protected by a weak password, or more complex problems such as insecure business processes.
The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

Figure 1: What is risk? Risk = Asset x Vulnerability x Threat; the degree of security control determines the likelihood of a cyber security attack.

c) How does risk assessment work?

The depth of a risk assessment is influenced by factors such as the organization's scale, growth rate, capital and asset portfolio. When facing budget or time constraints, organizations may carry out a generalized assessment. A generalized assessment, however, does not usually include a comprehensive mapping of assets, related hazards, identified risks, impacts and mitigating controls. A more in-depth assessment is required if the generalized results do not provide an adequate correlation between these areas.

Figure 2: IT risk assessment

d) Steps to risk assessment:

There are 5 steps to risk assessment; the details of each step are given in section 3 below, before the risk identification steps.

1st step: Identify hazards (anything that may cause harm)
2nd step: Decide who might be harmed and how
3rd step: Assess the risks and take action
4th step: Record the findings
5th step: Review the risk assessment

2. Asset and threat identification procedures:

Figure 3: Asset and threat identification

2.1. Asset and threat:

a) Definition of asset:

An asset is any data, system or other component of the environment that supports information-related activities in information protection, computer security and network security. Hardware (e.g. servers and switches), software (e.g.
mission critical applications and support systems) and sensitive information are usually included in

Determined who would be affected
Controlled and dealt with obvious hazards
Initiated precautions to keep risks low
Kept your staff involved in the process

5th step: Review the assessment and update it if necessary

Your workplace is always changing, so the threats to your organization change too. New equipment, procedures and people each bring the risk of a new hazard. To keep on top of these new risks, continually evaluate and update the risk assessment.

4. Risk identification steps:

There are five core steps within the risk identification and management process: risk identification, risk analysis, risk evaluation, risk treatment and risk monitoring.

1st step: Risk identification

The goal of risk identification is to expose what, where, when, why and how something could affect the organization's ability to operate. A business in central California, for example, may list wildfire as an event that could interrupt business operations.

2nd step: Risk analysis

This step determines the likelihood of each risk event occurring and its likely outcome. Using the California wildfire example, risk managers may look at how much rainfall has occurred in the last 12 months and at the degree of harm the organization would face if a fire occurred.

3rd step: Risk evaluation

Risk evaluation compares and ranks the severity of each risk according to its likelihood and consequences. For example, the impact of a possible wildfire can be weighed against the impact of a possible mudslide; whichever event is judged more likely to occur and to cause greater harm ranks higher.

4th step: Risk treatment

Risk treatment is also referred to as risk response planning.
Risk reduction techniques, preventive measures and contingency plans are built in this step based on the assessed importance of each risk. Using the wildfire example, risk managers can opt to house additional network servers offsite so that business operations can continue if an onsite server is destroyed. Evacuation plans for staff can also be created.

5th step: Risk monitoring

Risk management is a continuous process that adapts and changes over time. Repeating the steps and continually tracking the results helps to ensure the best possible coverage of known and unknown threats.

II. Data protection processes and regulations as applicable to an organization (P6):

1. Definition of data protection:

a) Definition:

Data protection is the process of safeguarding important information from corruption, compromise or loss. As the volume of data generated and processed continues to expand at an exponential rate, the importance of data protection increases.

Figure 4: Data protection

b) How does it work:

The Data Protection Act was designed to protect individuals and to set down rules for how data about them may be used. The Act of 1998 covers information about living persons held on a computer or in a structured paper filing system. (The 1998 Act has since been superseded by the Data Protection Act 2018, which sits alongside the UK GDPR.) It is enforced by the Information Commissioner, who is responsible for ensuring that the rules are followed.

2. Data protection processes with relation to the organization:

Data protection law grants individuals (known as 'data subjects') certain rights over their personal data while imposing certain responsibilities on the organizations that process it. As a recruiting enterprise, the organization gathers and processes both personal data and sensitive personal data.
Data protection in relation to the availability and management of data: Data availability ensures that users have the information they need to conduct business even if data is corrupted or lost. Data management has also come to include seeking ways to unlock business value from otherwise dormant copies of data, for reporting, testing, development, analytics and other purposes. The data protection process establishes and retains a full copy of the protected data and periodically creates recovery points from modified copies. The full copy serves as a complete backup; the recovery points allow you to restore earlier versions of the protected data.

Encryption: High-risk data is the prime candidate for encryption at every stage of its life: in transit while it is collected (TLS and similar online cryptographic protocols), in use while it is processed (memory encryption), and at rest in storage (typically AES, with RSA used only to exchange or wrap the AES keys). Well-encrypted information stays protected even when a breach occurs: without the key, the data is useless to the attacker. For that reason, encryption is expressly named in the GDPR as a data protection measure, and its proper use counts in your favour with regulators. For example, if a breach involves data that was encrypted and the key was not compromised, the GDPR does not require you to communicate the breach to the affected individuals (Article 34(3)(a)); notifying the supervisory authority is still required unless the breach is unlikely to result in a risk to individuals (Article 33). You should consider encryption your #1 data protection technique for this reason alone.

Pseudonymisation: Another approach advocated in the GDPR is pseudonymisation, which improves the protection and privacy of individuals' data. It suits larger data sets and consists of separating identifying information from the rest of the data: for instance, you replace people's names with randomly generated strings and keep the mapping between the two elsewhere. It then becomes difficult to connect an individual's identity with the data they provided.
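As an added example (not from the notes), the following Python code pseudonymises a constructed set of HR records in the way just described. It uses a keyed hash (HMAC-SHA256) rather than a random string or a plain hash, so that the same person gets the same pseudonym across records (which keeps the data useful for analysis) while nobody without the key can recompute a pseudonym from a guessed name. The key and the lookup table are the "additional information" that must be held separately from the pseudonymised data; the record contents, field names and key handling are assumptions made for the example.

```python
"""Pseudonymise a constructed set of HR records (added example, not from the notes)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records for hypothetical people. The third row is the
# first person again, with the e-mail in a different case.
RECORDS: List[Dict[str, object]] = [
    {"name": "Alice Nguyen", "email": "alice@example.com", "dept": "Sales", "salary": 52000},
    {"name": "Bob Tran", "email": "bob@example.com", "dept": "IT", "salary": 61000},
    {"name": "Alice Nguyen", "email": "ALICE@example.com", "dept": "Sales", "salary": 54000},
]

# Fields that directly identify a person; they must not appear in the output.
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Map an identifier to a pseudonym with HMAC-SHA256.

    A keyed hash is used instead of plain SHA-256: with a plain hash, anyone
    holding the data set can hash every name they can guess and match the
    digests. Without the key the pseudonym cannot be recomputed.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).digest()
    return "P-" + digest[:8].hex()  # 64 bits: no collisions at this scale


def pseudonymise(records: List[Dict[str, object]], key: bytes) -> Tuple[List[Dict[str, object]], Dict[str, Dict[str, object]]]:
    """Return (pseudonymised records, lookup table).

    The lookup table (pseudonym -> direct identifiers) and the key are kept
    separately from the returned records, under access control.
    """
    output: List[Dict[str, object]] = []
    lookup: Dict[str, Dict[str, object]] = {}
    for rec in records:
        # Canonicalise so "alice@example.com" and "ALICE@example.com" are one person.
        ident = "|".join(str(rec[field]).strip().lower() for field in DIRECT_IDENTIFIERS)
        pseudonym = make_pseudonym(ident, key)
        lookup[pseudonym] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        row: Dict[str, object] = {"subject": pseudonym}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        output.append(row)
    return output, lookup


def reidentify(pseudonym: str, lookup: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Authorised re-identification: only possible with the separately held table."""
    return lookup[pseudonym]


def contains_direct_identifiers(records: List[Dict[str, object]]) -> bool:
    """Check that no direct identifier survived in a pseudonymised data set."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # Generate the key once and store it in a secrets manager, never beside the data.
    key = secrets.token_bytes(32)
    data, table = pseudonymise(RECORDS, key)
    for row in data:
        print(row)
    print("re-identified:", reidentify(data[0]["subject"], table))
```

Destroying the key and the lookup table turns the pseudonymised set into effectively anonymous data, which is why both must be protected as carefully as the original identifiers while they exist.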
You are still left with very useful information, but it no longer includes directly identifying personal data. Because individuals cannot be identified directly from pseudonymised data, handling a breach or loss is much easier and the risk to individuals is significantly reduced. The GDPR acknowledges this: the lower risk feeds directly into the assessment of whether a breach must be notified and communicated. Note that pseudonymised data is still personal data under the GDPR for as long as the key or lookup table exists, so it must still be protected. Pseudonymisation is also a must when conducting scientific or statistical analysis, so universities and schools should be well versed in pseudonymising their data properly.

Access controls: A very successful risk mitigation approach is applying access controls to your business processes. The fewer people who have access to data, the lower the chance of (inadvertent) loss or misuse of information. Only trustworthy workers who have a legitimate reason to use sensitive data should have access to it. Hold regular training courses and refreshers on proper data handling, particularly after recruiting new employees. Draft a straightforward and concise data protection policy with the support of the data protection officer, detailing the processes, duties and obligations of each worker (or group of employees).

Destruction: There will come a time when it is appropriate to destroy data you hold. At first glance, data destruction may not seem like a form of security, but it is: it protects the data against unauthorized recovery and access. Under the GDPR you must delete personal data you no longer need, and more thorough methods of destruction are required for confidential data. Hard disks are most commonly destroyed by degaussing, while paper records, CDs and tapes are shredded into tiny pieces. For confidential data, on-site destruction is recommended.
Encrypted data can be destroyed simply by deleting the decryption keys (crypto-shredding); the ciphertext then remains unreadable for at least the next several decades, by which time it would probably be irrelevant anyway.

III. Design and implement a security policy for an organization (P7):

1. Definition and discussion of security policy:

a) Definition:

A security policy is a definition of what it means for a system, organization or other entity to be secure. For an organization, it addresses the constraints on the behaviour of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries, including programs, and access to data by people.

Figure 6: IT security policy

b) Discussion:

We live in a world where computers are globally connected and accessible, which makes digitized information extremely vulnerable to fraud, exploitation and destruction. Security violations are inevitable, so crucial decisions and defensive actions must be swift and accurate. A security policy sets out what needs to be done to secure the information stored on computers. A well-written policy gives a sufficient description of "what" to do so that the "how" can be defined and measured. Without a security policy, a company is left open to the world. Remember that a risk assessment must be performed first in order to establish what the policy needs to cover; in terms of information, processes, procedures and systems, this enables an organization to identify levels of sensitivity.

c) The importance:

A key step in preventing and minimizing security breaches is to establish an effective security policy and take action to ensure compliance with it.
To keep your security policy effective, update it in response to changes in your business, new threats, lessons learned from previous breaches, and other changes to your security posture. Make your information security policies realistic and enforceable. To meet requirements and emergencies that arise from various parts of the organization, the policy should have an exception process in place. If it is important to be secure, then it is important to be sure that all security measures are implemented by

7. Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process, with employees signing documentation to confirm they will do this.
8. You must immediately notify <complete as appropriate> in the event that a device containing in-scope data is lost (e.g. mobiles, laptops etc).
9. In the event that you find a system or process which you suspect is not compliant with this policy or the objective of information security, you have a duty to inform <complete as appropriate> so that they can take appropriate action.
10. If you have been assigned the ability to work remotely, you must take extra precautions to ensure that data is appropriately handled. Seek guidance from <complete as appropriate> if you are unsure of your responsibilities. Ensure that assets holding in-scope data are not left unduly exposed, for example visible on the back seat of your car.
11. Data that must be moved within <company X> is to be transferred only via business-provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email etc). <Company X> will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in-scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose, you must raise this with <complete as appropriate>.
12. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from <complete as appropriate>.

b) Data leakage prevention: data in motion

Using this policy

This example policy is intended to act as a guideline for organizations looking to implement or update their DLP controls. Adapt this policy, particularly in line with requirements for usability or in accordance with the regulations or data you need to protect. This policy provides a framework for classes of data that you may wish to monitor. You should expand them to cover the sensitive assets in your business and the types of data you hold.

Background to this policy

Data leakage prevention is designed to make users aware of data they are transferring which may be sensitive or restricted in nature.

1.0 Purpose

<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputational damage and to avoid adversely impacting our customers. The protection of in-scope data is a critical business requirement, yet flexibility to access data and work effectively is also critical. It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and avoiding accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope

1. Any <Company X> device which handles customer data, sensitive data, personally identifiable information or company data. Any device which is regularly used for e-mail, web or other work-related tasks and is not specifically exempt for legitimate business or technology reasons.
2.
The <Company X> information security policy will define requirements for handling of information and user behaviour requirements. This policy augments the information security policy with technology controls.
3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements), a risk assessment must be conducted and authorized by security management. See Risk Assessment process (reference your own risk assessment process).

3.0 Policy

1. <Company X's> data leakage prevention (DLP) technology will scan for data in motion.
2. The DLP technology will identify large volumes of in-scope data (which are at high risk of being sensitive and likely to have significant impact if handled inappropriately). A large number of records is defined as <complete as appropriate> (tailor to your enterprise's stance, e.g. 1000 records). In-scope data is defined as (adjust this to reflect the data you are regulated on, or that which could be most damaging to your organization; the below is an appropriate template for many organizations):
   a. Credit card details, bank account numbers and other financial identifiers
   b. E-mail addresses, names, addresses and other combinations of personally identifiable information
   c. Documents that have been explicitly marked with the '<Company X> Confidential' string.
3. DLP will identify specific content, i.e.:
   a. Sales data, particularly forecasts, renewals lists and other customer listings
   b. Exports of personally identifiable information outside controlled systems (this is data that you are particularly concerned about losing and wish to ensure is detected by the DLP policy).
4. DLP will be configured to alert the user in the event of a suspected transmission of sensitive data, and the user will be presented with a choice to authorize or reject the transfer.
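As an added example (not part of the Sophos template or of the notes), the Python scanner below implements the detection side of policy items 2 to 4 over a few constructed outbound messages: it looks for payment card numbers (digit runs validated with the Luhn check so that order numbers and other IDs are not flagged), counts e-mail addresses against the large-volume threshold, checks for the confidentiality marker, and returns whether the agent should interrupt the user with the authorize/reject prompt. The marker string "Company X Confidential", the threshold of 1000 records and the sample messages are assumptions made for the example.

```python
"""Data-in-motion content scanner for the DLP policy above (added example)."""
import re
from typing import Dict, List

CONFIDENTIAL_MARKER = "Company X Confidential"  # assumed marker string (policy item 2c)
LARGE_VOLUME_THRESHOLD = 1000                    # records; the policy's example value (item 2)

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample messages (hypothetical; the PO number fails the Luhn check).
SAMPLE_MESSAGES: Dict[str, str] = {
    "routine": "Hi Bob, meeting moved to 3pm. Ref 1234-5678-9012-3456 is the PO number.",
    "card": "Please charge 4111 1111 1111 1111, exp 12/26. Thanks, alice@example.com",
    "export": "\n".join(f"user{i}@example.com,Customer {i}" for i in range(1200)),
    "marked": "Company X Confidential - Q3 renewals list attached.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass the Luhn check."""
    cards = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            cards.append(digits)
    return cards


def scan_for_transfer(text: str) -> Dict[str, object]:
    """Apply the section 3.0 rules to one outbound message or file body.

    Returns the findings plus the action the agent should take: "prompt_user"
    (policy item 4: let the user authorize or reject) or "allow".
    """
    emails = EMAIL_RE.findall(text)
    cards = find_card_numbers(text)
    record_count = len(emails) + len(cards)
    findings: Dict[str, object] = {
        "emails": len(emails),
        "card_numbers": len(cards),
        "marked_confidential": CONFIDENTIAL_MARKER in text,
        "large_volume": record_count >= LARGE_VOLUME_THRESHOLD,
    }
    # A handful of e-mail addresses in an outbound mail is normal business; card
    # data, the confidentiality marker or a bulk export are what the policy flags.
    reasons = [k for k in ("card_numbers", "marked_confidential", "large_volume") if findings[k]]
    findings["reasons"] = reasons
    findings["action"] = "prompt_user" if reasons else "allow"
    return findings


if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        result = scan_for_transfer(body)
        print(f"{label:8s} -> {result['action']:11s} {result['reasons']}")
```

This matches the stated purpose of the policy (awareness and accidental-loss prevention, section 1.0): pattern matching like this is trivially defeated by a malicious insider who compresses, encrypts or re-encodes the data, which is why the template says the control is not expected to catch deliberate theft.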
This allows the user to make a sensible decision to protect the data without interrupting business functions. Changes to the DLP product configuration will be handled through the <Company X> IT change process and with security management approval, to identify requirements to adjust the information security policy or employee communications.
5. DLP will log incidents centrally for review. The IT team will conduct first-level triage on events, identifying data that may be sensitive and situations where its transfer was authorized but there is a concern of inappropriate use. These events will be escalated to HR to be handled through the normal process and to protect the individual. (You will need to tailor this for your organization. It is common to defer enforcement to business owners of data rather than having IT conduct the triage.)
6. Where there is an active concern of data breach, the IT incident management process is to be used with specific notification provided to <complete as appropriate> (for example HR, Legal and Security Management).
7. Access to DLP events will be restricted to a named group of individuals to protect the privacy of employees. A DLP event does not constitute evidence that an employee has intentionally or accidentally lost data, but provides sufficient basis for investigation to ensure data has been appropriately protected.

4.0 Technical guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

1. The technology of choice is <complete as appropriate>.
2. The product will be configured to identify data in motion to browsers, IM clients, e-mail clients, mass storage devices and writable CD media.

10. (Some enterprises may have a requirement to practice a tiered approach to data security. This may involve a set of users that have particularly sensitive data and require greater security.
You can remove this if it is not a requirement of your business.) A group of sensitive data/VIP users will be identified by the restricted data policy. Users in this group will require authorization from a member of <complete as appropriate> (e.g. Senior Management or IT) for key changes or challenge-response. The help desk will not be permitted to access these systems without authorization. These systems are identified as having access to highly sensitive, restricted-use data and have a requirement for separation of duties. Where identified by the authentication and restricted data policy, a system/user will be required to use two-factor authentication in accordance with the <complete as appropriate> defined standard. The authentication will occur in the pre-boot environment.
11. Configuration changes are to be conducted through the <complete as appropriate> change control process, identifying risks and noteworthy implementation changes to security management.

4.0 Technical guidelines

Technical guidelines identify requirements for technical implementation and are typically technology specific.

1. <Complete as appropriate> is the standard product.
2. Strong, industry best practice cryptographic standards must be employed. AES-256 is an approved implementation.
3. The BIOS will be configured with a secure password (as defined by the password policy) that is stored by IT. The boot order will be fixed to the encrypted HDD. If an override is required by a user for maintenance or emergency use, the help desk can authenticate the user and then provide the BIOS password. The objective is to prevent an attacker from booting the machine from other media and attacking the system.
4. Synchronization with Windows credentials will be configured so that the pre-boot environment is matched to the user's credentials and only one logon is required.
5. A pre-boot environment will be used for authentication.
Credentials will be used to authenticate the user in compliance with the <complete as appropriate> password security policy. (Some enterprises have a requirement to use two-factor authentication, and this should be reflected here as required.)

5.0 Reporting requirements

1. A monthly report that identifies the % of encrypted systems versus assets in scope
2. A monthly report that identifies the compliance status of managed, encrypted systems
3. A monthly report that identifies the number of lost assets and validation that lost devices have been handled appropriately

REFERENCE: https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf

d) Design my own policy:

Wheelie Good Bin Cleaning Privacy Policy

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service, and tells you about your privacy rights and how the law protects you. We use your personal data to provide and improve the Service. By using the Service, you consent to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy was developed with the assistance of the Privacy Policy Generator.

Last updated: October 22, 2020

1. Interpretation and definitions:

1.1. Interpretation:

Words whose initial letter is capitalized have meanings defined under the following conditions. The following definitions have the same meaning regardless of whether they appear in singular or plural form.

1.2. Definitions:

For the purposes of this Privacy Policy:

Account: means a unique account created for You to access our Service or parts of our Service.
Company: (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Wheelie Good Bin Cleaning, Perth 6006.
Cookies: are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Country: refers to Western Australia, Australia.
Device: means any device that can access the Service such as a computer, a cellphone or a digital tablet.
Personal Data: is any information that relates to an identified or identifiable individual.
Service: refers to the Website.
Service Provider: means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
Third-party Social Media Service: refers to any website or any social network website through which a User can log in or create an account to use the Service.
Usage Data: refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website: refers to Wheelie Good Bin Cleaning, accessible from focuswa.com.au
You: means, as appropriate, the individual accessing or using the Service, or the corporation or other legal entity on behalf of which such individual accesses or uses the Service.

2. Collecting and using your personal data:

2.1. Types of data collected:

2.1.1. Personal Data:

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
Email address
First name and last name
Phone number
Usage Data

2.1.2. Usage Data:

Usage Data is collected automatically when the Service is used.
The Company may use Personal Data for the following purposes:
To provide and maintain our Service, including to monitor the usage of our Service.
To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased, or of any other contract with Us through the Service.
To contact You: to contact You by email, telephone calls, SMS or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including security updates, when necessary or reasonable for their implementation.
To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that You have already purchased or enquired about, unless You have opted not to receive such information.
To manage Your requests: to attend to and manage Your requests to Us.
For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation or a similar proceeding, in which Personal Data held by Us about users of our Service is among the assets transferred.
For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and evaluating and improving our Service, products, services, marketing and Your experience.
We may share Your personal information in the following situations:
With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, and to contact You.
For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business by another company.
With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
With other users: when You share personal information or otherwise interact in public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
With Your consent: We may disclose Your personal information for any other purpose with Your consent.

2.1.5. Retention of your personal data:

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain Your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or improve the functionality of Our Service, or We are legally obligated to retain this data for longer periods.

2.1.6. Transfer of your personal data:

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction. Your consent to this Privacy Policy, followed by Your submission of such information, represents Your agreement to that transfer. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy, and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place, including the security of Your data and other personal information.

2.2. Disclosure of your personal data:

2.2.1. Business transactions:

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

2.2.2. Law enforcement:

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

2.2.3.
Other legal requirements:

The Company may disclose your personal data in the good faith belief that such action is necessary to:
- comply with a legal obligation
- protect and defend the rights or property of the Company
- prevent or investigate possible wrongdoing in connection with the Service
- protect the personal safety of users of the Service or of the public
- protect against legal liability

2.2.4. Security of your personal data:

The security of your personal data is important to us, but remember that no method of transmission over the Internet and no method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

3. The elements of creating security policy:

A security policy can be as broad as you want it to be, covering everything from IT security to the security of related physical assets, but it must be enforceable in its full context. When designing an information security policy, the following list gives some essential considerations:

- Purpose: First, state the purpose of the policy, which may be:

Using tracking or reporting tools is a good way to classify your risks. Many vendors of firewalls and Internet security products offer evaluation periods for their products; if those products include reporting features, the evaluation period can be used to identify your risks. It is crucial, however, to make sure your employees know that, if this is something you want to try, you will be recording their activity for risk assessment purposes. If it is attempted without their knowledge, many employees will see it as a violation of their privacy.

2nd step: Learn from others

There are many kinds of security policies, so it is worth seeing what other organizations like yours are doing.
You can spend a few hours searching online, or you can purchase a book with more than 1,200 policies ready to be customized, such as Information Security Policies Made Simple by Charles Cresson Wood. Talk to the sales representatives of the various security software vendors, too; they are always happy to provide information.

3rd step: Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be required to meet certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of reducing many of the liabilities you might incur in the event of a security breach.

4th step: Level of security = level of risk

Don't be overzealous. Too much security can be as bad as too little. You might find that, aside from keeping the bad guys out, you have no problems with acceptable use because you have a mature, committed team. In that situation, the most important thing is a formal code of conduct. Excessive security can be an obstacle to smooth business operations, so make sure you don't overprotect yourself.

5th step: Include staff in policy development

Nobody wants a policy that has been dictated from above. Involve staff in the process of defining acceptable use. Keep staff informed as the rules are developed and the tools are implemented. People are far more likely to comply if they understand the need for a responsible security policy.

6th step: Train your employees

Staff training is generally overlooked or underappreciated as part of the AUP implementation process, but it is one of the most beneficial stages of the process. Not only does it help you educate staff and help them understand the policies, it also lets you explore the realistic, real-world consequences of the policy.
In a training forum, end users often ask questions or give examples, and this can be very rewarding: their questions let you explain the policy in more depth and amend it so that it is more useful.

7th step: Get it in writing

Make sure every member of your staff has read, signed and understood the policy. All new hires should sign the policy when they are brought on board and should be required to reread and reconfirm their understanding of the policy at least annually. For large organizations, use digital tools to help distribute and track document signatures electronically. Some tools also offer quizzes to assess the user's comprehension of the policy.

8th step: Set clear penalties and enforce them

Network security is no joke. Your security policy is not a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches of the security policy. Then enforce them. A security policy with haphazard enforcement is just as bad as no policy at all.

9th step: Update your staff

A security policy is a dynamic document because the network itself is always changing. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy up to date is hard enough, but keeping staff aware of any changes that might affect their day-to-day operations is even more difficult. Open communication is the key to success.

10th step: Install the tools you need

Having a policy is one thing; implementing it is another. Security products for Internet and e-mail content with customizable rule sets can ensure that your policy is adhered to, however complex it is. The investment in tools to implement your security policy is probably one of the most cost-effective investments you will ever make.

IV.
Main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8):

1. Business continuity:

a) Definition:

Business continuity is the ability of an organization to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services and to re-establish full function to the organization as quickly and smoothly as possible.

The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.

Figure 7: Business Continuity Plan

Business continuity is important for organizations of any size, but maintaining all functions for the duration of a disaster may not be practical for any but the largest enterprises. According to many experts, the first step in business continuity planning is deciding which functions are essential and allocating the available budget accordingly. Once the crucial components have been identified, administrators can put failover mechanisms in place. Technologies such as disk mirroring allow an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This allows data access to continue uninterrupted if one location is disabled, and protects against data loss.
Figure 8: Components of disaster recovery plan

5th component: A communication plan

The last thing you want to do when a disaster occurs is talk to your clients, employees or other stakeholders, but good communication is essential to showing that you are in control of the situation and that it will be resolved. Effective communication means not only communicating as quickly as possible, but understanding the required chain of communication and reporting accurate information. This is why it is important to set out a detailed communication plan that covers these elements.

Depending on the case, this plan should include contact lists of those who need to be communicated with (internally and externally), and a protocol for what information should be communicated and how it should be transmitted. The communication after a natural disaster, for example, will differ from the communication after a data breach, and your plan needs to prepare for those differences.

6th component: Schedule for testing, reviewing, improving

As industries change and grow, disaster recovery plans need to evolve with them. Unfortunately, it is not as simple as writing a DRP once and the organization being ready for anything. Your company should spend time testing or rehearsing the plan to make sure that it is useful, and reviewing it so that it remains in line with business and industry expectations. If business is booming and your workforce doubles, for example, your disaster recovery plan needs to account for the new employees and office space.
Schedule testing of your plans periodically, at least yearly, and more often depending on the pace of growth or change in your organization.

While some of the procedures you need to think about as part of your disaster recovery plan can seem like common sense, the fact is that people don't always think clearly in the midst of a disaster. Shock, stress and panic take over instead. These plans tell the company what to do in those moments to mitigate the consequences and leave you with a better outcome, whatever the circumstances. "It's better to be safe than sorry."

3. Disaster recovery process steps:

There are 8 steps to creating a useful disaster recovery process:

1st step: Set clear recovery objectives

Reducing downtime and the cost of data loss is the primary motive for implementing a successful disaster recovery plan. Set key targets with the RTO (Recovery Time Objective) and the RPO (Recovery Point Objective) so that you can create an optimal plan for data recovery. These two criteria determine how quickly the steps to recover the data must be taken. The RTO specifies the maximum downtime within which full recovery of the system should take place. The RPO sets the overall limit on tolerable data loss, measured as the period of time before the incident for which data may be lost without a disastrous business impact.

2nd step: Identify involved professionals

All the staff involved, including internal and external members, should be clearly identified. The DRP should record how and when to contact each member, and should cover their assigned duties in depth. Having a pre-approved resource budget (recovery equipment and services) also helps smooth the process and supports a successful disaster recovery strategy.

3rd step: Draft detailed documentation of the network infrastructure

A step-by-step guide to the network configuration helps with the execution of the data recovery process.
A comprehensive blueprint of the network infrastructure ensures proper reconstruction and regeneration of the entire system. Thorough documentation increases the likelihood that damaged network infrastructure can be successfully restored. It is advisable to keep the records offline as well as in a private cloud; either way, the documentation should be easy for all relevant staff to access.

4th step: Choose your data recovery techniques

There are several types of data recovery solutions, such as hard drive recovery, RAID recovery, tape recovery, optical recovery, and more. It is important to pick the right one for your company. Consider the organization's requirements (on-premise, outsourced, or cloud-based DRaaS, Disaster Recovery as a Service) when choosing one of these solutions. Every data recovery method has its own set of capabilities, which makes it expensive or puts it within your budget. A few variables affect the cost of recovery solutions: storage capacity, recovery timetable, and complexity of configuration.

5th step: Explicitly define an incident criteria checklist

Every company experiences temporary outages, but not every such event should launch a disaster recovery process. No organization will carry out a recovery plan for a temporary power outage, but if the outage is due to a natural disaster, then the incident needs to be considered. Developing an all-inclusive checklist for defining a disaster enables the recovery team to carry out the DRP as efficiently as possible.

Essential functions are those which are important for the campus community's life, health, safety and security. During an event, these functions must continue at a normal or increased pace. The life, health, safety and security functions never close and always involve people on campus.
g) Mission essential functions (MEFs):

MEFs are facilities, programs or activities which are required for the university's ongoing business and which, if they were discontinued for an extended period of time, would directly impact the development, distribution and preservation of information. The primary services, initiatives or tasks undertaken by a department are its basic departmental functions. They are a department's main operations; stopping them for a prolonged period would have a direct impact on the department's performance.

h) Recovery time objectives (RTO):

RTO is the total period of time that a particular business function or resource can be unavailable before it causes a major interruption to operations. It is often referred to as the maximum tolerable downtime.
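The RTO and RPO defined in this section are only useful if they are checked against what the backup and recovery process actually achieves. The following is an added worked example, not part of the original assignment text: it parses a backup job log, measures the data-loss window (time from the last successful backup to the incident) against the RPO, measures the downtime (time from the incident to restoration of service) against the RTO, and reports the largest gap between successful backups, which is the worst-case data loss the schedule as actually run can deliver. The log format, job names and all timestamps are constructed for illustration.

```python
"""Check a backup history and an incident timeline against RPO and RTO.

Added example; not part of the original assignment text. The backup log
format ("<ISO-8601 time> <job name> <SUCCESS|FAILED>") and all timestamps
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed backup log: two failed jobs widen the window of possible data loss.
BACKUP_LOG = """\
2024-03-01T00:00:00 nightly-full SUCCESS
2024-03-01T06:00:00 incremental SUCCESS
2024-03-01T12:00:00 incremental FAILED
2024-03-01T18:00:00 incremental SUCCESS
2024-03-02T00:00:00 nightly-full FAILED
"""

BackupRecord = Tuple[datetime, str, str]  # (completed_at, job, status)


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta  # maximum tolerable data loss, expressed as a period of time
    rto: timedelta  # maximum tolerable downtime


@dataclass(frozen=True)
class Assessment:
    last_good_backup: Optional[datetime]
    data_loss_window: Optional[timedelta]  # None if no usable backup exists
    recovery_time: timedelta
    rpo_met: bool
    rto_met: bool


def parse_backup_log(text: str) -> List[BackupRecord]:
    """Parse the constructed log format into time-ordered records."""
    records: List[BackupRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        completed_at, job, status = line.split()  # malformed lines raise ValueError
        records.append((datetime.fromisoformat(completed_at), job, status))
    return sorted(records, key=lambda r: r[0])


def last_successful_backup(records: List[BackupRecord], before: datetime) -> Optional[datetime]:
    """Most recent SUCCESS completed at or before `before`; None if there is none."""
    good = [ts for ts, _job, status in records if status == "SUCCESS" and ts <= before]
    return max(good) if good else None


def worst_case_loss(records: List[BackupRecord]) -> Optional[timedelta]:
    """Largest gap between consecutive successful backups (None if fewer than two).

    If this exceeds the RPO, an incident falling inside that gap cannot meet
    the RPO however well the recovery itself goes; the schedule, not the
    restore, is the problem.
    """
    good = sorted(ts for ts, _job, status in records if status == "SUCCESS")
    if len(good) < 2:
        return None
    return max(later - earlier for earlier, later in zip(good, good[1:]))


def assess(records: List[BackupRecord], incident_at: datetime,
           service_restored_at: datetime, objectives: Objectives) -> Assessment:
    """Compare what actually happened with the RPO/RTO targets.

    An incident with no prior successful backup is treated as an RPO failure.
    """
    if service_restored_at < incident_at:
        raise ValueError("service cannot be restored before the incident")
    last_good = last_successful_backup(records, incident_at)
    loss = incident_at - last_good if last_good is not None else None
    recovery = service_restored_at - incident_at
    return Assessment(
        last_good_backup=last_good,
        data_loss_window=loss,
        recovery_time=recovery,
        rpo_met=loss is not None and loss <= objectives.rpo,
        rto_met=recovery <= objectives.rto,
    )


def run_example() -> Assessment:
    """Constructed scenario: storage fails at 03:30, after the midnight full backup failed."""
    records = parse_backup_log(BACKUP_LOG)
    objectives = Objectives(rpo=timedelta(hours=6), rto=timedelta(hours=8))
    return assess(
        records,
        incident_at=datetime(2024, 3, 2, 3, 30),
        service_restored_at=datetime(2024, 3, 2, 7, 30),
        objectives=objectives,
    )


if __name__ == "__main__":
    result = run_example()
    print(f"last good backup : {result.last_good_backup}")
    print(f"data loss window : {result.data_loss_window}  RPO met: {result.rpo_met}")
    print(f"recovery time    : {result.recovery_time}  RTO met: {result.rto_met}")
    print(f"worst gap between good backups: {worst_case_loss(parse_backup_log(BACKUP_LOG))}")
```

In the constructed scenario the recovery itself is fast enough (4 hours against an 8-hour RTO), but the two failed jobs leave a 9.5-hour data-loss window against a 6-hour RPO, and the 12-hour gap between the 06:00 and 18:00 successes shows the RPO was already unachievable before the incident. That is the point of testing the plan on a schedule: failed backup jobs, not slow restores, are the usual reason an RPO is missed.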