EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION, Essays (university) of Security Analysis


Typology: Essays (university)

2021/2022

Uploaded on 10/05/2022

le-thi-nhi


ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Le Thi Nhi
Student ID: GCD201813
Class: GCD1001
Assessor name: Tran Trong Minh

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Nhi

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:
Resubmission Feedback:
Grade:
Assessor Signature:
Date:
Lecturer Signature:

II. Define assets, threats and threat identification procedures, and give examples

1. Asset Identification

➢ Any information that is valuable and can be used to access sensitive information is referred to as an asset. Assets might be data, devices, or other system components inside an organization. An employee's desktop computer, laptop, or corporate phone, for instance, would be regarded as an asset, together with the software installed on those devices. Critical infrastructure is also an asset and includes things like servers and backup systems.

Information assets are the most prevalent assets in an organization. These include things like databases and physical files, or the sensitive data you keep on hand. A related idea is the "information asset container", which is where the information is maintained. For databases, this would be the program that was used to create the database; for physical files, it would be the filing cabinet where the information is kept. (Irwin, 2020)

Figure 1: Asset inventory and security management

2. Threat Identification

Any event that could potentially harm an asset is a threat. Threats are situations that jeopardize an asset's availability, confidentiality, or integrity and can be deliberate or accidental. Deliberate threats include, for example, insider information theft; accidental threats typically involve employee error, a technical malfunction, or an incident that causes physical harm, such as a fire or natural disaster. (Irwin, 2020)

Figure 2: Threats

➢ Threats include both those posed by attackers and those posed by acts of God, such as fire or bad weather.
➢ Threat modeling creates hypothetical dangers that assets might encounter.
➢ The purpose of threat modeling is to gain a better understanding of the attackers, their motivations, and the potential forms of attacks.
➢ The creation of an attack tree is a useful technique for threat modeling.
➢ An attack tree gives a visual representation of the possible attacks on an object.

3. Example of threat identification procedures

A server may be affected by a number of threats, including fire, vibrations, viruses, hackers, and others. Installing security software (such as firewalls and antivirus programs) and making the room earthquake- and fire-proof are both feasible ways to safeguard the server. However, the cost of doing all of this will soon surpass the asset's value. It would be wiser to install a firewall and anti-virus software, back up your data, and take the chance that the remaining threats won't materialize.

As a general rule, decide which risks are acceptable. After estimating the potential loss a threat could cause, you must choose the most affordable ways to defend against it. To accomplish this, you must decide which threats will be handled and how. Decisions will be required case by case, which entails coming up with strategies for safeguarding the asset from dangers. This can involve putting policies and procedures into place, deploying security software, or adding further security measures.
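To make the server trade-off above concrete, here is an added worked example (my own code, not part of the assignment): each threat's expected annual loss is compared with the yearly cost of the control that addresses it, and the threats are ranked by expected loss so the output doubles as a simple risk ranking. The asset value, event rates, exposure fractions and control costs are constructed sample figures, not values from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float                # annualised rate of occurrence: expected events per year
    exposure: float           # fraction of the asset's value lost per event, 0..1
    safeguard: str            # the control that addresses this threat
    safeguard_cost: float     # yearly cost of that control (constructed)
    residual_exposure: float  # fraction still lost per event with the control in place


# Constructed sample data for one server; none of these figures come from the page.
SERVER_VALUE = 20_000.0
SERVER_THREATS = [
    Threat("fire", 0.02, 1.0, "fire-proof the server room", 3_000.0, 0.1),
    Threat("malware infection", 2.0, 0.3, "firewall and anti-virus", 500.0, 0.05),
    Threat("hardware failure", 0.5, 0.8, "nightly off-site backups", 600.0, 0.1),
    Threat("earthquake", 0.01, 1.0, "seismic reinforcement", 5_000.0, 0.2),
]


def annual_loss(asset_value, threat, with_safeguard=False):
    """Annualised loss expectancy: asset value x exposure fraction x events per year."""
    exposure = threat.residual_exposure if with_safeguard else threat.exposure
    return asset_value * exposure * threat.aro


def evaluate(asset_value, threats):
    """Decide per threat: mitigate when the control saves more per year than it
    costs, otherwise accept the risk. Results are ranked by expected loss,
    highest first."""
    results = []
    for t in threats:
        before = annual_loss(asset_value, t)
        after = annual_loss(asset_value, t, with_safeguard=True)
        savings = before - after
        results.append({
            "threat": t.name,
            "ale_before": before,
            "ale_after": after,
            "safeguard": t.safeguard,
            "safeguard_cost": t.safeguard_cost,
            "decision": "mitigate" if savings > t.safeguard_cost else "accept",
        })
    return sorted(results, key=lambda r: r["ale_before"], reverse=True)


def summary(results):
    """Yearly control spend and the expected loss that remains after the decisions."""
    spend = sum(r["safeguard_cost"] for r in results if r["decision"] == "mitigate")
    residual = sum(r["ale_after"] if r["decision"] == "mitigate" else r["ale_before"]
                   for r in results)
    return {"control_spend": spend, "residual_expected_loss": residual}


if __name__ == "__main__":
    ranked = evaluate(SERVER_VALUE, SERVER_THREATS)
    for r in ranked:
        print(f"{r['threat']:<18} expected loss {r['ale_before']:>8.0f}/yr  "
              f"{r['safeguard']} costs {r['safeguard_cost']:.0f}/yr -> {r['decision']}")
    print(summary(ranked))
```

With these constructed figures the firewall, anti-virus and backups pay for themselves many times over, while fire-proofing and seismic reinforcement cost far more per year than the loss they prevent, so those two risks are accepted; that is exactly the judgement the paragraph above describes, made explicit with numbers.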
III. Explain the risk assessment procedure

Risk Assessment
▪ Identification of risks
▪ Evaluation of risks
▪ Risk impact
▪ Recommendation of risk-reducing measures

Risk Mitigation
▪ Risk avoidance
▪ Risk mitigation
▪ Risk acceptance
▪ Risk transference
▪ Evaluation of risks

Evaluation and Assurance
▪ Ongoing risk assessment
▪ Periodic evaluation
▪ Regulatory compliance

IV. List risk identification steps

The risk identification and management process consists of five fundamental components: risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

Risk Identification: Discovering what, where, when, why, and how something can impair a company's ability to operate is the goal of risk identification. A company in central California would list "the potential for wildfire" as an occurrence that could interfere with normal business operations. (Eku, 2020)

Risk Analysis: In this step, the likelihood that a risk event will occur, as well as the possible consequences of each event, are determined. Using the California wildfire example, safety managers might evaluate the amount of rain that has fallen in the last 12 months and the potential harm that a fire would cause to the company. (Eku, 2020)

Risk Evaluation: A risk evaluation assesses the severity of each risk and ranks the risks according to importance and impact. For instance, it may be necessary to compare the potential effects of a mudslide and a wildfire. Any occurrence that has a higher likelihood of occurring and inflicting harm would be ranked higher. (Eku, 2020)

Risk Treatment: Risk treatment is also called risk response planning. Based on the estimated value of each risk, this step creates risk mitigation measures, preventative treatment, and contingency preparations. Using the wildfire scenario as an example, risk managers might decide to house extra network servers offshore so that operations can continue even if an onsite server is damaged. Risk management may also create plans for employee evacuation. (Eku, 2020)

Risk Monitoring: The process of risk management is continuous and evolves over time. Repeating and monitoring the processes on a regular basis helps ensure that known and unexpected hazards are fully covered. (Eku, 2020)

For your business, data protection is something that must be done both frequently and consistently. As we apply any strategy, we will need to check the results in order to guide future upgrades of the data protection technique.

III. Why are data protection and security regulation important?

Data protection is crucial because it shields an organization's information against fraud, hacking, phishing, and identity theft. Any firm that wants to operate efficiently must create a data protection plan to ensure the security of its information. The significance of data protection grows along with the amount of data being created and stored. Cyberattacks and data breaches can have catastrophic consequences. Organizations must proactively safeguard their data and frequently upgrade their security protocols.

TASK 3 - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7)

I. Define a security policy and discuss it

Define a security policy

A security policy, also known as an information security policy or an IT security policy, is a written statement of the guidelines, standards, and general strategy that a company uses to protect the confidentiality, integrity, and availability of its data. There are many distinct types of security policies, ranging from high-level frameworks that outline an enterprise's overall security objectives and guiding principles to documents addressing more specialized issues like remote access or Wi-Fi use.
(Grimmick, 2022)

Figure 5: Security policy

Discuss it

The security policy should list the important assets in an organization that need to be safeguarded. This could encompass the company's network, physical structure, and other things. It must also describe any potential risks to those things. If the document focuses on cyber security, internal dangers could be mentioned, such as the potential for disgruntled employees to steal sensitive data or spread a virus over the company's internal network. The system could also be compromised by a hacker from outside the business, who could then alter, steal, or cause the loss of data. Finally, physical harm to computer systems is a possibility. (Techopedia, 2022)

Once the threats have been identified, it is necessary to estimate the likelihood that they will really materialize. A business must decide how to counteract those dangers. Precautions could include establishing specific personnel policies as well as robust network and physical security. A strategy must also be in place for what to do if and when a threat actually materializes. Everyone should be aware of the company's security policy, and the procedure for protecting data must be periodically reviewed and updated, including when new employees are hired. (Techopedia, 2022)

In this instance, I would like to highlight the "Wheelie Good" corporate security policy. All assets of the company and any threats to those assets shall be properly described in the "Wheelie Good" policy. The mission of "Wheelie Good" should always be known to all of its employees, as should its privacy regulations. Additionally, policies should be reviewed and changed frequently.

Step 1: Consider the risk to the "Wheelie Good" business

The best way to evaluate the "Wheelie Good" organization's risk is to employ monitoring or reporting technologies. The "Wheelie Good" organization's employees must understand that their actions will be logged for the purpose of risk assessment. Consider the following questions:
▪ Do you frequently send or receive huge files and attachments via email?
▪ Is it conceivable that bothersome attachments are circulating in loops?
▪ What are the dangers of improper use?

Step 2: The process used to create the "Wheelie Good" company's security policy

Workers must now discuss a strategy for creating security policies. It is necessary to guarantee a level of security adequate to the risk. The number of security measures implemented should be in accordance with the real threat. The policy must also adhere to all legal standards.

Step 3: The workers at the "Wheelie Good" company agree

A contentious and difficult process must be used to arrive at a final security policy. It must strike a balance between the necessity for security and the business requirements of "Wheelie Good".

Step 4: Applying the "Wheelie Good" corporate penalties

The security policies are mandated as a condition of employment rather than being merely a set of "Wheelie Good" guidelines, and employees must adhere to them. There are rules in place that spell out the repercussions for security policy transgressions; these must then be enforced.

Step 5: Implement the security policy of the "Wheelie Good" company

All employees must abide by the "Wheelie Good" company's security policy. Ensure that it is carefully followed by every employee.

Step 6: "Wheelie Good" staff training

Employees who have not received proper training may not be aware of how their activities could compromise security. Employee training is therefore necessary in order to implement the security policy at "Wheelie Good".

II. Examples of security policy

Server security policy: Establish a minimum requirement for server security configuration.

Database credential coding policy: To save and retrieve data at "Wheelie Good", a clear hierarchy based on the specified login and password is required.

Anti-virus policy: The anti-virus policy's objective is to lessen and eliminate the risk that viruses could damage the computers or networks of "Wheelie Good" departments.
Audit policy: Establish guidelines and give the "Wheelie Good" information security team the authority to carry out audits, risk analyses, and incident investigations to ensure adherence to security standards or to keep track of user activity.

Information sensitivity guidelines: Depending on the organization's level of security, establish guidelines for classifying and protecting "Wheelie Good" information.

III. Give the musts and shoulds that must exist while creating a policy for Wheelie Good

Data protection laws: Systems contain sensitive data, such as personal information, that must be protected in accordance with organizational guidelines.

Data classification: The policy should classify data to make sure that highly sensitive information is safe and that sensitive material is not accessible to unauthorized people.

Strategy: The security strategy needs to state its aims, objectives, and constraints up front.

Scope: All "Wheelie Good" employees, including senior executives, investors, connected parties, and third-party dependents, are subject to this policy.

Authority and access control policy: "Wheelie Good" senior management makes decisions regarding who may and may not access certain data. Different language in the security policy may apply to top management and subordinates. The policy should specify how much control each organizational position has over data and IT systems.

Security: When privacy policies are created, all "Wheelie Good" employees must take them seriously. Not only must these policies be implemented, but it must also be ensured that "Wheelie Good" is not jeopardized from outside.

IV. Explain and write down elements of a security policy

IT security rules

• Since the computers that individuals use for work don't have social networking functions, interacting with others is challenging. Therefore, only the communication tools provided on those computers may be used.
• Each department at "Wheelie Good" will be set up and equipped with a unique VLAN in order to stop hackers from breaking into the company.

Written policies serve as a fundamental description of what the company expects and how those expectations will be met. When creating new policies, businesses should refrain from employing language that suggests rigid constraints that must always be adhered to exactly as written. Avoid making statements that could be interpreted as a contract, and use flexible language.

Convince stakeholders

All too frequently, no one is informed prior to a policy's implementation, which undermines how it is carried out and executed. Communication with the managers and supervisors who will be in charge of executing the "Wheelie Good" policy is essential following the development of the policy (for example, through meetings, emails, and teleconferences). This communication should cover the goal of the new policy (or change), how it will affect the stakeholders' area(s), and any opinions or issues the stakeholders may have. The conversations from these meetings will help determine any adjustments that are required before legal counsel does its final policy review.

Interacting with staff

The company should, if possible, inform its staff of the circumstances behind the application of the policy. Only the information necessary for them to understand the company's stance should be provided, and communication with them should always be prompt and open. Employers can choose the best method to communicate a policy to employees based on its nature, sensitivity, and level of simplicity. Additionally, the best method of disseminating the policy must be chosen. If policies are delivered by email or company memo, these communications should be distinguished from others that staff members might otherwise ignore.
For instance, businesses may alter the importance of an email, the background and font of a memo, or the way memos are distributed, or add read receipts to emails.

Revise and update the "Wheelie Good" policy

Clear, well-written policies that are regularly reviewed can be an effective employee relations and communications strategy. They demonstrate the firm's dedication to fostering a supportive work environment. Even when they are not legally required, written policies can be used to prove nondiscriminatory employment practices and serve as the cornerstone of a strong defense against employee claims.

TASK 4 - LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8)

I. Discuss, with explanation, business continuity

Business continuity refers to the proactive planning and preparation done to guarantee that an organization will be able to carry out its essential business tasks in the event of an emergency. Events can include pandemics, corporate crises, natural catastrophes, workplace violence, or any other occurrence that prevents your organization from operating normally. It's crucial to keep in mind that you should plan and be ready both for incidents that will fully halt operations and for those that could have a negative influence on services or other functions. (Long, 2017)

Figure 6: Business Continuity

Business continuity is essential in a time when downtime is unacceptable. Thanks to the plan, the organization should be able to function at least minimally during a crisis. When an interruption occurs, business continuity enables the organization to remain resilient. Strong business continuity saves business reputation, time, and money. An extended outage increases the likelihood of suffering monetary, reputational, and individual losses. Business continuity may even be necessary for compliance or legal requirements.
It's critical to comprehend which regulations apply to a particular company, especially in a time of rising regulation.

II. List the components of a recovery plan

Documentation

The disaster recovery document should list all the critical components of your IT infrastructure, both hardware and software, a responsible team, and the series of measures that need to be taken in order to get the business running again. Documentation must be kept up to date to reflect all changes taking place in your IT infrastructure.

Scope and Dependence

Your recovery scope doesn't necessarily cover the entire IT infrastructure, as not all components are equally important to ensuring business continuity. Identify the most important virtual machines and bring them into your recovery scope to achieve a shorter Recovery Time Objective. These are the virtual machines that hold business-critical information, applications, and IT systems.

Responsible Team & Staff Training

Your disaster recovery plan should clearly identify key roles and those responsible for coordinating disaster recovery activities. Communicating the plan to all your staff and making sure everyone understands who is responsible for what eliminates the risk of confusion, redundancy, and delays in the recovery process. In the event of a disaster, your staff should know whom to contact or where to start in order to initiate the recovery process promptly.

Configure the secondary site (sub-location)

The secondary site is your guarantee that you have the hardware and software resources, as well as the tools, needed to recover. Your secondary site should have enough space, hardware, and software resources for the employees and for maintaining the workloads that are transferred to it. Pay close attention to CPU, memory, disk, network capacity, and bandwidth, because shortages of these resources can lead to insufficient virtual machine performance.
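As an added example (my own code, not part of the assignment) of the "Scope and Dependence" and secondary-site sizing points above: the script below selects the recovery scope by VM criticality tier, sums the CPU, memory, disk and bandwidth those VMs need, and checks the total against the secondary site's capacity with a headroom margin kept free so the site is not run at 100%. The VM inventory, tiers and site capacity are constructed, hypothetical values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    tier: int      # 1 = business-critical, 2 = important, 3 = can wait
    vcpu: int
    ram_gb: int
    disk_gb: int
    mbps: int      # network bandwidth the VM needs at the recovery site


@dataclass(frozen=True)
class Site:
    vcpu: int
    ram_gb: int
    disk_gb: int
    mbps: int


RESOURCES = ("vcpu", "ram_gb", "disk_gb", "mbps")

# Constructed inventory and site capacity; hypothetical names and numbers.
INVENTORY = [
    VM("erp-db", 1, 8, 32, 500, 50),
    VM("web-portal", 1, 4, 8, 100, 40),
    VM("file-server", 2, 4, 16, 2000, 30),
    VM("mail", 2, 4, 16, 400, 20),
    VM("build-server", 3, 8, 32, 800, 10),
    VM("wiki", 3, 2, 4, 50, 5),
]
SECONDARY_SITE = Site(vcpu=24, ram_gb=96, disk_gb=3000, mbps=150)


def demand(vms):
    """Total of each resource needed to run the given VMs together."""
    return {r: sum(getattr(v, r) for v in vms) for r in RESOURCES}


def plan_scope(vms, site, max_tier, headroom=0.2):
    """Put every VM of tier <= max_tier in the recovery scope and compare its
    demand with the site's capacity less a headroom margin (kept free so the
    site is not driven to 100%, where VM performance degrades)."""
    in_scope = sorted((v for v in vms if v.tier <= max_tier),
                      key=lambda v: (v.tier, v.name))
    need = demand(in_scope)
    usable = {r: getattr(site, r) * (1.0 - headroom) for r in RESOURCES}
    shortfall = {r: max(0.0, need[r] - usable[r]) for r in RESOURCES}
    return {
        "in_scope": [v.name for v in in_scope],
        "demand": need,
        "usable": usable,
        "shortfall": shortfall,
        "fits": all(s == 0.0 for s in shortfall.values()),
    }


def widest_fitting_tier(vms, site, headroom=0.2):
    """Highest tier cut-off whose scope still fits the site; 0 if even tier 1 does not."""
    for tier in sorted({v.tier for v in vms}, reverse=True):
        if plan_scope(vms, site, tier, headroom)["fits"]:
            return tier
    return 0


if __name__ == "__main__":
    for tier in (1, 2, 3):
        p = plan_scope(INVENTORY, SECONDARY_SITE, tier)
        short = {r: round(s) for r, s in p["shortfall"].items() if s}
        print(f"tier<={tier}: {p['in_scope']} fits={p['fits']} shortfall={short}")
    print("widest scope that fits with 20% headroom: tier",
          widest_fitting_tier(INVENTORY, SECONDARY_SITE))
```

With these numbers the tier-1 scope fits comfortably, while adding the tier-2 VMs fits only if the site is allowed to run at full capacity (zero headroom); with 20% headroom the disk and bandwidth shortfalls show where the secondary site would have to grow before the scope can be widened.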
Setting RTO and RPO

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are the indicators most closely related to the recovery process. The RTO determines how long your business can operate without a specific virtual machine, system, or application running. The RPO sets out how much data your business can lose without affecting your business. In a perfect world, RTO and RPO should be as close to 0 as possible. However, for many businesses, this is an expensive luxury that may not justify itself.

Testing and optimization

An untested DR plan cannot be considered effective. Having a disaster recovery plan alone is not enough, because once you test it, you will discover its weaknesses and inconsistencies, and you will want to learn about these weaknesses before a disaster strikes. That is why rigorous DR testing is an important step, giving you confidence that your recovery efforts will succeed in the face of an actual disaster.

Automation

DR solutions enable complete automation of disaster recovery, from failover to failback activities. Automation frees IT managers from the manual burden and reduces complexity, so that the recovery process takes less time, is less prone to human error, and provides an uninterrupted DR experience. Therefore, thanks to automation, in addition to saving time, you also save money, because downtime is reduced to the minimum.

References

Anon., n.d. [Online] Available at: https://www.synopsys.com/glossary/what-is-security-risk-assessment.html#:~:text=A%20security%20risk%20assessment%20identifies,holistically%E2%80%94from%20an%20attacker's%20perspective.

Eku, 2020. [Online] Available at: https://safetymanagement.eku.edu/blog/risk-identification/#:~:text=Risk%20Identification%20Process%20Steps,risk%20treatment%2C%20and%20risk%20monitoring.

Greenlee, M., 2021. [Online] Available at: https://securityintelligence.com/articles/what-is-data-protection/

Grimmick, R., 2022. [Online] Available at: https://www.varonis.com/blog/what-is-a-security-policy

Irwin, L., 2020. [Online] Available at: https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threats-and-vulnerabilities

Long, R., 2017. [Online] Available at: https://www.mha-it.com/2017/08/01/what-is-business-continuity/

Techopedia, 2022. [Online] Available at: https://www.techopedia.com/definition/4099/security-policy

uniserve, 2022. [Online] Available at: https://uniserveit.com/blog/security-policies-your-organization-should-have

Warner, J., 2022. [Online] Available at: https://www.exabeam.com/information-security/information-security-policy/

UNIVERSITY of GREENWICH