
ASSIGNMENT FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date:        Date received (1st submission):

Re-submission date:     Date received (2nd submission):

Student name: Phan Anh Ly Ly        Student ID: GCD191295

Class: GCD0806        Assessor name: Tran Trong Minh

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature LyLy

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
Table of Contents
1 INTRODUCTION
1.1 Part 1
1.2 Part 2
1.3 Part 3
2 Risk assessment procedures
2.1 What is risk assessment? (synopsys.com)
2.2 How does a security risk assessment work?
2.2.1 The 4 steps of a successful security risk assessment model
2.3 What problems does a security risk assessment solve?
2.4 What industries require a security risk assessment for compliance?
3 Explain data protection processes and regulations as applicable to an organization (searchdatabackup.techtarget.com)
3.1 Data protection
3.2 Explain data protection process with relations to organization
3.3 Principles of data protection
3.4 What is the purpose of data protection?
3.5 Data portability
3.6 The convergence of disaster recovery and backup
3.7 Enterprise data protection strategies
3.7.1 Media failure
3.7.2 Data corruption
3.7.3 Storage system failure
3.7.4 Full-on data center failure
3.8 Data protection trends
3.8.1 Hyper-convergence
3.8.2 Ransomware
3.8.3 Copy data management
3.8.4 Disaster recovery as a service (DRaaS)
3.9 Mobile data protection
3.10 Differences between security and privacy
3.11 Data protection and privacy
3.12 EU data protection directive
3.13 Fundamental right to data protection
4 Design and implement a security policy for an organization
4.1 Define and discuss what is security policy (techopedia.com)
4.2 Examples of policies
4.3 The must and should that must exist in Policy and procedures (universalclass.com)
4.4 The element of security policy (zdnet.com)
4.5 Steps to design a policy (leoisaac.com)
4.6 Design security policy
5 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion
5.1 Business continuity (searchdisasterrecovery.techtarget.com)
5.2 Components of recovery plan
5.3 Steps required in disaster recovery process (eccouncil.org)
5.4 Explain some of the policies and procedures that are required for business continuity
5.5 Business continuity policy
5.6 Important policy considerations
5.7 When to bring in a vendor
5.8 Business continuity policy vs. business continuity plan
6 INDEX OF COMMENTS

Table of Figures
Figure 1: Risk assessment
Figure 2: Data protection
Figure 3: Security policy
Figure 4: Facebook
Figure 5: Business continuity
1 INTRODUCTION:
You work for a security consultancy as an IT Security Specialist.

A manufacturing company, “Wheelie good” in Ho Chi Minh City, making bicycle parts for export,
has asked your company to propose a security policy for their organization after reading stories in
the media about security breaches in organizations and their ramifications.

1.1 Part 1
In preparation for this task, you will prepare a report considering:

1. The security risks faced by the company.
2. How data protection regulations and ISO risk management standards apply to IT security.
3. The potential impact that an IT security audit might have on the security of the organization.
4. The responsibilities of employees and stakeholders in relation to security.

1.2 Part 2
Following your report:

1. You will now design and implement a security policy.
2. While considering the components to be included in the disaster recovery plan for Wheelie good,
justify why you have included these components in your plan.

1.3 Part 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and
how they align with IT security. You will include sections on how to administer and implement
these policies.
2 Risk assessment procedures:
2.1 What is risk assessment? (synopsys.com)

Figure 1: Risk assessment.

A security risk assessment identifies, assesses, and implements key security controls in
applications. It also focuses on preventing application security defects and vulnerabilities.

Carrying out a risk assessment allows an organization to view the application portfolio
holistically—from an attacker’s perspective. It supports managers in making informed resource
allocation, tooling, and security control implementation decisions. Thus, conducting an assessment
is an integral part of an organization’s risk management process.

2.2 How does a security risk assessment work?


Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk
assessment models. Organizations can carry out generalized assessments when experiencing budget
or time constraints. However, generalized assessments don’t necessarily provide the detailed
mappings between assets, associated threats, identified risks, impact, and mitigating controls.

If generalized assessment results don’t provide enough of a correlation between these areas,
a more in-depth assessment is necessary.

2.2.1 The 4 steps of a successful security risk assessment model


➢ Step 1: Identification

Determine all critical assets of the technology infrastructure. Next, diagnose sensitive data
that is created, stored, or transmitted by these assets. Create a risk profile for each.
➢ Step 2: Assessment

Administer an approach to assess the identified security risks for critical assets. After careful
evaluation and assessment, determine how to effectively and efficiently allocate time and resources
towards risk mitigation. The assessment approach or methodology must analyze the correlation
between assets, threats, vulnerabilities, and mitigating controls.

➢ Step 3: Mitigation

Define a mitigation approach and enforce security controls for each risk.

➢ Step 4: Prevention

Implement tools and processes to minimize threats and vulnerabilities from occurring in
your firm’s resources.

2.3 What problems does a security risk assessment solve?


A comprehensive security assessment allows an organization to:

• Identify assets (network, servers, applications, data centers, tools, etc.) within the
organization.
• Create risk profiles for each asset.
• Understand what data is stored, transmitted, and generated by these assets.
• Assess asset criticality regarding business operations. This includes the overall impact
to revenue, reputation, and the likelihood of a firm’s exploitation.
• Measure the risk ranking for assets and prioritize them for assessment.
• Apply mitigating controls for each asset based on assessment results.

It’s important to understand that a security risk assessment isn’t a one-time security project.
Rather, it’s a continuous activity that should be conducted at least once every other year.
Continuous assessment provides an organization with a current and up-to-date snapshot of threats
and risks to which it is exposed.

At Synopsys, we recommend annual assessments of critical assets with a higher impact and
likelihood of risks. The assessment process creates and collects a variety of valuable information. A
few examples include:

• Creating an application portfolio for all current applications, tools, and utilities.
• Documenting security requirements, policies, and procedures.
• Establishing a collection of system architectures, network diagrams, data stored or
transmitted by systems, and interactions with external services or vendors.
• Developing an asset inventory of physical assets (e.g., hardware, network, and
communication components and peripherals).
• Maintaining information on operating systems (e.g., PC and server operating
systems).
➢ Information about:
o Data repositories (e.g., database management systems, files, etc.).
o Current security controls (e.g., authentication systems, access control systems,
antivirus, spam controls, network monitoring, firewalls, intrusion detection,
and prevention systems).
o Current baseline operations and security requirements pertaining to
compliance of governing bodies.
o Assets, threats, and vulnerabilities (including their impacts and likelihood).
o Previous technical and procedural reviews of applications, policies, network
systems, etc.
o Mapping of mitigating controls for each risk identified for an asset.

2.4 What industries require a security risk assessment for compliance?


Most organizations require some level of personally identifiable information (PII) or
personal health information (PHI) for business operations. This information comes from partners,
clients, and customers. Information such as social security number, tax identification number, date
of birth, driver’s license number, passport details, medical history, etc. are all considered
confidential information.

As such, organizations creating, storing, or transmitting confidential data should undergo a
risk assessment. Risk assessments are required by a number of laws, regulations, and standards.
Those that require security risk assessments include HIPAA, PCI DSS, the Massachusetts General
Law Chapter 93H / 201 CMR 17.00 regulation, the Sarbanes-Oxley Auditing Standard 5, and the
Federal Information Security Management Act (FISMA).

Organizations often question the need for compliance and adherence to these regulations. At
Synopsys, we feel that an organization is required to undergo a security risk assessment to remain
compliant with a unified set of security controls, controls that are implemented and agreed upon by
such governing bodies.

In fact, these controls are accepted and implemented across multiple industries. They
provide a platform to weigh the overall security posture of an organization. Governing entities also
recommend performing an assessment for any asset containing confidential data. Assessments
should take place bi-annually, annually, or at any major release or update.
3 Explain data protection processes and regulations as applicable
to an organization. (searchdatabackup.techtarget.com)
3.1 Data protection:

Figure 2: Data protection.

Data protection is the process of safeguarding important information from corruption,
compromise or loss.

The importance of data protection increases as the amount of data created and stored
continues to grow at unprecedented rates. There is also little tolerance for downtime that can make
it impossible to access important information.

Consequently, a large part of a data protection strategy is ensuring that data can be restored
quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are
other key components of data protection.

3.2 Explain data protection process with relations to organization


Methods of protecting critical information from being destroyed, stolen, abused or exploited
are usually referred to as data security.

Data is a critical asset for any business or organization. Organizations now generate and
keep data in databases at an unprecedented rate, which has raised the importance both of how data
is collected and of the legislation that governs it. The core risk is that unauthorized people gain
access to sensitive data.

Data security procedures and guidelines must be written for the specific company or
organization that will follow them. Data must be accessed and processed fairly and lawfully; it
must be relevant, necessary and kept up to date; and it must be protected well enough to prevent
unauthorized access, damage and destruction. The purpose of every data protection procedure is to
protect information. Several methods of protecting data are listed below:

Data warehouse

In general, a data warehouse is the process of collecting and managing data from a variety of
sources to produce meaningful business insight for an organization. A data warehouse is mainly
used to centralize data sources for analysis and reporting. Bill Inmon is considered the father of
the data warehouse; according to him, "A data warehouse is a subject-oriented, integrated,
time-variant and non-volatile collection of data in support of management's decision-making
process."

• Subject-oriented means the data warehouse can be used to analyze a particular subject area,
such as the sales trends of the business.

• Integrated means it combines data from multiple sources into a consistent form and can
deliver meaningful insight to the business.

• Time-variant means it stores a long history of data. When the company wants to look back at
data from 3 or 6 months ago, or older, it can be retrieved from the data warehouse.

• Non-volatile means that once data has been loaded into the warehouse it is not modified or
deleted, so the historical data stays stable.

Data mining

Data mining is the process of analyzing data from many angles to find hidden patterns and turn
them into useful information. The data being mined is typically collected and consolidated in a
common repository, for example a data warehouse, so that it can be analyzed efficiently. Data
mining is also known as knowledge discovery in data.

Insights extracted by data mining can be used for marketing, scientific discovery and fraud
detection. The data mining process involves effective data collection, computerized processing
and storage. It estimates the likelihood of future events; as a business application, data mining
can reveal more about the customer. Data mining methods can help businesses get closer to their
goals.

Data backup

In general, data backup is the process of copying data so that it can be restored in the event
of data loss. Data can be lost in many ways, such as computer viruses, hardware failures, file
corruption, fire, environmental factors, etc. Loss of data can lead to huge financial losses, so
reliable data backups are important for any organization or company.

RAID 5

RAID stands for Redundant Array of Independent Disks. RAID 5 is made up of at least three hard
drives, although there is no upper limit. RAID 5 is considered one of the most reliable RAID levels
because parity data is distributed across all the drives in the array; therefore, the data can be
reconstructed if any one drive is lost. RAID 5 is currently one of the most widely used
configurations.

Another major advantage of RAID 5 is the combination of striping and distributed parity.
Striping is a method of storing consecutive pieces of data across all drives to increase efficiency
and throughput. Striping alone (RAID 0) tolerates no drive failure; combined with parity it survives
the loss of one drive, providing both performance and redundancy.

Data encryption

Encryption is the conversion of data from a readable format (plaintext) into an encoded format
(ciphertext) that cannot be interpreted and must be decrypted with the correct key before it can be
read or processed. It is one of the simplest and most effective ways to protect documents: anyone
who steals the data without the key cannot read it. It can be used both by organizations and by the
public. On the internet, encryption is routinely used to protect information in transit. Encryption
also protects stored data: an attacker who breaches the storage obtains only ciphertext, so the data
cannot be copied and read in detail.
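As an added worked example, not part of the original assignment or of the TechTarget source it summarizes, the following Go program shows what "an encoded format that must be decrypted with the key" means in practice, using AES-256-GCM from Go's standard library. It encrypts a constructed customer record, decrypts it, and shows that a single flipped byte in the stored ciphertext is rejected rather than silently decrypted. The record, the associated-data string and the way the key is generated are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key.
// Output layout: nonce (12 bytes) || ciphertext || 16-byte authentication tag.
// A fresh random nonce is drawn per call; reusing a nonce with the same key
// would break both confidentiality and authenticity.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce, the
// ciphertext, the tag or the associated data makes Open fail, so a tampered
// file or backup is rejected instead of yielding garbage plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip encrypts and decrypts plaintext, then flips one byte of the blob
// and checks that decryption refuses it. Returns (recovered correctly, tamper detected).
func RoundTrip(key, plaintext, aad []byte) (bool, bool, error) {
	blob, err := Encrypt(key, plaintext, aad)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(key, blob, aad)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one byte of the authentication tag
	_, err = Decrypt(key, tampered, aad)
	return bytes.Equal(got, plaintext), err != nil, nil
}

func main() {
	key := make([]byte, 32) // in a real system this comes from a key manager, not the same disk
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record from the bicycle-parts export system (an assumption).
	record := []byte("customer=Example GmbH;order=4711;part=hub-32h;qty=500")
	aad := []byte("table=orders;version=1") // bound to the ciphertext but not hidden
	ok, tamperDetected, err := RoundTrip(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v, tamper detected: %v\n", ok, tamperDetected)
}
```

GCM gives integrity as well as confidentiality, which is what makes the tampering check possible. Two caveats matter for a backup or storage design: the key must be kept apart from the ciphertext (a backup encrypted with a key stored on the same server protects nothing if the server is taken), and a nonce must never be reused under one key.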

3.3 Principles of data protection:


The key principles of data protection are to safeguard and make available data under all
circumstances. The term data protection is used to describe both the operational backup of data and
business continuity/disaster recovery (BC/DR). Data protection strategies are evolving along two
lines: data availability and data management.

Data availability ensures users have the data they need to conduct business even if the data is
damaged or lost.

There are two main areas of data management used in data protection: data lifecycle
management and information lifecycle management.

Data lifecycle management is the process of automating the movement of critical data to
online and offline storage. Information lifecycle management is a comprehensive strategy for
valuing, cataloging and protecting information assets from application and user errors, malware
and virus attacks, machine failure, and facility outages and disruptions.

More recently, data management has come to include finding ways to unlock business value
from otherwise dormant copies of data for reporting, test/dev enablement, analytics and other
purposes.
3.4 What is the purpose of data protection?
Storage technologies that can be used to protect data include disk or tape backup, which
copies designated information to a disk-based storage array or a tape cartridge device for safe
keeping.

Mirroring can be used to create an exact replica of a website or of files so that they are
available from more than one place.

Storage snapshots can automatically generate a set of pointers to information stored on tape
or disk, enabling faster data recovery, while continuous data protection (CDP) backs up all the data
in the enterprise whenever a change is made.

3.5 Data portability


The ability to move data among different application programs, computing environments or
cloud services presents another set of problems and solutions for data protection.

On the one hand, cloud-based computing makes it possible for customers to migrate data and
applications between or among cloud service providers (CSPs). On the other hand, it requires
safeguards against data duplication.

Either way, cloud backup is becoming more popular. Organizations routinely migrate their
backup data to public clouds or to clouds maintained by backup providers. These backups can
replace on-premises tape and disk libraries, or they can serve as additional protected copies of data.

Traditionally, backup has been the key to an effective data protection strategy: backed-up
data is what gets accessed and used to restore lost or corrupted data.

Backup is no longer a standalone function. Instead, it is combined with other data protection
functions to save storage space and reduce costs.

For example, backup and archiving have traditionally been treated as two separate functions.
Backup's purpose is to restore data after a failure, while an archive provides a searchable copy of
the data. Keeping both, however, resulted in redundant data sets.

Today, there are many products that back up, archive and index data in a single pass. This
approach saves organizations time and cuts down on the amount of data held in long-term storage.

3.6 The convergence of disaster recovery and backup.
Another area where data protection technologies are coming together is the combination of
backup and disaster recovery (DR) capabilities. Virtualization has an important role here, shifting
the focus from copying data at a specific point in time to continuous data protection.

Historically, data backup has meant creating duplicate copies of data. Disaster recovery, on
the other hand, focuses on how those backups are used when disaster strikes.

Snapshots and replication have made disaster recovery much faster than before. When a
server fails, data from the backup array is used in place of the primary storage, but only if steps
are taken to prevent that backup copy from being modified.

Those steps involve using a snapshot of the data on the backup array to instantly create a
differencing disk.

The original data on the backup array is then used only for reads, while all writes are
directed to the differencing disk. This approach does not change the original backup data. While
this is happening, the failed server's storage is rebuilt, and the data is replicated from the backup
array to the failed server's newly rebuilt storage.

When replication is complete, the contents of the differencing disk are merged onto the
server's storage and users return to work.

Data deduplication, also known as data dedupe, plays a key role in disk-based backup.
Dedupe eliminates redundant copies of data to reduce the storage capacity required for backups.
Deduplication can be built into backup software or can be a software-enabled feature in disk
libraries

Dedupe applications replace redundant data blocks with pointers to unique data copies.
Subsequent backups only include data blocks that have changed since the previous backup.
Deduplication began as a data protection technology and has moved into primary data as a valuable
key feature to reduce the amount of capacity required for more expensive flash media.

CDP has come to play a key role in disaster recovery, and it enables fast restores of backup
data. CDP enables organizations to roll back to the last good copy of a file or database, reducing the
amount of information lost in the case of corruption or deletion of data. CDP started as a separate
product category, but evolved to the point where it is now built into most replication and backup
applications. CDP can also eliminate the need to keep multiple copies of data. Instead, organizations
retain a single copy that's updated continuously as changes occur.

3.7 Enterprise data protection strategies


Modern data protection for primary storage involves using a built-in system that
supplements or replaces backups and protects against the following potential problems:
3.7.1 Media failure
The goal here is to keep data available even when a storage device fails. Synchronous
mirroring is one approach, in which data is written to a local disk and to a remote site at the same
time. The write is not considered complete until an acknowledgement is received from the remote
site, which ensures that the two sites are always identical. Mirroring costs 100% extra capacity.

RAID protection is an alternative that requires less capacity. With RAID, physical drives are
combined into a logical unit that is presented to the operating system as a single hard drive. RAID
spreads the same data across multiple disks in different places. As a result, I/O operations overlap
in a balanced manner, improving performance and increasing protection.

RAID protection must compute parity, a technique that checks whether data has been lost or
overwritten when it is moved from one storage location to another, and that calculation consumes
computing resources.

The cost of recovering from a media failure is the time it takes to return to a protected
state. Mirrored systems can return to a protected state quickly. RAID systems take longer because
they have to recalculate all the parity values. Advanced RAID controllers do not have to read an
entire drive to recover data when performing a drive rebuild; they only need to rebuild the data that
is actually on that drive. Since most drives run at around one-third capacity, smart RAID can
significantly reduce recovery times.

Erasure coding is an alternative to advanced RAID that's often used in scale-out storage
environments. Like RAID, erasure coding uses parity-based data protection systems, writing both
data and parity across a cluster of storage nodes. With erasure coding, all the nodes in the storage
cluster can participate in the replacement of a failed node, so the rebuilding process doesn't get
CPU-constrained and it happens faster than it might in a traditional RAID array.

Replication is another data protection alternative for scale-out storage. Data is mirrored
from one node to another or to multiple nodes. Replication is simpler than erasure coding, but it
consumes at least twice the capacity of the protected data.
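Both the RAID 5 description in section 3.2 and the RAID and erasure-coding discussion above state that parity lets data be reconstructed after a drive is lost. The following Go program, added for this page and not taken from either source, shows how that works for single-parity RAID 5: data is striped across the drives with a rotating parity chunk equal to the XOR of the stripe's data chunks, one drive is discarded, and every chunk on it (data or parity alike) is rebuilt as the XOR of the surviving chunks. The 4-byte chunk size, the disk count and the payload are assumptions chosen for readability.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// chunkSize is the bytes per disk per stripe; 4 keeps the demo readable (an assumption).
const chunkSize = 4

// xorInto computes dst ^= src byte by byte.
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// parityDisk rotates parity n-1, n-2, ..., 0 so no single disk is the parity bottleneck.
func parityDisk(s, n int) int { return n - 1 - s%n }

// WriteStripes lays data out across n disks with rotating parity and returns
// disks[disk][stripe]. Data is zero-padded to a whole number of stripes.
func WriteStripes(data []byte, n int) ([][][]byte, error) {
	if n < 3 {
		return nil, errors.New("RAID 5 needs at least three disks")
	}
	dataPerStripe := (n - 1) * chunkSize
	stripes := (len(data) + dataPerStripe - 1) / dataPerStripe
	padded := make([]byte, stripes*dataPerStripe)
	copy(padded, data)
	disks := make([][][]byte, n)
	for d := range disks {
		disks[d] = make([][]byte, stripes)
	}
	for s := 0; s < stripes; s++ {
		parity := make([]byte, chunkSize)
		k := 0 // index of the data chunk within this stripe
		for d := 0; d < n; d++ {
			if d == parityDisk(s, n) {
				continue
			}
			off := s*dataPerStripe + k*chunkSize
			chunk := append([]byte(nil), padded[off:off+chunkSize]...)
			disks[d][s] = chunk
			xorInto(parity, chunk) // parity = XOR of all data chunks in the stripe
			k++
		}
		disks[parityDisk(s, n)][s] = parity
	}
	return disks, nil
}

// Rebuild reconstructs disk `failed` (marked nil) from the survivors: each of its
// chunks, data or parity, is the XOR of the other disks' chunks in the same stripe.
// With a second disk missing the equations have no unique solution, so it refuses.
func Rebuild(disks [][][]byte, failed int) error {
	for d := range disks {
		if d != failed && disks[d] == nil {
			return fmt.Errorf("disks %d and %d both missing: RAID 5 tolerates one failure", d, failed)
		}
	}
	stripes := len(disks[(failed+1)%len(disks)])
	rebuilt := make([][]byte, stripes)
	for s := 0; s < stripes; s++ {
		chunk := make([]byte, chunkSize)
		for d := range disks {
			if d != failed {
				xorInto(chunk, disks[d][s])
			}
		}
		rebuilt[s] = chunk
	}
	disks[failed] = rebuilt
	return nil
}

// ReadData reassembles the logical data from a complete array, skipping parity chunks.
func ReadData(disks [][][]byte, length int) []byte {
	n := len(disks)
	var out []byte
	for s := range disks[0] {
		for d := 0; d < n; d++ {
			if d != parityDisk(s, n) {
				out = append(out, disks[d][s]...)
			}
		}
	}
	return out[:length]
}

// Demo writes a constructed payload to a 4-disk array, loses disk 2, rebuilds it,
// and reports whether the reconstructed data matches the original.
func Demo() (bool, error) {
	payload := []byte("Wheelie good export invoice 2020-117: 500 x hub-32h") // constructed sample
	disks, err := WriteStripes(payload, 4)
	if err != nil {
		return false, err
	}
	disks[2] = nil // disk 2 dies
	if err := Rebuild(disks, 2); err != nil {
		return false, err
	}
	return bytes.Equal(ReadData(disks, len(payload)), payload), nil
}

func main() {
	ok, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("rebuilt data matches original:", ok)
}
```

Rebuild refuses to run when two drives are missing, which is the limit of single parity. The erasure coding used in scale-out storage generalises the same idea with more parity chunks (Reed-Solomon codes rather than plain XOR) so that several simultaneous failures can be survived; this example does not show that. Note also what parity does not protect against: a corrupt or ransomware-encrypted write is striped and parity-protected just like good data, which is why snapshots and backups remain necessary alongside RAID.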

3.7.2 Data corruption


When data gets corrupted or accidentally deleted, a snapshot can be used to roll storage back
to a known-good point. Most storage systems today can keep hundreds of snapshots with no
noticeable effect on performance.

Snapshot-capable storage systems can work with key applications, such as Oracle and Microsoft
SQL Server, to quiesce the application so that the snapshot captures a clean, consistent copy of the
data. This approach allows frequent snapshots to be stored for long periods of time.

When data is corrupted or accidentally deleted, a snapshot can be mounted and the data
copied back to the production volume, or the snapshot can replace the existing volume. With this
method, data loss is minimal and recovery time is almost instant.

3.7.3 Storage system failure


To protect against multiple drive failures or some other major event, data centers rely on
replication technology built on top of snapshots.

With snapshot replication, only the blocks of data that have changed are copied from the
primary storage system to the off-site secondary storage system. Snapshot replication is also used
to copy data to on-premises bulk storage that is available for recovery if the primary storage
system fails.

3.7.4 Full-on data center failure.


Protection against the loss of a data center requires a full disaster recovery plan. As with the
other failure scenarios, there are multiple options. Snapshot replication, where data is replicated to
a secondary site, is one option. However, the cost of running a secondary site can be prohibitive.

Cloud services are another alternative. Replication and cloud backup products and services
can be used to store the most recent copies of data that is most likely to be needed in the event of a
major disaster, and to instantiate application images. The result is a rapid recovery in the event of a
data center loss.

3.8 Data protection trends


The latest trends in data protection policy and technology include the following:

3.8.1 Hyper-convergence
With the advent of hyper-convergence, vendors have started offering appliances that provide
backup and recovery for physical and virtual environments that are hyper-converged, non-hyper-
converged and mixed. Data protection capabilities integrated into hyper-converged infrastructure
are replacing a range of devices in the data center.

Cohesity, Rubrik and other vendors offer hyper-convergence for secondary storage,
providing backup, disaster recovery, archiving, copy data management and other nonprimary
storage functions. These products integrate software and hardware, and they can serve as a backup
target for existing backup applications in the data center. They can also use the cloud as a target and
provide backup for virtual environments.

3.8.2 Ransomware
Ransomware, which holds data hostage for an extortion fee, is a growing problem. Traditional backups have been the main defense: restore the last good copy instead of paying. However, more sophisticated ransomware is adapting to, and disrupting, traditional backup processes.
Newer variants dwell in an organization's environment for some time before encrypting anything, so the organization ends up backing up the malware along with the data, and the backup chain may hold no version that is both recent and clean. This situation makes it difficult, if not impossible, to roll back to a clean version of the data. Some variants also seek out and delete or encrypt any backup target they can reach, which is why backups that are offline, immutable or write-once are increasingly recommended.

To counter this problem, vendors are adapting backup and recovery products and methodologies to detect tampered data inside backups and to keep copies that the malware cannot reach.
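As an added example of the "which backup is still clean?" problem described above (not code from the original text or from any backup vendor), the following scans a chain of backup snapshots for files that look ransomware-encrypted and reports the newest snapshot that is free of them. It relies on the fact that ciphertext is indistinguishable from random bytes, so a file with Shannon entropy near 8 bits per byte, in a format that is not compressed or encrypted by design, is treated as suspect. The 7.5-bit threshold, the allowlist of legitimately high-entropy formats, and the four-day snapshot chain are assumptions; all file contents are constructed.

```python
"""Finding the last clean snapshot in a backup chain: added example, not code from
the original text.

Ransomware output is indistinguishable from random bytes, so a file whose Shannon
entropy approaches 8 bits per byte, and which is not a format that is compressed or
encrypted by design, is treated as likely encrypted. The threshold, the allowlist of
high-entropy formats and the snapshot chain are assumptions; all data is constructed.
"""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5      # assumed; encrypted data sits close to 8.0 bits/byte
HIGH_ENTROPY_OK = {".zip", ".gz", ".jpg", ".png", ".pdf"}  # assumed allowlist


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _extension(name):
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""


def suspicious_files(snapshot):
    """Names of files in a snapshot (name -> bytes) that look encrypted."""
    return sorted(
        name for name, content in snapshot.items()
        if _extension(name) not in HIGH_ENTROPY_OK
        and shannon_entropy(content) >= ENTROPY_THRESHOLD
    )


def last_clean_snapshot(chain):
    """chain: list of (snapshot_id, files), oldest first. Newest id with no suspicious file."""
    for snap_id, files in reversed(chain):
        if not suspicious_files(files):
            return snap_id
    return None


def _random_bytes(seed, n):
    """Stand-in for ciphertext: deterministic pseudo-random bytes (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed snapshot chain: clean on day1 and day2, partly encrypted on day3, fully on day4.
TEXT = b"Quarterly invoice summary: customer, amount, due date, status.\n" * 60
RANSOM_NOTE = b"Your files have been encrypted. Contact us to buy the key.\n" * 5
DAY1 = {
    "invoices/q1.csv": TEXT,
    "docs/plan.txt": TEXT[:2000],
    "photos/team.jpg": _random_bytes(1, 4096),   # legitimately high entropy, allowlisted
}
DAY2 = {**DAY1, "docs/notes.txt": TEXT[:500]}
DAY3 = dict(DAY2)
del DAY3["invoices/q1.csv"]
DAY3["invoices/q1.csv.locked"] = _random_bytes(2, 4096)
DAY3["README_DECRYPT.txt"] = RANSOM_NOTE          # plain text, so entropy alone will not flag it
DAY4 = {
    "invoices/q1.csv.locked": _random_bytes(2, 4096),
    "docs/plan.txt.locked": _random_bytes(3, 2048),
    "docs/notes.txt.locked": _random_bytes(4, 2048),
    "photos/team.jpg.locked": _random_bytes(5, 4096),
    "README_DECRYPT.txt": RANSOM_NOTE,
}
CHAIN = [("day1", DAY1), ("day2", DAY2), ("day3", DAY3), ("day4", DAY4)]


if __name__ == "__main__":
    for snap_id, files in CHAIN:
        print(snap_id, suspicious_files(files))
    print("restore from:", last_clean_snapshot(CHAIN))
```

Two caveats a practitioner should keep in mind. First, a snapshot that passes this scan is only clean as far as encrypted payload goes; a dormant ransomware binary dropped before encryption began has normal entropy and will be restored along with the data, so the restored image still needs to be checked with endpoint tooling before it goes back into service. Second, the allowlist exists because compressed and already-encrypted formats are high-entropy by design; without it every photo and archive is a false positive, and a better production signal is a sudden rise in the proportion of high-entropy files or in files with unfamiliar extensions between consecutive snapshots. Neither check helps if the ransomware can reach and delete the snapshots themselves, which is the argument for immutable or offline copies.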

3.8.3 Copy data management


CDM cuts down on the number of copies of data an organization must save, reducing the
overhead required to store and manage data and simplifying data protection. It can speed up
application release cycles, increase productivity and reduce administrative costs through
automation and centralized control.

The next step with CDM is to add more intelligence. Companies are combining CDM with
their intelligent data management platforms.

3.8.4 Disaster recovery as a service (DRaaS)


DRaaS use is expanding as more options are offered and prices fall. It is being used for critical business systems, where an increasing amount of data is replicated rather than just backed up.

3.9 Mobile data protection


Data protection on mobile devices has its own challenges. It can be difficult to extract data
from these devices. Inconsistent connectivity makes scheduling backups difficult, if not impossible.
And mobile data protection is further complicated by the need to keep personal data stored on
mobile devices separate from business data.

Selective file sync and share is one approach to data protection on mobile devices. While it
isn't true backup, file sync-and-share products typically use replication to sync users' files to a
repository in the public cloud or on an organization's network. That location must then be backed
up. File sync and share does give users access to the data they need from a mobile device, while
synchronizing any changes they make to the data with the original copy. However, it doesn't protect
the state of the mobile device, which is needed for quick recovery.

3.10 Differences between security and privacy


In general, data security refers to the measures taken to protect the data itself against unauthorized access, manipulation and malware, while privacy refers to governing how personal data is collected, used and shared, and who is allowed to access it. The two overlap: a privacy failure such as over-collection or over-sharing enlarges the set of data that a security incident can expose, and a security breach of personal data is, by definition, also a privacy breach.

3.11 Data protection and privacy


Data privacy laws and regulations vary from country to country and even from state to state, and new regulations appear constantly. China's Cybersecurity Law, which includes data privacy provisions, came into effect on June 1, 2017, and the European Union's General Data Protection Regulation (GDPR) came into force in 2018. Compliance with any one set of regulations is complex and challenging.

Coordinating among all the disparate rules and regulations is a massive task. Being out of
compliance can mean steep fines and other penalties, including having to stop doing business in the
country or region covered by the law or regulation.

For a global organization, experts recommend having a data protection policy that complies
with the most stringent set of rules the business faces, while, at the same time, using a security and
compliance framework that covers a broad set of requirements. The basics of data protection and
privacy apply across the board and include:

• safeguarding data;
• getting consent from the person whose data is being collected;
• identifying the regulations that apply to the organization in question and the data it collects;
• ensuring employees are fully trained in the nuances of data privacy and security.

3.12 EU data protection directive


The European Union replaced its 1995 data protection directive with a regulation that went into effect on May 25, 2018. The GDPR replaces the EU Data Protection Directive of 1995 and focuses on making businesses more transparent about how they process personal data. It also expands the rights of individuals with respect to their personal data.

The GDPR applies to the personal data of individuals who are in the EU, regardless of where the organization collecting the data is located, and to any processing carried out in the context of an organization established in the EU. Citizenship is not the test: the location of the individual and of the organization is what matters.

GDPR requirements include:

• Requiring a lawful basis, such as the individual's explicit consent, performance of a contract or a legal obligation, before an organization may store or use that individual's personal data; consent must be freely given, specific and informed, and can be withdrawn.
• Requiring organizations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
• For public authorities, and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, appointing a data protection officer who is responsible for data governance and for ensuring the organization complies with GDPR.

Fines for not complying can be as much as €20 million or 4% of the previous fiscal year's worldwide annual turnover, whichever is higher.

In July 2019, the European Commission in Brussels reported that individuals in the EU are
increasingly aware of data protection rules and of their rights: 67% of respondents to a May 2019
Eurobarometer are aware of the Regulation; 57% know that there is a national data protection
authority to which they can turn for information or to lodge complaints; and 73% have heard of at
least one of the rights granted by the Regulation. However, a sizable number of individuals in the EU
still do not take active steps to protect their personal data when they go online. For instance, 44% of
individuals have not changed their default privacy settings on social networks.

EU member states have also reported a growing volume of data protection complaints. For example, Ireland's newly formed Data Protection Commission (DPC) noted in its first annual report (covering the period from May 25 to December 31, 2018) that 4,113 complaints were received in the 2018 calendar year, a 56% increase on the 2,642 complaints received in 2017.

3.13 Fundamental right to data protection


GDPR, in Recital 1, notes that the protection of personal data is a fundamental right. In Recital 4, however, it says that this right must be balanced with other rights.

Recital 1 states: "The protection of natural persons in relation to the processing of personal data is a fundamental right.

Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and
Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone
has the right to the protection of personal data concerning him or her."

Recital 4 states: “The processing of personal data should be designed to serve mankind.

The right to the protection of personal data is not an absolute right; it must be considered in
relation to its function in society and be balanced against other fundamental rights, in accordance
with the principle of proportionality.

This Regulation respects all fundamental rights and observes the freedoms and principles
recognized in the Charter as enshrined in the Treaties, in particular the respect for private and
family life, home and communications, the protection of personal data, freedom of thought,
conscience and religion, freedom of expression and information, freedom to conduct a business, the
right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
4 Design and implement a security policy for an organization.
4.1 Define and discuss what is security policy (techopedia.com)

Figure 3: Security policy.

A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.

An Information Technology (IT) Security Policy identifies the rules and procedures for all
individuals accessing and using an organization's IT assets and resources.

The main objectives of the IT security policy are to maintain the confidentiality, integrity, and
availability of systems and information to members of the organization.

These three principles compose the CIA triad:

➢ Confidentiality: protection of assets from access or disclosure by unauthorized entities.
➢ Integrity: assurance that assets are modified only in a specified and authorized manner.
➢ Availability: a system state in which authorized users have continuous, timely access to the aforementioned assets.

Once threats are identified, the likelihood that each will actually occur needs to be determined. A company must also determine how to prevent those threats.

Strong employee policies, together with strong physical and network security, are the safeguards. There is also a need for a plan for what to do when a real threat emerges. The policy should be made available to everyone in the company, and the data protection process should be reviewed and updated regularly, including whenever new staff join.
4.2 Examples of policies
Here I take the privacy policy of Facebook's Workplace service as an example.

Figure 4: Facebook.

What kinds of information is collected?

Your Organization will collect the following kinds of information when you, your colleagues or
other users access the Service:

• your contact information, such as full name and email address;
• your username and password;
• your work title, department information and other information related to your work or Organization;
• the content, communications and other information that you provide when you use the
Service, including when you sign up for an account, create or share content, and message or
communicate with others. This can include information in or about the content that you
provide (e.g. metadata), such as the location of a photo or the date a file was created;
• content, communications and information that other people provide when they use the
Service. This can include information about you, such as when they share or comment on a
photo of you, send a message to you or upload, sync or import your contact information;
• all communications with other users of the Services;
• user communications, feedback, suggestions and ideas sent to your Organization;
• billing information; and
• information that you provide when you or your Organization contact or engage platform
support regarding the Service.
How does your Organization use this information?

Your Organization will share the information that it collects with Facebook, as provider of the
platform, in order to allow Facebook to provide and support the Service for your Organization and
other users, and in accordance with any other instructions from your Organization. Examples of
such use include:

• communicating with users and administrators regarding their use of the Service;
• enhancing the security and safety of the Service for your Organization and other users, such
as by investigating suspicious activity or violations of applicable terms or policies;
• personalising your and your Organization's experiences as part of our provision of the
Service;
• developing new tools, products or services within the Service for your Organization ;
• associating activity on the Service across different devices operated by the same individual to
improve the overall operation of the Service;
• identifying and fixing bugs that may be present; and
• conducting data and system analytics, including research to improve the Service.

Disclosure of information

Your Organization discloses the information collected in the following ways:

• to third-party service providers that assist in providing the Service or part of the Service;
• to third-party apps, websites or other services that you can connect to through the Services;
• in connection with a substantial corporate transaction, such as the transfer of the Service, a
merger, consolidation, asset sale or in the unlikely event of bankruptcy or insolvency;
• to protect the safety of any person; to address fraud, security or technical issues; and
• in connection with a subpoena, warrant, discovery order or other request or order from a
law enforcement agency.

Accessing and modifying your information

You and your Organization may access, correct or delete information that you have uploaded
to the Service using the tools within the Service (for example, editing your profile information or via
the activity log). If you are not able to do so using the tools provided in the Service, you should
contact your Organization directly to access or modify your information.

Third-party links and content

The Service may contain links to content maintained by third parties that your Organization
does not control. You should review the privacy policies of each website that you visit.
Account closure

If you would like to stop using the Service, you should contact your organization. Similarly, if
you stop working for or with the Organization, the Organization may suspend Your Account and/or
delete any information associated with Your Account.

It typically takes about 90 days to delete an account after account closure, but some
information may remain in backup copies for a reasonable period of time. Please note that content
you create and share on the Service is owned by your organization and may remain on the Service
and be accessible even if your organization deactivates or terminates Your Account. In this way,
content that you provide on the Service is similar to other types of content (such as presentations or
memos) that you may generate in the course of your work.

Changes to the Privacy Policy

This Privacy Policy may be updated from time to time. When updated, the "last updated" date
below will be amended and the new Privacy Policy will be posted online.

Contact

If you have any questions about this Privacy Policy or Workplace Acceptable Use Policy,
please contact your Organization via your Organization's admin.

For California residents, you can learn more about your consumer privacy rights by
contacting your Organization via your Organization's admin.

*Last updated: 3 January 2020*

4.3 What must and should exist in policies and procedures
(universalclass.com).
A written policy will help your organization run more smoothly and efficiently. A basic way to look at a policy is that it is a written record of a workplace rule.

Therefore, it is time to develop a policy when:

• legislation expressly requires an organization such as yours to have a certain policy in place;
• legislation does not expressly require your organization to have the policy, but the regulations and steps are tightly defined, so a written company policy will help to ensure that your organization is in full compliance;
• inconsistencies exist in how managers make decisions and/or how employees behave, and those inconsistencies are having a negative impact on the work environment or on how your business is carried out;
• confusion exists in certain areas of your business as to how things are done.

Developing a new policy is not something that should be done impulsively. For example, think carefully before creating a policy to address a problem that has occurred only a few times and involves only a few individuals.

Remember that a written policy creates a rule or standard to be followed consistently. As such, it can reduce management's flexibility to treat each situation as unique. Policies that are not necessary, or that are not well written, can actually cause harm to your organization. Plus, they can be difficult to change once they have been put into place and have become part of your company culture.

Therefore, at their best and most effective, policies are designed for the many, not the few. In other words, aim to develop policies that benefit your entire organization.

Before you develop any policy, it is important to research the topic to ensure there is a real need for the policy. Make sure you are clear on the policy's objective.

Is the proposal simply a knee-jerk reaction to a problem that will likely not re-occur? Is it
best for the issue to be handled on a case-by-case basis if it does re-occur? Or is the policy
something that needs to be in place in order for your business to run more efficiently, or for your
business to meet a new local, state, or federal regulation?

Here are some questions to consider if you are unsure about the need for a new or existing
policy:

• What will this policy accomplish? What will be the outcomes?
• How will this policy support our company mission and our desired company culture?
• How will this policy be monitored? How will it be enforced?
• How will this policy affect a manager's ability to perform regular duties, including
hiring, firing, performance reviews, and promotions?
• Will this policy have an impact on our ability to attract quality candidates?
• In what way has our company handled this issue in the past?
• Does the size of our company (specifically the number of our employees) justify
having this policy?
• How much time and effort will it take to keep this policy up to date?
• Would this policy have an impact on any of our funding?

Now that you have learned about what to include – and not to include – in your manual, let's
look at some secrets to drafting those important policies and procedures for your organization.

First, we will consider policies. An effective policy should include the following 10 sections:
Purpose

The purpose explains the goal of the policy. For example, a health and safety policy has the
goal of ensuring a healthy and safe workplace for all workers, and complying with all relevant health
and safety regulations.

Here is an example of a purpose statement for an attendance policy:

The purpose of this policy is to set forth XYZ Company's statement of policy and procedures for
handling employee absences and instances of tardiness. The objective of this policy is to promote the
efficient operation of the company.

Scope

The scope of the policy reveals to whom the policy pertains. Depending on the size of your
company, some policies may be relevant to only certain departments. A specific policy may apply to
all staff members, or differentiate based on location, department, or employee position.

The scope should explain if the policy applies to volunteers, contract workers and/or
consultants doing work for the company. Make sure your scope section identifies anyone who is
exempt from the policy.

Here is an example of a scope statement.

This policy applies to each employee at XYZ Company.

Statement

The statement is the standard or rule the policy needs to communicate.

Here is an example:

XYZ employees are expected to report to work as scheduled, on time, and ready to start work.
Employees should remain at work for their entire work schedule. Since late arrivals, early departures,
or other absences from scheduled hours are disruptive, they are to be avoided.

Procedures and Responsibilities

This section clearly describes how the policy is implemented at your company. Include any
action steps, and who will perform those steps, in this section.

If there are multiple steps to the procedure, put them in chronological order for ease of use.
Some sections may need to include lists of individual tasks, as well as departmental tasks.
This section also states the responsibilities of the board, management, and/or staff in regards
to maintaining, monitoring, and implementing the policy. Avoid including information that is likely
to change frequently. Instead of using an individual's name, for instance, use the position title.

Here are two examples:

Any employee who fails to report to work for a period of three days or more without notice to a supervisor will be deemed to have terminated the employment relationship.

or

Failure to comply with this attendance policy could result in the termination of your
employment.

Definitions

Are there any terms in the policy that need defining or clarifying? If so, you will place those
statements in this section. These definitions are particularly important if your policy is designed to
follow legal requirements for the workplace.

Here are two examples:

"Absence" is defined as the failure of an employee to report for work when he or she is scheduled
to work.

"Tardy" is defined in this policy as an unscheduled late arrival or unscheduled early departure
of more than six minutes.

Questions

In this section, you can give names and contact information for the supervisor or manager
the employee can approach if they have questions on the policy.

Here is an example:

Questions, comments, and suggestions regarding this policy may be directed to XYZ Policy
Coordinator, HR Department, policycoordinator@xyzcompany.com.

References

Reference any other policies, documents, or legislation that support the interpretation of this
policy. For example, if it is a health and safety policy, you could reference the Occupational Health
and Safety Act.

Under the Occupational Safety and Health Act (the OSH Act, enforced by OSHA), employers are responsible for providing a safe and healthful workplace.
If it is a non-discrimination policy, you could reference the Americans with Disabilities Act.

The Americans With Disabilities Act prohibits any discrimination against anyone with
disabilities in employment, public accommodation, transportation, governmental activities, and
communications.

Effective Date

In this section, state the date this policy went into effect, as well as the date of any revisions.

Here is an example:

XYZ Company's attendance policy went into effect on Jan.1, 1989. It was revised on Jan. 1, 1999,
and again on Jan. 1, 2010.

Review Date

Here you can indicate the date that the policy will be reviewed.

This attendance policy will be reviewed at the annual meeting of XYZ Company's board of
directors on Oct. 15, 2016.

Approval

Here you indicate who approved the policy, and the date of their last approval.

Here is an example:

The XYZ Company board of directors approved this attendance policy at its annual meeting on
Oct. 12, 2015.
4.4 The element of security policy (zdnet.com).
There are Seven elements of highly effective security policies:

1. Security accountability: Stipulate the security roles and responsibilities of general users, key staff, and management. Creating accountability in these three employee categories helps your organization understand and manage expectations and provides a foundation for enforcing all other ancillary policies and procedures. This section should also define various classes of data, such as internal, external, general, and confidential. By classifying the data, you can then make stipulations as to what types of employees are responsible for, and allowed to modify or distribute, particular classes of data.
2. Network service policies: Generate policies for secure remote access, IP address
management and configuration, router and switch security procedures, and access list
(ACL) stipulations. Indicate which key staff need to review which change procedures
before they are implemented.
3. System policies: Define the host security configuration for all mission-critical operating
systems and servers. Include which services should be running on which networks,
account management policies, password management policies, messaging, database, anti-
virus, host-based intrusion detection, and firewall policies.
4. Physical security: Define how buildings and card-key readers should be secured, where internal cameras should be installed, how visitors should be handled, and what inventory rules and regulations your shipping and receiving staff should follow. Though this might seem a bit afield of a discussion of IT security, remember that no organization is secure from attack unless it is physically secure too.
5. Incident handling and response: Specify what procedures to follow in the event of a
security breach or incident. Include policies such as how to evaluate a security incident,
how the incident should be reported, how the problem should be eradicated, and what
key personnel your organization should engage in the process.
6. Behavior and acceptable use policies: Stipulate what type of behavior is expected of
employees and your management team, and what forms and documents need to be read,
reviewed, filled out, and followed. Employees should be required to read and sign the
acceptable use policy so that management has the option to take disciplinary action in the
event that the policy is violated.
7. Security training: Define a security training plan for key staff who manage day-to-day
security operations in order to sustain your security policy and keep your security staff
current with the latest techniques.
4.5 Steps to design a policy (leoisaac.com)
Step 1: Identify and define the problem or issue that necessitates the development of a policy

The organization also needs to know and understand the purpose of policies and to
recognize that the issue or problem can be effectively dealt with by the creation or modification of a
policy.

Step 2: Appoint a person or person(s) to co-ordinate the policy development process

The policy development process may take place over several months. There needs to be
someone or perhaps a committee who is "driving" the process.

Step 3: Establish the policy development process

The process requires research, consultation and policy writing tasks. The co-ordinator
should develop a plan of what tasks need to be done, by whom and when.

Step 4: Conduct research

• Read policy documents created by other organizations on the same topic
• Research legislation on the Internet
• Conduct a meeting with staff and other people with experience
• Survey participants or a particular group of participants such as coaches
• Read minutes of management committee meetings (if allowed)
• Read other documents such as annual reports or event reports
• Read industry magazines and journals
• Seek legal advice

Step 5: Prepare a discussion paper

The purpose of the discussion paper is to explain the nature of the problem or issue, to summarize the information yielded by research and to suggest a number of policy options. The discussion paper will be an important tool in the process of consultation.

Step 6: Consultation - Stage 1

Circulating the discussion paper to all stakeholders (interested parties) is the first step in the consultation process. It may also be necessary to telephone stakeholders and send notices reminding them to read the discussion paper. It is then important to gain as much feedback from stakeholders as possible. This may be effected through workshops, open meetings, your web site and meetings with individuals. Several months may be required to ensure that this stage of consultation is thorough.
Step 7: Prepare a draft policy

When there has been sufficient time for consultation processes to be completed the next step
is to prepare a draft policy.

Step 8: Consultation - Stage 2

When the draft policy is completed it should be circulated to key stakeholders, published in
the organization’s newsletter and web site, discussed in further meetings and forums. At this stage it
is necessary to seek help from stakeholders to fine tune the wording, clarify meaning and make
adjustments to the policy before it is finalized.

Step 9: Adoption

When the co-ordinator of the policy development process is reasonably satisfied that all issues and concerns about the policy have been aired and dealt with, it is time to finalize the policy. The final policy document needs to be formally adopted by the management of the organization (management committee), with an appropriate record entered into the minutes.

Step 10: Communication

Following formal adoption of the policy it should be communicated far and wide throughout
the organization and stakeholders. Training sessions may need to be conducted to ensure that
organization personnel are fully informed and able to implement the policy. If the policy is not well
communicated it may fail.

Step 11: Review and evaluate

The implementation of the policy should be monitored. The policy may still require further adjustments, and the reasons for the policy's existence may change. A general practice is to set a date for the policy to be reviewed; this might be once a year or once every three years, depending on the nature of the policy.
4.6 Design security policy
Introduction:

This procedure is created so that employees and managers are aware of the full set of steps for protecting information, whether that information is intended to be public or belongs to users of the company's systems.

Scope of Procedure

This procedure applies to all employees, customers, business partners, and suppliers with access to the company's IT systems and data.

Our Procedure

Customer information management processes are designed to ensure that all users of the company's IT systems have the tools and processes to effectively protect customer identities and the data held in those systems.

All system users are required to follow the Company Password Management Procedure.

All system users are required to follow the company's security procedures.

This procedure outlines the responsibilities of both the system user and the service provider.

End User Responsibilities

Anyone with access to the system or data must:

1. Protect all data files from unauthorized access, disclosure, alteration and destruction;
2. Take responsibility for the security, privacy and internal controls of the data they handle, including access controls and permissions;
3. Store and update customer information only through the approved tools; how often records are updated is at the user's discretion within those tools;
4. Encrypt personal information held on the system;
5. Never share customer information with anyone who is not authorized to receive it, for any reason;
6. Follow the fallback and recovery practices when their identity or credentials are exposed or information is leaked;
7. Notify the customer whenever there is reason to believe the customer's information has been exposed.

Service Provider Responsibilities:

1. Encrypt customer information at rest and in transit to protect it;
2. Ensure that all data is kept secure and cannot be accessed by unauthorized parties, whether internal or external;
3. Ensure that there is a password management process that specifies change frequency and complexity in line with best practice;
4. Grant users privileges on the system only through group or role membership;
5. Carry out the procedures for handling lost or compromised information;
6. Freeze user accounts suspected of being used to leak information, and require identity verification before they are reinstated;
7. Notify users when customer information is compromised;
8. Regularly review and re-encrypt information held in information management systems, rotating the encryption keys.

Procedure author – Phan Anh Ly Ly
Procedure owner – Bendigo
Parent policy statement – Information management process
Access (customer public access or employee only access) – Public
Version 1 – 22 Dec, 2020
Changes and reason for changes – Streamlined
5 List the main components of an organizational disaster
recovery plan, justifying the reasons for inclusion.
5.1 Business continuity (searchdisasterrecovery.techtarget.com)

Figure 5: Business continuity.

Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible.

The most basic business continuity requirement is to keep essential functions up and
running during a disaster and to recover with as little downtime as possible. A business continuity
plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks,
cyberattacks and other external threats.

Business continuity is important for organizations of any size, but it might not be practical
for any but the largest enterprises to maintain all functions for the duration of a disaster. According
to many experts, the first step in business continuity planning is deciding what functions are
essential and allocating the available budget accordingly. Once crucial components have been
identified, administrators can put failover mechanisms in place.

Technologies such as disk mirroring enable an organization to maintain up-to-date copies of
data in geographically dispersed locations, not just in the primary data center. This enables data
access to continue uninterrupted if one location is disabled and protects against data loss.

5.2 Components of recovery plan.


Create a disaster recovery team.

The team will be responsible for developing, implementing, and maintaining the DRP. A DRP
should identify the team members, define each member’s responsibilities, and provide their contact
information. The DRP should also identify who should be contacted in the event of a disaster or
emergency. All employees should be informed of and understand the DRP and their responsibility if
a disaster occurs.

Identify and assess disaster risks.

Your disaster recovery team should identify and assess the risks to your organization. This
step should include items related to natural disasters, man-made emergencies, and technology
related incidents. This will assist the team in identifying the recovery strategies and resources
required to recover from disasters within a predetermined and acceptable timeframe.

Determine critical applications, documents, and resources.

The organization must evaluate its business processes to determine which are critical to the
operations of the organization. The plan should focus on short-term survivability, such as
generating cash flows and revenues, rather than on a long-term solution of restoring the
organization’s full functioning capacity. However, the organization must recognize that there are
some processes that should not be delayed if possible. One example of a critical process is the
processing of payroll.

Specify backup and off-site storage procedures.

These procedures should identify what to back up, by whom, how to perform the backup,
where backups are stored and how frequently backups should occur. All critical applications, equipment,
and documents should be backed up. Documents that you should consider backing up are the latest
financial statements, tax returns, a current list of employees and their contact information,
inventory records, customer and vendor listings. Critical supplies required for daily operations, such
as checks and purchase orders, as well as a copy of the DRP, should be stored at an off-site location.
At least one backup copy should be offline or immutable, so that ransomware or an attacker who
reaches the production systems cannot also destroy the backups, and restores should be rehearsed,
since a backup that has never been restored is not known to work.

Test and maintain the DRP.

Disaster recovery planning is a continual process, as the risks of disasters and emergencies are
always changing. It is recommended that the organization routinely test the DRP to evaluate the
procedures documented in the plan for effectiveness and appropriateness. The recovery team
should regularly update the DRP to accommodate changes in business processes, technology,
and evolving disaster risks.

5.3 Steps required in disaster recovery process (eccouncil.org)


Step 1: Set Clear Recovery Objectives

The primary motive for developing a disaster recovery plan is to reduce downtime
and the cost of data loss. Set key objectives with an RTO (Recovery Time Objective) and an RPO (Recovery
Point Objective), so that you can build an optimal data recovery plan. These two parameters determine
how quickly recovery must start and how often data must be backed up.
The RTO is the maximum tolerable time between the disruption and the restoration of the
service; it bounds how long the recovery procedure may take. The RPO is the maximum tolerable
amount of data loss, expressed as time: the age of the most recent usable backup at the moment of the
incident. An RPO of six hours therefore requires a successful backup at least every six hours, and a
backup job that fails silently breaks the RPO even if the schedule looks correct.
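The backup procedure in section 5.2 (what to back up, how often, and where) and the RTO/RPO objectives above are only meaningful if someone checks the backup history against them. The following script is an added example, not part of the original assignment or of any Bendigo procedure: it parses a constructed backup log, reports the data-loss window an incident at a given time would cause, flags schedule gaps that already violate the RPO, checks a restore time against the RTO, and verifies a restored artifact against the SHA-256 digest recorded at backup time. The log format, job name, timestamps, targets and digests are all constructed for illustration (the first digest is that of the bytes b"test").

```python
"""Check a backup history against RPO/RTO targets and verify a restored artifact.

Added example, not part of the original assignment. Log format, job name,
timestamps, targets and digests are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <job> <result> <sha256 of backup set>".
# The first digest is SHA-256 of the bytes b"test"; the others are placeholders.
SAMPLE_LOG = """\
2020-12-20T00:00:00 payroll-db success 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2020-12-20T06:00:00 payroll-db success 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
2020-12-20T12:00:00 payroll-db failed  -
2020-12-20T18:00:00 payroll-db success fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9
2020-12-21T00:00:00 payroll-db success 4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa8
"""


def parse_backup_log(text):
    """Parse log lines into dicts; failed runs are kept so that gaps stay visible."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, job, result, digest = line.split()
        entries.append({"time": datetime.fromisoformat(stamp), "job": job,
                        "ok": result == "success", "sha256": digest})
    return entries


def last_good_backup(entries, incident_time):
    """Most recent successful backup taken at or before the incident, or None."""
    good = [e for e in entries if e["ok"] and e["time"] <= incident_time]
    return max(good, key=lambda e: e["time"]) if good else None


def rpo_exposure(entries, incident_time, rpo):
    """Return (last_good_entry, data_loss_window, within_rpo).

    Everything written between the last restorable backup and the incident is
    lost. Failed runs do not count, which is how a silently failing job breaks
    an RPO while the schedule still looks correct.
    """
    last = last_good_backup(entries, incident_time)
    if last is None:
        return None, None, False
    loss_window = incident_time - last["time"]
    return last, loss_window, loss_window <= rpo


def schedule_gaps_exceeding_rpo(entries, rpo):
    """Gaps between consecutive successful backups longer than the RPO.

    An incident anywhere inside such a gap would have violated the RPO, so
    this is the check to run on the history routinely, not only after a loss.
    """
    good = sorted(e["time"] for e in entries if e["ok"])
    return [(a, b, b - a) for a, b in zip(good, good[1:]) if b - a > rpo]


def rto_met(declared_at, restored_at, rto):
    """True if service was restored within the RTO of the disaster declaration."""
    return restored_at - declared_at <= rto


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, expected_hex):
    """Integrity check of a restored backup set against the digest logged at
    backup time (constant-time comparison out of habit)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def run_checks(log_text, incident_iso, restored_iso, rpo_hours, rto_hours):
    """Run every check on one log and return plain values for reporting."""
    entries = parse_backup_log(log_text)
    rpo, rto = timedelta(hours=rpo_hours), timedelta(hours=rto_hours)
    incident = datetime.fromisoformat(incident_iso)
    restored = datetime.fromisoformat(restored_iso)
    last, loss, within_rpo = rpo_exposure(entries, incident, rpo)
    gaps = schedule_gaps_exceeding_rpo(entries, rpo)
    return {
        "last_good_backup": last["time"].isoformat() if last else None,
        "data_loss_hours": loss.total_seconds() / 3600 if loss is not None else None,
        "within_rpo": within_rpo,
        "schedule_gaps_hours": [g.total_seconds() / 3600 for _, _, g in gaps],
        "rto_met": rto_met(incident, restored, rto),
    }


if __name__ == "__main__":
    # Incident at 15:00 with a 6 h RPO and 4 h RTO; the 12:00 job failed, so
    # the last restorable backup is 06:00 and 9 h of payroll data are lost.
    report = run_checks(SAMPLE_LOG, "2020-12-20T15:00:00", "2020-12-20T19:00:00", 6, 4)
    for key, value in report.items():
        print(f"{key}: {value}")
    entries = parse_backup_log(SAMPLE_LOG)
    print("restored artifact intact:", verify_artifact(b"test", entries[0]["sha256"]))
```

The point of the gap check is that the RPO is violated by the history, not by the incident: the 06:00 to 18:00 gap created by the failed job is a breach regardless of whether anything went wrong that day, and it is the kind of finding the regular DRP test in section 5.2 should surface.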

Step 2: Identify Involved Professionals

There should be a clear identification of all the included personnel, including internal and
external members. The DRP should have documented information on how and when to contact each
member. It should also cover their assigned responsibilities in detail.

Also, having a pre-approved budget for resources (recovery tools and services) will help ease the
flow and build a successful disaster recovery plan.

Step 3: Draft Detailed Documentation of the Network Infrastructure

A step-by-step guide to the network configuration will help with the execution of the data
recovery process. A holistic blueprint of the current network infrastructure ensures proper
rebuilding and recovery of the entire system. Detailed documentation increases the chances of
successfully reconstructing damaged network infrastructure.

It is advisable to keep copies of the documentation both offline and in storage that does not
depend on the infrastructure being recovered, such as a private cloud, so that the plan is still
reachable when the primary network or directory is down. Either way, the documents should be easy
for all involved personnel to access.

Step 4: Choose Your Data Recovery Technique

There are many types of data recovery solutions, such as hard drive recovery, RAID recovery,
tape recovery, optical recovery, and more. Selecting the right one for your organization is critical. To
choose one of these solutions, consider the requirements of the organizations – on-premise,
outsourced, or cloud-based DRaaS (Disaster recovery as a service).

Each data recovery method has its set of capabilities, making it costly or bringing it within
your budget. There are a few factors that affect the cost of recovery solutions – storage capacity,
recovery timeline, and configuration complexity.

Step 5: Explicitly Define an Incident Criteria Checklist

Every organization faces temporary outages, but not every incident should trigger the
disaster recovery procedure. No organization would carry out a full recovery for a brief
electricity outage, but if the outage is caused by a natural disaster, the incident needs to be
treated as a potential disaster.

Creating an all-inclusive checklist for identifying a disaster will help the recovery team to
execute the DRP as quickly as possible.
This checklist will differ for every organization, depending on its goals and budget for data
recovery. Whether to follow the checklist strictly is also up to each organization.

Step 6: Document Your Entire Disaster Recovery Procedure

After an incident has been identified as a disaster, a documented set of
procedures helps in carrying out the disaster recovery strategy. The DRP should be in accordance
with the already established RTO and RPO targets. Both automated and manual processes included
in the plan should be neatly documented for maximum efficiency of the DRP.

It is important that at the end of the disaster recovery procedure, all the recovered data
is in an operational state.

Step 7: Regularly Test Your DRP

Your DRP can fall flat if not tested regularly. A thoroughly tested plan is reliable and has a
higher chance of giving effective results. For a functional DRP, all the included steps should be
routinely tested.

The entire disaster recovery team should participate in these tests. Playing real-time
scenarios of data loss and cyberattacks helps the team to stay ready for the unexpected event.

Step 8: Keep Updating Your Recovery Plan

As the company grows, the DRP needs to be updated. If your DRP goes through
regular testing, there is a fair chance that you will come across limitations in your
existing plan. Keep eliminating these flaws so that the plan stays aligned with your
company's requirements. Also, keep a log of every change made to the DRP.

The list of involved members should change as the staff changes. New members should
be trained and assigned their responsibilities as soon as possible. This step will help your DRP to
evolve with time.

Disasters are unavoidable, but having a disaster recovery plan helps limit potential damage,
get back to operational mode quickly, and lower the cost of the damage. To learn how to stay
operational at the time of another WannaCry or Hurricane Maria, check out the EC-Council Disaster
Recovery Professional (E|DRP) program. The program is developed by industry experts and
follows regulatory and compliance standards such as NFPA 1600 and the NICE framework, among
others. It is a hands-on program, which ensures that you gain all the technical skills of a trained
disaster recovery professional.
5.4 Explain some of the policies and procedures that are required for business
continuity.
5.5 Business continuity policy.
A business continuity policy is the set of standards and guidelines an organization enforces
to ensure resilience and proper risk management. Business continuity policies vary by organization
and industry and require periodic updates as technologies evolve and business risks change.

The goal of a business continuity policy is to document what is needed to keep an organization
running on ordinary business days as well as in times of emergency. When the policy is well-defined
and clearly adhered to, the company can set realistic expectations for business continuity and
disaster recovery (BC/DR) processes. This policy can also be used to determine what went wrong so
the problems can be addressed. Ultimately, a business continuity policy is created and enforced at
the organization's discretion, following its industry and compliance requirements.

While business continuity policies are different for every company, they all include basic
components. Key components of business continuity policy include staffing, metrics and standard
requirements.

Internal staffing in a business continuity policy should outline the roles and responsibilities
of department heads, corporate management liaisons and members of the BC/DR team. It may also
include external personnel such as vendors, stakeholders and customers. Keeping track of everyone
involved in and affected by the business continuity policy is a key to ensuring compliance.

Common metrics in a policy may include key performance indicators (KPIs) and key risk
indicators (KRIs). KPIs are used by corporate executives and managers to analyze crucial functions
and processes required to meet goals and performance targets. KRIs measure the likelihood of an
event affecting the company, and so help in planning risk management.

The International Organization for Standardization and the British Standards Institution
issue common business continuity standards, ISO 22301 being the current international standard for
business continuity management systems. These standards are occasionally updated, so changes
should be monitored.

5.6 Important policy considerations.


The primary thing to consider when crafting a business continuity policy is the particular
risks an organization is likely to face. Is the company in an area that frequently has hurricanes or
other major weather events? Is there a geopolitical element that could bring failures? Have there
been problems with ransomware or other malware in the past that need particular attention?
Organizations should take all these factors into account when creating a business continuity policy.

A risk assessment is a reliable method of figuring out potential threats and determining their
likelihood. A risk assessment identifies potential hazards and provides ways to reduce the impact of
them on the business. Similar to a business continuity policy, risk assessments differ, but follow
general steps:

• Identify the hazards;
• Determine what or who could be harmed;
• Evaluate the risks and create control measures;
• Record the findings;
• Review and update the assessment.

Along with a risk assessment, conducting a business impact analysis (BIA) can help form the
backbone of a business continuity policy. A BIA determines the effects of a potential disaster on an
organization by finding existing vulnerabilities. Though similar to a risk assessment, a BIA often
takes place first, and focuses primarily on the business impact and meeting recovery time and
recovery point objectives.

Business continuity policy oversight and verification is another element to be aware of, if
there are legal requirements that must be followed. Leadership, such as a company executive, may
be designated as a liaison to the BC/DR team, coordinating efforts to resolve any compliance issues.
The BC/DR team itself may be placed in charge of verifying policy compliance, along with any
necessary internal departments. Along with setting the procedures and staffing, the BC/DR team
should regularly verify policy compliance.

If non-compliance with the policy is found, corporate management may be brought in
to address it.

5.7 When to bring in a vendor


While creating a business continuity policy is a company decision, taking a look at BC/DR
vendors and what services they provide can help the process. Managed BC/DR vendors can take
some of the work out of an organization's hands and help facilitate tests of a business continuity
strategy.

With the wider availability of the cloud, disaster recovery as a service (DRaaS) is a popular
BC/DR option. DRaaS comes in all shapes and sizes, which makes it an appealing option when
deciding on a BC/DR plan. Able to handle minor issues to major disasters, DRaaS is a fairly universal
method to implement.

Major DRaaS providers include Acronis, Amazon Web Services, Axcient, IBM, Unitrends,
VMware and Zerto.
5.8 Business continuity policy vs. business continuity plan
A business continuity policy and business continuity plan (BCP) have a lot in common, in that
they address all of the unique requirements and preparations for an organization to maintain
continuity. They both serve different purposes within the organization, however. While the policy
outlines the standards to be followed and benchmarks to be met, a plan maps out from beginning to
end how the organization will get through an event. Business continuity policy information should
be included in the business continuity plan, but as a separate entity.
6 INDEX OF COMMENTS