
UNIT 5

Security

ASSIGNMENT

No.2

Learner’s name: Võ Thị Quỳnh Như

Assessor name: Ho Hai Van

Class: GCS0801A

Learner’s ID: GCS18612

Subject’s ID: 1623

Assignment due: May 3, 2020 Assignment submitted: May 3, 2020

Assessment Brief 2

Qualification BTEC Level 5 HND Diploma in Computing

Unit number Unit 5: Security

Assignment title Security Presentation

Academic Year 2019 – 2020

Unit Tutor Ho Hai Van

Issue date May 3, 2020
Submission date May 3, 2020

IV name and date Võ Thị Quỳnh Như

Submission Format
The submission is in the form of two documents/files:

1. A ten-minute Microsoft® PowerPoint® style presentation to be presented to your colleagues. The presentation can include links to performance data with additional speaker notes and a bibliography using the Harvard referencing system. The presentation slides for the findings should be submitted with speaker notes as one copy.
2. A detailed report that provides more thorough, evaluated or critically reviewed technical information on all of the topics.

You are required to make use of the font Calibri, Font size 12, Line spacing 1.5, Headings,
Paragraphs, Subsections and illustrations as appropriate, and all work must be supported
with research and referenced using the Harvard referencing system.

Unit Learning Outcomes

LO1 Assess risks to IT security.
LO2 Describe IT security solutions.
LO3 Review mechanisms to control organizational IT security.
LO4 Manage organizational security.

All business organizations should continuously monitor their computer networks to block unauthorized access and other kinds of attack. It is also important to establish a secured network and security support system for the following reasons:

1. To protect client data and information
2. To keep shared data safe and secure
3. To protect computer systems from harmful spyware
4. To comply with ethical responsibilities and regulatory requirements
5. To increase network performance

Network security and a support system are among the most vital factors to consider, no matter how big or small a business organization is.

Assignment Brief and Guidance


SCENARIO:

You work as an IT Security Specialist for APPLE Corporation and, as part of your role, you have been asked to prepare a presentation to help junior staff members understand the tools and techniques associated with identifying and assessing IT security risks, together with the organizational policies to protect business-critical data and equipment.

Prepare a presentation that will include:

1. Security legislation, types of security risks, the organizational security procedure and the methods used to assess and treat security risk. Also, in your report, provide solutions and the management associated with operating effective IT security procedures.

2. Describe IT security solutions by giving a review of different security technologies, supported with the tools and software used to develop effective IT security practice in an organization. Identify the potential impact on IT security of incorrect configuration of firewall policies and third-party VPNs. Your report should clearly show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security. Your report should be summarized by discussing three benefits of implementing network monitoring systems, with supporting reasons.

“Having organizational policies related to IT security is essential”.

3. Review mechanisms to control organizational IT security: discuss risk assessment procedures and explain data protection processes and regulations as applicable to an organization's IT security audits.

4. List and justify the main components in a company disaster recovery plan.
Choose a company of your choice and evaluate the suitability of the tools used in their
security policy. Based on your findings, design a security policy and discuss with the
management the implementation process.

For this task, you should define the business continuity planning and testing process. This process involves the procedures for backup/restoration of data and security audits. In addition, you should provide testing procedures for an organization's data, network, and systems.

Assessment Criteria

LO3: Review mechanisms to control organizational IT security

Pass:
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organization.

Merit:
M3 Summarize the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organizational security resulting from an IT security audit.

Distinction:
D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.

LO4: Manage organizational security

Pass:
P7 Design and implement a security policy for an organization.
P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.

Merit:
M5 Discuss the roles of stakeholders in the organization to implement security audit recommendations.

Distinction:
D3 Evaluate the suitability of the tools used in an organizational policy.

Content
P5 Discuss risk assessment procedures .......................................................................................................... 4
P6 Explain data protection processes and regulations as applicable to an organization ................. 10
P7 Design and implement a security policy for an organization .............................................................. 12
P8 List the main components of an organizational disaster recovery plan, justifying the reasons
for inclusion ............................................................................................................................................................ 18
References ............................................................................................................................................................... 19

P5 Discuss risk assessment procedures


What are RISK ASSESSMENT PROCEDURES?

Risk assessment procedures are the audit procedures performed to obtain an understanding of
the entity and its environment, including the entity's internal control, to identify and assess the
risks of material misstatement, whether due to fraud or error, at the financial statement and
relevant assertion levels.

The risk assessment procedure can best be illustrated in the following way:

Figure 1: Risk assessment procedure
Step 1: Identify Hazards

WHS legislation in New South Wales requires that PCBUs, in consultation with workers, identify all potentially hazardous things or situations that may cause harm. In general, hazards are likely to be found in the following:

- Physical work environment

- Equipment, materials or substances used

- Work tasks and how they are performed

- Work design and management

In order to identify hazards, the following are recommended:

Past incidents/accidents should be examined to see what happened and whether the incident/accident could occur again.

Employees should be consulted to find out what they consider to be safety issues, i.e. ask workers about hazards and near misses they have encountered as part of their work. Sometimes a survey or questionnaire can help workers provide information about workplace hazards.

Work areas or work sites should be inspected or examined to find out what is happening now. Identified hazards should be documented to allow further action. The work environment, tools and equipment, as well as tasks and procedures, should be examined for risks to WHS.

Information about equipment (e.g. plant, operating instructions) and Material Safety Data Sheets should be reviewed to determine relevant safety precautions.

Creative thinking about what could go wrong should be welcomed, i.e. what hazardous event could take place here?

Step 2: Assess Risks

Risk assessment involves considering the possible results of someone being exposed to a
hazard and the likelihood of this occurring. A risk assessment assists in determining:

- How severe a risk is

- Whether existing control measures are effective

- What action should be taken to control a risk

- How urgently action needs to be taken.

A risk assessment should include:

Identify factors that may be contributing to the risk

Review readily available resources from an authoritative source that are relevant to the particular hazard.

Assess the severity of harms.

Evaluation of how a hazard may cause harm. This includes examining how work is completed,
whether existing control measures are in place and whether they control the harm, looking at
infrequent/abnormal situations as well as standard operating situations. A chain of events related
to a risk may need to be considered.

Determining the likelihood of harm occurring. The level of risk will increase as the likelihood of
harm and its severity increases. The likelihood of harm occurring may be affected by how often
the task is completed, in what conditions, how many people are exposed to the hazard and for
what duration.

Identify the actions necessary to eliminate or control the risk.

Identify records that it is necessary to keep to ensure that the risks are eliminated or controlled.

Other risk factors should also be identified as they may contribute to the risk including:

The work premises and the working environment, including their layout and condition.

The capability, skill, experience and age of people ordinarily undertaking work.

The systems of work being used.

The range of reasonably foreseeable conditions.

The risk assessment process is conducted by reviewing any available information about the risk (e.g. laws, industry codes of practice or risk documentation) and by drawing on experience. Your own knowledge of the type of harm that could occur, and how it could be caused, also feeds into the assessment. When determining how one or more important documents are at risk of being leaked, the following factors must be considered:

Are there any other risk factors that increase the likelihood of a new product design document, or another document, being leaked?

How often do you fix security holes?

How many people are exposed to this document?

How great is the level of exposure?

At Apple, we require managers and supervisors to identify hazards, assess the risks of harm resulting from exposure to the hazards and set a priority for corrective action by using a clearly laid out process. The process is as follows:

Identified hazards are placed on the Risk Assessment and Control Form.

A Risk Category Table (below) is then used to categorize the type of risk to the company.

The Risk Ranking Matrix is used to assess the likelihood and the severity or consequences of
each hazard and to give it a “risk rating”.

Figure 2: Risk Rating Matrix example


Step 3: Controlling Risks

Once a risk rating is determined, each hazard must have its existing risk control measures
evaluated using the Evaluation of Control Effectiveness Table. This allows for determination of
any additional requirement necessary.

Figure 3: Evaluation of Control Effectiveness Table


Step 4: Implement additional risk controls.

Having identified hazards at your workplace, assessed their risks and reviewed existing control measures, all hazards must be managed before they cause damage to the factory, property or environment.

Managing workplace risks means eliminating risks so far as is reasonably practicable in the first instance. If elimination is not possible, then the risk should be minimized, so far as is reasonably practicable.

All assessed hazards should be handled in order of priority. The most effective control option(s) should be selected to eliminate or minimize risks. The control hierarchy (see diagram below) ranks control options from the highest level of protection and reliability to the lowest. This should be used to determine the most effective control(s).

Step 5: Monitor and Review.

Risk identification, risk assessment and control is an ongoing process. Therefore, regularly review the effectiveness of your risk assessment and control measures, at least once a year. Make sure you carry out hazard identification and risk assessment whenever there is a change in the workplace, including when working systems, tools, machines or equipment change. Provide additional supervision when new employees with lower skill or knowledge levels are introduced to the work. The effectiveness of control measures can be checked through regular evaluation as well as consultation with workers.

Maintain records to support the risk management process. They are useful when performing audits or follow-up risk assessments, as they demonstrate the decision-making process and record the controls that were implemented.
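The five steps above as a small Python risk register, added here as a worked example that is not part of the original report: hazards get a likelihood and severity rating, the Risk Ranking Matrix turns them into a risk rating, the existing control is evaluated, and the register is ordered for treatment. The 5x5 rating bands, the control-effectiveness scale and the hazards are constructed, since Figures 2 and 3 are not reproduced on the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Severity(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


# Constructed 5x5 matrix bands: (name, lowest likelihood*severity score in the band).
RATING_BANDS = (("Extreme", 15), ("High", 8), ("Medium", 4), ("Low", 0))
RATING_ORDER = {name: rank for rank, (name, _) in enumerate(reversed(RATING_BANDS))}
# Constructed control-effectiveness scale; a higher number means a weaker control.
CONTROL_WEAKNESS = {"effective": 0, "partially effective": 1, "ineffective": 2, "none": 3}


def risk_rating(likelihood: Likelihood, severity: Severity) -> str:
    """Step 2: Risk Ranking Matrix, likelihood x severity mapped to a rating band."""
    score = int(likelihood) * int(severity)
    for name, floor in RATING_BANDS:
        if score >= floor:
            return name
    return "Low"


@dataclass
class Hazard:
    name: str
    likelihood: Likelihood
    severity: Severity
    existing_control: str = "none"   # key of CONTROL_WEAKNESS

    def rating(self) -> str:
        return risk_rating(self.likelihood, self.severity)

    def treatment(self) -> str:
        """Step 3: decide whether the existing control leaves the risk acceptable."""
        weak = CONTROL_WEAKNESS[self.existing_control]
        if self.rating() in ("Extreme", "High") or (self.rating() == "Medium" and weak > 0):
            return "implement additional controls"
        return "accept and monitor"


def prioritize(hazards):
    """Step 4: highest-rated hazards first; within a band, the weakest existing
    control first. The sort is stable, so ties keep their register order."""
    return sorted(hazards,
                  key=lambda h: (RATING_ORDER[h.rating()], CONTROL_WEAKNESS[h.existing_control]),
                  reverse=True)


def sample_register():
    """Constructed register for the document-leak scenario discussed in the text."""
    return [
        Hazard("design document leaked by e-mail", Likelihood.LIKELY, Severity.MAJOR, "partially effective"),
        Hazard("staff credentials phished", Likelihood.POSSIBLE, Severity.MAJOR, "effective"),
        Hazard("unpatched workstation compromised", Likelihood.ALMOST_CERTAIN, Severity.MODERATE, "ineffective"),
        Hazard("unencrypted laptop lost", Likelihood.POSSIBLE, Severity.MODERATE, "effective"),
        Hazard("visitor tailgates into office", Likelihood.RARE, Severity.MINOR, "none"),
    ]


if __name__ == "__main__":
    for h in prioritize(sample_register()):
        print(f"{h.rating():8} {h.existing_control:20} {h.treatment():30} {h.name}")
```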

Why is a risk assessment important?


Risk assessments are very important as they form an integral part of an occupational health and
safety management plan. They help to:

Create awareness of hazards and risk.

Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).

Determine whether a control program is required for a particular hazard.

Determine if existing control measures are adequate or if more should be done.

Prevent injuries or illnesses, especially when done at the design or planning stage.

Prioritize hazards and control measures.

Meet legal requirements where applicable.

Hierarchy of Controls

Figure 4: Hierarchy of Controls


The hierarchy of hazard control is a system used in industry to minimize or eliminate exposure to hazards. It is a widely accepted system promoted by numerous safety organizations. This concept is taught to managers in industry, to be promoted as standard practice in the workplace. Various illustrations are used to depict this system, most commonly a triangle.
The hazard controls in the hierarchy are, in order of decreasing effectiveness:

P6 Explain data protection processes and regulations as applicable to an organization


What is the General Data Protection Regulation?

To quickly summarize, GDPR is a regulation on data protection which applies to data subjects
within the European Union (EU). GDPR gives control to EU data subjects in regards to how their
data is processed, stored, or transmitted. The ripple effect of GDPR reaches to all corners of the
globe, making this legislation applicable to organizations outside of the EU, many of which are
based in the U.S.

Now, let’s explore some key GDPR technical controls that need to be in place to ensure your
organization is ready for GDPR:

1. Identity and Access Management (IDAM)

Getting proper IDAM controls in place allows access to personal data to be limited to approved employees. IDAM's two main principles, division of duties and least privilege, help ensure that workers only have access to the information or programs that are necessary for their job function.

What does that mean with respect to GDPR? Access is given only to those who need access to
personal information to perform their job. In this case, privacy training should be available to all
individuals to ensure that the purpose intended for personal data collection is preserved.

2. Data Loss Prevention (DLP)

DLP is applicable to GDPR and helps avoid personal data loss.

Technical safeguards such as DLP tools are important in preventing breaches. Under GDPR, organizations are responsible for the loss of any personal data they acquire, whether they control or process that personal information. Incorporating DLP controls adds a security layer by preventing the transfer of personal data outside of the network.

3. Encryption & Pseudonymization

Pseudonymization is a data protection and de-identification method by which one or more artificial identifiers, or pseudonyms, replace the personally identifying fields within a data record. For each substituted field or set of substituted fields, a single pseudonym makes the data record less identifiable while keeping it suitable for data analysis and data processing.

Pseudonymization may be one way of fulfilling the European Union's current General Data Protection Regulation standards for safe storage of personal data. Pseudonymized data can be restored to its original state by adding back the information that re-identifies people, while anonymized data can never be restored to its original state.
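The distinction just made, as an added worked example in Python that is not from the original report: identifying fields are replaced with keyed pseudonyms and a separately held lookup table restores them, while anonymization drops them for good. The customer records, the key and the field names are constructed.

```python
import hashlib
import hmac
import secrets

IDENTIFYING_FIELDS = ("name", "email", "phone")


def new_pseudonym_key() -> bytes:
    """Secret key for the pseudonym function; kept apart from the data set."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed replacement: the same person gets the same pseudonym in
    every record (so analysis can still group by it), but without the key nobody
    can compute or reverse the mapping. The field name is mixed in so the same
    value in two different fields maps to two different pseudonyms."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:16]}"


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Replace identifying fields; record pseudonym -> original in `lookup`, the
    additional information that later allows re-identification."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            p = pseudonym(key, field, out[field])
            lookup[p] = out[field]
            out[field] = p
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore the original values: only possible for whoever holds the lookup table."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def anonymize(record: dict) -> dict:
    """Drop identifying fields entirely: nothing is kept that could restore them."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def spend_per_customer(records) -> dict:
    """Analysis still works on pseudonymized data: total purchases per customer."""
    totals = {}
    for r in records:
        totals[r["email"]] = totals.get(r["email"], 0) + r["purchase"]
    return totals


SAMPLE_RECORDS = [  # constructed customer data
    {"name": "Jane Doe", "email": "jane@example.com", "phone": "+84 900 000 001", "purchase": 42},
    {"name": "Jane Doe", "email": "jane@example.com", "phone": "+84 900 000 001", "purchase": 18},
    {"name": "John Roe", "email": "john@example.com", "phone": "+84 900 000 002", "purchase": 7},
]

if __name__ == "__main__":
    key, lookup = new_pseudonym_key(), {}
    pseudo = [pseudonymize(r, key, lookup) for r in SAMPLE_RECORDS]
    print(pseudo[0])
    print(spend_per_customer(pseudo))
    print(reidentify(pseudo[0], lookup))
    print(anonymize(SAMPLE_RECORDS[0]))
```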

4. Incident Response Plan (IRP):

A successful IRP covers processes such as planning, identification, containment, eradication, recovery and lessons learned. But what happens if an incident occurs and personal data may have been compromised?

There are basic GDPR criteria for an incident response from the company. Requirements for
disclosure of violations are probably the most important in the law. Under GDPR, "In the case of
a possible data violation affecting personal details, an organization shall contact the Data
Protection Agency without undue delay, within 72 hours if practicable, upon being informed of
the violation; and shall without undue delay report high-risk infringements to the data subjects
involved" (GDPREU.org).

5. Third-Party Risk Management

If an organization entrusts a processor or sub-processor with the processing of personal data, and a breach occurs, who is liable?

Quick answer: Liability for all!

Processors are bound by their controller’s instructions. However, GDPR compliance also obliges processors to take an active role in the protection of personal data. Regardless of instructions from the controller, the processor of personal data must follow GDPR and can be held liable for any incident involving loss of, or unauthorized access to, personal data. Sub-processors also need to comply with GDPR, based on each contractual relationship established between a processor and sub-processor.

As you can see, GDPR cybersecurity compliance is just as important for third-party relationships
as it is internally for an organization as long as those third parties process, store, or transmit
personal data of EU data subjects.

6. Policy Management

Policy management is an essential part of any organization.

Policies communicate an organization’s mission and values. They help maintain standards, set
expectations and minimize potential risks and liabilities.

An organization’s policy and procedure manual lay the foundation for operational excellence.
When properly managed, policies set expectations, provide a direction for decisions, and hold
employees accountable.

P7 Design and implement a security policy for an organization
1. Network Security Policy

Identifying Settings Related to Password Policies

A password policy is a set of rules designed to enhance computer security by encouraging users
to employ strong passwords and use them properly. A password policy is often part of an
organization's official regulations and may be taught as part of security awareness training.
Either the password policy is merely advisory, or the computer systems force users to comply
with it. Some governments have national authentication frameworks that define requirements for
user authentication to government services, including requirements for passwords.

Many policies require a minimum password length. Eight characters is typical but may not be
appropriate. Longer passwords are generally more secure, but some systems impose a
maximum length for compatibility with legacy systems.

Some policies suggest or impose requirements on what type of password a user can choose,
such as:

The use of both upper-case and lower-case letters (case sensitivity)

Inclusion of one or more numerical digits

Inclusion of special characters, such as @, #, $

Prohibition of words found in a password blacklist

Prohibition of words found in the user's personal information

Prohibition of use of company name or an abbreviation

Prohibition of passwords that match the format of calendar dates, license plate numbers,
telephone numbers, or other common numbers

Complexity and regular changes.

The key points of these are:

Verifiers should not impose composition rules e.g., requiring mixtures of different character types
or prohibiting consecutively repeated characters

Verifiers should not require passwords to be changed arbitrarily or regularly e.g. the previous 90
day rule

Passwords must be at least 8 characters in length

Password systems should permit subscriber-chosen passwords at least 64 characters in length.

All printing ASCII characters, the space character, and Unicode characters should be acceptable
in passwords

When establishing or changing passwords, the verifier shall advise the subscriber that they need
to select a different password if they have chosen a weak or compromised password

Verifiers should offer guidance such as a password-strength meter, to assist the user in
choosing a strong password

Verifiers shall store passwords in a form that is resistant to offline attacks. Passwords shall be
salted and hashed using a suitable one-way key derivation function. Key derivation functions
take a password, a salt, and a cost factor as inputs then generate a password hash. Their
purpose is to make each password guessing trial by an attacker who has obtained a password
hash file expensive and therefore the cost of a guessing attack high or prohibitive.
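A password verifier that applies the key points above, added here as an example and not part of the original report: length rather than composition rules, any printable or Unicode character accepted, rejection of blocklisted, company-derived, personal and date/phone-like choices, and storage as a salted PBKDF2 hash with a cost factor. The company term "apple" is taken from the assignment scenario; the blocklist, the NFKC normalization step and the iteration count are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

MIN_LENGTH = 8            # the minimum stated in the policy above
MAX_LENGTH = 128          # at least 64 must be accepted; this verifier allows more
KDF_ITERATIONS = 600_000  # PBKDF2 cost factor (assumption); raise it as hardware gets faster
COMPANY_TERMS = ("apple",)   # assumption: the organisation name from the scenario
# Constructed blocklist; a deployment would load a list of known-compromised passwords.
BLOCKLIST = {"password", "12345678", "qwertyui", "letmein1", "iloveyou"}
DATE_OR_PHONE = re.compile(r"^\d{6,}$|^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$")


def normalize(password: str) -> str:
    """NFKC so visually identical Unicode input always produces the same bytes
    (assumption: normalization is applied before every check and every hash)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, personal_info=()) -> list:
    """Return the reasons a chosen password must be rejected (empty list = acceptable).
    No composition rules are imposed; spaces and Unicode are fine."""
    pw = normalize(password)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if any(not ch.isprintable() for ch in pw):
        reasons.append("contains non-printing characters")
    if low in BLOCKLIST:
        reasons.append("found in blocklist")
    if any(term in low for term in COMPANY_TERMS):
        reasons.append("contains company name")
    if any(info and info.lower() in low for info in personal_info):
        reasons.append("contains personal information")
    if DATE_OR_PHONE.match(pw):
        reasons.append("looks like a date or phone number")
    return reasons


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything verification needs."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost factor; constant-time comparison."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Password", "Apple2020!", "0912345678", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "acceptable")
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```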

Deploy the Password Policy:

Figure 5: Password Policy
After this policy is applied, passwords must be complex and at least 7 characters long, so password security is very high.

2. Device Security

A layer of protection keeps your mobile devices safe and your organization compliant.

Laptops. Phones. Tablets. These devices allow your employees to work from anywhere,
anytime. But they also increase your vulnerability for a data breach or cyberattack. We provide
an extra level of security for your company and employee-owned devices—and the valuable
information that’s on them.

a. Lock your sensitive data

Our data encryption tools protect files and folders with a password to prevent sensitive
information from ending up in the wrong hands when a device is lost or stolen. Encryption helps
keep your organization compliant with privacy and security requirements.

b. Protect devices from online threats

Defend against threats that target iOS and Android operating systems. Our anti-virus software
protects mobile devices from untrusted apps and advertisements that could contain harmful
malware, ransomware and viruses.

c. Lower BYOD Risks

Your company-issued devices might be secure, but what about personal devices that employees
use to access your organization’s systems and data? Bring Your Own Device security solutions
allow you to apply organizational safeguards to employee-owned devices.

3. Internet Access

We need Internet access policy to block websites that are not suitable for work or business, to
avoid interference with employee focus. Access to the internet must be based on the nature of
the work of each employee in each company. The Internet builds its own network topology and
connects itself to various important corporate assets, such as servers, accounts, etc., so it must
be properly filtered and monitored.

4. VPN Policy

Given the current exceptional situations worldwide, using one of the best VPNs is extremely
important for any modern business which has a flexible and mobile workforce.

A VPN helps you protect business data by keeping the company network and internet connection secure, which in turn allows you to ensure and maintain high levels of privacy and security.

This is especially helpful in the world of small businesses, which usually have limited resources
to devote to managing security. Fortunately, there are business VPNs out there which are a
breeze to set up and manage, plus they can be scaled to fit the organization’s needs as it grows.

5. Firewall Rules Policy

When a user connects to an untrusted, publicly accessible network like the Internet, they open a major gateway for future attacks. One of the simplest methods of protecting against network abuse is to use firewalls at the boundary of the network, because it is important to shield private networks and networking facilities. The firewall rules policy ranges from the choice of firewall type to how network resources are exposed:

Where a dedicated server must be reachable, an application proxy firewall should be installed between the external user and the dedicated server to mask the identity of the internal host.

Second, where the requirement is traffic filtering based on source and destination IP address and port, a packet filtering firewall is very helpful, and also preserves transmission speed.

On the other hand, when speed is not the main concern, a stateful inspection firewall at the network boundary is the appropriate choice, as it dynamically validates each connection before forwarding packets.

Moreover, NAT should also be employed, as it complements the use of firewalls by providing an extra measure of security for an organization’s internal network, in particular helping to prevent DDoS and SYN flooding attacks.

If you need a higher degree of control, use IP packet filtering to prevent specific IP addresses from connecting to your systems.

6. Port Communication Policy

Communication ports, inbound or outbound, for unnecessary services on workstations must be kept in the blocked state, apart from essential services such as HTTP and HTTPS, because it is frequently observed that ports opened needlessly for several services make it easy for an attacker to breach the system. Such measures can be applied by the system administrator at the firewall as the first line of defense. Hence, a workstation that communicates directly with the internet must be limited to authorized communication services and ports for inbound connections.

7. Intrusion Policy

An IDS should be deployed for anomaly detection and monitoring of unauthorized access; as the outermost line of defense, a firewall or antivirus alone is not sufficient. The security administrator must constantly check system and security log files for anything suspicious. Moreover, use an advanced antivirus product with built-in IDS/IPS capability to watch for inappropriate auditing rights, elevated privileges, incorrect group membership, altered permissions, registry changes, inactive users and much more. Most importantly, host IDS software is configured on top of an OS, but network IDSs are increasingly being deployed as hardware appliances for performance reasons.

8. Remote Connection Policy

Data security is becoming a vital issue as more organizations establish network links between their employees to share information and increase productivity. As personnel increasingly prefer to work from home, security begins with a terminal session between an authorized user and a remote host on a network, in which the user can perform all functions as if they were physically at the remote host. At the same time, mismanagement of user credentials can lead to exploitation too. Hence, direct access to an organization’s critical servers or systems via remote login or the SSH utility should be strictly restricted, with exceptions only for authorized users. Encrypted access, however, could be permissible.

9. DMZ Policy

Certain systems or servers, for instance e-mail, web servers, databases, etc., that need to be reachable from the public internet must be deployed on a dedicated subnet which separates the internal systems from the outside, because publicly accessible systems come directly under attack by hackers. A potential attack against critical systems can be undermined, or its impact made negligible, by placing them in the segregated network behind the firewall.
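The firewall rules, port communication and DMZ policies above, modelled as a first-match, default-deny packet filter in Python; this is an added example, not configuration from the original report. The three zones (internet, DMZ, internal LAN), the addresses and the service ports (3128 for the proxy, 5432 for the database) are constructed, and the catch-all rule at the end shows the misconfiguration the assignment brief warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str = "any"
    dports: tuple = ()     # empty tuple = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (not self.dports or p.dport in self.dports))


# Constructed addressing: documentation and private ranges, not a real deployment.
ANY = "0.0.0.0/0"
DMZ, LAN = "192.0.2.0/24", "10.0.0.0/24"
WEB, PROXY, DB = "192.0.2.10/32", "192.0.2.11/32", "10.0.0.20/32"

POLICY = [
    Rule("allow", ANY, WEB, "tcp", (80, 443)),      # public web server: HTTP/HTTPS only
    Rule("allow", WEB, DB, "tcp", (5432,)),         # web tier -> database, one port only
    Rule("deny", DMZ, LAN),                         # nothing else crosses DMZ -> internal
    Rule("allow", LAN, PROXY, "tcp", (3128,)),      # workstations browse via the proxy
    Rule("allow", PROXY, ANY, "tcp", (80, 443)),    # only the proxy talks to the internet
]


def decide(packet: Packet, policy=POLICY):
    """First matching rule wins; anything unmatched is denied (default deny), so
    every port not explicitly authorized stays blocked."""
    for index, rule in enumerate(policy):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


# The misconfiguration the brief warns about: a catch-all allow placed first
# makes every later restriction unreachable.
MISCONFIGURED = [Rule("allow", ANY, ANY)] + POLICY


def audit_shadowed_rules(policy):
    """Return indexes of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            covers_ports = not earlier.dports or (
                later.dports and set(later.dports) <= set(earlier.dports))
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and covers_ports):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    probes = [Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # internet -> web, HTTPS
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # internet -> web, SSH
              Packet("192.0.2.11", "10.0.0.20", "tcp", 5432),    # proxy -> database
              Packet("10.0.0.5", "203.0.113.5", "tcp", 443)]     # workstation bypassing proxy
    for p in probes:
        print(p, "->", decide(p), "| misconfigured:", decide(p, MISCONFIGURED))
    print("shadowed rules in MISCONFIGURED:", audit_shadowed_rules(MISCONFIGURED))
```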

10. Secure Communication Policy

Data that passes through many devices on the network, including switches and routers, in unencrypted form is vulnerable to many attacks such as spoofing, SYN flooding, sniffing, data alteration and session hijacking. Although you are not in control of the devices that your data might pass over, you can secure the sensitive data itself or, to some extent, secure the communication channel so that the data is not accessible. Hence, ciphering techniques such as SSL/TLS, IPsec, PGP and SSH can encrypt all kinds of communication, such as HTTP, POP3, IMAP and FTP; SSL packets can pass through firewalls, NAT servers and other network devices without any special consideration other than making sure the proper ports are open on the device. If data needs to be transmitted over a network securely, there are some security initiatives one needs to take to mitigate the risk of an attack:

Authenticate the identity of people (and/or computers) who will send packets

Make sure that the data will not be tampered with (no MITM attack encountered)

Ensure that the data will not be read by any unauthorized individual between you and the
source.

11. Proxy Server Policy

A proxy server typically resides between the server and the user, and can be used for both offensive and defensive purposes. When deploying a proxy server, the following checklist must be satisfied:

Logging facility should be enabled for all services

Never allow the proxy to accept outside connection.

The proxy must be running with most up-to-date patches and software.

12. Wireless LAN Policy

To stop possible abuse of the wireless network, proper user authentication should be ensured, along with the replacement of WEP and an anomaly tracking mechanism on the wireless LAN. Moreover, 802.11i security measures such as TKIP and CCMP should be employed for encryption. At the same time, the following list of suspicious events on a wireless LAN should always be considered for intrusion detection:

Beacon frames from unsolicited access point

Flood of unauthenticated frames (MITM attack)

Multiple incorrect SSID on closed network

Frames with duplicated MAC address.

Randomly changing MAC address
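Detectors for the five suspicious events just listed, run over a constructed wireless sensor log; this is an added example, not code from the original report. The access-point inventory, the network SSID, the thresholds and the frame records are all constructed, and "randomly changing MAC address" is detected as a burst of never-before-seen source addresses.

```python
from collections import defaultdict, deque

AUTHORIZED_APS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # constructed AP inventory
NETWORK_SSID = "corp-wlan"                  # closed network: the SSID is not broadcast
AUTH_FLOOD_THRESHOLD, AUTH_FLOOD_WINDOW = 10, 5.0    # auth frames per source per window (s)
WRONG_SSID_THRESHOLD = 3                    # distinct wrong SSIDs probed by one client
SEQ_REGRESSION_THRESHOLD = 2                # backwards jumps before a MAC counts as duplicated
MAC_CHURN_THRESHOLD, MAC_CHURN_WINDOW = 5, 60.0      # new source addresses per window (s)


def frame(t, ftype, src, bssid="", ssid="", seq=None):
    """One decoded 802.11 frame as a dict (constructed input format)."""
    return {"t": t, "type": ftype, "src": src, "bssid": bssid, "ssid": ssid, "seq": seq}


def detect(frames):
    """Return a list of (event, detail) alerts; each distinct alert is reported once."""
    alerts, flagged = [], set()
    auth_times = defaultdict(deque)      # src -> timestamps of recent auth frames
    wrong_ssids = defaultdict(set)       # src -> wrong SSIDs it probed for
    last_seq, regressions = {}, defaultdict(int)
    seen, first_seen = set(), deque()    # MAC churn bookkeeping

    def alert(event, detail):
        if (event, detail) not in flagged:
            flagged.add((event, detail))
            alerts.append((event, detail))

    for f in frames:
        t, src = f["t"], f["src"]
        # Beacon frames from an access point that is not in the inventory (rogue AP).
        if f["type"] == "beacon" and f["bssid"] not in AUTHORIZED_APS:
            alert("rogue-ap", f["bssid"])
        # Flood of authentication frames from one source inside a sliding window.
        if f["type"] == "auth":
            q = auth_times[src]
            q.append(t)
            while t - q[0] > AUTH_FLOOD_WINDOW:
                q.popleft()
            if len(q) > AUTH_FLOOD_THRESHOLD:
                alert("auth-flood", src)
        # Several wrong SSIDs probed on the closed network (SSID guessing).
        if f["type"] == "probe_req" and f["ssid"] not in ("", NETWORK_SSID):
            wrong_ssids[src].add(f["ssid"])
            if len(wrong_ssids[src]) >= WRONG_SSID_THRESHOLD:
                alert("ssid-guessing", src)
        # Duplicated MAC: one radio's 12-bit sequence counter only moves forward
        # (mod 4096); repeated backwards jumps mean two senders share the address.
        seq = f.get("seq")
        if seq is not None:
            prev = last_seq.get(src)
            if prev is not None and 0 < (prev - seq) % 4096 < 2048:
                regressions[src] += 1
                if regressions[src] >= SEQ_REGRESSION_THRESHOLD:
                    alert("duplicated-mac", src)
            last_seq[src] = seq
        # Randomly changing MAC addresses show up as a burst of never-seen sources.
        if src not in seen:
            seen.add(src)
            first_seen.append(t)
            while t - first_seen[0] > MAC_CHURN_WINDOW:
                first_seen.popleft()
            if len(first_seen) > MAC_CHURN_THRESHOLD:
                alert("mac-churn", src)
    return alerts


def sample_frames():
    """Constructed sensor log: one legitimate AP, one rogue AP, an auth flood,
    SSID guessing, a duplicated station address and a burst of random addresses."""
    fr = [frame(0.0, "beacon", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", NETWORK_SSID),
          frame(1.0, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "Free WiFi")]
    fr += [frame(2.0 + i * 0.1, "auth", "66:66:66:66:66:01", "aa:bb:cc:00:00:01")
           for i in range(12)]
    fr += [frame(5.0 + i, "probe_req", "11:22:33:44:55:66", ssid=s)
           for i, s in enumerate([NETWORK_SSID, "corp", "corp-guest", "corp-wifi"])]
    fr += [frame(10.0 + i, "data", "11:22:33:aa:bb:cc", "aa:bb:cc:00:00:01", seq=s)
           for i, s in enumerate([100, 101, 20, 102, 21, 103, 22])]
    fr += [frame(300.0 + i, "probe_req", f"02:00:00:00:00:{i:02x}") for i in range(6)]
    return fr


if __name__ == "__main__":
    for event, detail in detect(sample_frames()):
        print(f"{event:15} {detail}")
```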

P8 List the main components of an organizational disaster recovery plan, justifying the
reasons for inclusion
Hurricane season is upon us and while we’ve been pretty lucky the past few years, the threat of a major storm is still looming. While you don’t necessarily need to start boarding up your windows or raiding Publix for water and batteries, you do need to start thinking proactively about how you’re preparing your business for a potential major hurricane. In the past, hurricanes have left businesses down for days or weeks, cutting out phone service and electricity and wiping out servers and workstations. Ensuring that your assets, data and hardware are protected is only part of a disaster recovery plan; the rest is determining a process for how quickly you can be back up and running. Rather than scrambling to put the pieces back together after a major storm, it’s time to put a plan in place. Here are the seven key elements of a business disaster recovery plan.

Communication plan and role assignments.

When it comes to a disaster, communication is of the essence. A plan is essential because it puts all employees on the same page and clearly outlines all communication. Documents should hold up-to-date contact information for every employee, and employees should understand exactly what their role is in the days following the disaster. Tasks like setting up workstations, assessing damage, redirecting phones and so on will need to be assigned if you don’t have some sort of technical resource to help you sort through everything.

Plan for your equipment.

It’s important that you have a plan for how to protect your equipment when a major storm is approaching. You’ll need to get all equipment off the floor, moved into a room with no windows and wrapped securely in plastic to ensure that no water can get to the equipment. It’s obviously best to completely seal equipment to keep it safe from flooding, but in cases of extreme flooding this sometimes isn’t an option.

Data continuity system.

As you create your disaster recovery plan, you’ll want to explore exactly what your business
requires in order to run. You need to understand exactly what your organization needs
operationally, financially, with regard to supplies, and with communications. Whether you’re a
large consumer business that needs to fulfill shipments and communicate with their customers
about those shipments or a small business to business organization with multiple employees –
you should document what your needs are so that you can make the plans for backup, business
continuity and have a full understanding of the needs and logistics surrounding those plans.

Backup check.

Make sure that your backup is running and include running an additional full local backup on all
servers and data in your disaster preparation plan. Run them as far in advance as possible and
make sure that they’re backed up to a location that will not be impacted by the disaster. It is also
prudent to place that backup on an external hard drive that you can take with you offsite, just as
an additional measure should anything happen.

Detailed asset inventory.

In your disaster preparation plan, you should have a detailed inventory of workstations, their
components, servers, printers, scanners, phones, tablets and other technologies that you and
your employees use on a daily basis. This will give you a quick reference for insurance claims
after a major disaster by providing your adjuster with a simple list (with photos) of any inventory
you have.

Pictures of the office and equipment (before and after prep).

In addition to the photos that you should have of individual inventory items, you’ll want to take
photos of the office and your equipment to prove that those items were actively in use by your
employees and that you exercised the necessary diligence in moving your equipment out of harm’s way
to prepare for the storm.

Vendor communication and service restoration plan.

After a storm passes, you’ll want to be running again as quickly as possible. Make sure that you
include vendor communication as part of your plan. Check with your local power provider to
assess the likelihood of power surges or outages while damage is repaired in the area. You’ll
also want to include checking with your phone and internet providers on restoration and access.

These considerations are a great foundation for a complete disaster recovery plan, but make
sure that you are paying attention to the details within each section of your plan. The logistics of
testing backups and performing as many backups as possible before the storm are just as important
as the finer details of how you’ll communicate with vendors, account for your assets
and ensure that you’re back up and running as quickly as possible. If you’re a little overwhelmed
by these details, you can engage an external resource to help you put a disaster plan
in place so that you’re prepared for any storms that might come your way this hurricane season.
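The backup check above asks for two things that are easy to script rather than eyeball: the latest backup set is fresh enough, and every file in it still matches the checksum recorded when it was written. The following is an added example written for this section, not part of the assignment; the manifest.json layout, file names and sample contents are assumptions.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so a large backup does not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir, max_age_hours=24, now=None):
    """Return (ok, problems). Assumed layout: backup_dir holds the files plus a
    'manifest.json' mapping file name -> SHA-256 recorded when the backup ran."""
    now = time.time() if now is None else now
    manifest_path = Path(backup_dir, "manifest.json")
    if not manifest_path.is_file():
        return False, ["manifest.json missing: nothing verifiable here"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    # Freshness: the plan wants backups run as close to the event as possible.
    age_hours = (now - manifest_path.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f}h old (limit {max_age_hours}h)")
    # Integrity: every file must exist and still match its recorded checksum.
    for name, expected in manifest.items():
        path = Path(backup_dir, name)
        if not path.is_file():
            problems.append(f"{name}: missing from backup set")
        elif sha256_of(path) != expected:
            problems.append(f"{name}: checksum mismatch (corrupt or altered)")
    return not problems, problems


def make_sample_backup(corrupt=False):
    """Build a constructed demo backup set in a temp dir (sample data only)."""
    d = Path(tempfile.mkdtemp())
    files = {"db.sql": b"CREATE TABLE orders (id INT);\n", "config.ini": b"[app]\nname=demo\n"}
    for name, content in files.items():
        Path(d, name).write_bytes(content)
    manifest = {n: hashlib.sha256(c).hexdigest() for n, c in files.items()}
    Path(d, "manifest.json").write_text(json.dumps(manifest))
    if corrupt:  # simulate silent corruption that only the checksum reveals
        Path(d, "db.sql").write_bytes(files["db.sql"] + b"\x00")
    return str(d)
```

Run `verify_backup` against the copy taken offsite as well as the local one; a stale or mismatching result is the cue to re-run the backup before the storm, not after.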
