Asm2-Môn Security


Higher Nationals in Computing

UNIT 5

SECURITY
ASSIGNMENT
No.2

Learner’s name: Huynh Nhat Nam

Assessor name: Dang Thai Doan

Class: GCS0805_NX

Learner’s ID: GCS190293

Subject’s ID: 1623

Assignment due: December, 2020

Assignment submitted: December, 2020


ASSESSMENT BRIEF
Qualification BTEC Level 5 HND Diploma in Computing

Unit number Unit 5: Security

Assignment title Assignment 2

Academic Year 2019 – 2020

Unit Tutor Dang Thai Doan

Issue date December 2020

Submission date December 2020

IV name and date Dang Thai Doan December 2020

Submission Format

Part 1
The submission is in the form of an individual written report. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of
headings, paragraphs, subsections and illustrations as appropriate, and all work must be supported
with research and referenced using the Harvard referencing system. Please also provide a
bibliography using the Harvard referencing system. The recommended word limit is 2,000–2,500
words, although you will not be penalised for exceeding the total word limit.
Part 2
The submission is in the form of a policy document (please see details in Part 1 above).
Part 3
The submission is in the form of an individual written reflection. This should be written in a concise,
formal business style using single spacing and font size 12. You are required to make use of
headings, paragraphs and subsections as appropriate, and all work must be supported with research
and referenced using the Harvard referencing system. Please also provide a bibliography using the
Harvard referencing system. The recommended word limit is 250–500 words, although you will not
be penalised for exceeding the total word limit.

Page 1 of 39

Unit Learning Outcomes

LO3: Review mechanisms to control organisational IT security.

LO4: Manage organisational security

Assignment Brief and Guidance

You work for a security consultancy as an IT Security Specialist.

A manufacturing company “FPT Bike” in Ho Chi Minh City making bicycle parts for export has called
your company to propose a Security Policy for their organization, after reading stories in the media
related to security breaches, etc. in organizations and their ramifications.

Part 1

In preparation for this task you will prepare a report considering:

The security risks faced by the company.

How data protection regulations and ISO risk management standards apply to IT security.

The potential impact that an IT security audit might have on the security of the organization.

The responsibilities of employees and stakeholders in relation to security.

Part 2

Following your report:

You will now design and implement a security policy.

While considering the components to be included in disaster recovery plan for Wheelie good, justify
why you have included these components in your plan.

Part 3

In addition to your security policy, you will evaluate the proposed tools used within the policy and
how they align with IT security. You will include sections on how to administer and implement these
policies.

Learning Outcomes and Assessment Criteria

LO3 Review mechanisms to control organisational IT security

Pass:
P5 Discuss risk assessment procedures.
P6 Explain data protection processes and regulations as applicable to an organisation.

Merit:
M3 Summarise the ISO 31000 risk management methodology and its application in IT security.
M4 Discuss possible impacts to organisational security resulting from an IT security audit.

Distinction:
D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

LO4 Manage organisational security

Pass:
P7 Design and implement a security policy for an organisation.
P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.

Merit:
M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.

Distinction:
D3 Evaluate the suitability of the tools used in an organisational policy.

ASSIGNMENT FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Dec 2020

Date Received 1st submission Dec 2020

Re-submission Date

Date Received 2nd submission

Student Name Huynh Nhat Nam

Student ID GCS190293

Class GCS0805_NX

Assessor name Dang Thai Doan

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences
of plagiarism. I understand that making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback: Resubmission Feedback:

Grade: Assessor Signature: Dang Thai Doan Date: December 2020


Signature & Date:

Table of Contents
Introduction: ......................................................................................................................... 8
P5. Discuss risk assessment procedures .................................................................................. 8
What is a Risk assessment? ............................................................................................................8
What is the goal of Risk assessment?..............................................................................................8
Likelihood or probability: ...............................................................................................................9
For example: ........................................................................................................................................................9
Another example: ..............................................................................................................................................10
Summary: .................................................................................................................................... 10
P6. Explain data protection processes and regulations as applicable to an organization ....... 10
Process of data protection: .......................................................................................................... 10
Explain data protection regulations: ............................................................................................. 14
P7. Design and implement a security policy for an organization ........................................... 14
Design: ........................................................................................................................................ 14
1 GENERAL .........................................................................................................................................................14
2 RISK ASSESSMENT AND RISK MANAGEMENT.................................................................................................16
3. SECURITY MEASURE POLICIES .......................................................................................................................17
4. RISKS AND WEAKNESSES ...............................................................................................................................19
5. CHANGE MANAGEMENT ...............................................................................................................................20
Implement (Step by step): ............................................................................................................ 21
1.Identify risks ...................................................................................................................................................21
2.Learn from others ...........................................................................................................................................21
3.Make sure the policy conforms to legal requirements ..................................................................................21
4.Level of security = level of risk........................................................................................................................21
5.Include staff in policy development ...............................................................................................................21
6.Train employees .............................................................................................................................................22
7.Get it in writing ...............................................................................................................................................22
8.Set clear penalties and enforce them .............................................................................................................22
9.Update employees .........................................................................................................................................22
10.Install the tools you need .............................................................................................................................22

P8. List the main components of an organizational disaster recovery plan, justifying the
reasons for inclusion ............................................................................................................ 23
Communication plan and role assignment .................................................................................... 23
Outline a disaster recovery plan protocol for employees............................................................... 23
Backup data................................................................................................................................. 23
Take inventory of all assets .......................................................................................................... 24
Monitoring and logging operations of information technology systems ......................................... 24

Time recovery .............................................................................................................................. 24
M3. Summarize the ISO 31000 risk management methodology and its application in IT
security ............................................................................................................................... 25
Benefits that ISO 31000 brings: .........................................................................................................................26
In brief summary: ..............................................................................................................................................26
The process of applying ISO 31000 in IT security includes the following steps:................................................27

M4. Discuss possible impacts to organizational security resulting from an IT security audit .. 31
M5. Discuss the roles of stakeholders in the organization to implement security audit
recommendation ................................................................................................................. 32
The identification of key stakeholders and their interests is important in: ..................................... 32
Benefits of stakeholder plans: ...................................................................................................... 32
Recommendation: ....................................................................................................................... 34
Conclusion: .......................................................................................................................... 35
Evaluation: .......................................................................................................................... 36
References ........................................................................................................................... 37

Introduction:
As an IT Security Specialist, in this report I will give you information and knowledge
about:

➢ Risk assessment (including examples)
➢ Data protection processes
➢ ISO 31000 standards and how to apply them
➢ Stakeholders
➢ Possible impacts to organizational security resulting from an IT security audit

Furthermore, I will show how I design and implement a security policy for my organization
(FPT BIKE). I also give some recommendations to the business and discuss the roles of stakeholders in
an organization in implementing security audit recommendations.

P5. Discuss risk assessment procedures


What is a Risk assessment?
Risk assessment is a term used to describe the overall process or method where you:

➢ Identify hazards and risk factors that have the potential to cause harm (hazard
identification).
➢ Analyze and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).
➢ Determine appropriate ways to eliminate the hazard, or control the risk when the
hazard cannot be eliminated (risk control).

What is the goal of Risk assessment?


The aim of the risk assessment process is to evaluate hazards, then remove that hazard or
minimize the level of its risk by adding control measures, as necessary. By doing so, you have
created a safer and healthier workplace.

The goal is to try to answer the following questions:

➢ What can happen and under what circumstances?

➢ What are the possible consequences?
➢ How likely are the possible consequences to occur?
➢ Is the risk controlled effectively, or is further action required?

A risk assessment is a thorough look at your workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyze and evaluate how likely and severe the risk is. When this determination is made, you can
next decide what measures should be in place to effectively eliminate or control the harm from
happening (Ccohs.ca, 2020).

Ccohs.ca. 2020. Risk Assessment : OSH Answers. [online] Available at:
<https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html> [Accessed 30
November 2020].

Likelihood or probability:
There are few certainties in this world, and risk management is no exception. The greater the
vulnerability, the greater the chance that a threat will be carried out.

Quantitative and qualitative assessment are the two basic ways in which likelihood can be
estimated. A quantitative estimate may be gained from previously recorded information such as
statistical data, whereas a qualitative assessment is more subjective and depends on opinions
rather than facts.

For example:
Companies who produce anti-virus software can point to the large number of viruses which their
products can scan for and remove, from which one can conclude that without anti-virus software,
the risk of infection is high.

On the other hand, one does not need to know the exact number of incidents to be aware that
the likelihood of a breach of confidentiality or integrity is high without proper password
protection. Both methods of assessment have their place. The important thing is that likelihood
assessments are carried out according to agreed criteria.

Meanwhile, the impact of the risk actually happening is perhaps the most important concept that
needs to be considered. It is this potential impact which has to be managed properly. If the
impacts are small and irrelevant then there is no need to take further action but instead just
monitor it every so often.

Another example:
When an ATM cash dispenser breaks down, the impact would usually be low, especially if it is only
one machine in the bank's network that fails.

On the other hand, if the potential impact could be the loss of vital company information, then
more appropriate countermeasures need to be considered. As far as businesses are concerned,
the impact on the organization and its daily activities are usually the crucial consideration and
will often warrant further measures being taken.

The business impacts of realized threats include the loss of confidentiality, integrity and
availability, and frequently lead to financial loss, inability to trade, brand damage, loss of
customer confidence, etc.

Summary:
A risk assessment is a thorough look at your workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyze and evaluate how likely and severe the risk is. When this determination is made, you can
next, decide what measures should be in place to effectively eliminate or control the harm from
happening.
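The procedure above (identify, analyse likelihood and impact, evaluate, control) carried through in code, as an added example that is not part of the original report. It supports both likelihood methods the text describes, quantitative (an annualised loss expectancy from recorded rates) and qualitative (an ordinal rating from opinion), and evaluates each risk against the board-accepted residual risk figure given in section 2.1.2 of the policy below; the ordinal scales, the qualitative cut-off of 6 and all sample figures are assumptions constructed for this example.

```python
"""Risk assessment worked example for the P5 procedure (constructed for this
report; not the report's own code). It carries the text's steps through in code:
identify a risk, analyse likelihood and impact (quantitatively from recorded
statistics or qualitatively from expert rating), evaluate against what the
organisation accepts, and decide whether to monitor or treat it."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scales for qualitative assessment (1 = lowest, 5 = highest); assumed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Board-accepted residual risk, taken from section 2.1.2 of the policy (EEK).
ACCEPTED_RESIDUAL_RISK = 250_000
# Highest qualitative score (likelihood x impact, 1..25) that is merely monitored.
# The value 6 is an assumption for this example.
ACCEPTED_RATING = 6


@dataclass
class Risk:
    name: str
    # Quantitative inputs: expected occurrences per year and loss per occurrence.
    annual_rate: Optional[float] = None
    loss_per_event: Optional[float] = None
    # Qualitative inputs: ratings on the scales above.
    likelihood: Optional[str] = None
    impact: Optional[str] = None

    def ale(self) -> Optional[float]:
        """Annualised loss expectancy = rate x single loss; None without data."""
        if self.annual_rate is None or self.loss_per_event is None:
            return None
        return self.annual_rate * self.loss_per_event

    def rating(self) -> Optional[int]:
        """Qualitative score = likelihood x impact; None without ratings."""
        if self.likelihood is None or self.impact is None:
            return None
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk, accepted_ale: float = ACCEPTED_RESIDUAL_RISK,
             accepted_rating: int = ACCEPTED_RATING) -> str:
    """Risk evaluation step: 'treat' when either method exceeds the accepted
    level, 'monitor' when it does not, 'insufficient data' when neither
    method has inputs (the identification step is not finished)."""
    ale, score = risk.ale(), risk.rating()
    if ale is None and score is None:
        return "insufficient data"
    too_costly = ale is not None and ale > accepted_ale
    too_severe = score is not None and score > accepted_rating
    return "treat" if too_costly or too_severe else "monitor"


def assess_register(register: List[Risk]) -> Dict[str, str]:
    """Evaluate every risk in a register; returns name -> decision."""
    return {r.name: evaluate(r) for r in register}


# Constructed sample register using the report's own examples; the figures
# are illustrative only.
SAMPLE_REGISTER = [
    # The text's low-impact example: one ATM in a network fails.
    Risk("ATM cash dispenser breaks down", likelihood="likely", impact="negligible"),
    # Loss of vital company information, estimated from recorded statistics.
    Risk("Loss of vital company information", annual_rate=0.2, loss_per_event=2_000_000),
    # Malware without anti-virus: ALE stays under the threshold but the
    # qualitative rating still calls for treatment.
    Risk("Malware infection without anti-virus", annual_rate=12, loss_per_event=5_000,
         likelihood="almost certain", impact="moderate"),
    # Identified but not yet analysed.
    Risk("Interception of oral communication"),
]

if __name__ == "__main__":
    for name, decision in assess_register(SAMPLE_REGISTER).items():
        print(f"{name:40s} -> {decision}")
```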

P6. Explain data protection processes and regulations as applicable to an organization
Data protection is the process of safeguarding important information from corruption,
compromise or loss.

Process of data protection:


1. Evaluate network security risk

Once you have an inventory of all the data your organization holds, you need to assess the risks that
this data may encounter:

➢ In case of network security incidents …
➢ In case of natural disasters such as fires and earthquakes

After identifying the risks to the data that needs protecting, you need to assess the security
of your organization's network system. This will tell you exactly which security risks exist, and which
are likely to occur, for the organization's network in general and for its data security in particular.
From there, implement patching measures, protect the system, or deploy security solutions that suit
the organization's architecture, finances and requirements.

2. Raise awareness about data security for employees

One of the greatest potential hazards to an organization's data security is the human factor.
Therefore, training employees and raising their awareness of data security is one of the
leading and most effective measures to ensure data safety in your organization.
Enterprises need to organize awareness programs and data security training for the organization and
its network security periodically. This is the most important way to minimize organizational data
breaches and to save on outsourced security services. At the same time, the organization
needs documentation on data security policies and work processes for the use of data
in the company, applying management standards that ensure data safety such as ISO 27001 and PCI
DSS. These documents will also be used for awareness training and to apply data security policies in the
enterprise.

3. Data security administration

Security risks to organization data can occur at any time. Therefore, security measures cannot be
implemented once in a short period of time; they need to be carried out regularly and
continuously. If possible, each organization should have a specialized leader or individual, with
knowledge of security and of the organization's data, who is responsible for monitoring
the implementation of the security measures and processes that ensure data safety. This will help
minimize network security risks for the business and its data.
4. Fix and manage problems

Figure 1

Documented response procedures for security incidents affecting the network and data of the
enterprise are necessary to minimize the damage that network security incidents cause to the
enterprise.
5. Configure the system safely
All internal components (including software and hardware) are configured to meet security policy
requirements and to serve as effective measures to ensure your business data's safety.
6. Ensure the network is divided into separate areas
In case of network security problems, separate network areas help isolate and minimize the
harm caused by network security threats such as enterprise data leakage and malware infection.
Using firewalls between untrusted external network areas (Internet zones) and intranet
zones, together with a DMZ, also helps control access between the different network areas. This
prevents connections from unsafe network areas into secure network areas. Conduct periodic
intrusion testing assessments to ensure that access policies between network areas are always
enforced correctly.
7. Secure organizational data by monitoring network security
Using network monitoring systems both inside and outside the network is essential to help control and
detect network data anomalies early, thus maximizing support for early detection and prevention of
attacks. Common solutions currently used by businesses are IDS (Intrusion Detection System), IPS
(Intrusion Prevention System) and SIEM (Security Information and Event Management) systems.
8. Access control
Policies on decentralization and access control are indispensable for an enterprise's network.
These policies help to control access into and out of the system effectively. Privileged accounts must
be strictly limited to the main systems, the database administrator role, or locking systems. User
activity, especially concerning sensitive information, the data involved and the user's account, must be
logged and strictly managed. At the same time, keep in mind that strong passwords must be set to
protect data.
9. Enhance malware protection
The organization should also implement measures to prevent and protect data against the risk of
malicious code.
10. Update patches regularly
There are more and more new attack methods, so no system can be said to be always safe. Therefore,
updating operating system and software patches is an indispensable job that helps protect
enterprise data and prevents attacks on the enterprise system.
11. Perform encryption
Finally, encrypt data before sending it. This is a necessary step to help protect the safety of the
organization's data.

Www2.deloitte.com. 2020. [online] Available at:
<https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Risk/2012_10_practical_steps_to_data_protection.pdf> [Accessed 30 November 2020].

GoodCorporation. 2020. The Key Steps To Good Data Protection - Goodcorporation. [online]
Available at: <https://www.goodcorporation.com/goodblog/the-key-steps-to-good-data-protection/> [Accessed 30 November 2020].

Explain data protection regulations:
General Data Protection Regulation (GDPR): a regulation in EU law on data protection and
privacy for all individuals within the European Union (EU) and the European Economic
Area (EEA).
Business data protection policies and procedures should be created to suit your specific business.
Although the General Data Protection Regulation makes many changes to the Data Protection
Act principles, it is consistent with the original principles, and therefore any policy that
addresses the original data protection law is a good place to start.

It is important that your policy addresses each of these points and explains how the organization
will ensure each point is met.

That includes how you will ensure data is collected legally, how it is updated if there are any
changes, how your business plans to keep data safe from unauthorized access, how data is deleted
when it is no longer needed, and how you will ensure the data is removed from all systems.

GDPR also adds a new principle, accountability, so the most important thing is that you
articulate your responsibility to enforce these policies in your organization. You will also need
to make sure the document explains how you will ensure your entire staff complies with these
policies, and what processes your business has in place if employees do not comply with the
promulgated policies.

En.wikipedia.org. 2020. General Data Protection Regulation. [online] Available at:
<https://en.wikipedia.org/wiki/General_Data_Protection_Regulation> [Accessed 30 November 2020].

P7. Design and implement a security policy for an organization


Design:

1 GENERAL
1.1 Subject

This security policy involves the security of my organization. It consists of security objectives,
guidelines for their achievement, and overall security management strategy and

implementation of policies on key security mechanisms. Information security policy complies
with EVS-ISO/IEC TR 13335 Guidelines, models and terms, the standards EVS ISO / IEC 2382-
8 and EVS-ISO/IEC TR 13335 are used for information security terms.

1.2 Scope

The security policy is for all subdivisions of my organization and regulates interactions and
relationships with the following subjects:

➢ Partners, customers and subcontractors


➢ State agencies
➢ Media and public

1.3 Goal of security policy

The security policy establishes the guidelines and procedures in the scope of assets that
organization employees are required to know and comply with as a primary means of
achieving security goals. Security policy is the base for planning, design, execution and
management of security.

1.4 Security Objectives

1.4.1 Security of assets must be maintained to the extent that organization could function
normally and without interruptions in the case of most probable threats, to achieve its
business goals.
1.4.2 Security measures must be economically justified and their disruptive effect to
Yellow Chicken operations and staff must be as small as possible.
1.4.3 Asset availability, integrity and confidentiality must conform to an average level of
security.
1.4.4 Compliance to the security legislation (including copyright, personal information,
state laws and regulations and workers health and safety requirements and fire safety

requirements) must be ensured. To meet this requirement, some objects and processes
must be protected with measures above the average level of security if needed.
1.4.5 Due to contractual and similar relationships with partners, security measures above
the average level must be used to meet the requirements of objects and processes where
appropriate. When preparing the contracts, resource costs for additional security must
be taken into account and the security measures must be economically justified.

1.5 Principles of security

1.5.1 General security methodology is based on the standards EVS-ISO/IEC 27001 and
EVS-ISO/IEC 17799.

1.5.2 The baseline for electing, deployment and management of security measures is ISKE
that is compiled from German Information Security Agency's (BSI) baseline security. The
term 'secure' in the following text means the compliance to ISKE baseline security
measures.

1.5.3 Assets usage permissions are granted to the workers on the basis of work-related
needs.

1.5.4 For any asset there is some individual responsible for it.

2 RISK ASSESSMENT AND RISK MANAGEMENT

2.1 Acceptable residual risk

2.1.1 Acceptable residual risk is decided once a year.

2.1.2 Organization board accepts the residual risk of 250 000 EEK for 2019.

2.2 Testing of security conformance

2.2.1 External audit is performed when necessary, but not less frequently than once every
three years.

2.2.2 Security Council performs an internal audit to check the conformance to baseline
security at least once a year.

2.2.3 Security Council members test the conformance of security to the security policy at
random at least once a month.

2.3 Insurance

2.3.1 Under the present conditions, insurance is not economically justified for
organization.

3. SECURITY MEASURE POLICIES

The implementation and management of basic security mechanisms must comply with the
following policies and guidelines.

3.1 Access policy

3.1.1 IT role set must have at least 3 levels for access to data: no access, read-only, read-write.

3.1.2 IT user roles are defined by IT system features and from the structure of IT
management.

3.1.3 Access to resources is role-based, according to job requirements.

3.2 Cryptography policy

3.2.1 The minimum acceptable key length for symmetric encryption is 256 bits.

3.2.2 The minimum allowable key length for using an asymmetric cryptographic system is
1024 bits.

3.2.3 All confidential data on computers being carried outside the company perimeter
(laptops, computers of home workers), all confidential data on hard disks must be
encrypted. Encryption keys must be duplicated in a safe backup.

3.2.4 For accessing internal network resources across the public network and for the
transmission of confidential data across public network, only secure connections must be
used: VPN connections, SSL / HTTPS connections, and encrypted mail messages.

3.3 Password management

3.3.1 Access passwords must be changed at least twice a year.

3.3.2 System, network and other administrative passwords must be stored in written form
in a safe.

3.4 Removal policy

3.4.1 To delete state secret or highly confidential data from disk, secure deletion must be
used.

3.4.2 All unnecessary paper documents with confidential data must be destroyed with a
shredder.

3.4.3 Retired and / or discarded from archive storage media must be destroyed physically.

3.5 Work environment

3.5.1 No real data must be used for testing and demos.

3.5.2 New software must be tested before use and confirmed to be suitable.

3.6 Legality policy

3.6.1 All assets must be acquired legally.

3.6.2 All uses of the assets should be legal.

4. RISKS AND WEAKNESSES

For planning, implementation and management of security, the following risks will be considered
typical, and security measures should be based on this selection.

4.1 Spontaneous risks

➢ Fire
➢ Thunderstorm
➢ Water and fire extinguishing damages, including storm water, emergency pipelines, etc.
➢ Human error
➢ Fluctuations in power quality and plain blackout
➢ Hardware error
➢ Interruption of external communications
➢ Loss of staff

4.2 Attacks

➢ Theft
➢ Viruses
➢ Penetration into the internal network from public network
➢ Distributed Denial of Service (DDoS)
➢ Sniffing of an internal computer network
➢ Interception of oral communication
➢ Workers' deliberate security breaching behavior, internal attacks

5. CHANGE MANAGEMENT

5.1 Security monitoring

5.1.1 Operative monitoring

5.1.1.1 Security officers should review audit logs at least once a week.

5.1.1.2 On security incidents, possible changes to security needs must be identified.

5.1.1.3 On significant technical, organizational, legal or other internal or external
changes, possible changes to security needs must be identified.

5.1.2 Random security checks

In subunits, the information security must be randomly checked at least once every two
months.

5.1.3 Regular review of security

Must be performed at least once a year.

5.2 Security policy modification

5.2.1 The security policy is changed if the security monitoring results require it.
5.2.2 The security policy is amended if the need arises from the release of a new
version of the baseline security directory.
5.2.3 The Security Council makes the amendments in all cases, within no more than one week.
5.2.4 Security changes resulting from security policy changes are carried out within one month.

Implement (Step by step):
1. Identify risks

The best way to identify risks is through monitoring or reporting tools. Many Internet
security and firewall vendors offer evaluation periods for their products. Such products can
be useful for assessing risk during the evaluation stage if they provide reporting
information.

2. Learn from others

There are many types of privacy policies, so it is important to see what other organizations like
yours are doing. In addition, take the time to talk to sales representatives from different
security software providers; they are always happy to give information.

3. Make sure the policy conforms to legal requirements

One way to minimize the legal liability you may incur in the event of a security breach is to
have a viable security policy documented and applied consistently. Depending on your data,
jurisdiction and location, you may have to comply with certain minimum standards to ensure
the privacy and integrity of your data, especially if your company keeps personal information.

4. Level of security = level of risk

Besides keeping attackers out, you may have few problems with appropriate use because you
have a dedicated staff; a written code of conduct is the most important thing in such cases.
Make sure you don't overprotect yourself, because excessive security can hinder smooth
business operations.

5. Include staff in policy development

Leaders must involve employees in the process of determining appropriate use. No one wants a
policy dictated from above. Keep employees informed as rules are developed and tools are
implemented. People tend to comply more readily when they understand the need for a
responsible privacy policy.

Page 21 of 39
6. Train employees
This is one of the most useful stages. It not only informs employees and helps them understand
the policy, but also lets you discuss what the policy actually means. End users often ask
questions or give examples in a training session, and this can be very rewarding, because these
questions help you identify where the policy needs more detail and improve its usefulness.

7. Get it in writing
Make sure all members have read, understood and signed the policy. For large organizations, use
automated tools to distribute the document electronically and track signatures. Some tools even
provide quiz mechanisms to test users' knowledge of the policy.

8. Set clear penalties and enforce them

Put in place a clear set of procedures that spells out the penalties for violations of the security
policy. The security policy is not a set of voluntary guidelines but a condition of employment.
Then enforce it. A security policy with chaotic compliance is almost as bad as no policy at all.

9. Update employees
People come and go. Databases are created and destroyed. Because the network itself is always
growing, the security policy is a dynamic document. Keeping the security policy updated is
difficult enough, but keeping employees aware of any changes that may affect their daily
activities is even harder. To succeed, open communication is the key.

10. Install the tools you need

Customizable rule sets for Internet content and e-mail security products can ensure that your
policy, no matter how complex, is adhered to. Investing in tools to enforce the security policy
is probably one of the most effective purchases you can make.

P8. List the main components of an organizational disaster recovery plan,
justifying the reasons for inclusion
Communication plan and role assignment
When it comes to a disaster, communication is essential. A plan is essential because it puts all
employees on the same page and clearly outlines all communication. No matter how many
employees you have, keeping in touch is extremely helpful for building a network of trust in
your business. Make sure you can contact each other no matter where you are, so that the
disaster can be handled as soon as it happens. Remote employees should also know the stages
of the disaster recovery plan for procedural purposes, to ensure that everyone sings from the
same hymn sheet.

Outline a disaster recovery plan protocol for employees

All disaster recovery plans must include an employee safety and security protocol for the
different kinds of disaster (fire, storm, intruder, etc.). Assign roles for each type of disaster and
make sure every employee understands the protocol ahead of time.

Be sure to consider the location and priorities of employees when assigning roles. Expecting
staff to assist with the company's recovery while their own homes and families are affected by
the disaster is both reckless and thoughtless. Focus the disaster recovery protocol on getting
local employees to safety, and look at the role of remote workers for the more time-consuming
tasks.

Backup data
Make a list of the data and software that needs to be backed up, classified according to
importance, storage time, backup time, backup method and the time needed to recover the
system from the backed-up data. Data of important information technology systems must be
backed up every day.

Data of important information technology systems must be backed up to external storage media
(such as magnetic tape, hard disk, optical disc or other storage media), stored safely and kept
separately from the area where the backup is performed. Test restoring backup data from the
external storage media at least every six months.

Take inventory of all assets

Digital inventory: make an inventory of hardware and software applications, prioritized in order
of importance. Each item should have the supplier's technical support contract linked to the
appropriate contact information, to allow easy reference when needed.

➢ Physical assets: information technology equipment, communication devices and
equipment for the operation of information technology systems.
➢ Information assets: data and information in digital form, and documents expressed on
paper or by other means.
➢ Software assets: system software, utility software, databases, application programs and
development tools.

The unit makes a list of all IT assets, reviews and updates this list at least once a year.

Monitoring and logging operations of information technology systems

Record and archive logs of the operation of information technology systems and their users,
errors that arise and security incidents of the information technology system. Log data must be
stored online for at least three months and backed up for at least one year. Take measures to
monitor and analyze the logs, warn of risks, and process and report the results. Protect the
logging function and the log information against forgery and unauthorized access.

System administrators and users must not delete or modify the system log records of their own
activities. Time must be synchronized between information technology systems.
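As an added illustration of the log protection requirements above and of the weekly log review in section 5.1.1.1 (this is example code, not part of the report), the following Python script keeps a tamper-evident log chain and applies the three-month online / one-year backup retention rule; every event, timestamp and the reference date are constructed sample data, not real system logs.

```python
"""Tamper-evident log chain plus the retention rule from the plan above:
online for at least three months, backed up for at least one year.
All events below are constructed sample data, not real system logs."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ONLINE_DAYS = 90     # "stored online for at least three months"
ARCHIVE_DAYS = 365   # "backed up for at least one year"
GENESIS = "0" * 64   # link value for the first entry in the chain

# Constructed sample events (ISO timestamp, user, message); assumed, not from the report.
SAMPLE_EVENTS = [
    ("2019-10-01T08:00:00+00:00", "admin", "service restart"),
    ("2020-08-01T12:30:00+00:00", "alice", "failed login x5"),
    ("2020-12-01T10:00:00+00:00", "admin", "firewall rule changed"),
]
# Fixed reference "now" for the retention calculation so the results are repeatable.
NOW = datetime(2020, 12, 8, tzinfo=timezone.utc)


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash of this record chained to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain: List[Dict], record: Dict) -> Dict:
    """Append a record; each entry stores the hash of its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact.
    Editing a record changes its hash; deleting an entry breaks the next link."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def retention_tier(ts: datetime, now: datetime) -> str:
    """online: within 90 days; archive: within one year; expired: may be purged."""
    age = now - ts
    if age <= timedelta(days=ONLINE_DAYS):
        return "online"
    if age <= timedelta(days=ARCHIVE_DAYS):
        return "archive"
    return "expired"


def retention_report(chain: List[Dict], now: datetime) -> Dict[str, int]:
    """Count log entries per retention tier."""
    counts = {"online": 0, "archive": 0, "expired": 0}
    for entry in chain:
        ts = datetime.fromisoformat(entry["record"]["ts"])
        counts[retention_tier(ts, now)] += 1
    return counts


def build_sample_chain() -> List[Dict]:
    """Build the chain from the constructed sample events."""
    chain: List[Dict] = []
    for ts, user, msg in SAMPLE_EVENTS:
        append_entry(chain, {"ts": ts, "user": user, "msg": msg})
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log) is None)        # True
    print("retention:", retention_report(log, NOW))   # {'online': 1, 'archive': 1, 'expired': 1}
    # An administrator silently editing their own entry is detected by the chain check.
    log[2]["record"]["msg"] = "nothing happened"
    print("first bad entry:", verify_chain(log))       # 2
```

The chain only proves that entries were not altered or removed after they were written; it does not stop an attacker who controls the log writer, which is why the report also requires the backup copy on separate media.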

Recovery time
Performing a business impact analysis will help you resolve any weakness in the recovery model
and identify the key elements of your IT infrastructure. This means you can create an appropriate
recovery timeline for your business.

Every second counts in ensuring that critical systems can be restored as quickly as possible.
Determining the acceptable time within which data must be restored after a disaster sets the
maximum time in which the disaster must be addressed. It also helps you identify any weaknesses
in your disaster recovery process, because if the deadlines are not met, there is a potential
problem.

Reineke, N., 2020. 7 Critical Components of Disaster Recovery. [online] Unitrends.
Available at: <https://www.unitrends.com/blog/7-critical-components-of-disaster-
recovery> [Accessed 8 December 2020].

Entech. 2020. 7 Key Elements of A Business Disaster Recovery Plan - Entech. [online] Available at:
<https://entechus.com/7-key-elements-of-a-business-disaster-recovery-plan/> [Accessed 30
November 2020].

M3. Summarize the ISO 31000 risk management methodology and its
application in IT security

ISO 31000 establishes a number of principles that need to be met for effective risk management.
ISO 31000 recommends that organizations build, apply and continually improve a framework
whose aim is to integrate the risk management process with the organization's overall
governance, strategy and planning, management, reporting processes, policies, values and
culture.

ISO 31000 includes principles and guidelines for managing all types of risk systematically,
transparently and reliably, in all areas and contexts. It provides general principles and
guidelines on risk management. Although ISO 31000 provides general guidelines, it is not
intended to create uniformity in risk management across all organizations.

ISO. 2020. ISO 31000 — Risk Management. [online] Available at: <https://www.iso.org/iso-
31000-risk-management.html> [Accessed 30 November 2020].

Benefits that ISO 31000 brings:
• Integrates risk management processes into the organization's general management
system.
• Increases the ability to achieve goals, encourages proactive management and raises
awareness of the need to identify and handle risks in the organization.
• Improves the identification of opportunities and risks; supports compliance with relevant
legal requirements, international regulations and standards.
• Improves financial reporting, improves governance, enhances stakeholder confidence, and
establishes a reliable basis for decision making and planning.
• Improves loss prevention and incident management, minimizing damage.
• Improves the resilience of the organization and gives management knowledge of the tools,
processes and techniques for managing risks.
• Helps manage risks proactively rather than handling them reactively.
• Improves the capacity of system management and finance, the foundation of corporate
governance.
• Improves operational efficiency and implementation results; enhances health, safety and
environmental protection.

In brief summary:
The risk management principles and procedures described in ISO 31000 provide a robust system
that allows organizations to design and implement strategic programs that are repeatable and
proactive. Regardless of the maturity level, management involvement in setting direction and
regularly reviewing the results must be part of every program; this not only improves risk
management, but also ensures appropriate risk handling based on the organization's goals and
long-term strategy. The design of specific program elements depends heavily on the goals,
resources and circumstances of the individual organization.

Figure 1: Summary steps to apply ISO 31000

The process of applying ISO 31000 in IT security includes the following steps:
Step 1: Establish a risk management framework
Set up the context
➢ The enterprise considers the external and internal conditions that affect or put at risk
its operations.
Set up a risk management policy
➢ The board of directors develops a risk management policy and publishes this policy to all
members and stakeholders.
Responsibility
➢ The enterprise determines the powers and responsibilities of its members in the
application of the risk management system, including:
• Identifying, evaluating, planning, handling, monitoring and reporting risks;
• Developing, implementing and maintaining the risk management framework;

Integration into organizational processes
➢ The enterprise integrates risk management into all of its processes and treats risk
management as an integral part of them.
Resource allocation
➢ The enterprise allocates appropriate resources to risk management.
➢ Leadership provides the resources to implement risk management programs.
Establishing internal reporting and information exchange mechanisms
➢ The enterprise sets up reporting mechanisms and exchanges internal and external
information to support and encourage members to carry out their risk management
responsibilities.
Determine risk criteria
➢ The enterprise determines the criteria that serve as the basis for risk assessment and for
comparing current risks.
➢ Evaluation results compared against the risk criteria serve as the basis for deciding how
to allocate resources and prioritize risk reduction.
Athena Risk. 2020. Security Risk Management & ISO 31000 - Athena Risk. [online] Available at:
<https://www.athenarisk.com/security-risk-management-iso-31000/> [Accessed 30 November
2020].

Step 2: Implementing the risk management framework

Implementing the risk management framework
Monitoring and reviewing the risk management framework
Continuous improvement of the risk management framework
➢ The enterprise organizes the implementation of the risk management framework set up above.
➢ Heads of departments monitor and propose improvements to processes to minimize
risks.
➢ The risk management board monitors and supports the tools needed to implement the
risk management system.

Step 3: Identify risks
➢ The head of the department in the enterprise needs to identify the sources of risk,
impacted areas, events, causes and potential consequences of the event.
➢ Apply tools and techniques to identify risks, consistent with goals.
➢ Make a risk list.

Step 4: Risk analysis

➢ The department head performs the risk analysis and risk assessment and decides on the
risk handling plan.
➢ The process owner must consider the cause and source of each risk, its positive and
negative consequences, and the likelihood that these consequences may occur.

Step 5: Risk assessment

➢ The department head compares the level of risk found during the analysis with the risk
criteria identified in Step 1.
➢ Options for risk handling are chosen taking into account legal, management and other
requirements.
➢ The risk management board reviews the risks (identification, analysis, evaluation) before
submitting them to the Board of Directors for consideration and for the provision of
resources to handle them.

Step 6: Risk handling

Selecting options for handling risks

➢ The process owner chooses one or more options to treat the risks and implements these
options.
➢ The most appropriate option is chosen by balancing the costs of implementation against
the benefits obtained.
➢ The risk management board reviews the selected options before submitting them to the
Board of Directors for consideration and decision.
➢ Note other risks that may arise from the handling of a risk.
Prepare and implement options for handling risks
➢ Process owners document in a risk handling plan how the selected options will be
implemented.
➢ The risk management board reviews and determines the nature and extent of the residual
risk after the risk has been treated.

Step 7: Monitor and review

➢ Proactively monitor and review processes according to the risk management process
plan.
➢ Monitor the implementation of the risk handling options and provide a measure of how
well the risk management system is being implemented.

Step 8: Report the risks

➢ The Head of the Risk Management Department summarizes and reports to the General
Director and the Board of Directors, together with suggestions for improvement to
minimize risks.
➢ Risk reports provide the basis for the Board of Directors to make future business and
production decisions and serve as a basis for improving risk management methods.

Step 9: Review and adjust

➢ The Board of Directors reviews the results of risk management and evaluation as the
basis for making appropriate adjustments.
➢ Provide additional resources as needed to handle outstanding risks.
➢ Direct risk handling according to technology updates and the financial capacity of the
enterprise.
➢ Organize the implementation of the above model in the following years.

IFAC. 2020. Eight Steps To Establish A Firm Risk Management Program. [online] Available at:
<https://www.ifac.org/knowledge-gateway/preparing-future-ready-
professionals/discussion/eight-steps-establish-firm-risk-management-program> [Accessed 30
November 2020].

M4. Discuss possible impacts to organizational security resulting from an
IT security audit
An information technology (IT) audit is an audit of an organization's IT systems, their
management and operation, and related processes. IT audits can be done in conjunction with
regular financial audits or as standalone audits. As the records, services and activities of many
organizations are highly computerized, IT controls need to be evaluated as part of the audit
process of these organizations.

Many users rely on IT without knowing how the computers work. A computer error can be
repeated indefinitely, causing more extensive damage than a human mistake.

➢ An IT audit is important because it gives assurance that the IT systems are adequately
protected, provide reliable information to users and are properly managed to achieve their
intended benefits.
➢ An IT audit can also help to reduce the risks of data tampering, data loss or leakage, service
disruption, and poor management of IT systems.
➢ Crime prevention: an IT security audit helps prevent crime. It helps make the system as
secure as possible, preventing attackers from exploiting vulnerabilities and security
weaknesses in the company system. At the same time, it offers solutions to fix problems
as quickly as possible (if any occur), to ensure data integrity.
➢ Enhances IT governance: IT auditing serves an important function in ensuring that all
relevant laws, regulations and compliance requirements are met by all employees and, of
course, the IT department. This in turn improves IT governance, because IT management
gains a strong understanding of the organization's controls, risks and values. IT governance
includes the leadership, organizational structure and processes that ensure the
organization's IT sustains and extends its strategies and goals. Deep network penetration
testing also improves the IT management of any company.

M5. Discuss the roles of stakeholders in the organization to implement
security audit recommendation

A stakeholder audit is an important component of the ongoing strategic development process.
Your organization may benefit from stakeholder audits in other ways as well: stakeholder audits
are a mandatory component of an issue management program, they are part and parcel of good
governance, and they are the key to collaboration.

An important way in which audits provide value to stakeholders is by assessing internal
control and making recommendations for improvement.

The identification of key stakeholders and their interests is important in:

➢ Ensuring the success of the internal audit function.
➢ Ensuring internal audit efforts are appropriately aligned with the needs of the
organization.

Benefits of stakeholder plans:

➢ Keep you current with emerging issues, risks and priorities
➢ Demonstrate how internal audit adds value
➢ Market the contribution and services of internal audit

Floodmanagement.info. 2020. What Are The Benefits Of Stakeholder Participation? – Associated
Programme On Flood Management. [online] Available at:
<https://www.floodmanagement.info/what-are-the-benefits-of-stakeholder-participation/>
[Accessed 30 November 2020].

Investopedia. 2020. Learn What Stakeholders Are And The Roles That They Play. [online] Available
at: <https://www.investopedia.com/terms/s/stakeholder.asp> [Accessed 30 November 2020].

Figure 2: STAKEHOLDERS

Role of administrators: responsible for configuring and maintaining the operation of the
organization's computer systems and servers.

Role of customers: the people who interact with the business and who provide feedback, requests
and comments to improve and troubleshoot the system.

Role of branches: branches support each other in security audits to enhance enterprise
security.

Role of business partners: a second party that works with the business and helps it with security
audits; the two parties work together to comply with the security policies.

Recommendation:
Administrators/branches propose solutions and implement the following security measures:

➢ Application Visibility: reduces productivity losses, compliance issues, threat spread and
the risk of data leakage.
➢ Encrypt company laptop hard disks: less sensitive data can be stored on a laptop, and the
disk can be encrypted to increase security.
➢ Web Content Filtering: web content filtering solutions continually update their lists of
websites and push these updates to your filter on a schedule that administrators can
define.
➢ Network Security Analysis: scanning network segments and network devices allows you to
thoroughly examine vulnerabilities in your environment.
➢ Malware Scans: malware includes viruses, adware, spyware, worms, Trojans, spam and
other active malicious content. Administrators can detect all of this with suitable products
and eliminate threats to the enterprise intranet.
➢ Threat Security: stop bad apps by scanning allowed applications for all types of threats,
at multi-Gbps speeds.
➢ UTM multi-purpose firewall solution (Benefits: protects system ports and prevents risks
from the Internet environment.)
➢ Anti-intrusion and anti-denial-of-service (DDoS) solutions (Benefits: specialized
equipment to prevent DDoS attacks.)
➢ Network security and encryption solutions (Benefits: dedicated solutions to protect
connections between sites within the system, especially suitable for businesses with
many branches and high security requirements on the transmission path.)
➢ Security vulnerability detection solution (Benefits: identifies, monitors and offers
solutions to address security vulnerabilities across the network, servers, operating
systems, databases and applications.)

Customers using the service take part in a survey and evaluation of the following:

➢ Data backup and recovery system
➢ Network transmission speed and stability
➢ Basic network devices (routers, switches, ...)
➢ Software support tools and network security devices (firewalls, attack detection and
prevention systems, VPN systems, etc.)
➢ Model of the integrated system connection.

Business partners (security consulting services):

➢ Total security advice (total security consultant): review, check and survey the entire
system and analyze the risks in detail (information and data security risks). On that basis,
give advice, solutions and directions to improve security, as well as a security investment
roadmap suited to the system and to the wishes and requirements of the customer.
➢ On-demand security advice (on-demand security consultant): check and analyze the
system or its related components in detail, depending on the specific needs of the customer
(for example, advice on endpoint security, application security or system-level
protection…). On that basis, advise in detail on the security solutions/services to be
deployed to meet the customer's security needs.

Conclusion:
Nowadays, IT security prevents malicious threats and potential security breaches that can have a
huge impact on your organization. Within your internal company network, IT security helps
ensure that only authorized users can access and make changes to the sensitive information that
resides there. IT security works to ensure the confidentiality of your organization's data.

That is why every business needs to know how to design and implement a security policy. We
also need to meet standards such as ISO 31000, mentioned above, to help us protect our
information better.

Evaluation:
This report provided useful information and gave some examples about risk, data protection
and regulation which help readers understand these topics clearly. This report gives detailed
instructions for designing and implementing a security policy step by step. The summary of
ISO 31000, which is the most important standard, could help businesses or users understand it
and apply it to their businesses.

Hopefully, through this report businesses can learn how to improve their security policy or
implement a good policy.

References
Floodmanagement.info. 2020. What Are The Benefits Of Stakeholder Participation? – Associated
Programme On Flood Management. [online] Available at:
<https://www.floodmanagement.info/what-are-the-benefits-of-stakeholder-participation/>
[Accessed 30 November 2020].

Investopedia. 2020. Learn What Stakeholders Are And The Roles That They Play. [online]
Available at: <https://www.investopedia.com/terms/s/stakeholder.asp> [Accessed 30
November 2020].

IFAC. 2020. Eight Steps To Establish A Firm Risk Management Program. [online] Available at:
<https://www.ifac.org/knowledge-gateway/preparing-future-ready-
professionals/discussion/eight-steps-establish-firm-risk-management-program> [Accessed 30
November 2020].

Athena Risk. 2020. Security Risk Management & ISO 31000 - Athena Risk. [online] Available at:
<https://www.athenarisk.com/security-risk-management-iso-31000/> [Accessed 30 November
2020].

ISO. 2020. ISO 31000 — Risk Management. [online] Available at: <https://www.iso.org/iso-
31000-risk-management.html> [Accessed 30 November 2020].

Entech. 2020. 7 Key Elements Of A Business Disaster Recovery Plan - Entech. [online] Available
at: <https://entechus.com/7-key-elements-of-a-business-disaster-recovery-plan/> [Accessed 30
November 2020].

En.wikipedia.org. 2020. General Data Protection Regulation. [online] Available at:
<https://en.wikipedia.org/wiki/General_Data_Protection_Regulation> [Accessed 30 November
2020].

Www2.deloitte.com. 2020. [online] Available at:
<https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Risk/2012_10_practical_st
eps_to_data_protection.pdf> [Accessed 30 November 2020].

Ccohs.ca. 2020. Risk Assessment : OSH Answers. [online] Available at:
<https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html> [Accessed 30
November 2020].
