
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 05/11/2022 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Hoàng Tiến Dũng Student ID GCS200682

Class GCS0903B Assessor name Nguyễn Ngọc Tú

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature HIEP

Grading grid
P5 P6 P7 P8 M3 M4 M5 D2 D3
x x x x

 Summative Feedback:  Resubmission Feedback:

Grade: Assessor Signature: Date:


Lecturer Signature:
Assignment Brief 2 (RQF)
Higher National Certificate/Diploma in Computing
Student Name/ID Number:

Unit Number and Title: Unit 5: Security

Academic Year: 2021 – 2022

Unit Assessor: Van Ho

Assignment Title: Security Presentation

Issue Date: April 1st, 2021

Submission Date:

Internal Verifier Name:

Date:

Submission Format:

Format:

● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.

Submission

● Students must submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the word file into PDF file before the submission on CMS.
Note:

● The individual Assignment must be your own work, and not copied by or from another student.

● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must
reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:

LO3 Review mechanisms to control organizational IT security.


LO4 Manage organizational security.

Assignment Brief and Guidance:

Assignment scenario

You work for a security consultancy as an IT Security Specialist.


A manufacturing company “Wheelie good” in Ho Chi Min City making bicycle parts for export has called your company to propose a Security Policy for their organization, after reading stories in the media related to security breaches, etc. in organizations and their ramifications.

Task 1
In preparation for this task, you will prepare a report considering:
• The security risks faced by the company.
• How data protection regulations and ISO risk management standards apply to IT security.
• The potential impact that an IT security audit might have on the security of the organization.
• The responsibilities of employees and stakeholders in relation to security.

Task 2
Following your report:
• You will now design and implement a security policy.
• While considering the components to be included in a disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.

Learning Outcomes and Assessment Criteria (Assignment 1):

Learning Outcome: LO3
Pass: P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation.
Merit: M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.
Distinction: D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

Learning Outcome: LO4
Pass: P7 Design and implement a security policy for an organisation. P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
Merit: M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations.
Distinction: D3 Evaluate the suitability of the tools used in an organisational policy.

Contents
Assignment Brief 2 (RQF) ............................................................................................................................. 3
Higher National Certificate/Diploma in Computing .................................................................................. 3
Discuss risk assessment procedures (P5) ........................................................................................................... 9
I.Security risk .............................................................................................................................................. 9
II. Assets, threats and threat identification procedures ............................................................................... 9
Explain data protection processes and regulations as applicable to an organization (P6) ........................... 13
I.Data protection in organizations ............................................................................................................. 13
II.Data protection process in an organization ........................................................................................... 14
III.Why are data protection and security regulation important? ............................................................... 14
Design and implement a security policy for an organization (P7) ............................................................... 15
I.Security policy ........................................................................................................................................ 15
II.The “must” and “should” must exist while creating a policy ............................................................... 16
III.Elements of a security policy ............................................................................................................... 17
IV.The steps to design a policy ................................................................................................................. 19
V.Security policy for Wheelie Good ........................................................................................................ 20
List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion
(P8) ............................................................................................................................................................... 26
I. Discuss with explanation about business continuity ............................................................................. 26
II.Why is business continuity important? ................................................................................................. 26
III. What does business continuity include? ............................................................................................. 27
IV. Three key components of a business continuity plan ......................................................................... 27
V. Business continuity standards .............................................................................................................. 27
VI. Business continuity vs. disaster recovery ........................................................................................... 29
VII. Business continuity development ...................................................................................................... 30
VIII. Business continuity management ..................................................................................................... 30
IX. Business Continuity Institute .............................................................................................................. 31
X. List the components of recovery plan .................................................................................................. 31
XI. Write down all the steps required in disaster recovery process .......................................................... 33

XIII.Explain some of the policies and procedures that are required for business continuity ................... 35
Reference...................................................................................................................................................... 40

Figure 1 Table 1 ............................................................................................................................................ 28
Figure 2 Table 2 ............................................................................................................................................ 28
Figure 3 Table 3 ............................................................................................................................................ 29
Figure 4 Business continuity vs. disaster recovery....................................................................................... 30
Figure 5 Draw up a Plan ............................................................................................................................... 34
Figure 6 Policy Specifics and Procedures .................................................................................................... 37

Discuss risk assessment procedures (P5)

I. Security risk

a. Definition
A security risk assessment identifies, evaluates, and implements the key security controls in applications. It is also concerned with preventing application security flaws and vulnerabilities. A risk assessment enables an organization to view its application portfolio holistically, from the perspective of an attacker, and helps managers make informed decisions about resource allocation, tooling, and the implementation of security controls. Completing an assessment is therefore an essential part of an organization's risk management strategy. (Synopsis, 2022)
b. How to do a risk assessment
The Lucid Content Team (2022) describes five steps for carrying out a risk assessment:
- Identify the hazards
- Determine who might be harmed and how
- Evaluate the risks and take precautions
- Record your findings
- Review the assessment and update it if necessary
II. Assets, threats and threat identification procedures

A. Assets
a. Definition
An asset is any resource or item that has economic worth or delivers advantages that increase the value of a person or organization. Assets can be material or intangible, and they include anything that can be sold or that generates profit in the long run.
Assets are divided into two categories, personal assets and business assets:
- Personal assets are items owned by an individual.
- Business assets are property that an organization or corporation owns.
b. Types of assets
MasterClass staff (2022) identify six types of assets:
- Current assets:
Current assets are assets that can be quickly sold and converted to cash without losing value.
Assets that are considered liquid current assets are mainly equities, stocks, bonds, and mutual
funds. Current assets are often inventory, accounts receivable, or prepaid costs for an organization
or firm.
- Fixed assets
Fixed assets, also known as long-term assets, generally require a long time to obtain the intended
monetary value. Some examples of fixed assets are houses, land, and equipment, which are often
not for short-term sale.
- Tangible assets

Tangible assets are physical property such as merchandise, land, machinery, cash, or furniture. They are physically palpable and are frequently in the custody of the owner. The majority of tangible assets are also classified as current assets.
- Intangible assets
Intangible assets are assets that exist solely in principle, generally a license, knowledge, invention,
or reputation. Even if it is merely theoretical, it has the potential to increase the worth of persons or
enterprises.
- Operating assets
Operating assets are assets that create money on a daily basis or contribute to a lucrative operating
process for the owner. Operating assets are frequently machinery or copyrights.
- Non-operating assets
A non-operating asset is one that belongs to the firm but is not used in its operations and cannot generate present profit. Non-operating assets are frequently an empty lot or a short-term investment.
B. Threat and threat identification procedures
a. Definition
According to Hell (2021), security threats and vulnerabilities are not the same thing. Vulnerabilities are faults that exist in the system and must be resolved, while security threats are dangers that could compromise security. Although security threats cannot be totally eradicated, steps can be taken to reduce the harm they cause.
b. Threat identification procedures
To detect and analyze a threat, it is necessary to determine not only the source of a breach and the vulnerability it would use, but also the likelihood and extent to which that vulnerability will be exploited. Only by properly identifying such dangers can the appropriate measures for preventing and treating them be established. The resulting plan includes, in particular, the regulations, norms, and processes that will be implemented, as well as the technology that will be used. Typical threat sources are:
- Hostile cyber attacks
- Errors caused by confusion or mistakes
- Failures in matters managed by the organization
- Natural or man-made disasters and accidents outside the scope of the organization's management
c. Risk assessment procedure
i. Asset identification
Inventory the assets:
Inventory assets are classed as current assets; they include items that the organization wants to sell but has not yet released. Inventory assets exist to cope with a sudden spike in customer demand.
Record the asset attributes:
In order to determine the value of an asset, several conditions must be considered to establish the equivalent value of that asset.
ii. Threat identification
Classify threats against the organization by their purpose into three main categories: stealing data and assets, disrupting systems, and destroying or damaging systems.
Design a model of the damage that would occur if the organization were attacked by each threat.
iii. Vulnerability appraisal
Determine current weaknesses in assets:
With effective controls, an organization can create an environment that complies with established regulations to protect assets and manage potential risks. As a result, investment, capital or credit needs recorded through the asset statement can be met efficiently.
Use vulnerability scanners on hardware and software:
Vulnerability scanners are software commonly used in organizations to scan for security holes in computer systems, networks, operating systems and many other devices. However, it is not only organizations that use this software: attackers also use it to exploit the security holes of the organizations they target.
iv. Risk assessment
This is a method of estimating the damage that risks bring when an organization is attacked. The risks that can affect the organization are not only cybersecurity threats but also accidents or natural disasters. Therefore, the organization must find ways to prevent them by raising its level of risk management as high as possible to minimize the damage caused. The steps are:
- Calculate the maximum amount of damage.
- Calculate the probability and damage caused by the vulnerability.
- Analyze and propose plans to deal with the risks.
*Risk identification steps
Risk identification is a mandatory step for an organization: it is the method used to identify security holes or security threats that have the potential to harm the organization. According to EKU Online (2022), risk identification includes the following steps:
Risk Identification: This step aims to clearly define the risk, including why it occurs, when it occurs and how it harms the organization.
Risk Analysis: This step determines the most realistic probability that the risk will occur and the damage it can cause.
Risk Evaluation: After a clear analysis of the possible risks, this step compares them and creates a ranking and classification for each type of risk based on the level of impact and loss that it causes.
Risk Treatment: Each type of risk has its own way of being dealt with. Based on the level of each type of risk, this step develops strategies to deal with them when they occur and finds the most effective methods to prevent and treat them.
Risk Monitoring: Monitoring and managing risk is an extremely important step because risks and their severity change over time. Therefore, risks must be monitored regularly so that the most appropriate policies for dealing with them are in place.
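The identification, analysis, evaluation, treatment and monitoring steps above, together with the "maximum damage" and "probability and damage" calculations of the risk assessment, can be worked through on a small register. The following Python is an added example written for this report; it is not the author's code and not EKU Online's method. The assets, threats, dollar values and the 1-5 likelihood and impact scales are constructed assumptions for a company like Wheelie Good, and score = likelihood x impact is the common risk-matrix convention rather than something the steps prescribe.

```python
"""Risk register scoring for a small asset inventory.

Added example; not part of the original report. Assets, threats, values
and the 1-5 scales are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # constructed business value in USD


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str          # why/how the risk arises (risk identification)
    vulnerability: str   # the weakness the threat would use
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Risk analysis: a 1..25 risk-matrix score."""
        return self.likelihood * self.impact

    def max_damage(self) -> int:
        """Worst-case loss: the asset value scaled by the impact rating."""
        return self.asset.value * self.impact // 5

    def expected_damage(self) -> float:
        """Probability-weighted loss, using a constructed mapping from the
        likelihood rating to a yearly probability of occurrence."""
        probability = {1: 0.05, 2: 0.20, 3: 0.50, 4: 0.75, 5: 0.95}
        return probability[self.likelihood] * self.max_damage()


def classify(score: int) -> str:
    """Risk evaluation: band the score so risks can be ranked and compared."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def treatment(score: int) -> str:
    """Risk treatment: the response strategy for each band."""
    return {
        "critical": "mitigate immediately and escalate to management",
        "high": "mitigate: plan and fund controls this quarter",
        "medium": "mitigate where cost-effective, otherwise transfer (insure)",
        "low": "accept and monitor",
    }[classify(score)]


def evaluate(risks):
    """Rank risks, highest score first; ties broken by expected damage."""
    return sorted(risks, key=lambda r: (r.score(), r.expected_damage()), reverse=True)


def build_register():
    """Constructed sample register for the worked example."""
    cad = Asset("CAD drawings file server", 200_000)
    cnc = Asset("CNC production line", 500_000)
    web = Asset("Marketing website", 20_000)
    printer = Asset("Office printer", 1_000)
    return [
        Risk(printer, "theft", "unlocked office", likelihood=1, impact=1),
        Risk(web, "defacement", "unpatched CMS", likelihood=3, impact=2),
        Risk(cad, "ransomware", "no offline backups", likelihood=4, impact=5),
        Risk(cnc, "power failure", "no UPS on the line", likelihood=3, impact=4),
    ]


def report(risks):
    """Risk monitoring: a register snapshot to re-run at every review."""
    lines = []
    for r in evaluate(risks):
        lines.append(f"{classify(r.score()):8} {r.score():2} {r.asset.name}: "
                     f"{r.threat} via {r.vulnerability}; worst case ${r.max_damage():,}, "
                     f"expected ${r.expected_damage():,.0f}; {treatment(r.score())}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_register())))
```

Running it prints the register ranked from the critical ransomware risk on the CAD server down to the low-rated printer theft, each with its worst-case and expected loss and the treatment band. The monitoring step is simply re-running `report` whenever a likelihood or impact rating changes.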

Explain data protection processes and regulations as applicable to an organization (P6)

I. Data protection in organizations

1. Data protection
a. Definition
According to Crosetti (2021), data protection is the process of protecting data from being lost or altered by external actors. However, data protection is not only about protecting data from loss, but also about protecting it from unauthorized compromise aimed at stealing it. As data becomes more and more vulnerable to theft or destruction by hackers, the importance of data protection increases.
b. Principles of data protection
According to ARC (2022), there are seven principles of data protection:
Lawfulness, fairness, and transparency:
All data processing must always be transparent, lawful and fair. Data processing information should be
easily accessible to an authorized audience, in clear and simple language.
Purpose Limitation:
Personal information data is collected only for clear and lawful purposes, in which public, statistical or
historical purposes are not considered legitimate.
Data Minimisation:
The processing of personal data must be adequate and kept within the permissible limits, and it must have a lawful and fair purpose. The time for which personal data is stored must be strictly controlled, and data must be kept only for the minimum time needed.
Accuracy:
Controllers must ensure that personal data is always accurate and updated when necessary. When there is a
change in personal data, it must be updated immediately. In particular, the controller should pay attention
to the accuracy of such information and must cite the source obtained.
Storage Limitation:
Personal data is only stored in a form sufficient to be identifiable during research. In order to prevent
personal data from being stored beyond the expiration date, controllers will usually set a time limit for their
deletion.
Integrity and Confidentiality:
Personal data stored for research use must be carefully protected to prevent unauthorized access. Data security measures include preventing data from being compromised, lost or damaged.
Accountability:
Controllers must demonstrate that they are responsible for protecting all information securely, preventing it from being compromised, lost or damaged. They are also responsible for the processing of personal information.
II. Data protection process in an organization

Risk Assessments:
The more important the data, the greater the risk, and the greater the risk, the more security is required. Evaluating data in order to classify and rank it brings not only security benefits but also financial benefits.
Backups:
Backups are essential to avoid data loss or corruption. The higher the security level of the data, the more often it should be backed up. Tape storage can save a lot of money compared with storing backups on hard drives.
Encryption:
To limit the risks, the simplest method is still to encrypt the data. Once the data is encrypted, if it is stolen the attacker obtains only worthless, meaningless files. After backups, encryption can be considered the optimal method for securing data.
Pseudonymization:
Pseudonymization is also heavily used and recommended for data security. It is applied to large data sets, in which records can be renamed or their identifying information altered. The possibility of data theft is then significantly reduced.
Access Controls:
Access control is also a popular method. The fewer people who have access to the data, the lower the chance of data theft or destruction.
Destruction:
For data of extreme importance, the method most often used is to destroy it directly: delete everything related to it and, if there is a backup, destroy that too, to the point of irrecoverability, so that the data cannot fall into the hands of others who would profit from it.
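Pseudonymization and access control as described above can be combined when a data set has to leave the system that holds it: drop every field the recipient does not need, and replace the identifying information with a pseudonym. The following Python is an added example written for this report, not the author's code. The customer records, field names and key are constructed. It uses keyed hashing (HMAC-SHA-256) so that the same customer always maps to the same pseudonym, which keeps the export useful for analysis, while nobody without the key can recompute the mapping; the key is the secret that must be stored separately from the export and given to far fewer people than the pseudonymised data.

```python
"""Pseudonymising and minimising a customer order export before sharing it.

Added example; not from the report. Records, field names and keys are
constructed; the technique is keyed hashing with HMAC-SHA-256.
"""
import hashlib
import hmac
import secrets

# Data minimisation: only these fields are allowed to leave the system.
ALLOWED_FIELDS = {"order_id", "part", "qty", "country"}
# Direct identifiers are replaced by a pseudonym, never copied through.
DIRECT_IDENTIFIERS = {"customer_id", "email", "phone"}

# Constructed sample export (not real customers).
SAMPLE_RECORDS = [
    {"order_id": "O-1001", "customer_id": "C-42", "email": "a@example.com",
     "phone": "+84 900 000 001", "part": "crankset", "qty": 120, "country": "DE"},
    {"order_id": "O-1002", "customer_id": "C-42", "email": "a@example.com",
     "phone": "+84 900 000 001", "part": "hub", "qty": 40, "country": "DE"},
    {"order_id": "O-1003", "customer_id": "C-7", "email": "b@example.com",
     "phone": "+84 900 000 002", "part": "rim", "qty": 300, "country": "NL"},
]


def new_key() -> bytes:
    """A fresh 256-bit pseudonymisation key; keep it outside the export."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier, truncated to 16 hex characters.

    A plain (unkeyed) hash would let anyone holding a list of candidate
    customer ids recompute and match the pseudonyms; the key prevents that.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return a minimised copy of each record with a pseudonymous customer_ref."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k in ALLOWED_FIELDS}
        kept["customer_ref"] = pseudonym(rec["customer_id"], key)
        out.append(kept)
    return out


def leaks_identifiers(records) -> bool:
    """Release check: True if any direct identifier survived in the export."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in records)


if __name__ == "__main__":
    key = new_key()          # store this separately from the export
    export = pseudonymise(SAMPLE_RECORDS, key)
    assert not leaks_identifiers(export)
    for row in export:
        print(row)
```

Both orders from customer C-42 receive the same `customer_ref`, so the recipient can still count orders per customer, but neither the email nor the phone number appears, and a different key would produce an entirely different set of references.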
III. Why are data protection and security regulations important?

According to Guest (2020), the General Data Protection Regulation (GDPR) came into effect in May 2018 and has been a critical step in safeguarding people's basic rights in the present digital revolution, as well as in regulating businesses and preventing them from exploiting data for financial gain and putting users at risk.

With the expansion of user-generated data and the exponential industrial worth of data, it is critical that government authorities take the required actions to protect individuals' data rights. Data protection rules maintain the security of individuals' personal data and govern the collection, use, transfer, and disclosure of such data. They also give individuals access to their data, impose accountability standards on enterprises that collect personal data, and supplement these by providing remedies for unauthorized or detrimental processing.
Design and implement a security policy for an organization (P7)

I.Security policy

DEFINITION
Techopedia (2022) said that a security policy should identify the critical assets in an organization that
must be safeguarded. It should also describe any possible dangers to those things. Once the risks have
been identified, the chance that they will occur must be calculated. A corporation must also figure out how
to avoid these hazards. A few protections might include implementing specific staff regulations as well as
robust physical and network security. There must also be a strategy in place for what to do if a danger does
materialize. The security policy should be distributed to everyone in the firm, and the process of protecting
data should be reviewed and modified on a regular basis as new employees join.
EXAMPLE OF EACH POLICY

• Access policy

Depending on the nature of the job, access to resources is limited.

IT user roles are defined by IT system characteristics and the organization in charge of IT administration.

There must be at least three main levels of data access in the IT role set: no access, read-only, and read-
write.

Password management

Access passwords must be changed at least twice per year.

System, network, and other administrator passwords must be documented and stored in a secure location.

• Cryptography policy

Only secure connections, such as VPN connections, SSL/HTTPS connections, and encrypted e-mails, may be used to access internal network resources and transfer sensitive data over the public network.

All confidential data on computers taken beyond the business perimeter (laptops, home employees' PCs) must be encrypted, as must all private data on hard drives. Encryption keys must be backed up and kept in a secure location.

The minimum key length allowed for symmetric key encryption is 256 bits.

• Logging and log reviewing policy

Logs must be able to identify between authorized and unauthorized attempts to access resources, as well as
the precise time and place of origin.

Following the incidents, at least once a week, a random system and networking log check must be performed.

Logs must be preserved for at least four weeks.

• Removal policy

All unnecessary paper documents holding confidential data (see 4.1.2.1-4.1.2.6) must be destroyed.

Physical destruction of retired and/or obsolete archival storage media is required.

To delete state secrets or extremely sensitive data from storage, secure erasure must be used.

• Work environment

New programs must be examined and confirmed to be suitable before they can be used.

Real data cannot be used for testing or presentations.

• Legality policy

All property must be gained legally. All property uses must be lawful.
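Several of the policy clauses above are checkable: log entries must distinguish authorized from unauthorized access attempts and carry the time and place of origin, access passwords must be changed at least twice a year, and logs must be reviewed at least weekly. The following Python is an added example written for this report, not the author's code and not a format the policy prescribes. The log format, user list, dates and the three-attempt threshold are constructed; the review picks out repeated unauthorized attempts per source for a person to examine, and reports lines that lack the required fields instead of silently dropping them.

```python
"""Checks for three clauses of the example policy: log entries distinguish
ACCEPT from DENY and carry time and origin; passwords are changed at least
twice a year; logs are reviewed at least weekly.

Added example; not from the report. Log format, users, dates and the
threshold are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed log format: timestamp, result, user, source address, resource.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>ACCEPT|DENY) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) resource=(?P<resource>\S+)$"
)

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2022-10-30T08:01:12Z ACCEPT user=dung src=10.0.5.21 resource=erp
2022-10-30T08:02:40Z DENY user=guest src=203.0.113.9 resource=fileshare
2022-10-30T08:02:44Z DENY user=guest src=203.0.113.9 resource=fileshare
2022-10-30T08:02:49Z DENY user=guest src=203.0.113.9 resource=fileshare
this line has no structure and must not be silently dropped
2022-10-31T09:15:00Z ACCEPT user=admin src=10.0.5.2 resource=switch01
"""

# Constructed: date of each user's last password change, and review dates.
LAST_PASSWORD_CHANGE = {
    "dung": datetime(2022, 9, 1, tzinfo=timezone.utc),
    "admin": datetime(2022, 3, 1, tzinfo=timezone.utc),
    "guest": datetime(2022, 10, 1, tzinfo=timezone.utc),
}
MAX_PASSWORD_AGE = timedelta(days=182)  # "at least twice per year"
NOW = datetime(2022, 11, 5, tzinfo=timezone.utc)
LAST_REVIEW = datetime(2022, 10, 20, tzinfo=timezone.utc)


def parse_log(text: str):
    """Split a log into structured entries and lines the policy cannot use.

    A line without time, origin and result fails the logging clause, so it
    is returned separately for follow-up rather than ignored.
    """
    entries, malformed = [], []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            malformed.append(line)
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries, malformed


def unauthorised_attempts(entries, threshold: int = 3):
    """Count DENY results per (user, source); return pairs at or above threshold."""
    counts = {}
    for e in entries:
        if e["result"] == "DENY":
            key = (e["user"], e["src"])
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= threshold}


def stale_passwords(now: datetime, changes=LAST_PASSWORD_CHANGE):
    """Users whose password is older than the policy allows."""
    return sorted(u for u, changed in changes.items() if now - changed > MAX_PASSWORD_AGE)


def review_due(last_review: datetime, now: datetime) -> bool:
    """True if more than a week has passed since the last log check."""
    return now - last_review > timedelta(weeks=1)


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print("malformed lines:", bad)
    print("repeated unauthorised attempts:", unauthorised_attempts(entries))
    print("passwords older than 182 days:", stale_passwords(NOW))
    print("weekly review overdue:", review_due(LAST_REVIEW, NOW))
```

With the constructed data the review flags the three denied attempts from 203.0.113.9 against the file share, the one unstructured line, the `admin` account whose password is 249 days old, and the fact that more than a week has passed since the last log check.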

II. The “musts” and “shoulds” of creating a policy

The “musts” of creating a policy

- Be capable of being put into action and enforced
Security rules are intended to be directive in nature, guiding and controlling employee behavior. Everyone, from the CEO to the newest employee, must adhere to the policies. Users must be exposed to security policies several times before the message sinks in and they understand the policy's "why." Non-compliance with the policy, according to various security standards, can result in administrative action up to and including termination of employment. If the policy is not enforced, employee behavior is not guided toward productive and secure computing habits.
- Be brief and easy to understand.
- Maintain safety while remaining productive.
The “shoulds” of creating a policy
Demonstrate why the policy is necessary.
One of the primary aims of a security policy is to protect your company and its employees. Security professionals must be informed of the business's requirements. Consider how the policy contributes to the mission of your company. Does it address the concerns of top management? Security policies should not be developed in a vacuum; if they are, it is likely that they will not meet your company's expectations and standards. Writing security policies is an iterative process, and they must be approved by senior management before they can be issued. More resources will very probably be needed to sustain and monitor policy implementation.
Define the coverage of the policy.
An exception to a security policy is commonly necessary for good reasons. In these cases, the policy should
define how the policy exception is approved. Security policy exceptions should be communicated to
management.
Discuss how violations will be handled.
Security policies should not include everything but the kitchen sink. Procedures, baselines, and
recommendations can help you fill in the gaps in your policies' "how" and "when." Each policy should
address a specific issue. It will make things easier to handle and maintain.
III.Elements of a security policy

Due care
In cybersecurity, exercising due care means taking reasonable efforts to protect your organization's
reputation, resources, and legal rights. You can build some critical industry standards based on the
similarities seen in most cybersecurity frameworks.
- Know your assets
Data assets, such as personally identifiable information (PII) and intellectual property (IP)
Storage, including file storage
Accounts and access for users, including standard and privileged accounts, and for devices such as Internet of Things (IoT) devices, routers, and switches
- Establish a cybersecurity policy

Your cybersecurity contract is a document that specifies your organization's cybersecurity best
practices. Before developing your policy, your organization should do a risk assessment to establish
the strategies that will be used to control cyber risk.
- Continuously monitoring controls
The threat strategies of malicious actors are always developing, which means that the safeguards you
put in place today may not protect your environment tomorrow. To protect your company and
demonstrate that you are doing all possible, you must regularly examine your cybersecurity
measures.
- Create an incident response process
In today's cybersecurity world, data security blunders are inescapable. Developing, testing, and
evaluating incident response methods shows that you are taking the essential measures to become
resilient.
- Create an audit trail
Your audit trail is proof that your organization is doing what it promises. Almost every cybersecurity
or privacy rule necessitates that companies have their programs independently assessed.

SEPARATION OF DUTIES
According to Drupal (2022), Separation of duties ensures that no single person has complete authority
throughout the life of a transaction. A transaction should not be initiated, recorded, authorized, or reconciled
by a single individual. Functional duties should be separated in all companies. The division of roles ensures
that mistakes, whether deliberate or inadvertent, are found by someone else.
- Demand that the person in charge of information security report to the audit committee chairman.
- Employ a third party to monitor security, do surprise security audits, and carry out security testing.
They report to the audit committee chairman or the board of directors.
- Have a CISO report to the board of directors.
- Allow the CISO to report to internal audit as long as internal audit does not report to the executive
in charge of money, such as the CFO.
NEED TO KNOW
Controlling who has access to information is one of the most effective strategies to keep it secret. Access is
allowed only to personnel whose job responsibilities rely on understanding the content.
- Policy for Acceptable Encryption and Key Management
- Policy for Acceptable Use
- Clean Desk Procedures

- Policy for Data Breach Response
- Policy on Disaster Recovery Plans
- Security Policy for Employees
- Policy on Data Backup
- User Authentication, Authorization, and Identification Policy
- Incident Response Procedures
- Policy for Protecting End-User Encryption Keys
- Standards and Procedures for Risk Assessment
- Policy Regarding Remote Access
- Policy for Managing Secure System
- Policy Regarding Monitoring and Logging
- Policy for Managing Change
IV.The steps to design a policy

Recognize the need
To recognize the need for policies and procedures, the business must conduct frequent audits of its operations, obligations, and external environment. Policies may be introduced:
- in anticipation of a need
- in response to requirements

Determine who will bear the primary responsibilities.


Delegate power based on the amount of knowledge necessary to a person, working group, subcommittee, or
staff member.
Gather data
- Do you have any legal responsibilities in this matter? Is your understanding accurate and up to date?
- Have similar issues been addressed by other organizations? Can you make use of any pre-existing templates or samples?
- Where are you going to seek advice?
Policy proposal
Ascertain that the policy's wording, length, and complexity are appropriate for people who will be needed
to apply it.
Consult with the right parties.
Policies are most effective when those who will be affected are consulted, supportive, and given the
opportunity to assess and discuss the policy's potential repercussions. You may choose to consult, for

example, if you are developing policies to govern the internal operations of the firm or views on foreign
policy issues.
- Supporters
- Employees and volunteers
- Members of the Executive Committee
- Service clients or receivers
Policy should be finalized and approved.
Who backs the policy? Is this a strategic problem that the Management Committee will support, or does the
Committee believe that staff can successfully handle it? Keep in mind that the Executive Committee is
solely responsible for the organization's policies and procedures.
Consider whether procedures are necessary
Internal procedures are likely to be required to put the policy into practice. Consider whether specific
instructions on how and by whom the policy will be implemented are needed.
- Who will be in charge of developing such procedures?
- When will they do it?
- What will the consultation, approval, and implementation procedures be?
Implement
- How and to whom will the policy be communicated?
- Is training necessary for employees and volunteers to take part in implementation?
- Is a press release necessary (in the case of public policy positions)?
Monitor, review, and revise
- What monitoring and reporting mechanisms are in place to confirm that the policy is implemented and to
evaluate how it is used and received?
- When and how will the policy be reviewed and amended (if necessary)?
V. Security policy for Wheelie Good

Ownership of electronic files
Wheelie Good owns any electronic files created, sent, received, or stored on Wheelie Good owned, leased,
or operated equipment, or otherwise in its custody and control.
Privacy
Electronic files created, sent, received, or stored on Wheelie Good owned, leased, or managed equipment,
or otherwise under Wheelie Good custody and control, are not private and may be read at any time by
Wheelie Good IT personnel without the knowledge of the user, sender, recipient, or owner.
Other eligible persons may also read electronic file content when directed to do so by Human Resources or
the President/CEO.
General application and ownership
Access requests must be approved and filed by departmental supervisors before employees may have access
to computer systems. Authorized users are liable for all actions taken under their username. Authorized
users should be advised that any data or files they make on corporate systems instantly become the property
of Wheelie Good. Because of the need to protect Wheelie Good's network, there is no guarantee of privacy
or confidentiality of any information saved on any Wheelie Good network device.
Authorized personnel of the Wheelie Good IT Department may monitor devices, systems, and traffic patterns
at any time for network and security maintenance purposes.
Wheelie Good's IT Department reserves the right to audit networks and systems on a regular basis to
ensure policy compliance.
Wheelie Good's IT Department reserves the right to remove any non-business-related software or data from
any system.
Non-business software or files include games, instant messengers, POP email clients, music and picture
files, freeware, and shareware.
Security and proprietary data
All mobile and computer devices that connect to the internal network must comply with this policy and with
the accompanying policies:
- Account Management
- Anti-Virus
- Owned Mobile Device Acceptable Use and Security
- E-mail
- Internet
- Safeguarding Member Information
- Personal Device Acceptable Use and Security
- Password
- Cloud Computing
- Wireless (Wi-Fi) Connectivity
- Telecommuting

The Password Policy applies to both system and user passwords. Authorized users must not disclose their
Wheelie Good login ID(s), account(s), passwords, Personal Identification Numbers (PINs), security tokens
(e.g., smartcards), or other similar identification and authentication information or devices.
Providing another person with access, whether knowingly or by failing to secure that access, is prohibited.
Authorized users may only access, use, or distribute Wheelie Good proprietary information to the extent
required to carry out the user's authorized job duties.
E-mail policy
All email usage must be in accordance with Wheelie Good's standards and procedures for ethical behavior,
safety, compliance with applicable laws, and legitimate business practices.
Wheelie Good email should be used primarily for Wheelie Good business-related purposes; personal
correspondence is tolerated on a limited basis, but non-Wheelie Good related commercial use is forbidden.
All Wheelie Good data included in an email message or an attachment must be safeguarded in accordance
with the Data Protection Standard.
Email should be retained only if it is a Wheelie Good business record. Email is a Wheelie Good business
record if there is a real and ongoing business need to keep the information contained in the email. Email
classified as a Wheelie Good business record must be preserved in accordance with the Wheelie Good Record
Retention Schedule.
The Wheelie Good email system shall not be used to create or distribute any disruptive or offensive
communications, including offensive comments regarding race, gender, hair color, disability, age, sexual
orientation, pornography, religious views and practices, political beliefs, or national origin. Employees
who receive emails containing such content from any Wheelie Good employee should immediately notify
their supervisor.
Users are not permitted to automatically forward Wheelie Good correspondence to a third-party email
system. Individual messages forwarded by the user shall not contain Wheelie Good information classified
confidential or above.
Users are not permitted to conduct Wheelie Good business, make or memorialize any binding transactions,
or store or retain email on behalf of Wheelie Good using third-party email systems and storage servers
such as Google, Yahoo, and MSN Hotmail, among others. Such communications and transactions should go
through the authorized procedures and use Wheelie Good-approved documents.
Using a reasonable amount of Wheelie Good resources for personal email is acceptable, but personal email
must be kept in a separate folder from business email.
Sending chain letters or joke emails from a Wheelie Good email account is not permitted.
Wheelie Good employees have no expectation of privacy in anything they store, send, or receive through
the company's email system.
Wheelie Good has the right to monitor communications at any time, but is not obliged to monitor email.
Password policy
- Password creation
Password construction guidelines must be followed for all user-level and system-level passwords.
Users must not have the same password for their Wheelie Good accounts as they use for any other
non-Wheelie Good access.
Users must avoid using the same password for multiple Wheelie Good access needs wherever
possible.
User accounts that have system-level privileges granted through group memberships or programs such as
sudo must have a password that is distinct from all other accounts held by that user.
When using the Simple Network Management Protocol (SNMP), the community strings must be set to something
other than the default values of public, private, and system, and must differ from the passwords used to
log in interactively. The password construction guidelines also apply to SNMP community strings. Note
that SNMPv1 and SNMPv2c send community strings in clear text; where devices support it, SNMPv3 with
authentication and privacy should be used instead.
- Password change:
All system-level passwords must be changed at least every six months; every four months is the
recommended change interval.
The Infosec Team or its delegates may perform password cracking or guessing on a periodic or random
basis. If a password is guessed or cracked during one of these exercises, the user must change it to one
that conforms to the Password Construction Guidelines.
- Password protection:
Passwords must never be shared. All passwords are to be treated as sensitive, Confidential Wheelie Good
information. Corporate Information Security recognizes that legacy applications do not support proxy
systems; see the technical reference for further details.
Passwords must not be included in email messages, support cases, or other forms of electronic
communication.
Passwords must not be revealed to anybody over the phone. Never disclose a password on security
questionnaires or forms. Never hint at the format of a password.
Wheelie Good passwords must not be shared with anybody, including administrative assistants, secretaries,
supervisors, coworkers covering while you are on vacation, and family members.
Passwords must not be written down and stored anywhere in your office, and must not be stored in an
unencrypted file on a computer system or mobile device (phone, tablet).
Use the "Remember Password" feature of applications sparingly.
Any user who suspects that his or her password has been compromised must report the incident and change
all passwords.
- Application Development:
Application developers must ensure that their applications include the following security safeguards:
Applications must authenticate individual users, not groups.
Applications must not store passwords in clear text or in any easily reversible form.
Applications must not transmit passwords in clear text over the network.
Applications must provide role management, so that one user can take over the functions of another
without having to know the other's password.
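As an added example (not part of the original policy document), the following Python shows what the storage rule forbids beside what it requires: a reversible encoding from which anyone who reads the database can recover the password, and a salted, memory-hard scrypt hash checked with a constant-time comparison. The scrypt cost parameters and the scrypt$n$r$p$salt$hash record format are assumptions chosen for this example; it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import secrets

# Scrypt cost parameters (assumed for this example). n=2**14 keeps the demo
# fast and within hashlib's default memory limit; production systems should
# raise these as their hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def insecure_store(password: str) -> str:
    """What the policy forbids: an 'easily reversed format'. Base64 is an
    encoding, not a hash, so anyone who reads the stored value gets the
    password back (see insecure_recover)."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def insecure_recover(stored: str) -> str:
    """Demonstrates the weakness: the original password is fully recoverable."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash and return a self-describing record
    'scrypt$n$r$p$salt$hash' (record format assumed for this example).
    A fresh random salt means two users with the same password get
    different records, which defeats precomputed (rainbow-table) attacks."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash using the parameters carried in the record and
    compare in constant time. A malformed record or a wrong password both
    yield False; neither path leaks timing information about the digest."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
        if not expected:
            return False
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    print("reversible store recovers password:", insecure_recover(insecure_store(pw)) == pw)
    record = hash_password(pw)
    print("record:", record)
    print("correct password verifies:", verify_password(pw, record))
    print("wrong password verifies:", verify_password("tr0ub4dor&3", record))
```

The record carries its own parameters so that the cost factors can be raised later without invalidating existing hashes: old records still verify with the values they were created with, and can be re-hashed on the user's next successful login.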
- Use of Passwords and Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system
defines a mathematical relationship between a public key that is known to everyone and a private key that
only the user knows.
The user cannot obtain access until the passphrase is used to "unlock" the private key. Passwords and
passphrases are not the same thing. A passphrase is a longer version of a password and therefore more
secure. A passphrase is typically made up of several words, which makes it more resistant to "dictionary
attacks."
Internet and wireless policy
- General requirements
All wireless infrastructure devices that connect to a Wheelie Good network or provide access to
Wheelie Good Confidential, Wheelie Good Highly Confidential, or Wheelie Good Restricted data
must comply with the following requirements:
The authentication protocol must be Extensible Authentication Protocol-Flexible Authentication via
Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS).
Use the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES) with a key
length of at least 128 bits. Note that TKIP was deprecated in IEEE 802.11-2012 and is retained only for
legacy clients; new deployments should require AES (CCMP).
All Bluetooth devices must use Secure Simple Pairing with encryption enabled.
- Lab and Isolated Wireless Device Requirements
The Service Set Identifier (SSID) of lab wireless equipment must be different from the SSIDs used by
Wheelie Good production devices.
SSID broadcast must be disabled on lab equipment.
- Home Wireless Device Requirements
All home wireless infrastructure devices that provide direct access to a Wheelie Good network, such as
those sitting behind Enterprise Teleworker (ECT) or hardware VPN equipment, must meet the following
requirements:
Enable Wi-Fi Protected Access Pre-Shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS.
When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters) on the wireless
client and the wireless access point.
Disable SSID broadcast.
Change the default SSID name.
Change the default login and password.
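As an added example (not code from the original policy), the Python below checks a hostapd.conf-style access-point configuration against the home wireless requirements listed above: WPA2 with AES/CCMP rather than TKIP, a shared secret of at least 20 characters when WPA-PSK is used, SSID broadcast disabled, and the factory-default SSID changed. Both configurations and the list of vendor default SSIDs are constructed assumptions for this example; the option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, ignore_broadcast_ssid) are real hostapd options.

```python
# Two hostapd-style configurations constructed for this example: the first
# is how a consumer router often ships, the second meets the policy above.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password1
ignore_broadcast_ssid=0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=WG-Remote-7f3a
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2022
ignore_broadcast_ssid=1
"""

MIN_PSK_LENGTH = 20  # the policy's minimum shared-secret length
# Common factory-default SSIDs (assumed list for this example).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "tp-link", "asus", "default"}


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> list:
    """Return a list of policy findings; an empty list means compliant."""
    conf = parse_hostapd(text)
    findings = []

    # WPA2 (RSN) is required; wpa=1 is WPA1-only and wpa=0 is open/WEP.
    if conf.get("wpa") != "2":
        findings.append("wpa: must be 2 (WPA2/RSN); open, WEP or WPA1-only is not acceptable")

    # WPA-PSK needs a long shared secret; WPA-EAP covers EAP-FAST/PEAP/EAP-TLS.
    key_mgmt = conf.get("wpa_key_mgmt", "")
    if key_mgmt not in ("WPA-PSK", "WPA-EAP"):
        findings.append(f"wpa_key_mgmt: unsupported value {key_mgmt!r}; use WPA-PSK or WPA-EAP")
    if key_mgmt == "WPA-PSK" and len(conf.get("wpa_passphrase", "")) < MIN_PSK_LENGTH:
        findings.append(f"wpa_passphrase: shared secret shorter than {MIN_PSK_LENGTH} characters")

    # Pairwise ciphers may be listed under wpa_pairwise (WPA1) or rsn_pairwise (WPA2).
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("pairwise cipher: TKIP is enabled; it is deprecated, require CCMP (AES)")
    if "CCMP" not in ciphers:
        findings.append("pairwise cipher: CCMP (AES) is not enabled")

    if conf.get("ignore_broadcast_ssid") != "1":
        findings.append("ignore_broadcast_ssid: SSID broadcast is not disabled")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("ssid: factory-default SSID name still in use")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_hostapd(conf)
        print(f"{name}: {'compliant' if not problems else f'{len(problems)} finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

Hiding the SSID satisfies the policy text but should not be relied on for security: clients probe for hidden networks and reveal the name to anyone listening, so the long passphrase and CCMP are what actually protect the link. The WPA-EAP branch corresponds to the EAP-FAST/PEAP/EAP-TLS option and additionally requires a RADIUS server, which this check does not cover.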
Anti-virus policy
- All workstation and server assets used for Wheelie Good business, whether connected to the Wheelie Good
network or operating as standalone devices, must run Wheelie Good approved antivirus/antimalware software
with the settings provided by Wheelie Good. The following rules must be followed:
- Virus protection software must not be disabled or bypassed.
- The virus protection software settings must not be changed in a way that reduces the software's
effectiveness.
- The frequency of automatic updates must not be changed to make updates less frequent.
- All servers connected to the Wheelie Good network must use Wheelie Good approved/standard virus
protection software and virus detection and cleaning configuration.
- All email gateways, devices, and servers must use Wheelie Good approved email virus/malware/spam
protection software and must follow Wheelie Good setup and usage guidelines.
- Any threat that is not automatically cleaned, quarantined, and removed by the malware protection
software is a security event that must be reported to the IT Help Desk.
- The frequency of antivirus/antimalware signature updates shall be determined by the [Insert
Appropriate Role], but shall be no less than once per calendar day.
Cloud computing
- Inventory
The cloud - based security administrator and IT security management must conduct a quarterly
inventory of cloud services in use.
- Approved Services
The company includes a central headquarters as well as various locations around the United States.
Some employees use mobile devices to remotely access services. Human resources, sales, and
project management are just a few of the departments that employ cloud services. Every department
must have a list of permitted cloud providers and services that follow the overall cloud security
policy.
Among the permitted services are:
• Hardware layer: Indicate data centers
• Infrastructure layer
• Platform layer
• Application layer
- Unauthorized Services
Only the cloud-based services on the list of approved services above may be used. Installation of
unauthorized software is prohibited on organizationally owned or managed user end-point devices (e.g.,
workstations, laptops, and mobile devices), as well as on IT infrastructure network and system
components. Any third-party cloud service must be authorized by the cloud security administrator before
it may be used. Use of any unauthorized cloud service will immediately generate a notification to IT
security and the service will be blocked.
List the main components of an organizational disaster recovery plan, justifying the reasons for
inclusion (P8)

I. Discuss with explanation about business continuity

- Business continuity refers to an organization's capacity to sustain critical functions during and after
a crisis. Business continuity planning sets risk management methods and procedures with the goal
of preventing interruptions to mission-critical services and restoring full operation to the company
as fast and easily as feasible.
- The most fundamental requirement for business continuity is to maintain critical functions
operational during a crisis and to recover with as little downtime as feasible. A business continuity
plan takes into account a variety of unforeseeable situations, including as natural disasters, fires,
disease outbreaks, cyberattacks, and other external threats.
- Business continuity is critical for firms of all sizes, but maintaining all services for the length of a
disaster may not be feasible for all but the largest enterprises. Many experts agree that the first
stage in business continuity planning is determining which operations are critical and allocating the
available funds appropriately. Administrators can implement failover strategies after identifying
critical components.
- Disk mirroring, for example, enables an organization to keep up-to-date copies of data at
geographically spread sites, rather than simply the core data center. This allows data access to remain
uninterrupted even if one location is deactivated and prevents data loss.
II. Why is business continuity important?

- Business continuity is crucial at a time when downtime is unacceptable. Downtime may come from
a multitude of places. Some hazards, such as cyberattacks and harsh weather, appear to be worsening.
It is critical to have a business continuity strategy in place that accounts for any potential operational
disruptions.
- During a crisis, the strategy should allow the organization to function at a bare minimum. Business
continuity aids an organization's resilience in responding rapidly to an interruption. Business
continuity saves money, time, and the reputation of the organization. A protracted interruption
might result in financial, personal, and reputational harm.
- Business continuity necessitates that a business examine itself, identify possible areas of
vulnerability, and acquire important information – such as contact lists and technical schematics of
systems – that can be valuable outside of catastrophe scenarios. An organization may strengthen its
communication, technology, and resilience by implementing business continuity planning.
- Business continuity may also be required for legal or regulatory reasons. It's critical to understand
which rules apply to a certain company, especially in an era of rising regulation.
III. What does business continuity include?

- Business continuity is a proactive approach to ensuring mission-critical activities continue in the
event of an interruption. A thorough plan includes contact information, procedures for dealing with
a range of problems, and instructions for when to utilize the document.
- Business continuity includes specific rules for what an organization must do to keep operations
running. When the time comes for a response, there should be no doubt on how to proceed with
business procedures. Customers, workers, and the firm are all possibly at risk.
- Different levels of responsiveness are required for proper company continuity. Because not
everything is mission-essential, it's critical to prioritize what must remain operational and what can
wait till later. It is critical to be open and honest about recovery time and recovery point goals.
- The whole organization, from high management on down, is involved in the process. Although IT
may be in charge of business continuity, it is critical to gain management support and transmit critical
information to the entire organization. Another crucial area of collaboration is with the security team;
while the two groups frequently function independently, a business may benefit greatly from
exchanging information between both departments. At the absolute least, everyone should
understand the fundamental processes for how the business intends to respond.
IV. Three key components of a business continuity plan

- Resilience, recovery, and contingency are the three main components of a business continuity
strategy.
- A company may boost its resilience by building vital services and infrastructures with multiple
catastrophe scenarios in mind, such as personnel rotations, data redundancy, and keeping a surplus
of capacity. Ensured resilience in the face of various circumstances can also assist firms in
maintaining key services on and off site without interruption.
- It is critical to restore business services quickly after a disaster. Setting recovery time targets for
various systems, networks, or applications helps determine which pieces must be restored first. Other
recovery options include resource inventories, partnerships with third parties to take over corporate
activities, and using converted premises for mission-critical tasks.
- A contingency plan has processes in place for a number of external events, as well as a chain of
command that distributes duties inside the business. These duties may involve replacing hardware,
leasing emergency office space, assessing damage, and hiring third-party providers for help.
V. Business continuity standards

- Table 1 shows the ISO 223XX Series standards that pertain to business continuity and related
operations. The ISO 22398 and 22399 standards are also worth investigating.

Figure 1 Table 1

- Table 2 contains the Good Practice Guidelines of the Business Continuity Institute. The principles,
which are closely aligned with the ISO 22301 standard, provide a thorough basis for understanding
the business continuity process.

Figure 2 Table 2

- Table 3 contains a brief summary of standards, regulations, and good practices developed in the
United States by various organizations such as ASIS International, the National Fire Protection
Association, the Federal Financial Institutions Examination Council, the Information Systems Audit
and Control Association, the Financial Industry Regulatory Authority, the Federal Emergency
Management Agency, and the National Institute of Standards and Technology.

Figure 3 Table 3

VI. Business continuity vs. disaster recovery

- Disaster recovery planning, like business continuity planning, defines an organization's planned
tactics for post-failure processes. A disaster recovery plan, on the other hand, is only a subset of
business continuity planning.
- Disaster recovery plans are mostly data driven, focusing on storing data in a form that allows for
easier access after a disaster. Business continuity considers this, but also focuses on the risk
management, monitoring, and planning required for a business to remain functioning during an
interruption.

Figure 4 Business continuity vs. disaster recovery

VII. Business continuity development

- Starting the planning project is the first step in ensuring business continuity. The stages of business
impact analysis (BIA) and risk assessment are critical in acquiring information for the strategy.
- A BIA can expose any potential flaws as well as the effects of a calamity on multiple departments.
The BIA report advises a company on which operations and systems should be prioritized in a
business continuity strategy.
- A risk assessment detects possible threats to a company, such as natural catastrophes, cyberattacks,
or technological failures. Risks can have an impact on employees, customers, building operations,
and the company's brand. The evaluation also specifies who or what a risk might hurt, as well as the
likelihood of the dangers.
- The BIA and risk assessment complement each other. The BIA explains the probable consequences
of the interruptions described in the risk assessment.
VIII. Business continuity management

- It is critical to identify who will be in charge of business continuity. It might be one individual for
a small firm or a whole team for a bigger enterprise. Software for business continuity management
is another alternative. Software, whether on-premises or in the cloud, aids in conducting BIAs,
creating and updating strategies, and identifying areas of risk.
- Business continuity is a constantly changing process. As a result, a company's business continuity
plan should not be left on the shelf. The organization should reach out to as many individuals as
possible. Implementing business continuity isn't simply for times of crisis; the corporation should
conduct training exercises so staff know what to do in the case of a real disruption.
- Testing for business continuity is vital to its success. It's impossible to determine if a strategy will
work unless it's been tested. A business continuity test can be as basic as a tabletop exercise in which
employees debate what would happen in the event of an emergency. A comprehensive emergency
scenario is included in more stringent testing. To properly simulate a crisis, a company can organize
the test ahead of time or do it on short notice.
- After completing a test, the company should examine the results and change the strategy
accordingly. Some portions of the plan are expected to work successfully, while other measures
may need to be adjusted. A regular testing schedule is beneficial, especially if the company's
activities and personnel change often. Comprehensive business continuity is tested, reviewed, and
updated on a regular basis.
IX. Business Continuity Institute

- The Business Continuity Institute (BCI) is a global professional organization that provides
education, research, professional accreditation, certification, networking opportunities, leadership,
and direction on business continuity and organizational resilience.
- The BCI, which is located in the United Kingdom, was founded in 1994 and has about 8,000
members from both the public and commercial sectors in over 100 countries. BCI goods and services
are accessible to business continuity specialists and individuals interested in the subject.
- The BCI's goals and efforts include establishing business continuity standards, disseminating best
practices in business continuity, educating and certifying BC professionals, increasing the value of
the BC profession, and building the business case for business continuity.
- Among the various tools produced by the institute is its Good Practice Guidelines, which provide
assistance for identifying business continuity initiatives that might support strategic planning.
- Professional membership in the BCI confers an internationally recognized status; certification
validates a member's expertise in business continuity management.
- BCI Chapters have been created in countries or regions with a sizable member base. Locally chosen
officers represent the BCI in the Chapters, which include the United States, Japan, and India.
X. List the components of recovery plan

- Local and global risks are frequently unpredictable, and when something unexpected occurs, it
emphasizes the importance of preparing for the worst-case situation. This is why firms must have
a disaster recovery plan (DRP).
- A disaster recovery plan is a component of your overall business continuity plan (BCP), and its goal
is to assist your organization and its employees in mitigating the effects of a disaster and resuming
operations as quickly as feasible. To clarify, a disaster recovery plan differs from an incident
response plan (also part of your BCP) in that an IRP is aimed at assisting you in dealing with a crisis
immediately before, during, or after it occurs, whereas a DRP is more concerned with getting your
business back up and running in the long run.
- You should include the following crucial parts in your plan to ensure that it is ready to get your firm back up and running.
1. The scope of your plan
There are many aspects of a business that must be safeguarded, so, as obvious as it may seem, the initial
section of your disaster recovery plan should identify the scope it covers. Does it, for example, cover what
to do in the case of a cyber-attack as well as what to do in the event of a natural disaster? It should
ideally include both, but this must be documented.
2. Organizational roles and responsibilities
Your company should have a defined disaster recovery team that is familiar with the specified recovery
processes and performs a particular role in the plan in order for recovery to occur. The recovery team's
responsibilities should include not just what to do during and after a crisis, but also what to do ahead of
time, such as:
- Ensuring that more than one person knows how to complete important duties, so that if one person is
unavailable the task is still done properly and on time.
- Ensuring that your employees understand the manual approach to complete particular tasks (if they
exist), as software or hardware may be broken or interrupted during a catastrophe and therefore
unavailable.
- Training for all employees on how to respond and conduct their duties safely in the case of a crisis.
Adequate training, especially if your firm operates in a high-risk environment, may dramatically
decrease the effect of a disaster.
3. Your critical business functions and the tolerance for downtime
Your critical business functions (CBFs) are the functions that your organization cannot function correctly
or at all without. In order to decide the tactics that will assist your firm in recovering from a crisis, you must
first define these functions and then calculate how long you can go without them before suffering serious
loss. This is also known as your RTO (Recovery Time Objective). You can better prioritize the steps
indicated in your recovery plan by identifying your CBFs and how long you can tolerate until they are
restored.
4. The strategies, processes and procedures to resume your critical business functions
You may now develop your plans based on the functions of your firm that need to be restored in order for it
to function.
The following should be documented for each critical business function:
- Preventive/recovery activities needed to back up or restore the CBF
- Resources/equipment needed to carry out those activities
- Recovery time objective (so you know how quickly the activities must happen)
- Accountability (who is in charge of making sure the activities happen)
- You should also create a checklist for assessing the level of damage following a disaster and
monitoring the recovery process.
5. A communication plan
- When calamity hits, the last thing you want to do is address your customers, workers, or other
stakeholders, but good communication is critical to demonstrating that you are in charge of the
problem and that it will be remedied. Effective communication entails not just sharing everything as
fast as feasible, but also understanding the essential communication chain and reporting correct
information. This is why it is critical to have a comprehensive communication strategy that includes
all of these components.
- This plan should contain contact lists for persons who need to be communicated with (internally and
externally), as well as a process for what information may and should be transmitted and how it
should be delivered, depending on the scenario. Communication after a natural catastrophe, for
example, will differ from communication after a data breach, and your strategy must account for
these differences.
6. Schedule for Testing, Reviewing & Improving
- Disaster recovery strategies must evolve in tandem with company changes and evolution.
- Unfortunately, it is not as simple as developing a DRP and then preparing your company for
everything. Your organization should devote time to testing or rehearsing your strategy to ensure its
usefulness, as well as reviewing the plan to ensure it meets business and industry requirements. If
your company grows and your personnel doubles, for example, you'll need to account for that extra
workers or office space in your disaster recovery plan. Schedule testing of your strategy on a
quarterly to annual basis, depending on the rate of development or change in your organization.
XI. Write down all the steps required in disaster recovery process

As organizations become more reliant on high-performance networks and large volumes of data to deliver
value to customers, IT protection has become a significant component of many disaster recovery strategies.
If you and your team are planning to create your own strategy, make sure you carefully evaluate the eight
phases below.
1. Determine the Scope of Your Project
First, you must determine what your ultimate aim is. If your firm relies entirely on rapid and simple access
to its data to continue in operation, your IT disaster recovery strategy should prioritize keeping your sensitive
information safe and secure—even if your onsite hardware fails catastrophically. This involves looking at
offsite data storage solutions such as public cloud storage and/or data center colocation for most small and
medium-sized enterprises.
2. Consider Your IT Vulnerabilities
- Following the formulation of your ultimate objective, you must establish a complete understanding
of your most obvious weaknesses, paying special attention to previous catastrophe risks in your
geographic location. While the finest disaster recovery plans try to preserve as many assets as
possible, you'll almost certainly have to make difficult prioritization decisions to ensure that the most
critical aspects of your organization aren't jeopardized.
- If, for example, your top priority is your onsite hardware and the most typical natural catastrophe in
your location is floods, safeguarding your hardware from water damage—and having contingency
plans in place if these precautions fail—is critical.
3. Conduct Risk Analysis
- You should already be aware of your vulnerabilities and have protections in place to combat them
at this point, but you may not be aware of how these safeguards will react in a crisis. This is where
risk analysis comes in.
- A thorough risk analysis is akin to running a "stress test" to determine how vulnerable you are given
your present counter-disaster architecture. This viewpoint puts you in a better position to protect your
most important assets.
4. Identify Recovery Strategies
- Following the stress testing of your safeguards, the next step is to determine the most efficient and
cost-effective recovery options. Ideally, this assessment will take into consideration both your most
critical IT vulnerabilities and the effectiveness of your protections as shown by your risk analysis.
- If, for example, you've discovered that your onsite data storage is your most vulnerable point, you
should plan the most effective approach to relocate data stored in a public cloud or colocation center
back into your system after a crisis hits.
5. Draw up a Plan

Figure 5 Draw up a Plan

You are now ready to start putting together your IT disaster recovery strategy in earnest. This will include
compiling your findings and codifying them into an easy-to-follow, sequential guide.
6. Test Your Disaster Recovery Plan
Creating an IT disaster recovery plan is a start in the right direction—and, as indicated above, will likely put
you ahead of many of your competitors—but once you think you have everything in place, it's critical to
test your plan to ensure that each phase occurs as planned. After all, the ideal moment to discover if your
recovery strategy requires improvement is before calamity occurs, not after.
7. Train Team Members
When you're satisfied with your strategy, it's time to share it with your team. You should have been
consulting with key personnel throughout the previous six steps, but regardless of the level of collaboration
in your planning process, it is your responsibility to ensure that everyone in your organization understands
what will happen in the event of a flood, hurricane, wildfire, or other disaster.
In fact, involving your staff in the process is a terrific way to get your strategy reviewed by individuals
with varied viewpoints who may be able to see something you've missed.
8. Update and Revise Your Plan
Of course, while we all hope we never have to use our IT disaster recovery plan, it's important to examine
and, if required, change your strategy on a regular basis. Is it still appropriate in light of the changes in your
operations?
Have vendors offered any new goods or services that you'd like to include in your recovery strategy? By
asking these kinds of questions, you can keep your plan up to date and ensure that you're ready if and when
the next natural catastrophe occurs.
XIII. Explain some of the policies and procedures that are required for business continuity

1. The Policies
- Business Continuity (BC)
BC is the foundation for constructing resilience and continuing operations with minimal or no
interruption, regardless of unfavorable situations or occurrences. It entails planning and preparation
to guarantee that an organization can continue to operate in the event of a disaster or substantial
interruption, and that it can recover to a functional condition in a reasonable amount of time.
- Business Continuity Plan (BCP)
A business continuity plan (BCP) is a document that gives guidelines and actions for recovering
a certain function or process within a set time frame. It is stated in sufficient detail so that those
who are needed may carry out the plan with little delay. It is a collection of resources, actions,
processes, and information that have been designed, tested, and are ready to be used in the event of a
substantial disruption in operations.
- Business Continuity Planning
Business continuity planning is the act of making prior preparations and processes that allow VCU
to respond to an interrupting event in such a way that important business functions may continue
within predetermined levels of disruption. This task produces an effective business continuity
plan (BCP).
- Business Impact Analysis (BIA)
A business impact analysis (BIA) is a comprehensive assessment of the potential repercussions of
an interruption in a critical function; it gathers the information needed to establish recovery measures
that help restart operations rapidly.
- Comprehensive Emergency Management Plan (CEMP)
A comprehensive emergency management plan (CEMP) is a complete emergency response plan
established to guarantee adequate response to and recovery from natural and man-made threats. A
CEMP is not the same as a business continuity plan. A CEMP specifies what to do shortly before or
during an emergency. A business continuity plan aims to minimize the impact of any catastrophe on
VCU's business processes and aids the resumption of regular operations as quickly as possible
following the disaster.
- Continuity of Operations Plan (COOP)
A COOP is a planning term that was originally used to refer to business continuity planning. A
COOP is similar to a BCP in that both are designed to assist an organization in recovering from a
disaster; however, business continuity planning is more commonly used by businesses or
corporations, whereas continuity of operations is more commonly used by federal, state, and
municipal governments.
- Critical Functions
Critical functions are those that are essential to the campus community's existence, health, safety,
and security. During an incident, these functions must be maintained at a normal or heightened level.
The functions of life, health, safety, and security will never close and will always require people on
campus.
- Disaster Recovery (DR) / Disaster Recovery Plans
DR plans are typically used to refer to specialist planning for computer and IT systems, such as plans
for restoring key IT services and equipment. This is a subset of business continuity planning that is
very specialized.
- Emergency Operations Plan (EOP)
For the purposes of this policy, the term EOP also refers to the university's Comprehensive
Emergency Management Plan (CEMP).
- Mission Essential Functions (MEFs)
MEFs are services, programs, or activities that are critical to the university's ongoing operations and
would have a direct impact on knowledge generation, diffusion, and preservation if they were
interrupted for an extended length of time. The major services, programs, or activities provided by a
department are referred to as departmental essential functions. They are a department's primary
activities. Stopping them for a lengthy period of time would have a negative impact on the
department's success.
- Recovery Time Objective (RTO)
The greatest amount of time a certain business function or resource may be unavailable before
causing significant interruption to operations is defined as RTO. Maximum permissible downtime
is another term for this.
- Risk Assessment (RA)
A risk assessment is a procedure for identifying prospective dangers and analyzing what could
happen if a threat materializes.
- Condition of Readiness
Being in good repair and ready to operate quickly and efficiently.
- VEOCI
The VCU Police Department and the VCU Department of Safety and Risk Management deployed
this software system as a tool for crisis management, emergency response, and business continuity
planning.
- Contacts
This policy is formally interpreted by the VCU Police Department's Office of Emergency
Preparedness. The VCU Police Department, Office of Emergency Preparedness, is responsible for
obtaining approval for any policy amendments and for developing and implementing policies and
procedures using the appropriate governance frameworks. Please send any policy inquiries to the
VCU Police Department, Office of Emergency Preparedness, or the director of emergency
preparedness.
2. Policy Specifics and Procedures

Figure 6 Policy Specifics and Procedures

This policy establishes a consistent procedure for developing, testing, and maintaining VCU's first response,
business continuity, and business recovery plans. This policy encompasses the following components of the
business continuity plan (BCP) lifecycle:
- Risk Assessment.
During the risk assessment process, each university department will identify, analyze, and rate
numerous hazards based on the likelihood of occurrence and the amount of disruption to the
department's operation, as well as consider how each hazard may affect property, business, and
people working in the department and any customers they may service, as well as the university at
large. The Director of Emergency Preparedness will examine the hazards and offer context through
terminology, current occurrences, and potential threat scenarios. As a result, a variety of outcomes
may be required, including major business impact analysis (BIA) and recovery programs that must
be devised and supported with resources. Departments within the university will analyze the risk
assessment data to create a prioritized list of mission essential functions (MEFs), with the most
crucial at the top.
- Understanding the Organization: Business Impact Analysis (BIA).
The business impact analysis (BIA) is the process of determining, analyzing, and evaluating the
possible impacts of an interruption or suspension of important company activities, functions, and
processes due to an accident, emergency, or disaster. It is a methodical approach to estimating the
possible and likely repercussions of these disturbances, generally from the perspective of the worst-
case scenario. The BIA is seen as crucial to disaster recovery planning, particularly in terms of risk
minimization in the event of operational delays or disruptions caused by catastrophes and similar
occurrences.
• Each department is responsible for determining its MEFs and critical resources. Essential
functions are those services, programs, or activities that are required for ongoing operations
and would have a direct impact on the department's success if they were to be interrupted for
a lengthy period of time. MEFs will serve as a roadmap for resuming activities in the
aftermath of a disaster or substantial disruption. In general, four to six key functions should
be included, with more if it is a very complex department or unit.
• Each department is in charge of administering university MEFs and is required to be as
detailed as feasible in articulating needs and establishing interdependencies for each function.
Consider how the function may need to be updated or modified if any of the top dangers
listed in the risk assessment causes a severe interruption.
• Each department is responsible for conducting a BIA for each MEF in order to analyze and
document the probable impacts and negative repercussions of a catastrophe or large
interruption on the function. Completing a BIA also aids in the establishment of recovery
priorities and recovery time objectives (RTOs) by taking into account dependencies, peak
periods, negative repercussions, and financial risks.
• Each department is responsible for determining the human and technological resources
needed to sustain an optimal level of operations.
• Each department is responsible for establishing and finalizing the RTOs, or the time required
to recover the process or function and return business operations to normal, or as near to
normal as practicable.
- Determining the BCP Recovery Strategies
Recovery strategies are the various methods for restoring company operations to a minimally acceptable
level after a business interruption, and they are prioritized by the RTO determined during the
business impact analysis. Recovery strategies require resources such as people, buildings,
equipment, materials, and information technology. Each department must analyze the
resources needed to carry out recovery initiatives in order to identify gaps. Each department is
required to:
• Perform risk identification and risk management across business units. Internal
sources of interdependence may include line-of-business connections,
telecommunication/information technology links, and/or shared resources.
• Maintain, continue, and recover important company activities and processes by documenting
strategies and procedures.
• Describe the immediate steps to take when a function is disrupted, as well as the actions
required to recover it.
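The risk rating, RTO-based prioritization and resource-gap analysis described in the risk assessment, BIA and recovery-strategy sections above, worked through as an added Python example; it is not part of the VCU policy or of this report, and the 1-5 rating scales, the function names, dependencies and hours are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hazard:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); the 1-5 scale is an assumption
    disruption: int  # 1 (negligible) .. 5 (department cannot operate)

    @property
    def rating(self) -> int:
        return self.likelihood * self.disruption  # likelihood x amount of disruption

@dataclass(frozen=True)
class Mef:
    """A mission essential function (MEF) with its BIA results."""
    name: str
    rto_hours: float        # maximum permissible downtime set in the BIA
    recovery_hours: float   # time the documented recovery strategy needs
    depends_on: tuple = ()  # interdependencies: MEFs that must be restored first

def rank_hazards(hazards):
    """Most severe hazard first; ties broken by the disruption it causes."""
    return sorted(hazards, key=lambda h: (h.rating, h.disruption), reverse=True)

def recovery_order(mefs):
    """Restore shortest-RTO functions first, but never before their dependencies."""
    placed, order = set(), []
    while len(order) < len(mefs):
        ready = [m for m in mefs if m.name not in placed
                 and all(d in placed for d in m.depends_on)]
        if not ready:
            raise ValueError("dependency cycle among MEFs")
        nxt = min(ready, key=lambda m: m.rto_hours)
        order.append(nxt.name)
        placed.add(nxt.name)
    return order

def find_gaps(mefs):
    """MEFs whose strategy, including waiting for dependencies, cannot meet the RTO."""
    by_name = {m.name: m for m in mefs}
    eff = {}
    for name in recovery_order(mefs):  # dependencies are always visited first
        m = by_name[name]
        eff[name] = max((eff[d] for d in m.depends_on), default=0.0) + m.recovery_hours
    return {n: (eff[n], by_name[n].rto_hours) for n in eff if eff[n] > by_name[n].rto_hours}

# Constructed sample register; the names and hours are illustrative only.
SAMPLE_HAZARDS = [Hazard("Flood", 4, 5), Hazard("Power outage", 5, 3),
                  Hazard("Ransomware", 3, 5), Hazard("Fire", 2, 5)]
SAMPLE_MEFS = [Mef("Identity services", 4, 2), Mef("Campus network", 8, 12),
               Mef("Student records", 24, 6, ("Identity services", "Campus network")),
               Mef("Payroll", 48, 8, ("Identity services",))]
```

`find_gaps(SAMPLE_MEFS)` reports the campus network as a gap: its strategy needs 12 hours against an 8-hour RTO, which is exactly the kind of shortfall the resource analysis is meant to surface.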
- Develop and Implement the BCP
VEOCI, a crisis management software solution, will be used to develop and maintain university
business continuity plans, assuring the preparedness of mission-critical activities across the
institution. Once the planning (BIA and risk assessment) and meetings are completed, the relevant
department designee will enter each Business Continuity Plan (BCP) into VEOCI. For VEOCI
access, contact the VCU director of emergency preparedness; training is available. Each
department is required to:
• Describe the sorts of events that would occur prior to the official declaration of a
disruption, as well as the procedure for invoking the BCP.
• Determine the format of the BCP, such as the executive summary, goals and scope, summary
of results, and recovery activities.
- Exercising, Maintaining and Reviewing
Once the BCP is complete, the director of emergency preparedness will conduct training and testing
to verify that all department personnel are acquainted with it. The director of emergency preparedness
will organize a continuity planning group comprising the people involved during and after a
catastrophe or substantial interruption. Following training and/or real incidents, each department will
amend the BCP as required.
• Timely Review and Maintenance: Each department plan owner is responsible for reviewing
all BCPs and supporting documentation on a yearly basis. The goal of the review is to keep
the plan current and up to date, as well as to maintain preparedness. The VCU director of
emergency preparedness will manage the maintenance schedule.
• Training and Exercises: The director of emergency preparedness will oversee annual testing for
all departments. Testing techniques range from the most basic (no-notice drills) to the most
complex (full scale). Each has its own set of qualities, goals, and benefits. The type of
testing used should be chosen according to the organization's experience with business continuity
planning, as well as the size, complexity, and nature of the business. Tabletop exercises,
functional exercises, and full-scale exercises are examples of testing procedures in order
of increasing complexity.