ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date 27/04/2023 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Nguyen Luu Bao Phuc Student ID GCD210392

Class GCD1101 Assessor name Dang Quang Hien

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.

Student’s signature Phuc

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3
❒Summative Feedback: ❒Resubmission Feedback:

Grade: Assessor Signature: Date:

Lecturer Signature:
Table of contents
Task 1 - Discuss risk assessment procedures (P5) ........................................................................................................ 5
I. Define a security risk and how to do risk assesment .................................................................................... 5
1. Definition Of Security Risks ....................................................................................................................... 5
2. Risk Assessment Procedures ...................................................................................................................... 5
II. Define assets, threats and threat identification procedures, give example ............................................. 6
1. Define of asset .............................................................................................................................................. 6
2. Define of threat ............................................................................................................................................ 6
3. Threat ( risk ) identification procedures ................................................................................................... 6
III. List risk identification steps ........................................................................................................................ 7
Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6) ............................ 8
I. Definition of data protection........................................................................................................................... 8
II. Explain data protection process in an organization ................................................................................. 9
1. Assessment of network security risks ........................................................................................................ 9
2. Raise awareness about data security for employees ............................................................................... 10
3. Data security management ....................................................................................................................... 10
4. Troubleshooting and problem management ........................................................................................... 10
5. Configure the system securely .................................................................................................................. 10
6. Ensure the network is divided into separate areas ................................................................................. 10
7. Secure DN data by monitoring network security ................................................................................... 11
8. Access control ............................................................................................................................................ 11
9. Increased malware protection .................................................................................................................. 11
10. Update patch regularly ......................................................................................................................... 11
11. Perform encrytion ................................................................................................................................. 11
III. Why are data protection and security regulation important?............................................................... 12
Task 3 - Design and implement a security policy for an organisation (P7) ................................................................ 12
I. Define a security policy and discuss it ......................................................................................................... 12
II. Give an example for each of the policies.................................................................................................. 13
1. Purpose ....................................................................................................................................................... 13
2. Scope ........................................................................................................................................................... 13
 3. Policy........................................................................................................................................................... 13
4. Reporting requirment ............................................................................................................................... 14
III. The most and should that must exist while creating a policy ................................................................ 14
IV. Explain and write down elements of a security policy ........................................................................... 15
1. Purpose ....................................................................................................................................................... 15
2. Scope ........................................................................................................................................................... 15
3. Information security objectives ................................................................................................................ 15
4. Authorization and access control policy .................................................................................................. 16
5. Classification of data ................................................................................................................................. 16
6. Data support and operations .................................................................................................................... 17
7. Security awareness sessions ...................................................................................................................... 17
8. Responsibilities, rights and duties of personnel ...................................................................................... 17
V. The steps to design a policy........................................................................................................................... 17
Task 4 - List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion
(P8) .............................................................................................................................................................................. 18
I. Business continuity ........................................................................................................................................ 18
1. What is business continuity ...................................................................................................................... 18
2. Why business continuity is important ..................................................................................................... 18
3. What does business continuity include? .................................................................................................. 18
4. Business continuity and disaster recovery............................................................................................... 19
II. List the components of recovery plan ...................................................................................................... 19
1. Complete Inventory of Hardware/Software/Other Equipment ............................................................ 19
2. Documented Business Objectives ............................................................................................................. 19
3. Defined Tolerance for Downtime and Data Loss .................................................................................... 20
4. A DR Team................................................................................................................................................. 20
5. Alternative Workspaces ............................................................................................................................ 20
6. Remote Access............................................................................................................................................ 20
7. Secure Backups .......................................................................................................................................... 21
8. A Comprehensive Testing Strategy.......................................................................................................... 21
III. All the steps required in disaster recovery process ................................................................................ 21
 1. Create your disaster recovery contingency planning team........................................................................ 21
2. List all names and contact details ................................................................................................................ 21
3. Determine a chain of command.................................................................................................................... 21
4. Consider your risk assessment ................................................................................................................. 22
5. Do you have a ‘Plan B’? ............................................................................................................................ 22
6. Protect your company data....................................................................................................................... 22
7. Test, test and test again! ............................................................................................................................ 22
IV. Explain some of the policies and procedures that are required for business continuity ..................... 22
1. Risk assessment.......................................................................................................................................... 22
2. Understanding the Organization: Business Impact Analysis (BIA) ..................................................... 23
3. Determining the BCP Recovery Strategies ............................................................................................. 23
4. Develop and Implement the BCP ............................................................................................................. 23
5. Exercising, Maintaining and Reviewing .................................................................................................. 23
References ................................................................................................................................................................... 24

Table of figures
Figure 1: Risk identification step ................................................................................................................................... 8
Figure 2: Data protection .............................................................................................................................................. 9
Task 1 - Discuss risk assessment procedures (P5)
I. Define a security risk and how to do risk assesment
1. Definition Of Security Risks
The potential for exposure, loss of critical assets and sensitive information, or reputational
damage due to a cyber attack or breach in an organization's network is referred to as a
security risk. Cybersecurity should still be a priority across industries, and businesses
should work to create a cybersecurity risk management plan to protect against ever-
evolving cyber threats.
2. Risk Assessment Procedures
- Definition: Security Risk Assessment finds, evaluates, and applies critical application
security measures. It also focuses on preventing security bugs and vulnerabilities in the
application. Enterprises can view their application portfolio as a whole from an
attacker's perspective by conducting a risk assessment. It helps managers make
informed decisions about resource allocation, tools, and deployment of security
controls. As such, completing an assessment is an important aspect of a company's risk
management strategy.
- How does risk assessments work:
The depth of risk assessment models is influenced by factors such as size, growth rate,
resources, and asset portfolio. When faced with money or time constraints,
organizations can conduct joint assessments. On the other hand, general assessments
may not always include accurate mappings of assets, associated threats, perceived risks,
impacts, and mitigation mechanisms. Further assessment is required if the general
assessment results do not provide sufficient linkages between these areas.
- Risk Assessment steps
There are no fixed rules on how a risk assessment should be carried out, but there are a
few general principles that should be followed.
These Five steps to risk assessment can be followed to ensure that your risk assessment
is carried out correctly:

 Identify the hazards

 Decide who might be harmed and how
 Evaluate the risks and decide on control measures
 Record your findings and implement them
 Review your assessment and update if necessary.
 - Risk assessment goal:
 Creating a risk profile includes a quantitative examination of the hazards faced by
the company.
 Create a comprehensive inventory of IT and data assets.
 Cost-proven security measures that reduce risks and vulnerabilities.
 Create a comprehensive inventory of IT and data assets.
 Known risks, threats, and vulnerabilities to an organization's production
infrastructure and assets are identified, prioritized, and documented.
 Create a budget to address or mitigate the identified risks, hazards, and
vulnerabilities.
 If money is invested in a company's infrastructure or other assets to mitigate
possible risks, it is important to understand the return on investment.
II. Define assets, threats and threat identification
procedures, give example
1. Define of asset
Any data, widget, or other component of a framework that supports information-related
actions is an asset in information security, computer security, and network security.
Hardware (such as servers and switches), software (such as critical applications and support
systems), and confidential information are all examples of assets. Assets must be protected
from unauthorized access, use, disclosure, alteration, destruction, and/or theft, which could
result in financial loss.
2. Define of threat
Software attacks, intellectual property loss, identity theft, device or information theft,
information sabotage, and extortion are all examples of information security threats.
Anything that can exploit a vulnerability to breach security and negatively change, delete,
or damage an item or object of interest is considered a threat.
3. Threat ( risk ) identification procedures
Threat of risk indentification procedures include:
- Risk Integrated Product Team (IPT) identifies a list of potential risk items. There are
various methods of identifying risks. Risk can be identified from:
 Lessons Learned
 Subject Matter Experts (SME)
 Prior Experiences
 Technology Readiness Level (TRL) determination
 Programmatic Constraints
  Brain Storming
 Work Breakdown Structure (WBS)
- Risks are determined to be acceptable or not. Not all risk items identified in step 1 are
accepted.
- Accepted risks should be recorded and put into a Risk Register
- Identify root causes for each identified risk
- Risk analysis should examine each identified risk to refine the description of the risk,
isolate the cause, determine the effects, and aid in setting risk mitigation priorities.
(Risk Reporting Matrix)
- Risk Mitigation Planning should address each risk with action items and due dates.
- Risk Integrated Product Team (IPT) meets regularly (every 2 weeks) to assess risks and
add new risk items, if necessary.
- Risks are closed when all the actions to close the risk have been taken. Some risk items
are closed quickly; others are open for a long time. Some are considered watch items
and the action plan doesn’t kick in until certain negative events happen.
- Closed risks remain in the database for future learning.
III. List risk identification steps
There are five core steps within the risk identification and management process. These steps
include risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

1. Risk Identification: The purpose of risk identification is to reveal what, where, when,
why, and how something could affect a company’s ability to operate. For example, a
business located in central California might include “the possibility of wildfire” as an event
that could disrupt business operations.
2. Risk Analysis: This step involves establishing the probability that a risk event might occur
and the potential outcome of each event. Using the California wildfire example, safety
managers might assess how much rainfall has occurred in the past 12 months and the extent
of damage the company could face should a fire occur.
3. Risk Evaluation: Risk evaluation compares the magnitude of each risk and ranks them
according to prominence and consequence. For example, the effects of a possible wildfire
may be weighed against the effects of a possible mudslide. Whichever event is determined
to have a higher probability of happening and causing damage, it would rank higher.
4. Risk Treatment: Risk treatment is also referred to as Risk Response Planning. In this step,
risk mitigation strategies, preventative care, and contingency plans are created based on the
assessed value of each risk. Using the wildfire example, risk managers may choose to
house additional network servers offsite, so business operations could still resume if an
 onsite server is damaged. The risk manager may also develop evacuation plans for
employees.
5. Risk Monitoring: Risk management is a non-stop process that adapts and changes over
time. Repeating and continually monitoring the processes can help assure maximum
coverage of known and unknown risks.

Figure 1: Risk identification step

Task 2 - Explain data protection processes and

regulations as applicable to an organisation (P6)
I. Definition of data protection
 Data protection is the process of protecting sensitive information from loss, tampering, or
corruption. As data is created and stored at unprecedented speeds, the importance of data
protection is increasing. Additionally, limited tolerance for downtime can prevent access to
critical information. Therefore, an important component of a data protection plan is to ensure
that data can be recovered quickly from any loss or damage. Other essential elements of data
protection include protecting data privacy and preventing data breaches.

Figure 2: Data protection

II. Explain data protection process in an organization

1. Assessment of network security risks
Once your organization has all the data it needs, you must examine the threats your
corporate data may face:
- In case of network security incidents.
- In case of natural disasters such as fire, earthquake, etc.
 You must implement security measures for your organization's network after performing a
risk identification of the data to be protected. This will allow you to pinpoint the security
risks that the entire organizational network and the data security of organizations, in
particular, are currently facing. From there, deploy security solutions that fit the model,
finance, and organizational requirements, or protect the system by deploying patching
methods.
2. Raise awareness about data security for employees
- The human factor is one of the biggest potential threats to enterprise data security.
Therefore, one of the best and most successful ways to ensure data security in your
Enterprise is to establish measures to educate and create awareness among agency
employees about data security.
- Enterprises must regularly plan initiatives to raise awareness and train employees on
cybersecurity and data security. The most effective way to reduce corporate data
breaches and avoid spending money on outside security services.
3. Data security management
There are always security dangers to corporate data. Therefore, it is not feasible to
implement security measures quickly; instead, it must be done regularly and continuously.
Each company, where feasible, should have a leader or dedicated staff member
knowledgeable about the company's data security and privacy and responsible for
overseeing the application of security controls and processes. . security of data. This will
assist in minimizing cybersecurity risks for companies and commercial data
4. Troubleshooting and problem management
To reduce the harm a cybersecurity incident can cause to your business, it's important to
document your company's network and data incident response procedures.
Instead, you might consider hiring specialized assessment and troubleshooting units. When
an incident occurs, these units will take the lead in advising on response plans and
organizing incident handling. This will help your organization limit the damage.
5. Configure the system securely
All internal components (including software and hardware) are set up to comply with the
requirements of the privacy policy and take appropriate steps to protect your company's
data.
6. Ensure the network is divided into separate areas
Separate network zones will assist in isolating and mitigating the harm caused by
cybersecurity concerns such as corporate data leaks and malware. The DMZ also supports
throttling access between different network zones by using more firewalls between
untrusted external network zones (internet zones) and internal network zones. To ensure
 that policy accesses between network areas are always managed, conduct a routine
penetration testing assessment.
7. Secure DN data by monitoring network security
To adjust and identify network data anomalies early and maximize detection and
containment, technologies that monitor network traffic both inside and outside the network
are needed. prevent early attacks IDS (intrusion detection system), IPS (intrusion
prevention system), and SIEM are solutions that are frequently used by businesses today
(Cybersecurity monitoring system).
8. Access control
For corporate networks, decentralization, and access control measures are essential.
Effective access control is made possible by these policies both inside and outside the
system.
To do this, you only have to ask the user to grant the necessary permissions for them to
perform their task. Priority accounts must be carefully limited to major systems, database
administration functions, or critical systems.
User activity must be carefully monitored and logged, especially when it involves sensitive
data and user accounts. Remember to protect your data by creating a strong password at the
same time. Other important physical security features include security guards, magnetic
card systems, pedestrians, sirens, and access control to corporate buildings and private
workplaces. Access control to manage corporate data.
9. Increased malware protection
Businesses should also take measures to reduce the risk of harmful code and protect data
from it. There are many ways to reduce the risk of malware infection at various levels,
including user-specific anti-malware solutions, centralized anti-malware solutions, and
anti-malware solutions. Malware at ports. However, your ability to find a viable option for
your company depends on its size and financial position.
10. Update patch regularly
No system can be said to be always secure as new technological attack techniques are
constantly being developed. To protect company data and reduce the risk of attacks on
enterprise systems, updating software patches and operating systems is essential.
Enterprises must synchronize the development and deployment of multiple security
solutions and combine different security policies to ensure the maximum level of system
security.
11. Perform encrytion
Finally, before transferring the data, encrypt it. To help keep company data secure, this
mission is essential. Data encryption helps you prevent sensitive information from falling
 into the hands of attackers in the event that data is lost (due to a network security attack or
compressed in transit). In addition, you must protect your data with strong encryption.
III. Why are data protection and security regulation
important?
The value of data is always increasing. Furthermore, the possibilities and prospects for
obtaining various forms of personal data are growing quite rapidly. Unauthorized, negligent, or
ignorant handling of personal data can be very harmful to both individuals and businesses. A
data protection plan must be put in place by any organization that wishes to function
effectively if it wants to ensure the security of its information. Cyber attacks and data breaches
can lead to serious losses. Organizations must update their security protocols regularly and take
proactive steps to protect their data.
Businesses should take extra precautions to protect their data as losses and breaches can lead to
major financial losses. A company's reputation can suffer if its confidential data is not
protected and a data breach occurs. An organization may experience reduced income from
unhappy customers due to this damaged reputation. Additionally, organizations that violate
security standards may be subject to fines, which can place an undue financial burden on small
businesses.
The objective of personal data protection is to protect not only the data of the individual
concerned but also their fundamental rights and freedoms about that data. Personal information
can be protected without compromising the rights and freedoms of everyone. A person may be
deprived of a job opportunity or even worse, lose his or her current job due to improper
handling of personal data.

Task 3 - Design and implement a security policy for

an organisation (P7)
I. Define a security policy and discuss it
A privacy policy (also known as an information security policy or IT security policy) is a
document that outlines the overall rules, expectations, and approaches that an organization
uses to maintain confidentiality. confidentiality, integrity and availability of data. Security
policies exist at many different levels, from high-level structures that describe general
enterprise security principles and goals to documents that address specific issues, such as
access remote access or use Wi-Fi.
 Privacy policies are often used in conjunction with other types of documents, such as
standard operating procedures. These documents work together to help the company
achieve its security goals. The policy defines the overall strategy and security stance, with
other documents helping to build structure around that practice. You can think of a privacy
policy as an answer to the “what” and “why”, while processes, standards, and principles
answer the “how” question.

The IT Security Policy is a dynamic document that is frequently revised to reflect changing
business and IT needs. Standards and best practices for developing security policy have
been issued by organizations like the International Organization of Standardization (ISO)
and the U.S. National Institute of Standards and Technology (NIST). The National
Research Council (NRC) has stated that any firm policy should include the following
information:
1. Objectives
2. Scope
3. Specific goals
4. Responsibilities for compliance and actions to be taken in the event of noncompliance.
II. Give an example for each of the policies
1. Purpose
Restricted, confidential or sensitive material must be protected against loss by <ABC
Company> to preserve reputation and prevent harm to customers. This policy supports a set
of international regulations (such as adequacy or compliance>) that call for the protection
of many types of data by restricting access to data stored on specific devices. there. Full
disk encryption is necessary to avoid exposure in the event of asset loss, as outlined in
several compliance standards and industry best practices. This policy specifies procedures
and requirements for full disk encryption protection as a control.
2. Scope
- All desktop and laptop workstations from "ABC Company" (depending on the type of
data you keep and the physical security, some organizations tailor this to include
laptops only) ).
- All virtual computers are owned by Company ABC.
- Exemption: When a company needs to be exempt from this policy (because it is too
expensive, too complex, or will negatively affect other business requirements), a risk
assessment must be done with approved by the security management.
3. Policy
- Full disk encryption will be enabled on all devices in range.
 - Users will be required under the Acceptable Use Policy (AUP) and security awareness
training to report suspected violations of this policy under the AUP.
- Users must report any lost or stolen devices under AUP and security awareness training.
- Compliance with encryption policy must be verified and must be managed. To enable
audit trails to demonstrate compliance when needed, machines must report to a central
management infrastructure.
- The user of the device must provide IT with a copy of the active encryption key in the
event that it is not possible to manage and configure the encryption independently (only
after approval by the risk assessment).
- Permission to review any encrypted device for maintenance, queries, or in the absence of
personnel with primary file system access. to detect unauthorized system access or other
harmful activity.
- In the event of an error, forgotten credential, or other business blocking needs, the help
desk will be allowed to issue an out-of-scope request/response to grant access to the
system. . Only in cases where the user's identity can be determined using the challenge and
response attributes listed in the password policy will this challenge/response be submitted.
- (You can delete this section if it is not needed by your company; certain businesses may
require a tiered approach to data security; this may involve to a group of users whose data
is particularly sensitive and needs extra security.) a restrictive data policy will allow you to
define a group of VIP users or sensitive data users. For critical revisions or challenge
responses, users in this group will need authorization from a member of (such as Senior
Management or IT). The help desk will not be allowed uninvited access to such systems.
These systems require segregation of duties and are recognized for having access to
extremely sensitive, limited-use data. A system/user will be obligated to use two-factor
authentication according to the stated standard when specified by the authentication policy
and restricted data. Authentication will take place in the pre-boot environment.
- Configuration modifications should go through a change control process, which should be
completed as needed, identifying risks and implementation changes that are important to
security management.
4. Reporting requirment
- Monthly reports showing the percentage of assets in range for encrypted systems
- The monthly report lists the compliance status of encrypted, managed systems.
- Weekly reports count lost items and confirm that misplaced gadgets were handled
properly
III. The most and should that must exist while creating a
policy
1. Ensure that there is a policy on policies
 2. Identify any overlap with existing policies
3. Don’t develop the policy in a vacuum
4. Step back and consider the need
5. Use the right words so there is no misunderstanding intent
6. When possible, include an exceptions process
7. Allow some shades of gray
8. Define policy maintenance responsibility
9. Keep senior executives out of the routine when possible
10. Establish a policy library with versioning
IV. Explain and write down elements of a security policy
1. Purpose
Organizations create information security policies for a variety of reasons:

- To establish a common approach to information security

- To detect and prevent information security breaches such as misuse of data, networks,
computer systems, and applications.
- To protect the company's reputation against its ethical and legal responsibilities
- Comply with the interests of customers. Providing effective mechanisms for responding
to complaints and inquiries regarding actual or alleged noncompliance with the policy
is one way to achieve this goal.
2. Scope
The information security policy must address all data, programs, systems, facilities, other
technology infrastructure, technology users, and third parties within a given organization,
without Exception
3. Information security objectives
An organization attempting to draft an active information security policy should have
clearly defined security and strategy-related goals. Management must agree on these goals:
any existing disagreement in this context could render the entire project inefficient.

The most important thing a security professional should remember is that his knowledge of
security management practices will allow him to incorporate them into the documents he is
assigned to draft. It is a guarantee of completeness, quality, and workability.

Simplifying policy language is what can ease differences and ensure consensus among
managers. Ambiguous expressions should be avoided and authors should be careful to use
the correct meanings of common terms or words. For example, “must” represents
negotiable power, while “should” denotes a certain degree of discretion.
4. Authorization and access control policy
Typically, a security policy has a hierarchical model. Lower-level employees are often
asked not to share the little information they have unless explicitly authorized. In contrast,
senior management may have sufficient authority to make decisions about what data can be
shared and with whom, which means they are not bound by the terms of the privacy policy.
same information. This means that the information security policy should cover every
fundamental position in the organization with specifications that will clarify its authority.

Policy refinement occurs concurrently with determining the administrative control or

authority that everyone in the organization has. It's a delegation of control based on a
hierarchy, where one person can have rights to his work, and the project manager has
permission to project files belonging to the group that he or she belongs to. he is specified
and the system administrator only has permission to system files.

The user may need to know a particular type of information. Therefore, the data must have
sufficient granularity to allow appropriately authorized access, and nothing more. This is all
about finding the delicate balance between allowing access to those who need to use the
data as part of their job and denying it to unauthorized entities.

Access to the company's network and servers must be through a unique login that requires
authentication in the form of a password, biometrics, ID card or token, etc. Monitoring on
all systems must be in place to record login attempts (both successful and failed) and the
exact date and time of login and logout.
5. Classification of data
Data can have different values. Gradations in the value index may impose separation and
specific handling regimes/procedures for each kind. An information classification system
will therefore help with the protection of data that has a significant importance for the
organization and leave out insignificant information that would otherwise overburden the
organization’s resources.

A data classification policy may arrange the entire set of information as follows:

- High Risk class: Data protected by state and federal legislation (the Data Protection
Act, HIPAA, FERPA) as well as financial, payroll and personnel (privacy
requirements) are included here
- Confidential Class: The data in this class does not enjoy the privilege of being protected
by law, but the data owner judges that it should be protected against unauthorized
disclosure
 - Public class: This information can be freely distributed
Data owners should determine both the data classification and the exact measures a data
custodian needs to take to preserve the integrity in accordance to that level.
6. Data support and operations
In this part, we could find clauses that stipulate:

- The regulation of general system mechanisms responsible for data protection

- The data backup
- Movement of data
7. Security awareness sessions
Sharing IT security policies with employees is an important step. Asking them to read and
acknowledge a document does not necessarily mean that they are familiar with and
understand the new policies. On the other hand, a training session will engage employees
and ensure they understand the existing procedures and mechanisms for data protection.

Such an awareness training session should cover many important topics: how to
collect/use/delete data, maintain data quality, records management, security, privacy,
rational use of IT systems, proper use of social networks, etc. A little test at the end is
probably a good idea.
8. Responsibilities, rights and duties of personnel
Things to consider in this area generally focus on the responsibility of persons appointed to
carry out the implementation, education, incident response, user access reviews and
periodic updates of an information security policy.

Prevention of theft, information know-how and industrial secrets that could benefit
competitors are among the most cited reasons as to why a business may want to employ an
information security policy to defend its digital assets and intellectual rights.
V. The steps to design a policy
1. Identify your risks
2. Learn from others
3. Make sure the policy conforms to legal requirements
4. Level of security = level of risk
5. Include staff in policy development
6. Train your employees
7. Get it in writing
8. Set clear penalties and enforce them
9. Update your staff
 10. Install the tools you need

Task 4 - List the main components of an

organisational disaster recovery plan, justifying the
reasons for inclusion (P8)
I. Business continuity
1. What is business continuity
Business continuity is a business’s level of readiness to maintain critical functions after an
emergency or disruption. These events can include:

- Security breaches
- Natural disasters
- Power outages
- Equipment failures
- Sudden staff departure
2. Why business continuity is important
Leading organizations consider business continuity a top priority because maintaining
critical functions after an emergency or disruption can be the difference between the
success and failure of a business. . If key business capabilities fail, a quick recovery time to
get the system back up is critical. Having a business continuity strategy in place before
disaster strikes can save a lot of time and money. The recovery plan should include roles
and responsibilities, as well as which systems should be restored in what order. There are
many business continuity aspects to consider and examine, which is another reason to plan.
For instance, large data sets can take a long time to recover from backup, so failover to a
remote data center may be a better solution for businesses with large amounts of data.
whether big.

When recovery and resilience plans fail or when an unforeseen event occurs, a backup plan
can serve as a last resort. A contingency plan includes a strategy and practice plan for
needs. These needs can range from asking third-party vendors for help to find a second
location for emergency office space or a remote backup server.
3. What does business continuity include?
A business continuity and risk management plan usually involves three considerations:
 - Resiliency
- Recovery
- Contingency
There are many international standards and policies to guide the development of disaster
recovery and business continuity plans.
4. Business continuity and disaster recovery
Business continuity and disaster recovery are closely linked. Having a crisis management
and business continuity plan in place can save business hundreds of thousands of dollars
and can even make the difference between surviving the business consequences of a natural
disaster or urgent situation. With a good business continuity strategy and effectively
managed disaster recovery tools, businesses stand a better chance of recovering and
operating faster after a disaster. Ideally, well-prepared businesses should be in a position to
continue operating as if nothing had happened. Businesses without a disaster recovery
strategy and business continuity plan are much more susceptible to being wiped out by a
natural disaster or a cyber attack.
II. List the components of recovery plan
1. Complete Inventory of Hardware/Software/Other Equipment
When creating a DR plan, you have to know what resources may need to be recovered. You
will need to do a full inventory of every piece of hardware, software, and peripheral that
touches your networks or is used by your employees, contractors, and vendors.

This will be a pretty extensive project, because you will need to account for every on-
premise, cloud-based, and mobile/BYOD tool and technology your organization uses.
2. Documented Business Objectives
DR is often more about business decisions than IT decisions. So it is imperative to involve
all business units and stakeholders in the conversation about business objectives, so you
know where to focus first during recovery.

Start by mapping out the entire infrastructure to ensure all systems are accounted for. Once
you know what you are protecting, you can set priorities to ensure the most important
systems and applications are up and running first.

Divide systems and applications into three tiers to facilitate recovery efforts:

- Mission-critical: These are the first priority. Get these systems back up immediately to
avoid massive data loss or severe disruption to business operations.
 - Essential: These systems are less critical and can be unavailable for up to 24 hours
without significant impact to the business.
- Non-essential: The applications are the lowest priority because business can run
without them for a few days.
Be sure to consider any system dependencies in your business objectives, because they may
affect how you prioritize recovery efforts.
3. Defined Tolerance for Downtime and Data Loss
With your documented business objectives in hand, you can define recovery time
objectives (RTO) and recovery point objectives (RPO). These are the metrics you will use
to determine your downtime and data loss tolerance. In other words, these metrics allow
you to measure how much time an application can be down without causing significant
damage to the business (RTO) and the amount of data that can be lost before significant
harm to the business occurs (RPO).
4. A DR Team
A trained DR team is invaluable during a crisis. Every member of the team is assigned
specific tasks, so there is no question about who is responsible for which part of the
recovery effort.

This team will also be in charge of communications throughout the crisis and be a point of
contact for stakeholders. The disaster response team is in charge of training staff so
everyone is aware of emergency response policies and procedures during a disaster.
5. Alternative Workspaces
In the event of a fire or natural disaster, your office space may not be accessible. Having a
plan to enable employees to work remotely will help keep the business operating as close to
normally as possible.

Be sure all employees have or can quickly get access to laptops and an internet connection.
And stay accessible by preparing fall-back email and phone system solutions that provide
essential lines of communication for employees, customers, and vendors.
6. Remote Access
Whether you’re using VPN, RDP, SSH, or other access-control technology, accessing
company data and applications remotely can be a security risk. This became very apparent
when COVID-19 concerns suddenly forced millions of employees to work from home.

The middle of a crisis isn’t the best time to find out your infrastructure can’t handle remote
access securely. Update your security technology now to ensure your data can be safely
accessed from outside the firewall.
 7. Secure Backups
The quality and frequency of your backups will make or break your DR efforts. Consider
these best practices for keeping backups secure and available if you need them in a crisis:

- Keep your backups separate and inaccessible from the main company network. Some
ransomware can pass through the network and encrypt backup data, rendering it
useless.
- Implement a 3-2-1 backup strategy; create three copies of your data, store them on two
different media, and store one of those copies off-site or in the cloud.
- Invest in a cloud backup and DR solution that simplifies backup and recovery by
providing a central UI and the most current disaster recovery tools and technology.
8. A Comprehensive Testing Strategy
Don’t wait for an actual disaster to find out whether your DR plan works. Implement a
comprehensive testing strategy now (and actually use it). Your strategy should accomplish
three objectives:

- Test your backups to make sure your data is protected and recoverable
- Test your DR processes to make sure they work
- Test your people to make sure they know what to do in a real emergency
III. All the steps required in disaster recovery process
1. Create your disaster recovery contingency planning team
Your first step is to select the employees who will form your contingency planning team.

You’ll need a good mix here, so consider choosing people who can bring a variety of
perspectives on the company’s vulnerabilities to the table. Make sure you include
representatives from all the main departments within your business, including HR, facilities
and high-level managers.
2. List all names and contact details
Next, create a list of all employees’ names with all methods of communication for each
one, ensuring that this is regularly updated. You may need to access this info quickly, so it
needs to be accurate. Communication should include personal and work contact details.
3. Determine a chain of command
A system disaster is a high stress event. This means that a clear chain of command and
authority needs to be put in place well in advance to determine who’s in charge if and when
any key personnel are missing.
 During a critical incident, this will help your whole team understand who’s in charge in the
chaos that may ensue after a disaster has taken place.
4. Consider your risk assessment
When creating your disaster recovery plan, preparation is everything. So review as many
potential disaster scenarios as you can, and create a checklist of things that might possibly
go wrong. Then consider how each one of those situations would affect your core business,
your revenue streams, your customer service and your employees.
5. Do you have a ‘Plan B’?
Your ‘Plan B’ planning is when you think about what’ll happen if your primary disaster
recovery plan is not actionable.

For example, if your usual premises are unavailable, you’ll need to consider if employees
can work from home or if you can share the facilities of another company temporarily.
Your top priority may well be keeping your revenue flowing, in which case you’ll need to
consider what people, equipment, space, supplies, or services are needed to avoid any
downtime?
6. Protect your company data
Data loss can have a huge impact on your business. Data protection and recovery is a key
aspect of all disaster recovery planning, so getting on top of them will result in good
business continuity.

Bare Machine Recovery (BMR) provides a complete protection solution, assisting in the
rapid recovery of machines to a pre-disaster state. Replication software can also help you
quickly clone your systems to another environment, for example a virtual network or into
the cloud.
7. Test, test and test again!
We suggest that you run a regular testing drill to make sure your new disaster recovery plan
actually works. And scheduling regular recovery simulations ensures that your systems are
up and running before the CEO – and your customers – even notice!
IV. Explain some of the policies and procedures that are
required for business continuity
1. Risk assessment
During the risk assessment step, each department identifies, evaluates, and ranks different
hazards based on their probability of occurrence and the degree of disruption that will cause
the division's operations, and considers How each hazard can affect property, businesses,
 and people. work in the department and any clients they may serve, as well as the
university in general. Hazards will be reviewed by the Director of Emergency
Preparedness, who will provide context through definitions, recent events, and various
threat scenarios.
2. Understanding the Organization: Business Impact Analysis
(BIA)
The word "BIA" refers to the process of identifying, analyzing, and evaluating the potential
consequences of disruption or discontinuance of critical business functions, functions and
processes as a result of an emergency, tragedy or accident. It is a methodical approach to
predicting the likely and probable effects of these disruptions, often from a worst-case
perspective. The BIA is considered the focal point of disaster recovery planning, especially
to reduce risks in the event of operational delays or disruptions caused by disasters and
similar incidents.
3. Determining the BCP Recovery Strategies
RTOs created during a business impact analysis will prioritize recovery plans, which are
alternative ways to bring business back to a minimum acceptable level after a business
interruption . Recovery plans are resource-intensive, including personnel, infrastructure,
tools, supplies, and IT. Each department must perform an analysis of the resources needed
to implement recovery measures to find any vulnerabilities.
4. Develop and Implement the BCP
To create and maintain university business continuity plans, VEOCI, a crisis management
and software solution, will be used. This will ensure the availability of critical functions
throughout the university. The responsible department designee will enter each Business
Continuity Plan (BCP) into VEOCI once the plan (BIA and risk assessment) and meetings
are over. To access VEOCI, contact the VCU emergency preparedness director. Training
provided.
5. Exercising, Maintaining and Reviewing
The Head of Emergency Preparedness will conduct training and testing after the BCP is
over to ensure every member of the department is familiar with it. The emergency
preparedness director will form a continuum planning team composed of individuals who
will be involved before, during, and after a disaster or significant disruption. After training
and/or actual events, each department will revise the BCP as necessary.
 References

Anon., n.d. [Online]

Available at: https://www.rospa.com/workplace-health-and-safety/what-is-a-risk-assessment
[Accessed 26 4 2023].

Anon., n.d. [Online]

Available at: https://safetymanagement.eku.edu/blog/risk-
identification/#:~:text=Risk%20Identification%20Process%20Steps,risk%20treatment%2C%20and%20risk%20moni
toring.
[Accessed 26 4 2023].

Anon., n.d. [Online]

Available at: https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html
[Accessed 27 4 2023].

Anon., n.d. [Online]

Available at: https://www.cristie.com/news/7-steps-to-a-successful-disaster-recovery-plan-2/
[Accessed 27 4 2023].

Anon., n.d. [Online]

Available at: https://resources.infosecinstitute.com/topic/key-elements-information-security-policy/
[Accessed 27 4 2023].