Đang tải... (xem toàn văn)
Assignment 2 môn Security đại học GW năm 2022, đạt các tiêu chuẩn Pass, có trích dẫn Harvard. Liên hệ zalo 0962986805 or https:www.facebook.comprofile.php?id=100080073517431 nếu muốn support với mức giá rẻ hơn thị trường. DISCUSS RISK ASSESSMENT PROCEDURES (P5), EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION (P6), DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7), LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8)
ASSIGNMENT FRONT SHEET Qualification BTEC Level HND Diploma in Computing Unit number and title Unit 5: Security Submission date Date Received 1st submission Re-submission Date Date Received 2nd submission Student Name Student ID Class Assessor name Student declaration I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism I understand that making a false declaration is a form of malpractice Student’s signature Grading grid P5 P6 P7 P8 M3 M4 M5 D2 D3 Summative Feedback: Resubmission Feedback: 2.1 Grade: Lecturer Signature: Assessor Signature: Date: Note: Nếu muốn support C, C#, Networking, Database, project web, 1633, security_zalo 0962.986.805 or fb Nguyen Long | Facebook Table of contents TABLE OF CONTENTS LIST OF FIGURES INTRODUCTION TASK - DISCUSS RISK ASSESSMENT PROCEDURES (P5) DEFINE A SECURITY RISK AND HOW TO DO RISK ASSESSMENT Definition of security risks: Risk assessment procedures: DEFINE ASSETS, THREATS, AND THREAT IDENTIFICATION PROCEDURES, AND GIVE EXAMPLES Definition of assets Definition of threats Threat identification process Example of threats identification procedures 10 EXPLAIN THE RISK ASSESSMENT PROCEDURE 11 LIST RISK IDENTIFICATION STEPS 11 TASK - EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION (P6) 12 DEFINE DATA PROTECTION 12 EXPLAIN DATA PROTECTION PROCESS IN AN ORGANIZATION 12 WHY ARE DATA PROTECTION AND SECURITY REGULATION IMPORTANT ? 13 TASK - DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7) 13 DEFINE A SECURITY POLICY AND DISCUSS ABOUT IT 13 Define security policy: 13 Discussion on policies: 14 GIVE AN EXAMPLE FOR EACH OF THE POLICIES 16 GIVE THE MOST AND SHOULD THAT MUST EXIST WHILE CREATING A POLICY 18 EXPLAIN AND WRITE DOWN ELEMENTS OF A SECURITY POLICY 18 GIVE THE STEPS TO DESIGN A POLICY 19 TASK - LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8) 20 DISCUSS WITH EXPLANATION ABOUT BUSINESS CONTINUITY 20 LIST THE COMPONENTS OF RECOVERY PLAN 21 WRITE DOWN ALL THE STEPS REQUIRED IN DISASTER RECOVERY PROCESS 21 EXPLAIN SOME OF THE POLICIES AND PROCEDURES THAT ARE REQUIRED FOR BUSINESS CONTINUITY 23 CONCLUSION 24 REFERENCES 24 List of figures FIGURE 1: SECURITY RISKS FIGURE 2: ASSETS FIGURE 3: ISO 31000 10 FIGURE 4: RISK ASSESSMENT STEPS 11 FIGURE 5: DATA PROTECTION 12 FIGURE 6: SECURITY POLICY 13 FIGURE 7: HR POLICY AND PROCEDURE 14 FIGURE 8: AUP 15 FIGURE 9:EXAMPLE INCIDENT REPONSE 17 FIGURE 10: BUSINESS CONTINUITY PLANING 17 FIGURE 11: BUSINESS CONTINUITY 20 Introduction A guy works as a trainee IT Security Specialist at FPT Information Security, a top security firm in Vietnam (FIS) FIS advises and implements technological solutions to possible IT security concerns for mediumsized businesses in Vietnam Most clients have outsourced their security concerns due to a lack of technological expertise in-house As part of my job, Manager Jonson asked me to create an interesting report to help teach younger staff about the tools and procedures involved in detecting and assessing security risks To protect mission-critical data and equipment, IT security is utilized in combination with business policies The report will introduce and conclude the following major works: Procedures for risk evaluation are discussed Explain how an organization's data protection practices and rules work Create and implement an organization's security policy List the primary components of an organization's disaster recovery plan and explain why they're important Task - Discuss risk assessment procedures (P5) Define a security risk and how to risk assessment Definition of security risks: A security risk is an act with bad intentions such as "crash" or steal data, user information, damage the system of a company, business or organization The threat may occur in the near or distant future It can be said that system security is the only method to be able to solve and close the vulnerabilities as well as potential risks of a system Security is a difficult area for developers, especially as more and more bad guys find vulnerabilities to attack there Non-physical issues can cause data loss, data exposure, slow connections, and other security-related issues The main causes are a network attack with different purposes, spreading computer viruses, spyware, unauthorized access to computers to access data, and software containing code other poison Figure 1: Security risks These non-physical risks are always difficult problems and can only be solved by system security methods Risk assessment procedures: The word "risk assessment" refers to a broad process or strategy for identifying potentially damaging dangers and risk factors Analyze and evaluate the risk that comes with it Identify acceptable methods for removing the danger or controlling the risk if it cannot be removed A risk assessment is a comprehensive evaluation that identifies items, events, procedures, and other factors that might cause harm After you've made your decision, you'll need to study and estimate the potential amount of danger and severity You can next select what steps to take to successfully minimize or control the harm that happens after you've made this decision There are steps in the security risk assessment process: Step 1: Identify hazards and potentially harmful factors First, it is necessary to determine how the hazards affect the system Administrators can perform system surveys to find threats If hazards are not clearly identified, they will not be able to be controlled Consider all possible parts of the risk, especially the user's database, because it often becomes the target of bad guys Find the spots discovered by surveyors, it is often the vulnerabilities that are difficult to detect by administrators Identify potential hazards that may occur when that hazard occurs Learn from the vulnerabilities, security attacks that have happened before This helps administrators identify potential threats that are difficult to detect Step 2: Identify affected audience Once the hazards have been identified, the panel should also clearly define who is affected and how Some groups of objects such as databases, servers, will be affected first The next thing is to determine how big or small the effect is Determine if the security risk affects the hardware, other components or not so that the best solution can be found Determine who the affected users are, usually affecting customers and visitors The risk can affect what customer activities, whether they lose data or not In addition, any long-term, possible future hazards must also be identified Step 3: Identify, investigate, provide a solution to that risk Once hazards have been identified, the evaluator must devise measures to remedy those hazards and must ensure good practice Thus, the evaluator can review the risk control measures that the organization has previously put in place and see if they can be applied to improve the hazards To this, the evaluator should consider: -Can we completely eliminate the danger? -If it cannot be eliminated, how can we control the risk so that the hazard is not likely to occur? When implementing risk control controls, administrators can follow these steps step-by-step: -Use less risky method; replace risk -Avoid approaching hazards -Organize work in a way that reduces exposure to hazards, applying safety methods and features - Provide policies and guidelines for users to avoid security risks Step 4: Take notes, evaluate Record and present what the evaluator finds This record must be easy to understand, making it accessible to administrators and programmers Arrangements should be made to monitor risk control measures System tests should be performed daily/weekly/monthly as a mandatory test measure The organization should conduct regular risk identification to detect hazards in a timely manner The organization should conduct an overall review once a year to see if the assessments are still valid, to ensure that security standards are still improving or at least not falling behind In addition, record and evaluate potential vulnerabilities that can become risks, which are born during the risk remediation process so that they can be remedied in the next security assessment process Define assets, threats, and threat identification procedures, and give examples Definition of assets Identifying the assets that must be safeguarded is a crucial step in determining what should be safeguarded It is critical to assess the relevance of each item of value after performing an inventory of the assets that have been inventoried Figure 2: Assets An asset inventory aids an organization in compiling a list of its assets and providing specific information about them Each asset is assigned a numerical value by certain organizations Physical and non-physical assets are examples of assets Money, machinery, and other tangible assets are examples of non-physical assets; user databases are one of them Asset inventory management is a method of tracking and analyzing issues such as physical location, maintenance requirements, depreciation, performance, and eventual asset disposal for an organization's assets produce Definition of threats A threat is a possible negative action or occurrence aided by a vulnerability that results in an undesirable impact on a computer system or application in the context of computer security A threat can be a negative "intentional" event (e.g., hacking: an individual cracker or a criminal organization) or a negative "accidental" event (e.g., the possibility of a computer malfunctioning, or the possibility of a natural disaster event such as an earthquake, fire, or tornado), or any other circumstance, capability, action, or event (Shirey, 2000) This is distinct from a threat actor, who is an individual or a group capable of carrying out a threat action, such as exploiting a vulnerability to harm Threat identification process The kind of threat source specified is either a network attack tool or a physical opponent The structure of errors in the resources that the organization has tested (for example, hardware, software and test fields) Natural and man-made disasters, as well as accidents and situations beyond the organization's control Step 1: Identify potential dangers Threats are divided into two categories: man-made and natural Auditing, Configuration Management, Data Protection in Storage and Transmission are examples of threat categories that may be identified using threat categorization Step 2: Create a threat profile in step two Catalog threats to a profile that contains more particular information, such as the sort of threat discovered, its likelihood of occurrence, any linked data, and its effects Step 3: Look for security flaws Countermeasures can be used to close a security weakness People, vital facilities, and critical infrastructure are the first three phases in the threat analysis process, in order of rescue priority After assigning risk ratings to threats in step 2, threats may be classified from greatest to lowest risk, and mitigation measures can be prioritized Following the identification of a potential effect, the following approaches for mitigating the risk are available: Accept and ignore: determine whether or not the impact is tolerable • Removal: components that might pose vulnerabilities due to their influence should be removed • Risk mitigation: lowering the likelihood of a negative outcome Step 4: Write down your thoughts The last step is to record the situations The most alarming and likely risks are reflected in the emergency management design scenarios Initial warning, community effect forecast, probable regions of failure, All firm assets, as well as any possible dangers to those assets, should be listed in the privacy policy The company's privacy policy should be communicated to all workers The policies themselves must be changed on a regular basis Discussion on policies: • HR Policy Usually refers to systematized documentation that state a company's position on problems like internet use or dress code, but it may also refer to a position expressed through speech Policies are critical to the human resources department's success because they help define the employeremployee relationship In order to establish a standard of behavior, employees must understand what the organization stands for Businesses cannot reprimand workers or establish improvement targets without this standard, making it considerably more difficult to enhance corporate procedures and values Because there would be no precedent or starting point if a situation developed without reference, HR should have procedures in place for as many scenarios as feasible When it comes to systematizing HR policies, clarity is crucial Everything should be clear - this is especially crucial in the event of a hiring committee, as corporate rules will be evaluated It's typically crucial to determine where liability resides if a corporation has a consistent policy in place Figure 7: HR policy and procedure • Incidence response Policy A plan outlining an organization's response to an information security incident is known as an incident response policy The following is the policy reaction to an incident: 14 To provide a timely, efficient, and automated reaction to Security and Privacy issues, necessary roles and processes must be created The organization's priorities in work Incident Security and Privacy issues should be agreed upon with management, and individuals responsible for the Security management incident should understand the organization's priorities in work Incident Security and Privacy concerns Security and privacy incidents should be notified as soon as feasible using collaborative management channels A recorded Event Response incident must be used to respond to security and privacy incidents The knowledge gained from analyzing and resolving Security and Privacy incidents should be used to reduce the likelihood of future incidents or their impact Procedures for identifying, collecting, collecting, and retaining information that can be used as evidence should be specified and followed Topics like as the advantages of a consistent, formal approach to management breakdown should be discussed (individuals and organizations) Unreasonably invading one's privacy Any stumbling block to the investigation of a Confidentiality or Advisory Event or Incident should be notified to top management right away Impedance circumstances can lead to disciplinary action, including the termination of a connection contract • Acceptable use policy (AUP) Figure 8: AUP AUPs can cover a wide range of concerns, including offering standards for fair online searches, downloads, and surfing 15 Rules governing the usage of email, phones, tablets, online gaming, and the publication of the school website are common examples The consequences that will be enforced in the event of an AUP violation are also an essential component of the policy document, and they will give your institution with clear instructions in the event of a violation Educating parents, students, and instructors about the potential of the Internet as a learning resource is any of the key purposes of AUP Identifying proper online conduct and the repercussions of violations, as well as providing schools with legal liability protection, are all important aspects of policy development Students' online safety education is an important aspect of the school's internet safety program Children and teenagers require assistance and support in recognizing and avoiding technological safety hazards • • Disposal policy The goal of this policy is to provide standardized procedures for the management, retention, and disposal of documents that are received, created, generated, or maintained This policy aims to: To assist guarantee that the company can satisfy the legal obligations connected to records management, develop record management rules and a system of accountability To guarantee that government documents are legitimate and trustworthy To preserve the privacy of constituents and the confidentiality of documents To prevent documents from being misused, misplaced, damaged, destroyed prematurely, or stolen To secure the preservation of documents of long-term historical importance Business continuity policy This is the Ribbon Company Continuity Policy 990-77001, which ensures that all business operations can be maintained at normal or near-normal levels following an incident that might cause substantial interruption Severe weather events, cyber attacks, infrastructure outages, outages, and facility or premises losses are just a few examples Give an example for each of the policies • HR Policy At-Will Employment Policy: This policy reiterates that both an employer and employee can terminate the employment relationship at any time and for any reason, providing said reason is lawful You should aim to prominently display this statement in the beginning of your employee handbook • Incidence response Policy 16 Figure 9:Example Incident reponse • Acceptable use policy (AUP) Disrupting network access for others, whether deliberately or unintentionally Examples: infected computers flooding the network with spam or viruses, P2P file-sharing applications that consume more than a fair share of network resources, improperly configured network devices Using technology resources to violate any State or federal law including copyright and license agreements Examples: illegally downloading, storing, and/or sharing copyrighted materials, viewing child pornography, theft of confidential information Transmitting abusive, threatening, or harassing messages, chain letters, spam, or other communications prohibited by law or University policy Unauthorized attempts to scan or gain access to systems, accounts, network traffic or information not intended for you • Business continuity policy Figure 10: Business Continuity Planing 17 • Security policy Policy on remote access Connecting to a business network from any host is known as remote access The remote access policy is intended to reduce the risk of damage caused by illegal access to resources This policy should apply to all workers and contain procedures for sending and receiving email as well as accessing intranet resources This policy should also contain VPN access and disk encryption requirements Remote access should have the same requirements as on-premises access Employees must not, for example, utilize their remote access for illicit conduct or enable unauthorized persons to use their work equipment The policy should also require users to use strong passwords, log out when leaving their devices alone, and not connect to any other networks when connected to the internal network They should also advise customers to make sure that their operating system and antimalware software are up to date Give the most and should that must exist while creating a policy Protect policy compliance with mandatory laws I think it is the most important and must exist in a policy Depending on data retention, designation and location , may be required to comply with minimum standards to ensure consulting and data integrity, especially if the company holds personal information Having a documented and applied security privacy policy is one way to reduce as a method of security any method that may be required in the case of security Explain and write down elements of a security policy A declaration of purpose, a statement that defines the policy audience, a statement of objectives, permissions, and an access control policy are some of the important aspects of an organization's information security policy determine who gets access to what resources Statements about data categorization a statement of the responsibilities and duties of employees and who will be responsible for monitoring and enforcing the policy, performance measures that will be used to evaluate security policies, a statement of the responsibilities and duties of employees and who will be responsible for monitoring and enforcing the policy, a statement of the responsibilities and duties of employees and who will be responsible for monitoring and enforcing the policy, a statement of the responsibilities and duties of employees and who will be responsible for monitoring and en how effectively security is doing and what steps will be taken to enhance it 18 Give the steps to design a policy Step Assess your risk The usage of monitoring or reporting tools is a smart technique to detect your risk Many firewall and Internet security manufacturers provide evaluation periods for their solutions If such items give reporting information, using these evaluation intervals to estimate your risk is beneficial Step Study what others have done Because there are so many different sorts of privacy practices, it's crucial to look at what other companies like yours are doing Step Ensure that the policy conforms with all applicable laws You may be obligated to observe some minimal requirements to safeguard data privacy and integrity, depending on your data holdings, jurisdiction, and location Step Involve employees in policy creation No one wants a policy that is imposed from on high Employees should be included in the process of determining permissible use When regulations are written and tools are applied, notify the personnel Step Get it in writing Make sure that every member of your staff has read, signed, and understood the policy Step Establish explicit consequences and make sure they are followed Cybersecurity is no laughing matter Your Privacy Policy is not a collection of rules you may choose to follow; it is a requirement of employment There is a clear set of processes in place that spells out the consequences of violating the privacy policy Then put them to death 19 Task - List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8) Discuss with explanation about business continuity Figure 11: Business continuity Business continuity refers to the planning and preparation done ahead of time to guarantee that an organization's key business functions can continue to operate in the event of an emergency Natural catastrophes, business crises, pandemics, workplace violence, and any other event that disrupts your business are examples of events It's vital to note that you should plan and prepare not just for situations that would cause your system to fully shut down, but also for occurrences that might have a negative impact on your services or functioning • Supply chain failure - You don't have access to materials, goods, or services • Utilities outage - You don't have access to electricity, water, or the internet • Cyber incident - Your website has been hacked and is down • These are just a few of the many incidents that an organization must consider and plan for 20 List the components of recovery plan Communication and preparedness of the staff Your staff play a critical part in getting your business back up and running after a crisis However, if staff not know how to prepare and recuperate, this strategy will be rendered mostly ineffective Having at least one person from each department, including higher management, on the planning committee is a smart method to start teaching staff on disaster preparedness It is suggested that a committee be formed to consider various requirements and views Recovering documents You might lose all user data or key corporate papers right away Document loss may be disastrous without appropriate preparation and recovery There are, fortunately, techniques to reduce them: Hosting should be done on a secure server with a strong privacy policy Location off-site Keep in mind that you should have an off-site location for safe data storage and backup while you evaluate off-site venues If a calamity destroys or corrupts computer data, a backup will save the data so you don't have to start over with projects and files Inventory of Assets If you don't know what your company's assets are, you'll never be able to fully recover Include a list of the company's physical assets and relevant information in the recovery plan (for example, make, model, serial number, date of purchase, and purchase price) Computers, tablets, smartphones, scanners, printers, cameras, software, office furniture, and other goods that employees use on a regular basis are among the assets to include Include images of the workstations before and after the emergency (to show that the company has worked hard to secure equipment to respond to alerts) Write down all the steps required in disaster recovery process Define the scope of your project 21 First and foremost, determine what your ultimate aim is If your organization relies on rapid and simple access to data to stay afloat, your IT troubleshooting strategy should be centered on guaranteeing data availability Even if your on-premises hardware fails catastrophically, your proprietary rights remain safe and secure Examine Your IT Security Vulnerabilities Following the definition of your ultimate objective, you must establish a thorough understanding of your most evident weaknesses, paying special attention to historical catastrophe risks in your area Conduct risk analysis A thorough risk analysis is akin to a "stress test," which is aimed to assist you determine how vulnerable you are to your present catastrophe infrastructure You will be better positioned to protect your most important assets if you get this viewpoint Identify techniques for recovery The next stage is to find the most successful and cost-efficient recovery techniques after stress-testing your preventive measures Make a strategy You're now ready to get serious about putting together your IT disaster recovery strategy This will include collecting the information you've obtained and organizing it into a logical, linear order Provide team members with training It's time to share your strategy with your team after you're confident in it Revise and update your strategy While we all hope we'll never have to use our IT disaster recovery plan, it's a good idea to review it on a regular basis and, if required, change it 22 Explain some of the policies and procedures that are required for business continuity Reliability Businesses should try to provide clients with high-quality goods and services Customers' expectations should be met, if not exceeded, by the products given Quality services and goods will earn you a good reputation and help you grow your business Environment Businesses should be dedicated to reducing their environmental effect, from simple recycling to advanced water and waste management systems Businesses should put money into programs that help the environment Code of ethics Employees should follow the law, be ethical, and work in the best interests of the company Employees should be guided by a code of conduct in the workplace on how to cope with a range of ethical issues Employees are directed on how to interact with one another, customers, and possible business partners and networks by a code of conduct Job opportunities It's vital to manage your staff and make sure they understand their roles in the company Employees must be aware of how Performance Reviews are handled, the rehabilitation process, safe working conditions, workers' compensation, non-discrimination in the workplace, and termination terms E-mail and the Internet Our everyday operations need the use of the internet and email Employees can be guided on what is expected conduct and appropriate usage of the internet and email by having rules and procedures in place It's also a good idea for businesses to have social media usage policies in place Chances for everyone 23 Equal employment opportunities should be provided by businesses There should be no discrimination based on color, gender, race, or handicap when employing personnel Guidelines should also include how your company handles issues including a disability, pregnancy, or diversity in general Conclusion I covered the following topics in this exercise: identifying security risks and analyzing risks; identifying assets, threats, and threat identification techniques, as well as providing examples; enumerate the processes involved in risk assessment; describe data protection, explain how an organization's data protection approach works, and more I also go through the components of a privacy policy and the methods for creating one Discuss business continuity, the components of a recovery plan, the phases involved in the disaster recovery process, and the rules and practices that are essential for business continuity References Shirey, R., 2000 RFC2828: Internet security glossary 24 Powered by TCPDF (www.tcpdf.org) Index of comments 2.1 Kindly find below the comments based on the questions you've answered General academic report structure is recognized P5 Discuss risk assessment procedures Define a security risk Risk assessment procedures: Define assets, threats Threat identification procedures, with examples List risk identification steps The report provided a definition of risk, the assessment procedure was given Risk identification steps were also provided in the report P6 Explain data protection processes and regulations as applicable to an organization Define data protection Explain the data protection process in an organization Why are data protection and security regulations important? Definition of data protection was given Data protection processes such as AAA, GDPR, CIA triads were NOT discussed The importance of security regulations was clearly given in the report P7 Design and implement a security policy for an organization Define security policy: Discussion on policies: Give an example for each of the policies Give the most and should that must exist while creating a policy Explain and write down elements of a security policy Give the steps to design a policy The report had defined what a security policy is and had provided a few discussions on policies The elements of security policy were given The most and should for policy creation was given in the report Steps for designing a policy is given in the report However, a generic process or step was given P8 List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion Discuss with an explanation about business continuity List the components of the recovery plan Write down the steps required in the disaster recovery process Explain some of the policies and procedures that are required for business continuity Index of comments The report provided a brief discussion with a short explanation of BCP The components of the recovery plan such as DRP was discussed in the report A few policies for required business continuity were given in the report M3 Summarize the ISO 31000 risk management methodology and its application in IT security No report M4 Discuss possible impacts on organizational security resulting from an IT security audit No report M5 Discuss the roles of stakeholders in the organization to implement a security audit recommendation No report D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment No report D3 Evaluate the suitability of the tools used in organizational policy No report Recommendation It would help if you were more focused on your studies; your report has missing components Avoid the use of first-person pronouns in an academic report Document formatting Your document format, justification, fonts and size are fairly ok Documents are justified Index of comments References: References are ok The report has a reference However, one reference list is not enough for this report FrontPage: Frontpage is ok Frontpage is ok NOTE You must write all questions clearly with the corresponding number, such as P5, P6, P7, P8, followed by the answer All report questions must proceed with P5, P6, P7 etc File naming convention: Your full name and student Id required, with the course name Filename ASM2_Secu.pdf is NOT acceptable; please use the conventions on the right next time My name is just used as a sample, you shouldn't use my name in your file naming 1623-ASM2-GCH0123-Michael_Omar Introduction/ Contents The report has an introduction The use of first-person pronouns should be avoided The introduction is ok Conclusions / The report has a conclusion Index of comments Your conclusion is ok Powered by TCPDF (www.tcpdf.org) ... essential for business continuity References Shirey, R., 20 00 RFC2 828 : Internet security glossary 24 Powered by TCPDF (www.tcpdf.org) Index of comments 2. 1 Kindly find below the comments based on the... PROCESS 21 EXPLAIN SOME OF THE POLICIES AND PROCEDURES THAT ARE REQUIRED FOR BUSINESS CONTINUITY 23 CONCLUSION 24 REFERENCES 24 List of figures... FIGURE 11: BUSINESS CONTINUITY 20 Introduction A guy works as a trainee IT Security Specialist at FPT Information Security, a top security firm in Vietnam (FIS) FIS advises and