Đang tải... (xem toàn văn)
1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) 1623 assignment 2 (pass) FPT Greenwich
ASSIGNMENT FRONT SHEET Qualification BTEC Level HND Diploma in Computing Unit number and title Unit 5: Security Submission date Date Received 1st submission Re-submission Date Date Received 2nd submission Student Name Đào Vĩnh Khang Student ID GCS200222 Class GCS0905B Assessor name SAMNX Student declaration I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism I understand that making a false declaration is a form of malpractice Student’s signature KHANG Grading grid P5 P6 P7 P8 M3 M4 M5 D2 D3 Summative Feedback: Grade: Lecturer Signature: Resubmission Feedback: Assessor Signature: Date: asda ASSIGNMENT Security Presentation Acknowledgement First, I would like to thank the curators of the University of Greenwich, who make these courses available to students I would like to thank all the authors and researchers who have studied the Security program In addition, I would like thank speaker Dang Quang Hien for his very good and professional lectures and tutorials Finally, I would like to thank the teachers and responsible staff of our university Table of Contents Task – Discuss risk assessment procedures (P5) Define a security risk and how to risk assessment I Definition of Security Risk Assessment How does a security risk assessment work? How to risk assessment? Define assets, threats, and threat identification procedures, and give examples II What’s an asset? What’s a threat? Definition of Risk/Threat Identification Risk Identification Procedures Common Risk Identification Methods 10 III List risk identification steps 10 Task – Explain data protection processes and regulations as applicable to an organization (P6) 11 I Define data protection 11 II Explain data protection process in an organization 12 Media failure 12 Data corruption 12 Storage system failure 13 Full-on data center failure 13 III Why are data protection and security regulation important? 13 Task 2.1 – Summarize the ISO 31000 risk management methodology and its application in IT security (M3) 13 Briefly define ISO 31000 management methodology 13 I What is ISO 31000? 13 Why we use it? 14 What are the benefits of ISO 31000? 14 How does it work? 14hat are its applications in IT security? 15 II Task 2.2 – Discuss possible impacts to organizational security resulting from an IT security audit (M4) 15 Define IT security audit 15 I Definition 15 Why your company needs regular IT security audits 15 The steps in an IT security audit 16 How to Ensure Successful Security Auditing 17 II What possible impacts to organizational security resulting from an IT security audit? 17 III When is a security audit needed? 18 Task – Design and implement a security policy for an organization (P7) 18 I Define a security policy and discuss about it 18 II Types of the security policies 19 III Give the most and that should exist while creating a policy 20 Purpose – Explain the reasons for having this policy 20 Scope 20 Policy – State all policy requirements 20 Technical Guidelines – Identify all technological controls required to give data access 21 Reporting Requirements – Explain the standards for incident reporting 22 Ownership and Responsibilities – Specify who owns what and who is accountable for certain actions and controls 22 Enforcement – Specify the penalty for unauthorized access 22 Definitions – Defines any technical words used in this policy 23 Related Documents – Listings and links to all policy-related papers 23 10 Revision History – Record policy revision 23 IV Explain and write down elements of a security policy 24 Purpose 24 Audience and Scope 24 Information security objectives 24 Authority and access control policy 25 Data classification 25 Data support and operations 26 Security awareness and behavior 26 Responsibilities, rights, and duties of personnel 27 V Give the steps to design a policy 27 Identify need 27 Identify who will take lead responsibility 27 Gather information 27 Draft policy 27 Consult with appropriate stakeholders 27 Finalize / approve policy 28 Consider whether procedures 28 Implement 28 Monitor, review, revise 28 Task – List the main components of an organizational disaster recovery plan, justifying the reasons for inclusions (P8) 28 Discuss with explanation about business continuity 28 I Definition 28 Why is business continuity important? 29 What does business continuity include? 29 Three key components of a business continuity plan 30 II List the components of recovery plan 30 Take Inventory of IT Assets 30 Sort Assets According to Criticality and Context 31 Assess Potential Risks 31 Define Your RTO and RPO 31 Select A Disaster Recovery Setup 31 Propose A Budget 31 Test and Review 32 Write down all the steps required in disaster recovery process 32 III Create an inventory 32 Establish a recovery timeline 32 Communicate, communicate, and communicate 32 Back up your data 33 Consider physical damages 33 Consider the human factor 33 Consider insurance 33 Test your disaster recovery plan 33 that the Management Committee is ultimately accountable for all policies and procedures inside the organization Consider whether procedures Internal policies are more likely to necessitate the use of procedures Consider if there is a need for specific instructions on how and by whom the policy will be implemented (For example, a policy on receiving complaints will necessitate a set of procedures outlining how complaints will be handled.) Who will oversee establishing these procedures? When will this be completed? What procedures will be in place for consultation, approval, and implementation? Implement How and to whom will the policy be communicated? Is training necessary for staff and volunteers to help with implementation? Should the organization issue a press release (for stance on external policy)? Monitor, review, revise What monitoring and reporting methods are in place to guarantee policy implementation as well as to analyze usage and responses? When and on what basis will the policy be reviewed and updated (if necessary)? Task – List the main components of an organizational disaster recovery plan, justifying the reasons for inclusions (P8) I Discuss with explanation about business continuity Definition The capacity to maintain critical functions during and after a crisis occurs is referred to as business continuity The most fundamental requirement for business continuity is to maintain critical functions operational during a crisis and to recover with as little downtime as possible A business continuity plan considers a variety of unforeseeable situations, such as natural disasters, fires, disease outbreaks, and cyberattacks Figure 9: Business Continuity Business continuity is critical for firms of all sizes but maintaining all services for the length of a disaster may not be feasible for any save the largest enterprises The first stage in business continuity planning is determining which operations are critical and allocating available funding appropriately Administrators can put in place failover methods once critical components have been identified Organizations are increasingly relying on technology to guarantee that they have up-to-date copies of their data in locations outside than the central data center This allows data access to continue uninterrupted even if one location is unavailable, and it protects against data loss Why is business continuity important? Business continuity is crucial at a time when downtime is unacceptable Some hazards, such as cyberattacks and harsh weather, appear to be worsening A prolonged outage poses a financial, personal, and reputational danger Business continuity aids an organization's resilience by allowing it to respond rapidly to an interruption Business continuity necessitates a company looking at itself, analyzing possible areas of vulnerability, and gathering critical information By implementing business continuity planning, a firm may increase its communication, technology, and resilience Business continuity may also be required for legal or compliance concerns It's critical to understand which regulations apply to a certain company What does business continuity include? Business continuity is a proactive method of ensuring that mission-critical operations continue in the event of an interruption A complete strategy includes contact information as well as procedures for dealing with various events When it comes time to respond, there should be no doubt about how to proceed Customers, staff, and the firm itself might all be jeopardized In the case of a severe crisis, such as a power outage or cyber-attack, it's critical to be open and honest about recovery time and recovery point targets for your company Because not everything is mission-essential, it's necessary to define what must remain operational and what may be brought back up later Collaboration between an organization's IT and security teams to maintain business continuity in the case of a catastrophic disaster can provide significant benefits The whole organization, from high management on down, is involved in the process It is critical to obtain management support and deliver critical information to the whole business Everyone should, at the very least, be aware of how the company intends to respond Three key components of a business continuity plan An organization's resilience may be increased by designing vital services and infrastructures with multiple catastrophe scenarios in mind, such as personnel rotations, data redundancy, and keeping a surplus of capacity Assuring resilience against various eventualities can also assist firms in maintaining key services on-site and off-site without interruption It is critical to recover quickly after a disaster in order to resume company functioning Setting recovery time goals for various systems, networks, or applications might assist prioritize which pieces must be restored first Other recovery tactics include resource inventories, agreements with third parties to assume corporate activities, and the use of adapted premises for mission-critical tasks A contingency plan includes procedures for several external events, as well as a chain of command that distributes duties inside the company These obligations may include replacing hardware, leasing emergency office space, assessing damage, and hiring third-party providers for help II List the components of recovery plan Take Inventory of IT Assets You must first map out all your assets to determine which will require security Assets may include: • • Network equipment Hardware • Software • Cloud services • Critical data Creating a list of assets, albeit time-consuming, can help you to gain a thorough grasp of your company's processes Update your list on a regular basis as assets are added, withdrawn, or updated, and utilize it to purge superfluous data Sort Assets According to Criticality and Context In the case of a big tragedy, which of your company's assets would have the greatest impact if damaged or lost? Examine all your mapped assets and categorize them from high to low effect How does your company make use of these resources? It is not always possible to back up all your data Understanding the significance of each asset and how they interact will allow you to choose which should be prioritized in a disaster recovery strategy Assess Potential Risks What are the most serious dangers to your whole business? Which assets are likely to be targeted by these threats? Critical systems personnel are familiar with the most likely reasons of service disruption You can't predict every possible hazard, but you can devise an effective plan by considering the likelihood and magnitude of each Define Your RTO and RPO Recovery objectives should be determined early in the development of a disaster recovery plan so that an appropriate setup may be selected Recovery objectives are divided into two categories: recovery time and recovery point RTO is the period your assets may be down before being recovered; RPO is the quantity of data you are prepared to lose Contact your company's IT and operations employees to discuss the implications of a potential interruption that might last from one minute to a day or longer This information will help you to set your RTO and RPO, as well as how frequently your data needs to be backed up Select A Disaster Recovery Setup At this point, you have a thorough grasp of your assets, risks, and RTO and RPO You may construct your disaster recovery configuration using this information Having a remote data storage solution in place is critical for protecting your assets from cyberattacks and natural catastrophes that may cause physical harm After you've laid out your needed configuration, choose the cloud services, software, hardware, and partners you'll need to complete it Propose A Budget Regardless of the resources at their disposal, every firm should have a disaster recovery strategy Senior management should be reminded of the need of catastrophe recovery, but solutions with varying price points should be presented Higher budgets will include a Disaster Recovery Plan with stronger RTOs and RPOs, more generous coverage for more essential services, and may be part of a larger business continuity plan Management can establish the correct balance between risk and investment in disaster response technologies with the right information Test and Review The disaster recovery plan will need to be tested and reviewed in the final step to guarantee it is ready All employees must be aware of their responsibilities in the event of a crisis Conduct a catastrophe exercise to put the strategy to the test and to see how employees react to the danger If things don't go as smoothly as you'd want, make changes to the plan A catastrophe recovery strategy is never complete It should be examined on a regular basis, ideally every six months or so, to verify that it is still effective Assets, organizational structure, and IT configuration will all change over time, and the disaster recovery plan must be updated to reflect these changes III Write down all the steps required in disaster recovery process Create an inventory Every business should be aware of which IT resources—systems, hardware, and software—are being used Consider which systems might be impacted if your property had a flood, hurricane, fire, or power loss Aside from a simple inventory, it might be beneficial to include several scenarios in your IT disaster recovery plan Establish a recovery timeline Some companies may require a recovery timescale of minutes, but others may require a longer timetable After you've recorded your IT inventory, you may determine acceptable recovery goals and timescales for restoring certain systems The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) ideas will be useful here: • RTO (Recovery Time Objective): The length of time that should elapse before your IT systems recover • RPO (Recovery Point Objective): The maximum period allowed since the most recent data backup for your IT systems to recover Communicate, communicate, and communicate Inquire with workers about how their job would be impacted if specific systems or networks went down for an extended length of time Create a strategy for communicating with your employees in the case of a power or Internet loss Everyone should be aware of which IT activities may be impacted and who will be accountable for fixing the difficulties Back up your data Cloud storage, off-site data backups, and vendor-supported backups are all alternatives for data backups Working with a reputable managed services provider can assist you in weighing the options and determining which is the best fit for your specific situation Choose data that is static and unchanging, as you may not need to backup it more than once You should also identify which apps and information are mission-critical during the inventory step It is not necessary to back up all your data Consider physical damages You may believe that migrating to the cloud has protected you from disaster, but you must still plan for physical damage to your premises and equipment Power outages and damaged wires may knock your company to its knees Make sure you have a backup generator ready to go in case of a calamity Consider the human factor Employees should be taught on how to spot phishing emails, which are the quickest route into a network and one of the most prevalent sources of data breaches Target experienced a severe data breach in 2013 after attackers gained access to the company's network through a third-party HVAC vendor Control who has administrative access to your systems Consider insurance If you are concerned about the expenses of recovery, purchasing catastrophe insurance as part of a disaster recovery plan may be an appealing choice This includes not just rebuilding your IT equipment, but also investigating the larger repercussions and losses that result from a disaster If this notion appeals to you, consult with an insurance specialist Test your disaster recovery plan An IT disaster recovery strategy should be evaluated at least once a year, preferably twice After not testing their plan for several years, one of our clients noticed that all of their disks failed when they attempted to recover them If this had happened during a genuine disaster, the data would have been lost permanently Work with a reputable MSP to learn about your remediation choices Combine DR and BC When a firm recovers from a crisis, IT is critical, but it is just one component of the puzzle Business continuity (BC) refers to an organization's overall plan for preserving critical business activities as much as feasible during and after a disaster Create and test a comprehensive BC strategy to ensure that you are ready to face any unforeseen occurrence 10 Find the right partner Working with an MSP may be quite beneficial if you want to get another pair of eyes on your disaster recovery plan or professional guidance on how to construct one Disaster recovery is not something that can be set and forget; it must be actively managed over time IV Explain some of the policies and procedures that are required for business continuity Business Continuity Plan (BCP) A Business Continuity Plan (BCP) is a comprehensive recovery strategy in the case of a significant calamity, such as an earthquake, tsunami, or terrorist attack It is stated in sufficient detail so that those who are necessary may carry out the plan with little delay A business continuity plan (BCP) is a collection of resources, activities, processes, and information that have been designed, tested, and are ready for use in the event of a substantial interruption in operations Business Continuity Planning Business continuity planning is the act of making prior plans and processes that will allow VCU to respond to an interrupting event in such a way that vital business functions may continue with little disturbance This exercise yields an effective company continuity strategy (BCP) Business Impact Analysis (BIA) A business impact analysis (BIA) is a comprehensive evaluation of the potential implications of an interruption in a critical function that gathers information needed to establish recovery measures to assist rapidly restart operations Comprehensive Emergency Management Plan (CEMP) A comprehensive emergency response plan (CEMP) is a comprehensive strategy established to enable effective response to and recovery from natural and man-made dangers A CEMP specifies what to in the event of an emergency Regardless of the occurrence, a business continuity strategy assists in minimizing the impact on VCU's business activities Continuity of Operations Plan (COOP) A COOP is a planning phrase that originally referred to business continuity planning (BCP), and it is comparable to a disaster recovery plan Businesses and companies use the phrase more frequently, whereas federal, state, and municipal governments use it to denote long-term planning Critical Functions Critical functions are those required for the campus community's survival, health, safety, and security During an incident, these functions must remain at or above usual levels The functions of life, health, safety, and security will never be shut down and will always require personnel on campus Emergency Operations Plan (EOP) For the purposes of this policy, the word EOP also refers to the university's Comprehensive Emergency Management Plan (CEMP) Mission Essential Functions (MEFs) Departmental essential functions (MEFs) are services, programs, or activities that are critical to a university's ongoing operations and would have a direct impact on the development, distribution, and preservation of knowledge if they were to be halted Stopping them for a lengthy period would have a direct influence on the department's success They are departmental key operations that would be lost if the university stopped conducting them for any period Recovery Time Objective (RTO) The greatest amount of time that a certain business function or resource may be unavailable before causing significant interruption to operations is defined as RTO Also known as maximum permissible downtime 10 Risk Assessment (RA) A risk assessment is a procedure that identifies possible dangers and analyzes what could happen if one happens Task 4.1 – Discuss the roles of stakeholders in the organization to implement security audit recommendations (M5) I Define stakeholders Definition A stakeholder is a party who has an interest in a firm and may either influence or be influenced by it A typical corporation's key stakeholders are its investors, workers, customers, and suppliers Shareholders, customers, suppliers, and staff are examples of significant stakeholders for a firm It is becoming increasingly customary to refer to a larger variety of external stakeholders, such as the government in the nations where the firm works or the public Problems With Stakeholders The most effective businesses properly manage the interests and expectations of all its stakeholders From the standpoint of its shareholders, the basic purpose of a business is to maximize profits and increase shareholder value Because labor expenditures are inescapable for most businesses, a corporation may try to reduce these costs as low as possible This is likely to irritate another group of stakeholders, its employees Why Are Stakeholders Important? Stakeholders are crucial for a variety of reasons Internal stakeholders are crucial since the business's operations rely on their capacity to collaborate toward the company's goals External stakeholders, on the other hand, may have an indirect impact on the firm Customers, for example, can alter their purchasing patterns, suppliers can alter their production and distribution techniques, and governments can alter their laws and regulations Finally, maintaining relationships with internal and external stakeholders is critical to a company's long-term success II What are their roles in an organization? What Is the Role of a Stakeholder? A stakeholder's primary function is to assist a firm in meeting its strategic objectives by giving their expertise and opinion to a project Their support is critical to a successful project, and if they don't like the outcomes, the project is frequently regarded a failure - even if all goals are completed It is the project manager's responsibility to keep stakeholders satisfied by strategically managing their needs: through direct and timely interactions, as well as knowing their expectations and project time frame Such leadership fosters trust and confidence among project stakeholders while also confirming their buy-in or good cooperation What Are the Main Types of Stakeholders? Internal stakeholders – An internal stakeholder is a person or organization who is directly connected to the firm running the project Employees that are members of the project team are examples of internal stakeholders, as are outside contributors such as subcontractors and consultants Internal stakeholders include top management such as the firm president, board of directors, and operational committees External stakeholders – An external stakeholder is an entity that is not directly affiliated with the corporation participating in a project but is nonetheless influenced by its conclusion Vendors, suppliers, creditors, project consumers, project testers, and product user groups are all examples of external stakeholders Examples of Stakeholders Customers – The client is a stakeholder, which is an entity that is inextricably related to the organization and its financial performance Customers are regarded as the most important stakeholder by business owners since their support enables the company to continue operating Companies operate largely to service the requirements of their customers and profit directly from their purchases Employees – Employees are important stakeholders because they produce the goods and services that a firm sells, and the quality of their work has a direct influence on customer service Employees profit financially from the company's continuous growth and performance To preserve product quality and employee confidence, strategic personnel management is critical to a company's success Government – The government is a secondary stakeholder (meaning it is tied to the firm indirectly) since it collects taxes from employees and the corporation collects corporate taxes The media and business support organizations are also secondary stakeholders The government benefits from the company's success as well because it contributes to the GDP (GDP) Investors and shareholders – Investors, shareholders, and stockholders are all forms of major shareholders that provide capital to keep firms financially viable and projects afloat When people are unsatisfied with a company's business plan or direction, they might have a direct influence on its outlook Local communities – A community is a stakeholder in a business's economic success or failure, and it can be called a secondary stakeholder since it benefits from the company's economic investment in the form of job creation Employees who live in the community can then reinvest their earnings to help the community's finances Suppliers and vendors – Suppliers and vendors are important stakeholders since the income earned by sales and services benefits both them and the firm to which they sell They bring resources, materials, and knowledge that corporations not have in-house, which can increase a company's capacity to satisfy the demands of its customers and shareholders References AcqNotes, 2021 Risk Identification Procedures [Online] Available at: https://acqnotes.com/acqnote/tasks/risk-identification-procedures [Accessed 28 august 2022] Crocetti, P., Peterson, S & Hefner, K., 2021 What is data protection and why is it important? [Online] Available at: https://www.techtarget.com/searchdatabackup/definition/data-protection [Accessed 27 august 2022] Doug, 2018 Risk Management Process: Security Analysis Methodology in SecureWatch [Online] Available at: https://riskwatch.com/2018/03/19/riskmanagementprocess/#:~:text=ISO%2031000%20is%20a%20security,a%20formal%20and%20standardized %20workflow [Accessed 22 august 2022] EKUONLINE, 2022 Risk Identification: Essentials [Online] Available at: https://safetymanagement.eku.edu/blog/riskidentification/#:~:text=There%20are%20five%20core%20steps,risk %20treatment%2C%20and%20risk%20monitori ng [Accessed 23 august 2022] FERNANDO, J., 2021 Stakeholder [Online] Available at: https://www.investopedia.com/terms/s/stakeholder.asp#:~:text=A%20stakeholder%20is%20a%20party,employe e s%2C%20customers%2C%20and%20suppliers [Accessed 23 august 2022] Gillis, A S., 2021 security audit [Online] Available at: https://www.techtarget.com/searchcio/definition/securityaudit#:~:text=Security%20audits%20will%20help %20protect,and%20can%20catch%20new%20vulnerabilities [Accessed 23 august 2022] GUERRA, B., 2020 Components That Make A Great Disaster Recovery Plan [Online] Available at: https://www.axiom.tech/7-components-that-make-a-great-disasterrecoveryplan/#:~:text=There%20are%20seven%20main%20components,testing%20and%20reviewing%20th e%20plan [Accessed 23 august 2022] Irwin, L., 2017 Risk terminology: Understanding assets, threats and vulnerabilities [Online] Available at: https://www.vigilantsoftware.co.uk/blog/risk-terminology-understanding-assets-threatsandvulnerabilities [Accessed 22 august 2022] Lutkevich, B., 2021 security policy [Online] Available at: https://www.techtarget.com/searchsecurity/definition/securitypolicy#:~:text=A%20security%20policy%20is%20a ,vulnerabilities%20and%20security%20requirements%20change [Accessed April 2022] MaterClass, 2022 Inside the Role of a Stakeholder: Examples of Stakeholders [Online] Available at: https://www.masterclass.com/articles/stakeholder-explained#what-is-a-stakeholder [Accessed April 2022] Mulligan, B., 2019 10-Step Disaster Recovery Plan for Your IT Department [Online] Available at: https://www.kelsercorp.com/blog/10-step-disaster-recovery-plan-it-department [Accessed April 2022] netwrix, 2022 Data Security and Protection Policy Template [Online] Available at: https://www.netwrix.com/data_security_policy_template.html?fbclid=IwAR1lZghFv7XUbKLYJ8CfaRJVoe8U9bRc Q 1Z7t5HE48XHDX9Mai2-wo9gDL0 [Accessed 15 May 2022] Peterson, O., 2019 What Is ISO 31000? Getting Started with Risk Management [Online] Available at: https://www.process.st/iso-31000/ [Accessed April 2022] Sullivan, E & Crocetti, P., 2020 What is business continuity and why is it important? [Online] Available at: https://www.techtarget.com/searchdisasterrecovery/definition/businesscontinuity [Accessed April 2022] SYNOPSYS, 2022 Security Risk Assessment [Online] Available at: https://www.synopsys.com/glossary/what-is-security-risk-assessment.html [Accessed April 2022] Tierney, M., 2020 IT Security Audits: The Key to Success [Online] Available at: https://blog.netwrix.com/2020/04/09/itsecurityaudit/#:~:text=An%20IT%20security%20audit%20is,ensure%20regulatory%20compliance%2C%20and% 20more [Accessed April 2022] VCU, 2020 Business Continuity Management [Online] Available at: https://policy.vcu.edu/universitywide-policies/policies/business-continuity-management.html Document shared on www.docsity.com [Accessed April 2022] Downloaded by: khang-djao-1 (daovinhkhang0834@gmail.com) Volunteer Now, 2022 How to Develop Policies and Procedures [Online] Available at: https://www.diycommitteeguide.org/resource/how-to-develop-policies-and-procedures [Accessed April 2022] Document shared on www.docsity.com Downloaded by: khang-djao-1 (daovinhkhang0834@gmail.com)