ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Nguyen Huu Hoang Khanh
Student ID: GCD220223
Class: GCD1102
Assessor name: Dang Quang Hien

Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature:

Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

❒ Summative Feedback:
❒ Resubmission Feedback:
Grade:
Assessor Signature:
Date:
Lecturer Signature:

Contents

I. DISCUSS RISK ASSESSMENT PROCEDURES
  1. Definition of security risk assessment
  2. How to do a risk assessment
  3. Definition of asset
  4. Definition of vulnerabilities
  5. What is a threat?
  6. Explain the risk assessment procedure
  7. Risk identification step

II. EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANIZATION
  1. Define data protection
  2. Data protection process in "Wheelie Good"
    2.1 Personal information document categories
    2.2 Conduct a risk assessment for categories of the company
    2.3 Decide on risk treatment
    2.4 Implement security data for "Wheelie Good"
    2.5 Measures to protect employee data in the company
    2.6 Review security of personal data
  3. Why are data protection and security regulations important?

III. DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION
  1. Define a security policy
  2. The elements of information privacy policy
    2.4 Authority and access control policy
    2.5 Policies for access control and permissions
    2.6 Security awareness sessions
  3. Give the most and that should exist creating a policy
    3.1 Identify duplicate policies
    3.2 Consider the necessity
    3.3 Use proper terminology
    3.4 Policy maintenance duty definition
    3.5 Configure the policy library
    3.6 Procedures for dealing with exceptions
  4. The steps to design a policy
    4.2 Analysis of security risks for each asset
    4.3 Security requirements analysis
    4.4 Develop a security plan
    4.6 Write it down
    4.7 Establish and enforce the regulations
  5. Implementation of the policy

IV. LIST THE MAIN COMPONENTS OF AN ORGANIZATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION
  1. What is the definition of business continuity?
  2. Components of recovery plan
    2.3 Business functions and tolerance for downtime
    2.4 Important procedures and strategies
    2.6 Schedule tests, reviews, and improvements
  3. Required steps in disaster recovery process
    3.1 The key activities of "Wheelie Good" project
    3.2 Assessment of disaster scenario
    3.3 Create a communication plan
    3.4 Plan for data backup and restoration
  4. Some of the policies and procedures that are required for business continuity
    4.1 Create a strategy and define goals
    4.2 Business continuity planning
    4.3 Perform a business impact analysis
    4.4 Determine crucial business areas
    4.5 Plan to maintain operations
    4.6 Examine and determine ongoing program maintenance

I. DISCUSS RISK ASSESSMENT PROCEDURES

1. Definition of security risk assessment

Information security risk is defined as existing system flaws that can be exploited to steal sensitive data.
The dangers are also substantial, with a wide range of potential occurrences able to wreak havoc on a company's brand and finances.

Figure 1: Security Risk

The overarching goal of such risk evaluations is to improve worker safety. An evaluation should be revisited whenever new steps or stages are added to the process, existing steps, tools, or equipment are modified, or new dangers develop. Auditors also consider risk while developing audit processes for businesses.
Here are some examples of common risk assessments: supervisors at workplaces and schools conduct workplace risk assessments to ensure that there are no health and safety hazards. Such a review also helps to increase productivity and employee morale.

2. How to do a risk assessment

Before beginning the auditing process, we should identify the scope of the audit and the resources required to complete it. The five categories of risk assessment listed below should be considered when beginning the risk assessment process, particularly when defining the scope of the review:

• Qualitative risk assessment
• Quantitative risk assessment
• Generic risk assessment
• Site-specific risk assessment
• Dynamic risk assessment

We must follow a series of steps while doing a risk assessment in order to fully investigate the threats, vulnerabilities, and potential risks that may damage the project in the future. A risk assessment programme should contain the following stages:

a) Identify: In the first phase, we determine the scope of the evaluation, as well as the urgent priorities and dangers.
In the "Wheelie Good" appraisal, valuable assets will include:

• Hardware and software.

b) Assess: This step begins by listing and assessing the identified risks. Following that, we conduct a thorough examination of the highlighted hazards. To evaluate the level of risk, we must first determine the chance of occurrence and the potential severity of security attacks on "Wheelie Good". The hazards should be evaluated using the following criteria:

• System failure: obsolete equipment, outdated technologies.
• Natural catastrophes: fires, earthquakes, floods, and other natural calamities.
• Human error: inexperienced and sensitive personnel.
• Unauthorized behaviour: a hacker may take a computer, erase data, or.
The risk matrix, as illustrated below, is a good tool for this.

Figure 2: Risk Assessment Matrix

c) Control: The next stage is to put control mechanisms in place so that the dangers are managed properly. To eliminate common dangers, conventional controls such as codes of practice, guidelines, and standard operating procedures can be used. If we are unable to eliminate regulatory or high risks, we must use a "ladder of control" together with a mission analysis or statement of procedure, the aim being work that poses no risk. The controls are arranged in decreasing order of effectiveness; this is what is called a "Decentralized Control System". Personal protective equipment (PPE), for example, is the least effective measure, since it only reduces the risk, whereas elimination is the most effective because it removes the risk altogether. Substitution and isolation, together with engineering controls, are similarly effective techniques. One complication is that you will frequently need to employ several controls at once.

Figure 3: Control Level

d) Reassess: After the controls have been implemented, reassess the degree of risk. You may not achieve complete control the first time. If the new level of risk remains too high, go back and take further steps before re-evaluating. We may choose which risk-reduction methods to employ based on the risk matrix. Finally, the threat's extent, the vulnerability, and the impacts must be properly documented.

3. Definition of asset

The data and critical IT-related equipment or components of an organization's systems are referred to as information assets in the IT sector.
These include personal details. This information should be as accessible and usable as possible to prevent hackers and illegal information theft. For physical files, the asset will be the filing cabinet where the data is kept.

4. Definition of vulnerabilities

A vulnerability is a weakness in a system's code that may be easily exploited and that seriously jeopardizes the integrity and availability of the system's security. There are several techniques for exploiting vulnerabilities. The term "error" refers to what remains after such mishaps. While faults do not necessarily constitute a threat, many of them can be exploited by malicious actors, and a fault that can be exploited in this way is known as a vulnerability. Vulnerabilities can be exploited to force software to perform activities for which it was not designed, such as revealing information about the current security mechanisms.
5. What is a threat?

A threat is essentially a harmful action or situation that has the potential to bring harm to an organization, such as theft or illegal access. Threats represent a huge risk to the business, endangering the integrity and availability of its security. A threat can also be caused by administrative errors such as staff mistakes, a technological issue, or an attack.

Figure 4: Security Threat

The threat identification process is a continuous activity that checks for security vulnerabilities and potential system breaches throughout the life of a project. When dangers are detected, we may fix them and prevent unauthorized external access. Project activities such as programmatic and technical meetings, risk analysis, risk planning, communication, and evaluation highlight new and existing dangers in the project. Lessons learned from the database are also useful for identifying possible hazards. When a hazard is identified, it must be documented and analysed in the database.
Types of security threats:

Threat | Meaning / Example | Related security asset
------------------------------------------------------
Spoofing identity | Using another person's password to gain illegal access. | Authentication
DDoS | An attack in which a server is flooded with internet traffic to prevent people from accessing online services and websites that are linked to it. | Availability
Escalate privilege | The most common and severe instance of this is an ordinary user gaining root access. | Authorization
Repudiation | The user has the option to deny having completed an activity, such as transmitting or receiving data. | Non-repudiation
Data tampering | Data can be edited while it is at rest or being sent across a network. | Integrity
Information disclosure | When data is at rest or being sent over a network, it can be modified. | Confidentiality

6. Explain the risk assessment procedure

The goal of the risk assessment process is to identify hazards and estimate the associated risks. When doing a risk assessment, it is critical to be guided by objectives such as:

• Recognize potential dangers.
• Identify and evaluate risks.
• Determine the best ways of removing hazards or reducing risks.
• Set priorities for your resources.

Before undertaking any activity or assignment, a complete risk assessment should be performed in order to successfully eliminate, reduce, or mitigate any dangers to health, safety, and well-being. Once completed, the risk assessment should be reviewed on a regular basis, especially if the existing assessment is no longer valid or if the operation or mission has changed significantly.
In general, the assessment should record any potentially hazardous conditions and the appropriate safeguards for each hazard or risk. To guarantee that all potential threats are identified:

• Consider irregular operations, such as repair and maintenance.
• Review incident reports.
• Examine how work is organized and completed.
• Consider any unusual or anticipated conditions.
• Determine whether the product, machine, or equipment might be changed deliberately or inadvertently.
• Consider the full lifecycle.
• Consider the danger to visitors or the public.

The following sample table may also be used to show hazards graphically:

Mission | Content | Hazard | Risk | MoSCoW
------------------------------------------
Product Risk Assessment | There will be several security flaws. | Inexperienced staff | | Must Have
 | Errors or delays may occur during security patching. | Inadequate equipment | | Must Have
 | Must have a larger security assessment unit to handle this. | | The risk is strong | Must Have
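The identify, assess, control and reassess stages described above, scored with a likelihood-by-severity risk matrix and prioritized with MoSCoW labels like the sample table, as an added Python example that is not part of the original assignment. The 1 to 5 rating scale, the band thresholds, the band-to-MoSCoW mapping and the ratings given to the sample hazards are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Ratings run from 1 (rare / negligible) to 5 (almost certain / severe); the band
# thresholds below are an assumption for this example, not figures from the assignment.
def risk_level(likelihood: int, severity: int) -> str:
    """Assess step: place a likelihood x severity score into a 5x5 matrix band."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("ratings must be between 1 and 5")
    score = likelihood * severity
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

ORDER = {"high": 3, "medium": 2, "low": 1}
MOSCOW = {"high": "Must Have", "medium": "Should Have", "low": "Could Have"}  # assumed mapping

@dataclass
class Hazard:
    name: str
    likelihood: int
    severity: int
    controls: list = field(default_factory=list)  # (description, likelihood cut, severity cut)

    def residual(self) -> tuple:
        """Reassess step: ratings after all controls are applied, never dropping below 1."""
        lik, sev = self.likelihood, self.severity
        for _, lik_cut, sev_cut in self.controls:
            lik, sev = max(1, lik - lik_cut), max(1, sev - sev_cut)
        return lik, sev

def assess(hazards: list, tolerance: str = "medium") -> list:
    """Build the risk register, highest residual risk first; flag anything above tolerance."""
    register = []
    for h in hazards:
        residual = risk_level(*h.residual())
        register.append({
            "hazard": h.name,
            "inherent": risk_level(h.likelihood, h.severity),
            "residual": residual,
            "priority": MOSCOW[residual],
            # "go back and take further steps" while the residual risk is still too high
            "needs_further_action": ORDER[residual] > ORDER[tolerance],
        })
    return sorted(register, key=lambda r: ORDER[r["residual"]], reverse=True)

SAMPLE = [  # constructed register: hazards named on this page, ratings assumed
    Hazard("Inexperienced staff", 4, 4, [("security awareness sessions", 2, 0)]),
    Hazard("Inadequate equipment", 3, 5, [("replace obsolete hardware", 1, 2)]),
    Hazard("Unauthorized behaviour", 4, 5, [("access control policy", 1, 0)]),
    Hazard("Natural catastrophe (flood)", 1, 5),
]
```

Calling `assess(SAMPLE)` returns the register with "Unauthorized behaviour" first, still in the high band after its single control and therefore flagged for further action, while "Inexperienced staff" drops from high to medium once awareness sessions are applied.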
7. Risk identification step

Figure 5: Risk Identification Steps

Risk identification is the process of detecting and analysing hazards to a company's operations and staff. For example, risk identification may entail searching for potential bad events such as accidents, natural disasters, and IT security risks such as malware and ransomware, which could stop the corporation's operations. Firms with strong risk management practices are more likely to mitigate the impact of risks when they occur. The process of risk identification and management is divided into six major stages. The following steps were taken to recognize such dangers:

i. Identify the hazard: We will thoroughly evaluate the entire website for any hazards and concerns that must be addressed. We will highlight possible hazards that the company may face, such as natural disasters, floods, or technical difficulties. We will pay specific attention to processes or activities that might be harmful to the organization, such as objective and arbitrary work, personnel, or maintenance phases.

ii. Identification of victims and solutions: As we look around our business, we examine how business operations or external variables may harm our personnel. Consider who would be harmed if each of the dangers outlined in step one came true.

iii. Risk assessment and precautions: Following the completion of the preceding procedures, we will have a list of potential hazards, their likelihood of occurrence, and the severity of the consequences if they occur. Using the risk assessment data, we may decide which level of risk to prioritize first.

iv. Record detected risks: Risk notes will be kept, and they should contain the hazards discovered as well as the external elements that affect the risk, such as human and behavioural factors.