Asm2 1st 7406 bh01085 nguyen dang tung


ASM2 Security is a professional security company providing comprehensive security services and solutions for individuals, businesses and organizations. We are committed to providing the best protection to our customers through the most convenient and technically advanced means.


ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing

Unit number and title: Unit 5: Security


Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Student’s signature: Tung


2.2 How does risk assessment work? 10

2.3 The goals of risk assessment 10

2.4 Five steps in the risk assessment process: 11

2.5 How to do a risk assessment? 12

3 Define assets, threats and threat identification procedures, and give example 14

3.1 Definition of Assets 14

3.2 Definition of Threats 14

3.3 Threats Identification Process 15

3.4 Example of Threats Identification Procedures 15

4 Explain the risk assessment procedure 16

4.1 Asset Identification 16

4.2 Threat Identification: 16

4.3 Assessment of Vulnerability: 16

4.4 Risk Assessment: 17

5 Risk identification steps 17

II Explain data protection processes and regulations as applicable to an organization (P6) 18

1 Define data protection 18

2 Explain data protection process in an organization 19

3 Why are data protection and security regulation important? 20

3.1 Data Protection Important 20


3.2 Security regulation important? 21

III Design and implement a security policy for an organization (P7) 22

1 Define a security policy 22

2 Discuss about security policy 23

2.1 HR policy 24

2.2 Incident response (IR) policy 25

2.3 Acceptable Use Policy (AUP) 26

3 Give an example for each of the policies 28

3.1 HR policy 28

3.2 Incident response (IR) policy 28

3.3 Acceptable Use Policy (AUP) 29

4 Give the musts and shoulds that exist while creating a policy 29

4.1 The musts that must exist while creating a policy 29

4.2 The shoulds that should exist while creating a policy 29

5 Explain and write down elements of a security policy 30

5.1 Purpose 30

5.2 Information security objectives 31

5.3 Authority and access control policy 31

5.4 Data classification 31

6 Give the steps to design a security policy 31

IV Discuss the roles of stakeholders in the organization in implementing security audits (P8) 33

1 Define stakeholders 33

2 Their roles in an organization 36

3 Define security audit and state 37

4 Recommend the implementation of security audit to stakeholders in an organization 38

C CONCLUSION 40

D REFERENCES 40


Figure 1: Security risk 7

Figure 2: Risk assessment 9

Figure 3: Steps in the risk assessment process 11

Figure 4: Qualitative 13

Figure 5: Quantitative 14

Figure 6: Threats 15

Figure 7: Data Protection 19

Figure 8: Importance of Data Protection 21

Figure 9: Importance of security regulation 22

Figure 10: Security Policies 23

Figure 11: Incident response 25

Figure 12: Acceptable Use Policy (AUP) 26

Figure 13: Information security policy framework 30

Figure 14: Stakeholder 34

Figure 15: Types of Stakeholders 35


A INTRODUCTION

In today's interconnected world, the proliferation of digital data has become ubiquitous, permeating every aspect of our personal and professional lives. Data flows freely among individuals, organizations, and enterprises, serving as the lifeblood of modern economies and carrying immense value in its wake. However, this unprecedented level of connectivity and data sharing also exposes it to a myriad of threats, chief among them being cybercrime. Cybercriminals, equipped with increasingly sophisticated tools and techniques, continuously exploit vulnerabilities in digital systems and networks for illicit gains. From ransomware attacks targeting critical infrastructure to data breaches compromising sensitive information, the impact of cybercrime reverberates across industries, causing financial losses, reputational damage, and erosion of trust.

Amidst this backdrop, the need for skilled security professionals tasked with safeguarding businesses and mitigating cyber risks has never been more pressing. Organizations across the globe are scrambling to bolster their cybersecurity defenses, investing in technologies, training, and expertise to combat the growing threat landscape.

This report aims to delve into foundational security concepts essential for navigating the complex terrain of cybersecurity risk management. It begins by exploring risk assessment techniques, which form the bedrock of any effective security strategy. From identifying assets and vulnerabilities to assessing threats and potential impacts, risk assessment enables organizations to prioritize resources and allocate efforts where they are most needed.

B CONTENTS

I Review risk assessment procedures in an organisation (P5)

1 Security risk

1.1 Definition

Security risk refers to the potential for harm, damage, or loss resulting from vulnerabilities in an organization's systems, processes, or assets being exploited by internal or external threats. These risks can take various forms, including unauthorized access, data breaches, system failures, and malicious attacks, among others. Understanding and managing security risks is essential for organizations to protect their sensitive information, maintain operational continuity, and safeguard their reputation and financial well-being. Effective risk management strategies involve identifying, assessing, prioritizing, and mitigating potential threats to ensure a robust security posture (SYNOPSYS, 2024).


Figure 1: Security risk

1.2 The negative school

The negative school of thought regarding risk offers a perspective that views risk as inherently unpleasant, undesirable, and unforeseen. Within this framework, risk is perceived as the potential to encounter discomfort or danger, whether it be financial loss, reputational damage, or operational disruption. Unlike the neutral or positive schools, which may acknowledge the potential benefits or opportunities associated with risk-taking, the negative school tends to focus on the adverse consequences and potential harm that risks pose to individuals or organizations.

In essence, risks are seen as unknown uncertainties that manifest in the activities and production procedures of a company, posing threats to its stability and growth. These uncertainties can arise from various sources, including market fluctuations, technological failures, regulatory changes, or human error. Regardless of their origins, risks have a detrimental effect on the capacity of the firm to continue operating and expanding, potentially leading to financial losses, diminished market share, or even organizational failure.

- Risk is unpleasant, undesirable, and unforeseen

- It represents the potential to experience discomfort or danger

- Risks are unknown uncertainties that arise in a company's activities and production procedures, ultimately impairing the firm's capacity to sustain operations and expand

- According to popular knowledge, risk is simply described as "damage, loss, danger, or elements related to danger, difficulty, or uncertainty that can happen to a person."

1.3 The neutral school


The neutral school of thought regarding risk posits that risk is a measurable uncertainty inherently linked to the occurrence of unforeseen events. Within this framework, risk is characterized by its dual nature: its current value is uncertain, as is its eventual outcome. Unlike the negative school, which often views risk through a lens of potential harm or loss, and the positive school, which tends to see risk as a pathway to potential gain, the neutral school adopts a more objective stance. It acknowledges that risk exists in various forms and contexts, and that its assessment requires a systematic approach that considers both quantitative and qualitative factors.

Within the neutral school, risk is perceived as an inherent part of decision-making processes, particularly in the realms of business, finance, and project management. It is recognized that every action or decision carries a degree of uncertainty, and risk assessment serves as a tool to quantify and manage this uncertainty. Rather than viewing risk as solely negative or positive, the neutral school emphasizes the importance of understanding the probabilistic nature of risk and its potential impact on objectives and outcomes.

Risk is measurable uncertainty that could be linked to the occurrence of unforeseen events; both the risk's current value and its eventual outcome are uncertain.

2 Risk assessment

2.1 Definition

Risk assessment is the process of systematically identifying, analyzing, and evaluating potential risks or uncertainties that could impact an organization, project, or activity. It involves assessing both the likelihood of these risks occurring and the potential consequences or impacts they may have. Risk assessment aims to provide decision-makers with valuable insights into the nature and severity of risks, enabling them to make informed decisions about risk management strategies and resource allocation (Welter, 2024).


Figure 2: Risk assessment

In essence, risk assessment involves several key steps:

 Identification: This step involves identifying and cataloging all potential risks that could affect the organization or project. Risks can stem from various sources, including internal processes, external factors, and human factors.

 Analysis: Once risks have been identified, they are analyzed to determine their nature, causes, and potential triggers. This step involves examining the likelihood of each risk occurring and estimating the magnitude of its potential impacts.

 Evaluation: In this step, the identified risks are evaluated based on their significance and prioritized according to their potential impact on organizational objectives or project outcomes. Risks are often assessed using criteria such as severity, likelihood, and the organization's tolerance for risk.

 Treatment: After risks have been assessed, decision-makers must determine the most appropriate course of action to manage or mitigate them. This may involve implementing control measures, transferring risk to third parties through insurance or contractual agreements, avoiding certain activities or exposures altogether, or accepting the risk and monitoring it closely.

 Monitoring and Review: Risk assessment is an ongoing process that requires regular monitoring and review to ensure that risk management strategies remain effective and relevant. As circumstances change and new risks emerge, organizations must adapt their risk management approach accordingly.


Overall, risk assessment is a critical component of effective risk management, providing organizations with valuable insights into potential threats and vulnerabilities. By systematically evaluating and addressing risks, organizations can minimize their exposure to potential harm, enhance decision-making processes, and improve their overall resilience in the face of uncertainty.

2.2 How does risk assessment work?

The depth of risk assessment models can vary based on factors such as the size, growth rate, resources, and asset portfolio of an organization. When organizations face financial or time constraints, they may opt for generic reviews. However, these generalized evaluations might not provide precise mappings of assets, associated threats, known risks, consequences, and mitigation strategies. If the outcomes of broad assessments fail to adequately address these areas, a more detailed study becomes necessary.

2.3 The goals of risk assessment

At the heart of effective risk management lies a series of essential tasks aimed at safeguarding organizational interests and ensuring continuity. From analyzing potential dangers to justifying expenses, each step plays a vital role in mitigating risks and enhancing overall resilience. Let's delve into these tasks:

 Analyzing Potential Dangers: The first step involves identifying and assessing potential dangers that could threaten the organization's operations, assets, or stakeholders.

 Preventing Diseases or Injuries: By proactively identifying and addressing risks, organizations can mitigate the likelihood of diseases, injuries, or other adverse events occurring.

 Adhering to Legal Obligations: Compliance with legal obligations is crucial for minimizing legal risks and avoiding potential penalties or liabilities.

 Making a Thorough Inventory of Resources: A comprehensive inventory of accessible resources helps organizations understand their assets and vulnerabilities, enabling more effective risk management strategies.

 Defining the Budget for Risk Mitigation: Allocating resources for risk mitigation activities allows organizations to prioritize and address identified risks effectively.

 Justifying the Expenses of Risk Management: Clearly articulating the rationale behind risk management expenses helps secure necessary resources and support from stakeholders.

 Documenting Risks, Threats, and Known Vulnerabilities: Formal documentation of risks, threats, and vulnerabilities ensures that they are clearly defined, prioritized, and addressed in risk mitigation efforts.

 Putting Up a Budget for Risk Mitigation: Establishing a budget specifically earmarked for addressing identified risks, dangers, and vulnerabilities is essential for effective risk management.

 Understanding Return on Investment: Evaluating the return on investment associated with risk management activities helps organizations make informed decisions about allocating resources to mitigate potential risks.


In summary, by systematically carrying out these tasks, organizations can strengthen their ability to anticipate, assess, and mitigate risks, ultimately enhancing their resilience and safeguarding their long-term success.

2.4 Five steps in the risk assessment process:

In the realm of organizational safety and security, navigating potential risks demands a structured approach. This involves a methodical process consisting of five key steps designed to identify, evaluate, and mitigate potential hazards. Let's explore these steps in detail to understand how organizations effectively manage risks to safeguard their operations, assets, and stakeholders.

Figure 3: Steps in the risk assessment process

Step 1: Identify the hazards

- Determine potential sources of harm

- Consider physical, chemical, biological, and organizational factors

- Include long-term and immediate hazards

Step 2: Assess the risks

- Evaluate the likelihood of harm occurring

- Consider the severity of potential injuries or damage

- Take into account existing control measures

Step 3: Control the risks

- Implement measures to reduce or eliminate risks

- Prioritize actions based on risk level

- Ensure control measures are practical and effective

Step 4: Record your findings

- Document identified hazards and their risks

- Keep records of risk control measures

- Ensure documentation is accessible and up to date

Step 5: Review the controls

- Regularly reassess the risk assessment

- Update measures as necessary

- Engage with employees for feedback and improvements

2.5 How to do a risk assessment?

IT agents can approach risk assessment in two ways:

 Qualitative

In qualitative risk assessment, risks are categorized based on their likelihood of occurrence and their potential impact on company operations. Impact refers to the level of danger posed by a genuine threat, often expressed as a range from low (insignificant) to high (catastrophic). While qualitative risk analyses may involve subjective judgments, they help pinpoint the most critical threats. This approach encourages the use of descriptive language and solicits diverse input from individuals across different departments. Through qualitative assessment, technical specialists and business units gain insight into how specific incidents could impact various operations or departments (Contributor, 2022).


Figure 4: Qualitative

 Quantitative

In quantitative risk assessment, risks are quantified in monetary terms, aiming to provide a financial definition of risk. Unlike qualitative analysis, this approach is more objective. However, assigning monetary values to certain risks, such as reputation or the availability of countermeasures, can be challenging. Exact figures for estimating the cost of potential events may be difficult to determine, particularly for future impacts. Despite this challenge, quantitative risk assessments are easier to automate compared to qualitative evaluations (Bhandari, 2023).
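The following is an added worked example (not part of the report) that scores the same three constructed threats both ways: qualitatively with a low/medium/high likelihood-by-impact matrix, and quantitatively in money. The monetary formula used, ALE = SLE × ARO with SLE = asset value × exposure factor, is the standard annualized-loss model and is this example's assumption; the report only states that quantitative assessment works in monetary terms. The `control_net_benefit` function also serves the "Understanding Return on Investment" goal from section 2.3. All names, asset values and rates are constructed sample data.

```python
"""Qualitative versus quantitative risk scoring (added example, not from the report).

Qualitative: likelihood and impact are rated on an ordinal scale and combined in
a risk matrix. Quantitative: each threat is expressed in money using
ALE = SLE x ARO (an assumption of this example; the report only says that
quantitative assessment uses monetary terms). Threat figures are constructed.
"""
from dataclasses import dataclass

# Ordinal scale shared by likelihood and impact (low .. high, as in the text).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    likelihood: str         # qualitative rating: low / medium / high
    impact: str             # qualitative rating: low / medium / high
    asset_value: float      # quantitative input: value of the exposed asset
    exposure_factor: float  # fraction of the asset value lost in one incident
    aro: float              # annualized rate of occurrence (incidents per year)


def qualitative_score(t: Threat) -> int:
    """Risk-matrix cell value: likelihood rank times impact rank (1..9)."""
    return LEVELS[t.likelihood] * LEVELS[t.impact]


def qualitative_rating(t: Threat) -> str:
    """Map the matrix cell back onto the low/medium/high scale."""
    score = qualitative_score(t)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def single_loss_expectancy(t: Threat) -> float:
    """SLE: expected monetary loss from a single incident."""
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE: expected loss per year, i.e. SLE scaled by how often it happens."""
    return single_loss_expectancy(t) * t.aro


def control_net_benefit(t: Threat, annual_control_cost: float, aro_after: float) -> float:
    """Return-on-investment check for a proposed control: the ALE reduction it
    buys minus what it costs per year. Positive means the spend is justified."""
    ale_after = single_loss_expectancy(t) * aro_after
    return annualized_loss_expectancy(t) - ale_after - annual_control_cost


def rank_qualitative(threats):
    """Threat names ordered by matrix score, highest first (ties keep input order)."""
    return [t.name for t in sorted(threats, key=qualitative_score, reverse=True)]


def rank_quantitative(threats):
    """Threat names ordered by ALE, highest first."""
    return [t.name for t in sorted(threats, key=annualized_loss_expectancy, reverse=True)]


# Constructed sample register for a small company (values are illustrative only).
SAMPLE_THREATS = [
    Threat("Ransomware on file server", "medium", "high", 500_000.0, 0.6, 0.5),
    Threat("Lost unencrypted laptop", "high", "medium", 50_000.0, 1.0, 2.0),
    Threat("Datacentre flood", "low", "high", 2_000_000.0, 0.8, 0.05),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:28s} qualitative={qualitative_rating(t):6s} "
              f"ALE={annualized_loss_expectancy(t):>12,.0f}")
    print("qualitative order :", rank_qualitative(SAMPLE_THREATS))
    print("quantitative order:", rank_quantitative(SAMPLE_THREATS))
    # Hypothetical backup control that cuts ransomware ARO from 0.5 to 0.1
    # for 20,000 a year: net benefit = 150,000 - 30,000 - 20,000
    print("backup control net benefit:",
          control_net_benefit(SAMPLE_THREATS[0], 20_000.0, 0.1))
```

Running it shows the trade-off the text describes: the matrix rates the ransomware and laptop threats both "high" and cannot separate them, while the ALE figures (150,000 versus 100,000) give an ordering and a number a budget owner can compare against a control's cost; the price is that the inputs (exposure factor, ARO) are estimates that are hard to obtain.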


Figure 5: Quantitative

3 Define assets, threats and threat identification procedures, and give examples

3.1 Definition of Assets

Assets refer to valuable resources or items that an individual, organization, or entity possesses and controls. These resources can take various forms, including physical assets such as property, equipment, inventory, and infrastructure, as well as intangible assets like intellectual property, patents, trademarks, and goodwill. Assets are essential components of an organization's operations and can contribute to its value and success.

They are typically classified based on their nature, purpose, and use, and are managed and protected to ensure their continued availability and usefulness. Proper identification, evaluation, and management of assets are critical for effective risk management, strategic planning, and decision-making within an organization (TEAM, 2023).

3.2 Definition of Threats

Threats refer to potential sources of harm, danger, or damage that may negatively impact individuals, organizations, systems, or assets. They can arise from natural disasters, accidents, human error, malicious attacks, or technological failures. Threats pose risks to the security, integrity, and functionality of entities or systems, and they can lead to financial losses, operational disruptions, reputational damage, or harm to individuals. Understanding and identifying threats is essential for implementing appropriate risk management strategies and protective measures to mitigate their potential impact and ensure the safety and security of people, assets, and operations.

Figure 6: Threats

3.3 Threat Identification Process

- Organizing pre-work meetings is crucial for discussing the daily tasks to be completed. Employees should be encouraged to remain vigilant of potential hazards and promptly report any identified risks.

- Conducting workplace audits is essential to ensure safety standards are met.

- Performing Job Safety Analysis (JSA) and utilizing Hazard and Operability Studies (HazOps), if feasible, is necessary. It's important to assess any unique methods, components, or structures.

- Reviewing safety information regarding products and accessing publicly available data is essential. This includes examining reports of previous incidents and near misses.

3.4 Example of Threat Identification Procedures

Threats identified in digital documents:

 Data storage failure and lack of document backup pose risks to data integrity and availability.

 When anti-virus software is outdated or contains security vulnerabilities, it creates a potential for virus infection, compromising confidentiality, integrity, and availability.

 Unauthenticated access from unknown sources, poorly developed access control systems, and SQL injection attacks pose risks to confidentiality, integrity, and availability.

 Unauthorized access due to excessive user permissions can lead to confidentiality, integrity, and availability breaches.

Threats identified in physical documents:

 Risks such as fire and hurricanes threaten the physical document, especially when it is not stored in a fire-proof protective container. Additionally, the absence of paper backups increases the risk of availability loss.

 Not locking up vital documents in a safety box poses a risk of confidentiality breach.

4 Explain the risk assessment procedure

A qualified individual or group of individuals with in-depth knowledge of the topic at hand should conduct the risk assessment. Because they are most familiar with the process being evaluated, managers and employees who work with it should be part of the team or used as information sources. The following are the risk assessment procedures:

4.1 Asset Identification

 Asset register: Inventory assets encompass finished goods, parts, or raw materials expected for sale. In accounting, inventory constitutes a current asset on a company's balance sheet. Manufacturing inventories serve as a buffer against demand surges.

 Recording asset attributes and determining relative values

4.2 Threat Identification:

 Once risks posing potential dangers to the business are recognized and the likely magnitude of resulting losses determined, users can decide on defense strategies. A risk assessment reveals various potential hazards, like break-ins, vandalism, or theft, unique to each business, making some risk management tasks seem daunting.

 Categorizing threats: Security threats encompass harmful acts aimed at stealing, corrupting, or disrupting data, organizational systems, or the entire firm.

4.3 Assessment of Vulnerability:

Vulnerability assessment systematically examines an information system's security flaws. It determines the system's exposure to known flaws, rates their severity, and recommends necessary corrections or mitigations.

Examples of preventable threats:


- Code injection attacks such as SQL injection and XSS

- Unauthorized privilege escalation due to inadequate authentication methods

- Insecure default software settings, including easily guessable admin passwords

4.4 Risk Assessment:

Assessing the impact of organizational vulnerability:

 All facilities face varying degrees of risk from natural disasters, accidents, or malicious intent. Facility owners must minimize or mitigate risks from these hazards.

Evaluating the likelihood of vulnerability exploitation:

 Probability considerations are increasingly incorporated into traditional risk assessments. This section introduces basic probability concepts and demonstrates their application in risk assessment.

 Developing a risk management plan and deciding on actions

 Evaluation must consider all potential scenarios alongside the current workplace situation. By assessing the risk level associated with hazards, employers and health and safety committees determine the necessity and extent of a control program.

5 Risk identification steps

Step 1: Formulate Risk Statements

 Gradually compile a list of hazards and characterize them, creating risk statements. These statements detail potential occurrences, reasons, timing, impacts, and types of hazards.

Step 2: Conduct Basic Identification

Address two questions regarding potential risks: why or why not they affect the project, and whether they've been experienced before. Project postmortems or SWOT analyses provide insights.

Step 3: Perform Detailed Identification

Investigate identified hazards further using tools like assumptions analysis, interviews, document reviews, and brainstorming sessions

Step 4: External Cross-Check

- It's time to broaden your list of hazards after compiling one based on the suggestions and expertise of your project team. You can use the external cross-check step to determine whether there is pertinent information accessible outside of the project. Checklists and categories are two resources you may use to undertake external cross-checking.

- A checklist is a collection of common industrial dangers, their root causes, and typical effects. They frequently provide potential answers as well.

- Risks are listed in categories, which are collections of risks that may include subcategories. The "Risk Breakdown Structure," or RBS, is an example of a technique for producing categories. Using this method, you categorize each danger. The following are some examples of categories: technical, operational, commercial, and planning. You then go further into each area.

Step 5: Internal Cross-Check

Map hazards to work breakdown structure (WBS) elements to identify potential impacts on project processes

Step 6: Finalize Risk Statements

The next action is to ascertain whether any components are lacking before finalizing your risk statement. Check the document's correctness by reading it again. It could be beneficial to read the statement aloud to a few more team members.

II Explain data protection processes and regulations as applicable to an organization (P6)

1 Define data protection

Data protection refers to the set of measures and practices implemented to safeguard sensitive information from unauthorized access, disclosure, alteration, or destruction. This sensitive information, often referred to as data, can include personal, financial, proprietary, or any other type of confidential data that an individual or organization wishes to keep secure.

Data protection involves various strategies and technologies to ensure the confidentiality, integrity, and availability of data. This may include encryption, access controls, authentication mechanisms, data backup and recovery processes, and security policies and procedures (SNIA, 2022).


Figure 7: Data Protection

2 Explain data protection process in an organization

When explaining data protection to organizations, it's beneficial to provide clear instructions, simplifying the numerous requirements of GDPR into one overarching demand: ensure data security. By focusing on this fundamental aspect, organizations can streamline their efforts and address potential issues more effectively. To aid in this endeavor, I've compiled a list of commonly used data protection strategies, some of which are outlined in the legislation itself.

Risk Assessment:

 Data protection measures should align with the level of risk associated with the data. While less sensitive data may require less stringent protection, highly sensitive data demands rigorous security measures. Financial considerations often drive these assessments, helping organizations identify data requiring enhanced protection and enhancing overall data processing system efficacy.

 A comprehensive risk assessment should consider the potential consequences of a data breach and the likelihood of its occurrence. The sensitivity of the data significantly impacts the risk level on both axes.

 Data protection officers can assist in conducting these evaluations and establishing robust protocols to mitigate risks. It's advisable to seek assistance rather than proceeding independently, to avoid missteps that could lead to significant repercussions.

Backups:

 Implementing regular backups is crucial to prevent data loss resulting from human error or technological failures. While backups entail organizational costs, the potential disruptions to daily operations can be far more detrimental. Adhering to the principle of data sensitivity, sensitive data should be backed up more frequently than less critical data.

 Secure storage of backups is essential, potentially involving encryption and physical security measures. Avoid storing private information in the cloud and periodically inspect storage media for degradation as recommended by manufacturers. Additionally, follow official guidelines for storage preservation to ensure data integrity and accessibility.

Encryption:


 High-risk data should undergo encryption at every stage of the process, including collection (utilizing online cryptographic techniques), processing (employing full memory encryption), and archival (utilizing RSA or AES encryption methods).

 Properly encrypted data is inherently secure; even in the event of a breach, the data becomes worthless and inaccessible to attackers. GDPR specifically acknowledges encryption as a data security technique, highlighting its effectiveness and potential favor with regulatory authorities.

Pseudonymization:

 Pseudonymization, endorsed by GDPR to enhance data security and individual privacy, involves removing personal identifiers from data sets; it is particularly effective with large data sets.

 For example, replacing individuals' names with randomly generated strings makes it challenging to link data to specific individuals. Institutions and organizations should possess adequate knowledge of pseudonymization processes to effectively safeguard data.
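An added example (not the report's code) of the substitution just described: names and e-mail addresses in a constructed record set are replaced with randomly generated tokens, the token-to-identifier table is returned separately so it can be stored under stricter access control than the pseudonymized data, and a release check confirms that no original identifier survives in the output. The field names and sample records are this example's assumptions.

```python
"""Pseudonymization with random tokens and a separately held lookup table
(added example, not from the report). Identifiers are swapped for random
strings as the text describes; the token -> identifier map is the only way
back, so it is returned separately to be stored apart from the data set and
under stricter access control. Records below are constructed sample data.
"""
import json
import secrets

# Fields treated as direct identifiers (assumption of this example).
IDENTIFIER_FIELDS = ("name", "email")


def pseudonymize(records, fields=IDENTIFIER_FIELDS):
    """Return (pseudonymized_records, lookup). The same identifier always maps
    to the same token within one run, so per-person analysis still works
    without the analyst ever seeing the identifier itself."""
    forward = {}   # identifier -> token, used only while processing
    lookup = {}    # token -> identifier, the re-identification key material
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                value = copy[field]
                if value not in forward:
                    token = secrets.token_hex(8)  # 16 random hex chars, unguessable
                    forward[value] = token
                    lookup[token] = value
                copy[field] = forward[value]
        out.append(copy)
    return out, lookup


def reidentify(record, lookup, fields=IDENTIFIER_FIELDS):
    """Reverse the substitution for one record; only possible with the lookup."""
    restored = dict(record)
    for field in fields:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


def leaks_identifiers(pseudonymized, originals, fields=IDENTIFIER_FIELDS):
    """Release check: True if any original identifier still appears anywhere
    in the serialized pseudonymized records (for example in a free-text field)."""
    blob = json.dumps(pseudonymized)
    return any(rec[f] in blob for rec in originals for f in fields if f in rec)


def self_check(records):
    """End-to-end check used by the demo: no leaks, consistent tokens, and
    every record can be restored from the lookup table."""
    pseudo, lookup = pseudonymize(records)
    if leaks_identifiers(pseudo, records):
        return False
    return all(reidentify(p, lookup) == r for p, r in zip(pseudo, records))


# Constructed sample records; Alice appears twice to show token consistency.
SAMPLE_RECORDS = [
    {"name": "Alice Nguyen", "email": "alice@example.com", "purchase": 120.0},
    {"name": "Bob Tran", "email": "bob@example.com", "purchase": 45.5},
    {"name": "Alice Nguyen", "email": "alice@example.com", "purchase": 10.0},
]

if __name__ == "__main__":
    pseudo, lookup = pseudonymize(SAMPLE_RECORDS)
    print(json.dumps(pseudo, indent=2))          # tokens instead of names/e-mails
    print("leaks identifiers:", leaks_identifiers(pseudo, SAMPLE_RECORDS))
    print("round trip ok:", self_check(SAMPLE_RECORDS))
```

Two points follow from the code. Because the tokens are random rather than derived from the name, someone holding the pseudonymized set alone cannot recompute them; the protection therefore rests entirely on keeping the lookup table separate, which is exactly the GDPR distinction between pseudonymized and anonymized data. And the leak check matters because pseudonymization only covers the fields you list; identifiers copied into notes or other free-text fields would otherwise pass through untouched.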

Access Control:

 Implementing access restrictions within business processes significantly reduces the risk of data breaches or losses. Limiting access to data minimizes the likelihood of unauthorized access. Establishing a clear and concise data protection policy outlining the procedures, roles, and responsibilities of each employee, with guidance from data protection experts, enhances access control effectiveness.

Destruction:

 Data deletion, although not initially perceived as a protective measure, serves as a vital strategy. Deleting unnecessary data safeguards it from unauthorized access and retrieval. GDPR mandates the deletion of obsolete data, with stricter destruction procedures required for sensitive data.

3 Why are data protection and security regulation important?

3.1 The importance of data protection

Data protection is paramount for organizations as it shields their information from fraudulent activities like hacking, phishing, and identity theft. Effective data protection plans are essential for organizational efficiency. As the volume of stored and generated data grows, so does the significance of data protection. Cyberattacks and data breaches can inflict severe harm, necessitating proactive data protection measures and regular updates to safeguards.

Posted: 20/04/2024, 20:08
