
P5

In an organization, to understand cybersecurity is to manage, control and reduce the risks to the company and its important assets. In a business, certain critical activities should be carried out before commencing an IT security risk assessment: reviewing the organization's information technology assets, reviewing the dangers that influence the performance of the organization's business, and identifying the top five business processes that use and need this information.
The purpose of a risk assessment is to determine and analyze, in a methodical manner, the possible risks faced by an IT firm. Following the phases of IT risk assessment described below allows a company to detect any risk that may be present.
1. Recognize and rank the importance of the organization's assets. The organization's valuable assets include servers, information about customers, sensitive documents, and trade secrets. In order to compile an accurate list of the organization's assets, you should collaborate with all of the organization's users as well as management.

2. Identify Threats. Threats are anything that can exploit the vulnerabilities of the organization's security systems. There are many different forms of threats, with hackers and malware attacks being two of the most common types.
- Natural disasters: catastrophes caused by nature, such as floods, hurricanes, fires, and earthquakes. These calamities are capable of destroying all data, servers, and appliances. When determining the location of the server room, careful thought should be given to the possibility of a natural catastrophe, and there should be a solid strategy in place.
- System failures: the likelihood depends on the devices and systems used. For example, if old systems or computers are used, failure is more probable compared with high-quality equipment, which reduces the likelihood of failure by a significant amount.
- Accidental human interference: it does not matter what kind of company you work for; since humans are fallible, anybody may mistakenly delete vital data, click on harmful links in emails, or cause damage to the devices. It is advised that you perform frequent backups of your data, including your system settings and configuration, in order to recover from all of this.

3. Identify Vulnerabilities. Vulnerabilities are the flaws and weaknesses that a threat may exploit to damage the organization's system. Identifying these vulnerabilities is the third step. To identify them, the company needs to perform routine checks on the information technology system.

4. Analyze and Control. Analyze and control all of the threats and vulnerabilities in order to minimize the exploitation of the system. The goal of this step is to minimize the system's potential for being exploited. Controls may be technical, including aspects such as software, hardware, encryption, and the detection of malware. Alternatively, controls may be nontechnical, covering aspects such as security policies, administrative action, and physical and environmental mechanisms. Both technical and nontechnical controls will be necessary for recognizing and avoiding control issues in the future.

5. Assign Information Security Risks a Priority. This step involves assigning a degree of importance to each risk that a company faces, classifying them as either high, medium, or low on a risk-level matrix.
- High: a plan and action must be taken immediately
- Medium: a plan and action must be taken in a reasonable period
- Low: a decision must be made on whether to implement a corrective action

6. Documenting the Results is the sixth and last phase, which involves creating a risk assessment report for the purpose of assisting management in making future decisions on the budget, policies, and procedures. The report has to go through all of the potential threats and vulnerabilities, the effects on the IT infrastructure, and the risks posed to the assets.
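The six phases above, tied together as a small risk register in Python. This is an added example, not part of the original text: the 1 to 3 likelihood and impact scores and the cut-offs of the 3x3 matrix are assumed here, since the text only names the High/Medium/Low tiers, and the register entries are constructed samples.

```python
from dataclasses import dataclass, field

# Assumed 1..3 scoring for likelihood and impact; the page names only the
# High/Medium/Low tiers, so the matrix cut-offs below are ours.
@dataclass
class Risk:
    asset: str          # step 1: the asset whose importance drives impact
    threat: str         # step 2: what could harm it
    vulnerability: str  # step 3: the flaw the threat would exploit
    likelihood: int     # 1 = rare, 3 = likely
    impact: int         # 1 = minor, 3 = critical
    controls: list = field(default_factory=list)  # step 4: controls in place

# Step 5: the required response for each tier, as stated in the text.
ACTIONS = {
    "High": "plan and action must be taken immediately",
    "Medium": "plan and action must be taken in a reasonable period",
    "Low": "decide whether to implement a corrective action",
}

def risk_level(likelihood: int, impact: int) -> str:
    """3x3 risk-level matrix: score = likelihood x impact (assumed cut-offs)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be scored 1..3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def prioritize(register: list) -> list:
    """Step 5: highest risk first; ties broken by asset name for a stable report."""
    return sorted(register, key=lambda r: (-(r.likelihood * r.impact), r.asset))

def report(register: list) -> list:
    """Step 6: one line per risk for the management report."""
    lines = []
    for r in prioritize(register):
        level = risk_level(r.likelihood, r.impact)
        ctl = ", ".join(r.controls) or "none yet"
        lines.append(f"[{level}] {r.asset}: {r.threat} via {r.vulnerability}"
                     f" | controls: {ctl} | {ACTIONS[level]}")
    return lines

# Constructed sample register (not from the page).
SAMPLE = [
    Risk("customer database", "malware", "unpatched server", 3, 3, ["patching", "malware detection"]),
    Risk("server room", "flood", "ground-floor location", 1, 3),
    Risk("trade secrets", "accidental deletion", "no backups", 2, 2, ["weekly backups"]),
]
```

Calling `report(SAMPLE)` returns the prioritized lines, which can be written out as the risk assessment report of step 6.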

P6
Data protection law is legislation that is supposed to be implemented to safeguard and manage personal data against abuses committed by corporations and to ensure that these firms do not exchange personal data with one another without first informing us of their intentions.

Need for data protection - Because everyone uses and registers on the Internet in order to buy products, pay taxes, or make appointments to go to the doctor, all of the data and information about us are stored in database systems and captured by companies without our knowledge, even though we do not work or interact with them. This highlights the need for data protection. Robust data protection procedures and effective regulations for minimizing data exploitation are necessary in order to win back the trust of the general public in both the government and the private sector.

Right to privacy - is recognized by the international human rights framework of the Universal Declaration of Human Rights, with the scope of exercising the right to privacy so that individuals can protect their data and themselves when private companies and third parties require the disclosure of personal data.
When an organization, whether private or public, collects and processes personal information with the intention of using that information, that organization is subject to the requirements of the data protection law and must handle that information in accordance with the data protection law using the following principles:
1) Fair, Lawful, and Transparent - when collecting personal data, it is vital to be fair and transparent so that the data are not used in an unanticipated manner. Additionally, the collection of personal data must be done in accordance with the legislation before the data may be sold and/or transferred. The collection and processing of personal data must take place in accordance with all applicable laws, since this is a fundamental requirement of the law designed to safeguard individuals' privacy.
2) Purpose Limitation - it is not acceptable for the data collected about a person to be used for any purpose other than the necessary one without notification or justification. The data should be used for a specified and valid purpose only, and it should be utilized for that reason alone. This concept is highly significant, and the organization that obtained the data in order to utilize it solely for the reason that was indicated must have a solid understanding of it.
3) Minimisation - the main idea behind data protection is known as data minimisation, and it stipulates that the data gathered should only be processed if doing so is both essential and pertinent. This is important for the preservation of individual rights and information. Any exception must be extremely restricted, and its need and relevance must be specified very precisely.
4) Accuracy - the organization that was responsible for collecting the data has the responsibility of ensuring that, at every stage of the process, each step is carried out in a way that guarantees the data are correct and reduces the likelihood of losing the data.
5) Storage Limitation - the responsibility of the organization, after it has collected and stored the data for the reason necessary, is to delete all of the data once the procedure is complete.
6) Integrity and Confidentiality - all data that is gathered must be secured against any and all risks, including illegal or unauthorized access, loss and destruction of data, or damage to data, until the processing purpose is fulfilled, whether the data is at rest or in transit. Another preventative organizational action is to carry out vulnerability or risk assessment audits on the system on a regular basis.
7) Accountability - the entity using and processing all personal data should be responsible for complying with the requirements of data protection law, and it should be able to prove how the company complies with the data protection law.
P7
In order for an IT organization to maintain all of its standards at a high level and to have a good understanding of how the firm operates, various policies have been put into place, and one of those policies is discussed below.

Networking Server Room Policy

1 Purpose
The purpose of this policy is to maintain the security levels and standards of the network server room devices, data and information for the employees of the company, as well as for the authorized employees accessing the network server room.

2 Scope
This policy covers the appropriate use of the network server room of the IT organization and applies to all engineers who are qualified and trained to access the network server room.

3 Policy
3.1 Technical requirements:
- The network server room must be accessed only by qualified employees
- Ensure the room is clean and tidy at all times
- Ensure the temperature in the room corresponds with the specification given
- Ensure all cables and devices are connected and working within parameters
- Connections to the room devices must be made only if necessary
- Server room access must be conducted once a week or in an emergency

3.2 User requirements:
- When accessing the server room, the qualified employee must sign in and out in the logbook
- When accessing the server room, all personal devices (laptops, phones) must be left outside the room
- Preserve confidentiality when accessing any information about the server
- When accessing the server room, the qualified employee must ensure they use the right equipment for maintenance
- The qualified employee must wash their hands before accessing the server room
- If any issues are discovered that cannot be resolved by the qualified employee who accessed the room, they must be reported to the Maintenance Operation Manager

4 Responsibility
It is the responsibility of the Security Director Manager and his department to ensure that the network server room is accessed once a week by a qualified employee. The responsibility for accessing the network server room for the purpose of maintenance lies with the Security Director Manager, while the responsibility for correct access and maintenance of the network server room lies with the relevant Maintenance Operation Manager.
