
ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Student ID

Class Assessor name

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand
that making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:

Catalog
I. Introduction................................................................................................................................................................................ 5
II. Main body.................................................................................................................................................................................. 5
1 Review risk assessment procedures in an organization (P5).......................................................................................................5
1.1 Define a security risk and how to do risk assessment..............................................................................................................5
1.2 Define assets, threats and threat identification procedures....................................................................................................5
1.3 List risk identification steps:.....................................................................................................................................................6
1.4 Review risk assessment procedures in an organisation...........................................................................................................7
2 Explain data protection processes and regulations as applicable to an organisation (P6)..........................................................8
2.1 Define data protection.............................................................................................................................................................8
2.2 Explain data protection process and regulations in an organization........................................................................................8
2.3 Why are data protection and security regulation important?................................................................................................10
3 Design a suitable security policy for an organisation, including the main components of an organisational disaster recovery
plan (P7)....................................................................................................................................................................................... 11
3.1 Define a security policy and discuss about it..........................................................................................................................11
3.2 Give the must and should that must exist while creating a policy.........................................................................................13
3.3 Explain and write down elements of a security policy, including the main components of an organisational disaster
recovery plan............................................................................................................................................................................... 14
3.4 Give the steps to design a policy............................................................................................................................................16
4 Discuss the roles of stakeholders in the organization in implementing security audits (P8).....................................................17
4.1 Define stakeholders............................................................................................................................................................... 17
4.2 What are their roles in an organization?................................................................................................................................18
4.3 Define security audit and state why you need it....................................................................................................................19
4.4 Recommend the implementation of security audit to stakeholders in an organization........................................................21
5 Summarise an appropriate risk management approach or ISO standard and its application in IT security (M3)......................22
5.1 Briefly define a risk management approach or ISO standard.................................................................................................22
5.2 What are its applications in IT security?................................................................................................................................23
6 Analyse possible impacts to organizational security resulting from an IT security audit (M4)..................................................24
6.1 Define IT security audit.......................................................................................................................................................... 24
6.2 What possible impacts to organizational security resulting from an IT security audit...........................................................24
7 Justify the security plan developed giving reasons for the elements selected (M5).................................................................27
7.1 Discuss with explanation about business continuity..............................................................................................................27
7.2 List the components of the organisational disaster recovery plan.........................................................................................28
7.3 Justify and write down all the steps required in the disaster recovery process.....................................................................29
8 Recommend how IT security can be aligned with an organizational policy, detailing the security impact of any misalignment
(D2).............................................................................................................................................................................................. 31
8.1 Define an organizational policy and explain its purposes......................................................................................................31
8.2 What impacts of an organizational policy on IT security and explain how they happen if there is any misalignment between
the policy and IT security?...........................................................................................................................................................32
8.3 Provide a practical example with explanation for each of these impacts..............................................................................33
9 Evaluate the suitability of the tools used in the organizational policy to meet business needs (D3)........................................34
9.1 Define an organizational policy..............................................................................................................................................34
9.2 What tools can you use in an organizational policy?.............................................................................................................35
9.3 Evaluate the suitability of the tools in the organizational policy............................................................................................36
III. CONCLUSION.......................................................................................................................................................................... 37
IV. Evaluation............................................................................................................................................................................... 38
V. REFERENCES............................................................................................................................................................................ 38

Figure

Figure 1. List risk identification steps .......... 6

Figure 2. Data Protection .......... 9

Figure 3. Security policy .......... 12

Figure 4. Stakeholders .......... 19

Figure 5. Briefly define a risk management approach .......... 24

Figure 6. ISO .......... 24

Figure 7. IT security audit .......... 28

Figure 8. Organizational policy and explain its purposes .......... 36

Figure 9. Organizational policy .......... 39

I. Introduction
- As an IT Security Specialist at a prominent security consulting firm, I am charged with protecting
organizations from potential cyber threats. Recently, I had the opportunity to work closely with a
production company called "Wheelie good" based in Ho Chi Minh City. Their core business revolves
around the production of bicycle parts for international export. Throughout the process, my role was not
only to provide the Privacy Policy but also to train and empower "Wheelie good" employees with
information security best practices.

II. Main body

1 Review risk assessment procedures in an organization (P5)

1.1 Define a security risk and how to do risk assessment


- Security Risk: A security risk refers to the potential for harm or loss resulting from the
exploitation of vulnerabilities in an organization's information systems, processes, or physical
infrastructure. These risks can stem from various sources such as cyberattacks, natural disasters,
human error, or malicious insiders.

- Risk Assessment Process: Risk assessment is the process of identifying, analyzing, and evaluating
potential risks to determine their impact and likelihood of occurrence. The process typically
involves several steps including risk identification, risk analysis, risk evaluation, and risk
treatment. [1]

1.2 Define assets, threats and threat identification procedures
- Assets: Assets are valuable resources of an organization that need to be protected. They can
include physical assets (such as buildings, equipment), information assets (such as data,
intellectual property), and human assets (such as employees).

→ Examples: Customer database containing sensitive personal information.

- Threats: Threats are potential events or circumstances that can cause harm to an organization's
assets. They can be intentional (such as cyberattacks, theft) or unintentional (such as natural
disasters, human error).

→ Examples: Cyberattack by hackers attempting to steal customer data.

- Threat Identification Procedures: Threat identification involves systematically identifying and
categorizing potential threats that could exploit vulnerabilities in an organization's assets. This
can be done through various methods including brainstorming sessions, historical data analysis,
and threat intelligence gathering.

→ Examples: Conducting regular vulnerability assessments and penetration testing to identify
potential weaknesses in the organization's IT infrastructure.

1.3 List risk identification steps


1. Identify critical assets: First, identify and list all of the organization's critical assets, including
information, physical assets, infrastructure, and personnel.

→For example: a bank's critical assets include customer data, payment systems, cash, and physical
assets such as ATMs.

2. Identify threats: Identify and classify hazards or threats that could affect the organization's assets
from inside or outside.

→For example: One threat could be a cyber attack from hackers targeting banking systems to steal
customers' personal information.

3. Identify vulnerabilities and weaknesses: Identify vulnerabilities or weaknesses in systems,
processes, or organizational policies that could be exploited by a threat to cause loss or damage.

→ For example: A vulnerability in a bank's security system could be the use of a weak password to
access the system.

4. Estimate likelihood and impact: Assess the occurrence and impact of each risk on the
organization. This helps determine which risks need to be prioritized and managed.

→For example: A cyber attack may be estimated to be highly likely and have a major impact on a
bank's reputation and trust.

5. Identify specific risks: Classify and record specific risks, along with relevant information such as
causes, expected consequences and priorities.

→ For example: A specific risk is the risk of losing customers' personal information through a cyber attack
on the banking system, which can lead to data loss, loss of customer trust and fines for violating
regulations intended to protect personal information.

Figure 1. List risk identification steps

1.4 Review risk assessment procedures in an organisation


- Identify and list assets:

  - Explanation: This process aims to identify and list all of the organization's critical assets, including
information, computer systems, personnel, and physical assets.

  - For example: In a bank, assets might include customer data, transaction systems, computers, and
customer records.

- Identify threats:

  - Explanation: This process focuses on identifying and evaluating potential threats to the
organization's assets from various sources such as hackers, natural disasters, or user error.

  - For example: One threat could be a cyber attack from hackers targeting banking systems to steal
customers' personal information.

- Assess vulnerabilities and weaknesses:

  - Explanation: This process aims to identify and assess vulnerabilities or weaknesses in an
organization's systems, processes or policies that could be exploited by threats to cause loss or
damage.

  - For example: A vulnerability in a bank's security system could be the use of a weak password to
access the system.

- Estimate likelihood and impacts:

  - Explanation: This process is to assess the occurrence and impact of each risk on the organization to
determine which risks need to be prioritized and managed.

  - For example: A cyber attack may be estimated to be highly likely and have a major impact on a
bank's reputation and trust.

- Identify specific risks:

  - Explanation: This process involves classifying and recording specific risks, along with relevant
information such as causes, expected consequences and priorities.

  - For example: A specific risk is the risk of losing customers' personal information through a cyber
attack on the banking system, which can lead to data loss, loss of customer trust and fines for
violating regulations intended to protect personal information.

2 Explain data protection processes and regulations as applicable to an organisation (P6)

2.1 Define data protection


- Data protection refers to the practices, policies, and measures implemented by organizations to protect
the privacy, integrity, and availability of data. It is concerned with ensuring that personal and sensitive
information is handled appropriately, securely and in compliance with relevant regulations and
standards. Data protection aims to prevent unauthorized access, use, disclosure, alteration or
destruction of data, thereby maintaining trust with stakeholders and minimizing the risk of data breach or
misuse.

- Effective data protection includes many different aspects such as encryption, access control, regular
backups, data minimization, and employee training on security best practices. Additionally, organizations
must comply with data protection regulations and standards specific to their jurisdiction or industry to
ensure legal compliance and protect the rights of individuals regarding their personal data. [2]

Figure 2. Data Protection

2.2 Explain data protection process and regulations in an organization


- Data protection processes and regulations within an organization are important for protecting sensitive
information, ensuring compliance with legal requirements, and maintaining trust with stakeholders.

1. Inventory and classify data:

- Organizations start by conducting a comprehensive inventory of the data they collect, store, and
process.

- Data is classified based on sensitivity, importance, and legal requirements. Common classifications
include public, internal, secret, and highly confidential.

2. Risk assessment:

- Risk assessments are performed to identify potential threats and vulnerabilities to an organization's
data.

- Risks are assessed based on likelihood of occurrence and potential impact, helping to prioritize
mitigation efforts.

3. Data access control:

- Access controls are implemented to ensure that only authorized individuals have access to specific
data based on their roles and responsibilities.

- Techniques such as role-based access control (RBAC), authentication mechanisms, and encryption
are used to enforce access restrictions.

4. Data minimization and retention:

- Organizations implement a policy of collecting and retaining only data necessary for legitimate
business purposes.

- Data retention periods are determined based on legal requirements and business needs, and data
that is no longer needed is disposed of securely.

5. Data encryption:

- Encryption is used to protect data both during transmission and at rest, ensuring that even if
unauthorized individuals gain access to that data, they cannot read its contents without the
appropriate encryption key.

6. Training and raising awareness for employees:

- Employees are trained on data protection policies, procedures and best practices to ensure they
understand their roles and responsibilities in protecting data.

- Regular awareness campaigns help reinforce the importance of data protection and promote a
culture of security within the organization.

7. Data breach response plan:

- Organizations develop and maintain data breach response plans to effectively respond to and
minimize the impact of any data breach.

- The plan includes steps to contain the breach, assess the scope and impact of the breach, notify
affected individuals and regulators as required by law, and take appropriate remedial measures.

8. Compliance with regulations:

- Organizations must comply with data protection regulations that apply to their industry and
geographic location, such as the General Data Protection Regulation (GDPR) in the European Union
or the Health Insurance Portability and Accountability Act (HIPAA) in the United States.

- Compliance includes understanding and complying with legal requirements related to data
collection, processing, storage and disclosure, as well as implementing appropriate technical and
organizational measures to protect data.
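Steps 1, 3 and 4 above (classification, role-based access control and retention) can be enforced together by a small policy check that runs before any record is served. The block below is an added example written for this page, not code from the original assignment or from any product; the classification ordering uses the four levels named in step 1, while the roles, clearances, retention periods and sample inventory are constructed assumptions. It denies by default, treats records past their retention period as due for disposal rather than serving them, and writes every decision to an audit log for the monitoring described later in the policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Step 1: classification levels named in the text, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "secret": 2, "highly confidential": 3}

# Step 3: role-based access control. Each role may read records up to its clearance
# and nothing above it. Roles and clearances are constructed for this example.
ROLE_CLEARANCE = {
    "marketing": "public",
    "staff": "internal",
    "finance": "secret",
    "security_officer": "highly confidential",
}

# Step 4: retention period per classification, in days (constructed values).
RETENTION_DAYS = {"public": 3650, "internal": 1095, "secret": 730, "highly confidential": 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date

    def __post_init__(self):
        # A record with an unknown label can never be matched against the role table.
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification: {self.classification!r}")


def can_access(role: str, record: Record) -> bool:
    """Deny by default: an unknown role gets nothing, a known role only up to its clearance."""
    clearance = ROLE_CLEARANCE.get(role)
    if clearance is None:
        return False
    return LEVELS[record.classification] <= LEVELS[clearance]


def retention_deadline(record: Record) -> date:
    return record.created + timedelta(days=RETENTION_DAYS[record.classification])


def is_expired(record: Record, today: date) -> bool:
    return today > retention_deadline(record)


def decide(role: str, record: Record, today: date, audit_log: list) -> str:
    """Apply retention first, then access control, and log every decision so a reviewer
    can later see who asked for what. Returns 'dispose', 'allow' or 'deny'."""
    if is_expired(record, today):
        decision = "dispose"      # past retention: must be disposed of, not served
    elif can_access(role, record):
        decision = "allow"
    else:
        decision = "deny"
    audit_log.append(f"{today.isoformat()} role={role} record={record.record_id} "
                     f"class={record.classification} decision={decision}")
    return decision


def retention_sweep(records, today: date):
    """Return the ids of records whose retention period has passed (candidates for secure disposal)."""
    return [r.record_id for r in records if is_expired(r, today)]


# Constructed sample inventory (step 1) and reference date for the example.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Record("cust-001", "highly confidential", date(2024, 1, 15)),
    Record("memo-007", "internal", date(2020, 1, 1)),
    Record("price-list", "public", date(2023, 3, 10)),
    Record("ledger-2023", "secret", date(2023, 2, 1)),
]

if __name__ == "__main__":
    log = []
    for role in ("marketing", "staff", "finance", "security_officer", "intern"):
        for rec in INVENTORY:
            decide(role, rec, TODAY, log)
    print("\n".join(log))
    print("to dispose:", retention_sweep(INVENTORY, TODAY))
```

Two design points are worth noting: the role table is consulted with `.get()` so a role that was never provisioned is denied even for public data, and the retention check runs before the access check so an expired record is never served to anyone, which is what step 4's "disposed of securely" requires.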

2.3 Why are data protection and security regulation important?
1. Protecting Individual Privacy: Data protection regulations ensure that individuals have control over
their personal information. This helps safeguard privacy rights by preventing unauthorized access,
use, or disclosure of sensitive data.

2. Preventing Data Breaches: Regulations set standards for data security measures, reducing the risk of
data breaches. By implementing these measures, organizations can minimize the likelihood of
unauthorized access to sensitive information, thereby protecting both individuals and businesses
from financial loss and reputational damage.

3. Building Trust and Credibility: Compliance with data protection regulations enhances trust and
credibility between organizations and their customers, partners, and stakeholders. It demonstrates a
commitment to ethical data handling practices, which is essential for maintaining positive
relationships and sustaining business success.

4. Facilitating Cross-Border Data Flows: In an increasingly globalized world, data protection regulations
help facilitate cross-border data transfers by establishing common standards for data handling. This
promotes interoperability between different legal jurisdictions and enables organizations to conduct
international business operations more efficiently.

5. Enabling Innovation: Data protection regulations provide a framework for responsible data usage,
which fosters innovation in technology and business practices. By establishing clear guidelines for
data collection, processing, and sharing, regulations encourage organizations to develop innovative
solutions while protecting individual privacy rights.

6. Mitigating Risks: Regulations require organizations to assess and mitigate risks associated with data
handling practices. By identifying vulnerabilities and implementing appropriate security measures,
organizations can reduce the likelihood of data breaches and other security incidents, thereby
minimizing potential harm to individuals and businesses.

7. Ensuring Legal Compliance: Compliance with data protection regulations is mandatory and failure to
comply can result in significant penalties, fines, and legal consequences. Therefore, adherence to
these regulations is essential for avoiding legal liabilities and maintaining regulatory compliance.

8. Protecting National Security: Data protection regulations may also include provisions aimed at
protecting national security interests, such as safeguarding critical infrastructure and preventing
cyber threats. By establishing robust security protocols and incident response procedures,
regulations help safeguard national security interests in the digital domain.

3 Design a suitable security policy for an organisation, including the main
components of an organisational disaster recovery plan (P7)

3.1 Define a security policy and discuss about it


a, Define

- A security policy is a formal document that outlines an organization's approach to information security.
It serves as a framework for defining, implementing, and maintaining security controls to protect the
organization's assets, including data, technology systems, and physical infrastructure. A comprehensive
security policy encompasses various aspects of security management, including access control, data
protection, incident response, and compliance with relevant regulations. [3]

Figure 3. Security policy

b, Key Components of a Security Policy:

- Purpose and Scope: This section defines the purpose of the security policy and its applicability to the
organization's operations. It outlines the scope of the policy, specifying the systems, data, and
resources covered.

→ Example: The purpose of this security policy is to ensure the confidentiality, integrity, and availability
of the organization's information assets, including data, systems, and physical infrastructure. This policy
applies to all employees, contractors, and third-party vendors who have access to the organization's
resources.

- Roles and Responsibilities: Clearly delineates the roles and responsibilities of individuals within the
organization regarding security. This includes responsibilities for management, IT personnel,
employees, and third-party vendors.

→ Example:

  - Management: Senior management is responsible for establishing the security objectives, providing
resources for implementation, and ensuring compliance with the security policy.

  - IT Personnel: IT administrators are responsible for implementing and maintaining security controls,
monitoring security events, and responding to security incidents.

  - Employees: All employees are responsible for adhering to security policies and procedures,
safeguarding sensitive information, and reporting security concerns promptly.

- Access Control: Describes the principles and procedures for controlling access to information
systems, networks, and physical facilities. It includes guidelines for user authentication,
authorization, and access privileges.

→ Example: Access to the organization's network and systems is restricted to authorized users only.
Users must authenticate using unique credentials (e.g., username and password) and adhere to the
principle of least privilege, granting access only to resources necessary for their job roles.

- Data Protection: Outlines measures for protecting sensitive data from unauthorized access,
disclosure, or alteration. This may include encryption, data masking, access controls, and secure data
disposal practices.

→ Example: Sensitive data, such as customer personally identifiable information (PII) or proprietary
business information, must be encrypted when transmitted over public networks and stored securely
using encryption or access controls. Data classification policies define the sensitivity level of data and
appropriate protection measures.

- Incident Response: Defines procedures for detecting, responding to, and mitigating security
incidents. It includes reporting mechanisms, escalation procedures, and steps for investigating and
remediating security breaches.

→ Example: In the event of a security incident, employees must immediately report the incident to the IT
security team. The incident response plan outlines procedures for containing the incident, assessing its
impact, notifying relevant stakeholders, and restoring normal operations. Regular incident response drills
are conducted to test the effectiveness of the plan.

- Physical Security: Addresses measures for safeguarding physical assets, such as facilities, equipment,
and storage media. This may include access controls, surveillance systems, and security patrols.

→ Example: Physical access to data centers, server rooms, and other sensitive areas is restricted to
authorized personnel only. Access controls, such as biometric authentication or access cards, are
implemented to prevent unauthorized entry. Surveillance cameras and security patrols are used to
monitor physical premises.

- Security Awareness and Training: Specifies requirements for educating employees about security
risks and best practices. This may include security awareness training, phishing simulations, and
ongoing communication about security policies and procedures.

→ Example: All employees receive mandatory security awareness training upon joining the organization
and undergo regular refresher training sessions. Training topics include recognizing phishing emails,
creating strong passwords, and adhering to security policies. Employees are encouraged to report
security incidents and participate in security awareness campaigns.

- Compliance and Legal Requirements: Ensures that the organization complies with relevant laws,
regulations, and industry standards related to information security. This may include data protection
regulations (e.g., GDPR, HIPAA), industry-specific standards (e.g., PCI DSS), and contractual
obligations.

→ Example: The organization complies with relevant data protection regulations, such as the General
Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), as
applicable to its operations. Regular audits are conducted to ensure compliance with regulatory
requirements and industry standards.

- Monitoring and Auditing: Describes procedures for monitoring security controls, detecting
anomalies, and conducting periodic security assessments. It includes mechanisms for logging
security-related events and conducting audits to assess compliance with the security policy.

→ Example: Security controls, such as intrusion detection systems and security information and event
management (SIEM) tools, are deployed to monitor network traffic and detect suspicious activities. Logs
of security events are regularly reviewed, and periodic security assessments are conducted to identify
vulnerabilities and weaknesses in the security posture.

- Policy Enforcement and Review: Specifies mechanisms for enforcing the security policy, such as
disciplinary actions for non-compliance. It also outlines procedures for reviewing and updating the
policy to address emerging threats, changes in technology, and regulatory requirements.

→ Example: Non-compliance with security policies and procedures may result in disciplinary action,
including warnings, suspension, or termination, depending on the severity of the violation. The security
policy is reviewed annually and updated as needed to address emerging threats, changes in technology,
and regulatory requirements.

3.2 Give the must and should that must exist while creating a policy
- Must:

1. Purpose and Scope: Clearly define the purpose of the policy and specify its applicability to the
organization's operations. This section should outline the scope of the policy, including the systems,
data, and resources covered.

2. Roles and Responsibilities: Clearly delineate the roles and responsibilities of individuals within the
organization regarding security. This includes responsibilities for management, IT personnel,
employees, and third-party vendors.

3. Access Control: Establish principles and procedures for controlling access to information systems,
networks, and physical facilities. Define requirements for user authentication, authorization, and
access privileges.

4. Data Protection: Outline measures for protecting sensitive data from unauthorized access,
disclosure, or alteration. This may include encryption, access controls, data masking, and secure data
disposal practices.

5. Incident Response: Define procedures for detecting, responding to, and mitigating security incidents.
This includes reporting mechanisms, escalation procedures, and steps for investigating and
remediating security breaches.

- Should:

1. Physical Security: Address measures for safeguarding physical assets, such as facilities, equipment,
and storage media. This may include access controls, surveillance systems, and security patrols.

2. Security Awareness and Training: Specify requirements for educating employees about security risks
and best practices. This may include security awareness training, phishing simulations, and ongoing
communication about security policies and procedures.

3. Compliance and Legal Requirements: Ensure that the organization complies with relevant laws,
regulations, and industry standards related to information security. This may include data protection
regulations (e.g., GDPR, HIPAA), industry-specific standards (e.g., PCI DSS), and contractual
obligations.

4. Monitoring and Auditing: Describe procedures for monitoring security controls, detecting anomalies,
and conducting periodic security assessments. This includes mechanisms for logging security-related
events and conducting audits to assess compliance with the security policy.

5. Policy Enforcement and Review: Specify mechanisms for enforcing the security policy, such as
disciplinary actions for non-compliance. Also, outline procedures for reviewing and updating the
policy to address emerging threats, changes in technology, and regulatory requirements.

3.3 Explain and write down elements of a security policy, including the main
components of an organisational disaster recovery plan
a, Security Policy:

1. Purpose and Scope: Clearly define the purpose of the security policy and its scope, outlining the
systems, data, and resources it covers.

→Example: "The purpose of this security policy is to ensure the confidentiality, integrity, and availability
of ABC Corporation's information assets, including customer data, proprietary information, and IT
systems. This policy applies to all employees, contractors, and third-party vendors who access or handle
ABC Corporation's information resources."

2. Roles and Responsibilities: Clearly delineate the roles and responsibilities of individuals within the
organization regarding security.

→Example:

- Management: Responsible for setting security objectives, providing resources, and ensuring
compliance.

- IT Personnel: Responsible for implementing security controls, monitoring security events, and
responding to incidents.

- Employees: Responsible for adhering to security policies, safeguarding sensitive information, and
reporting security incidents.

3. Access Control: Establish principles and procedures for controlling access to information systems,
networks, and physical facilities.

→Example: "Access to ABC Corporation's network and systems is granted based on the principle of least
privilege. Users must authenticate using unique credentials and adhere to access control policies based
on their job roles."

4. Data Protection: Outline measures for protecting sensitive data from unauthorized access,
disclosure, or alteration.

→Example: "Sensitive data, such as customer information or intellectual property, must be encrypted
when transmitted over public networks and stored securely using access controls and encryption."

5. Incident Response: Define procedures for detecting, responding to, and mitigating security incidents.

→Example: "In the event of a security incident, employees must immediately report it to the IT security
team. The incident response plan outlines procedures for containing the incident, assessing its impact,
and restoring normal operations."

b, Organizational Disaster Recovery Plan:

1. Risk Assessment: Conduct a risk assessment to identify potential threats and vulnerabilities to the
organization's operations.

→Example: Identify risks such as natural disasters, cyberattacks, hardware failures, and human errors.

2. Backup and Recovery Procedures: Establish procedures for regularly backing up critical data and
systems to ensure their availability in the event of a disaster.

→Example: Implement automated backup processes for data and system configurations, with regular
testing to ensure data integrity and recovery readiness.

3. Disaster Recovery Team: Formulate a disaster recovery team responsible for coordinating response
efforts and executing the disaster recovery plan.

→Example: Designate members from IT, operations, and management to form the disaster recovery
team with clearly defined roles and responsibilities.

4. Communication Plan: Develop a communication plan for notifying stakeholders and coordinating
response efforts during a disaster.

→Example: Establish communication channels and protocols for internal and external communication,
including emergency contact information for key personnel.

5. Testing and Training: Conduct regular testing and training exercises to ensure the effectiveness of
the disaster recovery plan and familiarize personnel with their roles and responsibilities.

→Example: Conduct simulated disaster scenarios, tabletop exercises, and drills to test response
procedures and identify areas for improvement.

6. Documentation and Review: Maintain comprehensive documentation of the disaster recovery plan,
including procedures, contact lists, and recovery strategies.

→Example: Document recovery procedures, recovery time objectives (RTOs), and recovery point
objectives (RPOs), and periodically review and update the plan based on lessons learned and changes in
the organizational environment.
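Backup and recovery procedures (item 2) only count as tested when a restore is actually verified, and RTOs and RPOs (item 6) only mean something when a drill measures them. The following is an added example, not part of the original assignment or of any product: it records a SHA-256 manifest of the protected files at backup time, verifies a restored copy against that manifest, and checks the recovery point and recovery time objectives. The file contents, timestamps, the 4-hour RPO and the 2-hour RTO are constructed sample values.

```python
"""Backup restore test with RPO and RTO checks (added example; sample data is constructed)."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample files as they were at backup time.
SOURCE_FILES = {
    "customers.db": b"id,name\n1,Alice\n2,Bob\n",
    "config.yaml": b"tls: true\nmin_version: 1.2\n",
}
RPO = timedelta(hours=4)  # assumed: at most 4 hours of data may be lost
RTO = timedelta(hours=2)  # assumed: service must be back within 2 hours


def build_manifest(files):
    """Map each file name to the SHA-256 digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest, restored):
    """Compare restored files with the manifest taken at backup time.

    Returns a sorted list of findings; an empty list means the restore is intact.
    """
    findings = []
    for name, expected in manifest.items():
        if name not in restored:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(restored[name]).hexdigest() != expected:
            findings.append(f"corrupt: {name}")
    findings.extend(f"unexpected: {name}" for name in restored if name not in manifest)
    return sorted(findings)


def rpo_met(last_backup, incident_time, rpo=RPO):
    """The data-loss window is the time elapsed since the last good backup."""
    return incident_time - last_backup <= rpo


def rto_met(restore_started, restore_finished, rto=RTO):
    """The recovery window is how long the restore actually took."""
    return restore_finished - restore_started <= rto


def run_drill():
    """Simulate one recovery drill and return its results as a dict."""
    manifest = build_manifest(SOURCE_FILES)
    # Simulated restore in which the database came back altered.
    restored = dict(SOURCE_FILES)
    restored["customers.db"] = b"id,name\n1,Alice\n2,Bobby\n"
    last_backup = datetime(2024, 1, 1, 0, 0)   # constructed timestamps
    incident = datetime(2024, 1, 1, 6, 0)      # 6 h after the backup: RPO of 4 h is missed
    restore_start = datetime(2024, 1, 1, 6, 15)
    restore_end = datetime(2024, 1, 1, 7, 45)  # restore took 90 min: within the 2 h RTO
    return {
        "integrity_findings": verify_restore(manifest, restored),
        "rpo_met": rpo_met(last_backup, incident),
        "rto_met": rto_met(restore_start, restore_end),
    }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

In this drill the restore comes back with one corrupt file and the backup interval is too long for the stated RPO, so both findings would go into the lessons-learned review that item 6 calls for; the manifest must be stored separately from the backup itself, otherwise a corrupted or tampered backup could carry a matching manifest.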

3.4 Give the steps to design a policy
1. Identify Objectives: Determine the objectives of the policy, such as protecting sensitive data,
mitigating security risks, or ensuring regulatory compliance. Clearly define the goals that the policy
aims to achieve.

2. Gather Requirements: Gather input from stakeholders, including management, IT personnel, legal
advisors, and employees, to understand their security requirements and concerns. Identify any legal
or regulatory requirements that must be addressed by the policy.

3. Research Best Practices: Research industry best practices, standards, and regulations relevant to the
organization's sector. This may include frameworks such as ISO 27001, NIST Cybersecurity
Framework, or industry-specific regulations like GDPR or HIPAA.

4. Define Scope: Clearly define the scope of the policy, including the systems, data, and resources it
covers. Determine who and what the policy applies to within the organization.

5. Develop Policy Components: Develop the key components of the policy, including purpose and
scope, roles and responsibilities, access controls, data protection measures, incident response
procedures, and any other relevant sections based on the organization's needs.

6. Draft the Policy: Draft the policy document using clear and concise language. Ensure that the policy
is written in a way that is understandable and accessible to all relevant stakeholders.

7. Review and Revision: Review the draft policy with key stakeholders, including management, legal
advisors, and IT personnel, to gather feedback and identify any necessary revisions. Incorporate
feedback and make revisions as needed to ensure accuracy and effectiveness.

8. Approval Process: Obtain approval for the policy from appropriate stakeholders, such as executive
management or the board of directors. Ensure that all stakeholders understand and support the
policy before finalizing it.

9. Communication and Training: Communicate the policy to all employees and stakeholders within the
organization. Provide training and awareness programs to ensure that employees understand their
roles and responsibilities under the policy.

10. Implementation and Enforcement: Implement the policy within the organization's operations and
enforce compliance with its requirements. Establish mechanisms for monitoring and enforcing
adherence to the policy, such as regular audits and disciplinary measures for non-compliance.

11. Periodic Review and Updates: Periodically review and update the policy to reflect changes in the
organization's operations, technology, regulations, or best practices. Ensure that the policy remains
current and effective in addressing the organization's security needs.

4 Discuss the roles of stakeholders in the organization in implementing security
audits (P8)

4.1 Define stakeholders


1. Leadership (Board of Directors, Executive Board): The organization's leadership is primarily
responsible for determining the information security strategy, providing resources and supporting
the security audit process. They need to promote information security awareness within the
organization and ensure commitment from all departments.

2. Information Security Department (CISO or information security team): This department is
responsible for designing, implementing, and maintaining information security policies, standards,
and procedures. They coordinate with stakeholders to ensure compliance and effectiveness of
security measures.

3. Internal Audit or Quality Assurance Department: This department is typically responsible for testing
and evaluating the performance of deployed information security measures. They ensure that the
security audit process is carried out fully and effectively.

4. Information Technology (IT) Department: The IT department supports the implementation of
information security measures and provides technical support during the audit process. They
coordinate with the information security department to deploy and maintain security solutions.

5. Employees and end users: Employees and end users play an important role in implementing
information security measures. They must comply with security policies and procedures, participate
in training programs, and report security issues when necessary.

6. External stakeholders: In addition to the parties within the organization, there are external
stakeholders such as partners, customers, regulators, and associate partners. They can also play an
important role in supporting and performing the information security audit process. [4]

Figure 4. Stakeholders

4.2 What are their roles in an organization?


1. Leadership Team (Board of Directors, Executive Management):

- Setting the Strategic Direction: The leadership team establishes the strategic direction for
information security within the organization. They define the overall goals and objectives related to
security audits and allocate resources accordingly.

- Providing Oversight and Support: The leadership team provides oversight and support to ensure that
security audits are conducted effectively. They endorse the importance of security audits and ensure
that they align with the organization's broader objectives.

- Approving Policies and Procedures: The leadership team approves security policies, procedures, and
standards. They ensure that these documents reflect the organization's risk appetite and comply
with relevant regulations.

2. Information Security Team (CISO or Information Security Department):

- Designing Security Controls: The information security team designs security controls and measures
to address identified risks. They develop policies, procedures, and technical solutions to enhance the
organization's security posture.

- Implementing Security Measures: The information security team implements security measures
across the organization. They work with other departments to deploy and configure security
technologies, conduct security awareness training, and enforce compliance with security policies.

- Conducting Audits and Assessments: The information security team leads or participates in security
audits and assessments. They evaluate the effectiveness of existing security controls, identify gaps or
vulnerabilities, and recommend improvements to mitigate risks.

3. Internal Audit or Quality Assurance Department:

- Conducting Audits and Reviews: The internal audit or quality assurance department is responsible
for conducting audits and reviews of the organization's security practices. They assess compliance
with security policies and procedures, identify weaknesses or deficiencies, and make
recommendations for improvement.

- Providing Independent Assessment: Internal auditors provide an independent assessment of the
organization's security posture. They offer objective insights into the effectiveness of security
controls and help ensure transparency and accountability in the audit process.

4. Information Technology (IT) Department:

- Supporting Security Initiatives: The IT department supports security initiatives by implementing
technical solutions and providing technical expertise. They deploy and maintain security
technologies such as firewalls, antivirus software, and intrusion detection systems.

- Assisting with Audits: The IT department assists with security audits by providing access to IT
systems and data, responding to auditor inquiries, and implementing audit recommendations. They
ensure that IT systems and infrastructure meet security requirements and standards.

5. Employees and End Users:

- Following Security Policies and Procedures: Employees and end users are responsible for following
security policies and procedures established by the organization. They adhere to security best
practices, such as using strong passwords, safeguarding sensitive information, and reporting security
incidents promptly.

- Participating in Training and Awareness: Employees and end users participate in security training and
awareness programs to enhance their understanding of security risks and responsibilities. They stay
informed about security threats and contribute to a culture of security within the organization.

6. External Stakeholders:

- Providing Oversight and Guidance: External stakeholders, such as regulators, industry associations,
and business partners, may provide oversight and guidance on security audits. They may set
standards or requirements that the organization must meet and provide feedback on audit findings
and remediation efforts.

- Collaborating on Security Initiatives: External stakeholders collaborate with the organization on
security initiatives, such as information sharing and joint audits. They contribute expertise and
resources to enhance the organization's security capabilities and resilience.

4.3 Define security audit and state why you need it


a, Define

- A security audit is a systematic evaluation of an organization's information security practices, policies,
procedures, and controls. It aims to assess the effectiveness of the organization's security measures,
identify vulnerabilities or weaknesses in its security posture, and recommend improvements to mitigate
risks and enhance security.

1. Evaluation of Security Controls: Assessing the adequacy and effectiveness of technical,
administrative, and physical security controls implemented by the organization, such as firewalls,
access controls, encryption, and security policies.

2. Compliance Assessment: Ensuring compliance with relevant laws, regulations, standards, and
industry best practices governing information security, such as GDPR, HIPAA, PCI DSS, ISO 27001, or
NIST Cybersecurity Framework.

3. Risk Assessment: Identifying and analyzing potential security risks and threats to the organization's
assets, including data breaches, cyberattacks, insider threats, and natural disasters.

4. Review of Security Policies and Procedures: Examining the organization's security policies,
procedures, and guidelines to verify their alignment with security objectives, regulatory
requirements, and industry standards.

5. Testing and Validation: Conducting technical assessments, penetration testing, vulnerability
scanning, and other security testing methods to identify vulnerabilities and weaknesses in the
organization's systems and applications.

6. Incident Response Readiness: Evaluating the organization's readiness to respond to security
incidents and breaches, including incident detection, response procedures, incident reporting, and
post-incident analysis.

7. Documentation and Reporting: Documenting audit findings, observations, and recommendations in
a comprehensive audit report. The report may include an executive summary, detailed findings, risk
ratings, and prioritized recommendations for remediation.

b, Reason

- Risk Management: Security audits help organizations identify and mitigate security risks, reducing
the likelihood and impact of security incidents such as data breaches, financial losses, reputational
damage, and legal liabilities.

- Compliance Assurance: Security audits ensure that organizations comply with relevant laws,
regulations, and industry standards governing information security. Compliance with these
requirements helps demonstrate due diligence and reduces the risk of non-compliance penalties and
fines.

- Continuous Improvement: Security audits provide valuable insights into the organization's security
posture and highlight areas for improvement. By addressing audit findings and implementing
recommended controls, organizations can continuously enhance their security capabilities and
resilience.

- Enhanced Trust and Credibility: Demonstrating a commitment to security through regular audits
enhances trust and credibility with customers, partners, stakeholders, and regulators. It instills
confidence that the organization takes security seriously and safeguards sensitive information
effectively.

- Cybersecurity Awareness: Security audits raise awareness of cybersecurity risks and best practices
among employees and stakeholders. They promote a culture of security within the organization and
encourage proactive measures to protect against emerging threats.

4.4 Recommend the implementation of security audit to stakeholders in an organization

1. Security Awareness Test:

- Organizations can conduct surveys or personal conversations with users to gauge their level of security
awareness. Questions may focus on their understanding of security threats, basic security measures, and
their attitude toward complying with the organization's security policies and procedures.

2. Test Security Knowledge Through Training:

- Organizations can organize information security training courses for employees and require them to
complete tests or exercises to assess their knowledge of security. These exams may focus on basic
security concepts, preventing information attacks, and implementing security measures in real-life
situations.

3. Check User Safety Behavior:

- Organizations can use cyber behavior monitoring tools to monitor users' online behavior and detect
unusual or malicious activities. Reports generated from these tools can help organizations identify
security issues and take preventative measures.

4. Check Compliance with Policies and Procedures:

- Organizations may perform periodic or non-routine checks to ensure that users comply with the
organization's security policies and procedures. This may include checking that users have taken security
measures such as changing passwords periodically, not sharing authentication information, and
reporting security incidents promptly.

5. Check Users' Skills in Recognizing Phishing and Handling Malicious Email:

- Organizations can organize phishing tests or simulations to evaluate the ability to identify and prevent
phishing attacks. Users may be asked to identify and report malicious or fraudulent emails.

6. Effective Feedback and Evaluation:

- Organizations can use feedback from security testing activities to evaluate the effectiveness of security
training and education measures. This feedback can be used to tailor training programs and improve
user security awareness and behavior.

5 Summarise an appropriate risk management approach or ISO standard and its application in IT security (M3)

5.1 Briefly define a risk management approach or ISO standard


a, Briefly define a risk management approach

- A risk management approach is a systematic and structured method used by organizations to identify,
assess, and mitigate risks that could impact their objectives. It involves identifying potential risks,
evaluating their likelihood and potential impact, implementing strategies to manage or reduce the risks,
and monitoring and reviewing the effectiveness of these strategies.

Figure 5. Briefly define a risk management approach

b, ISO standard

- ISO standards provide internationally recognized frameworks for various management systems. In the
context of risk management in IT security, ISO 27001 is a key standard. ISO 27001 specifies requirements
for establishing, implementing, maintaining, and continually improving an information security
management system (ISMS). It provides a systematic approach to managing information security risks
and protecting sensitive data, ensuring confidentiality, integrity, and availability.

Figure 6. ISO

5.2 What are its applications in IT security?


1. Risk Management: ISO 27001 provides a systematic approach to identifying, assessing, and
managing information security risks within an organization's IT environment. It helps organizations
identify vulnerabilities, assess the likelihood and impact of potential risks, and implement controls to
mitigate or manage those risks effectively.

→Example: An IT department conducts a risk assessment using ISO 27001 guidelines to identify potential
security risks associated with the organization's network infrastructure. They identify vulnerabilities such
as outdated software, weak authentication mechanisms, and lack of encryption. Based on the
assessment, the IT team develops a risk treatment plan that includes implementing software updates,
enhancing authentication measures, and encrypting sensitive data to mitigate these risks.

2. Information Security Management System (ISMS): ISO 27001 helps organizations establish and
maintain an Information Security Management System (ISMS) tailored to their IT security needs. An
ISMS is a framework of policies, procedures, and controls that ensures the confidentiality, integrity,
and availability of information assets.

→Example: An organization implements an ISMS based on ISO 27001 requirements to manage its IT
security. They establish policies, procedures, and controls for protecting information assets, such as data
classification, access control, incident response, and encryption. The ISMS provides a structured
framework for managing IT security risks and ensures that security measures are aligned with
organizational objectives and compliance requirements.

3. Compliance: ISO 27001 helps organizations comply with legal, regulatory, and contractual
requirements related to IT security. By implementing the standard's requirements, organizations
demonstrate their commitment to safeguarding sensitive information and meeting compliance
obligations.

→Example: A financial institution obtains ISO 27001 certification to demonstrate compliance with
regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS) and the
General Data Protection Regulation (GDPR). ISO 27001 certification provides assurance to customers and
regulatory authorities that the organization has implemented effective IT security controls and
safeguards sensitive financial and personal data in accordance with legal and industry standards.

4. Third-Party Assurance: ISO 27001 certification provides assurance to customers, partners, and
stakeholders that an organization has implemented robust IT security practices. It enhances trust
and confidence in the organization's ability to protect sensitive data and manage security risks
effectively.

→Example: A cloud service provider achieves ISO 27001 certification to assure customers of the security
of its cloud infrastructure and services. The certification demonstrates that the provider has
implemented robust IT security practices to protect customer data from unauthorized access, disclosure,
or loss. ISO 27001 certification enhances trust and confidence in the provider's ability to safeguard
sensitive information and meet customers' security requirements.

5. Cybersecurity Resilience: ISO 27001 helps organizations build resilience against cybersecurity
threats by implementing a comprehensive set of security controls and measures. It enables
organizations to detect, respond to, and recover from security incidents in a timely and effective
manner.

→Example: An e-commerce company implements ISO 27001-compliant security controls to enhance its
cybersecurity resilience. They deploy intrusion detection systems, conduct regular vulnerability scans,
and establish incident response procedures to detect and respond to cyber threats effectively. In the
event of a security incident, the organization follows predefined incident response protocols to mitigate
the impact and restore normal operations promptly.

6. Business Continuity: ISO 27001 incorporates requirements for business continuity planning and
disaster recovery. It helps organizations develop strategies and measures to ensure the continuity of
critical IT operations in the event of disruptive incidents or emergencies.

→Example: A manufacturing company develops a business continuity plan (BCP) aligned with ISO 27001
requirements to ensure the resilience of its IT infrastructure and operations. The BCP includes measures
such as data backup and recovery procedures, alternative communication channels, and off-site data
storage to minimize disruptions and maintain critical IT functions during emergencies or disasters.
Regular testing and review of the BCP help the organization identify and address gaps in its business
continuity preparedness.

6 Analyse possible impacts to organizational security resulting from an IT security audit (M4)

6.1 Define IT security audit


- An IT security audit is a systematic evaluation of an organization's information technology systems,
infrastructure, policies, and procedures to assess their compliance with established security standards,
best practices, and regulatory requirements. The primary goal of an IT security audit is to identify
vulnerabilities, weaknesses, and areas of non-compliance that may pose risks to the organization's
information assets, data integrity, confidentiality, and availability. [5]

Figure 7. IT security audit

6.2 What possible impacts to organizational security resulting from an IT
security audit

1. Identification of Vulnerabilities: The audit may reveal previously unidentified vulnerabilities and
weaknesses in the organization's IT systems, infrastructure, policies, and procedures. These
vulnerabilities could include outdated software, misconfigured systems, inadequate access controls,
or gaps in data protection measures.

→Example: During an IT security audit, it's discovered that the organization's web server is running
outdated software with known vulnerabilities. These vulnerabilities could potentially be exploited by
attackers to gain unauthorized access to the server and compromise sensitive data. The audit report
highlights these vulnerabilities, prompting the organization to promptly patch the software, update
configurations, and implement additional security measures to mitigate the risk.
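The outdated-software finding in the example above is usually produced by comparing a host's software inventory against a baseline of minimum acceptable versions. The following is an added example, not code from the original assignment or from any product, that performs that comparison over a constructed inventory and a constructed baseline. It also shows the one detail that such checks often get wrong: versions must be compared numerically component by component, because a plain string comparison treats "1.9.3" as newer than "1.10.0".

```python
"""Outdated-software check against a minimum-version baseline (added example; data is constructed)."""
import re

# Constructed baseline: component -> minimum version considered acceptable.
BASELINE = {
    "webserver": "2.4.58",
    "tls-lib": "3.0.13",
    "app-runtime": "1.10.0",
}

# Constructed inventory gathered from one host: component -> installed version.
INVENTORY = {
    "webserver": "2.4.41",    # behind the baseline
    "tls-lib": "3.0.13",      # exactly at the baseline
    "app-runtime": "1.9.3",   # behind, but a string comparison would say it is newer
    "db-client": "14.2",      # no baseline entry at all
}


def parse_version(text):
    """Split '2.4.58' into (2, 4, 58); a non-numeric tail such as '-beta' is ignored."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_outdated(installed, minimum):
    """True if the installed version is numerically below the minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    # Pad with zeros so that 2.4 compares equal to 2.4.0.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit_inventory(inventory=INVENTORY, baseline=BASELINE):
    """Return (outdated components, components with no baseline entry).

    Each outdated entry is (component, installed version, required minimum).
    Components missing from the baseline are reported separately: the audit
    cannot vouch for them, and the baseline itself needs updating.
    """
    outdated, unknown = [], []
    for component, installed in sorted(inventory.items()):
        if component not in baseline:
            unknown.append(component)
        elif is_outdated(installed, baseline[component]):
            outdated.append((component, installed, baseline[component]))
    return outdated, unknown


if __name__ == "__main__":
    outdated, unknown = audit_inventory()
    for component, installed, minimum in outdated:
        print(f"PATCH {component}: {installed} < {minimum}")
    for component in unknown:
        print(f"NO BASELINE {component}")
```

The "no baseline" list matters as much as the patch list: a component that nobody has set a minimum version for is one that nobody is tracking, which is exactly the kind of gap the audit in the example above is meant to surface.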

2. Risk Awareness: The audit findings raise awareness among stakeholders about the security risks
facing the organization. It provides insight into the potential consequences of security breaches and
the importance of implementing robust security measures to mitigate risks effectively.

→Example: The findings of an IT security audit reveal that employees frequently use weak passwords
and share login credentials, posing a significant risk of unauthorized access to sensitive systems and data.
The audit report raises awareness among employees about the importance of strong password policies
and the risks associated with poor password practices. As a result, the organization conducts security
awareness training to educate employees about password security best practices and encourages them
to adopt stronger password practices to mitigate the risk of unauthorized access.

3. Compliance Gaps: The audit may uncover areas of non-compliance with regulatory requirements,
industry standards, or internal security policies. Failure to comply with these requirements could
result in legal and financial penalties, reputation damage, and loss of customer trust.

→Example: An IT security audit identifies several areas of non-compliance with the Payment Card
Industry Data Security Standard (PCI DSS), including inadequate encryption of cardholder data and
insufficient access controls. The audit report highlights these compliance gaps, prompting the
organization to take corrective actions to address the deficiencies and achieve compliance with PCI DSS
requirements. Failure to comply with PCI DSS could result in fines, penalties, and reputational damage,
making compliance a top priority for the organization.

4. Operational Disruption: Implementing corrective actions and remediation measures identified
during the audit may disrupt normal business operations. For example, patching vulnerabilities,
updating software, or reconfiguring systems may require downtime or temporary changes to
workflows, impacting productivity and efficiency.

→Example: Following an IT security audit, the organization implements recommended changes to its
network infrastructure to enhance security, including implementing firewall rules, segmenting network
traffic, and configuring intrusion detection systems. These changes require scheduled downtime and
temporary disruptions to network services, impacting business operations. However, the organization
recognizes that the short-term disruptions are necessary to strengthen its security posture and mitigate
the risk of cyberattacks and data breaches.

5. Resource Allocation: The audit findings may necessitate the allocation of additional resources, such
as personnel, budget, or technology investments, to address identified security gaps and
vulnerabilities. Organizations may need to prioritize security initiatives and reallocate resources to
enhance their security posture effectively.

→Example: An IT security audit reveals that the organization lacks sufficient resources and expertise to
effectively monitor and respond to security incidents in real time. As a result, the organization allocates
additional budget and hires dedicated security personnel to establish a Security Operations Center (SOC)
and implement a Security Information and Event Management (SIEM) system. These investments enable
the organization to improve its incident detection and response capabilities and enhance its overall
security posture.

6. Improved Security Posture: Despite the potential disruptions and resource requirements, an IT
security audit ultimately contributes to improving the organization's security posture. By addressing
identified vulnerabilities, implementing security controls, and enhancing security awareness,
organizations strengthen their defenses against cyber threats and reduce the likelihood of security
incidents.

→Example: After conducting an IT security audit, the organization implements a series of security
enhancements, including strengthening access controls, encrypting sensitive data, and implementing
multi-factor authentication. These measures significantly reduce the organization's susceptibility to cyber
threats and improve its overall security posture. As a result, the organization experiences fewer security
incidents and data breaches, leading to increased confidence in its ability to protect sensitive
information effectively.

7. Enhanced Trust and Confidence: Demonstrating a commitment to IT security through regular audits
and proactive risk management enhances trust and confidence among customers, partners,
stakeholders, and regulatory authorities. It reassures them that the organization takes security
seriously and has implemented measures to protect sensitive information effectively.

→Example: Following an IT security audit, the organization obtains ISO 27001 certification,
demonstrating its commitment to information security best practices and compliance with international
standards. The certification enhances trust and confidence among customers, partners, and
stakeholders, who recognize the organization's dedication to protecting sensitive information and
managing security risks effectively. As a result, the organization gains a competitive advantage and
strengthens its relationships with stakeholders.

8. Continuous Improvement: An IT security audit fosters a culture of continuous improvement in
information security practices. Organizations use audit findings and recommendations as feedback
to refine and enhance their security strategies, policies, and procedures, ensuring ongoing alignment
with evolving threats and best practices.

→Example: An IT security audit identifies areas for improvement in the organization's incident response
procedures, such as communication protocols, escalation procedures, and incident reporting
mechanisms. In response, the organization conducts a post-audit review to evaluate the effectiveness of
its incident response capabilities and implements enhancements based on lessons learned from the
audit findings. These continuous improvement efforts enable the organization to refine its security
practices and adapt to evolving threats, ensuring ongoing resilience against cyber risks.

7 Justify the security plan developed giving reasons for the elements selected (M5)

7.1 Discuss with explanation about business continuity


1. Maintaining Operations: Business continuity planning helps organizations maintain critical business
operations and functions, even in the face of unexpected events such as natural disasters,
cyberattacks, or system failures. By identifying key processes and resources, organizations can
develop strategies to minimize downtime and ensure continuity of services to customers, partners,
and stakeholders.

2. Minimizing Disruption: Disruptions to business operations can have significant financial,
reputational, and operational consequences for organizations. Business continuity planning helps
mitigate the impact of disruptions by implementing measures such as backup systems, redundant
infrastructure, and alternative work arrangements to minimize downtime and maintain productivity.

3. Protecting Reputation: The ability to effectively respond to and recover from disruptions
demonstrates resilience and reliability, enhancing an organization's reputation and credibility with
customers, partners, and stakeholders. A well-developed business continuity plan helps

organizations demonstrate their commitment to delivering consistent and reliable services, even
under adverse conditions.

4. Ensuring Compliance: Regulatory requirements and industry standards often mandate the
implementation of business continuity planning as part of an organization's risk management and
compliance efforts. Compliance with these requirements helps organizations avoid legal and
regulatory penalties, maintain business licenses, and protect against reputational damage resulting
from non-compliance.

5. Mitigating Financial Losses: Disruptions to business operations can result in significant financial
losses, including lost revenue, increased expenses, and potential liability claims. Business continuity
planning helps organizations identify potential financial impacts of disruptions and implement
strategies to mitigate losses, such as insurance coverage, financial reserves, and business
interruption planning.

6. Enhancing Stakeholder Confidence: Customers, partners, investors, and other stakeholders expect
organizations to have plans in place to ensure continuity of operations and protect their interests in
the event of disruptions. Business continuity planning demonstrates proactive risk management and
instills confidence in stakeholders that the organization is prepared to respond effectively to
unforeseen events.

7. Promoting Organizational Resilience: Business continuity planning fosters a culture of resilience
within an organization, emphasizing the importance of preparedness, adaptability, and agility in
responding to challenges and uncertainties. By regularly reviewing and updating business continuity
plans, organizations can strengthen their resilience and ability to navigate disruptions effectively
over time.

7.2 List the components of the organisational disaster recovery plan


1. Executive Summary: A high-level overview of the disaster recovery plan, including its objectives,
scope, key stakeholders, and critical functions.

2. Introduction: A brief introduction outlining the purpose and importance of the disaster recovery
plan, as well as the roles and responsibilities of individuals involved in its execution.

3. Scope and Objectives: Clearly defined scope and objectives of the disaster recovery plan, including
the types of disasters or incidents covered, the expected outcomes, and the timeline for recovery.

4. Risk Assessment: An assessment of potential risks and threats to the organization's operations,
infrastructure, and data, including natural disasters, cyberattacks, human errors, and equipment
failures.

5. Critical Functions and Dependencies: Identification of critical business functions, processes,
systems, and dependencies that must be prioritized for recovery to ensure continuity of operations.

6. Recovery Strategies: Strategies and approaches for recovering critical functions and systems
following a disaster or disruptive event, including backup and restoration procedures, failover
mechanisms, and alternative work arrangements.

7. Response and Notification Procedures: Procedures for responding to and managing a disaster or
incident, including activation of the disaster recovery plan, communication protocols, escalation
procedures, and notification of key stakeholders.

8. Roles and Responsibilities: Clear assignment of roles and responsibilities to individuals and teams
involved in executing the disaster recovery plan, including their specific duties, authorities, and
contact information.

9. Resource Requirements: Identification of resources required for disaster recovery efforts, including
personnel, equipment, facilities, and external services or vendors.

10. Communication Plan: A communication plan outlining how information will be disseminated to
employees, customers, partners, suppliers, regulatory authorities, and other stakeholders during
and after a disaster, including alternative communication channels.

11. Testing and Training: Procedures for testing and validating the effectiveness of the disaster recovery
plan through drills, exercises, simulations, and tabletop discussions. Training programs for
employees to ensure they understand their roles and responsibilities and are prepared to execute
the plan effectively.

12. Documentation and Maintenance: Documentation of all aspects of the disaster recovery plan,
including policies, procedures, contact lists, recovery strategies, test results, and incident reports.
Regular review and updating of the plan to reflect changes in the organization's operations,
technology, and risks.

13. Compliance and Governance: Alignment of the disaster recovery plan with relevant laws,
regulations, industry standards, and best practices governing disaster recovery and business
continuity. Compliance with applicable requirements to ensure legal and regulatory obligations are
met.

14. Appendices: Additional supporting documentation, templates, forms, and reference materials
relevant to the disaster recovery plan, such as emergency contact lists, facility maps, vendor
contracts, and recovery site agreements.

7.3 Justify and write down all the steps required in the disaster recovery process

- The disaster recovery process involves a series of steps to respond to and recover from a
disruptive event or disaster effectively.

1. Risk Assessment:

- Justification: Conducting a risk assessment helps identify potential risks and threats to the
organization's operations, infrastructure, and data. Understanding these risks is essential for
developing an effective disaster recovery plan tailored to the organization's specific needs and
vulnerabilities.

2. Business Impact Analysis (BIA):

- Justification: A BIA assesses the potential impact of a disaster on critical business functions, processes,
and resources. It helps prioritize recovery efforts by identifying which functions are most vital to the
organization's operations and determining the maximum tolerable downtime for each function.

3. Plan Development:

- Justification: Developing a comprehensive disaster recovery plan involves documenting the strategies,
procedures, and resources required to recover critical functions and systems following a disaster. A
well-developed plan ensures that the organization can respond effectively and minimize the impact
of disruptions on business operations.

4. Testing and Validation:

- Justification: Regular testing and validation of the disaster recovery plan help identify gaps,
weaknesses, and areas for improvement before a real disaster occurs. Testing ensures that recovery
strategies and procedures work as intended, employees understand their roles and responsibilities,
and systems can be restored within acceptable timeframes.

5. Training and Awareness:

- Justification: Providing training and awareness programs to employees ensures that they understand
their roles and responsibilities in the event of a disaster. Training helps employees respond
effectively, follow established procedures, and contribute to the organization's recovery efforts.

6. Implementation and Activation:

- Justification: Implementing and activating the disaster recovery plan involves executing predefined
procedures to respond to and manage a disaster. Activation of the plan triggers the mobilization of
resources, communication with stakeholders, and initiation of recovery efforts to minimize
downtime and restore critical functions.

7. Communication and Notification:

- Justification: Communication and notification procedures ensure that relevant stakeholders are
informed about the disaster, its impact, and the organization's response efforts. Effective
communication helps maintain transparency, manage expectations, and coordinate recovery efforts
among internal and external stakeholders.

8. Recovery and Restoration:

- Justification: Recovery and restoration activities focus on restoring critical functions, systems, and
data to their pre-disaster state. This may involve deploying backup systems, restoring data from
backups, reconfiguring infrastructure, and implementing temporary workarounds to maintain
business continuity.

9. Monitoring and Evaluation:

- Justification: Monitoring and evaluating the recovery process help track progress, identify issues,
and make necessary adjustments to ensure successful recovery. Regular monitoring enables the
organization to assess the effectiveness of recovery efforts, address emerging challenges, and refine
procedures for future incidents.

10. Documentation and Reporting:

- Justification: Documenting the disaster recovery process, including actions taken, decisions made,
and outcomes achieved, is essential for accountability, transparency, and compliance purposes.
Reporting provides stakeholders with insights into the organization's response efforts, lessons
learned, and areas for improvement.

11. Post-Incident Review and Lessons Learned:

- Justification: Conducting a post-incident review and lessons-learned exercise allows the organization
to evaluate the effectiveness of its disaster recovery efforts, identify strengths and weaknesses, and
capture insights for future improvements. Learning from past experiences helps enhance the
organization's resilience and preparedness for future incidents.
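Steps 2, 3 and 4 above (BIA, plan development, testing and validation) can be checked mechanically: once each critical function has a maximum tolerable downtime and the systems it depends on have estimated restore times, a script can derive a restoration order and tell you before the disaster whether the plan fits inside each MTD. The Python below is an added example, not code from this assignment or from any of its referenced sources. Every function name, system name, restore time and dependency in it is constructed sample data.

```python
"""Added example (not part of the assignment): a small business impact analysis
(BIA) helper.  Given critical functions with their maximum tolerable downtime
(MTD) and the systems each one depends on, it derives a dependency-respecting
restoration order, most urgent function first, and reports every function whose
systems cannot be restored inside its MTD.  All names, hours and dependencies
below are constructed sample data."""


def plan_recovery(functions, systems):
    """Return (order, violations).

    functions: {name: {"mtd_hours": float, "depends_on": [system, ...]}}
    systems:   {name: {"restore_hours": float, "depends_on": [system, ...]}}

    Functions are handled lowest-MTD first.  Each system is restored once, after
    the systems it depends on.  Recovery is assumed to be serial (one team, one
    system at a time), which gives a conservative elapsed-time estimate; a
    dependency cycle is reported as an error because it can never be restored.
    """
    order = []          # systems in the sequence they get restored
    restored_at = {}    # system -> elapsed hours when its restore completed
    elapsed = 0.0
    violations = {}     # function -> (hours until its systems are back, MTD)

    def restore(system, chain=()):
        nonlocal elapsed
        if system in restored_at:
            return
        if system in chain:
            raise ValueError("dependency cycle: " + " -> ".join(chain + (system,)))
        if system not in systems:
            raise KeyError("unknown system %r" % system)
        for dep in systems[system]["depends_on"]:
            restore(dep, chain + (system,))
        elapsed += systems[system]["restore_hours"]
        restored_at[system] = elapsed
        order.append(system)

    for name, spec in sorted(functions.items(), key=lambda kv: kv[1]["mtd_hours"]):
        for system in spec["depends_on"]:
            restore(system)
        ready = max((restored_at[s] for s in spec["depends_on"]), default=0.0)
        if ready > spec["mtd_hours"]:
            violations[name] = (ready, spec["mtd_hours"])
    return order, violations


# Constructed sample estate: restore times are the estimates a BIA would record.
SAMPLE_SYSTEMS = {
    "network":   {"restore_hours": 1.0, "depends_on": []},
    "identity":  {"restore_hours": 2.0, "depends_on": ["network"]},
    "db":        {"restore_hours": 4.0, "depends_on": ["network"]},
    "web":       {"restore_hours": 1.0, "depends_on": ["identity", "db"]},
    "mail":      {"restore_hours": 2.0, "depends_on": ["identity"]},
    "reporting": {"restore_hours": 3.0, "depends_on": ["db"]},
}

# Constructed sample functions with the MTD the business owners agreed to.
SAMPLE_FUNCTIONS = {
    "customer_orders":   {"mtd_hours": 6.0,  "depends_on": ["web"]},
    "staff_email":       {"mtd_hours": 24.0, "depends_on": ["mail"]},
    "monthly_reporting": {"mtd_hours": 72.0, "depends_on": ["reporting"]},
}


def sample_plan():
    """Run the sample BIA; customer_orders needs 8 h but tolerates only 6 h."""
    return plan_recovery(SAMPLE_FUNCTIONS, SAMPLE_SYSTEMS)


if __name__ == "__main__":
    order, violations = sample_plan()
    print("restore in this order:", " -> ".join(order))
    for fn, (hours, mtd) in violations.items():
        print(f"GAP: {fn} back after {hours:g} h but MTD is {mtd:g} h")
```

In the sample data the web shop is back only after network, identity and the database are restored (8 hours in total), which overshoots its 6-hour MTD; that is the kind of finding the testing-and-validation step exists to surface, and the fix is a plan change (faster database restore, or a standby database), not a change to the script. Serial recovery is a deliberate worst-case assumption; a team that restores systems in parallel would replace the running `elapsed` total with a critical-path calculation.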

8 Recommend how IT security can be aligned with an organizational policy, detailing
the security impact of any misalignment (D2)

8.1 Define an organizational policy and explain its purposes


- An organizational policy is a formal document that outlines the rules, guidelines, and principles
governing various aspects of an organization's operations, conduct, and decision-making processes.
These policies are typically developed by senior management and are intended to provide a framework
for consistent behavior, decision-making, and compliance within the organization.

1. Establishing Standards and Expectations: Organizational policies define the standards of behavior
and performance expected from employees, contractors, and other stakeholders. They outline
acceptable practices, procedures, and conduct in areas such as ethics, professionalism, and
interpersonal relations.

2. Ensuring Compliance: Organizational policies help ensure compliance with legal requirements,
industry regulations, and internal standards. They provide guidance on how the organization should
conduct its operations in a manner that is consistent with applicable laws and regulations, thereby
minimizing the risk of legal liabilities and penalties.

3. Managing Risks: Organizational policies address risks associated with various aspects of the
organization's operations, including financial, operational, and reputation risks. By establishing clear
guidelines and procedures, policies help identify, assess, and mitigate risks to the organization's
assets, resources, and stakeholders.

4. Promoting Consistency and Fairness: Organizational policies promote consistency and fairness in
decision-making processes and treatment of individuals within the organization. They ensure that
similar situations are handled uniformly and that all individuals are treated equitably and without
discrimination.

5. Protecting Assets and Resources: Organizational policies help protect the organization's assets,
resources, and intellectual property. They establish controls, safeguards, and protocols for the use,
management, and protection of these assets, thereby reducing the risk of theft, misuse, or
unauthorized access.

6. Fostering Accountability and Transparency: Organizational policies promote accountability and
transparency by clarifying roles, responsibilities, and expectations for individuals within the
organization. They provide a framework for evaluating performance, addressing violations, and
promoting a culture of accountability and integrity. [6]

Figure 8. Organizational policy and its purposes

8.2 What are the impacts of an organizational policy on IT security, and how do they arise if there
is any misalignment between the policy and IT security?

- Organizational policies have significant impacts on IT security, as they provide the framework for how
security measures are implemented, maintained, and enforced within an organization.

1. Data Protection and Privacy:

- Impact: Misalignment between organizational policies and IT security can result in inadequate
protection of sensitive data and privacy violations.

- Explanation: If organizational policies lack clear guidelines on data handling, classification, and
access controls, IT security measures may not adequately safeguard sensitive information. This can
lead to data breaches, unauthorized access, or inadvertent exposure of confidential data.

2. Compliance Failures:

- Impact: Misalignment with regulatory requirements can lead to compliance failures and legal
consequences.

- Explanation: If organizational policies do not align with relevant regulations (such as GDPR, HIPAA,
or PCI DSS), IT security practices may not meet legal requirements. This can result in regulatory fines,
legal actions, reputation damage, and loss of trust from customers, partners, and stakeholders.

3. Risk Management:

- Impact: Misalignment between policies and IT security practices can lead to ineffective risk
management and heightened exposure to security threats.

- Explanation: If organizational policies fail to address emerging security risks or do not mandate
adequate security controls, IT security measures may be insufficient to mitigate evolving threats.
This can leave the organization vulnerable to cyberattacks, data breaches, and other security
incidents.

4. Incident Response and Reporting:

- Impact: Misalignment can hinder incident response efforts and delay the detection and mitigation of
security incidents.

- Explanation: If organizational policies do not clearly define incident response procedures, roles, and
responsibilities, IT security teams may struggle to detect, respond to, and report security incidents
effectively. This can result in prolonged downtime, increased impact of security breaches, and
difficulties in recovering from incidents.

5. Resource Allocation:

- Impact: Misalignment can lead to inefficient resource allocation and ineffective utilization of IT
security resources.

- Explanation: If organizational policies do not prioritize IT security investments or allocate sufficient
resources to security initiatives, IT security teams may lack the necessary tools, technologies, and
manpower to address security challenges adequately. This can result in gaps in security defenses
and increased vulnerability to cyber threats.

8.3 Provide a practical example with explanation for each of these impacts
1. Data Protection and Privacy:

- Example: An organization's policy states that employees should have access to customer data only
on a need-to-know basis and should not download sensitive information onto personal devices.

- Explanation: If this policy is not aligned with IT security practices, employees may lack proper access
controls or encryption measures on company devices. This misalignment could lead to scenarios
where sensitive customer data is easily accessible, either due to lax access controls or inadequate
encryption, potentially resulting in data breaches or unauthorized access.

2. Compliance Failures:

- Example: A healthcare organization's policy outlines the need for patient data confidentiality and
compliance with HIPAA regulations.

- Explanation: If IT security practices within the organization do not align with these policies, such as
not implementing encryption for patient records or failing to conduct regular security assessments,
the organization could be in violation of HIPAA regulations. This misalignment could lead to
significant fines and penalties for non-compliance.

3. Risk Management:

- Example: An organization's policy does not require regular updates and patching of software
systems to address security vulnerabilities.

- Explanation: Without alignment between policies and IT security practices, critical security
vulnerabilities may go unaddressed, increasing the risk of exploitation by malicious actors. For
example, if the organization fails to patch known vulnerabilities in its systems, it becomes more
susceptible to cyberattacks such as ransomware or data breaches.

4. Incident Response and Reporting:

- Example: An organization's policy lacks clear guidelines on reporting security incidents and
responding to data breaches.

- Explanation: In the event of a security incident, such as a data breach or a malware infection, the
lack of clear incident response procedures outlined in the organizational policy can lead to delays in
detecting and containing the incident. This misalignment could result in prolonged downtime,
increased impact of the breach, and difficulties in fulfilling legal reporting requirements.

5. Resource Allocation:

- Example: An organization's policy does not prioritize IT security investments and allocates minimal
resources to cybersecurity initiatives.

- Explanation: Without alignment between policy and IT security practices, the organization may
underfund critical security initiatives such as employee training, security software licenses, or
cybersecurity staffing. This misalignment could leave the organization vulnerable to cyber threats
due to insufficient resources devoted to maintaining robust security defenses.
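The first three impacts above (need-to-know access and personal devices, encryption of patient records, and patching) are all cases where the policy says one thing and the IT estate does another, so the misalignment can be detected by writing the policy down as data and comparing it with an inventory of what is actually deployed. The script below is an added example of that comparison; it is not code from this assignment or from any of its referenced sources. The policy clauses, host inventory, access list and dates are constructed sample data, and the field names (`encrypted`, `personal_device`, `last_patched`, `need_to_know_roles` and so on) are assumptions of the example rather than any product's schema.

```python
"""Added example (not part of the assignment): a minimal policy-as-code check.
The organisational policy is written down as data, the IT estate is described by
an inventory snapshot, and the check reports every place where practice does not
implement what the policy requires.  Policy clauses, hosts, users and dates are
constructed sample data; the field names are assumptions of this example."""

from datetime import date

SENSITIVE = {"customer_data", "patient_records"}

# What the policy text requires (constructed).
POLICY = {
    "need_to_know_roles": {"customer_data": {"support", "billing"}},
    "encrypt_sensitive_at_rest": True,        # e.g. patient records under HIPAA
    "no_sensitive_on_personal_devices": True,
    "max_patch_age_days": 30,
}

# What IT actually runs: a constructed inventory snapshot.
HOSTS = [
    {"name": "crm-db-01", "data": {"customer_data"}, "encrypted": True,
     "personal_device": False, "last_patched": date(2024, 3, 1)},
    {"name": "ehr-app-02", "data": {"patient_records"}, "encrypted": False,
     "personal_device": False, "last_patched": date(2024, 1, 5)},
    {"name": "laptop-jdoe", "data": {"customer_data"}, "encrypted": True,
     "personal_device": True, "last_patched": date(2024, 3, 10)},
]
ACCESS = [  # (user, role, data set the user can read) - constructed
    ("alice", "support", "customer_data"),
    ("bob", "marketing", "customer_data"),
]
SNAPSHOT_DATE = date(2024, 3, 23)  # constructed date of the inventory snapshot


def find_misalignments(policy, hosts, access, today):
    """Return (area, subject, finding) tuples, one per policy clause that the
    IT estate fails to implement.  area matches the impact headings above."""
    findings = []
    for host in hosts:
        holds_sensitive = bool(host["data"] & SENSITIVE)
        if policy["encrypt_sensitive_at_rest"] and holds_sensitive and not host["encrypted"]:
            findings.append(("data_protection", host["name"],
                             "sensitive data stored without encryption at rest"))
        if policy["no_sensitive_on_personal_devices"] and holds_sensitive and host["personal_device"]:
            findings.append(("data_protection", host["name"],
                             "sensitive data present on a personal device"))
        age = (today - host["last_patched"]).days
        if age > policy["max_patch_age_days"]:
            findings.append(("risk_management", host["name"],
                             f"last patched {age} days ago, policy allows {policy['max_patch_age_days']}"))
    for user, role, dataset in access:
        allowed = policy["need_to_know_roles"].get(dataset)
        if allowed is not None and role not in allowed:
            findings.append(("data_protection", user,
                             f"role {role!r} can read {dataset} outside the need-to-know roles"))
    return findings


def run_sample():
    """Check the constructed snapshot; expect four misalignments."""
    return find_misalignments(POLICY, HOSTS, ACCESS, SNAPSHOT_DATE)


if __name__ == "__main__":
    for area, subject, finding in run_sample():
        print(f"[{area}] {subject}: {finding}")
```

On the sample snapshot the check reports four findings: the patient-record server is unencrypted and 78 days behind on patching, a personal laptop holds customer data, and a marketing user can read customer data outside the need-to-know roles. The compliant host (`crm-db-01`) and the compliant user (`alice`) produce nothing, which is the property that matters when a check like this runs on a schedule: every line of output is a concrete policy clause that IT practice is not implementing, so each one maps directly to one of the impacts listed above.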

9 Evaluate the suitability of the tools used in the organizational policy to meet
business needs (D3)

9.1 Define an organizational policy

- An organizational policy is a formal document or set of guidelines that articulates the principles, rules,
and procedures governing various aspects of an organization's operations, conduct, and decision-making
processes. These policies are developed by senior management or designated authorities within the
organization and serve as a framework for guiding behavior, ensuring compliance, managing risks, and
protecting the organization's interests. [7]

Figure 9. Organizational policy

1. Code of Conduct/Ethics: Defines expected standards of behavior, ethics, and professionalism for
employees and stakeholders.

2. Data Protection and Privacy: Outlines rules and procedures for handling, storing, and protecting
sensitive information and personal data.

3. Information Security: Establishes measures and controls to safeguard the organization's information
assets from unauthorized access, disclosure, alteration, or destruction.

4. Employee Relations: Addresses matters related to hiring, termination, promotions, performance
evaluations, and employee benefits.

5. Health and Safety: Ensures a safe and healthy work environment for employees, visitors, and
contractors by outlining safety protocols, emergency procedures, and compliance with health
regulations.

6. Financial Management: Sets guidelines for budgeting, accounting, procurement, and expenditure
control to ensure financial integrity and transparency.

7. Compliance and Regulatory Requirements: Ensures adherence to applicable laws, regulations,
industry standards, and contractual obligations relevant to the organization's operations.

8. IT Usage and Acceptable Use: Defines rules and guidelines for the appropriate use of information
technology resources, including computer systems, networks, and software applications.

9. Conflict Resolution: Provides procedures for resolving conflicts, disputes, grievances, and complaints
among employees or between employees and management.

10. Environmental Sustainability: Demonstrates the organization's commitment to environmental
responsibility by promoting sustainable practices and minimizing environmental impact.

9.2 What tools can you use in an organizational policy?


- Policy Templates: Pre-designed templates or formats specifically tailored for different types of
policies can serve as a foundation for creating new policies. These templates often include sections
for objectives, scope, definitions, responsibilities, procedures, and enforcement mechanisms.

- Policy Development Software: Specialized software applications or platforms are available to
streamline the process of creating, reviewing, and managing policies. These tools often offer
features such as version control, collaboration capabilities, and automated workflows to facilitate
the policy development life cycle.

- Policy Management Systems: Dedicated policy management systems provide centralized
repositories for storing, organizing, and disseminating policies throughout the organization. These
systems offer features for policy access control, distribution tracking, acknowledgment tracking, and
compliance monitoring.

- Policy Libraries and Databases: Access to centralized repositories or databases containing a
collection of existing policies, guidelines, and best practices can aid in policy development and
benchmarking. Organizations can leverage these resources to gather insights, reference examples, and
ensure alignment with industry standards and regulatory requirements.

- Policy Review Committees: Establishing dedicated committees or teams responsible for reviewing
and approving new policies can ensure thorough evaluation, stakeholder input, and alignment with
organizational objectives. These committees may include representatives from relevant
departments, legal counsel, compliance officers, and senior management.

- Training and Awareness Programs: Training sessions, workshops, and educational materials are
essential tools for communicating policy requirements, expectations, and implications to employees.
These programs help foster awareness, understanding, and compliance with organizational policies
across the workforce.

- Policy Communication Channels: Utilizing various communication channels such as intranet portals,
email newsletters, employee handbooks, and signage can effectively disseminate policy information
and updates to employees. Clear and consistent communication ensures that employees are aware
of policy changes and understand their responsibilities.

- Policy Audits and Assessments: Conducting regular audits and assessments of organizational policies
helps evaluate effectiveness, identify gaps or areas for improvement, and ensure ongoing
compliance with regulatory requirements. These audits may involve internal reviews, external
audits, or third-party assessments.

- Policy Enforcement Mechanisms: Establishing clear mechanisms for enforcing policies, such as
disciplinary actions, sanctions, or incentives, reinforces compliance and accountability. Consistent
enforcement demonstrates the organization's commitment to upholding its policies and maintaining
a culture of integrity and responsibility.

9.3 Evaluate the suitability of the tools in the organizational policy

1. Policy Templates:

- Effectiveness: Policy templates can be effective for standardizing policy formats and ensuring
consistency across different policies. However, they may not address the specific needs or
complexities of the organization adequately.

- Efficiency: Templates streamline the policy development process by providing a structured
framework, saving time and effort compared to creating policies from scratch.

- Scalability: Policy templates may lack scalability if they cannot be easily adapted to accommodate
the organization's evolving needs or if customization is challenging.

- Alignment: The suitability of policy templates depends on their alignment with the organization's
industry, size, culture, and regulatory requirements.

2. Policy Development Software:

- Effectiveness: Policy development software offers features such as version control, collaboration
tools, and automated workflows, enhancing the effectiveness of policy creation and management.

- Efficiency: These tools improve efficiency by streamlining the policy development lifecycle,
facilitating collaboration among stakeholders, and automating approval processes.

- Scalability: Policy development software can scale to accommodate the organization's growing
needs and complexities, such as managing a larger volume of policies or involving more stakeholders
in the process.

- Alignment: The suitability of policy development software depends on its alignment with the
organization's existing systems, workflows, and IT infrastructure.

3. Policy Management Systems:

- Effectiveness: Policy management systems centralize policy repositories, streamline access control,
and facilitate compliance monitoring, enhancing the effectiveness of policy management.

- Efficiency: These systems improve efficiency by automating policy distribution, tracking
acknowledgments, and generating compliance reports, reducing manual effort and administrative
overhead.

- Scalability: Policy management systems can scale to manage a diverse range of policies across
different departments, locations, and regulatory jurisdictions.

- Alignment: The suitability of policy management systems depends on their alignment with the
organization's governance structure, compliance requirements, and technological capabilities.

4. Policy Libraries and Databases:

- Effectiveness: Policy libraries and databases provide valuable resources for policy development,
benchmarking, and reference, enhancing the effectiveness of policy creation and alignment with
best practices.

- Efficiency: These repositories save time and effort by providing ready-made templates, examples,
and guidelines for policy development, accelerating the process.

- Scalability: Policy libraries and databases can scale to accommodate a growing collection of policies
and support the organization's evolving needs and priorities.

- Alignment: The suitability of policy libraries and databases depends on their alignment with the
organization's industry, regulatory environment, and specific areas of focus.

III. CONCLUSION
- With my expertise and experience in the field of IT security, I can provide the company "Wheelie good"
with effective security solutions tailored to their specific needs, helping them protect their
information and data from dangerous cyber threats. This will play an important role in protecting the
success and sustainable development of the company "Wheelie good" in today's competitive market.

IV. Evaluation
- All theories in the presentation are compiled from reputable sources together with my own research based
on those available theories, so the information this report brings is of an even higher standard.

- Advantages:

- The solutions provide companies with a lot of simple but practical cybersecurity information.

- Providing information about cybersecurity in a simple and practical way brings great benefits to
businesses. This helps them better understand security risks and be able to take protective measures
effectively.

- Weaknesses:

- It has a lot of information, and some new information is difficult for newcomers to grasp easily.

- The large amount of information can make it difficult for beginners or those without experience in
cybersecurity. This may reduce the performance of the report.

- Opportunities:

- These methods open up new job opportunities for the company, providing opportunities for choice.

- By providing cybersecurity solutions, your company opens up new opportunities for businesses
looking for security solutions. This can lead to the expansion and development of the company's
market.

- Threat:

- The company needs to learn continuously and invest a lot of time focusing on learning a lot of
content, as well as addressing and selecting its cognitive resources and improving its resource
recall.

- While the company has the opportunity to open up new opportunities, it also faces some challenges.
Continuous learning and investing time in improving knowledge and skills are necessary. At the same
time, selecting and improving information recall is also a challenge for the company.

V. REFERENCES
[1] What is Security Risk Assessment and How Does It Work? (no date) Synopsys. Available at:
https://www.synopsys.com/glossary/what-is-security-risk-assessment.html (Accessed: 23 March 2024).

[2] What is Data Protection? (no date) SNIA. Available at: https://www.snia.org/education/what-is-data-
protection (Accessed: 23 March 2024).

[3] Lutkevich, B. (2021) What is a Security Policy? - Definition from SearchSecurity, Security. TechTarget.
Available at: https://www.techtarget.com/searchsecurity/definition/security-policy (Accessed: 23 March
2024).

[4] Fernando, J. (no date) What Are Stakeholders: Definition, Types, and Examples, Investopedia.
Investopedia. Available at: https://www.investopedia.com/terms/s/stakeholder.asp (Accessed: 23 March
2024).

[5] IT Security Audit: Importance, Types, and Methodology (2024) Astra Security Blog. Available at:
https://www.getastra.com/blog/security-audit/it-security-audit/#:~:text=An%20IT%20security%20audit
%20is,security%20posture%20and%20IT%20infrastructure. (Accessed: 23 March 2024).

[6] Organizational Policies (no date) greythr. Available at:
https://www.greythr.com/hr-garden/organizational-policies/ (Accessed: 23 March 2024).

[7] Organizational Policy (no date) Organizational Policy - an overview | ScienceDirect Topics. Available
at: https://www.sciencedirect.com/topics/computer-science/organizational-policy (Accessed: 23 March
2024).
