Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

IT Security: Risk Assessment, Data Protection, and Disaster Recovery

Verified

Added on 2024/06/03

AI Summary

This report explores the critical aspects of IT security, encompassing risk assessment procedures, data protection processes and regulations, and disaster recovery planning. It delves into the ISO 31000 risk management methodology and its application in IT security, examining the potential impacts of security audits on organizational security. The report also discusses the alignment of IT security with organizational policy, highlighting the consequences of misalignment. Furthermore, it outlines the design and implementation of a security policy, detailing the main components of an organizational disaster recovery plan and the roles of stakeholders in implementing security audit recommendations. Finally, the report evaluates the suitability of various tools used in organizational security policy implementation.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

IT SECURITY

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

TABLE OF CONTENTS
Introduction..................................................................................................................................................1
LO 3.............................................................................................................................................................2
P5 Discuss risk assessment procedures....................................................................................................2
P6 Explain data protection processes and regulations as applicable to an organization.........................3
M3 Summaries the ISO 31000 risk management methodology and its application in IT security.........4
M4 Discuss possible impacts to organizational security resulting from an IT security audit.................5
D2 Consider how IT security can be aligned with organizational policy, detailing the security impact
of any misalignment................................................................................................................................6
LO 4.............................................................................................................................................................8
P7 Design and implement a security policy for an organization.............................................................8
P8. List the main components of an organizational disaster recovery plan, justifying the reasons for
inclusion...................................................................................................................................................9
M5. Discuss the roles of stakeholder in the organization to implement security audit recommendations
...............................................................................................................................................................10
D3 Evaluate the suitability of the tools used in an organizational policy..............................................11
Conclusion.................................................................................................................................................12
References..................................................................................................................................................13

LIST OF FIGURES
Figure 1: Risk assessment process...............................................................................................................3
Figure 2: Principles, framework and process in ISO 31000........................................................................5
Figure 3: Wireshark for data analysis in network......................................................................................11
Figure 4: Nessus vulnerabilities scanner....................................................................................................12

Introduction
Information technology is widely spread and used in every field; particularly it is of great significance in
business operations. IT system helps to accomplish the various organizational tasks and objectives by
gathering the information and generation of decision making process. Security enables the growth and
competence of the organization in the market. Therefore, the report will discuss risk assessment
procedures with discussion of the ISO 31000 standards. Various impacts of the security audit process on
the security of the organization will be discussed along with data protection process and regulations.
Report will discuss the applicability of the standards and regulations in the business for the security
purpose. Report will design and implement the security policies, list the main components of the
organizational disaster recovery plan and discuss the role of stakeholders in the implementation of the
security audits. Also various tools for security policies will be focussed.
1

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

LO 3
P5 Discuss risk assessment procedures
The risk assessment procedure of the organization has involvement of the two processes. First, risk
identification in which the risk is identified from the analysis of the systems and network resources
whereas in second, risk evaluation, the impact and potential solutions of the identified through the
organizational controls and standards. Risk assessment procedure is foundation for the risk management
risks so that the organization can handle the risk effectively with the proper understanding and
knowledge with the risk, impacts and sources. Risk assessment procedure in the organization has five
major steps:
 The organization can use the already gained knowledge and experience to understand the risks
with the information technology system. The process is further supported with the engagement
and communication of the employees. The step has role to define and identify the risk in the
organization.
 Later the organization can focus on the controls those are working on the business. It contains
system and environmental controls in which risk in impacting the security. Controls are the
major considerable factors of the IT systems those can bring strength or weaknesses (Clir.org,
2018). Therefore, it is essential to define the controls and then determine the weaker controls to
handle the risks.
 Risk assessment can be done through the consideration of the various techniques. For example,
risk matrices and impact analysis can be used to assess the risk. The objective of the risk
assessment is to uncover the security risks along with their source.
 Risk analysis process has consideration of the sources associated with the risk and then
evaluates the solutions for the security. The stage has role to justify the solution for the security
purpose in the information technology system (Bahr, 2014).
 Later the organization has to make the plan for the risk testing and document the results to
provide the understanding and knowledge in the future for such events and actions.
2

Figure 1: Risk assessment process
(Source: clir.org, 2018)
P6 Explain data protection processes and regulations as applicable to an organization
Data protection means to protect the information with high accuracy and consistency and ensure that it is
safe from the unwanted use or sharing. The organizations can follow the various processes to achieve
the data protection. Also the regulations can be enforced in the business process to achieve the data
security as it constraints the users for the operations and sharing on the data.
Data protection act: The act has guideline how the personal information can be used in the
organizations, governments and business. According to the act, the owner of the information has to
acquire the knowledge where the information has been used or shared in the organizations. It enforces
the organization to manage the individual’s privacy and confidentiality. It ensures that information is
used fairly and lawfully for the specific purpose (Sauerwein and Linnemann, 2016). Also information
should be handled effectively according to the rights and permissions of the owner.
Computer misuse act: The act has enforced the use of the computer resources in the lawful manner so
that users of the organizations are not allowed to use the system for the personal purpose. For example,
the users are not allowed to do the personal work at workplace and they cannot use the systems to store
3

their personal data (Fafinski, 2013). Also they cannot use the system in the criminal or unwanted
activities according to the policies and rules of the organization.
ISO 3001 standard: According to the standard, the risk management process can be simplified and
accomplished easily. The organization can use the principles, guidelines and framework to identify and
assess the risk effectively. The standard has focus on the utilization of the assets and resources in the
systematic manner to handle the risks and reduce the impacts (Lalonde and Boiral, 2012).
M3 Summaries the ISO 31000 risk management methodology and its application in IT security.
The standard has supported the organizations to design, implement and manage the risk management
activities in the effective manner. The organizations can use the methodology with the proper
integration of the stakeholders and business operations. The standard has following major principles
related to the risk management:
 The process of risk management creates values for the organizations and it is the integral part of
the operations.
 It is effective to address the uncertainly in the business and help in the decision making process.
 It is based on the available information but well structured and systematic to meet the security
goals.
 It is tailored and considers the human and cultural factors with high transparency and inclusion.
 It is highly flexible and responsive to adopt the changes and supports improvements over time.
The standard has simple concept to handle the risks as shown in the framework of the standard
(Ernawati and Nugroho, 2012). The standard focus on the identification of the risks, implements the risk
management plan, monitor the plan and then improve it over the time.
4

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Figure 2: Principles, framework and process in ISO 31000
(Source: iso.org, 2018)
Application in IT security
The standard has application in IT security as it has systematic and well defined set of the activities to
identify or control the risks in the business. To ensure the security in the IT systems, the standard has
proper focus on the risks and its impacts along with documentation of the process so that such risks in
the business can be managed more effectively (Lalonde and Boiral, 2012). It helps the organizations to
reduce or mitigate the impacts of the risks and circulate the risks related information at the enterprise
level to reduce the results from the risks.
M4 Discuss possible impacts to organizational security resulting from an IT security audit
IT Security audit in the organization can be defined as the process to inspect and manage the security
associated with the systems, network hardware and software and configurations. With security audits,
the organization can achieve the following impacts on the security:
5

User account security: The organization can monitor the security on the use accounts with the help of
security audit. It can uncover the user accounts those have weaker authentication method or pass phrase
or lacking two-factor authentication. It can help to determine the user responsibilities and roles in the
network and configure the user actions and permissions in the system.
Configure security policies: System security is implemented through the proper configuration of the
system, user accounts, and network hardware and software. It improves security policies and
implements the protocols required for security.
Strengthen server configuration: It can monitor the server for the configuration and provide the high
performance and security (Synergyintegrations.com.au, 2018). It can be protected from the risks and
threats on the data storages. The provisioning of servers can deliver reliable configuration toward
desired security status.
Security automation: It can review the physical security of the system and can provide the automation
in the security. Commercial alarm systems and smart locks can be configured for their automated
operations in the system.
Hardware maintenance: Performance of the IT system has root in the configuration and installation of
the hardware. Security audit can boost the security with proper installation and recommendation of the
hardware components in the network and system to achieve the goal (Steinbart et al, 2012).
In this manner, security audit in the organization can help to achieve security to the next level where the
organization can provision the physical and logical security and protect the data and assets from the
misuse, theft or damage.
D2 Consider how IT security can be aligned with organizational policy, detailing the security impact of
any misalignment
IT security can be achieved with the help of the organizational policies because the organizational
policies define the rules and regulations on the behaviour of the employees and promoted them to use
the resources effectively. Policies also make them aware about the losses and damages associated with
the misuse of the system and features against the organizational rules. It defines the roles and
responsibilities of the users so that security can be implemented easily. IT security can be made simple
with the help of the policies on the user accounts, user permissions, system placement and management
6

of the network services (Siponen et al, 2014). Therefore, the security policies also have to consider the
integration of the legal framework to make them standard in the business operations.
However, misalignment of the policies for the IT security can lead the conflicts among the users for the
roles and security responsibility. Also the conflicts might be occurred among the law and regulations
and organizational policies for the differences in the implementation. Misalignment can damage the
security parameters in the organization and allow the users to extend the risk with authenticity on the
system and resources.
7

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

LO 4
P7 Design and implement a security policy for an organization
Security policy in the organization is a critical document which records the rules and processes those
must be integrated in the business operations so that security can be adhered. It must have to contain the
purpose and the sections for that the business wants to constraint the risks through security guidelines.
Design and implementation
Significance: The significance of the security policy in the organization is to empower the use of the
resources and services for the business purpose only and reduce the crime and failure risks through the
personal utilization of the network capabilities.
Use of systems
 Users are allowed only to use the systems for the business purpose. They cannot accomplish
personal goals and objectives through the organizational assets.
 Users are suggested to safe their data and user account through the eight character long and
complex passphrase.
 Users are recommended to use the systems only in the defined permissions and timeframe so that
they can be authenticate on the system (Chen et al, 2012).
 External connections and adding of the peripherals on the system is prohibited and user might be
marked for the misconducts.
 Systems damaged or destructed during the user actions are the liabilities of the users and they
must have to report the issues to the management.
Use of mail services
 Do not share the mail authentication details with others. It is the sole liability of the user to
ensure the security on the own mail account.
 User cannot use the mail services to blackmail the others or to support the personal
communication over the internet.
8

 Unwanted and intentional requests to the server to influence the performance are the subject of
misconduct in the operations.
 It is highly recommended to avoid the financial transactions over the mail requests from the
anonymous. It is the liability of the user to report such actions to management (Neisse et al,
2014).
 Prohibited or abusing words or sentences should not be used in the mail content. Such senders
might be blocked for the mail services on the basis of the complaints.
P8. List the main components of an organizational disaster recovery plan, justifying the reasons for
inclusion
During disaster organisation conquer with several problems related to their sensitive data and potential
resources which might get lost. At that time, the organisation cannot bear such data loss which can
affect the growth rate of the organisation which necessitates the need of recovering the lost data. By the
help of several recoveries plan organisation can recover the potential resources and information to
sustain the continuity of the business. Following are the components of recovery plan adopted by the
organisation:
Backup: Backup is the term which refers to the second copy of the data and information creation that
can be reloaded at the time of situation where organisation faces the disastrous loss of vital information.
This is done when the access to the primary data get lost. As this taking up of backup created by the
organisation is of great importance to recover the sensitive data in case of disastrous condition
(Snedaker, 2013). Accessing the incremental backup taking process only by considering the space to
save when the previous back up is not covered in the information.
Monitoring: After recovering the backup of the lost data and resources, monitoring and regulating of the
IT systems is required for the security purpose. This monitoring process is essentially required to
prevent the loss of the organisation by determining the possible sources and their possible solution at the
time of disastrous situation. Further this also helps to take decisions on time to minimize the loss at time
of disaster condition.
Redundancy: To manage or handling the data and connectivity between two devices organisation can
the redundant the organisational devices. For ensuring the continuity redundancy delivers the alternative
sources for the communication (Järveläinen, 2013). At the time of disastrous situation when
9

organisation is conquering with the loss of data redundancy ensures the availability requirement in the
IT system.
M5. Discuss the roles of stakeholder in the organization to implement security audit recommendations
Stakeholders in the organisation are basically a depositor whose activities and efforts determine the
output of company. Their role in the organisation is to recommend the security. Stakeholders of the
company need not to be the equity shareholder. Employees can also be the stakeholder who has venture
in firm’s triumph and incentive for their work to succeed. The vital goal of the security audit is to
accomplish recommendations to meet the security and several other demands which have come from the
actual users. To effectively and lucratively implement the security recommendations several
stakeholders are there in the organisation. Investors and technical team are also two significant
stakeholders (Rozanski and Woods, 2012). Technical team has role to ensure that the security audit is
going with desired operations to determine the security and can fulfil the business requirements. Also,
investors has role to identify the need of the security audit in comparison of the market trends to achieve
stable profitability and surveillance.
For interfacing the user, transmission of data mechanism and security based methods are recommended
by the users. And all this things to be performed several things and support are required which include
cost, potential resources, knowledge and time. These supports are being provided by the management of
the organisation. Director of the firm has the power to counsel the strength of security and outcomes in
the structure as to accomplish permanence in the operations and objectives along with high margin
profit through security audit (Eason, 2014). Team management can also play central role in the
organisation by giving proper guidelines to the employees and users for achieving as well as heading
towards the unwavering and unswerving system and security. They are held responsible for making
strategies and organising the successful security audit.
On the other hand another stakeholder of the organisation has vital role to play that is network designer
and installation panel. Their main role is to make simplified changes in future and updates for the
preparation of the documents in the network. For rectifying the future related problems and solution for
overcoming in IT systems information can be used by the organisation.
In organisation another stakeholder directors and leaders have the role of determining the prevalent
opportunities and wider scope for the organisation. For accomplishing the role and responsibility of
10

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

directors and leaders specific technology helps to sustain and enables the growth of the organisation in
the market.
D3 Evaluate the suitability of the tools used in an organizational policy
There are various types of the tools those be used in the organization to implement the security policies.
The organization has goal to identify the weaker sections of the security and enforces the users to be
constraints within rules. The organization can use the following major tools for the security policy
implementation:
Wireshark: The organization can use the tool to analyze the data packets and prepare the reports to
make decision on the health of the network system. It helps to enforce the security policies as it can
prevent the users trying to exploit the network security and achieve data breaches. Wireshark has
complete set of tools and Plugins those can be used to monitor the user actions, permissions and network
performance. Easy to use graphical user interface and detailed monitoring of the data packets along with
real time monitoring and reporting to the administrator are some of the features those empower the
Wireshark (Chappell, 2017). However, it is best suitable for the Ethernet connections and need expertise
to use the reports from it.
Figure 3: Wireshark for data analysis in network
(Source: Wireshark.org, 2018)
11

Nessus: This tool is mainly designed to support the network security through the inspection of the users
on the hardware, software and network data packets. The tool is useful in the organization as it provides
graphical user interface with front-view commands for common operations. It can work in background
and scan the vulnerabilities on the system and network. It can analyze the risks, report the risks and
impacts and control with defined rules (Kumar, 2014). However still, it needs user attention for the
actions on the risks those occurred as the new events.
Figure 4: Nessus vulnerabilities scanner
(Source: tenable.com, 2018)
12

Conclusion
Above report reveals the fact that IT systems might be vulnerable to the various security threats when
they come across internet system or environment full of multiuser. It can be concluded that for securing
or protecting the IT systems against the security risks several procedures or methods related to security
can be used and assessed. Further it has also highlighted the prospective impacts due to wrong
configurations applied to IT system. Moreover, it has revealed that by security policies and regulations
for the data protection can be used to protect the information. Also the proper integration of the risk
management process in the business can reduce or mitigate the risks.
13

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

References
Books and Journals
 Bahr, N.J., 2014. System safety engineering and risk assessment: a practical approach. CRC
Press.
 Chappell, L., 2017. Wireshark 101: Essential Skills for Network Analysis-Wireshark Solution
Series. Laura Chappell University.
 Chen, Y., Ramamurthy, K. and Wen, K.W., 2012. Organizations' information security policy
compliance: Stick or carrot approach?. Journal of Management Information Systems, 29(3),
pp.157-188.
 Eason, K.D., 2014. Information technology and organisational change. CRC Press.
 Ernawati, T. and Nugroho, D.R., 2012, September. IT risk management framework based on ISO
31000: 2009. In System Engineering and Technology (ICSET), 2012 International Conference
on (pp. 1-8). IEEE.
 Fafinski, S., 2013. Computer Misuse: Response, regulation and the law. Routledge.
 Järveläinen, J., 2013. IT incidents and business impacts: Validating a framework for continuity
management in information systems. International journal of information management, 33(3),
pp.583-590.
 Kumar, H., 2014. Learning Nessus for Penetration Testing. Packt Publishing Ltd.
 Lalonde, C. and Boiral, O., 2012. Managing risks through ISO 31000: A critical analysis. Risk
management, 14(4), pp.272-300.
 Neisse, R., Steri, G. and Baldini, G., 2014, October. Enforcement of security policy rules for the
internet of things. In Wireless and Mobile Computing, Networking and Communications
(WiMob), 2014 IEEE 10th International Conference on (pp. 165-172). IEEE.
 Rozanski, N. and Woods, E., 2012. Software systems architecture: working with stakeholders
using viewpoints and perspectives. Addison-Wesley.
 Sauerwein, L.B. and Linnemann, J.J., 2016. Personal Data Protection Act.
 Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
14

 Snedaker, S., 2013. Business continuity and disaster recovery planning for IT professionals.
Newnes.
 Steinbart, P.J., Raschke, R.L., Gal, G. and Dilla, W.N., 2012. The relationship between internal
audit and information security: An exploratory investigation. International Journal of
Accounting Information Systems, 13(3), pp.228-243.
Online
 Clir.org, 2018, Risk assessment procedures [Online] [Accessed Through]
<https://www.clir.org/pubs/reports/pub90/risk/> [Accessed On: 26th May, 2018]
 Iso.org, 2018, ISO 31000 standard [Online] [Accessed Through]
<https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en> [Accessed On: 26th May, 2018]
 Synergyintegrations.com.au, 2018, Benefits of security audits [Online] [Accessed Through]
<http://www.synergyintegrations.com.au/security-audit-benefits-businesses/> [Accessed On: 26th
May, 2018]
 Tenable.com, 2018, Nessus network scanner [Online] [Accessed Through]
<https://www.tenable.com/blog/nessus-html5-ui-21-provides-enhanced-usability> [Accessed
On: 26th May, 2018]
 Wireshark.org, 2018, Wireshark tutorials [Online] [Accessed Through]
<https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html>
[Accessed On: 26th May, 2018]
15

1 out of 18

+13062052269

info@desklib.com

IT Security: Risk Assessment, Data Protection, and Disaster Recovery

Contribute Materials

Secure Best Marks with AI Grader

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

IT Security: A Comprehensive Guide to Protecting Your Organization

IT Security Audit: A Comprehensive Guide to Protecting Your Organization

Network Security: A Comprehensive Guide to Protecting Your Organization

IT Security Management: A Comprehensive Guide for Organizations

Security Assignment

P5 - Discuss risk assessment procedures