Risk Assessment, Data Protection, Security Policy & Disaster Recovery
Report, added on 2021/09/08
Summary
This report provides a comprehensive overview of critical aspects of organizational security and business continuity. It begins with a detailed examination of risk assessment procedures, including defining risk, identifying assets and threats, and outlining the steps involved in a thorough risk assessment. The report then delves into data protection processes and regulations, emphasizing their importance and how they apply to an organization. Next, it explores the design and implementation of a security policy, covering its definition, various examples, and the key elements and steps required for its creation. Finally, the report examines the main components of an organizational disaster recovery plan, justifying their inclusion and outlining the disaster recovery process steps and essential policies and procedures for business continuity. The report utilizes figures and tables to illustrate key concepts and provides a structured approach to understanding and managing organizational risks and ensuring business resilience.

Contents
I. Risk Assessment Procedures (P5)
1. Definition of risk and risk assessment
2. Asset and threat identification procedures
2.1. Asset and threat
2.2. Threat identification procedures
3. Risk assessment procedure
4. Risk identification steps
II. Data protection processes and regulations as applicable to an organization (P6)
1. Definition of data protection
2. Data protection processes with relations to organization
3. The importance of data protection regulation
III. Design and implement a security policy for an organization (P7)
1. Definition and discussion of security policy
2. Examples of security policies
3. The elements of creating security policy
4. Steps to design a policy
IV. Main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8)
1. Business continuity
2. Components of recovery plan
3. Disaster recovery process steps
4. Some of the policies and procedures required for business continuity

Figure 1: What is risk?
Figure 2: IT risk assessment
Figure 3: Asset and threat identification
Figure 4: Data protection
Figure 5: Data protection process
Figure 6: IT security policy
Figure 7: Business Continuity Plan
Figure 8: Components of disaster recovery plan
Figure 9: BCP Lifecycle

I. Risk Assessment Procedures (P5):
1. Definition of risk and risk assessment:
a) Security risk
Security risk encompasses the consequences that could arise from the threats and weaknesses associated with the
operation and use of information systems, and from the environments in which such systems function, for an entity
and its stakeholders. In terms of the types of effect that may arise from a security-related event, security risk
overlaps with many other types of risk. Factors attributed to other risk categories, including strategic, budgetary,
program management, investment, political, legal, supply chain, and enforcement risk, also affect it. Financial
losses, loss of privacy, reputational damage, legal consequences, and even loss of life are examples of the harm
such risk can cause.
b) Risk assessment
A Security Risk Assessment (SRA) is an assessment that identifies the risks in your company, your technology, and
your processes in order to verify that security threats are covered by the controls in place. Compliance standards,
such as the PCI-DSS requirements for payment card authentication, usually include security risk assessments. They
are mandated by the AICPA as part of a SOC 2 audit for service organizations, and are also, to name a few, criteria
for ISO 27001, HITRUST CSF and HIPAA compliance. Because of this, security risk assessments go by several names:
a risk assessment, an IT infrastructure risk assessment, a security risk audit, or a security audit.
Security risk assessments are carried out by a security assessor who can analyze all aspects of the business
processes in order to locate areas of risk. These may be as basic as a device protected by a weak password, or more
complicated problems such as insecure business processes. The assessor will typically review everything from HR
policies to firewall configurations while working to identify potential risks.
Figure 1: What is risk?

c) How does risk assessment work?
The depth of the risk assessment model is influenced by factors such as the organization's scale, growth rate,
capital, and asset portfolio. When facing budget or time constraints, organizations may carry out generalized
evaluations. Generalized evaluations, however, do not usually include comprehensive mapping of assets, related
hazards, identified risks, effects, and mitigating controls.
A more in-depth evaluation is required if the results of a generalized evaluation do not provide adequate
correlation between these areas.
Figure 2: IT risk assessment
d) Steps to risk assessment:
There are 5 steps to risk assessment that you have to know. The details of each step are given under heading 3,
Risk assessment procedure, before the risk identification steps.
1st step: Identify hazards (anything that may cause harm)

2nd step: Decide who might be harmed and how
3rd step: Assess the risks and take action
4th step: Make a record of the findings
5th step: Review the risk assessment
2. Asset and threat identification procedures:
Figure 3: Asset and threat identification
2.1. Asset and threat:
a) Definition of asset:
An asset is any data, system, or other component of the environment that supports information-related activities
in information protection, computer security, and network security. Hardware (e.g. servers and switches),
software (e.g. mission critical applications and support systems) and sensitive information are usually included in
an organization's assets. Assets should be protected against unauthorized access, use, disclosure, modification,
damage and/or theft, any of which would result in loss to the organization.
b) Definition of threat:
A security threat is a possible negative action or event, facilitated by a weakness in computer security, that
results in an unintended effect on a computer system or application.
A threat can be either an "intentional" negative event (e.g. hacking by an individual cracker or a criminal
organization), an "accidental" negative event (e.g. the possibility of a computer failure, or of a natural disaster
such as an earthquake, a fire, or a tornado), or some other condition, capability, behavior, or event.
This is distinct from a threat actor, who is a person or group that can perform the action of the threat, such as
exploiting a vulnerability to cause a negative effect.
2.2. Threat identification procedures:
The method of identifying threats is a way of collecting data on possible threats that can assist management in
identifying information security risks. Threat modeling is a systematic methodology that helps an organization
aggregate and measure possible threats. Institutions should consider using threat modeling to better understand
the existence, frequency, and complexity of threats; to determine the institution's information security
vulnerabilities; and to apply this awareness to the institution's information security program.
The identification of threats covers the sources of threats, their capabilities, and their objectives. It leads to
the following actions:
Identify and assess threats.
Use threat knowledge to drive risk assessment and response.
Design policies so that immediate and consequential threats can be dealt with expeditiously.
3. Risk assessment procedure:
Risk assessment procedures are audit procedures carried out to gain an understanding of the organization and its
environment, including the entity's internal control, in order to recognize and determine the risks of material
misstatement, whether due to fraud or error, at the level of the financial statements and at the level of the
related assertions.
The risk assessment is divided into 5 steps:
1st step: Identify the hazards

The first step in developing your risk assessment plan is to decide what risks are facing your employees and your
company, including:
Natural disasters
Biological hazards
Workplace accidents
Intentional acts
Technological hazards
Chemical hazards
Mental hazards
Supply chain interruption
Take a look around your workplace to see what processes or operations could potentially affect your business.
Include all facets of employment, including remote staff and tasks such as repair and maintenance that are not
routine. To assess what risks have affected your business in the past, you can also look at accident/incident
records.
2nd step: Determine who might be harmed and how
Think about how your workers could be affected by company practices or external influences when you look at
your organization. For each hazard you found in phase one, think about who would be affected if the danger
materialized.
3rd step: Evaluate the risks and take precautions
Now that a list of possible hazards has been compiled, you need to know how likely it is that the danger will occur
and how serious the consequences will be if that hazard happens. This assessment will help you decide where the
risk level should be minimized and which hazards you should first prioritize.
4th step: Record your findings
You are required by law to write down the risk management process if you have more than five employees in your
office. The dangers you have discovered, the persons they impact, and how you plan to minimize them should be
included in your plan. The document or the risk management plan should explain that you:
Conducted a proper check of your workspace
Determined who would be affected
Controlled and dealt with obvious hazards
Initiated precautions to keep risks low
Kept your staff involved in the process
5th step: Review assessment and update if necessary
Your workplace is always changing, so your organization's threats are also changing. New equipment, procedures,
and individuals each bring the risk of a new danger as they are introduced. To keep on top of these new risks,
constantly evaluate and update the risk management process.
4. Risk identification steps:
There are five core steps within the risk identification and management process. These steps include risk
identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.
1st step: Risk identification
The goal of risk identification is to expose what, where, why and how anything could affect the ability of an
organization to operate. A business in central California, for example, may list the possibility of a wildfire as
an occurrence that could interfere with business operations.
2nd step: Risk analysis
This step includes determining the likelihood of a risk event occurring and the likely outcome of each event. Using
the example of the California wildfire, safety managers may determine how much rainfall has occurred in the last
12 months and the degree of harm that the organization could face if a fire occurs.
3rd step: Risk evaluation
Risk evaluation compares and rates the severity of each risk according to its likelihood and consequences. For
example, the effects of a possible wildfire can be weighed against the effects of a possible mudslide. Whichever
event is calculated to have the higher likelihood of occurring and causing harm will rank higher.
4th step: Risk treatment
Risk treatment is often referred to as risk response planning. Risk reduction techniques, preventive measures,
and contingency measures are built in this process based on the measured importance of each risk. Using the
wildfire example, risk managers can opt to house additional network servers offsite, so business
operations may still continue if an onsite server is destroyed. Evacuation plans for staff can also be created by the
risk manager.
5th step: Risk monitoring
Risk management is a continuous process which adapts and changes over time. Repeating and constantly tracking
the processes helps ensure optimum coverage of known and unknown threats.
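A worked risk register covering the five steps above, added here as an illustration and not part of the report: risks are scored as likelihood times impact on assumed 1 to 5 scales, ranked (step 3), re-scored after treatments (step 4) and re-rated when conditions change (step 5). The wildfire and mudslide ratings, the rating thresholds and the treatment effects are assumed values.

```python
from dataclasses import dataclass, field
from typing import List

# Ordinal 1..5 scales (assumed for this example; any consistent scale works).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Treatment:
    """Step 4: a control that lowers likelihood and/or impact by a number of bands."""
    description: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str                 # step 1: what could affect the organization
    likelihood: str           # step 2: how likely the event is
    impact: str               # step 2: how serious the consequence is
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Score before any treatment is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after treatments; a band can drop no lower than 1."""
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for t in self.treatments:
            lik = max(1, lik - t.likelihood_reduction)
            imp = max(1, imp - t.impact_reduction)
        return lik * imp


def rate(score: int) -> str:
    """Step 3: band a score so risks can be prioritised (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(risks: List[Risk]) -> List[Risk]:
    """Step 3: rank risks by inherent score, most severe first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def monitor(risk: Risk, new_likelihood: str) -> str:
    """Step 5: re-rate a risk when conditions change (e.g. a dry year)."""
    risk.likelihood = new_likelihood
    return rate(risk.residual_score())


def build_register() -> List[Risk]:
    """Constructed register using the report's wildfire/mudslide example."""
    wildfire = Risk("Wildfire reaches the site", "possible", "severe")
    mudslide = Risk("Mudslide blocks the access road", "unlikely", "major")
    # Treatments named in the report: offsite servers and an evacuation plan.
    wildfire.treatments.append(Treatment("Replica servers hosted offsite", impact_reduction=2))
    wildfire.treatments.append(Treatment("Staff evacuation plan", impact_reduction=1))
    return [wildfire, mudslide]


if __name__ == "__main__":
    for r in evaluate(build_register()):
        print(f"{r.name}: inherent {r.inherent_score()} ({rate(r.inherent_score())}), "
              f"residual {r.residual_score()} ({rate(r.residual_score())})")
```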
II. Data protection processes and regulations as applicable to an organization (P6):
1. Definition of data protection:
a) Definition:
Data protection is the process of safeguarding important information from corruption, compromise or failure. As
the volume of data generated and processed continues to expand at exponential rates, the value of data
protection increases.

Figure 4: Data protection
b) How does it work?
The Data Protection Act was designed to provide protection and set down guidelines for how data about individuals
may be used. The Act of 1998 protects information or data about living persons held on a computer or in a
structured paper filing system. Fundamentally, it functions through an Information Commissioner who oversees
compliance with the law.
2. Data protection processes with relations to organization:
The Data Protection Laws grant individuals (known as 'data subjects') certain rights over their personal data
while imposing certain responsibilities on the organizations that process that data. As a recruiting enterprise,
the organization gathers and processes both personal data and confidential personal data.
The data protection process relates to the availability and management of data:
Data availability ensures that users have the information they need to conduct business, even if the
information is compromised or lost.
Data management has come to include seeking ways to unlock business value from otherwise dormant copies of
data, for reporting, testing, enabling growth, analytics and other purposes.
The data protection process establishes and retains a full copy of the protected data and periodically constructs
recovery points that capture modifications to that copy. The copy distributes the protected data as an entire
backup. The recovery points allow you to recover earlier versions of the protected data.

Figure 5: Data protection process
3. The importance of data protection regulation:
Data is becoming increasingly valuable. The tools and opportunities for collecting various kinds of personal data are also evolving extremely rapidly. Unauthorized, reckless or ignorant processing of personal data can cause great harm to individuals and businesses.
As the volume of data being generated and processed continues to grow at exponential rates, the value of data security increases. There is also little tolerance for downtime that makes critical data hard to reach. Three reasons why data protection regulation matters are given below:
First, the object of personal data protection is not only to protect the data of individuals, but also to protect the fundamental rights and freedoms of individuals that relate to such data. By protecting personal data, it is possible to ensure that the rights and freedoms of individuals are not violated. Incorrect processing of personal data, for example, may lead to a situation where a person is passed over for a job opportunity or, worse, loses their current job.
Secondly, failure to comply with personal data security regulations can lead to even harsher outcomes, in which it becomes possible to empty an individual's bank account or even create a life-threatening situation by manipulating health information.
Thirdly, data protection regulations are essential to guarantee fair and consumer-friendly trade and service provision. Personal data security laws establish a situation where personal data can not
be sold freely, for instance, which means individuals have more control over who markets to them and what kind of offers they receive.
4. The methods of data protection procedures:
Six methods for protecting data better are described below:
Risk assessments:
The riskier the data, the more protection it needs. Critical data should be tightly guarded, while low-risk data can be given lighter protection. The main justification for these assessments is cost: better data protection means higher expenditure, so it pays to decide which information needs to be guarded most tightly and to make the whole data processing system more efficient.
The risk assessment should be based on two axes: the likelihood of a breach and the potential severity if one occurs. The higher the data scores on both axes, the more protection it needs. Such assessments should involve the Data Protection Officer (privacy officer), who can help establish sound ground rules. Unless you are completely confident that you know what you are doing, do not attempt it on your own: misclassified data can prove devastating if lost.
Backups:
Backups are a way to avoid data loss, which can occur through user error or technical failure. Backups should be made and refreshed on a regular schedule. Daily backups add cost, but a disruption to normal business operations costs far more. Time is money!
Backups should follow the principle explained above: low-importance information does not need to be backed up as often, but sensitive information does. Backup copies should be encrypted and kept in a secure location, ideally separate from the systems they protect. Do not place sensitive backups in cloud storage unless they are encrypted with keys that you control. Check storage media regularly for degradation according to the manufacturer's instructions, and store them under the recommended conditions (humidity, temperature, etc.). A backup that has never been test-restored is not a backup: verify periodically that copies can actually be read back.
Compared to hard disks, tape storage is still the cheaper option (by about two-thirds). Hard drives, however, are more compact and better suited to small-scale operations, and data access is usually much faster with disk storage.
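As an added example (written for this page, not code from the report or from any backup product), the following Python script shows the recovery-point model described in section 2 together with the backup hygiene described above: each run copies the live files into a new, dated recovery point with a SHA-256 manifest, a verification pass re-hashes the copies to catch media degradation or tampering, and a restore refuses to proceed from a recovery point that fails verification. The directory layout, the `demo` scenario and its file contents are constructed for the example.

```python
"""Added example: file-level backup with dated recovery points, a SHA-256
manifest per point, integrity verification and a verify-before-restore step.
Standard library only. Paths, file names and contents are constructed for
the demonstration and are not from any real system."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_recovery_point(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every file under `source` into backup_root/<label>/data and write
    manifest.json beside it. Each call produces a new, independent recovery
    point; existing points are never modified."""
    point = backup_root / label
    (point / "data").mkdir(parents=True, exist_ok=False)
    manifest: Dict[str, str] = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = point / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_file(dest)   # hash the copy, not the original
    (point / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return point


def verify_recovery_point(point: Path) -> List[str]:
    """Re-hash every file recorded in the manifest. Returns the relative paths
    that are missing or no longer match: bit rot, a failing medium, or tampering."""
    manifest = json.loads((point / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (point / "data" / rel).is_file()
            or sha256_file(point / "data" / rel) != digest]


def restore(point: Path, target: Path) -> int:
    """Restore a recovery point into `target`, but only after it verifies clean.
    Restoring silently from a damaged copy would spread the corruption."""
    bad = verify_recovery_point(point)
    if bad:
        raise RuntimeError(f"recovery point {point.name} failed verification: {bad}")
    manifest = json.loads((point / "manifest.json").read_text())
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(point / "data" / rel, dest)
    return len(manifest)


def demo(workdir: Optional[Path] = None) -> Dict:
    """Constructed scenario: two recovery points, then the newer one degrades."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    live = workdir / "live"
    (live / "hr").mkdir(parents=True)
    (live / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ann,50000\n")
    (live / "notes.txt").write_text("v1\n")
    backups = workdir / "backups"
    point1 = create_recovery_point(live, backups, "2021-09-01")
    (live / "notes.txt").write_text("v2\n")          # live data changes
    point2 = create_recovery_point(live, backups, "2021-09-02")
    # Simulate media degradation: the newest copy of notes.txt gets corrupted.
    (point2 / "data" / "notes.txt").write_bytes(b"v\x00\n")
    result = {
        "point1_bad": verify_recovery_point(point1),
        "point2_bad": verify_recovery_point(point2),
        "restored_files": restore(point1, workdir / "restored"),
        "restored_notes": (workdir / "restored" / "notes.txt").read_text(),
    }
    try:
        restore(point2, workdir / "restored2")
        result["point2_restore_refused"] = False
    except RuntimeError:
        result["point2_restore_refused"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns a "regularly review storage media" recommendation into a check that can be scheduled: running `verify_recovery_point` over every point on a cadence surfaces a degrading tape or disk before the day you need it. In a real deployment the copies and manifests would also be encrypted and held off-site, which this stdlib-only sketch omits.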
Encryption:
High-risk data is the prime candidate for encryption at every step of the way: during acquisition (transport protocols such as TLS), during processing (memory encryption) and in storage (a symmetric cipher such as AES; asymmetric algorithms such as RSA are used to protect the keys, not the bulk data). Well-encrypted information is inherently secure: the data is useless to an attacker even in the event of a breach, provided the keys were not compromised along with it.
For that reason, encryption is expressly named in the GDPR as a data protection measure, and its proper use counts in your favour with the regulators. For example, under Article 34(3) a breach of data that was encrypted with a key the attacker did not obtain need not be communicated to the affected individuals; the notification to the supervisory authority under Article 33 still applies unless the breach is unlikely to result in a risk to those individuals. You should consider encryption your number one data protection technique for this reason alone.
Pseudonymisation:
Another approach advocated in the GDPR is pseudonymisation, which improves the protection and privacy of individuals' data. It suits larger data sets well and consists of replacing the directly identifying fields with artificial identifiers, keeping whatever is needed to reverse the replacement separate and protected. For instance, you replace people's names with randomly generated strings, which makes it difficult to connect an individual's identity with the data they provided.
You are still left with very useful information, but it no longer contains directly identifying confidential data. Because individuals cannot be identified directly from pseudonymised data, handling a breach or loss is much easier and the risks are significantly reduced. The GDPR recognises this: pseudonymised data is still personal data, because the organisation can re-identify it, but the reduced risk counts when assessing whether a breach must be notified and to whom.
Pseudonymisation is also a must when conducting scientific or statistical analysis, so universities and schools should be well versed in properly pseudonymising their data.
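As an added example (written for this page, not from the report or the GDPR text), the following Python code pseudonymises a constructed set of applicant records with a keyed hash (HMAC-SHA256), keeps the token-to-identity lookup table separate so that only authorised staff can re-identify, and shows why an unkeyed hash is not a valid pseudonym: anyone holding a list of plausible e-mail addresses can recompute the tokens and re-identify the records. The applicant data, field names and the attacker's guess list are constructed for the example.

```python
"""Added example: pseudonymising direct identifiers with a keyed hash.
Standard library only. The records and the attacker's guess list are
constructed for the demonstration and do not describe any real person."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample data set: a recruiter's applicant records.
APPLICANTS = [
    {"name": "Alice Example", "email": "alice@example.org", "score": 82},
    {"name": "Bob Sample",    "email": "bob@example.org",   "score": 67},
    {"name": "Alice Example", "email": "alice@example.org", "score": 90},
]
DIRECT_IDENTIFIERS = ("name", "email")


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym. The same value under the same key gives
    the same token, so one person's records stay linkable for analysis, but
    without the key nobody can recompute a token from a guessed value.
    Truncation to 16 hex digits is for readability only (assumption)."""
    mac = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def unkeyed_pseudonym(value: str) -> str:
    """What NOT to do: a plain hash is recomputable by anyone."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Replace direct identifiers in a copy of each record. Returns the data set
    to release and the lookup table (token -> original value) that must be
    stored separately, under stricter access control, for authorised
    re-identification. Non-identifying fields such as the score are kept."""
    lookup: Dict[str, str] = {}
    released = []
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = keyed_pseudonym(rec[field], key)
            lookup[token] = rec[field]
            out[field] = token
        released.append(out)
    return released, lookup


def dictionary_attack(tokens: List[str], guesses: List[str],
                      pseudonym_fn: Callable[[str], str]) -> Dict[str, str]:
    """Re-identification attempt: hash every candidate value the attacker can
    think of and look for matches among the released tokens."""
    rainbow = {pseudonym_fn(g): g for g in guesses}
    return {t: rainbow[t] for t in tokens if t in rainbow}


def demo() -> Dict:
    key = secrets.token_bytes(32)          # generated and kept by the controller
    released, lookup = pseudonymise(APPLICANTS, key)
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    weak_tokens = [unkeyed_pseudonym(r["email"]) for r in APPLICANTS]
    strong_tokens = [r["email"] for r in released]
    return {
        "linkable": released[0]["email"] == released[2]["email"],
        "distinct": released[0]["email"] != released[1]["email"],
        "scores_kept": [r["score"] for r in released],
        "reidentified_unkeyed": sorted(set(
            dictionary_attack(weak_tokens, guesses, unkeyed_pseudonym).values())),
        # The attacker has no key, so the best they can do is the unkeyed guess.
        "reidentified_keyed": dictionary_attack(strong_tokens, guesses, unkeyed_pseudonym),
        "authorised_lookup": lookup[released[1]["email"]],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Keeping the lookup table and the HMAC key apart from the released data set is what makes this pseudonymisation rather than anonymisation: the controller can still re-identify, so the released set remains personal data under the GDPR, but a breach of it alone exposes no names or addresses. A random token stored only in the lookup table would work too; the keyed hash is used here so that repeated exports stay consistent without sharing the table.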
Access controls:
Applying access controls to your business processes is a very effective risk mitigation approach. The fewer people who have access to data, the lower the chance of a breach or of (inadvertent) loss of information.
Make sure that only trusted employees with a legitimate business need can access sensitive data, and grant the minimum access required for the job. We recommend regular training courses and refreshers on proper data handling, particularly after recruiting new employees.
Draft a straightforward and succinct data protection policy with the support of the data protection officer, detailing the processes, duties and obligations of each employee (or group of employees).
Destruction:
There will come a time when it is appropriate to destroy the data you hold. At first glance, data destruction may not seem like a form of security, but it is: it protects the data against unauthorised recovery and access. The GDPR's storage limitation principle requires that personal data not be kept longer than necessary, so data you no longer need should be deleted, and more thorough methods of destruction are required for confidential data.
Hard disks are most commonly destroyed by degaussing, while paper records, CDs and tapes are shredded into tiny pieces. For confidential data, on-site destruction is recommended. Encrypted data can be destroyed simply by deleting the decryption keys, which leaves the data unreadable for at least the next several decades, by which time it would probably be redundant anyway. This only works if every copy of the key is gone and the cipher and key length were strong to begin with.
III. Design and implement a security policy for an organization (P7):
1. Definition and discussion of security policy:
a) Definition:
A security policy is a definition of what it means for a system, organization or other entity to be secure. For an organization, it addresses the constraints on the behaviour of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow within them, constraints on access by external systems and adversaries (including programs), and access to data by people.

Figure 6: IT security policy
b) Discussion:
We live in a world where computers are globally connected and available, which leaves digitised information highly vulnerable to fraud, exploitation and destruction. Security breaches are inevitable, and crucial decisions and defensive actions must be swift and accurate. A security policy sets out what needs to be done to secure the information held on computers. A well-written policy describes the 'what' well enough that the 'how' can be defined and measured. Without a security policy, a company is left open to the world. Remember that a risk assessment must be performed first in order to establish what the policy needs to cover; this lets the organisation identify the sensitivity levels of its information, processes, procedures and systems.
c) The importance:
A key step in preventing and minimising security breaches is to establish an effective security policy and take action to ensure compliance. To keep the policy effective, update it in response to changes in your business, new threats, lessons learned from previous breaches and other changes to your security posture.
Make your information protection policies realistic and enforceable. There should be an exception process in place to handle requirements and emergencies that arise from different parts of the organisation.
If it is important to be secure, then it is important to be sure that all security measures are implemented by
sufficiently strong mechanisms. Structured methodologies and risk management methods exist to ensure that security policies are complete and that they are strictly implemented. In complex systems such as information systems, policies may be broken down into sub-policies so that the implementation of each sub-policy can be delegated to a separate security framework. This practice has a drawback, however. It is too easy to go straight to the sub-policies, which are really just rules of operation, and dispense with the top-level policy altogether. That gives the false impression that the rules of operation address some general notion of security when they do not. Because it is so hard to reason about security with completeness, rules of operation stated as "sub-policies" without a "super-policy" generally turn out to be rambling rules that do not completely enforce anything. Consequently, a top-level security policy is necessary for any serious security scheme, and sub-policies and rules of operation are meaningless without it.
2. Examples of security policies:
a) Employee requirements:
Using this policy
This example policy outlines behaviors expected of employees when dealing with data and provides a
classification of the types of data with which they should be concerned. This should link to your AUP (acceptable
use policy), security training and information security policy to provide users with guidance on the required
behaviors.
1.0 Purpose
<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.
2.0 Scope
1. Any employee, contractor or individual with access to <Company X> systems or data.
2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it when they encounter it)
PII
Financial
Restricted/Sensitive
Confidential
IP
3.0 Policy – Employee requirements
1. You need to complete <Company X>’s security awareness training and agree to uphold the acceptable
use policy.
2. If you identify an unknown, un-escorted or otherwise unauthorized individual in <Company X> you need
to immediately notify <complete as appropriate>.
3. Visitors to <Company X> must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to appropriate areas.
4. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by <Company X>. For example, the use of external e-mail systems not hosted by <Company X> to distribute data is not allowed.
5. Please keep a clean desk. To maintain information security you need to ensure that all printed in scope
data is not left unattended at your workstation.
6. You need to use a secure password on all <Company X> systems as per the password policy. These
credentials must be unique and must not be used on other external systems or services.
7. Terminated employees will be required to return all records, in any format, containing personal
information. This requirement should be part of the employee onboarding process with employees signing
documentation to confirm they will do this.
8. You must immediately notify <complete as appropriate> in the event that a device containing in scope
data is lost (e.g. mobiles, laptops etc).
9. In the event that you find a system or process which you suspect is not compliant with this policy or the
objective on information security you have a duty to inform <complete as appropriate> so that they can take
appropriate action.
10. If you have been assigned the ability to work remotely you must take extra precaution to ensure that
data is appropriately handled. Seek guidance from <complete as appropriate> if you are unsure as to your
responsibilities. Please ensure that assets holding data in scope are not left unduly exposed, for example visible in
the back seat of your car.
11. Data that must be moved within <company X> is to be transferred only via business provided secure
transfer mechanisms (e.g. encrypted USB keys, file shares, email etc). <Company X> will provide you with systems
or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query
regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with
<complete as appropriate>.
12. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line
with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek
guidance from <complete as appropriate>.
b) Data leakage prevention – data in motion:
Using this policy
This example policy is intended to act as a guideline for organizations looking to implement or update their DLP controls. Adapt this policy, particularly in line with requirements for usability or in accordance with the regulations or data you need to protect.
This policy provides a framework for classes of data that you may wish to monitor. You should expand them to cover the sensitive assets in your business and the types of data you hold.
Background to this policy
Data leakage prevention is designed to make users aware of data they are transferring which may be sensitive or
restricted in nature.
1.0 Purpose
<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to
avoid adversely impacting our customers. The protection of in scope data is a critical business requirement, yet
flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it
will reliably detect all data. Its primary objective is user awareness and the avoidance of accidental loss. This
policy outlines the requirements for data leakage prevention, the focus of the policy and its rationale.
2.0 Scope
1. Any <Company X> device which handles customer data, sensitive data, personally identifiable information or
company data. Any device which is regularly used for e-mail, web or other work related tasks and is not
specifically exempt for legitimate business or technology reasons.
2. The <Company X> information security policy will define requirements for handling of information and user
behavior requirements. This policy is to augment the information security policy with technology
controls.
3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex,
adversely impacting other business requirements), a risk assessment must be conducted and authorized by
security management. See Risk Assessment process (reference your own risk assessment process).
3.0 Policy
1. <Company X’s> data leakage prevention (DLP) technology will scan for data in motion.
2. The DLP technology will identify large volumes of in scope data (which are at high risk of being sensitive and
likely to have significant impact if handled inappropriately). A large number of records is defined as
<complete as appropriate> (tailor to your enterprise's stance, e.g. 1000 records).
In scope data is defined as: (you should adjust this to reflect the data that you are regulated on, or that which
could be most damaging to your organization. The below is an appropriate template for many organizations)
a. Credit card details, bank account numbers and other financial identifiers

b. E-mail addresses, names, addresses and other combinations of personally identifiable information
c. Documents that have been explicitly marked with the ‘<Company X> Confidential’ string.
3. DLP will identify specific content, i.e.:
a. Sales data – particularly forecasts, renewals lists and other customer listings
b. Exports of personally identifiable information outside controlled systems (this is data that you are particularly
concerned about losing and wish to ensure is detected by the DLP policy).
4. DLP will be configured to alert the user in the event of a suspected transmission of sensitive data, and the user
will be presented with a choice to authorize or reject the transfer. This allows the user to make a sensible
decision to protect the data, without interrupting business functions. Changes to the DLP product configuration
will be handled through the <Company X> IT change process and with security management approval, to
identify requirements to adjust the information security policy or employee communications.
5. DLP will log incidents centrally for review. The IT team will conduct first level triage on events, identifying data
that may be sensitive and situations where the transfer was authorized but there is a concern of inappropriate
use. These events will be escalated to HR to be handled through the normal process and to protect the
individual. (You will need to tailor this for your organization. It is common to defer enforcement to the business
owners of the data rather than having IT conduct the triage.)
6. Where there is an active concern of data breach, the IT incident management process is to be used with specific
notification provided to <complete as appropriate> (for example HR, Legal and Security Management).
7. Access to DLP events will be restricted to a named group of individuals to protect the privacy of employees. A
DLP event does not constitute evidence that an employee has intentionally or accidentally lost data, but it provides
a sufficient basis for investigation to ensure data has been appropriately protected.
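The detection classes in items 2 and 3 above are what a DLP engine's content inspection actually implements. The following Python is an added illustration, not the page's text and not any vendor's DLP product: it pattern-matches card numbers (validated with the Luhn checksum so that order references and phone numbers are not flagged), e-mail addresses and the '<Company X> Confidential' marker, counts records against the page's example threshold of 1000, and returns the severity and user action an agent would act on. The sample payloads, the severity tiers and the function names are constructed for this example.

```python
"""Content inspection of the kind a DLP agent applies to data in motion.

Added illustration, not the page's text or any vendor's DLP product. It covers
the in-scope classes the policy names (card numbers, e-mail addresses, the
'<Company X> Confidential' marker) and uses the page's example threshold of
1000 records for a large volume. The sample payloads, the severity tiers and
the function names are constructed for this example.
"""
import re

CONFIDENTIAL_MARKER = "<Company X> Confidential"
LARGE_VOLUME_THRESHOLD = 1000  # tailor to the enterprise's stance (3.0 Policy item 2)

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum carried by payment card numbers. It weeds out phone
    numbers, order references and other digit runs the regex also matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_payload(text: str, threshold: int = LARGE_VOLUME_THRESHOLD) -> dict:
    """Classify one outbound payload (mail body, browser upload, file copied to USB)."""
    cards = find_card_numbers(text)
    emails = sorted(set(EMAIL_RE.findall(text)))
    marked = CONFIDENTIAL_MARKER in text
    records = len(cards) + len(emails)

    if marked or records >= threshold:
        severity = "high"      # explicit marking or a bulk export: log centrally and escalate for triage
    elif records > 0:
        severity = "medium"    # a few identifiers: prompt the user to authorize or reject (3.0 item 4)
    else:
        severity = "none"

    return {
        "card_numbers": len(cards),
        "email_addresses": len(emails),
        "marked_confidential": marked,
        "records": records,
        "severity": severity,
        "action": "allow" if severity == "none" else "prompt",
    }


# Constructed sample payloads (not real data).
MAIL_WITH_CARD = "Hi, the customer's card is 4111 1111 1111 1111, exp 12/29. Thanks"
MAIL_CLEAN = "Lunch order ref 1234-5678-9012-3456, call me on +61 8 9000 0000"
BULK_EXPORT = "\n".join(f"user{i},user{i}@example.com" for i in range(1200))
MARKED_DOC = "<Company X> Confidential\nQ3 renewals list: ..."

if __name__ == "__main__":
    for name, payload in [("mail with card", MAIL_WITH_CARD), ("clean mail", MAIL_CLEAN),
                          ("bulk export", BULK_EXPORT), ("marked document", MARKED_DOC)]:
        print(f"{name:16} -> {inspect_payload(payload)}")
```

The Luhn step is what keeps the false-positive rate tolerable: the 16-digit order reference in the clean mail matches the card pattern but fails the checksum and is allowed through, while the bulk export is escalated on volume alone even though no single record in it is more sensitive than an e-mail address.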
4.0 Technical guidelines
Technical guidelines identify requirements for technical implementation and are typically technology specific.
1. The technology of choice is <complete as appropriate>
2. The product will be configured to identify data in motion to Browsers, IM Clients, E-mail clients, Mass storage
devices and writable CD media.

5.0 Reporting requirements
1. Weekly reports of incidents to <complete as appropriate>
2. High priority incidents discovered by IT should be immediately flagged with <complete as appropriate>
3. Monthly report showing % devices compliant with DLP policy
c) Workstation full disk encryption:
Using this policy
This example policy is intended to act as a guideline for organizations looking to implement or update their full
disk encryption control policy. Adapt this policy, particularly in line with requirements for usability or in
accordance with the regulations or data you need to protect.
Background to this policy
Full disk encryption is now a key privacy enhancing technology which is mandated by many regulatory guidelines.
1.0 Purpose
<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to
avoid adversely impacting our customers. A collection of global regulations (such as <complete as appropriate>)
also require the protection of a broad scope of data, which this policy supports by restricting access to data
hosted on <complete as appropriate> devices.
As defined by numerous compliance standards and industry best practice, full disk encryption is required to
protect against exposure in the event of loss of an asset. This policy defines requirements for full disk encryption
protection as a control and associated processes.
2.0 Scope
1. All <Company X> workstations – desktops and laptops (depending on the type of data you hold and physical
security some organizations adjust this just to cover laptops).
2. All <Company X> virtual machines.

3. Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex,
adversely impacting other business requirements), a risk assessment must be conducted and authorized by
security management. See Risk assessment process (reference your own risk assessment process).
3.0 Policy
1. All devices in scope will have full disk encryption enabled.
2. <Company X’s> Acceptable Use Policy (AUP) and security awareness training must require users to notify
<complete as appropriate> if they suspect they are not in compliance with this policy as per the AUP.
3. The AUP and security awareness training must require users to notify <complete as appropriate> of any device
which is lost or stolen.
4. Encryption policy must be managed and compliance validated by <complete as appropriate>. Machines need to
report to the central management infrastructure to enable audit records to demonstrate compliance as
required.
5. Where management is not possible and standalone encryption is configured (only once approved by a risk
assessment), the device user must provide a copy of the active encryption key to IT for escrow.
6. <Complete as appropriate> has the right to access any encrypted device for the purposes of investigation,
maintenance or the absence of an employee with primary file system access. <Complete as appropriate>, the AUP
and security awareness training will advise users of this requirement. (Depending on your AUP, or agreement
with employees, you will want to alter the stance of this policy requirement.)
7. The encryption technology must be configured in accordance with industry best practice to be hardened
against attacks.
8. All security related events will be logged and audited by <complete as appropriate> to identify inappropriate
access to systems or other malicious use.
9. The <complete as appropriate> help desk will be permitted to issue an out-of-band challenge/response to allow
access to a system in the event of failure, lost credentials or other business blocking requirements. This
challenge/response will be provided only in the event that the identity of the user can be established using
challenge and response attributes documented in the password policy.

10. (Some enterprises may have a requirement to practice a tiered approach to data security. This may
involve a set of users that have particularly sensitive data and require greater security. You can remove this if
it is not a requirement of your business.)
A group of sensitive data/VIP users will be identified by the restricted data policy. Users in this group will require
authorization from a member of <complete as appropriate> (e.g. Senior Management or IT) for key changes or
challenge/response. The help desk will not be permitted to access these systems without authorization. These
systems are identified as having access to highly sensitive, restricted use data and have a requirement for
separation of duties.
Where identified by the authentication and restricted data policy, a system/user will be required to use two-factor
authentication in accordance with the <complete as appropriate> defined standard. The authentication will occur
in the pre-boot environment.
11. Configuration changes are to be conducted through the <complete as appropriate> change control process,
identifying risks and noteworthy implementation changes to security management.
4.0 Technical guidelines
Technical guidelines identify requirements for technical implementation and are typically technology specific.
1. <Complete as appropriate> is the standard product.
2. Strong cryptographic standards defined by industry best practice must be employed. AES with 256-bit keys
(AES-256) is an approved algorithm and key length.
3. The BIOS will be configured with a secure password (as defined by the password policy) that is stored by IT. The
boot order will be fixed to the encrypted HDD. If an override is required by a user for maintenance or
emergency use, the helpdesk can authenticate the user and then provide the BIOS password. The
objective is to prevent an attacker from cold booting the system from other media and attacking it.
4. Synchronization with Windows credentials will be configured so that the pre-boot environment is matched to
the user's credentials and only one logon is required.
5. A pre-boot environment will be used for authentication. Credentials will be used to authenticate the user in
compliance with the <complete as appropriate> password security policy. (Some enterprises have a requirement to
use two-factor authentication, and this should be reflected here as required.)
5.0 Reporting requirements

1. A monthly report that identifies the % of encrypted systems versus assets in scope
2. A monthly report that identifies the compliance status of managed, encrypted systems
3. A monthly report that identifies the number of lost assets and validation that lost devices have been handled
appropriately
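The monthly figures above (percentage encrypted, compliance status of managed systems) are only as good as the reconciliation behind them: a device that has never checked in, or has not checked in for weeks, offers no evidence of compliance, and a device reporting encryption that is missing from the asset inventory is an inventory gap. The following Python is an added example of that reconciliation, not the page's process and not any vendor's reporting. It assumes two constructed inputs (an asset inventory and the check-in records the central management infrastructure holds); the field names, the 14-day staleness window and the exemption reference format are assumptions for illustration.

```python
"""Reconciling the FDE reporting requirements against management-server data.

Added example, not the page's own process or any vendor's reporting. It assumes
two constructed inputs: the asset inventory of devices in scope (2.0 Scope) and
the check-in records that managed machines send to the central management
infrastructure (3.0 Policy item 4). The field names, the 14-day staleness
window and the exemption reference format are assumptions for illustration.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=14)   # assumed: a machine silent longer than this cannot be shown compliant
APPROVED_ALGORITHMS = {"AES-256"}  # 4.0 Technical guidelines item 2
REPORT_DATE = date(2021, 9, 8)     # constructed reporting date

# Constructed asset inventory: every workstation and VM in scope, plus any
# exemption reference issued through the risk assessment process (assumed format).
INVENTORY = [
    {"host": "WS-001", "type": "laptop", "exemption": None},
    {"host": "WS-002", "type": "laptop", "exemption": None},
    {"host": "WS-003", "type": "desktop", "exemption": None},
    {"host": "WS-004", "type": "laptop", "exemption": None},
    {"host": "VM-010", "type": "vm", "exemption": "RA-2021-07"},
]

# Constructed check-ins from the encryption management server.
# WS-004 never checked in; WS-777 reports but is not in the inventory.
CHECKINS = [
    {"host": "WS-001", "encrypted": True, "algorithm": "AES-256", "last_seen": date(2021, 9, 1)},
    {"host": "WS-002", "encrypted": False, "algorithm": None, "last_seen": date(2021, 9, 2)},
    {"host": "WS-003", "encrypted": True, "algorithm": "AES-256", "last_seen": date(2021, 7, 15)},
    {"host": "WS-777", "encrypted": True, "algorithm": "AES-256", "last_seen": date(2021, 9, 3)},
]


def assess(asset, checkin, as_of):
    """Return (status, reason) for one inventoried asset."""
    if asset["exemption"]:
        return "exempt", f"risk assessment {asset['exemption']}"
    if checkin is None:
        return "non_compliant", "never reported to the management server"
    age = as_of - checkin["last_seen"]
    if age > STALE_AFTER:
        return "non_compliant", f"last check-in {age.days} days ago, no current evidence"
    if not checkin["encrypted"]:
        return "non_compliant", "disk not encrypted"
    if checkin["algorithm"] not in APPROVED_ALGORITHMS:
        return "non_compliant", f"algorithm {checkin['algorithm']} not approved"
    return "compliant", ""


def monthly_report(inventory, checkins, as_of):
    """Build the figures behind 5.0 Reporting requirements items 1 and 2."""
    by_host = {c["host"]: c for c in checkins}
    findings = {a["host"]: assess(a, by_host.get(a["host"]), as_of) for a in inventory}
    in_scope = [h for h, (status, _) in findings.items() if status != "exempt"]
    compliant = [h for h in in_scope if findings[h][0] == "compliant"]
    unmanaged = sorted(set(by_host) - {a["host"] for a in inventory})
    return {
        "as_of": as_of.isoformat(),
        "in_scope": len(in_scope),
        "compliant": len(compliant),
        "percent_compliant": round(100 * len(compliant) / len(in_scope), 1) if in_scope else 100.0,
        "non_compliant": {h: r for h, (s, r) in findings.items() if s == "non_compliant"},
        "exempt": [h for h, (s, _) in findings.items() if s == "exempt"],
        # hosts reporting encryption but absent from the inventory: an inventory gap
        "reporting_but_not_inventoried": unmanaged,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_report(INVENTORY, CHECKINS, REPORT_DATE), indent=2))
```

Exempt devices are excluded from the denominator rather than counted as compliant, and a host that reports encryption but is missing from the inventory is surfaced separately rather than silently improving the percentage.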
REFERENCE:
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf
d) Design my own policy:
Wheelie Good Bin Cleaning Policy
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information
when you use the Service and tells you about your privacy rights and how the law protects you.
We use your personal data to provide and improve the Service. By using the Service, you agree to the collection
and use of information in accordance with this Privacy Policy. This Privacy Policy was developed with the
assistance of the Privacy Policy Generator.
Last updated: October 22, 2020
1. Interpretation and definitions:
1.1. Interpretation:
Words whose initial letter is capitalized have the meanings defined under the following conditions. The
following definitions have the same meaning regardless of whether they appear in singular or in plural.
1.2. Definitions:
For the purposes of this Privacy Policy:
Account: means a unique account created for You to access our Service or parts of our Service.
Company: (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to
Wheelie Good Bin Cleaning, Perth 6006.

Cookies: are small files that are placed on Your computer, mobile device or any other device by a
website, containing the details of Your browsing history on that website among its many uses.
Country refers to: Western Australia, Australia
Device: means any device that can access the Service such as a computer, a cellphone or a digital tablet.
Personal Data: is any information that relates to an identified or identifiable individual.
Service: refers to the Website.
Service Provider: means any natural or legal person who processes the data on behalf of the Company. It
refers to third-party companies or individuals employed by the Company to facilitate the Service, to
provide the Service on behalf of the Company, to perform services related to the Service or to assist the
Company in analyzing how the Service is used.
Third-party Social Media Service: refers to any website or any social network website through which a
User can log in or create an account to use the Service.
Usage Data: refers to data collected automatically, either generated by the use of the Service or from the
Service infrastructure itself (for example, the duration of a page visit).
Website: refers to Wheelie Good Bin Cleaning, accessible from focuswa.com.au
You: means, as appropriate, the individual accessing or using the Service, or the company or other legal
entity on behalf of which such individual is accessing or using the Service.
2. Collecting and using your personal data:
2.1. Types of data collected:
2.1.1. Personal Data:
While using our Service, we may ask you to provide certain personally identifiable information that can be
used to contact or identify you. Personally identifiable information may include, but is not limited to:
Email address
First name and last name
Phone number
Usage Data
2.1.2. Usage Data:
Usage data is automatically obtained when the service is used.

Usage Data may include information such as your device's Internet Protocol (IP) address, browser type, browser
version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages,
unique device identifiers and other diagnostic data.
When you access the Service by or through a mobile device, we may collect certain information automatically,
including, but not limited to, the type of mobile device you use, your mobile device's unique ID, the IP address
of your mobile device, your mobile operating system, the type of mobile internet browser you use, unique device
identifiers and other diagnostic data.
We may also collect information that your browser sends whenever you visit our Service or when you access the
Service by or through a mobile device.
2.1.3. Tracking technologies and cookies:
We use Cookies and similar tracking technologies to track activity on our Service and store certain information.
The tracking technologies used are beacons, tags and scripts to collect and track information and to improve
and analyze our Service. The technologies we use may include:
Cookies or Browser Cookies: A cookie is a small file placed on your device. You can instruct your browser to
refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not
be able to use some parts of our Service. Unless you have adjusted your browser settings so that it will refuse
Cookies, our Service may use Cookies.
Flash Cookies: Certain features of our Service may use local stored objects (or Flash Cookies) to collect and store
information about your preferences or your activity on our Service. Flash Cookies are not managed by the same
browser settings as those used for Browser Cookies. For more information on how you can delete Flash Cookies,
please read "Where can I change the settings for disabling, or deleting local shared objects?" available at
https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html#main_Where_can_I_change_the_settings_for_disabling__or_deleting_local_shared_objects_
Web Beacons: Some parts of our Service and our emails can contain small electronic files known as web
beacons (also known as simple gifs, pixel tags, and single-pixel gifs) that enable the Company to count, for
example, users who have visited or opened an email or other related website statistics (for example, recording
the popularity of a certain section and verifying system and server integrity).
the type of browser, the version of the browser, the pages you visit on our Service, the time and date of your
visits, the time spent on those pages, specific device identifiers, and other diagnostic information.
We may collect such information automatically when you access the Service through or via a mobile device,
including, but not limited to, the type of mobile device you are using, the unique ID of your mobile device, the
IP address of your mobile device, your mobile operating system, the type of mobile internet browser you are
using, unique device identifiers and other diagnostic information.
When you visit our Service, or when you access the Service through or through a mobile device, we can also
collect information that your browser sends.
2.1.3. Tracking technologies and cookies:
We use cookies and similar tracking technologies to track activity on our Service and to store certain information. The tracking technologies used are beacons, tags and scripts that collect and track information and help us improve and analyse our Service. The technologies we use may include:
Cookies or Browser Cookies: A cookie is a small file placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Service. Unless you have adjusted your browser settings so that it refuses cookies, our Service may use cookies.
Flash Cookies: Certain features of our Service may use local stored objects (or Flash Cookies) to collect and store information about your preferences or your activity on our Service. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies. For more information on how you can delete Flash Cookies, please read "Where can I change the settings for disabling, or deleting local shared objects?" available at https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html#main_Where_can_I_change_the_settings_for_disabling__or_deleting_local_shared_objects_
Web Beacons: Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email, and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be "Persistent" or "Session" cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser. You can read more about cookies in the "All About Cookies" article.
We use both session and persistent cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These cookies are essential to provide you with the services available through the website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these cookies, the services you have asked for cannot be provided, and we only use these cookies to provide you with those services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These cookies identify whether users have accepted the use of cookies on the website.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These cookies allow us to remember choices you make when you use the website, such as your login details or language preference. They are intended to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the website.
Please visit our Cookies Policy or the Cookies section of our Privacy Policy for more information about the cookies we use and your choices regarding cookies.
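The distinction drawn above (a cookie with no expiry is a session cookie; one carrying Expires or Max-Age persists) is decided by the server when it emits the Set-Cookie header, and the essential authentication cookie described under "Necessary / Essential Cookies" also needs the Secure, HttpOnly and SameSite attributes to protect the session it carries. The following is an added example, not part of the quoted policy or of the report: it builds both kinds of header with Python's standard http.cookies module and audits a header for those protections. The cookie names and values are illustrative.

```python
"""Session vs persistent cookies, and an audit of an authentication cookie.
Added example; cookie names and values below are illustrative only."""
from http.cookies import SimpleCookie

ONE_YEAR = 365 * 24 * 60 * 60  # seconds


def _new(name, value):
    """Start a cookie scoped to the whole site."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    return c[name]


def session_cookie(name, value):
    """Essential/authentication cookie: no Expires or Max-Age, so the browser
    discards it when closed. Secure (HTTPS only), HttpOnly (unreadable from
    script) and SameSite=Strict (not sent on cross-site requests, which limits
    CSRF) protect the session identifier it carries."""
    m = _new(name, value)
    m["secure"] = True
    m["httponly"] = True
    m["samesite"] = "Strict"
    return m.OutputString()


def persistent_cookie(name, value, max_age=ONE_YEAR):
    """Functionality/preference cookie: Max-Age (and Expires for old clients)
    make it survive the browser being closed. Still HTTPS only and SameSite=Lax
    so it is not leaked over plain HTTP or on cross-site POSTs."""
    m = _new(name, value)
    m["max-age"] = max_age
    m["expires"] = max_age          # int = seconds from now; rendered as an RFC 1123 date
    m["secure"] = True
    m["samesite"] = "Lax"
    return m.OutputString()


def parse_set_cookie(header):
    """Parse one Set-Cookie header value back into (name, Morsel)."""
    c = SimpleCookie()
    c.load(header)
    (name, morsel), = c.items()
    return name, morsel


def cookie_kind(header):
    """'persistent' if the header carries Max-Age or Expires, else 'session'."""
    _, m = parse_set_cookie(header)
    return "persistent" if (m["max-age"] or m["expires"]) else "session"


def audit_auth_cookie(header):
    """List the protections an authentication cookie should have but lacks:
    a session lifetime, Secure, HttpOnly and SameSite."""
    _, m = parse_set_cookie(header)
    missing = []
    if cookie_kind(header) != "session":
        missing.append("session-lifetime")
    if not m["secure"]:
        missing.append("Secure")
    if not m["httponly"]:
        missing.append("HttpOnly")
    if not m["samesite"]:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    print(session_cookie("sessionid", "abc123"))
    print(persistent_cookie("lang", "en"))
    print("findings:", audit_auth_cookie("sessionid=abc123; Path=/"))
```

The functionality cookie that the policy describes as "remembering your login details" should hold a random token that the server resolves to the account, never the credentials themselves; the audit function treats any persistent authentication cookie as a finding for the same reason.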
2.1.4. Use of your personal data:
The Company may use Personal Data for the following purposes:
To provide and maintain our Service, including to monitor the usage of our Service.
To manage your Account: to manage your registration as a user of the Service. The Personal Data you provide can give you access to the different functionalities of the Service that are available to you as a registered user.
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services you have purchased, or of any other contract with us through the Service.
To contact you: by email, telephone calls, SMS or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including security updates, when necessary or reasonable for their implementation.
To provide you with news, special offers and general information about other goods, services and events we offer that are similar to those you have already purchased or enquired about, unless you have opted not to receive such information.
To manage your requests: to attend to and manage the requests you make to us.
For business transfers: we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceedings, in which Personal Data held by us about our Service users is among the assets transferred.
For other purposes: we may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and evaluating and improving our Service, products, services, marketing and your experience.
We may share your personal information in the following situations:
With service providers: we may share your personal information with service providers to monitor and analyse the use of our Service and to contact you.
For business transfers: we may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
With affiliates: we may share your information with our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include our parent company and any other subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
With business partners: we may share your information with our business partners to offer you certain products, services or promotions.
With other users: when you share personal information or otherwise interact with other users in public areas, that information may be viewed by all users and may be publicly distributed outside. If you interact with other users or register through a Third-Party Social Media Service, your contacts on that service may see your name, profile, pictures and a description of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you and view your profile.
With your consent: we may disclose your personal information for any other purpose with your consent.
2.1.5. Retention of your personal data:
The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or when we are legally obliged to retain this data for longer periods.
2.1.6. Transfer of your personal data:
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction.
Your consent to this Privacy Policy, followed by your submission of such information, represents your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and that no transfer of your Personal Data to an organisation or a country takes
place unless there are adequate controls in place, including the security of your data and other personal information.
2.2. Disclosure of your personal data:
2.2.1. Business transactions:
If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
2.2.2. Law enforcement:
Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
2.2.3. Other legal requirements:
The Company may disclose your Personal Data in the good faith belief that such action is necessary to:
Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users of the Service or of the public
Protect against legal liability
2.2.4. Security of your personal data:
The security of your Personal Data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
3. The elements of creating security policy:
A security policy can be as broad as you want it to be, covering everything from IT security to the security of related physical assets, but it must be enforceable in its full scope. When designing an information security policy, the following list provides some essential considerations:
Ø Purpose:
First, state the purpose of the policy, which may be to:
o Establish an overall approach to information security.
o Detect and prevent information security breaches, such as misuse of networks, data, applications and computer systems.
o Maintain the reputation of the organisation, and uphold ethical and legal responsibilities.
o Respect customer rights, including how to react to enquiries and complaints about non-compliance.
Ø Audience:
Define the audience to whom the information security policy applies. You may also specify which audiences are out of the policy's scope (for example, staff in another business unit which manages security separately may not be in the scope of the policy).
Ø Information security objectives:
Guide the management team to agree on well-defined strategic and security objectives. Information security focuses on three main objectives:
• Confidentiality - only individuals with authorisation can access data and information assets.
• Integrity - data should be intact, accurate and complete, and IT systems must be kept operational.
• Availability - users should be able to access information or systems when needed.
Ø Authority and access control policy:
Hierarchical pattern - a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager than for a junior employee. The policy should outline the level of authority over data and IT systems for each organisational role.
Network security policy - users can only access company networks and servers via unique logins that require authentication, including passwords, biometrics, ID cards, or tokens. All systems should be monitored and all login attempts logged.
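As an added example (not from the report), the hierarchical authority pattern and the clearance check it implies are written below as a small policy decision function: each position maps to the highest classification it may read (the levels are the ones named under Data classification below), only designated positions may share data onward, every decision is logged for review as the network security policy requires, and anything unrecognised is denied. The positions, the share rule and the sample requests are assumptions.

```python
"""Clearance-vs-classification access check with a role hierarchy and an
audit trail. Added example; positions, the share rule and the sample
requests are assumed, not taken from any real policy."""
from dataclasses import dataclass, field

# Classification levels named in the policy, ordered by sensitivity.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Hierarchical pattern (assumed positions): the highest level each may read.
CLEARANCE = {
    "junior employee": "confidential",
    "team lead": "secret",
    "senior manager": "top secret",
}

# Assumed rule: only these positions may decide to share data, and only data
# they are themselves cleared to read.
MAY_SHARE = {"senior manager"}


@dataclass
class AccessLog:
    """Records every access decision, allowed or denied, for later review."""
    entries: list = field(default_factory=list)

    def record(self, who, position, action, asset, level, allowed):
        self.entries.append({"who": who, "position": position, "action": action,
                             "asset": asset, "level": level, "allowed": allowed})


def decide(position, action, asset_level):
    """Return True if a holder of `position` may perform `action` ('read' or
    'share') on data classified at `asset_level`. Unknown positions, levels
    or actions are denied: the check fails closed."""
    if position not in CLEARANCE or asset_level not in LEVELS:
        return False
    if LEVELS[asset_level] > LEVELS[CLEARANCE[position]]:
        return False                      # a lower clearance never reads up
    if action == "read":
        return True
    if action == "share":
        return position in MAY_SHARE      # authority to decide who data goes to
    return False


def check(log, who, position, action, asset, asset_level):
    """Make the decision, log it whatever the outcome, and return it."""
    allowed = decide(position, action, asset_level)
    log.record(who, position, action, asset, asset_level, allowed)
    return allowed


def denied_attempts(log):
    """Denied decisions: the entries a reviewer looks at first."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AccessLog()
    check(log, "alice", "senior manager", "read", "merger-plan.docx", "top secret")
    check(log, "bob", "junior employee", "read", "merger-plan.docx", "top secret")
    check(log, "carol", "team lead", "share", "q3-forecast.xlsx", "secret")
    for e in denied_attempts(log):
        print(f"DENIED {e['who']} ({e['position']}) {e['action']} {e['asset']} [{e['level']}]")
```

Denying anything not explicitly mapped is the point of the `decide` guard: a misspelt position or a document with no classification label should land in the denied list and be looked at, not be granted access by default.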
Ø Data classification:
The policy should classify data into categories, which may include "top secret", "secret", "confidential" and "public". Your objectives in classifying data are:
§ To ensure that individuals with lower clearance levels cannot access sensitive data.
§ To protect highly sensitive data, and avoid needless security measures for unimportant data.
Ø Data support and operations:
Data protection regulations - systems that store personal data or other sensitive data must be protected according to organisational guidelines, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
Data backup - encrypt data backups according to industry best practices. Securely store backup media, or move backups to secure cloud storage.
Movement of data - only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.
Ø Security awareness and behaviour:
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification:
Social engineering - place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.
Clean desk policy - secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so that documents do not fall into the wrong hands.
Acceptable Internet usage policy - define how Internet use should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.
Ø Responsibilities, rights and duties of personnel:
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.
4. Steps to design a policy:
There are 10 steps to designing a successful security policy:
1st step: Identify your risks
What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? Maybe it's a non-issue. Or it could be costing you thousands of dollars a month in lost employee productivity or computer downtime.
A good way to identify your risks is to use monitoring or reporting tools. Many vendors of firewalls and Internet security products offer evaluation periods for their products. If those products have reporting capabilities, it can be useful to use these evaluation periods to identify the risks. It is crucial, however, to make sure your employees are aware that you will be recording their actions for risk assessment purposes if this is something you want to try. Many employees will see this as an invasion of their privacy if it is attempted without their knowledge.
2nd step: Learn from others
There are several types of security policies, so it is worth seeing what other companies like yours are doing. You can spend a few hours searching online, or you can buy a book with more than 1,200 ready-to-customise policies, such as Information Security Policies Made Easy by Charles Cresson Wood. Talk to the sales representatives of various security software vendors, too; they are always happy to share information.
3rd step: Make sure the policy conforms to legal requirements
Depending on your data holdings, jurisdiction and location, you may be required to conform to certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of mitigating many of the liabilities you might incur in the event of a security breach.
4th step: Level of security = level of risk
Don't get overzealous. Too much security can be as bad as too little. You may find that, apart from keeping the bad guys out, you don't have any issues with appropriate use because you have a mature, committed team. In such situations, the most important thing is a formal code of conduct. Excessive security can be an obstacle to smooth business operations, so make sure you don't overprotect yourself.
5th step: Include staff in policy development
Nobody wants a policy dictated from above. Involve employees in the process of defining acceptable use. Keep staff informed as the rules are developed and the tools are implemented. If people understand the need for a responsible security policy, they will be much more likely to comply.
6th step: Train your employees
Staff training is generally overlooked or underappreciated as part of the AUP implementation process. But it is definitely one of the most beneficial stages of the process. Not only does it help you educate employees and help them understand the policies, it also lets you explore the practical, real-world consequences of the policy. In a training forum, end users often ask questions or give examples, and this can be very rewarding. These questions allow you to describe the policy in more depth and to amend it to be more useful.
7th step: Get it in writing
Make sure every member of your staff has read, signed and understood the policy. All new employees should sign the policy when they are brought on board and should be required to re-read and reconfirm their understanding of the policy at least annually. For large organisations, use digital tools to help distribute and track document signatures electronically. Some tools also offer quizzing features to test the user's comprehension of the policy.
8th step: Set clear penalties and enforce them
Network security is no joke. Your security policy is not a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches of the security policy. Then enforce them. A security policy with haphazard enforcement is just as bad as no policy at all.
9th step: Update your staff
A security policy is a dynamic document because the network itself is always changing. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard enough, but keeping staff aware of any changes that might affect their day-to-day operations is even more difficult. Open communication is the key to success.
10th step: Install the tools you need
Having a policy is one thing; enforcing it is another. Internet and e-mail content security products with customisable rule sets can ensure that your policy, however complex, is adhered to. Investing in tools to enforce your security policy is probably one of the most cost-effective purchases you will ever make.

IV. Main components of an organizational disaster recovery plan, justifying
the reasons for inclusion (P8):
1. Business continuity:
a) Definition:
The continuity of operation is the capacity of a company to continue basic operations throughout and after a
catastrophe has occurred. Business continuity planning defines risk management policies and procedures aimed
at preventing mission-critical programs from being interrupted and restoring the organization's full operation as
efficiently and smoothly as possible.
Keeping critical functions up and running after a crisis and rebuilding with as little downtime as possible is the
most basic business continuity condition. Various unexpected incidents, such as natural disasters, explosions,
disease outbreaks, cyberattacks and other external threats, are considered in a business continuity plan.
Figure 7: Business Continuity Plan
For organizations of any scale, business continuity is essential, but retaining all operations for the duration of a
disaster may not be feasible for all but the largest enterprises. The first step in business continuity planning,
according to many experts, is to determine what roles are necessary and allocate the available budget
accordingly. When essential components have been identified, administrators may put mechanisms for failover in
place.
In geographically scattered locations, technologies such as disk mirroring allow an enterprise to retain up-to-date
copies of data, not just in the primary data center. This allows uninterrupted data access to continue if one
location is disabled and protects against data loss.

b) The importance:
Business continuity is crucial at a moment when downtime is inappropriate. Downtime originates from a number
of sources. Some risks seem to be getting worse, such as cyberattacks and extreme weather. It's critical to have a
business continuity plan in place that takes into account any possible operational disruptions.
The strategy should allow the company during a crisis to keep going at least at a minimal level. In responding
rapidly to an interruption, business continuity helps the company retain resilience. Good business continuity saves
money, time and the credibility of a business. There is a chance of economical, personal and reputational damage
from an extended outage.
Business continuity planning also allows a company to take a look at itself, analyze possible points of vulnerability and
collect key information that is useful outside of emergency situations, such as contact lists and technical diagrams of
processes. By undertaking the business continuity planning process, an organization can improve its communication,
technology and resilience.
For legal or compliance purposes, business continuity may also be a prerequisite. It is important to understand
which regulations affect a given organization, especially in an era of increased regulation.
2. Components of recovery plan:
There are 6 key components in disaster recovery plan:
1st component: The scope of your plan
There are many types of disasters that could impact organizations and several organizational aspects that need to
be covered, so the first component of the disaster recovery plan should determine what scope it encompasses, as
basic as it sounds. Does it cover, for instance, what to do in the event of a cyber attack or in the event of a natural
disaster? It should hopefully cover both, but that has to be recorded.
2nd component: Organizational roles and responsibilities
Your company should have a dedicated disaster recovery team that is well acquainted with the established
recovery processes and plays a specific role in the strategy in order for recovery to take place. The recovery
team's duties do not only include what is being done during and after a disaster, but also in advance, such as:
• Ensuring that more than one individual knows how to execute the tasks required, so that if anything happens to
one person, there is no chance that a task will be executed incorrectly or not at all.

• Ensuring that your workers know the manual way to execute such procedures (where one exists), because during a
disaster, software or hardware can be destroyed or interrupted and left unusable.
• Educating all workers so that they are prepared to act and do their work safely in the event of a disaster.
Adequate preparation will dramatically reduce the impact of a crisis, especially if the organization operates in a
high-risk setting.
3rd component: Your critical business functions and tolerance for downtime
Your critical business functions (CBFs) are your organization's vital functions, without which it cannot operate
properly or at all. While deciding the tactics that will help your organization recover from a disaster, you have to
define these functions and decide how long you can last without them before suffering significant loss. This period is
known as your recovery time objective (RTO). Detailing your CBFs, and how long you can survive before each is
restored, will help you prioritise the processes described in your recovery plan.
4th component: The strategies, processes, procedures to resume your critical business functions
Now that you have established which functions of your company need to be restored in order for your business to
operate, you can plan your strategies accordingly.
You should log the following for each critical business function:
• Preventative/recovery steps to be taken to support or restore the CBF
• Resources/equipment necessary to carry out those steps
• Recovery time objective (so you know how quickly actions must happen)
• Responsibilities (who is in charge of making sure the actions happen)
A checklist that is used to determine the extent of the damage after a disaster and track the recovery process
should also be established.
Let's see this in an instance to which most businesses will relate:

Figure 8: Components of disaster recovery plan
5th component: A communication plan
The last thing you may feel like doing when disaster strikes is talking to your clients, workers or other stakeholders,
but good communication is essential to showing that you are in charge of the situation and that it will be resolved.
Effective communication involves not only communicating as quickly as possible, but also understanding the
communication chain required and reporting accurate information. This is why it is important to outline a detailed
communication strategy that covers these elements.

Depending on the case, this strategy should include contact lists of those that would need to be communicated to
(internally and externally), a protocol for what data should be communicated and how it should be transmitted.
The communication after a natural disaster, for example, will vary from the communication after a data breach,
and those differences need to be prepared for by your strategy.
6th component: Schedule for testing, reviewing, improving
As industries change and grow, disaster recovery strategies will need to evolve. Sadly, it is not as simple as
writing a "DRP" and declaring the organization ready. Your company should spend time checking and rehearsing the
plan to ensure that it is useful and that it keeps up with the expectations of the business and the industry. If business
is booming and your workforce doubles, for example, your disaster recovery plan would need to account for the new
employees and office space. Schedule tests of your strategies periodically, at least yearly, and more often depending
on the pace of growth or change in your organization.
While some of the procedures you need to think about can seem like common sense as part of your disaster
recovery plan, the fact is that people don't always think clearly in the midst of disasters. Shock, tension and panic
begin to take over instead. These strategies tell the company what to do in those moments to mitigate
repercussions and leave you facing a stronger result, regardless of the conditions. "It's better to be safe than
sorry".
3. Disaster recovery process steps:
There are 8 steps to create a useful disaster recovery process:
1st step: Set clear recovery objectives
Reducing downtime and the cost of data loss is the primary motive for implementing a successful disaster
recovery plan. With RTO (Recovery Time Objective) and RPO (Recovery Point Objective), set key targets so that
you can create an optimal plan for data recovery. These criteria help you determine how quickly steps to retrieve
the data need to be taken.
An RTO specifies the maximum downtime within which the entire recovery of the system should take place. An RPO
specifies the maximum amount of data loss, measured as a period of time, that will not lead to a disastrous business
effect.
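To show how RTO and RPO targets, together with the critical business functions of the 3rd component above, can be checked against what a backup and restore setup actually delivers, the following Python script is an added example written for this section, not code from the report; every function name, CBF and figure in it is a constructed assumption.

```python
"""Check a disaster recovery plan's critical business functions (CBFs)
against their RTO and RPO targets. Added example, not part of the report;
all CBF names and numbers below are constructed sample data."""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    rto: timedelta               # maximum tolerable downtime
    rpo: timedelta               # maximum tolerable data loss, as a period of time
    backup_interval: timedelta   # how often a recovery point is taken
    replication_lag: timedelta   # delay before a recovery point is safely off-site
    measured_restore: timedelta  # restore time observed in the last DR test


def worst_case_data_loss(cbf):
    """Data created since the last usable recovery point can be lost.
    In the worst case the disaster strikes just before the next backup
    and the latest backup has not finished replicating off-site, so both
    the interval and the replication lag count towards the loss."""
    return cbf.backup_interval + cbf.replication_lag


def max_backup_interval(cbf):
    """Largest backup interval that still meets the RPO, given the lag."""
    return cbf.rpo - cbf.replication_lag


def evaluate(cbf):
    """Return a list of findings; an empty list means RTO and RPO are met."""
    findings = []
    loss = worst_case_data_loss(cbf)
    if loss > cbf.rpo:
        findings.append(f"RPO miss: worst-case loss {loss} exceeds RPO {cbf.rpo}")
    if cbf.measured_restore > cbf.rto:
        findings.append(f"RTO miss: measured restore {cbf.measured_restore} exceeds RTO {cbf.rto}")
    return findings


def evaluate_plan(cbfs):
    """Findings per CBF, keyed by name."""
    return {c.name: evaluate(c) for c in cbfs}


def prioritise(cbfs):
    """Recovery order: shortest RTO first, tie-break on shortest RPO,
    which is the prioritisation the 3rd component asks for."""
    return [c.name for c in sorted(cbfs, key=lambda c: (c.rto, c.rpo))]


# Constructed sample CBFs (hypothetical values, not taken from the report)
SAMPLE_CBFS = [
    CriticalFunction("order processing", rto=timedelta(hours=2), rpo=timedelta(minutes=15),
                     backup_interval=timedelta(minutes=10), replication_lag=timedelta(minutes=2),
                     measured_restore=timedelta(hours=1, minutes=30)),
    CriticalFunction("payroll", rto=timedelta(hours=24), rpo=timedelta(hours=4),
                     backup_interval=timedelta(hours=6), replication_lag=timedelta(minutes=30),
                     measured_restore=timedelta(hours=8)),
    CriticalFunction("e-mail", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                     backup_interval=timedelta(minutes=30), replication_lag=timedelta(minutes=5),
                     measured_restore=timedelta(hours=6)),
]

if __name__ == "__main__":
    for name, findings in evaluate_plan(SAMPLE_CBFS).items():
        print(name, "->", findings or "meets RTO and RPO")
    print("recovery order:", prioritise(SAMPLE_CBFS))
```

With the sample data, payroll misses its RPO (a 6-hour backup cycle cannot satisfy a 4-hour RPO) and e-mail misses its RTO (the rehearsed restore took 6 hours against a 4-hour target), which is exactly the kind of gap the regular testing step is meant to surface.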
2nd step: Identify involved professionals

All staff involved, both internal and external members, should be clearly identified. The DRP should record how
and when to contact each member, and it should also describe their assigned duties in depth.
Having a pre-approved resource budget (recovery equipment and services) would also help ease the flow and
establish a successful strategy for disaster recovery.
3rd step: Draft a detailed documentation on network infrastructure
With the execution of the data recovery process, a step-by-step guide on network configurations can help. The
new network infrastructure's comprehensive blueprint guarantees proper reconstruction and regeneration of the
entire system. The thorough documentation enhances the likelihood that corrupted network infrastructure can be
successfully restored.
Holding all the records offline and in a private cloud is advisable. The document should be easy for all staff to
view, either way.
4th step: Choose your data recovery techniques
There are several types of solutions for data recovery, such as recovery from hard drives, RAID recovery, tape
recovery, optical recovery, and more. It is important to pick the correct one for your company. Consider the
organization's criteria (on-premise, outsourced, or cloud-based disaster recovery as a service, DRaaS) when
choosing one of these solutions.
Every method of data recovery has its collection of capabilities, making it expensive or putting it within your
budget. There are a few variables that impact the cost of recovery solutions: storage capacity, timetable of
recovery, and complexity of configuration.
5th step: Explicitly define an incident criteria checklist
Every company experiences temporary outages, but not every such event should launch the disaster recovery
process. No organization would carry out its recovery plan for a temporary power outage, but if the outage is due to
a natural disaster, then the incident needs to be considered.
Developing an all-inclusive checklist for defining a disaster will enable the recovery team to conduct the DRP as
efficiently as possible.

For any organisation, this checklist may vary, depending on their data recovery priorities and budget. Even the
decision to obey this checklist strictly or not is totally up to organizations.
6th step: Document your entire disaster recovery procedure
A recorded collection of procedures helps to execute the disaster recovery plan following successful detection of a
disaster recovery event. The DRP should be in compliance with the RTO and RPO requirements already developed.
For optimum DRP productivity, both automated and manual processes included in the plan should be neatly
recorded.
It's critical that all the recovered data should be in an operational state at the end of the disaster recovery
procedure.
7th step: Regularly test your DRP
If not checked regularly, your DRP can fall flat. A carefully tested strategy is effective and has a better chance of
achieving good outcomes. All the included measures should be checked regularly for a working DRP.
The entire disaster management team should participate in these tests. Playing through realistic data loss
and cyberattack scenarios helps the team remain prepared for the unforeseen occurrence.
8th step: Keep updating your recovery plan
As the organization develops, the DRP needs to be revised. If your DRP goes through routine testing, there is a
good chance that you will come across limitations in your current strategy. Keep removing these gaps so that the
latest modifications are consistent with the requirements of your company. Also, keep a log of every change to
the DRP.
As personnel change, the list of participating members should change accordingly. New members should be
trained and allocated to their duties as soon as possible. This will help your DRP evolve over time.
Disasters are inevitable, but having a disaster recovery plan helps to minimize possible harm, rapidly return to
operating mode, and reduce the cost of damage. Check out EC-Council Disaster Recovery Specialist (E|DRP) to
learn how to remain operational at the time of another “WannaCry” or “Hurricane Maria”. The program is
crafted by industry experts and complies with various regulatory requirements such as NFPA 1600,
the NICE framework, and many others. It is a hands-on curriculum that ensures that, as a qualified disaster recovery
specialist, you learn all the technical skills.

4. Some of the policies and procedures required for business continuity:
a) Business continuity plan (BCP):
BCP is a document that offers instructions and recovery steps for a specific function or process in a specified time
span. It is written in sufficient detail so that those needed can execute the plan with minimal delay. It is a set of
tools, behavior, processes, and knowledge that, in the event of a major disruption of operations, is created,
checked, and kept ready for use.
b) Business continuity planning:
The preparation of business continuity is the process of establishing prior plans and procedures that enable
VCU to react to an interrupting event in such a way that essential business operations can continue at the
expected disruption levels. A successful business continuity plan (BCP) is the end product of this process.
c) Business impact analysis (BIA):
BIA is a thorough evaluation of the potential implications of a loss of an important function and gathers the
necessary information to establish recovery plans to help restart operations rapidly.
d) Comprehensive emergency management plan (CEMP):
A CEMP is a detailed emergency management plan designed to ensure that natural and man-made threats are
responded to and recovered appropriately. A CEMP is distinct from a continuity plan for business. A CEMP
provides advice shortly before or after an emergency about what to do. Regardless of the incident, a business
continuity plan helps to mitigate the effect on VCU's business processes and helps to return to normal operations
as quickly as possible after the emergency.
e) Continuity of operations plan (COOP):
A COOP is a planning term used previously to suggest planning for business continuity. A COOP is somewhat
similar to a BCP in that they are both created to help the company recover from a tragedy, but organizations
or businesses use business continuity planning more and organizational continuity is used more by federal,
state, and local governments.
f) Critical functions:
a) Business continuity plan (BCP):
BCP is a document that offers instructions and recovery steps for a specific function or process in a specified time
span. It is written in sufficient detail so that those needed can execute the plan with minimal delay. It is a set of
tools, behavior, processes, and knowledge that, in the event of a major disruption of operations, is created,
checked, and kept ready for use.
b) Business continuity planning:
The preparation of business continuity is the process of establishing prior plans and procedures that enable
VCU to react to an interrupting event in such a way that essential business operations can continue at the
expected disruption levels. An successful business continuity plan is the end product of this operation (BCP). c)
Business impact analysis (BIA):
BIA is a thorough evaluation of the potential implications of a loss of an important function and gathers the
necessary information to establish recovery plans to help restart operations rapidly.
d) Comprehensive emergency management plan (CEMP):
A CEMP is a detailed emergency management plan designed to ensure that natural and man-made threats are
responded to and recovered from appropriately. A CEMP is distinct from a business continuity plan. A CEMP
provides advice shortly before or after an emergency about what to do. Regardless of the incident, a business
continuity plan helps to mitigate the effect on VCU's business processes and helps to return to normal operations
as quickly as possible after the emergency.
e) Continuity of operations plan (COOP):
A COOP is an older planning term for business continuity planning. A COOP is similar to a BCP in that both are
created to help the organization recover from a disaster, but businesses tend to use the term business continuity
planning, while continuity of operations planning is used more by federal, state, and local governments.
f) Critical functions:

Critical functions are those essential to the life, health, safety and security of the campus community.
During an event, these functions must continue at a normal or increased pace. The life, health, safety and
security functions never shut down and always involve people on campus.
g) Mission essential functions (MEFs):
MEFs are facilities, programs or activities which are required for the university's ongoing business and which, if
they were to be discontinued for an extended period of time, would directly impact the development, distribution
and preservation of information. The primary services, initiatives, or tasks undertaken by a department are basic
departmental functions. They are a department's main operations. Stopping them for a prolonged period of time
would have a direct impact on the department's performance.
h) Recovery time objectives (RTO):
RTO is the maximum period of time that a particular business function or resource can be unavailable before
causing a major interruption of operations. It is often referred to as the maximum permissible downtime.

Figure 9: BCP Lifecycle