
Unit 5 - Assignment 2 Frontsheet - Security


ASSIGNMENT FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Tran Van Khoi Student ID BH00082

Class IT0501 Assessor name Le Van Thuan

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand
that making a false declaration is a form of malpractice.

Student’s signature

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D3

A. Introduction

Hello teacher. My name is Tran Van Khoi, currently studying in class IT0501 of BTEC FPT British College. I
will present my ASM 2 post here. The main body of the article includes the following sections:

+ Discuss risk assessment procedures.

+ Explain data protection processes and regulations as applicable to an organization.

+ Design and implement a security policy for an organization.

+ List the main components of an organisational disaster recovery plan, justifying the reasons for
inclusion.

B. Content

I. Discuss risk assessment procedures. (P5)

1. Define Risk

Definition: Risk implies future uncertainty about deviation from expected earnings or expected outcome.
Risk measures the uncertainty that an investor is willing to take to realize a gain from an investment.

Description: Risks are of different types and originate from different situations. We have liquidity risk,
sovereign risk, insurance risk, business risk, default risk, etc. Various risks originate due to the
uncertainty arising out of various factors that influence an investment or a situation.

Figure 1: Risk

2. Define Risk assessment

- A risk assessment is a systematic process that involves identifying, analyzing and controlling hazards
and risks. It is performed by a competent person to determine which measures are, or should be, in
place to eliminate or control the risk in the workplace in any potential situation.

- Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with
multiple steps that intends to identify and analyze all of the potential risks and issues that are
detrimental to the business. This is an ongoing process that gets updated when necessary. These
concepts are interconnected and can be used individually.

- Identifying hazards through the risk assessment process is a key element in ensuring the health and
safety of your employees and customers. OSHA requires businesses to conduct risk assessments.
According to OSHA regulations, assessing hazards or potential risks determines the personal
protective gear and equipment a worker may need for the job. Guidelines are available for
different industries, since the types of possible risks vary; agribusiness is an example of this.
Unique risks for this industry include manure storage, tractor operation, and animal handling, behavior,
and health.

Figure 2: Risk Analysis

* When Do You Perform a Risk Assessment?

Beyond complying with legislative requirements, the purpose of a risk assessment is to eliminate
operational risks and improve the overall safety of the workplace. It is the employer's responsibility to
perform a risk assessment when:

• new processes or steps are introduced in the workflow;
• changes are made to existing processes, equipment, and tools; or
• new hazards arise.

Risk assessments are also performed by auditors when planning an audit procedure for a company.

* Examples

Risk assessments are essential to identify hazards and risks that may potentially cause harm to workers.
There are a variety of risk assessments used across different industries, tailored to specific needs and
control measures. Here are common risk assessment examples:

• Health and Safety Risk Assessment – a type of risk assessment used by safety managers to
determine health and safety risks associated with the job, work environment, and current
processes. Hazards can be identified as biological, chemical, energy, environmental, and the like.

• Workplace Risk Assessment – performed by office managers and school administrators, this tool
helps ensure that a workplace is free from health and safety threats. This assessment also helps
boost employee morale and productivity.

• Fall Risk Assessment – performed by nursing staff of aged care units or centers to evaluate the
possibility of falling. This checklist ensures that the facilities, equipment, and other factors are
safe for elderly patients.

• Construction Risk Assessment – a vital assessment used on construction sites to help safety
teams implement corrective measures and stakeholders comply with safety regulations.

* Steps to risk assessment:

- There are 5 steps to risk assessment that you have to know. The details of these steps of the risk
assessment procedure (P5) are given below, under the risk identification steps.

+ 1st step: Identify hazards (anything that may cause harm)

+ 2nd step: Decide who might be harmed and how

+ 3rd step: Assess the risks and take action

+ 4th step: Make a record of the findings

+ 5th step: Review the risk assessment

3. Asset and threat identification procedures

3.1. Asset and threat

a. Definition of asset

An asset is any data, device or other component of an organisation’s systems that is valuable –
often because it contains sensitive data or can be used to access such information.

For example, an employee’s desktop computer, laptop or company phone would be considered
an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and
support systems, are assets.

An organisation’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.

A related concept is the ‘information asset container’, which is where that information is kept. In
the case of databases, this would be the application that was used to create the database. For physical
files, it would be the filing cabinet where the information resides.

b. Definition of threat

A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked
offline or accessed by an unauthorised party.

Threats can be categorised as circumstances that compromise the confidentiality, integrity or
availability of an asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical malfunction or an
event that causes physical damage, such as a fire or natural disaster.

3.2. Threat identification procedure

The method of identifying threats is a way of collecting data on possible threats that can assist
management in identifying information security risks. A systematic methodology that helps an
organization to aggregate and measure possible threats is threat modeling. Institutions should consider
using threat modeling to better understand the existence, frequency, and complexity of threats;
determine the institution's vulnerability to information security threats; and apply this awareness to the
information security program of the institution.

The identification of threats covers the sources of threats, their capabilities, and their objectives.
It involves the following actions:

- Identify and assess threats.
- Use threat knowledge to drive risk assessment and response.
- Design policies to allow immediate and consequential threats to be dealt with expeditiously.

4. Risk assessment procedure and risk identification steps

Risk assessment is an essential part of any project. A risk assessment is a systematic process that
identifies and evaluates risks in the workplace. A well-conducted risk assessment can help create
awareness of hazards in your work environment; identify who may be at increased personal risk
(employees, visitors, contractors); establish controls for those identified risks; and determine whether
existing control measures have been adequate or whether more should be done so that injury does not
occur during potentially hazardous activities.

Figure 3: Risk assessment

* How to conduct a risk assessment

There are 5 steps to conduct a risk assessment:

• Identify the hazard.
• Assess the risk.
• Put controls/safeguards in place.
• Re-assess the risk with controls in place.
• Confirm the reduced risk.

a. Identify the hazard

- Hazard identification is the process of identifying all hazards present in your work environment.

- Four risk categories are used to rate the hazards identified: Extreme, High, Moderate, and Low.

Figure 4: Identify the hazard.

b. Assess the risk

Once you have identified what hazards may be present, decide how likely it is that someone could
be harmed by them and, if so, to what extent. This is assessing the level of risk for your business premises
or workplace environment with regard to those potential hazards. Decide: who might be harmed; what
action you are already taking to reduce the chance of this harm happening (control measures); what
further steps are needed; who will carry out this necessary action; and when they need to do it by.

Two aids used at this step:

+ Risk matrix (risk assessment matrix)

+ Guidelines for assessing severity

c. Put controls/safeguards in place

In order to ensure that risks are eliminated as far as possible, any potential hazards or dangers must be
identified and evaluated. This helps determine the best way of handling them – whether by eliminating
their source completely or by controlling how they affect the people most at risk (e.g., through
engineering controls).

d. Re-assess the risk with controls in place

If you are already doing something about a hazard in your workplace, ask yourself whether there are
ways to control or reduce the risk further so that harm is unlikely. Ask these questions: Can I get rid of
this hazard altogether? If not, can I at least find a way to make it less hazardous? Consider some options
for controlling risk levels and then act on them, with training where necessary.

e. Confirmation of reduced risk

Confirmation of reduced risk is a must. The best way to know whether you are reducing your risks at work
is by reviewing the controls in place and their effectiveness on a regular basis.
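The five steps above (identify the hazard, assess the risk, put controls in place, re-assess, confirm the reduction) carried through as a small risk register, as an added example that is not part of the original assignment. The Extreme/High/Moderate/Low categories are the ones named in the text; the 1 to 5 likelihood and severity scales, the score thresholds and the sample hazards are assumptions made for illustration.

```python
"""Added example (not part of the original assignment): a small risk register
that walks the five-step procedure: identify the hazard, assess it, put a
control in place, re-assess with the control, and confirm the reduced risk.
The Extreme/High/Moderate/Low categories come from the text; the 1..5 scales,
the score thresholds and the sample hazards are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional

CATEGORIES = ["Low", "Moderate", "High", "Extreme"]  # least to most severe


def categorise(likelihood: int, severity: int) -> str:
    """Assumed 5x5 risk matrix: score = likelihood * severity, each on 1..5.
    Thresholds (>=15 Extreme, >=10 High, >=5 Moderate) are an assumption."""
    for value in (likelihood, severity):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and severity must be between 1 and 5")
    score = likelihood * severity
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass
class Control:
    description: str
    likelihood_after: int  # ratings re-assessed with the control in place
    severity_after: int
    owner: str
    due: str


@dataclass
class Hazard:
    asset: str
    threat: str
    who_is_harmed: str
    likelihood: int
    severity: int
    control: Optional[Control] = None

    def inherent(self) -> str:
        """Step 2 (assess): the risk level before any new control."""
        return categorise(self.likelihood, self.severity)

    def residual(self) -> str:
        """Step 4 (re-assess): the risk level with the control in place."""
        if self.control is None:
            return self.inherent()
        return categorise(self.control.likelihood_after, self.control.severity_after)

    def reduction_confirmed(self) -> bool:
        """Step 5 (confirm): true only if the category actually dropped. A control
        that leaves the category unchanged is flagged for review, not accepted."""
        return CATEGORIES.index(self.residual()) < CATEGORIES.index(self.inherent())


def record_findings(register: List[Hazard]) -> List[dict]:
    """Record of findings: one row per hazard, most severe inherent risk first."""
    rows = []
    for h in sorted(register, key=lambda h: -CATEGORIES.index(h.inherent())):
        rows.append({
            "asset": h.asset,
            "threat": h.threat,
            "who": h.who_is_harmed,
            "inherent": h.inherent(),
            "action": h.control.description if h.control else "none (risk accepted)",
            "owner": h.control.owner if h.control else "-",
            "residual": h.residual(),
            "confirmed": h.reduction_confirmed(),
        })
    return rows


def sample_register() -> List[Hazard]:
    """Constructed hazards for a small office; values are illustrative only."""
    return [
        Hazard("File server", "Ransomware infection", "All staff, customers", 4, 5,
               Control("Isolated offline backups; monthly patching", 2, 3, "IT lead", "30 days")),
        Hazard("Staff laptops", "Loss or theft off-site", "Customers (personal data)", 3, 4,
               Control("Full-disk encryption; remote wipe", 3, 2, "IT lead", "14 days")),
        Hazard("Server room", "Power outage", "All staff", 3, 3,
               Control("UPS covering 30 minutes", 3, 2, "Facilities", "60 days")),
        Hazard("HR database", "Unauthorised read by insider", "Employees", 2, 2),
    ]


if __name__ == "__main__":
    for row in record_findings(sample_register()):
        # A Low residual risk with no control is accepted; anything else that did
        # not drop a category goes back to step 3 for a stronger control.
        flag = "OK" if row["confirmed"] or row["residual"] == "Low" else "REVIEW"
        print(f"[{flag}] {row['asset']}: {row['inherent']} -> {row['residual']} ({row['action']})")
```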

* What is the purpose of a risk assessment?

The purpose of a risk assessment process is to evaluate hazards, then remove each hazard or minimize
its level for employees by adding the necessary control measures. With this done you have created a
safer workplace with healthier workers.

Every day, employees take risks in the workplace. These risks could range from a slip-and-fall to an
electric shock, no matter what industry they work in or where their job is located. To help minimize
these incidents and bring safety awareness to all staff members at your company, it is important to
conduct regular risk assessments.

II. Explain data protection processes and regulations as applicable to an organisation. (P6)

1. Define data protection

- Data protection is the process of protecting sensitive information from damage, loss, or
corruption.

- The amount of data being created and stored has increased at an unprecedented rate, making data
protection increasingly important. In addition, business operations increasingly depend on data, and
even a short period of downtime or a small amount of data loss can have major consequences for a
business.

Therefore, most data protection strategies have three key focuses:

• Data security – protecting data from malicious or accidental damage

• Data availability – quickly restoring data in the event of damage or loss

• Access control – ensuring that data is accessible to those who actually need it, and not to anyone
else

Figure 5: Data protection

2. Data protection process with relation to the organization

* Principles of Data Protection

- The basic tenet of data protection is to ensure data stays safe and remains available to its users
at all times. These are the two key principles of data protection: data availability and data management.

- Data availability ensures users can access the data they need to do business, even if the data is
corrupted or lost.

- Data management encompasses two main areas of data protection:

• Data lifecycle management – automatically distributes important data to online and offline
storage, depending on its context and sensitivity. In today’s big data environment, this includes
methods of identifying valuable data and helping the business derive value from it, by opening it
for reporting, analytics, development, and testing.

• Information lifecycle management – assesses, classifies, and protects information assets to
prevent application and user errors, malware or ransomware attacks, system crashes or
malfunctions, and hardware failures.

* Enterprise Data Protection Trends

The latest trends in data protection policy and technology include the following:

• Hyper-Convergence

With the advent of hyper-converged systems, vendors are introducing devices that can provide backup
and recovery in one device that integrates compute, networking, and storage infrastructure.
Hyper-converged systems are replacing many devices in the traditional data center, and providing
cloud-like capabilities on-premises.

• Ransomware Protection

Ransomware is a type of malware that infects a system, encrypts its data, and demands a ransom fee to
release it. Traditional backup methods are useful for protecting data from ransomware. However, new
types of ransomware are able to infect backup systems as well, rendering them useless. This makes it
very difficult to restore the original version of the data.

To solve this problem, new backup solutions are designed to be completely isolated from the corporate
network, and use other measures, like data encryption at rest, to prevent ransomware from infecting
backups.

• Disaster Recovery as a Service

Disaster Recovery as a Service (DRaaS) is a cloud-based solution that allows an organization to create a
remote copy of local systems or even an entire data center, and use it to restore operations in case of
disaster. DRaaS solutions continuously replicate data from the local data center to provide a low
recovery time objective (RTO), meaning they can spring into action within minutes or seconds of a
disastrous failure.

• Copy Data Management (CDM)

CDM solutions simplify data protection by reducing the number of copies of data stored by the
organization. This reduces overhead, maintenance, and storage costs. Through automation and
centralized management, CDM can accelerate development lifecycles and increase the productivity of
many business processes.

* The guidelines for data protection specify how information shall be treated in accordance with the
following principles:

• Fair and Legal Processing: The gathering and use of personal information must not unreasonably
invade the data subject's privacy or unreasonably interfere with the integrity of the legal system, and
must conform with the overall structure of the law.
• Personal information will only be gathered and used with the consent of the data subject, who has
given his unambiguous approval for its processing.
• Personal information must only be acquired for specific, authorized, and legitimate objectives
and not processed in a manner that conflicts with the reasons for which the data were gathered.
• Minimality: Only the least amount of personal data is collected and processed in order to fulfill
the intended purpose. This includes keeping personal information on file only for as long as is
required to fulfill the intended purpose.
• Minimal Disclosure: Only under specific circumstances may personal information be disclosed to
third parties.
• Information Quality: For the purposes for which they are gathered and processed, personal data
must be accurate, relevant, and comprehensive.
• Data Subject Control: The data subject must be able to monitor and affect how his personal
information is processed.
• Sensitivity: Protection measures more severe than usual must be taken when processing personal
data that are very sensitive for the data subject.
• Information Security: When processing personal data, care must be taken to ensure a level of
security commensurate with the risks involved and the nature of the data.

3. Why are data protection and regulation important?

Data protection is important since it protects an organization's information from fraudulent
activities, hacking, phishing, and identity theft. Any organization that wants to work effectively needs to
ensure the safety of its information by implementing a data protection plan. As the amount of data
stored and created increases, so does the importance of data protection. Data breaches and
cyberattacks can cause devastating damage. Organizations need to proactively protect their data and
regularly update their protective measures.

* Key Elements of Data Protection

- One very important data protection model is the CIA triad, where the three letters of the name
represent the three elements of data protection: confidentiality, integrity, and availability. This model
was developed to help individuals and organizations develop a holistic approach to data protection. The
three elements are defined as follows:

• Confidentiality: The data is retrieved only by authorized operators with appropriate credentials.

• Integrity: All the data stored within an organization is reliable, precise, and not subject to any
unjustified changes.

• Availability: The data stored is safely and readily available whenever needed.

* Data Protection Best Practices

There are different data protection management practices. Some of the most commonly used include:

• Data loss prevention (DLP): A set of tools and processes used to secure data from theft, loss,
misuse, deletion, or other illegal or inappropriate forms of contact.

• Firewalls: Tools used for monitoring and filtering network traffic to ensure data is transferred
or accessed only by authorized users.

• Encryption: Altering the content of data based on an algorithm that can be reversed only with the
right encryption password or key. Encryption protects data even if it gets stolen, since the data would
be unreadable.

• Data erasure: Deleting data that is no longer needed or relevant. This is also a requirement of the
GDPR.

• Data resiliency: Building resilient systems within the software and hardware of an organization’s
system to ensure security in case of natural disasters or power outages.

• Data backups: A plan to securely back up data in case of failure or breach. Such backup plans may
include a separate physical disk or the cloud.

Figure 6: Data protection

III. Design and implement a security policy for an organisation. (P7)

1. Define and discuss what a security policy is

1.1. Definition of security policy

- A policy is a document that outlines specific requirements or rules that must be met.

• It has the characteristics listed on page 393 of the text.

• It is the correct vehicle for an organization to use when establishing information security.

• A standard is a collection of requirements specific to the system or procedure that must be met
by everyone.

• A guideline is a collection of suggestions that should be implemented.

- Types of Security Policies

+ "Security policy" is an umbrella term for all of the subpolicies included within it.

+ In this section, you examine some common security policies:

• Acceptable use policy

• Human resource policy

• Password management policy

• Privacy policy

• Disposal and destruction policy

• Service-level agreement

* Acceptable Use Policy

• Defines what actions users of a system may perform while using computing and networking
equipment

• Should have an overview regarding what is covered by this policy

• Unacceptable use should also be outlined

* Human Resource Policy

• Policies of the organization that address human resources

• Should include statements regarding how an employee’s information technology resources will
be addressed

* Password Management Policy

• Although passwords often form the weakest link in information security, they are still the most
widely used

• A password management policy should clearly address how passwords are managed

• In addition to controls that can be implemented through technology, users should be reminded
of how to select and use passwords

* Privacy Policy

• Privacy is of growing concern among today’s consumers

• Organizations should have a privacy policy that outlines how the organization uses the information
it collects

* Disposal and Destruction Policy

• A disposal and destruction policy that addresses the disposal of resources is considered
essential

• The policy should cover how long records and data will be retained

• It should also cover how to dispose of them

* Service-Level Agreement (SLA) Policy

• Contract between a vendor and an organization for services

• Typically contains the items listed on page 403

2. Examples of policies

Policies are also known as mini-mission statements; they are formulated by top management to serve
as guidelines for taking quick and rational decisions regarding the day-to-day operational activities of
the company.

Policies affect the internal structure and routine activities of the entity, which require periodic
decision making. They are generally in the form of a concise statement. While crafting the policies of
the organisation, some points are to be taken into consideration:

• They must be based on past experience, facts, and knowledge.

• People who are going to be influenced by these policies must actively participate at the time of
framing them.

• They need to be modified along with modifications in the operations of the entity.

• They should be versatile and completely acceptable to the people.

Policies are an integral part of a big organisation and help in its smooth functioning. They
provide some common parameters over which the management can take consistent decisions over a
long period.

Examples:

• Recruitment policy
• Credit policy
• Mark-up policy
• Privacy policy
• Payment policy
• Access control policies say which employees can access which resources.
• Change management policies provide procedures for changing IT assets so that adverse
effects are minimized.
• Disaster recovery policies ensure business continuity after a service disruption. These policies
typically are enacted after the damage from an incident has occurred.
• Incident response policies define procedures for responding to a security breach or incident
as it is happening.

3. The elements of a security policy

An information security policy, sometimes known as a cybersecurity policy or data security policy,
is a set of rules and procedures that keeps an organization's data secure. A business usually designs its
information security policies to ensure its users and networks meet the minimum criteria for information
technology (IT) security and data protection.

Figure 7: The elements of a security policy

Some of the key elements of designing an organizational information security policy include the following:

- Designing a security policy is the logical next step in the security policy cycle.

- After risks are clearly identified, a policy is needed to mitigate what the organization decides are the
most important risks.

- When designing a security policy, you can consider a standard set of principles. These can be divided
into what a policy must do and what a policy should do.

- Security policy design should be the work of a team and not one or two technicians.

- The team should have these representatives:

• Senior-level administrator

• Member of management who can enforce the policy

• Member of the legal staff

• Representative from the user community

IV. List the main components of an organisational disaster recovery plan, justifying the reasons for
inclusion. (P8)

1. Discuss with explanation about business continuity

- Business continuity is the advance planning and preparation undertaken to ensure that an
organization will have the capability to operate its critical business functions during emergency events.
Events can include natural disasters, a business crisis, a pandemic, workplace violence, or any event that
results in a disruption of your business operation. It is important to remember that you should plan and
prepare not only for events that will stop functions completely but also for those that have the potential
to adversely impact services or functions.

- BC covers the planning and preparation needed to ensure an organization will have the
capability to perform its critical business functions during emergency events. It identifies, plans for,
and/or creates:

• How to communicate with customers, vendors and other third parties to ensure you are
providing good information and support.

• How to ensure services or products can still be provided to customers.

• The order and timing required to restore business processes.

• How to support employees during an emergency event.

• The required technology to support the business functions (disaster recovery – or DR – will
implement recovery solutions for technology).

• Workaround processes to use when technology is not available.

• Where and how to relocate people and processes in the event business locations are impacted or
not available.

• The teams and organization that will be necessary to manage emergency events.

• Business process dependencies (what, or who, each business process relies upon in order to
do its work).

• Regular exercises to validate that plans and actions meet requirements and will be functional in
an actual event.

• How to ensure staffing levels will be adequate during an event for both external and internal needs.

• Documentation of the steps and actions to take during an event to accomplish the items above.

* The BCM Process

To get started, consider performing the following steps.

• Assessment: The first step to a successful planning process is to make sure that you have a
thorough understanding of what is, and is not, critical to your organization. You can (and should)
perform a Business Impact Analysis (BIA) and a Threat & Risk Assessment to guide you. Without
understanding your organization’s processes, how critical those processes are, and the threats
and risks inherent in your operations, you cannot effectively develop appropriate plans and
strategies.

• Business Recovery: The purpose of business recovery planning is to ensure that your critical
business processes can be recovered in the event of an emergency. Your plan will document the
actions, including temporary workarounds, that will be necessary to keep critical functions
operational until IT applications, systems, facilities, or personnel are again available.

• IT Recovery: IT recovery planning refers to the development of plans and strategies for the
recovery of your technology, including actions that will be necessary to restore critical IT
applications and systems.

• Crisis Management: Crisis Management refers to a specific plan that details how your
organization will manage a crisis event, as well as to an internal organizational unit (the Crisis
Management Team) that will manage that event.

Figure 8: The BCM Process

2. Recovery plan

Disaster recovery (DR) is the ability of an organisation that is disrupted by a disaster or an emergency to
provide important information technology (IT) and telecommunication capability for a pre-determined
period of time.

DR helps to resume the disrupted IT and telecommunication capabilities to ensure that the
business can continue within planned levels of disruption. Thus, the creation of a disaster recovery plan
is vital for the success and safety of any business. The following is a discussion of the importance of a
Disaster Recovery Plan, the elements that make up a DRP, and six critical steps required to create a
successful one.

a. The importance of a disaster recovery plan

A disaster recovery plan can prevent your organisation from going out of business. According to the
U.S. Federal Emergency Management Agency (FEMA), 40 per cent of organisations never recover from a
natural disaster. Even if your company stays afloat, the consequences of a major disaster may include:

• Damaged reputation

• Loss of data

• Loss of revenue

• Instability

• Reduced employee productivity (Mulligan, 2020)

The use of a DRP can improve the overall business process through the use of advanced technology
to make systems more consistent and less disruptive. It also provides higher-quality services, both for
the company itself and for its supply-chain partners and customers.

b. Elements of a disaster recovery plan

- A disaster recovery plan (DRP) is a highly organised, documented strategy that “describes how an
organisation can quickly resume work after an unplanned incident”. It is an essential part of a business
continuity plan (BCP), assisting the company in the recovery of system functionality and lost data so
that everything can perform properly in the aftermath of an incident.

Some types of disasters that organisations can plan for include:

• Application failure

• Communication failure

• Data centre disaster

• Building disaster

• Citywide disaster

• Regional disaster

• National disaster

• Multinational disaster

Recovery strategies define an organisation's plans for responding to an incident, while disaster recovery
plans describe how the organisation should respond. Recovery plans are derived from recovery
strategies. In determining a recovery strategy, organisations should consider such issues as:

• Facilities
• Management's position on risks
• Technology budget
• Insurance coverage
• Resources – people and physical
• Data
• Suppliers
• Compliance requirements

3. Steps involved in creating a disaster recovery plan


There are several guidelines that one can follow to create a DRP, such as a list of hardware and software
ranked in order of priority, a list stating who is responsible for what, and the identification of backup
employees. Additionally, one should always test their DRP regularly to ensure that it is as best as it could
be. Furthermore, there are several steps required to create a successful DRP.

 Create an inventory list

Every company should know exactly which IT resources—systems, hardware, and software—are used to
run the business. In addition to a simple inventory management system, it can be helpful to add different
scenarios to your IT disaster recovery plan. Ask yourself, which systems would be affected in the event of
a flood, hurricane, fire, or power outage on your premises?

 Establish a recovery timeline

Once you’ve documented your IT inventory, you can decide on the acceptable recovery goals and
timeframes by which certain systems need to be back in operation. Industries such as healthcare may
have a recovery timeline of mere minutes, while other industries may find longer timelines to be
tolerable.

 Communication

Before a disaster strikes, get information from key stakeholders. Everyone should understand which IT
operations are potentially affected, what would happen next, and who would be responsible for
resolving the issues. Ask employees how their work would be impacted if certain systems or networks
were unavailable for a while. You should also create a plan for communicating with your staff in the
event of a power or Internet outage.

 Back up your data

Your options for data backups include cloud storage, internal off-site data backups, and vendor-supported
backups. Keeping backups only on-premises is not acceptable, because a natural disaster that hits the site
can destroy the backups along with the systems they protect. Both physical and cloud backups have their
risks. Working with a trusted managed services partner can help you weigh the issue and decide which
option is better for your circumstances.

Data backup and recovery should be an integral part of the business continuity plan and the information
technology disaster recovery plan. Developing a data backup strategy begins with identifying what data
to back up, then selecting and implementing hardware and software backup procedures, scheduling and
conducting backups, and periodically validating the backed-up data to ensure it has been properly stored.

 Consider insurance

Purchasing catastrophe insurance as part of a disaster recovery plan can be an interesting option if
you’re worried about the costs of recovery. This means not just replacing your IT equipment, but
examining the broader consequences and losses following a disaster. If this idea appeals to you, please
consult with an insurance professional.

 Test your disaster recovery plan

Your IT disaster recovery plan should be tested at least once, and preferably twice, per year. After not
testing their plan for several years, one of our clients discovered that all of their drives failed to restore.
If this had occurred during a real disaster, the data would have been lost forever. Any gaps that you
identify during these tests should be documented extensively for further investigations and mitigations.
Figure 9: Steps involved in creating a disaster recovery plan
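The "Back up your data" and "Test your disaster recovery plan" steps above both come down to one check: can the data that was written to the backup set be restored intact, and are the gaps recorded? The script below is an added example (not part of this assignment or of the sources it cites) of how that check can be automated. It backs up a directory while recording a SHA-256 manifest, restores the set to a fresh location, and then compares every restored file against the manifest, so a file that was silently truncated or never written is reported as a gap instead of being discovered during a real disaster. The directory layout and the sample files are constructed for the example; a real DRP test would point `create_backup` at the inventoried systems' data and `verify_restore` at the restore target.

```python
"""Backup manifest creation and restore verification.

Added example: it assumes a simple file-based backup set and constructs its own
sample data in a temporary directory so it runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and write a manifest of SHA-256 hashes.

    The manifest is the evidence later used to prove a restore is complete; it is
    stored with the backup so a test can run without access to the original source.
    """
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            manifest[rel] = sha256_file(path)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored directory against the manifest.

    Returns a list of (relative path, reason) gaps: files that are missing, or whose
    content no longer matches the hash recorded when the backup was taken.
    """
    gaps = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            gaps.append((rel, "missing"))
        elif sha256_file(path) != expected:
            gaps.append((rel, "hash mismatch"))
    return gaps


def run_restore_test() -> dict:
    """Simulated DR test: back up constructed data, restore it, verify, report gaps.

    Two failure modes (one file truncated on restore, one never restored) are injected
    deliberately so the verification step has something to find, as a real test might.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restored = root / "source", root / "backup", root / "restored"
        source.mkdir()
        # Constructed sample data standing in for the inventoried systems' files.
        (source / "db").mkdir()
        (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (source / "config.ini").write_text("[app]\nmode=production\n")
        (source / "notes.txt").write_text("Recovery contacts: see DRP appendix\n")

        manifest = create_backup(source, backup)

        # Restore: copy the backup set back, leaving the manifest itself out.
        shutil.copytree(backup, restored, ignore=shutil.ignore_patterns("manifest.json"))

        # Inject the failures a test without verification would miss.
        (restored / "db" / "orders.sql").write_text("INSERT INTO orders")  # truncated write
        (restored / "notes.txt").unlink()                                  # never restored

        gaps = verify_restore(manifest, restored)
        return {"files_backed_up": len(manifest), "gaps": gaps}


if __name__ == "__main__":
    result = run_restore_test()
    print(f"{result['files_backed_up']} files in backup set")
    for rel, reason in result["gaps"]:
        print(f"GAP {rel}: {reason}")
```

The list returned by `verify_restore` is the material the text says should be "documented extensively": each entry names the file and whether it was absent or altered, which is what the follow-up investigation needs. Running the whole test on a schedule (the text suggests once or twice a year) rather than once is what catches media that degrades or a restore job that quietly stopped working.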

4. The policies and procedures that are required for business continuity.
A business continuity policy is the set of standards and guidelines an organization enforces to
ensure resilience and proper risk management. Business continuity policies vary by organization and
industry and require periodic updates as technologies evolve and business risks change.

The goal of a business continuity policy is to document what is needed to keep an organization
running on ordinary business days as well as in times of emergency. When the policy is well-defined and
clearly adhered to, the company can set realistic expectations for business continuity and disaster
recovery (BC/DR) processes. The policy can also be used to determine what went wrong so the problems
can be addressed. Ultimately, a business continuity policy is created and enforced at the organization's
discretion, following its industry and compliance requirements.

Common metrics in a policy may include key performance indicators (KPIs) and key risk indicators
(KRIs). KPIs are used by corporate executives and managers to analyze the crucial functions and processes
required to meet goals and performance targets. KRIs measure the likelihood of an event affecting the
company; these help with planning risk management.

The International Organization for Standardization and the British Standards Institution issue
common business continuity standards. These standards are occasionally updated, so changes should be
monitored.

A risk assessment is a reliable method of identifying potential threats and determining their
likelihood. A risk assessment identifies potential hazards and provides ways to reduce their impact on
the business. Like business continuity policies, risk assessments differ between organizations, but they
follow these general steps:

 Identify the hazards;

 Determine what or who could be harmed;

 Evaluate the risks and create control measures;

 Record the findings;

 Review and update the assessment.

Along with a risk assessment, conducting a business impact analysis (BIA) can help form the
backbone of a business continuity policy. A BIA determines the effects of a potential disaster on an
organization by finding existing vulnerabilities. Though similar to a risk assessment, a BIA often takes
place first, and focuses primarily on the business impact and meeting recovery time and recovery point
objectives.

An emergency management plan is a document that helps to lessen the damage of a hazardous
event. Proper business continuity planning includes emergency management as an important
component. The appointed emergency management team takes the lead during a business disruption.

An emergency management plan, like a BCP, should be reviewed, tested and updated regularly. It
should be fairly simple and provide the steps needed to get through an event. The plan also should be
flexible, because situations are often fluid. Teams involved in the event of a disaster should
communicate frequently during the incident.

Figure 10: business impact analysis (BIA)

Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR
plan is reactive, as it details how an organization recovers after a business disruption. A business
continuity plan is a proactive approach that describes how an organization can maintain business
operations during an emergency.

C. Conclusion
I have finished my ASM presentation. In this ASM I have outlined what I understand about risk, assessed risk, and
discussed the key components of disaster recovery, the steps needed to design a strategy, and much
more. All of it is related to the post. Thank you.

D. Research

https://safetyculture.com/topics/risk-assessment/

https://economictimes.indiatimes.com/definition/risk

https://www.safetynotes.net/risk-assessment/

https://www.imperva.com/learn/data-security/data-protection/

https://pecb.com/article/why-is-data-protection-important

https://www.techtarget.com/searchsecurity/definition/security-policy

https://www.mha-it.com/2017/08/01/what-is-business-continuity/

https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-policy
