Unit 7
Assignment 2
Pass Work (P4)
Security problems and guidelines
Disaster recovery policies
Disaster recovery policies state what actions are to be taken in an event whereby the
organisation has been impacted by a disaster [for more information on likely disasters its
effect of organisations refer to Unit 7 Assignment 1].
The disaster recovery policy will likely include the procedures for data relocation, use of
alternative sites, the hiring of additional of staff and equipment.
Typically organisations will be supported by appropriate levels of insurance to fund the
organisations recovery from the disaster.
If disaster recovery policies are not in place and a disaster occurs the organisation will have
a prolonged downtime and their reputation may be impacted [from losing the customer’s
information and data].
Updating of security procedures
Updates and reviews of security procedures should be carried out periodically, it is essential
to check the security policies for currency and to compare the policy against current
knowledge and new threats.
Both security and computer systems require frequent updating as advancements in security
[and threats] are being produced at a rapid pace, the updates which may need to be
implemented by the organisations systems security may have an impact on the
organisations current established system.
Typically the updates will need to be tested by the staff [who are responsible for the up
keeping of the organisation systems security] prior to being released across the entire
organisation.
Scheduling of security audits
Security audits of physical and networked systems will need to be carried out regularly
ensuring the current system is working as expected [and has no issues], typically the security
audits are carried out without the employees knowing when they’re going to be done -
proving the effectiveness of the systems in place.
Within network management, an audit of database and network logs provide a detailed look
upon the recurring issues – this can be used to highlight the organisations existing threats.
The audit is often combined with penetration testing, simulating a hacker or denial of
service attack to establish the soundness of the existing systems.
Some organisations will go as far as to employ staff with the prime objective of breaking
into the building to ensure their physical security put in place is adequate.
Codes of conduct
1|Page
Matthew Lloyd-Jones
,Unit 7
Assignment 2
Code of conducts are created to ensure the personnel who require access to a system are
legally binded to not take advantage of their access.
Employees are expected to sign, agree and adhere to the code of conduct which states on it
a variety of policies – the policies ensure the systems users will abide by rules which suit the
organisation and its security needs.
Organisations typically will include the following policies [in some form] within their code of
conduct:
Email usage policy - This governs what subjects are deemed acceptable in the
sending of emails, the policy usually defines the acceptable size of attachments to be
sent and gives details as to the unacceptable activities such as sending data and
information to the organisations competitor.
Internet usage policy - employees will usually have restricted access online –
ensuring employees are doing their work rather than playing games online or
accessing their social media accounts. The policy will also state what cannot be
downloaded online.
Software acquisition and Installation policy – these policies are put in place to
prevent personal and unlicensed software from being installed into the system, upon
this it ensures there is no duplication of software. By having these policies in place
compatibility issues and potential malware from accessing the system are prevented.
Surveillance policies
Placing surveillance cameras [or an alternative piece of surveillance equipment] around the
work place within an organisation may cause unrest to the employees. Surveillance and
monitoring policies must clearly be defined to the employees and they must then agree to
the policy. The policy would include information such as, the reasons for the surveillance,
where it will be placed and what type of surveillance equipment is going to be used.
Risk management
Predicting possible issues and measuring the potential damage which can be caused to the
organisation [as a result of these issues] is essential in creating a strategy to minimise [or
eliminate] all threats to an organisation.
In managing the risks, organisations may decide to:
Tolerate the potential risk and waste no time in coming up with a solution
Minimise the likelihood of the risk occurring – for example purchasing an add-on
anti-virus software.
Terminate the risk – stopping the virus.
Transfer the risk by adapting the approach of the organisation.
Budget setting
Budget setting and the management of finances is essential in ensuring the organisation
does not overspend. It is of great importance to maintain an acceptable level of security
2|Page
Matthew Lloyd-Jones
, Unit 7
Assignment 2
within an organisation and in budgeting for organisational systems security you will need to
consider the following: The replacement of redundant equipment and software versions,
the cost of each audit, the training of staff, software licencing, the procurement of external
consultation and support, the staff wages relating to organisational systems security.
3|Page
Matthew Lloyd-Jones
Assignment 2
Pass Work (P4)
Security problems and guidelines
Disaster recovery policies
Disaster recovery policies state what actions are to be taken in an event whereby the
organisation has been impacted by a disaster [for more information on likely disasters its
effect of organisations refer to Unit 7 Assignment 1].
The disaster recovery policy will likely include the procedures for data relocation, use of
alternative sites, the hiring of additional of staff and equipment.
Typically organisations will be supported by appropriate levels of insurance to fund the
organisations recovery from the disaster.
If disaster recovery policies are not in place and a disaster occurs the organisation will have
a prolonged downtime and their reputation may be impacted [from losing the customer’s
information and data].
Updating of security procedures
Updates and reviews of security procedures should be carried out periodically, it is essential
to check the security policies for currency and to compare the policy against current
knowledge and new threats.
Both security and computer systems require frequent updating as advancements in security
[and threats] are being produced at a rapid pace, the updates which may need to be
implemented by the organisations systems security may have an impact on the
organisations current established system.
Typically the updates will need to be tested by the staff [who are responsible for the up
keeping of the organisation systems security] prior to being released across the entire
organisation.
Scheduling of security audits
Security audits of physical and networked systems will need to be carried out regularly
ensuring the current system is working as expected [and has no issues], typically the security
audits are carried out without the employees knowing when they’re going to be done -
proving the effectiveness of the systems in place.
Within network management, an audit of database and network logs provide a detailed look
upon the recurring issues – this can be used to highlight the organisations existing threats.
The audit is often combined with penetration testing, simulating a hacker or denial of
service attack to establish the soundness of the existing systems.
Some organisations will go as far as to employ staff with the prime objective of breaking
into the building to ensure their physical security put in place is adequate.
Codes of conduct
1|Page
Matthew Lloyd-Jones
,Unit 7
Assignment 2
Code of conducts are created to ensure the personnel who require access to a system are
legally binded to not take advantage of their access.
Employees are expected to sign, agree and adhere to the code of conduct which states on it
a variety of policies – the policies ensure the systems users will abide by rules which suit the
organisation and its security needs.
Organisations typically will include the following policies [in some form] within their code of
conduct:
Email usage policy - This governs what subjects are deemed acceptable in the
sending of emails, the policy usually defines the acceptable size of attachments to be
sent and gives details as to the unacceptable activities such as sending data and
information to the organisations competitor.
Internet usage policy - employees will usually have restricted access online –
ensuring employees are doing their work rather than playing games online or
accessing their social media accounts. The policy will also state what cannot be
downloaded online.
Software acquisition and Installation policy – these policies are put in place to
prevent personal and unlicensed software from being installed into the system, upon
this it ensures there is no duplication of software. By having these policies in place
compatibility issues and potential malware from accessing the system are prevented.
Surveillance policies
Placing surveillance cameras [or an alternative piece of surveillance equipment] around the
work place within an organisation may cause unrest to the employees. Surveillance and
monitoring policies must clearly be defined to the employees and they must then agree to
the policy. The policy would include information such as, the reasons for the surveillance,
where it will be placed and what type of surveillance equipment is going to be used.
Risk management
Predicting possible issues and measuring the potential damage which can be caused to the
organisation [as a result of these issues] is essential in creating a strategy to minimise [or
eliminate] all threats to an organisation.
In managing the risks, organisations may decide to:
Tolerate the potential risk and waste no time in coming up with a solution
Minimise the likelihood of the risk occurring – for example purchasing an add-on
anti-virus software.
Terminate the risk – stopping the virus.
Transfer the risk by adapting the approach of the organisation.
Budget setting
Budget setting and the management of finances is essential in ensuring the organisation
does not overspend. It is of great importance to maintain an acceptable level of security
2|Page
Matthew Lloyd-Jones
, Unit 7
Assignment 2
within an organisation and in budgeting for organisational systems security you will need to
consider the following: The replacement of redundant equipment and software versions,
the cost of each audit, the training of staff, software licencing, the procurement of external
consultation and support, the staff wages relating to organisational systems security.
3|Page
Matthew Lloyd-Jones
