
Sara - Unit-3

Answer for engineering subject

Uploaded by

kaganesh.cyber

1923708 - SECURITY ASSESSMENT & RISK ANALYSIS

UNIT–III SECURITY PLANNING


Directives and procedures for policy mechanism, Risk Management: acceptance of risk (accreditation),
corrective actions information identification, risk analysis and/or vulnerability assessment
components, risk analysis results evaluation, roles and responsibilities of all the players in the risk
analysis process, Contingency plan components, determination of backup requirements, development
of plans for recovery actions after a disruptive event, development of procedures for offsite processing,
emergency destruction procedures.

SECURITY PLANNING

Security planning is a critical process for individuals, organizations, and governments to protect
assets, data, and individuals from various threats and risks. It involves assessing potential
vulnerabilities, developing strategies to mitigate these risks, and implementing measures to
safeguard against security breaches. Here are the key steps in security planning:

1. Risk Assessment:
Identify potential security threats and vulnerabilities.
Evaluate the likelihood and potential impact of each threat.
Prioritize threats based on their severity and potential consequences.

2. Set Objectives:
Define clear security objectives and goals.
Ensure alignment with the organization's mission and values.

3. Security Policies and Procedures:
Develop security policies and procedures that outline the rules and guidelines for
security.
Address areas such as access control, data protection, incident response, and more.

4. Security Awareness:
Educate employees and stakeholders about security risks and best practices.
Conduct training and awareness programs to ensure everyone is informed.

5. Access Control:
Implement access control mechanisms to restrict unauthorized access to systems,
data, and physical assets.
Use authentication methods, such as passwords, biometrics, or smart cards.

6. Data Protection:
Encrypt sensitive data both in transit and at rest.
Establish data retention and disposal policies.

7. Physical Security:
Secure physical premises with surveillance, alarms, access controls, and security
personnel.
Protect sensitive equipment and assets from theft or damage.

8. Network Security:
Implement firewalls, intrusion detection systems, and intrusion prevention systems.
Regularly update and patch software and hardware to address vulnerabilities.

9. Incident Response:
Develop an incident response plan to address security breaches or emergencies.
Assign roles and responsibilities for handling security incidents.

10. Business Continuity and Disaster Recovery:
Develop a business continuity plan to ensure operations continue in the event of a
disruption.
Create a disaster recovery plan to restore systems and data in case of catastrophic events.

Security planning is an ongoing process, and it requires regular review and adaptation to stay
ahead of emerging threats. It's important to involve relevant stakeholders, seek expert advice,
and stay informed about the latest security trends and best practices.

3.1 DIRECTIVES AND PROCEDURES FOR POLICY MECHANISM

Policy mechanisms refer to the various methods, tools, and strategies that governments and
organizations use to implement, regulate, and enforce policies.

● Directives and procedures for policy mechanisms are essential for guiding
decision-making, ensuring compliance with regulations, and achieving specific
goals within an organization or government.
● These mechanisms help establish a framework for consistent and effective policy
implementation. Here is an outline of directives and procedures commonly used in
policy mechanisms:

1) Policy Objectives and Scope:
● Define the overarching goals and objectives of the policy.
● Specify the scope and boundaries of the policy, including who and what it applies
to.

2) Policy Development:
● Establish a process for creating and updating policies.
● Identify responsible individuals or committees for policy development.
● Set a timeline for policy development and revision.

3) Policy Authorization:
● Clearly define the authority responsible for approving policies.
● Specify the criteria and conditions under which a policy can be authorized.

4) Policy Communication:
● Outline methods for communicating policies to relevant stakeholders.
● Ensure policies are easily accessible and understandable.

5) Policy Implementation:
● Define the steps and actions required to implement the policy.
● Identify responsible parties and their roles in the implementation process.
● Set deadlines and milestones for policy implementation.

6) Compliance and Enforcement:
● Describe the mechanisms for monitoring and enforcing policy compliance.
● Specify consequences for non-compliance.
● Establish reporting and auditing procedures.

7) Policy Review and Revision:
● Set a schedule for periodic policy reviews.
● Identify criteria for evaluating the effectiveness of the policy.
● Outline the process for making revisions or updates.

8) Documentation and Record-keeping:
● Require the maintenance of records related to policy implementation and
compliance.
● Define the format and storage requirements for policy documentation.

9) Training and Education:
● Establish training programs or resources to educate relevant personnel
about the policy.
● Ensure that employees or stakeholders understand their responsibilities.

10) Feedback and Evaluation:
● Encourage feedback from stakeholders and those affected by the policy.

3.2 RISK MANAGEMENT

● Risk management is the process of identifying, assessing and controlling financial,
legal, strategic and security risks to an organization’s capital and earnings.
● These threats, or risks, could stem from a wide variety of sources, including
financial uncertainty, legal liabilities, strategic management errors, accidents and
natural disasters.
● If an unforeseen event catches your organization unaware, the impact could be
minor, such as a small impact on your overhead costs.
● In a worst-case scenario, though, it could be catastrophic and have serious
ramifications, such as a significant financial burden or even the closure of your
business.
● To reduce risk, an organization needs to apply resources to minimize, monitor and
control the impact of negative events while maximizing positive events.
● A consistent, systemic and integrated approach to risk management can help
determine how best to identify, manage and mitigate significant risks.

THE RISK MANAGEMENT PROCESS

● Risk management is a system of people, processes and technology that enables an
organization to establish objectives in line with values and risks.
● A successful risk assessment program must meet legal, contractual, internal, social
and ethical goals, as well as monitor new technology-related regulations.
● By focusing attention on risk and committing the necessary resources to control
and mitigate risk, a business will protect itself from uncertainty, reduce costs and
increase the likelihood of business continuity and success.

Three important steps of the risk management process are:

● Risk identification,
● Risk analysis and assessment, and
● Risk mitigation and monitoring.

IDENTIFYING RISKS

● Risk identification is the process of identifying and assessing threats to an
organization, its operations and its workforce.
● For example, risk identification may include assessing IT security threats such as
malware and ransomware, accidents, natural disasters and other potentially
harmful events that could disrupt business operations.

RISK ANALYSIS AND ASSESSMENT

● Risk analysis involves establishing the probability that a risk event might occur
and the potential outcome of each event.
● Risk evaluation compares the magnitude of each risk and ranks them according to
prominence and consequence.

RISK MITIGATION AND MONITORING

● Risk mitigation refers to the process of planning and developing methods and
options to reduce threats to project objectives.
● A project team might implement risk mitigation strategies to identify, monitor
and evaluate risks and consequences inherent to completing a specific project,
such as new product creation. Risk mitigation also includes the actions put into
place to deal with issues and effects of those issues regarding a project.
● Risk management is a nonstop process that adapts and changes over time.
Repeating and continually monitoring the processes can help assure maximum
coverage of known and unknown risks.

3.3 CORRECTIVE ACTIONS (THE MOST COMMON RESPONSES TO RISK)

1) Risk avoidance:
Avoidance is a method for mitigating risk by not participating in activities that
may negatively affect the organization. Not making an investment or not starting a
product line are examples of such activities, as they avoid the risk of loss.

2) Risk reduction
This method of risk management attempts to minimize the loss, rather than
completely eliminate it. While accepting the risk, it stays focused on keeping the loss
contained and preventing it from spreading.

3) Risk sharing
● When risks are shared, the possibility of loss is transferred from the individual to
the group.
● A corporation is a good example of risk sharing — a number of investors pool
their capital and each only bears a portion of the risk that the enterprise may fail.

4) Transferring risk
● Contractually transferring a risk to a third party, such as buying insurance to
cover possible property damage or injury, shifts the risks associated with the
property from the owner to the insurance company.

5) Risk acceptance and retention
● After all risk sharing, risk transfer and risk reduction measures have been
implemented, some risk will remain since it is virtually impossible to eliminate all
risk (except through risk avoidance). This is called residual risk.

3.4 WHY RISK MANAGEMENT IS IMPORTANT

● Risk management has perhaps never been more important than it is now. The
risks that modern organizations face have grown more complex, fueled by the
rapid pace of globalization. New risks are constantly emerging, often related to
and generated by the now-pervasive use of digital technology. Climate change has
been dubbed a "threat multiplier" by risk experts.

● A recent external risk that initially manifested itself as a supply chain issue at
many companies -- the COVID-19 pandemic -- quickly evolved into an existential
threat, affecting the health and safety of employees, the means of doing business,
the ability to interact with customers and corporate reputations.

● Businesses made rapid adjustments to the threats posed by the pandemic. But,
going forward, they are grappling with novel risks, including the ongoing issue of
how or whether to bring employees back to the office, what can be done to make
supply chains less vulnerable, inflation and the business and economic effects of
the war in Ukraine.

● In many companies, business executives and the board of directors are taking a
fresh look at their risk management programs. Organizations are reassessing
their risk exposure, examining risk processes and reconsidering who should be
involved in risk management.

● Companies that currently take a reactive approach to risk management -- guarding
against past risks and changing practices after a new risk causes harm -- are
considering the competitive advantages of a more proactive approach. There is
heightened interest in supporting business sustainability, resiliency and agility.
Companies are also exploring how AI technologies and sophisticated GRC
platforms can improve risk management.

3.5 TRADITIONAL RISK MANAGEMENT VS. ENTERPRISE RISK MANAGEMENT

Traditional risk management often gets a bad rap these days compared to enterprise risk
management. Both approaches aim to mitigate risks that could harm organizations. Both
buy insurance to protect against a range of risks -- from losses due to fire and theft
to cyber liability. Both adhere to guidance provided by the major standards bodies. But
traditional risk management, experts argue, lacks the mindset and mechanisms required
to understand risk as an integral part of enterprise strategy and performance.
For many companies, "risk is a dirty four-letter word -- and that's unfortunate," said
Forrester's Valente. "In ERM, risk is looked at as a strategic enabler versus the cost of
doing business."

"Siloed" vs. holistic is one of the big distinctions between the two approaches, according
to Shinkman. In traditional risk management programs, for example, risk has typically
been the job of the business leaders in charge of the units where the risk resides. For
example, the CIO or CTO is responsible for IT risk, the CFO is responsible for financial
risk, the COO for operational risk and so on. Departments and business units might have
sophisticated systems in place to manage their various types of risks, Shinkman
explained, but the company can still run into trouble by failing to see the relationships
among risks or their cumulative impact on operations. Traditional risk management also
tends to be reactive rather than proactive.

"The pandemic is a great example of a risk issue that is very easy to ignore if you don't
take a holistic, long-term strategic view of the kinds of risks that could hurt you as a
company," Shinkman said. "A lot of companies will look back and say, 'You know, we
should have known about this, or at least thought about the financial implications of
something like this before it happened.'"

In enterprise risk management, managing risk is a collaborative, cross-functional and
big-picture effort. An ERM team, which could be as small as five people, works with the
business unit leaders and staff to debrief them, help them use the right tools to think
through the risks, collate that information and present it to the organization's executive
leadership and board. Having credibility with executives across the enterprise is a must
for risk leaders of this ilk, Shinkman said.
These types of experts increasingly come from a consulting background or have a
"consulting mindset," he said, and they possess a deep understanding of the mechanics of
business. Unlike in traditional risk management, where the head of risk typically reports
to the CFO, the heads of enterprise risk management teams -- whether they hold the chief
risk officer title or some other title -- commonly report to the CEO, an acknowledgement
that risk is part and parcel of business strategy.

In defining the chief risk officer role, Forrester makes a distinction between the
"transactional CROs" typically found in traditional risk management programs and the
"transformational CROs" who take an ERM approach. The former work at companies that
see risk as a cost center and risk management as an insurance policy, according to
Forrester. Transformational CROs, in the Forrester lexicon, are "customer-obsessed,"
Valente said. They focus on their company's brand reputation, understand the horizontal
nature of risk and define ERM as the "proper amount of risk needed to grow," as Valente
put it.

Risk averse is another trait of organizations with traditional risk management programs.
But as Valente noted, companies that define themselves as risk averse with a low risk
appetite are sometimes off the mark in their risk assessments.

3.6 RISK ANALYSIS

● The term risk analysis refers to the assessment process that identifies the
potential for any adverse events that may negatively affect organizations and the
environment.
● Risk analysis is commonly performed by corporations (banks, construction
groups, health care, etc.) and governments.
● Conducting a risk analysis can help organizations determine whether they should
undertake a project or approve a financial application, and what actions they may
need to take to protect their interests.
● Risk analysts often work with forecasting professionals to minimize future
negative unforeseen effects.

Types of Risk Analysis
● Risk-Benefits
● Needs Assessment
● Business Impact Analysis
● Root Cause Analysis

RISK BENEFITS

● Many people are aware of a cost-benefit analysis. In this type of analysis, an
analyst compares the benefits a company receives to the financial and
non-financial expenses related to the benefits.
● The potential benefits may cause other, new types of potential expenses to occur.
In a similar manner, a risk-benefit analysis compares potential benefits with
associated potential risks. Benefits may be ranked and evaluated based on their
likelihood of success or the projected impact the benefits may have.

NEEDS ASSESSMENT
● A needs risk analysis is an analysis of the current state of a company. Often, a
company will undergo a needs assessment to better understand a need or gap that
is already known.
● Alternatively, a needs assessment may be done if management is not aware of
gaps or deficiencies. This analysis lets the company know where it needs to
spend more resources.

BUSINESS IMPACT ANALYSIS


● In many cases, a business may see a potential risk looming and want to know
how the situation may impact the business.
● For example, consider the probability of a concrete worker strike affecting a real
estate developer. The real estate developer may perform a business impact analysis
to understand how each additional day of the delay may impact their operations.

ROOT CAUSE ANALYSIS

● Root cause analysis (RCA) is the process of discovering the root causes of
problems in order to identify appropriate solutions.
● A root cause analysis is performed because something is happening that shouldn't
be.
● This type of risk analysis strives to identify and eliminate processes that cause
issues. Whereas other types of risk analysis often forecast what needs to be done
or what could be getting done, a root cause analysis aims to identify the impact of
things that have already happened or continue to happen.

STEPS TO PERFORM A RISK ANALYSIS

● Step #1: Identify Risks
● Step #2: Identify Uncertainty
● Step #3: Estimate Impact
● Step #4: Build Analysis Model(s)
● Step #5: Analyze Results
● Step #6: Implement Solutions

Step #1: Identify Risks

● The first step in many types of risk analysis is to make a list of potential risks
you may encounter.
● These may be internal threats that arise from within a company, though most risks
will be external ones that arise from outside forces.
● It is important to incorporate many different members of a company for this
brainstorming session as different departments may have different perspectives
and inputs.

Step #2: Identify Uncertainty

● The primary concern of risk analysis is to identify troublesome areas for a
company. Most often, the riskiest aspects may be the areas that are undefined.
● Therefore, a critical aspect of risk analysis is to understand how each potential
risk has uncertainty and to quantify the range of risk that uncertainty may hold.
● Consider the example of a product recall of defective products after they have
been shipped. A company may not know how many units were defective, so it may
project different scenarios where either a partial or full product recall is
performed. The company may also run various scenarios on how to resolve the
issue with customers (i.e. a low, medium, or high engagement solution).

Step #3: Estimate Impact

● Most often, the goal of a risk analysis is to better understand how risk will
financially impact a company. This is usually calculated as the risk value, which is
the probability of an event happening multiplied by the cost of the event.

Step #4: Build Analysis Model(s)

● The inputs from above are often fed into an analysis model. The analysis model
will take all available pieces of data and information, and the model will attempt to
yield different outcomes, probabilities, and financial projections of what may
occur. In more advanced situations, scenario analysis or simulations can
determine an average outcome value that can be used to quantify the average
instance of an event occurring.

Step #5: Analyze Results

● With the model run and the data available to be reviewed, it's time to analyze the
results.
● Management often takes the information and determines the best course of action
by comparing the likelihood of risk, projected financial impact, and model
simulations.
● Management may also request to see different scenarios run for different risks
based on different variables or inputs.

Step #6: Implement Solutions

● After management has digested the information, it is time to put a plan in action.
Sometimes, the plan is to do nothing; in risk acceptance strategies, a company has
decided it will not change course as it makes most financial sense to simply live
with the risk of something happening and deal with it after it occurs. In other
cases, management may want to reduce or eliminate the risk.
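
Steps #2 to #5 carried through on a small risk register, as an added example that is not part of the original notes. It goes beyond the single probability × cost figure of Step #3 by enumerating every scenario combination to obtain the full loss distribution. The register entries, probabilities and costs are constructed for illustration, and the risks are assumed to be independent.

```python
"""Added example: scenario analysis over a constructed risk register."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance of this outcome during the planning period
    cost: int           # financial impact if it happens


@dataclass(frozen=True)
class Risk:
    name: str
    scenarios: tuple    # mutually exclusive outcomes of this one risk

    def risk_value(self) -> float:
        # Step 3: probability of the event multiplied by the cost of the event,
        # summed over the scenarios identified in Step 2.
        return sum(s.probability * s.cost for s in self.scenarios)

    def outcomes(self):
        # Add the implicit "does not occur" outcome so probabilities sum to 1.
        p_none = 1.0 - sum(s.probability for s in self.scenarios)
        if p_none < -1e-9:
            raise ValueError(f"{self.name}: scenario probabilities exceed 1")
        occurred = [(s.probability, s.cost) for s in self.scenarios]
        return [(max(p_none, 0.0), 0)] + occurred


def prioritize(register):
    """Rank risks by risk value, highest first."""
    return sorted(register, key=lambda r: r.risk_value(), reverse=True)


def loss_distribution(register):
    """Step 4: enumerate every combination of outcomes across the register.

    Assumes the risks are independent, so joint probability is the product.
    Returns {total_loss: probability}, ordered by ascending loss.
    """
    dist = {}
    for combo in product(*(r.outcomes() for r in register)):
        probability, loss = 1.0, 0
        for p, cost in combo:
            probability *= p
            loss += cost
        dist[loss] = dist.get(loss, 0.0) + probability
    return dict(sorted(dist.items()))


def prob_loss_exceeds(dist, threshold):
    """Chance that the total loss is greater than `threshold`."""
    return sum(p for loss, p in dist.items() if loss > threshold)


def loss_at_confidence(dist, confidence):
    """Smallest loss L such that P(total loss <= L) >= confidence."""
    cumulative = 0.0
    for loss, p in dist.items():
        cumulative += p
        if cumulative >= confidence:
            return loss
    return max(dist)


# Constructed sample register (all figures are illustrative assumptions).
REGISTER = [
    Risk("Product recall", (
        Scenario("partial recall", 0.10, 200_000),
        Scenario("full recall", 0.02, 1_500_000),
    )),
    Risk("Ransomware outage", (Scenario("systems encrypted", 0.05, 400_000),)),
    Risk("Customer data exposure", (Scenario("records exposed", 0.01, 2_500_000),)),
]

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        print(f"{risk.name:<24} risk value = {risk.risk_value():>10,.0f}")
    dist = loss_distribution(REGISTER)
    expected = sum(loss * p for loss, p in dist.items())
    # Step 5: the average hides the shape of the distribution.
    print(f"expected loss            = {expected:,.0f}")
    print(f"P(no loss at all)        = {dist[0]:.4f}")
    print(f"P(loss > 1,000,000)      = {prob_loss_exceeds(dist, 1_000_000):.4f}")
    print(f"loss at 95% confidence   = {loss_at_confidence(dist, 0.95):,}")
    print(f"loss at 99.5% confidence = {loss_at_confidence(dist, 0.995):,}")
```

On this register the expected loss is 95,000, yet about 83% of outcomes cost nothing and roughly 3% exceed 1,000,000, which is the comparison management makes in Step #5 before choosing between acceptance and reduction.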

3.6 ADVANTAGES AND DISADVANTAGES OF RISK ANALYSIS

PROS OF RISK ANALYSIS

Risk analysis allows companies to make informed decisions and plan for
contingencies before bad things happen. Not all risks may materialize, but it is
important for a company to understand what may occur so it can at least choose to
make plans ahead of time to avoid potential losses.

Risk analysis also helps quantify risk, as management may not know the financial
impact of something happening. In some cases, the information may help companies
avoid unprofitable projects. In other cases, the information may help put plans in
motion that reduce the likelihood of something happening that would have caused
financial stress on a company.

Risk analysis may detect early warning signs of potentially catastrophic events. For
example, risk analysis may identify that customer information is not being
adequately secured. In this example, risk analysis can lead to better processes,
stronger documentation, more robust internal controls, and risk mitigation.

CONS OF RISK ANALYSIS

Risk is a probabilistic measure and so can never tell you for sure what your precise
risk exposure is at a given time, only what the distribution of possible losses is likely
to be if and when they occur. There are also no standard methods for calculating and
analyzing risk, and even VaR can have several different ways of approaching the task.
Risk is often assumed to occur using normal distribution probabilities, which in
reality rarely occur and cannot account for extreme or "black swan" events.

The financial crisis of 2008, for example, exposed these problems, as relatively benign
VaR calculations greatly understated the potential occurrence of risk events
posed by portfolios of subprime mortgages.

Risk magnitude was also underestimated, which resulted in extreme leverage
ratios within subprime portfolios. As a result, the underestimations of occurrence
and risk magnitude left institutions unable to cover billions of dollars in losses
as subprime mortgage values collapsed.

3.7 VULNERABILITY ASSESSMENT COMPONENTS

Vulnerability assessments are most effective when they are incorporated into an existing
planning or management process. Indeed, they follow many of the same phases of
standard resource management planning efforts (e.g., scoping, stakeholder engagement,
implementation, monitoring, adaptive management).

1. Define assessment purpose and scope

● Guides the activities of developing and implementing adaptation policies and
plans including establishing the purpose, outcomes, and stakeholder
engagement. This may include:
  ○ assessment purpose and expected outcomes
  ○ existing conservation goals and targets
  ○ geographic scope and time frame
  ○ key participants and partners
  ○ resource needs and availability

2. Assess sensitivity and exposure

Determines the exposure and sensitivity of conservation targets including human
communities to climate change, variability, local stressors, and ecological
change. Combined, these provide the overall potential impact to social, economic,
and ecological targets by climate change. This may include:
● magnitude and rate of ecosystem changes (e.g., from climate data and local
knowledge)
● existing local stressors on targets, ecosystem health, and ecosystem services
● differences in how humans may be affected by climate impacts (e.g., based on
occupation, gender, health, education, age)

3. Assess adaptive capacity

Identifies the key factors affecting adaptive capacity and assesses the ability of
communities and ecosystems to cope with and respond to the combined effects of local
stressors and climate change and variability. This may include:
● effectiveness of and access to social networks (e.g., women’s groups, church
groups, youth groups)
● local knowledge and practices to cope with climate events and impacts
● community awareness of climate change
● ability to plan, learn, and reorganize in response to hazards/climate events
● access to financial and material resources and information to cope with risk

4. Assess future vulnerability

Involves developing scenarios of future climate, and potential changes in exposure,
sensitivity, and adaptive capacity. This may include:
● climate projections combined with local knowledge of climate events and impacts
● scenarios of possible changes in climate, socioeconomic, and environmental
conditions
● vulnerability of current socioeconomic/environmental conditions to future
climate change
● uncertainty of climate change and associated impacts

5. Identify adaptation strategies

Involves the development and prioritization of adaptation strategies and policies that
reduce exposure or sensitivity and/or build adaptive capacity. This may include:
● adapting current management strategies or developing new ones, to more
comprehensively address vulnerabilities to climate impacts
● prioritization of adaptation strategies based on criteria (e.g., community
acceptability, costs/benefits, possible adverse effects, effectiveness, feasibility, and
potential impacts)
● barriers to adaptation and ways to overcome barriers

6. Develop implementation plan

Identifies core components of an implementation plan including resources and the
incorporation of adaptation strategies into conservation and development policies,
programs, and plans. This may include:
● timeline of activities with deliverables and dates
● identification of who will lead each activity and resources needed
● integration of adaptation strategies into existing policies, programs, plans
● measures to assess performance of adaptation strategies

7. Monitor adaptation actions and revise conservation goals


Includes the monitoring and evaluation of adaptation strategies and changes in
conservation target and adaptive capacity of target community, reassessment and
revision of adaptation strategies, and conservation goals based on evaluation results/new
information. This may include:
● clarifying goals and purpose for assessment and evaluation
● selecting relevant indicators and methods for monitoring
● developing data management plan, analysis, and reporting
● communicating evaluation results

3.8 RISK EVALUATION

Risk evaluation is the process of assessing and analyzing potential risks in order to make
informed decisions about how to manage or mitigate them. It is a fundamental
component of risk management and is used in various fields, including business, finance,
project management, and safety. The primary steps involved in risk evaluation include:

1. Identification of Risks: The first step is to identify potential risks. This can be done
through brainstorming, historical data analysis, expert opinions, and other
methods. Risks can be categorized as internal (e.g., operational, financial) or
external (e.g., market, environmental).
2. Risk Assessment: Once risks are identified, they need to be assessed. This involves
estimating the likelihood of each risk occurring and the potential impact or
consequences if it does. Various tools and techniques, such as risk matrices and
probability assessments, can be used in this phase.
3. Risk Prioritization: Not all risks are of equal importance. Prioritization helps focus
resources and attention on the most significant risks. This can be done by
assigning a risk score based on likelihood and impact or by using other criteria
that are relevant to the specific context.
4. Risk Mitigation and Management: After prioritization, organizations or individuals
can decide on strategies for managing or mitigating the identified risks. This might
involve risk avoidance, risk reduction, risk sharing (e.g., insurance), or risk
acceptance.
5. Monitoring and Review: Risk evaluation is an ongoing process. Regular monitoring
is crucial to ensure that risks are managed effectively and to identify new risks
that may emerge. Continuous review and adjustment of risk management
strategies are essential.
6. Reporting and Communication: Effective communication of risks and risk
management strategies is crucial, both within an organization and, in some cases,
to external stakeholders. Transparency and clear reporting can help in
decision-making and gaining support for risk management efforts.

Who should do risk assessments?


Every employer must conduct risk assessments. Risk assessments should always be
carried out by a professional who is familiar with risk, a person who is experienced and
competent to do so. Competence can be expressed as a combination of knowledge,
awareness, training, and experience. Remember that competence does not mean you have
to know everything about everything; competence also means knowing when you know
enough or when you should call in further expert help.

We all like to think that all of our employees will be trustworthy, but this is not
always the case. There have been many instances in which an employee has been
dishonest about their job history, qualifications or even criminal history. A dishonest
employee could be unqualified for the position, possibly endangering others on the job.
Or they might be a fraud risk, willing to bend the truth in other ways in order to enrich or
advance themselves on your dime. No organisation can afford to have employees or staff
who aren’t what they claim to be. Even a seemingly innocent embellishment can indicate
more background problems under the surface, and the potential for future problems
down the road. So remember: trust your employees, but verify them too.

ROLES AND RESPONSIBILITIES

3.9 CONTINGENCY PLANS
Contingency plans are a crucial part of risk management. They are designed to help
organizations prepare for and respond to unexpected events that could disrupt
operations or damage the organization's assets. Here are the key components of a
contingency plan in risk management:

1. Risk Assessment:

● Identify and assess potential risks and threats to the organization. This
includes natural disasters, economic downturns, cybersecurity breaches,
and other unforeseen events.

2. Objectives and Scope:

● Define the objectives and scope of the contingency plan. What are the
specific goals and the areas of the organization it will cover? This could be a
plan for the entire organization or specific departments.

3. Risk Analysis:

● Analyze the potential impact of identified risks, including the financial,
operational, and reputational consequences of each risk.

4. Response Strategies:

● Develop strategies for responding to each identified risk. This may involve
risk mitigation, risk avoidance, risk transfer (e.g., insurance), or risk
acceptance. For some risks, you may need a combination of these
strategies.

5. Incident Response Team:

● Identify and designate the members of an incident response team. This
team should be responsible for implementing the contingency plan and
managing the organization's response to an incident.

6. Communication Plan:

● Establish a communication plan that outlines how information will be
disseminated during a crisis. This should include internal and external
communication, including communication with employees, customers,
suppliers, and the media.

7. Resource Allocation:

● Determine the necessary resources (financial, human, and technical)
required to implement the contingency plan. Ensure that these resources
are readily available in the event of an incident.

8. Recovery Procedures:

● Develop detailed procedures for recovery and continuity of operations.
This may include backup systems, alternative work locations, and specific
steps for resuming normal business activities.

9. Testing and Training:

● Regularly test the contingency plan through simulations and exercises.
Ensure that the incident response team is well-trained and aware of their
roles and responsibilities.

10. Documentation:

● Maintain detailed documentation of the contingency plan, including risk
assessments, response strategies, contact information, and recovery
procedures. Keep this documentation up to date.

DETERMINATION OF BACKUP REQUIREMENTS IN RISK MANAGEMENT

BACKUP AND RECOVERY STANDARDS

Purpose

All electronic information considered of institutional value should be copied onto secure
storage media on a regular basis (i.e., backed up), for disaster recovery and business
resumption. This policy outlines the minimum requirements for the creation and
retention of backups. Special backup needs that exceed these requirements, identified
through technical risk analysis, should be accommodated on an individual basis.

Scope

Data custodians are responsible for providing adequate backups to ensure the recovery
of data and systems in the event of failure. Backup provisions allow business processes to
be resumed in a reasonable amount of time with minimal loss of data. Since hardware
and software failures can take many forms, and may occur over time, multiple
generations of institutional data backups need to be maintained.

Definitions

University Critical Data is data that, if it were deemed unavailable to the University, would
have an immediate (within 24 hours) critical impact on the University.

Data Owners are the department managers, members of the top management team, or
their delegates who bear responsibility for the acquisition, development, and
maintenance of production applications that process University information. See
the Information Security Roles and Responsibilities for more information.

Data Custodians are in physical or logical possession of either University information or
information that has been entrusted to Michigan Tech. Custodians are responsible for
safeguarding the information and making backups so that critical information is not lost.

Standard

Backup and Recovery processes commensurate with legislative and business
requirements must be developed, maintained and regularly tested, to ensure continued
business operation and access to data and information within the required timeframe,
should a risk event occur.

Backup requirements will be determined by a business risk assessment completed by the
owner, and are dependent on the:

• Importance of the data and information to the function of the University

• Acceptable transaction loss (business areas must determine what level of
potential transaction loss would not be acceptable or would be too difficult to
recover. This can be determined in terms of a timeframe, the number of
transactions, or the amount of effort and period of time required to re-enter data.)

• The maximum acceptable outage of the system while performing backups

• The maximum acceptable outage of the system while recovering data

In addition to regular backup processes, backups will be performed before and after
major technical or business related changes to a system or application.

An audit trail of all backup activities must be maintained.

Documentation

For all departmental information assets, documented procedures must exist for the
backup and recovery processes and these documents must be readily accessible. Backup
and recovery operations and the specified period of maximum acceptable outage must be
documented for all systems.

At a minimum, documentation must contain:

• A description of the system to be backed up

• The individual or group responsible for ensuring that the backup and recovery
occurs

• Backup and recovery requirements

• Backup media storage locations, including off-site storage

• Required backup frequency (e.g., daily, weekly)

• Backup cycles required

• Backup retention period (as prescribed by the University Data Retention Policy)

• Testing process

• Recovery schedule and plan

• Locations of relevant software and licenses

Backup media

Backups must be regularly tested as determined by a risk assessment or at a minimum on
an annual basis to ensure data can be restored in case of a catastrophic event.

Protection mechanisms and access controls for backup media must be commensurate
with the security requirements and criticality of the information stored in the backup.

Backup media must be stored and transported in an appropriate, safe and secure manner
and access to backup media must be restricted to only authorized personnel.

Off-site storage

Based on backup requirements and backup cycles, at least one instance of a backup
within a cycle must be stored off-site (physically separate from the data or system being
backed up) or geographically separate, as determined by a risk assessment.

Backup media stored off site must be stored in a secure location with environmental
controls (if available) and appropriate access controls commensurate with the security
requirements and criticality of the information stored in the backup.

Back-up tapes will be stored off-site on a basis that is determined by the risk assessment.
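
The minimums in this standard (acceptable transaction loss, an off-site copy within each cycle, and a restore test at least annually) can be checked mechanically against a backup inventory. The Python sketch below is an added example, not part of the original notes or of any university tooling; the system names, catalog entries, and the 24-hour and 7-day limits are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Backup:
    system: str
    taken: datetime
    offsite: bool                               # physically separate from the source system
    restore_tested: Optional[datetime] = None   # date of a successful test restore

@dataclass
class Requirement:
    system: str
    max_data_loss: timedelta   # acceptable transaction loss, expressed as a timeframe
    cycle: timedelta           # length of one backup cycle

def audit(req: Requirement, backups: List[Backup], now: datetime) -> List[str]:
    """Return findings for one system; an empty list means the minimums are met."""
    mine = sorted((b for b in backups if b.system == req.system), key=lambda b: b.taken)
    in_cycle = [b for b in mine if now - b.taken <= req.cycle]
    findings = []
    if not in_cycle:
        findings.append("no backup in the current cycle")
    else:
        # Worst-case loss in this cycle is the longest stretch with no backup, up to now.
        points = [b.taken for b in in_cycle] + [now]
        worst = max(later - earlier for earlier, later in zip(points, points[1:]))
        if worst > req.max_data_loss:
            findings.append(f"exposure window {worst} exceeds acceptable loss {req.max_data_loss}")
        # At least one instance within the cycle must be held off-site.
        if not any(b.offsite for b in in_cycle):
            findings.append("no off-site copy in the current cycle")
    # Restores must be tested at a minimum on an annual basis.
    tests = [b.restore_tested for b in mine if b.restore_tested]
    if not tests or now - max(tests) > timedelta(days=365):
        findings.append("no restore test within the last year")
    return findings

# Constructed sample data (hypothetical systems and dates).
NOW = datetime(2024, 3, 8, 6, 0)
REQS = {name: Requirement(name, timedelta(hours=24), timedelta(days=7))
        for name in ("payroll", "research-share")}
CATALOG = [Backup("payroll", datetime(2024, 3, d, 2), offsite=(d == 2),
                  restore_tested=datetime(2024, 3, 3) if d == 2 else None)
           for d in range(2, 9)]
CATALOG += [
    Backup("research-share", datetime(2023, 1, 15, 2), True, datetime(2023, 1, 20)),
    Backup("research-share", datetime(2024, 3, 4, 2), False),
    Backup("research-share", datetime(2024, 3, 7, 2), False),
]

if __name__ == "__main__":
    for name, req in REQS.items():
        print(name, audit(req, CATALOG, NOW) or "meets the minimums")
```

Each run's findings can be appended to the audit trail of backup activities that the standard requires.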

Backup media disposal

Obsolete backup media must be disposed of in a safe and secure manner, in accordance
with University policy. Backup media to be disposed of must be rendered unreadable
through an appropriate means and an audit trail of disposal of backup media must be
maintained. See Data Sanitization Standard for further guidance.

3.10 DISASTER RECOVERY PLANS (DRP)

• A disaster recovery plan (DR or DRP) is a formal document created by an
organization that contains detailed instructions on how to respond to unplanned
incidents such as natural disasters, power outages, cyber attacks and any other
disruptive events.

• The plan contains strategies to minimize the effects of a disaster, so an
organization can continue to operate or quickly resume key operations.

• A DR plan is more focused than a business continuity plan and does not
necessarily cover all contingencies for business processes, assets, human
resources and business partners.

• A successful DR solution typically addresses all types of operation disruption and
not just the major natural or man-made disasters that make a location unavailable.

• Disruptions can include power outages, telephone system outages, temporary loss
of access to a facility due to bomb threats, a "possible fire" or a low-impact
non-destructive fire, flood or other event. A DR plan should be organized by type of
disaster and location. It must contain scripts (instructions) that can be
implemented by anyone.

KEY REASONS

• To minimize interruptions to normal operations.
• To limit the extent of disruption and damage.
• To minimize the economic impact of the interruption.
• To establish alternative means of operation in advance.
• To train personnel with emergency procedures.
• To provide for smooth and rapid restoration of service.

DISASTER RECOVERY PLAN IMPORTANCE

The compelling need to drive superior customer experience and business outcome is
fueling the growing trend of hybrid multicloud adoption by enterprises. Hybrid
multicloud, however, creates infrastructure complexity and potential risks that require
specialized skills and tools to manage. As a result of the complexity, organizations are
suffering frequent outages and system breakdown, coupled with cyber-attacks, lack of
skills, and supplier failure. The business impact of outages or unplanned downtime is
extremely high, more so in a hybrid multicloud environment. Delivering resiliency in a
hybrid multicloud requires a disaster recovery plan that includes specialized skills, an
integrated strategy and advanced technologies, including orchestration for data
protection and recovery. Organizations must have comprehensive enterprise resiliency
with orchestration technology to help mitigate business continuity risks in hybrid
multicloud, enabling businesses to achieve their digital transformation goals.

Other key reasons why a business would want a detailed and tested disaster recovery
plan include:

• To minimize interruptions to normal operations.
• To limit the extent of disruption and damage.
• To minimize the economic impact of the interruption.
• To establish alternative means of operation in advance.
• To train personnel with emergency procedures.
• To provide for smooth and rapid restoration of service.

To meet today's expectation of continuous business operations, organizations must be
able to restore critical systems within minutes, if not seconds, of a disruption.

ORGANIZATIONS USING DISASTER RECOVERY PLANS

Many organizations struggle to evolve their DR plan strategies quickly enough to address
today’s hybrid-IT environments and complex business operations. In an always-on, 24/7
world, an organization can gain a competitive advantage, or lose market share,
depending on how quickly it can recover from a disaster and recover core business
services.

Some organizations use external disaster recovery and business continuity consulting
services to address a company’s needs for assessments, planning and design,
implementation, testing and full resiliency program management.

There are proactive services to help businesses overcome disruptions with flexible, cost-
effective IT DR solutions.

With the growth of cyber attacks, companies are moving from a traditional/manual
recovery approach to an automated and software-defined resiliency approach. Other
companies turn to cloud-based backup services that provide continuous replication of critical
applications, infrastructure, data and systems for rapid recovery after an IT outage. There
are also virtual server options to protect critical servers in real-time. This enables rapid
recovery of your applications to keep businesses operational during periods of
maintenance or unexpected downtime.

For a growing number of organizations, the solution is resiliency orchestration, a
cloud-based approach that uses disaster recovery automation and a suite of
continuity-management tools designed specifically for hybrid-IT environments and protecting
business process dependencies across applications, data and infrastructure components.
The solution increases the availability of business applications so that companies can
access necessary high-level or in-depth intelligence regarding Recovery Point Objective
(RPO), Recovery Time Objective (RTO) and the overall health of IT continuity from a
centralized dashboard.

In today’s always-on world, your business can’t afford downtime, which can result in
revenue loss, reputational damage, and regulatory penalties.

KEY STEPS OF A DISASTER RECOVERY PLAN

3.11 DEVELOPMENT OF PROCEDURES FOR OFFSITE PROCESSING IN RISK MANAGEMENT

Developing procedures for offsite processing in risk management is essential for
maintaining business continuity and mitigating potential risks. Offsite processing
involves conducting critical business operations at an alternate location in the event of
disasters, emergencies, or disruptions to the primary facility. Here's a step-by-step guide
on how to develop such procedures:

1. Risk Assessment:

• Identify the potential risks that could disrupt your primary facility, such as
natural disasters, power outages, cyberattacks, and pandemics.

• Assess the impact of these risks on your business operations, including data
loss, revenue, and customer satisfaction.

2. Business Impact Analysis (BIA):

• Determine the critical functions and processes within your organization.

• Evaluate the maximum allowable downtime (Recovery Time Objective or
RTO) for each critical process.

• Identify the resources and data necessary for these processes to function.

3. Identify Offsite Processing Requirements:

• Determine which processes and data need to be processed offsite during a
disruption.

• Select a suitable offsite location or service provider, which may include
cloud providers, colocation centers, or disaster recovery sites.

4. Develop Offsite Processing Procedures:

• Create detailed procedures for transitioning to offsite processing during a
disruption.

• Include specific steps for data backup, system configuration, and resource
allocation.

• Define roles and responsibilities for employees involved in the offsite
processing.

5. Data Backup and Recovery:

• Establish a robust data backup and recovery strategy.

• Specify how data will be backed up and transferred to the offsite location.

• Ensure that backup data is regularly tested for integrity and recoverability.

6. Communication and Notification:

• Develop a communication plan to inform employees, customers, and
stakeholders about the offsite processing procedures during a disruption.

• Create an escalation process for reporting issues or emergencies.

7. Testing and Training:

• Regularly test the offsite processing procedures through simulated disaster
recovery exercises.

• Provide training to employees involved in offsite processing to ensure they
are familiar with the procedures.

8. Security and Compliance:

• Implement security measures to protect data and systems during offsite
processing.

• Ensure compliance with relevant regulations and standards, such as GDPR,
HIPAA, or industry-specific requirements.

9. Monitoring and Maintenance:

• Set up monitoring tools to track the status and performance of offsite
processing systems.

• Establish a maintenance schedule to keep offsite resources up to date.

10. Documentation and Documentation Management:

• Maintain comprehensive documentation of all offsite processing
procedures and configurations.

• Keep documentation up to date and easily accessible.

11. Review and Continuous Improvement:

• Regularly review and update your offsite processing procedures to reflect
changes in technology, business operations, and risks.

• Use post-incident reviews to identify areas for improvement and
implement necessary changes.

12. Supplier Relationships:

• If you're using third-party offsite processing services, maintain a strong
relationship with service providers and review their disaster recovery
capabilities.

13. Legal and Contractual Considerations:

• Ensure that contracts with service providers and partners outline the terms
and conditions related to offsite processing, including data protection and
recovery obligations.

Developing and implementing offsite processing procedures in risk management is an
ongoing process that requires thorough planning, testing, and continuous improvement
to ensure your organization can effectively recover from disruptions and minimize
business impact.

PHYSICAL HAZARDS:

Injuries during Project operation are typically related to slips, trips, and falls; contact with falling /
moving objects; and lifting / over-exertion. Other injuries may occur due to contact with, or capture in,
moving machinery (e.g. dump trucks, front loaders, forklifts). Activities related to maintenance of
equipment, including mills, mill separators, fans and belt conveyors, represent a significant source of
exposure to physical hazards. Such hazards may include the following: falling / impact with objects;
transportation; contact with allergic substances.

The following management measures will be implemented to prevent the physical hazards in
the plant:

• Any person working on equipment with moving parts will personally ensure the equipment is
de-energized, isolated and locked/tagged out.
• Any person working from a position with the potential risk for a fall from height will use fall
protection. Any person doing flame welding, cutting or brazing in the proximity of any
flammable material will use PPE.
• Prescribed PPE will be provided to all workers exposed to open processes or systems.
• In case of any accident, immediate & proper medical care will be provided at the plant site.

DISASTER MANAGEMENT PLAN
