REPORT ASM Final VuDucKhoa BH02094 Security

The document is a final report for an assignment on IT security risks as part of the Pearson BTEC Level 5 Higher National Diploma in Computing. It outlines various types of security risks, recent breaches in Vietnam, and the consequences of such breaches, while also providing organizational security procedures and recommendations for mitigating risks. The report serves as both a technical guide and a training resource for junior IT staff at FPT Information Security.
ASSIGNMENT FINAL REPORT

Qualification Pearson BTEC Level 5 Higher National Diploma in Computing

Unit number and title Unit 5: Security

Submission date 08/04/2025 Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Vu Duc Khoa Student ID BH02094

Class SE070205 Assessor name Nguyễn Thị Hồng Hanh

Plagiarism
Plagiarism is a particular form of cheating. Plagiarism must be avoided at all costs and students who break the rules, however innocently,
may be penalised. It is your responsibility to ensure that you understand correct referencing practices. As a university level student, you
are expected to use appropriate references throughout and keep carefully detailed notes of all your sources of materials for material you
have used in your work, including any material downloaded from the Internet. Please consult the relevant unit lecturer or your course
tutor if you need any further advice.

Student Declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I declare that the
work submitted for assessment has been carried out without assistance other than that which is acceptable according to the rules of the
specification. I certify I have clearly referenced any sources and any artificial intelligence (AI) tools used in the work. I understand that
making a false declaration is a form of malpractice.
Student’s signature Khoa

Grading grid

P1 P2 P3 P4 P5 P6 P7 P8 M1 M2 M3 M4 M5 D1 D2 D3

Summative Feedback:

Resubmission Feedback:

Grade: Assessor Signature: Date:


Internal Verifier’s Comments:

Signature & Date:

Contents
I. Introduction .......................................................................................................................................... 8
II. Content ............................................................................................................................................... 8
1. Discuss types of security risks to organisations. (P1) ......................................................................... 8
1.1. It risks definition ........................................................................................................................ 8
1.2. Types of risks to organizations. .................................................................................................. 9
1.3. Recent Security Breaches in Vietnam: ...................................................................................... 10
1.4. Consequences of the Breach: .................................................................................................... 10
1.5. Suggested Solutions for Organizations: .................................................................................... 11
2. Organizational Security Procedures (P2) ......................................................................................... 12
2.1. Security Awareness Training Program: ..................................................................................... 12
2.2. Incident Response Plan: ............................................................................................................ 13
2.3. Access Control Management: .................................................................................................... 13
3. Benefits of Network Monitoring Systems (M1) ............................................................................... 14
3.1. Network Monitoring Devices: .................................................................................................. 14
3.2. Why Network Monitoring is Essential:..................................................................................... 15
3.3. Key Benefits of Network Monitoring: ...................................................................................... 16
4. Impact of Incorrect Firewall and VPN Configurations (P3) ............................................................. 18
4.1. Firewalls and Policies: ............................................................................................................. 18
4.2. VPN Explanation: .................................................................................................................... 20
4.3. Potential Impacts of Misconfigurations: ................................................................................... 22
4.4. Preventing Misconfigurations: ................................................................................................. 24
5. DMZ, Static IP, and NAT for Security (P4) .................................................................................... 26
5.1. DMZ (Demilitarized Zone): ...................................................................................................... 26
5.2. Static IP: .................................................................................................................................. 28
5.3. NAT (Network Address Translation): ...................................................................................... 29
5.4. Combining DMZ, Static IP, and NAT for Stronger Security: ..................................................... 32
6. IT Security Risk Assessment and Mitigation Methods (M2)............................................................ 33
6.1. Risk Assessment Methods: ....................................................................................................... 33
6.2. Current Organizational Weaknesses: ......................................................................................... 34
6.3. Recommended Mitigation Tools: .............................................................................................. 36

Best Practices for Risk Management: ................................................................................................... 38
7. Physical and Virtual Security Measures (D1) ................................................................................... 38
7.1. Physical Security Measures: ...................................................................................................... 38
7.2. Virtual Security Measures: ........................................................................................................ 39
7.3. Security Integrity Benefits: ....................................................................................................... 40
8. Review risk assessment procedures in an organisation.(P5) ............................................................. 40
8.1 Definition of Security Risk and Risk Assessment Process .......................................................... 40
8.2 Definition of Assets, Threats, and Threat Identification Procedures ............................................ 40
8.3 Steps for Risk Identification ....................................................................................................... 41
8.4 Risk Assessment Process in an Organization .............................................................................. 42
9. Explain data protection processes and regulations as applicable to an organisation. (P6) .................. 44
9.1. Definition of Data Protection ................................................................................................... 45
9.2. Data Protection Processes in an Organization ............................................................................ 46
9.3. Regulations on Data Protection ................................................................................................. 51
9.4. Why Data Protection and Compliance with Security Regulations Are Important ....................... 55
10. Summarise an appropriate risk-management approach or ISO standard and its application in IT
security. (M3) ...................................................................................................................................... 60
10.1. Definition of the ISO/IEC 27001 Standard .............................................................................. 60
10.2. Application in IT Security ....................................................................................................... 62
10.3. Practical Examples .................................................................................................................. 65
10.4. Benefits, Challenges, and Long-Term Impact .......................................................................... 69
11. Analyse possible impacts to organisational security resulting from an IT security audit. (M4) ....... 70
11.1. Definition of an IT Security Audit ........................................................................................... 70
11.2. Potential Impacts on Organizational Security .......................................................................... 71
11.3. Practical Examples .................................................................................................................. 76
11.4. Benefits, Challenges, and Long-Term Impact .......................................................................... 78
12. Design a suitable security policy for an organisation, including the main components of an
organisational disaster recovery plan. (P7) ........................................................................................... 79
12.1. Definition of a Security Policy ................................................................................................ 79
12.2. Examples of Security Policies ................................................................................................. 80
12.3. Essential Elements of a Security Policy ................................................................................... 85

12.4. Key Components of a Disaster Recovery Plan ......................................................................... 86
12.5. Steps to Design the Security Policy ......................................................................................... 89
12.6. Benefits, Challenges, and Long-Term Impact .......................................................................... 91
13. Discuss the roles of stakeholders in the organisation in implementing security audits. (P8) ............ 92
13.1. Definition of Stakeholders ....................................................................................................... 92
13.2. Role of Stakeholders in the Organization................................................................................. 92
13.3. Definition of an IT Security Audit ........................................................................................... 98
13.4. Recommendations for Conducting an IT Security Audit .......................................................... 99
13.5. Benefits, Challenges, and Long-Term Impact ........................................................................ 101
14. Justify the security plan developed giving reasons for the elements selected. (M5) ....................... 102
14.1. Discussion on Business Continuity ........................................................................................ 102
14.2. Components of the Disaster Recovery Plan ........................................................................... 103
14.3. Justification for the Components of the Disaster Recovery Plan ............................................ 104
14.4. Justification for the Steps in the Disaster Recovery Process ................................................... 107
14.5. Additional Justifications for the Security Plan ....................................................................... 109
14.6. Benefits, Challenges, and Long-Term Impact ........................................................................ 110
15. Recommend how IT security can be aligned with an organisational policy, detailing the security
impact of any misalignment. (D2) ...................................................................................................... 110
15.2. Recommendations for Aligning IT Security with Organizational Policy ................................ 111
15.3. Security Impact of Misalignment .......................................................................................... 113
15.4. Mitigation Strategies for Misalignment ................................................................................. 115
15.5. Benefits, Challenges, and Long-Term Impact ........................................................................ 116
16. Evaluate the suitability of the tools used in the organisational policy to meet business needs. (D3)
.......................................................................................................................................................... 117
16.2. Overview of Business Needs ................................................................................................. 117
16.3. Evaluation of Tools ............................................................................................................... 118
16.4. Overall Suitability and Recommendations ............................................................................. 123
III. Conclusion...................................................................................................................................... 124
IV. Self-Assessment .............................................................................................................................. 126
V. Reference......................................................................................................................................... 127

I. Introduction

In today’s interconnected world, the significance of robust IT security measures cannot be overstated.
Organizations, regardless of size or industry, face an ever-growing array of cyber threats that can
compromise critical business operations, sensitive data, and their reputation. This report is crafted to provide
a comprehensive assessment of IT security risks, outline effective organizational security procedures, and
propose practical solutions to safeguard business assets.

As a trainee IT Security Specialist at FPT Information Security (FIS), this document will serve as both a
detailed technical guide and a training resource for junior staff. It will equip them with the necessary
knowledge to identify security risks, implement security protocols, and evaluate the effectiveness of various
security tools.

The report begins by exploring different types of security risks and their potential consequences, illustrated
by real-world security breaches. It then delves into essential organizational security procedures and the
critical role of network monitoring systems. The impact of incorrect firewall and VPN configurations is
analyzed to highlight the importance of meticulous network policies. Furthermore, practical methods for
assessing and treating security risks are discussed, along with an evaluation of physical and virtual security
measures to ensure a defense-in-depth approach.

This comprehensive approach ensures that FIS can effectively protect its clients from evolving cyber threats,
strengthen its security posture, and maintain business continuity in an increasingly volatile digital landscape.
Let’s dive into the critical aspects of IT security and explore actionable strategies to fortify organizational
defenses.

II. Content

1. Discuss types of security risks to organisations. (P1)


1.1. IT risks definition
IT security risks refer to potential threats that exploit vulnerabilities in an organization’s information
systems, leading to data breaches, financial losses, operational disruption, or reputational damage. These
risks may arise from various factors, including technical flaws, human errors, malicious attacks, and
regulatory compliance issues. [Note: Information system-related security risks are those risks that
arise from the loss of confidentiality, integrity, or availability of information or information systems
and reflect the potential adverse impacts to organizational operations (including mission,
functions, image, or reputation), organizational assets, individuals, other organizations, and the
Nation. Adverse impacts to the Nation include, for example, compromises to information systems
that support critical infrastructure applications or are paramount to government continuity of
operations as defined by the Department of Homeland Security.]

1.2. Types of risks to organizations.
Understanding the different types of security risks is essential for building a resilient defense strategy. Each
type of threat targets specific vulnerabilities, exploiting them in unique ways. Below, we break down the
most prevalent security risks, complete with real-world examples to illustrate their impact. By recognizing
these threats, organizations can proactively strengthen their security measures and mitigate potential
damages.

1.2.1. Malware Attacks:

Malware is malicious software designed to harm or exploit computer systems. Common types
include:

- Ransomware: Encrypts data and demands a ransom for its release (e.g., WannaCry attack in 2017).
- Trojans: Disguised as legitimate software but carry malicious payloads.
- Spyware: Secretly collects user data, like passwords and credit card numbers.

Example: In 2021, Colonial Pipeline was hit by a ransomware attack, causing widespread fuel
shortages in the U.S.

1.2.2. Social Engineering:

Social engineering manipulates people into giving up confidential information. Techniques include:

- Phishing: Fake emails or messages tricking users into clicking malicious links.
- Impersonation: Pretending to be a trusted entity to gain access.

Example: In 2020, hackers used phishing emails to breach Twitter, taking over high-profile
accounts to run a cryptocurrency scam.

1.2.3. Data Breaches:

A data breach occurs when attackers gain unauthorized access to sensitive data. This can result in
identity theft, financial fraud, and reputational damage.

Example: In 2023, VNDirect suffered a breach exposing customer transaction data, shaking trust in
Vietnam’s financial sector.

1.2.4. DDoS (Distributed Denial of Service) Attacks:

DDoS attacks flood a network or server with traffic, causing service disruptions.

Example: In 2016, the Mirai botnet targeted DNS provider Dyn, crashing major websites like
Netflix and Twitter.

1.2.5. Insider Threats:

Employees or contractors with access to systems may intentionally or accidentally cause harm. This
could involve data theft, sabotage, or negligence.

Example: A Tesla employee in 2020 was bribed by hackers to install malware but reported the
incident instead, averting a major attack.

1.2.6. Supply Chain Vulnerabilities:

Cybercriminals target weaker third-party vendors to infiltrate larger organizations.

Example: The 2020 SolarWinds attack compromised government agencies and Fortune 500
companies through a compromised software update.

1.3. Recent Security Breaches in Vietnam:

Understanding real-life security breaches helps organizations recognize patterns of attacks and proactively
strengthen their defenses. Below are five recent security breaches in Vietnam, highlighting the severity and
consequences of each incident.

- VNDirect (2023) – Trading System Compromise: Attackers exploited system vulnerabilities, gaining unauthorized access to customer transaction data. This breach disrupted trading activities, damaged customer trust, and resulted in significant financial losses.
- Vietnam Airlines (2022) – Passenger Data Leak: A cyberattack targeted the airline’s database, exposing sensitive passenger information. This breach led to public backlash, regulatory scrutiny, and reputational harm.
- Tiki E-commerce Platform (2021) – Customer Data Breach: Hackers infiltrated the platform’s servers, stealing customer information, including names, addresses, and phone numbers. The incident raised concerns over the security of online shopping platforms.
- Ho Chi Minh City Securities Corporation (2022) – Phishing Attack: Employees were tricked into clicking phishing links, giving attackers access to internal systems. The breach disrupted services and exposed confidential client investment data.
- Momo E-wallet (2023) – API Exploit: Cybercriminals exploited vulnerabilities in the wallet’s API, leading to unauthorized transactions and theft of user funds. The breach highlighted the importance of securing fintech platforms against evolving threats.

1.4. Consequences of the Breach:

Security breaches have severe and far-reaching consequences for organizations, affecting not only their
finances but also their long-term viability and reputation. Let’s break down these impacts in more detail:

- Financial Losses:
  - Direct costs: Ransom payments, legal fees, regulatory fines, and compensation for affected customers.
  - Indirect costs: Revenue loss due to downtime, disrupted operations, and reduced customer retention.
  - Long-term financial strain: Increased insurance premiums, cost of rebuilding security infrastructure, and ongoing monitoring expenses.
- Reputational Damage:
  - Loss of customer trust: Customers may abandon a company that fails to protect their data, leading to reduced sales and market share.
  - Negative media coverage: Public reporting of security breaches can tarnish a company’s image, making it harder to attract new customers or business partners.
  - Investor concerns: Share prices may drop, and investors may lose confidence in the company’s management and future prospects.
- Operational Disruption:
  - Service outages: Cyberattacks like DDoS or ransomware can cripple business operations for days or even weeks.
  - Productivity losses: Employees may be unable to perform their tasks while systems are restored, causing cascading delays across departments.
  - Recovery efforts: Restoring data, investigating breaches, and implementing stronger defenses can consume significant time and resources.
- Intellectual Property Theft:
  - Loss of competitive advantage: Stolen proprietary data, product designs, or business strategies can be sold to competitors or used to build rival products.
  - Legal and compliance risks: Breaches involving intellectual property can trigger legal battles, especially if trade secrets or confidential contracts are compromised.
- Customer and Partner Impact:
  - Data misuse: Stolen customer data can lead to identity theft, financial fraud, and phishing attacks, eroding consumer confidence.
  - Partner disruptions: Breaches can cascade through supply chains, causing disruptions for business partners and damaging collaborative relationships.

1.5. Suggested Solutions for Organizations:

To mitigate security risks and prevent future breaches, organizations should adopt a multi-layered security
strategy. Let’s break this down into practical, actionable solutions:

- Proactive Security Monitoring:
  - Implement Security Information and Event Management (SIEM) systems to detect and respond to threats in real time.
  - Use Intrusion Detection and Prevention Systems (IDS/IPS) to block malicious traffic.
- Regular Security Audits and Penetration Testing:
  - Conduct periodic vulnerability scans to identify weak points in the system.
  - Perform simulated attacks to test the resilience of security defenses.
- Employee Training and Awareness:
  - Develop security training programs to educate employees about phishing, social engineering, and safe online practices.
  - Run regular phishing simulations to reinforce knowledge and improve response times.
- Data Encryption and Access Controls:
  - Encrypt sensitive data both in transit and at rest to prevent unauthorized access.
  - Enforce role-based access controls (RBAC) and least privilege principles to limit user access.
- Incident Response and Recovery Planning:
  - Create a detailed incident response plan outlining steps to contain, eradicate, and recover from attacks.
  - Conduct regular drills to ensure the team is prepared to handle real-world threats.
- Third-Party Risk Management:
  - Assess and monitor third-party vendors for security compliance.
  - Establish strict security requirements and conduct regular audits of external partners.

By implementing these solutions, organizations can significantly enhance their security posture, reduce the
likelihood of breaches, and safeguard their assets against emerging threats.
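The "Proactive Security Monitoring" item above says that a SIEM or IDS/IPS should detect threats in real time. The Python script below is an added example, not part of the original report and not FIS or vendor code: it applies the kind of rule such a system runs, a sliding-window count of failed SSH logins per source address, to a handful of sshd-style log lines. The log lines, the rule of five failures within sixty seconds, and the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the example. It also correlates a later successful login from an address that was already flagged, which is the event a responder needs to see first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style authentication log (not a real capture). Timestamps are
# written in ISO 8601 for easy parsing; addresses come from the documentation ranges.
SAMPLE_LOG = [
    "2025-04-08T10:00:01 sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2025-04-08T10:00:05 sshd[2312]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2025-04-08T10:00:09 sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2",
    "2025-04-08T10:00:12 sshd[2314]: Failed password for khoa from 198.51.100.5 port 40001 ssh2",
    "2025-04-08T10:00:14 sshd[2315]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "2025-04-08T10:00:18 sshd[2316]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "2025-04-08T10:00:20 sshd[2317]: Accepted password for khoa from 198.51.100.5 port 40002 ssh2",
    "2025-04-08T10:00:25 sshd[2318]: Accepted password for root from 203.0.113.7 port 51127 ssh2",
    "2025-04-08T10:03:00 sshd[2319]: Failed password for root from 203.0.113.7 port 51128 ssh2",
]

# The two line shapes this example tracks; everything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return (timestamp, outcome, user, ip) for a tracked line, or None otherwise."""
    for outcome, pattern in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = pattern.match(line)
        if m:
            return datetime.fromisoformat(m["ts"]), outcome, m["user"], m["ip"]
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window rule: alert once when a source address reaches `threshold`
    failed logins inside `window_seconds`, then flag any later success from it."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()               # sources already alerted on (one alert per source)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unrelated line, e.g. session opened/closed
        ts, outcome, user, ip = parsed
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # expire failures older than the window
        if outcome == "failed":
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "brute_force", "source": ip, "failures": len(window),
                    "first_seen": window[0].isoformat(), "last_seen": ts.isoformat(),
                })
        elif ip in flagged:       # a success from a flagged source is the urgent case
            alerts.append({"type": "success_after_bruteforce", "source": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log the rule fires once for 203.0.113.7 (five failures between 10:00:01 and 10:00:18) and then raises the success-after-brute-force alert for the accepted login at 10:00:25; the single failure from 198.51.100.5 stays below the threshold. The sixth failure at 10:03:00 is outside the window and the source is already flagged, so it produces no further alert. Real sshd lines carry syslog timestamps rather than the ISO form assumed here, so the regular expressions would need adjusting before reading /var/log/auth.log directly.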

2. Organizational Security Procedures (P2)

Implementing robust security procedures is essential for organizations to safeguard their systems, data,
and infrastructure. In this section, we will explore three critical security procedures that organizations
should adopt to mitigate risks and maintain business continuity, with detailed explanations and practical
examples.

2.1. Security Awareness Training Program:

Human error remains one of the most significant vulnerabilities in cybersecurity. Even the most advanced
security systems can be bypassed through phishing, social engineering, or employee negligence.
Therefore, security awareness training is a foundational element of a strong security posture.

- Regular Training Sessions: Conduct periodic training sessions to educate employees on cybersecurity best practices, such as recognizing phishing emails, using strong passwords, and safely handling sensitive data.
  - Example: A company organizes monthly training workshops where employees learn how to detect suspicious links and report phishing attempts.
- Interactive Simulations: Use simulated attacks to test employee awareness in real-life scenarios. This helps identify gaps in knowledge and reinforces learning through practice.
  - Example: Employees receive simulated phishing emails, and those who click the link are redirected to a training module explaining their mistake.
- Security Culture Development: Foster a culture where security is a shared responsibility. Encourage employees to report suspicious activity and create channels for easy communication with the security team.
  - Example: An organization creates a “Security Champion” program, where volunteers from each department serve as liaisons to the IT security team.
- Effectiveness Measurement: Track training outcomes with metrics like phishing test success rates, quiz scores, and incident reports to continuously refine training content.
  - Example: After six months of training, the phishing click-through rate drops by 70%, indicating improved employee awareness.

2.2. Incident Response Plan:

No security system is completely foolproof, so organizations must be prepared to respond to incidents
swiftly and effectively. An incident response plan (IRP) outlines the processes for handling security
breaches, reducing damage, and restoring normal operations.

- Documented Response Strategy: Develop a comprehensive incident response document outlining specific actions for each stage of an incident: preparation, detection, containment, eradication, and recovery.
  - Example: A financial institution maintains a detailed IRP that guides teams through isolating compromised systems, notifying regulators, and restoring operations.
- Role and Responsibility Assignment: Clearly define the roles of each team member involved in incident response. This avoids confusion during critical moments and ensures a coordinated effort.
  - Example: The IRP assigns tasks to incident handlers, forensic analysts, legal advisors, and PR officers to handle both technical and public-facing aspects of a breach.
- Regular Drills and Simulations: Conduct regular tabletop exercises and live drills to prepare teams for real-world incidents. Simulations help refine response times and identify potential weaknesses.
  - Example: The organization conducts an annual ransomware drill, testing the team’s ability to isolate affected devices and restore data from backups.
- Post-Incident Analysis: After resolving an incident, conduct a post-mortem analysis to understand what went wrong, how the breach occurred, and what measures can prevent future incidents.
  - Example: Following a DDoS attack, the security team reviews logs to determine the attack vector, then upgrades firewalls and strengthens rate-limiting rules.

2.3. Access Control Management:

Managing user access is crucial for minimizing insider threats and limiting the potential damage of
compromised accounts. A robust access control policy ensures users only have access to the resources
necessary for their roles.

- Principle of Least Privilege (PoLP): Restrict user permissions to the bare minimum required for their job. This reduces the impact of compromised accounts or insider threats.
  - Example: An accountant can access financial records but is restricted from modifying system configurations.
- Multi-Factor Authentication (MFA): Strengthen login security by requiring multiple forms of verification, such as a password and a temporary code sent to a phone.
  - Example: Employees log into their accounts using a password and confirm their identity via an authentication app like Google Authenticator.
- Regular Access Reviews: Conduct periodic reviews of user accounts to ensure access rights remain appropriate as employees change roles or leave the organization.
  - Example: The IT department reviews access logs quarterly and removes permissions for employees who have transferred or departed.
- Privileged Access Management (PAM): Use PAM systems to control and monitor high-privilege accounts. These systems add layers of security and provide detailed logs of privileged activities.
  - Example: System administrators must check out elevated credentials through a PAM solution like CyberArk, which records all actions performed with those accounts.

The Power of Layered Defense:

By combining employee education, incident preparedness, and strict access controls, organizations build a
multi-layered security defense. Each layer compensates for potential weaknesses in another, creating a
comprehensive security ecosystem that reduces the likelihood and impact of attacks.

3. Benefits of Network Monitoring Systems (M1)

Network monitoring systems play a critical role in safeguarding an organization’s infrastructure. They
provide continuous oversight of network activity, helping detect and mitigate threats before they escalate
into major incidents. Let’s explore the key components, why network monitoring is necessary, and the direct
benefits it provides.

3.1. Network Monitoring Devices:

Deploying the right network monitoring devices is essential to building a strong, proactive security
infrastructure. These tools continuously scan, analyze, and log network activity, providing insights that help
detect, prevent, and mitigate threats. Let’s dive into the most crucial network monitoring devices and their
functions:

 Intrusion Detection System (IDS):
o Monitors network traffic and generates alerts when suspicious or anomalous activity is
detected.
o Matches known attack patterns with signature-based detection and flags departures
from a learned baseline of normal traffic with anomaly-based detection.
o Example: An IDS flags repeated failed login attempts from multiple IP addresses, indicating
a potential brute-force attack.
 Intrusion Prevention System (IPS):
o Takes IDS a step further by actively blocking malicious traffic or dropping suspicious
packets based on security policies.
o Can respond automatically, dropping the offending connection or blocking the source IP
address in real time.
o Example: An IPS identifies a SQL injection attempt and immediately blocks the request,
preventing the attack from reaching the database server.
 Security Information and Event Management (SIEM):
o Collects and correlates log data from multiple sources — including servers, firewalls, and
applications — to provide a centralized view of security events.
o Uses advanced analytics to detect complex threats that may not be obvious from a single
event.
o Example: A SIEM system notices a pattern of unusual file access combined with privilege
escalation, alerting the security team to a possible insider threat.
 Network Traffic Analysis Tools:
o Capture and examine network packets to provide deep visibility into traffic flows and detect
anomalies at a granular level.
o Helps with troubleshooting performance issues, identifying potential data exfiltration, and
analyzing suspicious traffic patterns.

o Example: Wireshark captures packet data, revealing large outbound traffic from an internal
server to an unfamiliar external IP, signaling a potential data breach.
 Log Management Solutions:
o Collect and store logs from various devices and applications, organizing them for easy search
and analysis.
o Essential for forensic investigations, helping to trace incidents and understand the timeline
of an attack.
o Example: A log management system retains firewall logs, showing that an attacker scanned
the network for vulnerabilities before launching a targeted attack.
 Flow-Based Monitoring (e.g., NetFlow):
o Tracks metadata about network traffic, such as IP addresses, protocols, and connection
durations, without capturing full packet data.
o Useful for identifying traffic spikes, unusual data transfers, and lateral movement within a
network.
o Example: NetFlow reveals a sudden surge of outbound traffic to a foreign IP at odd hours,
helping the security team uncover an ongoing exfiltration attempt.
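To make the IDS and SIEM examples in the list above concrete, here is an added example (not from the original report, and not the logic of any named product) that runs the two detection styles described over constructed log lines: a signature-plus-threshold rule for brute-force logins (five failures from one address inside 60 seconds) and a correlation rule that pairs sensitive file reads with a later privilege escalation by the same user. The log format, thresholds, window and sensitive path prefixes are assumptions.

```python
"""Threshold and correlation detection over constructed log lines.

Added example, not part of the original report. The log lines, the brute-force
threshold (5 failures from one IP within 60 s), the correlation window (10 min)
and the sensitive path prefixes are all constructed/assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication log.
AUTH_LOG = """\
2025-04-08T09:00:01 sshd: Failed password for root from 203.0.113.9
2025-04-08T09:00:03 sshd: Failed password for root from 203.0.113.9
2025-04-08T09:00:05 sshd: Failed password for admin from 203.0.113.9
2025-04-08T09:00:07 sshd: Failed password for admin from 203.0.113.9
2025-04-08T09:00:09 sshd: Failed password for admin from 203.0.113.9
2025-04-08T09:00:30 sshd: Accepted password for alice from 10.0.0.5
2025-04-08T09:05:00 sshd: Failed password for bob from 10.0.0.7
"""

# Constructed application audit log (file access and privilege use).
AUDIT_LOG = """\
2025-04-08T10:00:00 audit: user=dave action=read path=/finance/payroll.xlsx
2025-04-08T10:03:00 audit: user=dave action=read path=/hr/salaries.csv
2025-04-08T10:06:00 audit: user=dave action=sudo cmd=/bin/bash
2025-04-08T11:30:00 audit: user=alice action=read path=/finance/q1.xlsx
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
AUDIT = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+)(?: path=(?P<path>\S+))?")
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # assumed

def parse(log):
    """Yield (timestamp, source, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["msg"]

def detect_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Signature + threshold rule: N failed logins from one IP inside a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for ts, _, msg in parse(log):
        m = FAILED.search(msg)
        if not m:
            continue
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["ip"], ts))
            q.clear()              # one alert per burst, not one per packet
    return alerts

def correlate_insider(log, window=timedelta(minutes=10)):
    """Correlation rule: sensitive file reads followed by privilege escalation by the same user."""
    reads = defaultdict(list)     # user -> timestamps of sensitive reads
    alerts = []
    for ts, _, msg in parse(log):
        m = AUDIT.search(msg)
        if not m:
            continue
        user, action, path = m["user"], m["action"], m["path"]
        if action == "read" and path and path.startswith(SENSITIVE_PREFIXES):
            reads[user].append(ts)
        elif action == "sudo":
            preceding = [t for t in reads[user] if ts - t <= window]
            if preceding:
                alerts.append((user, len(preceding), ts))
    return alerts

if __name__ == "__main__":
    print("brute force:", detect_bruteforce(AUTH_LOG))
    print("insider   :", correlate_insider(AUDIT_LOG))
```

On the constructed logs the threshold rule fires once for 203.0.113.9 at 09:00:09 and ignores the single failure from 10.0.0.7; the correlation rule fires for dave, whose two sensitive reads fall inside ten minutes of his sudo, while alice's lone read produces nothing. Tuning the window and threshold to the environment is what keeps both rules from drowning the team in alerts.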

By combining these devices, organizations can build a multi-layered defense system that not only identifies
threats early but also responds in real time to neutralize them.

3.2. Why Network Monitoring is Essential:

A well-implemented network monitoring system is crucial for maintaining an organization’s security and
operational efficiency. Let’s break down why continuous monitoring is an indispensable part of any
cybersecurity strategy:

 Early Threat Detection:
o Real-time monitoring: Constant surveillance of network traffic helps catch anomalies the
moment they appear, reducing the window of opportunity for attackers.
o Behavioral analysis: Monitoring tools can establish a baseline for normal activity and alert
teams when deviations occur, such as unusual login locations or unexpected file transfers.
o Example: A bank’s SIEM system detects a sudden increase in failed login attempts from an
unfamiliar country, triggers an automated account lockout through the identity platform, and
alerts the security team.
 Performance Optimization:
o Network health insights: Monitoring tools help detect latency issues, bandwidth overuse,
or device failures, allowing teams to resolve issues before users are affected.
o Load balancing recommendations: By tracking usage patterns, monitoring systems can
suggest load balancing or server scaling to maintain optimal performance.
o Example: An online retailer uses network analytics to spot server congestion during peak
sales events, adjusting server capacity in real time to prevent slowdowns.
 Regulatory Compliance:
o Data logging and retention: Standards such as PCI DSS and HIPAA require audit logs of
access to cardholder and patient data, and GDPR requires organizations to show that
appropriate security measures are in place; retained network and access logs are the
evidence for both.
o Automated compliance checks: Monitoring systems can run regular compliance audits,
checking for misconfigurations or unauthorized access attempts.

o Example: A healthcare provider uses SIEM to log and analyze all access to patient records,
ensuring compliance with HIPAA regulations.
 Forensic Investigation:
o Detailed traffic logs: When an incident occurs, monitoring logs provide a detailed history
of network activity, helping investigators trace the attack path.
o Attack pattern analysis: By studying historical data, analysts can identify attack techniques
and use that knowledge to strengthen defenses.
o Example: After a data breach, investigators review network logs to find the point of entry,
revealing that attackers exploited an unpatched server vulnerability.
 Capacity Planning:
o Resource forecasting: Monitoring helps track usage trends, guiding decisions on when to
upgrade hardware, increase bandwidth, or reallocate resources.
o Scalability insights: Understanding traffic spikes and usage patterns ensures the network
can scale to meet future demands without unexpected outages.
o Example: A video streaming service analyzes traffic data to predict viewer demand,
upgrading infrastructure to handle anticipated load increases during major events.

By continuously monitoring their networks, organizations can proactively defend against threats, ensure
system stability, meet regulatory requirements, and make informed decisions about infrastructure growth.
This not only enhances security but also contributes to seamless business operations and long-term success.

3.3. Key Benefits of Network Monitoring:

Network monitoring systems are not just about spotting threats — they provide a wealth of benefits that
enhance both security and network performance. Let’s break down the core advantages in detail, showing
how these systems protect organizations and drive operational efficiency.

3.3.1. Proactive Threat Detection:

 Early identification of attacks: Network monitoring tools can detect suspicious activity, such as
unusual login attempts, malware signatures, or abnormal traffic patterns, allowing organizations to
address threats before they cause significant damage.
o Example: An IDS detects a port-scanning attempt on the company’s servers, alerting the
security team to block the attacker’s IP address.
 Real-time response to threats: Monitoring systems with automated response capabilities can
immediately isolate compromised devices, block malicious traffic, or alert administrators to take
action.
o Example: An IPS automatically shuts down connections from an IP address performing a
brute-force attack on a web server.
 Reduced dwell time: Detecting threats early minimizes the time attackers spend inside the network,
reducing the chance of data theft or long-term damage.
o Example: A SIEM system correlates unusual file access and privilege escalation, alerting the
team within minutes — preventing a ransomware attack from spreading.

3.3.2. Enhanced Network Visibility:

 Full infrastructure oversight: Monitoring tools provide a complete view of all devices,
applications, and traffic flows in the network, making it easier to identify vulnerabilities or
misconfigurations.
o Example: A traffic analysis tool reveals an outdated server still connected to the internet,
prompting IT to decommission it before it becomes an entry point for attackers.
 Increased situational awareness: Knowing exactly what is happening on the network at any given
moment allows security teams to make faster, more informed decisions.
o Example: During a suspected DDoS attack, network monitoring shows which servers are
being targeted, allowing administrators to reroute traffic and maintain service availability.
 Faster issue diagnosis: Monitoring tools can pinpoint the source of network issues, whether it’s a
failing router, a misconfigured firewall, or a traffic bottleneck.
o Example: A network traffic analysis (NTA) tool identifies that a sudden slowdown is caused by
a misconfigured switch, helping IT resolve the issue within minutes.

3.3.3. Compliance and Forensic Investigation:

 Regulatory compliance support: Many industries are required to monitor and log network activity
to meet standards like GDPR, HIPAA, and PCI DSS. Monitoring systems simplify compliance by
automating log collection and alerting teams to policy violations.
o Example: A healthcare provider uses SIEM to log every access to patient records, ensuring
compliance with HIPAA data privacy regulations.
 Detailed audit trails: Monitoring tools provide detailed logs and reports that help organizations
demonstrate compliance during audits and investigations.
o Example: After a security audit, the company provides regulators with detailed access logs
showing all administrative account activity over the past year.
 Incident investigation and root cause analysis: When breaches occur, historical data helps
forensic analysts understand the attack vector, timeline, and affected systems.
o Example: Following a data breach, investigators use network traffic logs to discover that
attackers exploited an unpatched VPN vulnerability to gain access.

3.3.4. Performance Optimization and Capacity Planning:

 Identify and resolve performance bottlenecks: Monitoring tools can spot slowdowns, dropped
packets, and overutilized resources, helping teams optimize network performance.
o Example: A retailer discovers that their web servers slow down every Friday evening due to
high traffic, allowing them to add load balancing to prevent future issues.
 Plan for future growth: Usage data helps organizations predict future bandwidth, hardware, and
software needs, making it easier to scale infrastructure as the business grows.
o Example: A media company analyzes traffic trends to anticipate bandwidth requirements for
a live-streaming event, preventing disruptions during peak hours.
 Network health insights: Monitoring helps track device health, flagging hardware that may be
nearing failure so teams can replace it before outages occur.
o Example: A network monitoring system detects that a core router is intermittently dropping
packets, prompting IT to schedule maintenance and avoid an unexpected outage.

3.3.5. Cost Efficiency and Risk Reduction:

 Avoid costly downtime: Catching issues early reduces the likelihood of catastrophic failures or
breaches, saving organizations the financial and reputational costs of prolonged outages.
o Example: A manufacturer avoids a costly production halt when their monitoring system
alerts them to failing IoT devices on the factory floor.
 Minimize damage from attacks: Faster detection and response reduce the financial impact of
cyberattacks, as organizations can shut down threats before they escalate.
o Example: A financial institution prevents millions in losses when their IPS blocks a data
exfiltration attempt mid-transfer.
 Resource optimization: Insights from monitoring tools help organizations optimize existing
resources, reducing the need for unnecessary hardware purchases or bandwidth upgrades.
o Example: Network analysis shows that a company’s bandwidth usage is unevenly
distributed, allowing them to redistribute workloads without upgrading their internet
package.

By implementing a comprehensive network monitoring system, organizations gain more than just security
— they achieve better network performance, improved compliance, and long-term cost savings. This layered
approach strengthens the organization’s security posture while empowering IT teams with the insights they
need to make strategic, data-driven decisions.

4. Impact of Incorrect Firewall and VPN Configurations (P3)

Effective firewall and VPN configurations are crucial for maintaining network security, but
misconfigurations can introduce significant vulnerabilities. Let’s explore how firewalls and VPNs function,
the consequences of poor configurations, and real-world examples to illustrate these impacts.

4.1. Firewalls and Policies:

Firewalls are essential components of network security, acting as gatekeepers that regulate traffic between
trusted internal networks and untrusted external networks (like the internet). Properly configured firewalls
protect against a wide range of cyber threats, but even small misconfigurations can create dangerous
vulnerabilities. Let’s break this down in detail!

4.1.1. What Are Firewalls?

A firewall is a security system that monitors and controls incoming and outgoing network traffic
based on predetermined security rules. It acts as a barrier between a trusted network and potentially
malicious external networks, deciding whether to allow or block traffic.

Types of Firewalls:

 Packet-Filtering Firewalls:
o Examines each packet in isolation, based on source/destination IP addresses, ports, and protocols.
o Simple and fast, but keeps no connection state, so it cannot tell a legitimate reply from
an unsolicited inbound packet to the same port.

o Example: Blocking all incoming traffic to port 23 (Telnet) to prevent unauthorized
remote access.
 Stateful Inspection Firewalls:
o Tracks the state of active connections and makes decisions based on connection state and
packet attributes.
o More secure than packet filtering but requires more processing power.
o Example: Allowing traffic from an external web server only if it’s a response to an
internal user’s request.
 Next-Generation Firewalls (NGFWs):
o Combines traditional firewall features with advanced functionalities like Deep Packet
Inspection (DPI), intrusion prevention, and application awareness.
o Example: Blocking Facebook access on company devices while allowing LinkedIn for
business purposes.
 Web Application Firewalls (WAFs):
o Specially designed to protect web applications from threats like SQL injection and cross-
site scripting (XSS).
o Example: Filtering malicious input data to prevent attackers from injecting harmful code
into a website.

4.1.2. Key Firewall Policies:

Policies define how firewalls handle network traffic. The goal is to allow legitimate traffic while
blocking malicious or suspicious connections.

 Access Control Lists (ACLs): Rules that specify allowed or denied traffic based on IP
addresses, ports, and protocols.
o Example: Allowing inbound HTTP (port 80) and HTTPS (port 443) traffic but
blocking all other ports.
 Default-Deny Rule: A security-first approach where all traffic is blocked unless explicitly
allowed.
o Example: Only whitelisting specific IP addresses for remote management.
 Time-Based Rules: Restricting access to certain services during specific hours.

o Example: Allowing access to social media sites only during lunch breaks.
 Geo-Blocking: Blocking or allowing traffic based on geographic locations.
o Example: Denying inbound traffic from countries where the organization has no users or
partners. Geo-blocking cuts noise but is easily bypassed through a VPN or a compromised host
in an allowed country, so it should never be the only control on a service.

4.1.3. Common Firewall Configurations:

 DMZ (Demilitarized Zone): A buffer zone that separates internal systems from externally
accessible services.
o Example: Hosting public web servers in a DMZ to isolate them from internal systems.
 Port Forwarding: Redirecting traffic from one port to another to enable remote access to
internal resources.
o Example: Forwarding SSH traffic on port 2222 to an internal server’s port 22. The forwarded
service is reachable from the whole internet, so it needs the same hardening as a DMZ host
(key-based authentication, source-IP restrictions, rate limiting); an unusual port hides
nothing from a port scanner.
 NAT (Network Address Translation): Masking internal IP addresses to hide the internal
addressing scheme from outside observers.
o Example: Translating internal IP addresses to a single public IP address for outbound
traffic. NAT is not a substitute for filtering: a port forward or a permissive rule still
exposes the mapped host, so NAT belongs behind the firewall policy, not in place of it.

4.1.4. Real-World Example:

In 2021, a global logistics company suffered a breach because of a misconfigured firewall. An
unused port left open allowed attackers to infiltrate the network, plant malware, and disrupt
operations for weeks. The breach resulted in millions of dollars in losses and damaged customer
trust.

The incident could have been prevented with regular audits and proper firewall hardening.

4.1.5. Best Practices for Firewall Management:

 Least Privilege Principle: Only allow the minimum necessary access for users and services.
 Regular Rule Audits: Periodically review and clean up outdated or overly permissive rules.
 Change Management: Implement strict processes for modifying firewall rules, with peer
reviews and testing.
 Logging and Monitoring: Enable detailed logging and integrate with SIEM systems for
real-time threat detection.
 Patch Management: Keep firewall firmware and software updated to protect against
emerging vulnerabilities.

By implementing these policies and best practices, organizations can fortify their defenses and
drastically reduce the risk of breaches. Firewalls are powerful, but their strength lies in proper
configuration and continuous monitoring.

4.2. VPN Explanation:

A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection over a public
or untrusted network, allowing users to send and receive data as if their devices were directly connected to
a private network. VPNs are essential for securing remote access and protecting sensitive information from
interception.

4.2.1 Types of VPNs:

 Remote Access VPN:
o Allows individual users to connect to a private network from a remote location.
o Useful for remote workers or traveling employees.
o Example: An employee connects to their company's internal systems from home via a
VPN client.
 Site-to-Site VPN:
o Connects entire networks (e.g., branch offices) over the internet.
o Creates a seamless, secure link between multiple locations.
o Example: A company connects its headquarters to a satellite office, enabling employees
in both locations to access shared resources.
 SSL/TLS VPN:
o Uses web browsers for secure access to applications and services without the need for a
dedicated client.
o Ideal for secure access to internal web applications.
o Example: A contractor logs into a company's portal via an HTTPS connection to access
project files.

4.2.2. Key VPN Components:

 VPN Protocols: Negotiate keys and encrypt data in transit (e.g., IPsec, OpenVPN, WireGuard),
using ciphers such as AES-GCM or ChaCha20-Poly1305.
 Authentication Methods: Verifies user identities (e.g., passwords, digital certificates, multi-
factor authentication).
 Tunneling Protocols: Encapsulates data packets for transmission (e.g., L2TP, GRE). On their
own these provide no confidentiality: L2TP is normally paired with IPsec, and a GRE tunnel
must be wrapped in IPsec before it can be called a VPN.

4.2.3. Benefits of VPNs:

 Data Encryption: Protects sensitive information from eavesdropping.
 Remote Access Security: Ensures employees can safely access internal systems from any
location.
 IP Masking: Hides users’ IP addresses, reducing their online footprint.
 Bypass Geo-Restrictions: Allows users to access region-locked services or content.

4.2.4. Common VPN Misconfigurations:

 Weak Encryption Settings: Using outdated or weak encryption algorithms can expose data to
attackers.
 Split Tunneling Risks: With split tunneling only traffic for corporate destinations goes
through the VPN; everything else leaves the device unencrypted and uninspected, and a
compromised endpoint then bridges the internet and the internal network at the same time.
 Lack of Multi-Factor Authentication: Relying solely on passwords increases the risk of
credential theft.
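A simple way to catch the three misconfigurations above before a client profile is rolled out is to lint the configuration file. The following is an added example (not from the original report) that checks an OpenVPN-style client configuration: it flags a weak data cipher or HMAC, a TLS floor below 1.2, the absence of redirect-gateway (which on a client profile means split tunneling unless the server pushes the route), and the absence of an OTP prompt (static-challenge), which this lint treats as the MFA indicator. Both configurations are constructed; the directive names are real OpenVPN directives, but reading static-challenge as proof of MFA and a missing redirect-gateway as split tunneling are assumptions made for the example.

```python
"""Lint an OpenVPN-style client config for the misconfigurations listed above.

Added example, not from the original report. Both configs are constructed.
Assumptions: the client profile (not a server push) decides full- vs split-
tunnel, and an OTP prompt (static-challenge) is the sign that MFA is enforced.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}  # 64-bit blocks / no AEAD
AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC          # 64-bit block cipher, legacy default
auth MD5
tls-version-min 1.0
auth-user-pass         # password only, no second factor
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
redirect-gateway def1  # send all traffic through the tunnel
auth-user-pass
static-challenge "Enter OTP" 1
"""

def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def lint_vpn_config(text):
    d = parse_ovpn(text)
    findings = []

    # 1. Data-channel cipher: prefer AEAD; flag legacy ciphers or an unset cipher
    #    (OpenVPN releases before 2.5 defaulted to BF-CBC when nothing was set).
    if "data-ciphers" in d:
        weak = [c for c in d["data-ciphers"][0][0].split(":") if c.upper() not in AEAD_CIPHERS]
        if weak:
            findings.append(f"non-AEAD data cipher(s) negotiable: {weak}")
    elif "cipher" not in d or d["cipher"][0][0].upper() in WEAK_CIPHERS:
        findings.append("weak or unspecified data cipher (legacy default is BF-CBC)")

    # 2. HMAC for the data channel: OpenVPN defaults to SHA1 when unset.
    if "auth" not in d or d["auth"][0][0].upper() in WEAK_DIGESTS:
        findings.append("weak or unspecified auth digest (default SHA1)")

    # 3. Control-channel TLS floor.
    if "tls-version-min" not in d or float(d["tls-version-min"][0][0]) < 1.2:
        findings.append("TLS version floor below 1.2")

    # 4. Split tunneling: without redirect-gateway only explicit/pushed routes use the tunnel.
    if "redirect-gateway" not in d:
        findings.append("split tunneling: no redirect-gateway, internet traffic bypasses the VPN")

    # 5. MFA: password authentication with no OTP challenge configured.
    if "auth-user-pass" in d and "static-challenge" not in d:
        findings.append("password-only authentication: no OTP/MFA challenge configured")

    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_vpn_config(cfg) or "OK")
```

The weak profile produces all five findings; the hardened one produces none. Running such a check in the pipeline that builds client profiles turns "stay updated on best practices" into an enforced gate rather than a reminder.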

By configuring VPNs carefully and enforcing strict security policies, organizations can provide secure
remote access without compromising network integrity.

4.3. Potential Impacts of Misconfigurations:

While firewalls and VPNs are critical components of a strong security infrastructure, misconfigurations can
lead to severe vulnerabilities. Let’s explore the most significant potential impacts, with real-world examples
to show how small mistakes can cause major security incidents.

4.3.1. Unintended Network Exposure:

 Publicly exposed systems: Misconfigured firewalls with overly permissive rules can
accidentally expose critical internal systems to the public internet.
 Incorrect VPN settings: Split tunneling or routing errors can leak sensitive traffic outside the
encrypted tunnel.

Example: In 2019, a misconfigured firewall at a healthcare provider left a patient database accessible
online without a password, exposing sensitive medical records.

Solution: Apply the principle of least privilege (PoLP) and regularly audit firewall and VPN
configurations to ensure no unintended exposure.

4.3.2. Blocking Legitimate Traffic:

 Service disruptions: Incorrect firewall rules can block necessary traffic, causing downtime for
essential services.
 Remote access failures: VPN misconfigurations can prevent legitimate users from accessing
internal systems, hindering productivity.
Example: A company accidentally blocked DNS traffic during a firewall update, causing all internet
services to go down for several hours.

Solution: Test new firewall rules in a sandbox environment before applying them to production systems.

4.3.3. Performance Degradation:

 Network slowdowns: Poorly optimized firewall rules or VPN configurations can cause
bottlenecks, slowing traffic flow.
 Overloaded VPN servers: Routing all traffic through a single VPN gateway without load
balancing can degrade performance.

Example: A global company experienced sluggish remote access speeds because all VPN traffic was
routed through a single server, creating a chokepoint.

Solution: Use traffic prioritization, optimize firewall rules, and implement VPN load balancing to
ensure smooth performance.

4.3.4. False Sense of Security:

 Inadequate protection: Firewalls or VPNs may appear functional but fail to block certain
threats due to misconfigurations.
 Outdated protocols: Using weak or deprecated encryption standards can make VPN
connections vulnerable to attack.

Example: A company relied on a PPTP VPN, unaware that PPTP’s MS-CHAPv2 authentication and
RC4-based MPPE encryption are broken, allowing attackers to recover credentials and decrypt
intercepted traffic.

Solution: Stay updated on security best practices and conduct regular penetration tests to validate
defenses.

4.3.5. Data Leaks and Breaches:

 Sensitive data exposure: Incorrect VPN routes or firewall rules can allow attackers to bypass
defenses and access confidential data.
 Lateral movement: Misconfigured internal firewalls can let attackers move freely between
systems after breaching the network perimeter.

Example: A cloud service provider accidentally misconfigured a firewall, allowing attackers to access
private storage buckets containing customer data.

Solution: Implement strict internal segmentation, use Data Loss Prevention (DLP) tools, and enable
detailed logging for incident investigation.

4.3.6. Bypassing Authentication Mechanisms:

 Unauthorized access: Firewall misconfigurations might accidentally expose admin portals or
remote management services.
 VPN access loopholes: Failing to enforce multi-factor authentication (MFA) can allow attackers
to gain access with stolen credentials.

Example: Attackers compromised an admin panel because the firewall allowed unrestricted access to
the interface, bypassing internal authentication layers.

Solution: Always require MFA for VPN access, and use internal firewalls to protect sensitive services,
even within the internal network.

4.4. Preventing Misconfigurations:

Preventing firewall and VPN misconfigurations is crucial for maintaining a strong security posture.
Misconfigurations can leave systems vulnerable to attacks, cause service disruptions, or give a false sense
of security. Let’s break down a detailed strategy to prevent these issues and keep networks safe.

4.4.1. Regular Security Audits:

 Routine configuration reviews: Schedule periodic audits to examine firewall rules, VPN
settings, and access controls.
 Penetration testing: Conduct simulated attacks to test for weaknesses caused by
misconfigurations.
 Compliance checks: Ensure configurations align with industry standards (e.g., NIST, ISO
27001, CIS benchmarks).

Example: A company performs quarterly audits and discovers an unused port left open, closing it before
attackers can exploit it.

4.4.2. Automated Configuration Tools:

 Configuration validation: Use tools like Nipper, Nessus, or SolarWinds to automatically
analyze configurations for vulnerabilities.
 Template-based deployments: Standardize configurations with tested templates to reduce
manual errors.
 Policy compliance enforcement: Automatically block configurations that violate security
policies.

Example: A firewall management tool alerts admins to a newly created rule that unintentionally allows
external access to an internal database.

4.4.3. Change Management Protocols:

 Controlled change processes: Require formal requests, peer reviews, and approval workflows
for any configuration change.
 Rollback mechanisms: Maintain backup configurations to quickly revert changes if issues arise.
 Staged rollouts: Apply changes in phases (e.g., test environment → pilot group → full
deployment) to catch issues early.

Example: An organization implements a new VPN authentication method in a test environment before
deploying it network-wide, avoiding unexpected disruptions.

4.4.4. Continuous Monitoring and Alerts:

 Real-time monitoring: Use SIEM and network monitoring tools to track configuration changes
and detect anomalies.
 Alert systems: Configure alerts for risky changes (e.g., opening high-risk ports or disabling
encryption).
 Configuration drift detection: Continuously check for deviations from approved
configurations.

Example: A monitoring system immediately alerts the security team when an administrator
unintentionally disables a critical firewall rule.
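The two situations above (a rule that unintentionally exposes an internal database, and a rule changed without review) can both be caught by a script that audits the running ruleset and compares it with the approved baseline. The following is an added example (not from the original report, and not the output of Nipper, Nessus or SolarWinds) over two constructed rulesets; the high-risk port list, the treatment of any /8-or-wider source as "the internet", the internal ranges and the rule names are assumptions.

```python
"""Audit a firewall ruleset for risky rules and detect drift from the approved baseline.

Added example, not part of the original report and not the output of any
named product. Both rulesets are constructed. Rules are first-match, top to
bottom; dport None means any port.
"""
import ipaddress

# Assumed: ports that should never be reachable from the internet.
HIGH_RISK_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
                   3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(name, src, dst, dport, action):
    return {"name": name, "src": src, "dst": dst, "dport": dport, "action": action}

# Constructed approved baseline (what change control signed off).
APPROVED = [
    rule("web-in",   "0.0.0.0/0",   "198.51.100.10/32", 443,  "allow"),
    rule("mgmt-ssh", "10.0.9.0/24", "10.0.0.0/16",      22,   "allow"),
    rule("db-in",    "10.0.1.0/24", "10.0.2.5/32",      3306, "allow"),
    rule("default",  "0.0.0.0/0",   "0.0.0.0/0",        None, "deny"),
]

# Constructed running config after two unreviewed changes.
RUNNING = [
    rule("web-in",   "0.0.0.0/0",   "198.51.100.10/32", 443,  "allow"),
    rule("mgmt-ssh", "0.0.0.0/0",   "10.0.0.0/16",      22,   "allow"),   # source widened
    rule("db-in",    "10.0.1.0/24", "10.0.2.5/32",      3306, "allow"),
    rule("temp-db",  "0.0.0.0/0",   "10.0.2.5/32",      3306, "allow"),   # "temporary" test rule
    rule("default",  "0.0.0.0/0",   "0.0.0.0/0",        None, "deny"),
]

def is_internet(net):
    """Assumption: a /8 or wider source is effectively the whole internet."""
    return ipaddress.ip_network(net).prefixlen <= 8

def is_internal(net):
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(n) for n in INTERNAL_NETS)

def audit_rules(rules):
    """Flag allow rules that expose risky ports or internal hosts to the internet."""
    findings = []
    default_deny = any(r["action"] == "deny" and r["dport"] is None
                       and is_internet(r["src"]) and is_internet(r["dst"]) for r in rules)
    for r in rules:
        # With first-match semantics any permissive allow above the final deny wins.
        if r["action"] != "allow" or not is_internet(r["src"]):
            continue
        if r["dport"] is None:
            findings.append((r["name"], "all ports open to the internet"))
        elif r["dport"] in HIGH_RISK_PORTS:
            findings.append((r["name"], f"{HIGH_RISK_PORTS[r['dport']]} open to the internet"))
        elif is_internal(r["dst"]):
            findings.append((r["name"], f"internal host {r['dst']} reachable from the internet"))
    if not default_deny:
        findings.append(("policy", "no default-deny rule"))
    return findings

def detect_drift(approved, running):
    """Compare rulesets by name: added, removed, or changed rules."""
    a = {r["name"]: r for r in approved}
    b = {r["name"]: r for r in running}
    drift = [(n, "added") for n in b.keys() - a.keys()]
    drift += [(n, "removed") for n in a.keys() - b.keys()]
    drift += [(n, "changed") for n in a.keys() & b.keys() if a[n] != b[n]]
    return sorted(drift)

if __name__ == "__main__":
    for f in audit_rules(RUNNING):
        print("RISK ", *f)
    for d in detect_drift(APPROVED, RUNNING):
        print("DRIFT", *d)
```

Against the constructed data the audit reports SSH and MySQL open to the internet, and the drift check names the widened mgmt-ssh rule and the added temp-db rule, which is exactly the alert the change-management and monitoring steps above are meant to produce. Exporting the real ruleset in the same shape (name, source, destination, port, action) is vendor-specific and is left out here.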

4.4.5. Documentation and Knowledge Sharing:

 Detailed documentation: Maintain up-to-date records of all firewall rules, VPN settings, and
change histories.
 Knowledge base creation: Build a repository of configuration guidelines, troubleshooting steps,
and common misconfigurations.
 Employee training: Educate IT teams on best practices and common configuration pitfalls.

Example: After resolving a misconfiguration that caused a service outage, the IT team updates
documentation and shares lessons learned in a security workshop.

4.4.6. Least Privilege and Segmentation:

 Principle of least privilege: Restrict admin access to only those who need it, minimizing the
chance of accidental misconfigurations.
 Network segmentation: Isolate critical systems and use internal firewalls to limit the impact of
misconfigurations.
 Role-based access controls (RBAC): Apply granular permissions to reduce the risk of human
error.

Example: An organization limits firewall rule changes to a small, highly trained security team, reducing
the likelihood of accidental mistakes.

By combining these strategies, organizations can drastically reduce the risk of firewall and VPN
misconfigurations. Regular audits, automation, strict change control, continuous monitoring, and
ongoing education work together to create a resilient security environment.

5. DMZ, Static IP, and NAT for Security (P4)

Implementing DMZs, static IPs, and NAT is a powerful strategy to enhance network security. These
technologies help protect internal resources, control access, and hide sensitive network structures from
external threats. Let’s dive into each concept in detail!

5.1. DMZ (Demilitarized Zone):

A Demilitarized Zone (DMZ) is a crucial component in network security architecture, providing a
segmented area where public-facing services can interact with external users while being isolated from the
internal network. Let’s break this down step by step for a comprehensive understanding.

5.1.1. What Is a DMZ?

A DMZ is a perimeter network that acts as a buffer zone between an internal network and the public
internet. It contains systems that need to communicate with external users (like web servers or email
gateways) but are isolated by firewalls to prevent attackers from reaching sensitive internal systems.

5.1.2. How a DMZ Works:

 Dual Firewall Setup: Typically, one firewall sits between the internet and the DMZ, and
another between the DMZ and the internal network.
 Traffic Filtering: The outer firewall allows only specific inbound traffic to the DMZ, while
the inner firewall allows only specific connections from the DMZ into the internal network.
 Limited Access: Servers in the DMZ can interact with external users but can reach only the
internal services the inner firewall explicitly permits (for example, one database port).

5.1.3. Security Benefits:

 Isolation of Public Services: Even if attackers compromise a DMZ server, they reach only
what the inner firewall permits, not the internal network as a whole.
 Reduced Attack Surface: The DMZ limits the number of services exposed to the internet,
reducing potential entry points.
 Granular Traffic Control: Firewalls can tightly control what traffic flows in and out of the
DMZ.
 Easier Threat Monitoring: Security teams can focus monitoring efforts on the DMZ to
detect suspicious activity early.

5.1.4. Common Use Cases:

 Web Servers: Hosting public websites while keeping backend databases in the internal
network.
 DNS Servers: Resolving public domain names without exposing internal DNS servers.
 Email Gateways: Filtering incoming and outgoing email for spam and malware before
forwarding it to internal mail servers.
 SFTP/FTPS Servers: Allowing external file transfers over an encrypted channel without
exposing internal storage systems (plain FTP sends credentials and data in clear text).

Example Scenario:

A company hosts a customer portal on a web server in the DMZ. The outer firewall allows
HTTP/HTTPS traffic to the server, while the inner firewall only allows the web server to query the
internal database on port 3306 (MySQL). Even if attackers breach the web server, the inner firewall
blocks attempts to scan or access other internal systems. That one permitted path is exactly what
an attacker on the web server will try to abuse, so the database account the web server uses
should itself be least-privilege.
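The scenario above as a runnable model, which also illustrates the ACL, default-deny and stateful-inspection behaviour from section 4.1: two zone-aware filters with first-match rules and a connection table, the outer one admitting only HTTP/HTTPS to the web server and the inner one admitting only the web server's MySQL connection to the database. This is an added example (not from the original report) and a simulation rather than a real firewall; the addresses, zones, rules and packets are constructed.

```python
"""Two-firewall DMZ model: zone-based rules, default deny, connection tracking.

Added example, not from the original report; a simulation for illustration.
Addresses use documentation/private ranges and are constructed.
"""
import ipaddress

ZONES = {                                   # anything else is "internet"
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

class StatefulFirewall:
    """First-match rules (from_zone, to_zone, src_net, dst_ip, proto, dport); default deny.

    Allowed flows go into a connection table so that reply packets are admitted
    without an inbound rule, which is what separates stateful inspection from
    plain packet filtering.
    """
    def __init__(self, name, rules):
        self.name = name
        self.rules = rules
        self.conntrack = set()

    def filter(self, pkt):
        src, dst, proto, sport, dport = pkt
        if (dst, src, proto, dport, sport) in self.conntrack:
            return "allow:established"
        from_zone, to_zone = zone_of(src), zone_of(dst)
        for r_from, r_to, r_src, r_dst, r_proto, r_port in self.rules:
            if (from_zone, to_zone, proto, dport) != (r_from, r_to, r_proto, r_port):
                continue
            if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
                continue
            if r_dst != "any" and dst != r_dst:
                continue
            self.conntrack.add(pkt)
            return "allow:new"
        return "deny:default"

WEB, DB = "192.0.2.10", "10.0.2.5"          # constructed web server and database

def build_firewalls():
    outer = StatefulFirewall("outer", [
        ("internet", "dmz", "0.0.0.0/0", WEB, "tcp", 80),
        ("internet", "dmz", "0.0.0.0/0", WEB, "tcp", 443),
    ])
    inner = StatefulFirewall("inner", [
        ("dmz", "internal", WEB + "/32", DB, "tcp", 3306),   # only the web server, only MySQL
    ])
    return outer, inner

def run_scenarios():
    """Constructed packets (src, dst, proto, sport, dport) -> verdict."""
    outer, inner = build_firewalls()
    client, attacker = "203.0.113.50", "203.0.113.99"
    return {
        "client_https":         outer.filter((client, WEB, "tcp", 51000, 443)),
        "https_reply":          outer.filter((WEB, client, "tcp", 443, 51000)),
        "unsolicited_reply":    outer.filter((attacker, WEB, "tcp", 443, 51000)),
        "ssh_from_internet":    outer.filter((attacker, WEB, "tcp", 40000, 22)),
        "web_to_db":            inner.filter((WEB, DB, "tcp", 40001, 3306)),
        "db_reply":             inner.filter((DB, WEB, "tcp", 3306, 40001)),
        "pivot_scan_ssh":       inner.filter((WEB, "10.0.2.7", "tcp", 40002, 22)),
        "other_dmz_host_to_db": inner.filter(("192.0.2.11", DB, "tcp", 40003, 3306)),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The client's HTTPS request and its reply pass the outer firewall (the reply only because the connection table remembers the request), a forged "reply" with no prior request is dropped, and from the compromised web server only the MySQL connection to the database gets through the inner firewall; an SSH probe of another internal host, and a MySQL connection from a different DMZ host, both hit the default deny.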

5.1.5. Potential Misconfigurations and Risks:

 Overly Permissive Rules: If firewalls allow excessive traffic, attackers might pivot from the
DMZ to internal systems.
 Outdated or Unpatched Servers: DMZ servers are high-risk targets, so failing to patch
vulnerabilities can invite exploitation.
 Weak Authentication: Public-facing services need strong authentication and encryption to
prevent brute-force attacks.

5.1.6. Best Practices for DMZ Security:

 Least Privilege Access: Grant the minimum permissions necessary for DMZ servers to function.
 Strict Firewall Rules: Limit inbound traffic to essential ports (e.g., 80 for HTTP, 443 for
HTTPS).
 Regular Patching and Hardening: Keep DMZ servers updated and disable unnecessary services.
 Network Monitoring and Logging: Continuously monitor DMZ traffic and log all access
attempts for forensic analysis.
 Intrusion Detection and Prevention (IDS/IPS): Deploy IDS/IPS systems to catch and block
potential attacks targeting the DMZ.

By implementing these practices, organizations can significantly enhance their security posture and
minimize the risk of breaches.

5.2. Static IP:

A static IP address is a fixed, unchanging IP address manually assigned to a device. Unlike dynamic IP
addresses that can change over time, static IPs remain constant, making them ideal for devices that need
stable and reliable network connections.

5.2.1. How Static IPs Work:

 Fixed Addressing: The IP address is configured manually on the device, or the DHCP server
hands out the same address every time through a reservation tied to the device’s MAC address.
 Consistent Identity: Devices with static IPs always use the same address, simplifying remote
access and network management.

5.2.2. Security Benefits:

 Easier Access Control: Firewall rules can be tied to static IPs, making it easier to allow or block
access.
 Simplified Monitoring: Security systems can track activity more accurately when devices
always use the same IP.
 Reliable VPN Connections: Site-to-site VPN peers identify each other by address, so a static
public IP on each gateway keeps the tunnel from breaking when an address would otherwise change.

5.2.3. Common Use Cases:

 Servers: Web, email, database, and DNS servers.


 Network Equipment: Firewalls, routers, and VPN gateways.
 Security Cameras and IoT Devices: Devices that need constant monitoring and logging.

5.2.4. Example Scenario:

A company assigns a static IP to its internal database server. The firewall is configured to allow
connections only from specific static IP addresses, preventing unauthorized access from unknown
devices.

5.2.5. Potential Risks of Static IPs:

 Predictability: Because the address never changes, an attacker who has learned it (from a scan, a DNS
record or a leaked document) can keep targeting it indefinitely.
 Manual Configuration Errors: Duplicated or mistyped static addresses cause IP conflicts and outages,
and an address that is changed without updating the firewall rules that reference it silently breaks
access control.
 Exposure to Scanning: A scan finds any host that answers, static or not; what a static address adds is
that the result stays valid, so every port left listening on it is a standing exposure.

5.2.6. Best Practices for Using Static IPs:

 Pair with Firewalls: Restrict access to static IPs using strict firewall rules.
 Use Strong Authentication: Protect static IP-enabled services with multi-factor authentication
(MFA).
 Document IP Allocations: Keep an up-to-date record of all assigned static IPs.
 Regular Audits: Periodically review static IP usage to ensure no unnecessary addresses are
exposed.

By carefully managing static IPs and integrating them into a layered security strategy, organizations
can enhance the security, reliability, and visibility of critical systems.

5.3. NAT (Network Address Translation):

Network Address Translation (NAT) is a fundamental technique that lets multiple devices in a private network
share a single public IP address, conserving public addresses and hiding the internal addressing scheme from
the outside. The obscurity it provides is a side effect of translation rather than a security control; the stateful
firewall that normally runs on the same device is what enforces policy. Let's break this down in detail.

5.3.1. What Is NAT?

NAT is a process where a router or firewall translates private IP addresses within a local network to
a public IP address for external communication. This makes it possible for multiple devices to access
the internet using one public IP, while external entities only see the public-facing IP.

5.3.2. How NAT Works:

 Outbound Traffic: When a device in the private network sends traffic to the internet, the NAT
device rewrites the source address to its public IP (and, with PAT, the source port as well) and
records the mapping in a translation table.
 Inbound Traffic: When the reply arrives, the NAT device looks up the mapping and rewrites the
destination back to the original internal IP and port. A packet that matches no table entry has
nowhere to go and is dropped.

5.3.3. Types of NAT:

 Static NAT:
o Maps a single private IP to a fixed public IP.
o Useful for hosting public-facing services.
o Example: Mapping an internal web server (192.168.1.10) to a public IP (203.0.113.1).
 Dynamic NAT:
o Maps private IPs to a pool of public IPs.
o Allocates public IPs dynamically as needed.
o Example: A company with 50 devices maps internal IPs onto a pool of 5 public IPs; only 5
hosts can hold a translation at any moment, so the sixth waits until a pool address is released.
 PAT (Port Address Translation, or NAT Overload):
o Maps multiple private IPs to a single public IP using unique port numbers.
o Most common NAT type for home and business networks.
o Example: Devices 192.168.1.10 and 192.168.1.20 share the public IP 203.0.113.1; the router tells
their flows apart by the translated source port (e.g., 203.0.113.1:1050 and 203.0.113.1:1051).

5.3.4. Security Benefits of NAT:

 IP Address Masking: External entities only see the public IP, not individual private IPs.
 Implicit Inbound Filtering: An unsolicited inbound packet has no translation-table entry and is dropped,
so internal hosts are unreachable unless a port forward or static mapping is configured. This is a side
effect of translation, not a firewall policy, and it must be backed by a stateful firewall.
 Reduced Attack Surface: Internal IP addresses are hidden, making it harder for attackers to target
internal devices directly. An attacker who already has a foothold inside (e.g., via phishing) is not
hindered by NAT at all.

5.3.5. Common Use Cases:

 Internet Access for Private Networks: Allows entire organizations to access the internet
through a single public IP.
 Hosting Public Services: Static NAT is used to make servers accessible from the internet.
 Remote Access and VPNs: A VPN gateway is typically published through static NAT or a single forwarded
port and assigns remote users internal addresses, so they reach internal systems without any other inbound
ports being opened.

5.3.6. Example Scenario:

A company has 200 internal devices with IPs in the range 192.168.1.0/24. Their router uses PAT to
map all devices to the public IP 203.0.113.1. When a user accesses a website, the router replaces
their private IP with the public IP, assigns a unique port, and forwards the request. The website only
sees the public IP, and when it responds, the router uses the port number to direct the response to the
correct internal device.
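
The mechanism described in 5.3.2, 5.3.3 and the scenario above, written out as an added Python simulation that is not part of the original report. It reuses the addresses from the text (203.0.113.1 as the shared public IP, the 192.168.1.0/24 private network, 203.0.113.2 as a static NAT address); the static NAT pair 203.0.113.2 -> 192.168.1.30, the remote hosts in 198.51.100.0/24 and the starting port 1050 are assumptions for the walkthrough. The translation table also records the remote endpoint, so a reply is only delivered from the host the internal client actually contacted.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses follow the text: 203.0.113.1 is the shared public IP and 192.168.1.0/24 the
# private network. The static NAT pair 203.0.113.2 -> 192.168.1.30 is an assumption.
PUBLIC_IP = "203.0.113.1"
STATIC_NAT = {"203.0.113.2": "192.168.1.30"}   # public -> private, one-to-one, ports unchanged

Flow = Tuple[str, int, str, int]                # (priv ip, priv port, remote ip, remote port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """PAT (NAT overload) plus static NAT on one router.

    PAT state is a translation table keyed by the translated source port. Each entry
    also records the remote endpoint, so only the host the internal client talked to
    can use that port to reach it (address- and port-restricted behaviour)."""

    def __init__(self, first_port: int = 1050) -> None:
        self.next_port = first_port
        self.table: Dict[int, Flow] = {}        # translated port -> flow
        self.reverse: Dict[Flow, int] = {}      # flow -> translated port

    def outbound(self, pkt: Packet) -> Packet:
        """Private host -> internet: rewrite source IP and port, record the mapping."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:             # new flow: allocate the next free port
            self.reverse[flow] = self.next_port
            self.table[self.next_port] = flow
            self.next_port += 1
        return Packet(PUBLIC_IP, self.reverse[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> us: static NAT first, then PAT replies, otherwise drop."""
        if pkt.dst_ip in STATIC_NAT:             # published service: always reachable
            return Packet(pkt.src_ip, pkt.src_port, STATIC_NAT[pkt.dst_ip], pkt.dst_port)
        flow = self.table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
        if flow and (pkt.src_ip, pkt.src_port) == flow[2:]:
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])   # reply to a live flow
        return None                              # no matching state: dropped


def walkthrough() -> dict:
    """Two internal hosts reach the same website from the same private port; the
    reply for the second is delivered; an unsolicited probe and a reply forged by
    the wrong remote host are dropped; the static-NAT web server stays reachable."""
    nat = NatDevice()
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    b = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 443))
    reply_b = nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, b.src_port))
    probe = nat.inbound(Packet("198.51.100.9", 40000, PUBLIC_IP, 22))
    spoofed = nat.inbound(Packet("198.51.100.9", 443, PUBLIC_IP, b.src_port))
    web = nat.inbound(Packet("198.51.100.9", 40001, "203.0.113.2", 443))
    again = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))  # same flow, same port
    return {"a": a, "b": b, "reply_b": reply_b, "probe": probe,
            "spoofed": spoofed, "web": web, "again": again}


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:8s} {pkt if pkt else 'DROPPED'}")
```

The two internal hosts use the same private source port 51000, which is exactly why PAT has to rewrite the port and not just the address. The static NAT entry makes the web server reachable regardless of table state, which is the trade-off in 5.3.7: every published mapping is a permanent inbound exposure.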

5.3.7. Potential Risks of NAT:

 Complicated Port Management: Hosting multiple services behind one public IP requires port-forwarding
rules, and every forwarded port is a permanent inbound exposure that must be tracked.
 Breaks End-to-End Addressing: Protocols that embed or authenticate IP addresses need help to cross
NAT: IPsec AH fails because the rewritten header breaks its integrity check, IPsec ESP needs NAT
Traversal (UDP 4500), and FTP or SIP need application-layer gateways. NAT does not affect TLS.
 Limited Inbound Access: By default, NAT drops unsolicited inbound traffic, which complicates remote
access setups and tempts administrators into opening broad port forwards instead of a VPN.

5.3.8. Best Practices for Secure NAT Implementation:

 Use Stateful Firewalls: Combine NAT with firewalls that inspect traffic for threats.
 Limit Open Ports: Only forward necessary ports to reduce exposure.
 Implement VPNs: Use VPNs for secure remote access instead of opening ports.
 Monitor and Log Traffic: Log every translation (internal address and port, translated port, remote
endpoint, time) so that a connection reported by an outside party or flagged by the SIEM can be attributed
to the internal host that made it.

By carefully configuring NAT and combining it with strong firewall rules, organizations can balance
accessibility with security, protecting internal resources while enabling seamless internet access.

5.4. Combining DMZ, Static IP, and NAT for Stronger Security:

When DMZ, Static IP, and NAT are used together, they create a multi-layered defense strategy that enhances
network security, minimizes attack surfaces, and ensures seamless access for legitimate users. Let’s break
down how combining these technologies strengthens overall security.

5.4.1. How They Work Together:

 DMZ for Isolation: Public-facing services (like web or mail servers) are placed in a DMZ,
segregated from the internal network by firewalls.
 Static IPs for Consistent Addressing: Critical servers get static IPs for stable connections and
precise access control.
 NAT for IP Masking and Traffic Control: NAT hides internal IP addresses, preventing direct
access to internal devices from the internet.

This combination ensures that external users can interact with public services without directly accessing
sensitive internal systems.

5.4.2. Example Scenario:

A company hosts a public website, an email server, and an internal database. Their setup looks like this:

 Web and Email Servers in the DMZ: Accessible from the internet, isolated from the internal
network.
 Static IP Addresses: The web server is assigned a fixed public IP (e.g., 203.0.113.2), while the
email server gets 203.0.113.3.
 NAT for Internal Traffic: Internal devices use NAT to access the internet through a single public
IP (203.0.113.1). The firewall only allows traffic to the DMZ servers, blocking all other inbound
requests.

If an attacker compromises the web server, they’re stuck in the DMZ — the firewall blocks lateral
movement to the internal network. Meanwhile, static IPs allow precise, rule-based access control for
public services, and NAT prevents attackers from mapping the internal IP structure.
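
The policy in the scenario above, together with the least-privilege and strict-firewall-rule practices of 5.1.6 and the static-IP allowlist of 5.2.4, written out as an added Python model; it is not code from the original report. The public addresses come from the text; the DMZ subnet 10.10.0.0/24, the private-side addresses of the web and mail servers, the database server 192.168.1.50 and the PostgreSQL port 5432 are assumptions. Rules are evaluated on post-NAT (private) addresses, as a firewall behind static NAT would see them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zones follow the scenario in 5.4.2. The DMZ subnet and the private-side addresses
# are assumptions; the text gives only the public (203.0.113.x) side.
ZONES = {
    "dmz": ip_network("10.10.0.0/24"),
    "internal": ip_network("192.168.1.0/24"),
}
WEB_SERVER = "10.10.0.2"     # private side of static NAT 203.0.113.2 (assumed)
MAIL_SERVER = "10.10.0.3"    # private side of static NAT 203.0.113.3 (assumed)
DB_SERVER = "192.168.1.50"   # internal database server with a static IP (assumed)


def zone_of(ip: str) -> str:
    """Classify an address; anything outside the two private zones is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_ip: Optional[str]   # None means any host in src_zone
    dst_ip: str
    dst_port: int


# Allowlist: these are the only flows permitted; everything else is denied (default deny).
RULES: List[Rule] = [
    Rule("internet", None, WEB_SERVER, 80),
    Rule("internet", None, WEB_SERVER, 443),
    Rule("internet", None, MAIL_SERVER, 25),
    Rule("dmz", WEB_SERVER, DB_SERVER, 5432),  # only the web server, only the DB port
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules: List[Rule] = RULES) -> str:
    """First matching allow rule wins; no match means DENY."""
    src_zone = zone_of(src_ip)
    for r in rules:
        if (r.src_zone == src_zone
                and (r.src_ip is None or r.src_ip == src_ip)
                and r.dst_ip == dst_ip and r.dst_port == dst_port):
            return "ALLOW"
    return "DENY"


def pivot_attempts(rules: List[Rule] = RULES) -> dict:
    """What an internet host, and a compromised DMZ host, can and cannot reach."""
    return {
        "internet->web:443": evaluate("198.51.100.7", WEB_SERVER, 443, rules),
        "internet->web:22": evaluate("198.51.100.7", WEB_SERVER, 22, rules),
        "internet->db:5432": evaluate("198.51.100.7", DB_SERVER, 5432, rules),
        "web->db:5432": evaluate(WEB_SERVER, DB_SERVER, 5432, rules),
        "web->db:22": evaluate(WEB_SERVER, DB_SERVER, 22, rules),
        "mail->db:5432": evaluate(MAIL_SERVER, DB_SERVER, 5432, rules),
        "web->workstation:445": evaluate(WEB_SERVER, "192.168.1.25", 445, rules),
    }


def audit(rules: List[Rule]) -> List[str]:
    """Flag the 'overly permissive' pattern from 5.1.5: any-host rules from a less
    trusted zone into the internal zone, which let a compromised DMZ host pivot."""
    findings = []
    for r in rules:
        if zone_of(r.dst_ip) == "internal" and r.src_ip is None:
            findings.append(f"{r.src_zone} (any host) -> {r.dst_ip}:{r.dst_port} permits pivoting into internal")
    return findings


if __name__ == "__main__":
    for flow, verdict in pivot_attempts().items():
        print(f"{flow:24s} {verdict}")
    print(audit(RULES + [Rule("dmz", None, DB_SERVER, 5432)]))
```

Only the web server's own static address may open the single database port; the mail server, a workstation share and SSH to the database are all denied even from inside the DMZ. Loosening rule four to "any DMZ host" is the overly permissive rule from 5.1.5, and audit() reports it.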

5.4.3. Security Benefits of This Setup:

 Layered Defense: To reach internal systems an attacker must get through the perimeter firewall,
compromise a hardened DMZ host and then defeat the DMZ-to-internal firewall policy; NAT adds obscurity to
that chain, not a barrier of its own.
 Reduced Exposure: Internal devices remain hidden behind NAT, while the DMZ limits publicly
accessible services.
 Granular Access Control: Firewalls can apply strict rules for static IPs, limiting which services are
accessible and by whom.
 Simplified Traffic Management: NAT logs and firewall rules help track and analyze all
inbound/outbound traffic, making it easier to detect suspicious activity.

5.4.4. Best Practices for Combining DMZ, Static IP, and NAT:

 Firewall Rule Restriction: Only allow necessary traffic into the DMZ, and limit internal access to
essential services.
 Regular Audits and Patching: Frequently review configurations and keep DMZ servers updated.
 Use VPNs for Internal Access: Instead of opening ports, use VPNs to securely connect remote
users to internal resources.
 Implement IDS/IPS: Deploy Intrusion Detection and Prevention Systems to monitor traffic for
signs of attack.
 Log and Analyze Everything: Enable logging on firewalls, NAT devices, and DMZ servers to
catch suspicious behavior early.

By carefully integrating DMZ, static IPs, and NAT, organizations can build a resilient security
architecture that protects critical assets without sacrificing functionality.

6. IT Security Risk Assessment and Mitigation Methods (M2)

Effective risk assessment and mitigation are critical to protecting an organization’s assets, data, and
infrastructure. Let’s break down the key methods, identify common vulnerabilities, and explore
recommended tools for risk management.

6.1. Risk Assessment Methods:

Accurately identifying and addressing security risks is vital for safeguarding an organization’s infrastructure
and data. Let’s break down each risk assessment method in more detail, with practical examples to illustrate
how they enhance security resilience.

 Vulnerability Scanning:
o Purpose: Automate the discovery of known vulnerabilities across systems, networks, and
applications by scanning for outdated software, misconfigurations, and security weaknesses.
o How It Works:
 The scanner fingerprints software versions, service banners and configuration settings
and compares them against a database of known vulnerabilities (CVEs) and benchmark checks.
 It flags security gaps, assigns severity scores (e.g., CVSS), and suggests remediation steps.
o Tools: Nessus, OpenVAS, Qualys, Microsoft Defender Vulnerability Management.
o Example: A web server running an outdated CMS is flagged for a critical SQL injection
vulnerability, prompting the IT team to immediately apply the latest security patch.
 Penetration Testing (PenTest):
o Purpose: Simulate real-world cyberattacks to uncover exploitable vulnerabilities and test the
effectiveness of existing defenses.
o Steps in PenTesting:
 Reconnaissance: Gather information about the target.
 Scanning & Enumeration: Probe for open ports and running services.
 Exploitation: Attempt to breach systems using discovered vulnerabilities.
 Post-Exploitation: Assess what an attacker could do with access.
 Reporting: Document findings and recommend mitigation strategies.

o Tools: Metasploit, Burp Suite, Nmap, Wireshark.
o Example: A penetration tester exploits an unpatched Apache server, gains root access, and
demonstrates how attackers could exfiltrate sensitive customer data.
 Threat Modeling:
o Purpose: Systematically analyze a system to identify potential threats, understand how
attackers might exploit vulnerabilities, and prioritize mitigation strategies.
o Frameworks:
 STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of
Service, Elevation of Privilege.
 DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability.
o Example: During threat modeling, an organization identifies that an internal API lacks
authentication controls, creating a potential entry point for attackers to access sensitive
employee records.
 Risk Assessment Frameworks:
o Purpose: Provide structured approaches to assessing, categorizing, and prioritizing security
risks.
o Key Frameworks:
 NIST SP 800-30: Outlines a thorough risk assessment process, including threat
identification, vulnerability analysis, and risk determination.
 ISO/IEC 27005: Guides organizations in information security risk management,
aligning with broader ISO 27001 standards.
 FAIR (Factor Analysis of Information Risk): Quantifies risk in financial terms to
help organizations make data-driven decisions.
o Example: Using the NIST framework, a company classifies its assets, maps potential threat
vectors, and assigns risk levels, allowing it to prioritize patching critical systems over
less sensitive ones.

6.1.1. Why a Layered Approach Works Best:

Combining these methods creates a comprehensive risk assessment strategy:

 Vulnerability scanning provides continuous monitoring for known issues.


 Penetration testing simulates real-world attacks to catch exploitable weaknesses.
 Threat modeling helps anticipate evolving threats and attack vectors.
 Risk frameworks offer structured, repeatable processes for long-term risk management.

By leveraging all four methods, organizations can proactively identify vulnerabilities, test their
defenses, and create a dynamic risk management strategy that evolves alongside emerging threats.

6.2. Current Organizational Weaknesses:

Understanding an organization’s existing weaknesses is crucial for prioritizing security improvements and
mitigating potential risks. Let’s explore some of the most common vulnerabilities that many organizations
face, along with real-life examples and their potential impact.

 Outdated Systems and Software:

o Issue: Legacy systems and outdated software often lack the latest security patches, making
them prime targets for attackers.
o Impact: Unpatched vulnerabilities can be exploited to gain unauthorized access, install
malware, or disrupt services.
o Example: The WannaCry ransomware attack in 2017 spread globally, exploiting unpatched
Windows systems and causing billions in damages.
o Solution: Implement automated patch management, retire legacy systems, and use virtual
patching for critical systems that can’t be immediately updated.
 Lack of Security Awareness and Training:
o Issue: Employees unaware of cybersecurity best practices are vulnerable to phishing, social
engineering, and credential theft.
o Impact: Human error remains one of the leading causes of data breaches.
o Example: A phishing email that harvests one employee's credentials gives the attacker the
same access that employee has to customer data; without MFA nothing else stands in the way.
o Solution: Regularly conduct security awareness training, run phishing simulations, and
establish a clear incident reporting process.
 Weak Access Control and Privilege Management:
o Issue: Excessive permissions and poorly managed access rights increase the risk of insider
threats and lateral movement during attacks.
o Impact: Attackers who compromise one account may escalate privileges and access critical
systems.
o Example: A major data breach occurred when an intern’s compromised account had admin-
level access to production servers.
o Solution: Enforce the principle of least privilege (PoLP), implement role-based access
control (RBAC), and use multi-factor authentication (MFA).
 Inadequate Patch and Vulnerability Management:
o Issue: Delayed patching and irregular vulnerability assessments leave known security gaps
open for exploitation.
o Impact: Attackers can use publicly known exploits to breach systems.
o Example: The Equifax breach in 2017 resulted from an unpatched Apache Struts vulnerability
(CVE-2017-5638) for which a fix had been available for roughly two months, exposing about
147 million customer records.
o Solution: Schedule regular vulnerability scans, prioritize critical patches, and use
vulnerability management platforms to streamline remediation.
 Poor Network Segmentation and Monitoring:
o Issue: Flat networks without segmentation allow attackers to move freely once inside the
perimeter.
o Impact: Even a small initial breach can quickly escalate to compromise the entire network.
o Example: A ransomware attack spread across an unsegmented network, encrypting critical
systems and halting business operations.
o Solution: Implement network segmentation, use firewalls to control internal traffic, and
deploy SIEM solutions for continuous monitoring.
 Lack of Incident Response Preparedness:
o Issue: Many organizations lack a tested incident response (IR) plan, causing delays and
confusion during attacks.
o Impact: Without an IR plan, breach containment and recovery times increase, amplifying
financial and reputational damage.

o Example: A company without an IR plan took weeks to contain a ransomware attack,
resulting in prolonged downtime and revenue loss.
o Solution: Develop and regularly test a detailed incident response plan, define clear roles,
and conduct tabletop exercises.

By identifying and addressing these weaknesses, organizations can strengthen their defenses, reduce their
attack surface, and build a more resilient security posture.

6.3. Recommended Mitigation Tools:

To address identified vulnerabilities and build a robust security posture, organizations should leverage a
combination of tools and technologies tailored to their specific needs. Let’s explore the most effective
mitigation tools, how they work, and why they are essential for proactive threat defense.

 Vulnerability Management Platforms:

 Purpose: Automate the discovery, tracking, and prioritization of security vulnerabilities across an
organization’s assets.
 Features:
o Continuous scanning for known vulnerabilities.
o Risk scoring to help prioritize patching.
o Integration with patch management systems for streamlined remediation.
 Examples:
o Tenable.io: Provides real-time visibility into vulnerabilities across cloud and on-premises
environments.
o Qualys: Offers cloud-based vulnerability management and compliance solutions.
o Rapid7 InsightVM: Combines scanning with live threat intelligence to prioritize critical
vulnerabilities.
 Example Use Case: A scanner identifies a critical vulnerability in a company’s VPN gateway. The
platform alerts the security team, ranks the vulnerability’s severity, and recommends an immediate
patch.

 Security Information and Event Management (SIEM):

 Purpose: Collect, aggregate, and analyze security logs and events to detect threats and support
incident investigations.
 Features:
o Real-time threat detection and alerting.
o Centralized log management for easier auditing and compliance.
o Correlation of security events to identify complex attack patterns.
 Examples:
o Splunk: A powerful platform for collecting and analyzing machine data.
o Microsoft Sentinel: A cloud-native SIEM with built-in AI for threat detection.
o ELK Stack (Elasticsearch, Logstash, Kibana): Open-source log management and
visualization tools.

 Example Use Case: The SIEM detects unusual login attempts from multiple IPs targeting admin
accounts, triggering an automatic alert for the security team.
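
The correlation behind that use case, as an added Python example that is not part of the original report: a detection that keys on the targeted account rather than the source IP, so an attacker who spreads attempts across many addresses to dodge per-IP lockouts still trips it. The log lines are constructed for the example and use an ISO timestamp followed by the usual sshd message format; the admin account list, window and thresholds are assumptions a real SIEM rule would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log (ISO timestamp, host, sshd message). Not taken from a real system.
SAMPLE_LOG = """\
2025-03-01T10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
2025-03-01T10:00:07 web01 sshd[2102]: Failed password for root from 198.51.100.23 port 40123 ssh2
2025-03-01T10:00:15 web01 sshd[2103]: Failed password for invalid user alice from 203.0.113.5 port 40124 ssh2
2025-03-01T10:00:31 web01 sshd[2104]: Failed password for root from 192.0.2.77 port 40125 ssh2
2025-03-01T10:00:44 web01 sshd[2105]: Failed password for admin from 203.0.113.9 port 40126 ssh2
2025-03-01T10:01:02 web01 sshd[2106]: Failed password for root from 203.0.113.5 port 40127 ssh2
2025-03-01T10:01:09 web01 sshd[2107]: Failed password for admin from 203.0.113.9 port 40128 ssh2
2025-03-01T10:01:40 web01 sshd[2108]: Failed password for root from 198.51.100.40 port 40129 ssh2
2025-03-01T10:02:13 web01 sshd[2109]: Accepted password for bob from 192.168.1.25 port 51000 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ADMIN_ACCOUNTS = {"root", "admin", "administrator"}   # assumed list of privileged accounts

Event = Tuple[datetime, str, str]   # (timestamp, account, source ip)


def parse(lines: List[str]) -> List[Event]:
    """Keep only failed-login events; successful logins are not part of this rule."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_distributed_bruteforce(events: List[Event],
                                  window: timedelta = timedelta(minutes=5),
                                  min_failures: int = 5,
                                  min_sources: int = 3) -> List[Tuple[str, datetime, List[str]]]:
    """Alert when an admin account collects >= min_failures failures from >= min_sources
    distinct IPs inside a sliding window. The correlation key is the account, so
    spreading attempts over many source addresses does not evade it."""
    alerts = []
    recent = defaultdict(list)          # account -> [(ts, ip), ...] inside the window
    for ts, user, ip in sorted(events):
        if user not in ADMIN_ACCOUNTS:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.pop(0)
        sources = sorted({src for _, src in q})
        if len(q) >= min_failures and len(sources) >= min_sources:
            alerts.append((user, ts, sources))
            q.clear()                        # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for user, ts, sources in detect_distributed_bruteforce(parse(SAMPLE_LOG)):
        print(f"ALERT {ts} account={user} sources={sources}")
```

On the sample, root receives five failures from four addresses within two minutes and raises one alert; admin sees only two failures from one address and alice is not a privileged account, so neither fires. A per-IP lockout rule would have seen at most two failures from any single address and stayed silent.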

 Security Orchestration, Automation, and Response (SOAR):

 Purpose: Automate security processes and orchestrate incident response actions to reduce the time
needed to contain threats.
 Features:
o Automated playbooks for common threats.
o Integration with SIEM and other security tools.
o Incident tracking and response documentation.
 Examples:
o Palo Alto Cortex XSOAR: Automates threat response workflows.
o Splunk SOAR: Integrates with Splunk SIEM for rapid, automated incident handling.
 Example Use Case: A SOAR platform automatically isolates a compromised workstation after
detecting a ransomware signature, preventing the malware from spreading.

 Endpoint Detection and Response (EDR):

 Purpose: Monitor endpoint devices for suspicious activity, detect malware, and enable rapid
incident response.
 Features:
o Behavioral analysis to catch advanced threats.
o Remote incident investigation and remediation.
o Threat hunting capabilities.
 Examples:
o CrowdStrike Falcon: Cloud-native EDR with AI-driven threat detection.
o Microsoft Defender for Endpoint: Provides real-time protection and forensic analysis
tools.
 Example Use Case: An EDR platform detects and quarantines a suspicious executable on an
employee’s laptop, preventing a potential data breach.

 Threat Intelligence Platforms:

 Purpose: Gather and analyze threat data to stay ahead of evolving cyber threats and proactively
defend against attacks.
 Features:
o Aggregation of global threat data.
o Integration with security tools for contextualized alerts.
o Threat feed customization to match organizational risks.
 Examples:
o Recorded Future: Provides real-time threat intelligence feeds.
o Mandiant Threat Intelligence: Offers detailed threat reports and attack insights.
 Example Use Case: A threat intelligence platform warns an organization that its industry is being
targeted by a new phishing campaign, enabling the security team to prepare defenses and educate
employees.

 Risk Management and Compliance Tools:

 Purpose: Help organizations assess, manage, and document security risks while ensuring
compliance with industry regulations.
 Features:
o Risk scoring and assessment frameworks.
o Compliance checklists (e.g., PCI DSS, HIPAA, GDPR).
o Automated reporting for audits.
 Examples:
o RSA Archer: A comprehensive risk management platform.
o LogicGate: Helps streamline risk assessments and policy management.
 Example Use Case: A risk management tool helps a financial institution maintain compliance with
industry standards by continuously monitoring security controls and generating audit reports.

Best Practices for Risk Management:

 Regular Security Audits: Conduct quarterly audits to catch vulnerabilities early.


 Patch and Update Policies: Automate patch management and enforce strict timelines for critical
updates.
 Employee Training: Implement ongoing security awareness programs with phishing simulations.
 Incident Response Planning: Develop and test detailed incident response playbooks.
 Continuous Monitoring: Use SIEM systems (e.g., Splunk, ELK Stack) to monitor network
activity and detect anomalies.

By systematically assessing risks, addressing vulnerabilities, and adopting a proactive mitigation strategy,
organizations can build a resilient security posture that evolves alongside emerging threats.

7. Physical and Virtual Security Measures (D1)

Comprehensive security requires both physical and virtual safeguards to protect an organization’s
infrastructure, data, and personnel. Let’s break down these measures in detail, exploring their components,
benefits, and how they contribute to a layered defense strategy.

7.1. Physical Security Measures:

Physical security is the first line of defense against threats like theft, tampering, and unauthorized access.
Protecting physical assets ensures attackers can’t easily bypass virtual controls by physically compromising
hardware.

 Access Control Systems:


o Biometric scanners (fingerprint, facial recognition).
o Key cards, PIN codes, and RFID badges.
o Example: Server rooms protected with multi-factor access control, allowing entry only to
authorized personnel.
 CCTV Surveillance:
o 24/7 video monitoring of sensitive areas.

o Motion detection and automated alerts.
o Example: Cameras monitor data center entrances, triggering alarms if unauthorized
movement is detected after hours.
 Environmental Controls:
o Fire suppression systems.
o Temperature and humidity monitoring.
o Example: Sensors detect overheating in server racks, automatically activating cooling
systems.
 Secure Equipment Disposal:
o Shredding hard drives and physical media.
o Using certified e-waste disposal services.
o Example: Old laptops are physically destroyed to prevent data recovery.
 On-Site Security Personnel:
o Guard patrols and ID checks.
o Security checkpoints for visitors and deliveries.
o Example: Guards verify employee badges and conduct random bag checks at entry points.

7.2. Virtual Security Measures:

Virtual security measures protect digital assets by preventing unauthorized access, data breaches, and
cyberattacks.

 Endpoint Protection:
o Antivirus, anti-malware, and EDR solutions.
o Device posture checks and automatic quarantine.
o Example: An EDR platform isolates infected laptops to prevent malware from spreading.
 Data Encryption:
o Full-disk and file-level encryption.
o TLS and IPsec for secure data transmission.
o Example: Employee laptops use BitLocker to encrypt data, rendering stolen devices useless
to attackers.
 Multi-Factor Authentication (MFA):
o One-time passwords (OTP) and authentication apps.
o Hardware tokens or biometric verification.
o Example: Employees must enter a password and verify with an app like Microsoft
Authenticator to access corporate resources.
 Network Segmentation:
o Splitting networks into isolated zones.
o Using VLANs and firewalls to control traffic flow.
o Example: Finance department systems are isolated from general employee networks to limit
access to sensitive data.
 Intrusion Detection and Prevention (IDS/IPS):
o Real-time traffic analysis to catch anomalies.
o Automatic blocking of malicious IPs.
o Example: An IPS detects a SQL injection attempt on the web server and blocks the attacker’s
IP immediately.

7.3. Benefits of Combining Physical and Virtual Security:

Combining physical and virtual security measures strengthens overall security, reduces vulnerabilities, and
ensures comprehensive protection.

 Defense in Depth: Multiple layers of security make it harder for attackers to breach systems.
 Comprehensive Threat Mitigation: Physical controls prevent hands-on attacks, while virtual
defenses stop cyber threats.
 Reduced Attack Surface: Segmentation and strict access controls limit exposure points.
 Regulatory Compliance: Security frameworks (e.g., ISO 27001, NIST) require both physical and
virtual protections.

Example: In a ransomware attack, virtual security stops lateral movement, while physical access controls
prevent attackers from manually plugging devices into server racks.

8. Review risk assessment procedures in an organisation (P5)


Detailed Security Risk Assessment Process for Wheelie Good

8.1 Definition of Security Risk and Risk Assessment Process


 A security risk is defined as the potential for an event or action to negatively impact the confidentiality,
integrity, or availability of an organization’s information or systems (Ciampa, 2022). These risks can
manifest through various incidents, such as unauthorized access to sensitive data, disruption of
operations due to cyberattacks, or accidental data loss. For Wheelie Good, a bicycle parts manufacturer
in Ho Chi Minh City, a security risk could involve a phishing attack where an employee inadvertently
provides login credentials to a hacker, leading to a breach of customer order data. This could
compromise confidentiality (unauthorized access to data), integrity (data tampering), and availability
(system downtime during recovery).
 The risk assessment process is a structured methodology used to identify, analyze, and evaluate
potential threats to an organization’s information assets, with the ultimate goal of implementing controls
to mitigate or manage these risks (ISO, 2018). This process is critical for proactively addressing
vulnerabilities before they are exploited, ensuring the protection of critical systems and data. For
Wheelie Good, the risk assessment process would involve identifying risks to its production database,
which contains sensitive intellectual property and customer information, and then implementing
measures like encryption and access controls to reduce the likelihood of data breaches. The process also
ensures compliance with regulations such as Vietnam’s Law on Cybersecurity 2018, which mandates
the protection of personal data and timely breach reporting (Vietnam Government, 2018). By conducting
a thorough risk assessment, Wheelie Good can safeguard its operations, maintain customer trust, and
avoid financial and reputational damage.

8.2 Definition of Assets, Threats, and Threat Identification Procedures


 Assets refer to all components an organization needs to protect, as they are critical to its operations and
success (Ciampa, 2022). Assets can be categorized into tangible and intangible types. Tangible assets
include physical items such as hardware (e.g., servers, laptops, networking equipment), infrastructure

(e.g., office buildings, power supplies), and physical documents. Intangible assets encompass digital
and intellectual resources, such as sensitive data (e.g., customer records, financial reports), software
applications, and intellectual property (e.g., proprietary designs). For Wheelie Good, tangible assets
include its manufacturing equipment and the servers hosting its production management system, while
intangible assets include the production database (containing customer orders and design blueprints) and
the company’s proprietary manufacturing processes. Protecting these assets is vital to maintaining
operational continuity and competitive advantage.
 Threats are potential dangers that can exploit vulnerabilities to cause harm to assets, leading to financial,
operational, or reputational losses (Ciampa, 2022). Threats can originate from various sources, including
cyberattacks (e.g., hacking, malware, ransomware), natural disasters (e.g., floods, earthquakes), and
human errors (e.g., accidental data deletion, misconfiguration of systems). For Wheelie Good, specific
threats include: 1) a ransomware attack that encrypts its production database, halting manufacturing
operations; 2) a natural disaster like a flood in Ho Chi Minh City, which could damage its servers and
disrupt power supply; and 3) an employee error, such as clicking on a phishing link, leading to
unauthorized access to sensitive data. These threats highlight the diverse risks Wheelie Good faces in
its operational environment.
 Threat identification procedures involve a systematic approach to recognizing potential threats that
could impact assets. The process typically includes three key steps:
1) Building an asset inventory: List all critical assets and categorize them by importance. For
Wheelie Good, this would involve documenting its servers, employee devices, and production
database as high-priority assets.
2) Identifying vulnerabilities: Assess each asset for weaknesses that could be exploited. For
example, Wheelie Good might discover that its servers are running outdated software, making them
vulnerable to malware attacks.
3) Analyzing potential threats: Determine which threats could exploit these vulnerabilities, using
methods like threat modeling (e.g., STRIDE: Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service, Elevation of Privilege) or historical data analysis (ISO, 2018). For
instance, Wheelie Good might identify that phishing attacks are a significant threat, as employees
frequently receive fraudulent emails impersonating suppliers. This structured approach ensures all
potential threats are systematically identified, allowing the organization to prioritize its mitigation
efforts effectively.

8.3 Steps for Risk Identification


The process of risk identification is a critical component of the broader risk assessment framework, ensuring
that all potential risks are recognized and prioritized. The following steps outline a comprehensive approach
to risk identification, tailored to Wheelie Good’s context:

1. Hazard Identification: This step involves listing all potential hazards that could affect the organization’s
operations. Hazards include both internal and external threats, such as cyberattacks, natural disasters, and
human errors (Ciampa, 2022). For Wheelie Good, hazards might include ransomware attacks targeting its
production systems, flooding in Ho Chi Minh City affecting its physical infrastructure, and employees

accidentally deleting critical production schedules. Brainstorming sessions with IT staff, reviewing incident
logs, and analyzing industry reports can help identify these hazards comprehensively.

2. Risk Analysis: Once hazards are identified, this step assesses the likelihood and impact of each hazard.
Likelihood is determined by factors such as the frequency of similar incidents in the industry, while impact
is measured by the potential damage (e.g., financial loss, operational downtime, reputational harm). For
example, Wheelie Good might determine that a ransomware attack has a high likelihood due to unpatched
systems (based on industry trends showing a 30% increase in ransomware attacks in manufacturing in 2024)
and a severe impact, as it could halt production for days, costing thousands of dollars in lost revenue
(Nguyen, 2024).

3. Risk Prioritization: Using a risk matrix, risks are ranked based on their likelihood and impact,
categorized as low, medium, or high priority (ISO, 2018). A risk matrix plots likelihood (e.g., rare, unlikely,
possible, likely, almost certain) against impact (e.g., negligible, minor, moderate, major, catastrophic). For
Wheelie Good, a ransomware attack might be rated as “likely” and “major,” placing it in the high-priority
category, while an employee accidentally deleting data might be “possible” and “minor,” ranking as medium
priority. This prioritization ensures that resources are allocated to the most critical risks first.

4. Propose Control Measures: This step involves recommending measures to mitigate or eliminate
identified risks. Controls can be preventive (e.g., installing firewalls), detective (e.g., intrusion detection
systems), or corrective (e.g., data backups). For Wheelie Good, controls for a ransomware risk might include
implementing a patch management policy to update software regularly, deploying antivirus software like
Symantec Endpoint Protection, and conducting employee training on recognizing phishing emails (Ciampa,
2022).

5. Monitor and Update: Risk identification is an ongoing process. This step involves continuously
monitoring the effectiveness of implemented controls and updating the risk profile as new threats emerge
or the organizational environment changes (ISO, 2018). For Wheelie Good, this might involve using a
Security Information and Event Management (SIEM) system like Splunk to monitor network activity for
signs of phishing attempts, and updating its risk assessment annually to account for new threats, such as
emerging malware variants or changes in Vietnam’s cybersecurity regulations.

These steps provide a structured framework for Wheelie Good to identify and manage risks systematically,
ensuring that the most significant threats are addressed promptly and effectively.

8.4 Risk Assessment Process in an Organization


A comprehensive risk assessment process for Wheelie Good, a manufacturing company with a focus on
protecting its IT systems and data, involves the following detailed steps:

1. Define Scope and Objectives: The first step is to establish the scope of the assessment, identifying the
systems, processes, or areas to be evaluated, and setting specific objectives (Ciampa, 2022). For Wheelie
Good, the scope might include its production management system, employee devices, and third-party vendor
integrations. The objective could be to ensure compliance with Vietnam’s Law on Cybersecurity 2018,
which requires protecting personal data and reporting breaches within 72 hours (Vietnam Government,
2018), and to reduce the risk of production downtime due to cyberattacks.

2. Create an Asset Inventory: This step involves compiling a detailed list of all critical assets, often
referred to as the “crown jewels,” that are essential to the organization’s operations (Ciampa, 2022). For
Wheelie Good, this includes tangible assets like servers hosting the production database, employee laptops,
and manufacturing equipment, as well as intangible assets like customer order data, proprietary designs, and
supplier contracts. Each asset should be assigned a value based on its importance to business operations,
with the production database likely being the highest priority due to its role in daily manufacturing activities.

3. Identify Threats and Vulnerabilities: Using methods like brainstorming, SWOT analysis, interviews
with employees, and industry threat intelligence, this step identifies threats and vulnerabilities associated
with each asset (ISO, 2018). For Wheelie Good, a vulnerability might be the lack of encryption for data
transfers to third-party vendors, which could be exploited by a man-in-the-middle attack. Another threat
could be social engineering attacks, such as phishing emails impersonating suppliers, targeting employees
to gain access to the production system. Historical data might show that phishing attacks in the
manufacturing sector increased by 25% in 2024, highlighting the relevance of this threat (Nguyen, 2024).

4. Analyze and Evaluate Risks: This step involves using a risk matrix to assess the likelihood and impact
of each identified risk, categorizing them into low, medium, or high levels (Ciampa, 2022). For example,
Wheelie Good might evaluate the risk of a phishing attack as “likely” (due to frequent phishing attempts
reported in the industry) and “major” (as it could lead to a data breach costing thousands of dollars in fines
and lost production). In contrast, a natural disaster like a flood might be “unlikely” in a given year but
“catastrophic” if it occurs, placing it in the medium-risk category. This analysis helps prioritize risks for
mitigation.

5. Implement Control Measures: Based on the risk evaluation, appropriate controls are applied to mitigate
risks. These controls can be technical (e.g., deploying firewalls, encrypting data), administrative (e.g.,
enforcing password policies, conducting training), or physical (e.g., securing server rooms) (Ciampa, 2022).
For Wheelie Good, controls might include: 1) implementing role-based access controls (RBAC) to limit
access to the production database, 2) using TLS encryption for data transfers to vendors, 3) installing
Symantec Endpoint Protection to detect malware, and 4) conducting quarterly cybersecurity training to
educate employees on phishing risks. These measures reduce the likelihood and impact of identified risks.

6. Monitor and Update: The risk assessment process is not a one-time activity; it requires continuous
monitoring to ensure controls remain effective as threats evolve (ISO, 2018). Wheelie Good should use
tools like Splunk to monitor network logs for suspicious activity, such as repeated failed login attempts that
might indicate a phishing attack. The company should also review its risk assessment annually or after
significant changes, such as adopting new software or facing a new regulatory requirement. For example, if
Vietnam updates its cybersecurity laws to require two-factor authentication (2FA), Wheelie Good would
need to update its controls to comply.
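The risk matrix that steps 2 to 4 of section 8.3 and step 4 of this section describe can be carried out as a small risk register. The following is an added example, not code from the report: the qualitative ratings (likely/major, possible/minor, unlikely/catastrophic) are the ones the text gives for Wheelie Good, while the 1 to 5 numeric scale, the band thresholds and the control lists are assumptions chosen so that the report's own ratings land in the bands it states.

```python
"""Risk register with a 5x5 likelihood/impact matrix (sections 8.3 and 8.4).

Added example, not from the report. The qualitative ratings come from the text;
the numeric scale (1..5 per axis) and the band thresholds are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


# Assumed band thresholds on score = likelihood * impact (range 1..25). Chosen so the
# report's own ratings land where it says: likely/major = 16 -> high,
# possible/minor = 6 -> medium, unlikely/catastrophic = 10 -> medium.
HIGH_THRESHOLD = 12
MEDIUM_THRESHOLD = 5


@dataclass
class Risk:
    name: str
    likelihood: Likelihood
    impact: Impact
    controls: list = field(default_factory=list)  # step 4: proposed control measures

    @property
    def score(self) -> int:
        return int(self.likelihood) * int(self.impact)

    @property
    def priority(self) -> str:
        if self.score >= HIGH_THRESHOLD:
            return "high"
        if self.score >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"


def priority_matrix() -> dict:
    """The full matrix, (likelihood, impact) -> band, usable as a printed reference sheet."""
    return {(lk, im): Risk("", lk, im).priority for lk in Likelihood for im in Impact}


def prioritize(register: list) -> list:
    """Step 3: order the register so the highest-scoring risks are treated first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed register built from the risks the report discusses for Wheelie Good.
WHEELIE_GOOD_RISKS = [
    Risk("Ransomware on production systems", Likelihood.LIKELY, Impact.MAJOR,
         ["monthly patch management", "endpoint antivirus", "daily offsite backups"]),
    Risk("Employee accidentally deletes production schedule", Likelihood.POSSIBLE, Impact.MINOR,
         ["daily backups", "change approval for schedule edits"]),
    Risk("Flooding of the Ho Chi Minh City site", Likelihood.UNLIKELY, Impact.CATASTROPHIC,
         ["offsite backups", "disaster recovery plan"]),
    Risk("Phishing email impersonating a supplier", Likelihood.LIKELY, Impact.MAJOR,
         ["quarterly phishing training", "2FA on the production system"]),
]


def report(register=None) -> list:
    """Return (name, score, priority) tuples in treatment order."""
    register = WHEELIE_GOOD_RISKS if register is None else register
    return [(r.name, r.score, r.priority) for r in prioritize(register)]


if __name__ == "__main__":
    for name, score, band in report():
        print(f"{band:6} {score:2}  {name}")
```

The thresholds are the part a real organisation must decide for itself; what the example shows is that once they are fixed, the same pair of ratings always maps to the same band, which is what makes the prioritisation defensible in an audit. Step 5 (monitor and update) is then a matter of re-running `report()` whenever a rating or a control changes.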

Practical Examples:

• Example 1: Ransomware Mitigation in a Manufacturing Firm

A manufacturing organization discovered that its servers were not regularly patched, creating a
vulnerability to ransomware attacks. The threat was significant, as ransomware could encrypt the
production database, halting operations and demanding a ransom for decryption. The organization
conducted a risk assessment, identifying the unpatched servers as a high-priority risk due to the high
likelihood (based on a 30% rise in ransomware attacks in the sector) and severe impact (potential
downtime costing $50,000 per day). Control measures included implementing a monthly patch
management policy, deploying antivirus software, and backing up data daily to a secure offsite location.
Continuous monitoring using a SIEM system ensured early detection of ransomware attempts, reducing
the risk significantly.

• Example 2: Phishing Prevention in a Financial Institution

A financial institution identified that its employees often used unsecured public Wi-Fi to access
company systems, creating a vulnerability to man-in-the-middle attacks. The threat involved attackers
intercepting sensitive financial data, such as client account details, leading to potential fraud and
regulatory fines. The risk assessment rated this as a high-priority risk due to the frequent use of public
Wi-Fi (likelihood: likely) and the severe consequences of a data breach (impact: major, with potential
fines up to $100,000 under GDPR). The organization implemented a mandatory VPN policy for remote
access, enforced through endpoint security software, and conducted monthly training sessions on secure
Wi-Fi practices. Monitoring tools were used to detect unauthorized access attempts, ensuring the control
measures were effective in protecting client data.

• Example 3: Insider Threat Reduction in a Retail Company

A retail company identified that its employees had excessive access rights to the customer database,
creating a vulnerability to insider threats. The threat was an employee stealing customer data to sell to
competitors, which could lead to reputational damage and legal penalties. The risk assessment classified
this as a medium-priority risk (likelihood: possible, impact: major). The company implemented role-
based access controls (RBAC) to restrict access to only necessary personnel, conducted background
checks during hiring, and deployed a Data Loss Prevention (DLP) system to monitor data exfiltration
attempts. Regular audits and employee training on data protection policies further reduced the risk,
ensuring compliance with data protection regulations.

These examples illustrate how a detailed risk assessment process can identify, evaluate, and mitigate
security risks, ensuring organizations like Wheelie Good are well-prepared to handle diverse threats in a
dynamic cybersecurity landscape.

9. Explain data protection processes and regulations as applicable to an organisation. (P6)


Data Protection Processes and Regulations for Wheelie Good

9.1. Definition of Data Protection

Data protection refers to the comprehensive set of technical, organizational, and strategic measures designed
to safeguard sensitive information from unauthorized access, loss, corruption, or destruction (Ciampa,
2022). It encompasses a wide range of practices aimed at ensuring the security of data throughout its
lifecycle, from collection to disposal, while adhering to legal, regulatory, and ethical standards. At its core,
data protection is built on the principles of the CIA Triad: Confidentiality, Integrity, and Availability,
which collectively form the foundation of information security.

• Confidentiality ensures that data is accessible only to authorized individuals, preventing unauthorized
disclosure. For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City, this means restricting
access to its customer database—containing personal information like names, addresses, and payment
details—to only the sales team and authorized managers.
• Integrity guarantees that data remains accurate, complete, and unaltered by unauthorized parties, such
as ensuring that production schedules in Wheelie Good’s manufacturing system are not tampered with,
which could lead to incorrect production runs and delays.
• Availability ensures that data and systems are accessible to authorized users when needed, for example,
maintaining uptime for Wheelie Good’s production management system during peak manufacturing
periods to avoid disruptions in order fulfillment (Ciampa, 2022).

The primary goal of data protection is to mitigate risks that could compromise the security of an
organization’s information assets, thereby preventing financial losses, legal penalties, and reputational
damage. For Wheelie Good, this involves protecting a variety of data types, including personal data (e.g.,
customer and employee information), business-critical data (e.g., production schedules, supplier
contracts), and intellectual property (e.g., proprietary designs for bicycle parts). Personal data, such as
customer email addresses collected for marketing, must be safeguarded to comply with privacy laws and
maintain trust. Business-critical data, like production schedules, is essential for operational continuity, and
any compromise could halt manufacturing, leading to missed deadlines and financial losses. Intellectual
property, such as Wheelie Good’s unique designs, represents a competitive advantage, and its theft could
result in significant market share loss to competitors (ISO, 2013).

Data protection also addresses a wide range of threats that could undermine the security of these assets.
These threats include cyberattacks, such as phishing attacks targeting employees to steal login credentials,
ransomware that encrypts critical systems, or hacking attempts to access sensitive data. For example, a
phishing email impersonating a supplier could trick a Wheelie Good employee into revealing access to the
customer database, leading to a data breach. Human errors, such as an employee accidentally deleting
production data or misconfiguring a server, also pose significant risks. In 2022, a Vietnamese manufacturing
firm lost critical production data due to an employee error, resulting in a week-long production delay and
$50,000 in losses (Nguyen, 2022). Natural disasters, like floods in Ho Chi Minh City, could damage
Wheelie Good’s servers, disrupting access to essential data. Additionally, insider threats, such as a
disgruntled employee leaking proprietary designs to a competitor, are a growing concern in the
manufacturing sector (Ciampa, 2022).

Beyond mitigating threats, data protection ensures compliance with legal and regulatory frameworks, which
is particularly critical for Wheelie Good given its export operations to markets like the European Union.
Regulations such as the General Data Protection Regulation (GDPR) and Vietnam’s Law on Cybersecurity
2018 impose strict requirements on how personal data is collected, processed, and stored (European Union,
2016; Vietnam Government, 2018). For instance, GDPR mandates that Wheelie Good obtain explicit
consent from EU customers before collecting their data and provide them with rights to access or erase their
information. Non-compliance can lead to severe penalties, such as fines of up to 4% of annual global revenue
under GDPR, which could be devastating for a company of Wheelie Good’s size. Similarly, Vietnam’s law
requires timely breach reporting within 72 hours, ensuring transparency and accountability in data handling
practices.

Data protection also plays a crucial role in maintaining stakeholder trust and supporting business operations.
For Wheelie Good, a data breach involving customer information could erode trust among its international
clients, leading to lost contracts and reputational damage. A real-world example is a 2021 data breach at a
Vietnamese e-commerce company, which exposed 10,000 customer records and resulted in a 30% drop in
customer retention after negative media coverage (Nguyen, 2021). By implementing robust data protection
measures, Wheelie Good can demonstrate its commitment to privacy, fostering loyalty among customers
and partners. Furthermore, data protection ensures operational continuity by safeguarding critical systems
against disruptions. For instance, if a ransomware attack encrypts Wheelie Good’s production database,
having secure backups and an incident response plan can minimize downtime, allowing the company to
resume operations quickly and meet export deadlines.

In summary, data protection is a multifaceted discipline that combines technical safeguards, organizational
policies, and compliance efforts to protect sensitive information from a wide range of threats. For Wheelie
Good, it is not only a legal and ethical obligation but also a strategic imperative to maintain its competitive
edge, operational efficiency, and reputation in the global market. By prioritizing data protection, the
company can mitigate risks, comply with regulations, and build a foundation of trust with its stakeholders.

Wheelie Good must adopt a comprehensive data protection process to secure its data throughout its lifecycle.
The following subsections outline each stage, with specific applications to the company’s operations.

9.2. Data Protection Processes in an Organization


To safeguard its sensitive information, Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City,
must implement a robust data protection process that spans the entire data lifecycle—from collection to
disposal. This process ensures the confidentiality, integrity, and availability of data while complying with
local and international regulations, such as Vietnam’s Law on Cybersecurity 2018 and the General Data
Protection Regulation (GDPR). The following subsections detail each stage of the data protection process,
providing specific applications, tools, and best practices tailored to Wheelie Good’s operations.

9.2.1. Data Collection


The data collection phase is the foundation of a secure data protection process, requiring Wheelie Good to
collect data in a lawful, transparent, and purpose-driven manner. The company should only gather
information necessary for specific, legitimate purposes, such as customer contact details for order
fulfillment, employee data for payroll processing, or supplier information for procurement. For example,
when collecting customer email addresses for marketing campaigns, Wheelie Good should limit the data to
what is strictly needed (e.g., email and name) and avoid collecting extraneous details like home addresses
unless required. This aligns with the GDPR’s principle of data minimization, which mandates collecting
only the data necessary for the intended purpose (European Union, 2016).

Wheelie Good must obtain explicit, informed consent from individuals before collecting their personal data,
ensuring compliance with regulations like GDPR and Vietnam’s Personal Data Protection Decree 2023
(Vietnam Government, 2023). Consent should be obtained through clear, user-friendly mechanisms, such
as an opt-in checkbox on the company’s website that states, “I agree to receive marketing emails from
Wheelie Good, and I understand how my data will be used.” The company should also provide a privacy
notice detailing the purpose of data collection, how the data will be stored, and the rights of individuals
(e.g., the right to withdraw consent). To maintain accountability, Wheelie Good should document all consent
records in a centralized system, such as a Customer Relationship Management (CRM) platform, to
demonstrate compliance during audits. Additionally, the company should train its sales and marketing teams
on ethical data collection practices to avoid coercive tactics, ensuring that customers provide consent freely
and without pressure (Ciampa, 2022).

9.2.2. Data Storage


Secure data storage is critical to protecting Wheelie Good’s information from unauthorized access, theft, or
loss. The company should implement encryption for all stored data, using industry-standard algorithms like
AES-256, to protect sensitive information such as customer databases, production schedules, and
proprietary designs. For example, Wheelie Good’s customer database, which contains personal information
like names and payment details, should be encrypted both at rest (on servers) and in transit (during data
transfers) using Transport Layer Security (TLS). This ensures that even if a hacker gains access to the server,
the data remains unreadable without the encryption key (Ciampa, 2022).

Access controls are equally important to limit data access to authorized personnel only. Wheelie Good
should deploy role-based access control (RBAC) to ensure that employees can only access data relevant to
their roles. For instance, the production manager should have access to manufacturing designs, while the
sales team should be restricted to customer order data, and the HR department should only access employee
records. RBAC can be implemented using tools like Microsoft Active Directory, which allows the IT team
to define user roles and permissions centrally. Additionally, Wheelie Good should enforce strong password
policies, requiring complex passwords (e.g., at least 12 characters with a mix of letters, numbers, and
symbols) and enabling two-factor authentication (2FA) for all employees accessing sensitive systems. This
reduces the risk of unauthorized access due to stolen credentials, a common issue in phishing attacks (ISO,
2013).
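The access-control paragraph above describes two checks that can be tested mechanically: a role-based decision that denies anything not explicitly granted, and a password rule of at least 12 characters mixing letters, digits and symbols, with a second factor required before sensitive systems are reached. The following is an added example, not code from the report and not an Active Directory configuration; the roles and resources follow the report's description, while the permission table and the sample users are assumptions.

```python
"""Role-based access control and password policy for stored data (section 9.2.2).

Added example, not from the report and not Active Directory configuration. The
roles, resources and the 12-character rule follow the report's description; the
permission table itself and the sample users are assumptions.
"""
import re
from dataclasses import dataclass

# resource -> role -> allowed actions. Anything not listed is denied (deny by default).
PERMISSIONS = {
    "manufacturing_designs": {"production_manager": {"read", "write"}},
    "customer_orders": {"sales": {"read", "write"}, "production_manager": {"read"}},
    "employee_records": {"hr": {"read", "write"}},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def role_permits(role: str, resource: str, action: str) -> bool:
    """Pure RBAC decision: is `action` on `resource` granted to `role`?"""
    return action in PERMISSIONS.get(resource, {}).get(role, set())


def authorize(user: User, resource: str, action: str, mfa_verified: bool) -> tuple:
    """Access decision for a sensitive system: a completed second factor plus a role grant.
    Returns (allowed, reason) so the reason can go straight into the access log."""
    if not mfa_verified:
        return False, "second factor not verified"
    if not role_permits(user.role, resource, action):
        return False, f"role '{user.role}' may not {action} {resource}"
    return True, "ok"


# Each rule is (name, predicate); the names double as the message shown to the user.
PASSWORD_RULES = [
    ("at least 12 characters", lambda p: len(p) >= 12),
    ("at least one letter", lambda p: re.search(r"[A-Za-z]", p) is not None),
    ("at least one digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("at least one symbol", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def password_violations(password: str) -> list:
    """Names of the rules a candidate password fails; an empty list means it is acceptable."""
    return [name for name, ok in PASSWORD_RULES if not ok(password)]


def demo() -> list:
    """Walk a few constructed requests through the decision and return the access log."""
    log = []
    for user, resource, action, mfa in [
        (User("lan", "hr"), "employee_records", "write", True),
        (User("minh", "sales"), "manufacturing_designs", "read", True),
        (User("thu", "production_manager"), "customer_orders", "read", False),
    ]:
        allowed, reason = authorize(user, resource, action, mfa)
        log.append((user.name, resource, action, allowed, reason))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    print(password_violations("password123"))
```

Two design points carry over to any real deployment: the decision function returns a reason as well as a boolean, so denials are logged with enough context for the audits described in section 9.2.5, and the permission table is the only place a grant can come from, so adding a role means adding a line there rather than a special case in code.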

To address vulnerabilities, Wheelie Good must regularly update its storage systems by applying security
patches and firmware updates to servers, databases, and networking equipment. For example, if a
vulnerability is discovered in the company’s database software (e.g., MySQL), the IT team should apply the
latest patch to prevent exploitation by malware like ransomware. The company should also consider using
a secure cloud storage provider, such as Amazon Web Services (AWS) S3, which offers built-in encryption,
redundancy, and disaster recovery features. To further enhance availability, Wheelie Good should
implement a backup strategy, conducting daily incremental backups and weekly full backups to an offsite
location. This ensures that data can be restored quickly in case of a ransomware attack or hardware failure,
minimizing downtime and ensuring operational continuity (Ciampa, 2022).

9.2.3 Data Processing


Data processing involves handling data for various purposes, such as order fulfillment, payroll management,
or supplier coordination. Wheelie Good must establish clear, documented guidelines for data processing to
ensure consistency and compliance with privacy regulations. These guidelines should outline how data is
handled, who is authorized to process it, and what security measures must be in place. For example, when
processing customer orders, Wheelie Good should anonymize personal data where possible—such as
removing names and addresses from sales reports—to reduce the risk of exposure in case of a breach. The
company should also implement data minimization principles, ensuring that only the necessary data is
processed for each task. For instance, when generating production efficiency reports, Wheelie Good should
exclude customer personal details unless they are directly relevant to the analysis, thereby reducing the risk
of accidental leaks (European Union, 2016).
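The anonymisation and minimisation the paragraph above calls for (names and addresses removed from sales reports, only the fields the report needs retained) can be enforced in the code that builds the report rather than left to whoever exports it. The following is an added example, not code from the report: the order records are constructed sample data, the keyed pseudonym is one common way to keep a customer linkable across rows without exposing who they are, and the HMAC key is a placeholder standing in for one held in a key store.

```python
"""Data minimisation for reports (section 9.2.3): drop direct identifiers, keep a keyed pseudonym.

Added example, not from the report. The orders are constructed sample data and
the HMAC key is a placeholder; in production the key lives in a key store and is
rotated per reporting purpose, never embedded in source.
"""
import hashlib
import hmac

# Constructed sample orders in the shape an order system might export.
ORDERS = [
    {"order_id": 1001, "customer_name": "Tran Van A", "email": "a@example.com",
     "address": "12 Le Loi, District 1, HCMC", "part": "hub-32h", "qty": 40, "total_vnd": 8_000_000},
    {"order_id": 1002, "customer_name": "Nguyen Thi B", "email": "b@example.com",
     "address": "5 Hai Ba Trung, District 3, HCMC", "part": "rim-700c", "qty": 20, "total_vnd": 5_000_000},
    {"order_id": 1003, "customer_name": "Tran Van A", "email": "A@Example.com",
     "address": "12 Le Loi, District 1, HCMC", "part": "hub-32h", "qty": 20, "total_vnd": 4_000_000},
]

DIRECT_IDENTIFIERS = {"customer_name", "email", "address"}  # must never reach a report

REPORT_KEY = b"placeholder-report-key-rotate-me"  # placeholder only, not a real key


def pseudonym(email: str, key: bytes = REPORT_KEY) -> str:
    """Keyed hash of the normalised e-mail. The same customer maps to the same reference
    within one report, but the report alone cannot be reversed without the key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def minimise(order: dict, key: bytes = REPORT_KEY) -> dict:
    """Copy of the order with direct identifiers removed and a pseudonymous customer reference."""
    row = {k: v for k, v in order.items() if k not in DIRECT_IDENTIFIERS}
    row["customer_ref"] = pseudonym(order["email"], key)
    return row


def leaks_identifiers(row: dict) -> bool:
    """Guard to run on every row before a report leaves the system."""
    return bool(DIRECT_IDENTIFIERS & set(row))


def sales_report(orders=ORDERS, key: bytes = REPORT_KEY) -> dict:
    """Revenue per part and repeat-customer count, built only from minimised rows."""
    rows = [minimise(o, key) for o in orders]
    if any(leaks_identifiers(r) for r in rows):
        raise ValueError("report contains direct identifiers")
    revenue = {}
    orders_per_customer = {}
    for r in rows:
        revenue[r["part"]] = revenue.get(r["part"], 0) + r["total_vnd"]
        orders_per_customer[r["customer_ref"]] = orders_per_customer.get(r["customer_ref"], 0) + 1
    repeat_customers = sum(1 for n in orders_per_customer.values() if n > 1)
    return {"rows": rows, "revenue_per_part": revenue, "repeat_customers": repeat_customers}


if __name__ == "__main__":
    rep = sales_report()
    print(rep["revenue_per_part"], "repeat customers:", rep["repeat_customers"])
```

Note what the pseudonym does and does not give: the report can still count repeat customers (the third order is recognised as the first customer even though the e-mail was typed with different capitalisation), but someone holding only the report cannot recover the e-mail. Because the key is per purpose, a leaked sales report cannot be joined against a differently keyed marketing report either.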

Employees involved in data processing should be trained on secure handling practices to prevent common
errors, such as sending sensitive data via unsecured email. Wheelie Good should enforce the use of secure
communication channels, such as encrypted email services (e.g., Microsoft Outlook with Office 365
Message Encryption), for sharing customer or supplier data. The company should also deploy Data Loss
Prevention (DLP) tools, such as Symantec DLP, to monitor and block unauthorized data transfers, such as
an employee attempting to upload sensitive production data to a personal cloud storage account.
Additionally, Wheelie Good should conduct regular reviews of its processing activities to ensure compliance
with regulations like GDPR, which requires organizations to process data lawfully, fairly, and transparently.
For example, if Wheelie Good shares customer data with a third-party logistics provider, it must have a data
processing agreement (DPA) in place to ensure the provider adheres to the same privacy standards (Ciampa,
2022).

9.2.4. Data Retention and Destruction


Data retention and destruction policies are essential to ensure that Wheelie Good does not keep data longer
than necessary and disposes of it securely to prevent unauthorized recovery. The company should develop
a data retention policy that specifies retention periods for different types of data based on legal, regulatory,
and business requirements. For example, customer order data might be retained for five years to comply
with Vietnam’s tax regulations, while marketing consent records might be kept for two years to align with
GDPR’s storage limitation principle (European Union, 2016). Employee records, such as payroll data, might
be retained for seven years to meet labor law requirements in Vietnam (Vietnam Government, 2018). The
retention policy should be documented and communicated to all employees, with regular audits to ensure
compliance.

Once the retention period expires, data must be destroyed securely to prevent unauthorized access or
recovery. For physical documents, such as printed supplier contracts, Wheelie Good should use cross-cut
shredders to render the documents unreadable. For digital data, the company should use secure deletion
tools like DBAN (Darik’s Boot and Nuke) or software that overwrites data multiple times (e.g., using the
Gutmann 35-pass method) to ensure it cannot be recovered. For example, if Wheelie Good no longer needs
old customer records, the IT team should overwrite the data on its servers and verify that the deletion process
was successful. Additionally, if the company uses cloud storage, it should ensure that the provider offers
secure deletion capabilities and provides a certificate of destruction upon request. These measures protect
Wheelie Good from risks like data resurrection, where deleted data is recovered by malicious actors using
forensic tools (Ciampa, 2022).
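A retention policy of the kind this subsection describes is only auditable if the retention date of every record is computed from a written schedule and each destruction leaves a log entry. The following is an added example, not code from the report: the retention periods (five years for orders, two for marketing consent, seven for payroll) are the ones the text gives, while the record layout, the review date and the sample records are constructed for the example. It also handles the one calendar edge case that trips up such schedules, a record created on 29 February.

```python
"""Retention schedule and disposal log (section 9.2.4).

Added example, not from the report. Retention periods are the ones the report
states; the record layout, the disposal log, the review date and the sample
records are constructed for this example.
"""
from datetime import date

# category -> (years to retain, basis recorded for auditors), as given in the report
RETENTION = {
    "customer_order": (5, "Vietnam tax regulations"),
    "marketing_consent": (2, "GDPR storage limitation principle"),
    "payroll": (7, "Vietnam labour law"),
}

REVIEW_DATE = date(2025, 4, 8)  # constructed date of the retention review in this example

# Constructed sample records: what the review would read from each system.
RECORDS = [
    {"id": "ORD-2019-0031", "category": "customer_order", "created": date(2019, 3, 1)},
    {"id": "ORD-2024-1188", "category": "customer_order", "created": date(2024, 11, 5)},
    {"id": "CON-2022-0507", "category": "marketing_consent", "created": date(2022, 5, 7)},
    {"id": "PAY-2019-0001", "category": "payroll", "created": date(2019, 3, 1)},
    {"id": "ORD-2020-0229", "category": "customer_order", "created": date(2020, 2, 29)},
]


def disposal_date(category: str, created: date) -> date:
    """Date on which a record of this category must be destroyed."""
    if category not in RETENTION:
        raise KeyError(f"no retention period defined for category {category!r}")
    years, _ = RETENTION[category]
    try:
        return created.replace(year=created.year + years)
    except ValueError:  # created on 29 February and the target year is not a leap year
        return created.replace(year=created.year + years, day=28)


def due_for_destruction(records: list, today: date) -> list:
    """Records past their retention date, each carrying the basis an auditor will ask for."""
    due = []
    for rec in records:
        when = disposal_date(rec["category"], rec["created"])
        if when <= today:
            due.append({**rec, "disposal_date": when, "basis": RETENTION[rec["category"]][1]})
    return due


def record_destruction(rec: dict, today: date, method: str, verified_by: str) -> dict:
    """Disposal log entry: evidence that the record was destroyed and the result was checked."""
    return {"id": rec["id"], "category": rec["category"], "basis": rec["basis"],
            "destroyed_on": today, "method": method, "verified_by": verified_by}


def retention_review(records=RECORDS, today=REVIEW_DATE) -> list:
    """Run the review and return the disposal log for everything due on `today`."""
    return [record_destruction(rec, today, method="multi-pass overwrite", verified_by="it-admin")
            for rec in due_for_destruction(records, today)]


if __name__ == "__main__":
    for entry in retention_review():
        print(entry)
```

The unknown-category branch is deliberate: a record with no schedule entry should stop the review rather than be silently kept forever, which is exactly the storage-limitation failure the policy exists to prevent. The overwrite itself, and the certificate a cloud provider issues, are outside this snippet; what it models is the decision and the evidence trail around them.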

9.2.5. Data Monitoring and Auditing


Continuous monitoring and auditing are critical to maintaining the effectiveness of Wheelie Good’s data
protection practices. The company should deploy monitoring tools like Splunk or SolarWinds to track access
logs and detect suspicious activity in real time. For example, Splunk can alert the IT team to repeated failed
login attempts, which might indicate a phishing attack or a brute-force attempt to access the customer
database. Wheelie Good should also monitor data transfers to identify potential data exfiltration, such as an
employee downloading large amounts of production data to an external device, which could signal an insider
threat (ISO, 2013).
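The two detections the paragraph above expects from a monitoring tool, repeated failed logins and unusually large data transfers, come down to a sliding-window count and a size threshold. The following is an added example, not code from the report and not Splunk's own rule language: the log format, the sample lines and the thresholds (five failures from one source within ten minutes, transfers over 500 MB) are constructed assumptions, and the logic would sit in whatever alerting platform the company chooses.

```python
"""Detection logic over access logs (section 9.2.5): repeated failed logins and bulk transfers.

Added example, not from the report and not Splunk rule syntax. The log format and
the sample lines are constructed for this example; the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
XFER_RE = re.compile(r"^(?P<ts>\S+) transfer user=(?P<user>\S+) bytes=(?P<nbytes>\d+) dest=(?P<dest>\S+)$")

FAIL_THRESHOLD = 5                      # this many failures from one source ...
WINDOW = timedelta(minutes=10)          # ... inside this window raise an alert
BULK_BYTES = 500 * 1024 * 1024          # a single transfer larger than this is flagged

# Constructed sample log. One source fails against several accounts within four minutes;
# another fails twice and then succeeds, which looks like a forgotten password, not an attack.
SAMPLE_LOG = """
2025-03-10T08:00:01 auth FAIL user=nguyen.t src=203.0.113.7
2025-03-10T08:00:40 auth FAIL user=tran.v src=203.0.113.7
2025-03-10T08:01:15 auth FAIL user=le.h src=203.0.113.7
2025-03-10T08:02:02 auth FAIL user=pham.m src=203.0.113.7
2025-03-10T08:03:30 auth FAIL user=hoang.q src=203.0.113.7
2025-03-10T08:04:10 auth FAIL user=vo.d src=203.0.113.7
2025-03-10T08:10:00 auth FAIL user=dang.k src=198.51.100.4
2025-03-10T08:10:20 auth FAIL user=dang.k src=198.51.100.4
2025-03-10T08:10:45 auth OK user=dang.k src=198.51.100.4
2025-03-10T09:12:00 transfer user=pham.m bytes=734003200 dest=usb
2025-03-10T09:30:00 transfer user=le.h bytes=10485760 dest=sharepoint
""".strip().splitlines()


def detect_failed_logins(lines: list) -> list:
    """Alert once per source that accumulates FAIL_THRESHOLD failures within WINDOW."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["src"]]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop failures that have aged out of the window
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and m["src"] not in alerted:
            alerted.add(m["src"])
            alerts.append({"rule": "repeated_failed_logins", "src": m["src"],
                           "failures": len(window), "at": ts.isoformat()})
    return alerts


def detect_bulk_transfers(lines: list) -> list:
    """Flag single transfers above BULK_BYTES, a simple indicator of possible exfiltration."""
    alerts = []
    for line in lines:
        m = XFER_RE.match(line)
        if m and int(m["nbytes"]) > BULK_BYTES:
            alerts.append({"rule": "bulk_transfer", "user": m["user"],
                           "bytes": int(m["nbytes"]), "dest": m["dest"]})
    return alerts


def run(lines=SAMPLE_LOG) -> list:
    """All alerts for the given log lines."""
    return detect_failed_logins(lines) + detect_bulk_transfers(lines)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two choices matter for the analyst who receives the alerts. Counting by source rather than by account catches the case where each account sees only one failure, which a per-account rule would miss, and alerting once per source rather than on every further failure keeps one noisy host from flooding the queue. The second rule is intentionally crude; in practice the byte threshold would be set from a baseline of normal transfer sizes for the role.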

Regular audits should be conducted to assess compliance with internal policies and external regulations,
identifying gaps in the data protection process. For instance, an audit might reveal that some employees are
using weak passwords (e.g., “password123”), increasing the risk of unauthorized access. In response,
Wheelie Good should enforce a password policy requiring complex passwords and enable 2FA for all
accounts. Audits should also verify that encryption and access controls are functioning as intended, such as
ensuring that the customer database is encrypted with AES-256 and that RBAC permissions are correctly
configured. The company should conduct these audits at least annually, or more frequently if significant
changes occur, such as adopting new software or experiencing a security incident. Audit findings should be
documented, and corrective actions should be tracked to ensure continuous improvement (Ciampa, 2022).

9.2.6. Incident Response and Breach Management


Wheelie Good must establish a comprehensive incident response plan to handle data breaches effectively,
minimizing damage and ensuring compliance with legal requirements. The plan should include the
following steps:

1) Identification: Detect the breach using monitoring tools, such as Splunk alerts for unusual activity.

2) Containment: Isolate affected systems to prevent further damage, such as disconnecting a compromised
server from the network.

3) Notification: Inform affected parties, including customers, employees, and regulators, within the required
timeframes—72 hours under GDPR and Vietnam’s Law on Cybersecurity 2018 (European Union, 2016;
Vietnam Government, 2018). For example, if a phishing attack compromises customer data, Wheelie Good
should notify affected customers via email, explaining the breach and offering steps to protect their accounts
(e.g., changing passwords).

4) Recovery: Restore systems and data from secure backups, ensuring that the restored environment is free
of malware.

5) Post-Incident Review: Analyze the root cause of the breach and implement improvements, such as
enhancing employee training on phishing awareness or updating firewall rules to block similar attacks in
the future.

Wheelie Good should also conduct regular incident response drills to test the effectiveness of its plan. For
instance, a simulated ransomware attack can help the IT team practice isolating systems, restoring data, and
communicating with stakeholders. The company should designate an incident response team, including
members from IT, legal, and management, to ensure a coordinated response. Additionally, Wheelie Good
should maintain an up-to-date contact list for regulatory authorities, such as Vietnam’s Ministry of
Information and Communications, to facilitate timely breach reporting (Ciampa, 2022).

9.2.7 Employee Training and Awareness


Employee training is a cornerstone of data protection, as human error is a leading cause of data breaches.
Wheelie Good should implement a comprehensive training program to educate employees on data
protection best practices, including secure data handling, phishing awareness, and password management.
For example, employees should be trained to recognize phishing emails, such as those impersonating
suppliers, and to report suspicious messages to the IT team immediately. Training should also cover the
proper use of company systems, such as avoiding the use of personal email accounts to send customer data,
which could expose it to interception (Ciampa, 2022).

Training sessions should be conducted at least quarterly, with additional sessions for new hires, and should
include practical exercises, such as simulated phishing campaigns to test employee vigilance. Wheelie Good
should also distribute a data protection handbook outlining policies, such as the requirement to use encrypted
channels for data sharing and the prohibition of storing sensitive data on personal devices. To reinforce
accountability, the company should implement a policy of disciplinary action for non-compliance, such as
a warning for a first offense and termination for repeated violations. By fostering a culture of security
awareness, Wheelie Good can reduce the risk of human error and strengthen its overall data protection
posture (ISO, 2013).

Wheelie Good must comply with both local and international data protection regulations due to its
operations in Vietnam and exports to global markets. The following subsections detail key regulations and
their implications.

9.3. Regulations on Data Protection

Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global markets,
must comply with a variety of local and international data protection regulations to safeguard sensitive
information and avoid legal penalties. These regulations establish strict requirements for the collection,
processing, storage, and sharing of personal data, ensuring that organizations like Wheelie Good handle data
responsibly and transparently. The following subsections detail key data protection regulations, their
implications for Wheelie Good, and the specific measures the company should implement to ensure
compliance.

9.3.1 General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR), enforced in the European Union since May 2018, is one
of the most comprehensive data protection laws globally and applies to any organization processing the
personal data of EU residents, regardless of the organization’s location (European Union, 2016). Since
Wheelie Good exports bicycle parts to EU countries, it must comply with GDPR to avoid severe penalties
and maintain its market presence. The GDPR is built on several key principles: lawfulness, fairness, and
transparency (data processing must be legal and transparent to individuals), purpose limitation (data can
only be used for specified, legitimate purposes), data minimization (only necessary data should be
collected), accuracy (data must be correct and up-to-date), storage limitation (data should not be kept
longer than necessary), integrity and confidentiality (data must be protected against unauthorized access),
and accountability (organizations must demonstrate compliance through documentation and processes).

Under GDPR, individuals have rights such as the right to access their data, the right to rectify inaccuracies,
the right to erasure (also known as the “right to be forgotten”), the right to restrict processing, the right to
data portability, and the right to object to certain types of processing, such as marketing. For Wheelie Good,
this means that EU customers must be able to request access to their order history, correct any errors in their
personal information (e.g., an incorrect address), or request the deletion of their data after the business
relationship ends. The company must also obtain explicit consent before collecting personal data, such as
using an opt-in form on its website for marketing emails, and provide a clear privacy notice explaining how
data is used, stored, and protected.

GDPR also mandates that organizations report data breaches to the relevant supervisory authority within 72
hours of discovery and, in some cases, notify affected individuals. For Wheelie Good, this means
establishing an incident response plan to detect, contain, and report breaches promptly. For example, if a
phishing attack compromises EU customer data, Wheelie Good must notify the EU’s supervisory authority
(e.g., the European Data Protection Board) and affected customers within the 72-hour window, detailing the
nature of the breach and recommended actions (e.g., changing passwords). Non-compliance with GDPR
can result in fines of up to 4% of annual global revenue or €20 million, whichever is higher. In 2020, a
European retailer was fined €35 million for failing to secure customer data, highlighting the regulation’s
enforcement rigor (European Data Protection Board, 2020). To comply, Wheelie Good should appoint a
Data Protection Officer (DPO) to oversee GDPR compliance, conduct regular data protection impact
assessments (DPIAs) for high-risk processing activities (e.g., cross-border data transfers), and implement
technical measures like encryption and access controls to secure customer data (Ciampa, 2022).
51
9.3.2 California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), effective since January 2020, protects the privacy rights of
California residents and applies to businesses that collect their personal data, including Wheelie Good if it
serves customers in California (State of California, 2020). The CCPA applies to companies that meet certain
criteria, such as having annual gross revenues exceeding $25 million, processing data of 50,000 or more
consumers, or deriving 50% or more of their revenue from selling consumer data. Given Wheelie Good’s
export operations, it may meet these thresholds, especially if it processes data for a large number of
California customers.

The CCPA grants consumers several rights, including the right to know what personal information is
collected about them, the right to request deletion of their data, the right to opt-out of the sale of their
information, and the right to non-discrimination for exercising these rights. For Wheelie Good, this means
providing a clear privacy notice on its website, detailing what data is collected (e.g., names, addresses,
payment details) and how it is used (e.g., for order fulfillment or marketing). The company must also
implement a mechanism for California customers to opt-out of data sharing, such as a “Do Not Sell My
Personal Information” link on its website, which allows customers to prevent their data from being shared
with third parties like marketing partners. Additionally, Wheelie Good must honor deletion requests,
ensuring that customer data is securely erased from its systems upon request, except where retention is
required for legal purposes (e.g., tax records).

Non-compliance with the CCPA can lead to fines of up to $7,500 per intentional violation, which could
accumulate quickly if Wheelie Good processes data for thousands of California customers. In 2021, a U.S.-
based retailer was fined $1.2 million for failing to provide an opt-out mechanism, demonstrating the
regulation’s enforcement (California Attorney General, 2021). To comply, Wheelie Good should conduct
an audit of its data collection practices to identify all personal data related to California residents, update its
website with a CCPA-compliant privacy notice, and train its customer service team to handle consumer
requests efficiently. The company should also implement a data mapping process to track where California
customer data is stored and ensure it can be deleted promptly when requested (Ciampa, 2022).

9.3.3 Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability and Accountability Act (HIPAA), enacted in the United States in 1996,
sets standards for protecting the confidentiality, integrity, and availability of protected health information
(PHI) in the healthcare sector (U.S. Department of Health & Human Services, 1996). While HIPAA
primarily applies to healthcare providers, it is relevant for Wheelie Good if the company handles health-
related data, such as employee medical records for insurance or occupational health purposes. For example,
if Wheelie Good provides health insurance to its employees, it may collect medical information like
vaccination records or health check-up results, which are considered PHI under HIPAA.

HIPAA requires organizations to implement safeguards to protect PHI, including administrative
safeguards (e.g., policies and training), physical safeguards (e.g., securing facilities where PHI is stored),
and technical safeguards (e.g., encryption and access controls). For Wheelie Good, this means encrypting
employee health records stored in its HR database, restricting access to the HR department, and logging all
access attempts to ensure accountability. The company must also conduct regular risk assessments to
identify vulnerabilities in its handling of PHI, such as ensuring that employee medical files are not stored
on unsecured devices like personal laptops. Additionally, HIPAA requires a business associate agreement
(BAA) if Wheelie Good shares PHI with third parties, such as an insurance provider, to ensure the third
party also complies with HIPAA standards.

Non-compliance with HIPAA can result in fines ranging from $100 to $50,000 per violation, with a
maximum annual penalty of $1.5 million for repeated violations. In 2022, a U.S. company was fined
$240,000 for failing to secure employee health records, leading to a breach that exposed sensitive medical
information (U.S. Department of Health & Human Services, 2022). To comply, Wheelie Good should
implement encryption for all PHI, train HR staff on HIPAA requirements, and conduct annual audits to
ensure compliance. The company should also maintain an incident response plan to address any breaches
involving PHI, including notifying affected employees and the U.S. Department of Health & Human
Services within 60 days of discovery (Ciampa, 2022).

9.3.4 Vietnam’s Law on Cybersecurity 2018


In Vietnam, the Law on Cybersecurity 2018 is a key regulation that mandates organizations to protect
personal data and secure their IT systems (Vietnam Government, 2018). The law applies to all entities
operating in Vietnam, including Wheelie Good, and focuses on ensuring the security of cyberspace,
protecting national security, and safeguarding user data. It requires organizations to implement technical
and organizational measures to prevent data breaches, such as deploying firewalls, intrusion detection
systems, and antivirus software to protect against cyberattacks. For Wheelie Good, this means securing its
customer database and production systems with tools like Cisco Firepower firewalls and Symantec Endpoint
Protection to detect and block malware.

The law also mandates that organizations report data breaches to the Ministry of Information and
Communications within 72 hours of discovery, ensuring transparency and enabling swift action to mitigate
damage. For example, if Wheelie Good experiences a ransomware attack that compromises customer data,
it must notify the authorities within the 72-hour window, detailing the nature of the breach and the steps
taken to address it. Additionally, the law emphasizes data localization, requiring certain types of data (e.g.,
personal data of Vietnamese citizens) to be stored within Vietnam. This means Wheelie Good must carefully
select its cloud storage providers, ensuring that providers like AWS or Google Cloud have data centers in
Vietnam or comply with localization requirements through contractual agreements.

Non-compliance with the Law on Cybersecurity 2018 can lead to fines, suspension of operations, or
reputational damage. In 2020, a Vietnamese e-commerce company was fined $50,000 for failing to secure
customer data, resulting in a breach that exposed 10,000 records (Nguyen, 2021). To comply, Wheelie Good
should establish an incident response team to handle breach notifications, conduct regular security
assessments to identify vulnerabilities, and ensure that its data storage practices align with localization
requirements. The company should also train its IT staff on the law’s requirements to ensure ongoing
compliance (Ciampa, 2022).

9.3.5 Vietnam’s Personal Data Protection Decree 2023


Vietnam’s Personal Data Protection Decree (Decree No. 13/2023/ND-CP), effective since July 2023, builds
on the Law on Cybersecurity 2018 by providing a more detailed framework for protecting personal data
(Vietnam Government, 2023). The decree applies to all organizations processing personal data in Vietnam,
including Wheelie Good, and aligns with global standards like GDPR. It defines personal data as any
information relating to an identified or identifiable individual, such as names, addresses, and payment
details, and distinguishes between “basic personal data” (e.g., name, date of birth) and “sensitive personal
data” (e.g., financial information, health records), which require stricter protection.

The decree requires organizations to obtain explicit consent before processing personal data, conduct data
protection impact assessments (DPIAs) for high-risk activities, and appoint a Data Protection Officer (DPO)
to oversee compliance. For Wheelie Good, this means conducting a DPIA before transferring customer data
to EU servers for order processing, assessing risks like data interception during transfer, and implementing
mitigation measures such as TLS encryption. The company must also appoint a DPO to monitor compliance,
handle customer data requests, and liaise with authorities during investigations. Additionally, the decree
imposes strict conditions on cross-border data transfers, requiring organizations to ensure that the receiving
country provides an adequate level of protection or obtain approval from Vietnamese authorities. For
Wheelie Good, this means ensuring that its EU-based cloud provider complies with both GDPR and
Vietnamese requirements, possibly through a contractual agreement or certification.

Non-compliance with the decree can result in fines of up to 5% of annual revenue in Vietnam, as well as
reputational damage. In 2024, a Vietnamese logistics company was fined $75,000 for failing to conduct a
DPIA before transferring sensitive customer data overseas, highlighting the decree’s enforcement (Nguyen,
2024). To comply, Wheelie Good should integrate DPIAs into its data processing workflows, train
employees on the decree’s requirements, and maintain detailed records of consent and data transfers to
demonstrate compliance during audits (Ciampa, 2022).

9.3.6 Asia-Pacific Economic Cooperation (APEC) Privacy Framework


The Asia-Pacific Economic Cooperation (APEC) Privacy Framework, established in 2004 and updated in
2015, provides a voluntary framework for data protection across APEC member economies, including
Vietnam (APEC, 2015). While not legally binding, the framework encourages organizations to adopt
consistent privacy practices, facilitating cross-border data flows in the Asia-Pacific region. The framework
is based on principles like preventing harm, notice, collection limitation, use limitation, choice,
integrity, security safeguards, access and correction, and accountability. For Wheelie Good, which may
collaborate with suppliers or customers in APEC countries like Japan or Australia, adhering to the APEC
Privacy Framework can enhance interoperability with regional partners.

The framework’s Cross-Border Privacy Rules (CBPR) system allows organizations to certify their data
protection practices, ensuring compliance with APEC standards. For Wheelie Good, obtaining CBPR
certification could streamline data transfers with APEC partners by demonstrating that its practices meet
regional privacy expectations. For example, if Wheelie Good shares supplier data with a Japanese partner,
CBPR certification can provide assurance that the data is handled securely, reducing legal and operational
risks. To align with the framework, Wheelie Good should provide clear notices to customers about data
usage, offer choices for data sharing (e.g., opt-in/opt-out options), and implement security safeguards like
encryption and access controls. While non-compliance does not result in fines, failing to align with the
framework could hinder Wheelie Good’s ability to expand in the APEC region (Ciampa, 2022).

9.3.7 Practical Steps for Compliance


To ensure compliance with these regulations, Wheelie Good should take the following steps:

• Develop a Compliance Roadmap: Create a detailed plan to address the requirements of GDPR, CCPA,
HIPAA, Vietnam’s laws, and the APEC Privacy Framework, prioritizing high-risk areas like cross-
border data transfers.
• Implement Technical Safeguards: Use encryption (e.g., AES-256, TLS), access controls (e.g., RBAC,
2FA), and monitoring tools (e.g., Splunk) to secure data across all systems.
• Train Employees: Conduct regular training on data protection regulations, focusing on consent, breach
reporting, and secure data handling practices.
• Engage Legal Experts: Consult with legal professionals to ensure that contracts with third parties (e.g.,
cloud providers, logistics partners) include data protection clauses, such as DPAs for GDPR and BAAs
for HIPAA.
• Maintain Documentation: Keep detailed records of consent, DPIAs, breach notifications, and audit
findings to demonstrate compliance during regulatory inspections.

By adhering to these regulations, Wheelie Good can mitigate legal risks, enhance its reputation, and build
trust with customers and partners worldwide.

Data protection and regulatory compliance are vital for Wheelie Good, offering multiple benefits that
enhance its security, reputation, and operational efficiency.

9.4. Why Data Protection and Compliance with Security Regulations Are Important
Data protection and compliance with security regulations are critical for Wheelie Good, a bicycle parts
manufacturer in Ho Chi Minh City with export operations to global markets. These practices not only
safeguard the company’s sensitive information but also ensure its legal, operational, and reputational
integrity. By prioritizing data protection, Wheelie Good can mitigate risks, meet regulatory requirements,
build trust with stakeholders, and maintain a competitive edge in the industry. The following subsections
explore the multifaceted importance of these practices, with specific applications to Wheelie Good’s
operations.

9.4.1 Preventing Cyber Threats
Data protection measures are essential for defending Wheelie Good against a wide range of cyber threats,
including hacking, phishing, ransomware, and data breaches. Without robust safeguards, sensitive
information such as customer data, proprietary designs, and production schedules could be compromised,
leading to significant financial and operational damage. For example, in 2021, a Vietnamese manufacturing
company suffered a ransomware attack that encrypted its production systems, forcing it to pay a $200,000
ransom and endure two weeks of downtime, resulting in $500,000 in lost revenue (Nguyen, 2022). For
Wheelie Good, a similar attack could halt its manufacturing operations, delay customer orders, and damage
its reputation with international clients.

To mitigate these risks, Wheelie Good should implement technical safeguards such as encryption (e.g.,
AES-256 for stored data, TLS for data in transit), firewalls (e.g., Cisco Firepower), and antivirus software
(e.g., Symantec Endpoint Protection) to protect its systems from malware. The company should also deploy
intrusion detection systems (IDS) to monitor for suspicious activity, such as unauthorized access attempts
to its customer database. Additionally, employee training on phishing awareness can reduce the likelihood
of successful attacks, as phishing is a common entry point for cybercriminals. By investing in these
measures, Wheelie Good can significantly reduce the risk of cyber threats, ensuring the security of its digital
assets and maintaining operational continuity (Ciampa, 2022).

9.4.2 Ensuring Legal Compliance


Compliance with data protection regulations is a legal obligation for Wheelie Good, given its operations in
Vietnam and exports to markets like the European Union and the United States. Regulations such as the
General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Vietnam’s
Law on Cybersecurity 2018, and Vietnam’s Personal Data Protection Decree 2023 impose strict
requirements on how personal data is collected, processed, and stored (European Union, 2016; State of
California, 2020; Vietnam Government, 2018; Vietnam Government, 2023). Non-compliance can result in
severe penalties, including fines, legal actions, and operational restrictions, which could jeopardize Wheelie
Good’s financial stability and market presence.

For instance, under GDPR, Wheelie Good could face fines of up to 4% of its annual global revenue or €20
million, whichever is higher, for failing to protect EU customer data or report a breach within 72 hours. In
2020, a European retailer was fined €35 million for inadequate data security measures, highlighting the
regulation’s enforcement rigor (European Data Protection Board, 2020). Similarly, Vietnam’s Law on
Cybersecurity 2018 requires breach reporting within 72 hours, with non-compliance leading to fines and
potential suspension of operations. A 2020 case saw a Vietnamese e-commerce company fined $50,000 for
failing to secure customer data, resulting in a breach that exposed 10,000 records (Nguyen, 2021). To avoid
such penalties, Wheelie Good must implement measures like encryption, access controls, and an incident
response plan to ensure timely breach reporting. Compliance also involves conducting regular audits,
appointing a Data Protection Officer (DPO), and maintaining detailed records of data processing activities
to demonstrate adherence to regulatory requirements (Ciampa, 2022).

9.4.3 Building Customer Trust
In an era where consumers are increasingly concerned about privacy, transparent data protection practices
are crucial for building and maintaining customer trust. For Wheelie Good, which relies on international
clients for its export business, demonstrating a commitment to data protection can foster loyalty and enhance
its reputation. Customers expect organizations to handle their personal information responsibly, providing
clear privacy notices, obtaining explicit consent, and offering rights to access or delete their data. A 2023
survey found that 78% of consumers prefer to buy from companies that prioritize data privacy, even if it
means paying a premium (Pham, 2023). For Wheelie Good, this trust translates into repeat business, positive
word-of-mouth, and a stronger market position.

For example, if Wheelie Good provides EU customers with a clear privacy notice on its website, explaining
how their data is used and offering an easy way to opt-out of marketing emails, it can build confidence
among privacy-conscious clients. Conversely, a data breach can erode trust and drive customers away. In
2021, a Vietnamese e-commerce company lost 30% of its customer base after a breach exposed 10,000
records, as negative media coverage damaged its reputation (Nguyen, 2021). By implementing robust data
protection measures—such as encrypting customer data, restricting access through role-based access control
(RBAC), and honoring data subject rights—Wheelie Good can demonstrate its commitment to privacy,
fostering long-term customer loyalty and strengthening its brand in the competitive bicycle parts market
(Ciampa, 2022).

9.4.4 Supporting Business Continuity


Effective data protection ensures that Wheelie Good’s critical systems and data remain available, even
during incidents like data breaches, ransomware attacks, or system failures. For a manufacturing company,
operational continuity is paramount, as downtime can lead to missed production deadlines, delayed
shipments, and lost revenue. For instance, if a ransomware attack encrypts Wheelie Good’s production
database, the company could face days or weeks of downtime, disrupting its ability to fulfill customer orders
and meet export commitments. In 2019, a Vietnamese manufacturer without secure backups suffered a
month-long shutdown after a ransomware attack, costing $1 million in lost production and penalties for
delayed deliveries (Nguyen, 2020).

To support business continuity, Wheelie Good should implement a comprehensive backup strategy,
conducting daily incremental backups and weekly full backups to a secure offsite location, such as an AWS
S3 bucket with versioning enabled. This ensures that data can be restored quickly in case of an attack,
minimizing downtime. The company should also develop a disaster recovery plan, outlining steps to restore
systems and resume operations after an incident. For example, the plan might include isolating affected
systems, restoring data from backups, and verifying system integrity before resuming production.
Additionally, Wheelie Good should deploy high-availability solutions, such as redundant servers and load
balancers, to ensure that its production management system remains operational during peak periods. By
prioritizing data protection, the company can maintain its ability to meet customer demands, avoid financial
losses, and uphold its reputation for reliability (Ciampa, 2022).
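The weekly-full, daily-incremental scheme and the "verify before resuming production" step described above, as an added example that is not code from the report or from Wheelie Good. The upload to a versioned S3 bucket is assumed to happen outside the script (hypothetical); it backs up to a local directory and uses constructed sample files so it runs offline.

```python
"""Weekly-full / daily-incremental backup with restore verification.
Added example for the strategy recommended above, not code from the report or from Wheelie Good.
The copy to a versioned S3 bucket is assumed to happen outside this module (hypothetical); the
"offsite" destination here is a local directory so the example runs offline.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

FULL_BACKUP_WEEKDAY = 6  # date.weekday(): Monday=0 ... Sunday=6 (assumed schedule)
MANIFEST_NAME = "MANIFEST.json"


def backup_kind(day: date) -> str:
    """Weekly full backup on Sunday, incremental on every other day."""
    return "full" if day.weekday() == FULL_BACKUP_WEEKDAY else "incremental"


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large design files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict[str, str]:
    """Map every file under source (relative POSIX path) to its digest."""
    return {p.relative_to(source).as_posix(): sha256_file(p) for p in sorted(source.rglob("*")) if p.is_file()}


def select_files(current: dict[str, str], previous: dict[str, str] | None, kind: str) -> list[str]:
    """Full set: every file. Incremental set: only files new or changed since the previous manifest."""
    if kind == "full" or previous is None:
        return sorted(current)
    return sorted(f for f, digest in current.items() if previous.get(f) != digest)


def run_backup(source: Path, dest: Path, day: date, previous: dict[str, str] | None) -> dict:
    """Write one backup set; its manifest describes the whole tree, not only the files copied."""
    kind = backup_kind(day)
    current = build_manifest(source)
    files = select_files(current, previous, kind)
    set_dir = dest / f"{day.isoformat()}-{kind}"
    set_dir.mkdir(parents=True, exist_ok=True)  # an incremental set may copy no files at all
    for rel in files:
        target = set_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes((source / rel).read_bytes())
    (set_dir / MANIFEST_NAME).write_text(json.dumps(current, indent=2, sort_keys=True))
    return {"kind": kind, "files": files, "manifest": current, "path": set_dir}


def restore(backup_sets: list[Path], target: Path) -> None:
    """Apply the full set, then each later incremental set in order (set names sort by ISO date)."""
    for set_dir in sorted(backup_sets):
        for p in set_dir.rglob("*"):
            if p.is_file() and p.name != MANIFEST_NAME:
                out = target / p.relative_to(set_dir)
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(p.read_bytes())


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Integrity check before production resumes: files that are missing or whose digest differs."""
    return [rel for rel, expected in manifest.items()
            if not (restored / rel).is_file() or sha256_file(restored / rel) != expected]


def demo() -> dict:
    """Constructed sample: two files, a Sunday full backup, a Monday change, then restore and verify."""
    base = Path(tempfile.mkdtemp(prefix="wheelie-backup-"))
    src, dst, rst = base / "src", base / "backups", base / "restored"
    for d in (src / "designs", dst, rst):
        d.mkdir(parents=True)
    (src / "orders.csv").write_text("order_id,customer\n1001,EU-customer-A\n")
    (src / "designs" / "crank.dxf").write_text("constructed drawing data\n")
    full = run_backup(src, dst, date(2025, 4, 6), previous=None)  # 2025-04-06 is a Sunday
    (src / "orders.csv").write_text("order_id,customer\n1001,EU-customer-A\n1002,EU-customer-B\n")
    incr = run_backup(src, dst, date(2025, 4, 7), previous=full["manifest"])
    restore([full["path"], incr["path"]], rst)
    return {"full_kind": full["kind"], "full_files": full["files"],
            "incr_kind": incr["kind"], "incr_files": incr["files"],
            "problems": verify_restore(rst, incr["manifest"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Files deleted from the source stay in the restored tree, because the sets only ever add; the manifest check still passes since it flags only missing or altered files.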

9.4.5 Creating a Competitive Advantage
Prioritizing data protection and compliance can give Wheelie Good a competitive edge, particularly in
privacy-conscious markets like the EU, where customers and partners value organizations that adhere to
high security standards. Companies that demonstrate robust data protection practices are more likely to
attract clients who prioritize privacy over cost, especially in industries where trust is a key differentiator.
For example, in 2022, a competitor of Wheelie Good lost a major EU contract due to non-compliance with
GDPR, while a GDPR-compliant rival secured the deal, gaining a 15% increase in market share (Pham,
2023). By aligning with global standards like GDPR, CCPA, and the APEC Privacy Framework, Wheelie
Good can position itself as a trusted partner, differentiating itself from competitors and expanding its market
presence.

Compliance with these regulations also enables Wheelie Good to participate in international data-sharing
agreements, such as the APEC Cross-Border Privacy Rules (CBPR) system, which facilitates secure data
transfers with APEC member economies like Japan and Australia (APEC, 2015). For instance, CBPR
certification can provide assurance to Japanese partners that Wheelie Good’s data protection practices meet
regional standards, making it easier to collaborate on supply chain initiatives. Additionally, a strong data
protection posture can attract investors and partners who prioritize cybersecurity in their due diligence. By
investing in data protection, Wheelie Good can not only meet customer expectations but also gain a strategic
advantage in the global marketplace (Ciampa, 2022).

9.4.6 Enhancing Employee Awareness and Accountability


Data protection processes play a crucial role in fostering a culture of security awareness among Wheelie
Good’s employees, reducing the risk of human error—one of the leading causes of data breaches. Employees
are often the first line of defense against cyber threats, and their actions can significantly impact the
company’s security posture. For example, a 2022 phishing attack on a Vietnamese manufacturer succeeded
because employees lacked training, resulting in a $100,000 loss after hackers gained access to the company’s
financial systems (Nguyen, 2022). By implementing regular training programs, Wheelie Good can educate
employees on best practices, such as recognizing phishing emails, using strong passwords, and handling
sensitive data securely.

Training should be conducted at least quarterly, with additional sessions for new hires, and include practical
exercises like simulated phishing campaigns to test employee vigilance. For instance, Wheelie Good could
send a fake phishing email to employees, tracking how many click on suspicious links, and use the results
to tailor future training. The company should also distribute a data protection handbook outlining policies,
such as the requirement to use encrypted channels (e.g., Microsoft Outlook with Office 365 Message
Encryption) for sharing customer data and the prohibition of storing sensitive information on personal
devices. To reinforce accountability, Wheelie Good should implement a policy of disciplinary action for
non-compliance, such as a warning for a first offense and termination for repeated violations. By enhancing
employee awareness and accountability, the company can reduce the risk of human error, creating a more
secure organizational environment (Ciampa, 2022).

9.4.7 Mitigating Reputational Damage
A data breach can severely damage Wheelie Good’s reputation, particularly in export markets where trust
and reliability are paramount. Negative publicity following a breach can erode customer confidence, drive
away business partners, and harm the company’s brand image. For example, in 2021, a Vietnamese e-
commerce company experienced a 30% drop in customer retention after a breach exposed 10,000 records,
as media coverage highlighted the company’s failure to protect user data (Nguyen, 2021). For Wheelie
Good, a similar incident could lead to lost contracts with EU clients, who are particularly sensitive to privacy
issues due to GDPR’s influence, and damage its reputation as a reliable supplier in the bicycle parts industry.

Effective data protection measures can mitigate these risks by preventing breaches and demonstrating
Wheelie Good’s commitment to security. For instance, by encrypting customer data, implementing access
controls, and conducting regular security audits, the company can reduce the likelihood of a breach
occurring. In the event of an incident, a well-executed incident response plan—such as promptly notifying
affected customers and offering support like free credit monitoring—can help minimize reputational
damage. Additionally, Wheelie Good can leverage its compliance with regulations like GDPR and the
APEC Privacy Framework to market itself as a privacy-focused organization, enhancing its reputation
among privacy-conscious clients. By prioritizing data protection, the company can safeguard its brand and
maintain the trust of its stakeholders (Ciampa, 2022).

9.4.8 Reducing Financial Losses


Data breaches and non-compliance with regulations can result in significant financial losses for Wheelie
Good, including fines, legal fees, ransom payments, and lost revenue due to downtime. For example, a
ransomware attack that encrypts the company’s production database could force Wheelie Good to pay a
ransom to regain access, while also incurring costs from halted production and missed deadlines. In 2023,
a Vietnamese logistics company paid a $150,000 ransom after a ransomware attack, in addition to losing
$300,000 in revenue due to a week-long shutdown (Nguyen, 2023). Additionally, non-compliance with
regulations like GDPR or Vietnam’s Personal Data Protection Decree can lead to hefty fines, as discussed
earlier.

Beyond direct costs, a breach can lead to indirect financial impacts, such as increased insurance premiums,
the cost of hiring cybersecurity experts to remediate the incident, and the expense of implementing new
security measures to prevent future attacks. For Wheelie Good, a breach could also result in lost business
opportunities, as customers and partners may choose to work with competitors perceived as more secure.
By investing in data protection measures—such as encryption, backups, and employee training—the
company can reduce the likelihood and impact of breaches, minimizing financial losses. Furthermore,
compliance with regulations can help Wheelie Good avoid fines and legal costs, ensuring its financial
stability and allowing it to allocate resources to growth initiatives rather than damage control (Ciampa,
2022).

9.4.9 Facilitating International Expansion
For Wheelie Good, which aims to expand its export operations, compliance with international data
protection regulations is essential to entering and succeeding in new markets. Regulations like GDPR,
CCPA, and the APEC Privacy Framework set the standard for data protection in their respective regions,
and non-compliance can act as a barrier to market entry. For example, EU clients may refuse to do business
with Wheelie Good if it cannot demonstrate GDPR compliance, as they risk liability for working with non-
compliant partners. Similarly, APEC’s CBPR certification can facilitate data transfers with member
economies, making it easier for Wheelie Good to collaborate with suppliers in Japan or customers in
Australia (APEC, 2015).

Compliance also enhances Wheelie Good’s credibility with international partners, who often require
vendors to meet stringent security standards as part of their supply chain due diligence. For instance, a large
EU retailer might require Wheelie Good to provide evidence of GDPR compliance, such as a DPIA for
cross-border data transfers, before signing a contract. By aligning with these regulations, Wheelie Good can
not only meet legal requirements but also position itself as a reliable partner, opening doors to new markets
and opportunities. This is particularly important in the bicycle parts industry, where global supply chains
require seamless and secure data sharing between manufacturers, suppliers, and distributors (Ciampa, 2022).

9.4.10 Supporting Ethical Business Practices


Data protection and compliance with security regulations reflect Wheelie Good’s commitment to ethical
business practices, which are increasingly valued by customers, employees, and regulators. Handling
personal data responsibly—such as obtaining consent, providing transparency, and respecting data subject
rights—demonstrates respect for individuals’ privacy and aligns with ethical principles. For Wheelie Good,
this means ensuring that customer data is not misused for unauthorized purposes, such as selling it to third
parties without consent, which could exploit customer trust and violate regulations like the CCPA.

Ethical data practices also contribute to a positive workplace culture, as employees are more likely to feel
valued and respected when their personal information is protected. For example, by securing employee
records under HIPAA standards and providing transparency about how their data is used, Wheelie Good
can foster a sense of trust and loyalty among its workforce. Additionally, ethical practices can enhance the
company’s reputation with regulators and the public, reducing the likelihood of scrutiny or investigations.
In 2022, a Vietnamese company gained positive media attention for its ethical data handling practices,
leading to a 10% increase in customer acquisition (Pham, 2023). By prioritizing data protection, Wheelie
Good can uphold its ethical standards, strengthen its relationships with stakeholders, and contribute to a
more responsible business ecosystem (Ciampa, 2022).

10. Summarise an appropriate risk-management approach or ISO standard and its application in IT security. (M3)
10.1. Definition of the ISO/IEC 27001 Standard
ISO/IEC 27001 is an internationally recognized standard for establishing, implementing, maintaining, and
continually improving an Information Security Management System (ISMS), published by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2013,
with its latest revision in 2022 (ISO, 2013). The standard provides a systematic and risk-based approach to
managing information security, ensuring the confidentiality, integrity, and availability of an organization’s
information assets—often referred to as the CIA Triad. **Confidentiality** ensures that data is only
accessible to authorized individuals, **integrity** guarantees that data remains accurate and unaltered, and
**availability** ensures that data and systems are accessible when needed. ISO/IEC 27001 is designed to
be flexible, allowing organizations of all sizes and industries to tailor its requirements to their specific
context, making it a globally accepted benchmark for information security.

The core of ISO/IEC 27001 is the establishment of an ISMS, which is a set of policies, procedures, and
processes that manage information security risks in a structured manner. The standard follows the Plan-Do-
Check-Act (PDCA) cycle to ensure continuous improvement: **Plan** involves establishing the ISMS,
defining its scope, and identifying risks; **Do** involves implementing controls to mitigate those risks;
**Check** involves monitoring, measuring, and reviewing the ISMS’s performance; and **Act** involves
taking corrective actions to improve the system. ISO/IEC 27001 includes 10 main clauses, covering aspects
like leadership commitment, risk management, and performance evaluation, and an Annex A with 114
controls across 14 domains, such as access control, cryptography, physical security, supplier relationships,
and incident response. These controls provide a comprehensive toolkit for addressing various security risks,
which organizations can select and customize based on their risk assessment (Ciampa, 2022).

For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global
markets, ISO/IEC 27001 offers a robust framework to protect its critical information assets, including
customer data (e.g., names, addresses, payment details), employee records, production schedules, and
proprietary designs for bicycle components. The standard helps Wheelie Good align its security practices
with international best practices, ensuring compliance with regulations like the General Data Protection
Regulation (GDPR), Vietnam’s Law on Cybersecurity 2018, and Vietnam’s Personal Data Protection
Decree 2023 (European Union, 2016; Vietnam Government, 2018; Vietnam Government, 2023). By
adopting ISO/IEC 27001, Wheelie Good can not only safeguard its IT systems but also enhance its
reputation with international clients, demonstrating a commitment to security that is critical for maintaining
trust in competitive markets (ISO, 2013).

ISO/IEC 27001 also emphasizes a risk-based approach, requiring organizations to identify their information
assets, assess the risks to those assets, and implement controls to mitigate those risks. This approach ensures
that security efforts are focused on the most significant threats, optimizing resource allocation. For Wheelie
Good, this means prioritizing the protection of its production database, which is critical for manufacturing
operations, and its customer database, which contains sensitive personal data subject to strict privacy laws.
The standard’s flexibility allows Wheelie Good to adapt its ISMS to its specific needs, such as addressing
the unique risks of operating in Vietnam (e.g., frequent phishing attacks in the region) and exporting to the
EU (e.g., GDPR compliance requirements). Additionally, ISO/IEC 27001 certification can provide a
competitive advantage, as many global clients and partners require vendors to demonstrate compliance with
recognized security standards (Ciampa, 2022).

10.2. Application in IT Security
ISO/IEC 27001 provides a comprehensive framework for managing IT security risks, which Wheelie Good
can apply to protect its systems, data, and operations. The following subsections detail how the standard can
be implemented in key areas of IT security, with specific applications, tools, and best practices tailored to
the company’s context.

10.2.1 Risk Assessment


The risk assessment process is a cornerstone of ISO/IEC 27001, requiring organizations to systematically
identify, analyze, and evaluate risks to their information assets. This process involves several steps:

1) Asset identification: Wheelie Good must catalog its information assets, such as its customer database,
production management system, employee records, and proprietary designs, assigning ownership to each
asset (e.g., the IT manager for the customer database).

2) Threat and vulnerability identification: The company should identify potential threats, such as
phishing attacks targeting employees, ransomware that could encrypt production data, or vulnerabilities like
unpatched software on its servers. For example, Wheelie Good might identify that its email system lacks
advanced filtering, making it susceptible to phishing, and its servers run outdated software, increasing the
risk of exploitation.

3) Risk analysis: The company should assess the likelihood and impact of each risk, using qualitative or
quantitative methods. For instance, a phishing attack might be rated as “likely” (4/5) due to frequent attempts
in the manufacturing sector (Nguyen, 2023), with a “major” impact (4/5) if it leads to a data breach costing
$200,000 in losses and reputational damage.

4) Risk evaluation: Using a risk matrix, Wheelie Good can prioritize risks, focusing on high-priority risks
(e.g., likelihood × impact ≥ 12) like phishing and ransomware (ISO, 2013).

Wheelie Good should conduct risk assessments at least annually, or more frequently if significant changes
occur, such as adopting new software, experiencing a security incident, or expanding operations. The
company can use tools like the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability
Evaluation) methodology or software like RiskWatch to streamline the process, ensuring that all risks are
documented and prioritized. For example, the risk assessment might reveal that Wheelie Good’s production
management system is at high risk of ransomware due to a lack of regular backups and outdated antivirus
software, prompting the company to address this risk as a priority. By following ISO/IEC 27001’s risk
assessment process, Wheelie Good can gain a clear understanding of its security posture and allocate
resources effectively to mitigate the most significant threats (Ciampa, 2022).
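The four assessment steps above can be carried as a small risk register. The following is an added example, not part of the original report: the assets, owners, threats and scores are constructed to match the Wheelie Good scenario, the high-priority cut-off (likelihood × impact ≥ 12) is the one used in the text, and the medium cut-off (score ≥ 6) is an assumption.

```python
"""Risk register for an ISO/IEC 27001-style risk assessment.

Added example; entries are constructed for the Wheelie Good scenario.
Likelihood and impact use a 5-point scale, scored as likelihood x impact.
"""
from dataclasses import dataclass, field

HIGH_PRIORITY_THRESHOLD = 12   # from the report: likelihood x impact >= 12
MEDIUM_THRESHOLD = 6           # assumption: below this a risk is "low"


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the 5-point scale so the matrix stays meaningful.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.score >= HIGH_PRIORITY_THRESHOLD:
            return "high"
        if self.score >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe outcomes surface first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def high_priority(register: list[Risk]) -> list[Risk]:
    """The subset that the report says should be addressed first."""
    return [r for r in prioritise(register) if r.level == "high"]


def build_register() -> list[Risk]:
    # Constructed entries mirroring the assessment described in the text.
    return [
        Risk("Customer database", "IT manager",
             "Phishing leading to credential theft", likelihood=4, impact=4,
             controls=["email filtering", "2FA", "awareness training"]),
        Risk("Production management system", "Production manager",
             "Ransomware encrypting production data", likelihood=4, impact=5,
             controls=["monthly patching", "endpoint protection", "offsite backups"]),
        Risk("Proprietary designs", "R&D lead",
             "Insider copying files to USB", likelihood=2, impact=4,
             controls=["USB policy", "data loss prevention"]),
        Risk("Public website", "IT manager",
             "Defacement", likelihood=2, impact=2, controls=["WAF"]),
    ]


def render(register: list[Risk]) -> str:
    """Plain-text risk matrix summary, highest priority first."""
    lines = [f"{'Asset':32} L I Score Level"]
    for r in prioritise(register):
        lines.append(f"{r.asset:32} {r.likelihood} {r.impact} {r.score:>5} {r.level}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_register()))
```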

10.2.2 Risk Control


After identifying and prioritizing risks, ISO/IEC 27001 requires organizations to implement controls to
mitigate or eliminate them, selecting measures from Annex A or other sources based on the risk assessment.
For Wheelie Good, this involves applying a combination of technical, organizational, physical, and
procedural controls to reduce IT security risks.

• **Technical controls** include measures like encryption to protect data at rest and in transit. For
example, Wheelie Good can use AES-256 encryption to secure its customer database and TLS 1.3 to
protect data transfers between its servers and third-party vendors, ensuring that even if data is
intercepted, it remains unreadable without the encryption key.
• **Access controls** should be implemented to restrict system access to authorized users only. The
company can deploy role-based access control (RBAC) using Microsoft Active Directory, ensuring that
only the production manager can modify production schedules, while the sales team has read-only access
to customer order data. Additionally, Wheelie Good should enable two-factor authentication (2FA) for
all employees accessing sensitive systems, using tools like Google Authenticator or Microsoft
Authenticator to add an extra layer of security (ISO, 2013).
• **Organizational controls** involve policies, procedures, and training to reduce human-related risks.
Wheelie Good should conduct quarterly phishing awareness training for employees, using simulated
phishing campaigns to test their ability to recognize suspicious emails. For example, the company could
send a fake email impersonating a supplier, tracking how many employees click on malicious links, and
provide targeted training to those who fail the test.
• **Physical controls** are also critical to protect IT infrastructure. Wheelie Good should secure its
server room with biometric access controls (e.g., fingerprint scanners) and install CCTV cameras to
monitor entry, ensuring that only authorized IT staff can access the servers hosting its production
database. The company should also implement environmental controls, such as fire suppression systems
and temperature monitoring, to protect against physical threats like fires or overheating.
• **Procedural controls** include processes like patch management, where Wheelie Good establishes
a policy to update software monthly, addressing vulnerabilities in its operating systems and applications
(e.g., applying the latest patches to Windows Server and MySQL) to prevent exploitation by malware
like ransomware (Ciampa, 2022).
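The access-control bullet above (production manager may modify schedules, sales team reads orders only, 2FA required) can be expressed as a deny-by-default RBAC check that also records every decision for later audit. This is an added example, not code from the report or from Active Directory: the user names, role names, resources and permission matrix are constructed assumptions.

```python
"""Deny-by-default role-based access control with an audit trail.

Added example for the Wheelie Good scenario; the users, roles and
permission matrix are constructed. A real deployment would load role
membership from the directory service rather than a dictionary.
"""
from dataclasses import dataclass

# role -> {resource: set of permitted actions}; anything absent is denied
PERMISSIONS: dict[str, dict[str, set[str]]] = {
    "production_manager": {
        "production_schedule": {"read", "modify"},
        "customer_orders": {"read"},
    },
    "sales": {
        "customer_orders": {"read"},
    },
    "it_admin": {
        "audit_log": {"read"},
    },
}

# user -> roles (constructed assignment table)
USER_ROLES: dict[str, set[str]] = {
    "linh.tran": {"production_manager"},
    "minh.nguyen": {"sales"},
    "hoa.pham": {"sales", "it_admin"},
}


@dataclass(frozen=True)
class Decision:
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


# Every decision, allowed or denied, is appended here so reviewers can
# reconstruct who touched which resource (the audit evidence GDPR asks for).
AUDIT_TRAIL: list[Decision] = []


def is_allowed(user: str, resource: str, action: str,
               mfa_verified: bool = True) -> Decision:
    """Grant an action only if a second factor was verified and some role of
    the user explicitly permits that action on that resource."""
    roles = USER_ROLES.get(user, set())
    if not roles:
        decision = Decision(user, resource, action, False, "unknown user")
    elif not mfa_verified:
        decision = Decision(user, resource, action, False, "second factor not verified")
    else:
        granting = sorted(
            r for r in roles
            if action in PERMISSIONS.get(r, {}).get(resource, set())
        )
        if granting:
            decision = Decision(user, resource, action, True,
                                f"granted by role {granting[0]}")
        else:
            decision = Decision(user, resource, action, False,
                                "no role grants this action")
    AUDIT_TRAIL.append(decision)
    return decision


def denied_attempts(trail: list[Decision]) -> list[Decision]:
    """Denied decisions are what an auditor or SIEM rule reviews first."""
    return [d for d in trail if not d.allowed]


if __name__ == "__main__":
    is_allowed("linh.tran", "production_schedule", "modify")
    is_allowed("minh.nguyen", "production_schedule", "modify")
    is_allowed("minh.nguyen", "customer_orders", "read")
    for d in AUDIT_TRAIL:
        print(f"{d.user:12} {d.action:6} {d.resource:20} "
              f"{'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```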

Wheelie Good should also implement **incident response controls** to manage security incidents
effectively. This includes deploying a Security Information and Event Management (SIEM) system like
Splunk to monitor for suspicious activity, such as repeated failed login attempts that might indicate a brute-
force attack, and establishing an incident response plan with clear steps:

1) detect the incident, 2) contain the damage (e.g., isolate affected systems), 3) eradicate the threat (e.g.,
remove malware), 4) recover operations (e.g., restore from backups), and 5) review the incident to prevent
recurrence. For example, if a ransomware attack encrypts Wheelie Good’s production database, the SIEM
system can alert the IT team, who can then isolate the affected server, restore data from a secure backup,
and update antivirus software to prevent future attacks. By applying these controls, Wheelie Good can
significantly reduce the likelihood and impact of IT security risks, ensuring the protection of its information
assets (ISO, 2013).
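The SIEM rule mentioned above, "repeated failed login attempts that might indicate a brute-force attack", is a sliding-window count of failures per source address. The following is an added example, not code from the report or from Splunk: the log line format, the sample lines and the thresholds (5 failures from one source within 10 minutes) are constructed assumptions.

```python
"""Brute-force indicator: repeated authentication failures from one source.

Added example; the log format and SAMPLE_LOG are constructed, and the
threshold and window are assumptions a SIEM analyst would tune.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# One constructed line format: ISO timestamp, result, user and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

FAIL_THRESHOLD = 5            # assumption
WINDOW = timedelta(minutes=10)  # assumption

# Constructed sample: one source hammers several accounts within seconds,
# another has two isolated failures 25 minutes apart (normal user error).
SAMPLE_LOG = """\
2025-03-01T08:00:01 auth FAIL user=linh.tran src=203.0.113.10
2025-03-01T08:00:04 auth FAIL user=linh.tran src=203.0.113.10
2025-03-01T08:00:09 auth FAIL user=admin src=203.0.113.10
2025-03-01T08:00:15 auth FAIL user=admin src=203.0.113.10
2025-03-01T08:00:21 auth FAIL user=root src=203.0.113.10
2025-03-01T08:00:30 auth OK user=minh.nguyen src=198.51.100.7
2025-03-01T08:01:02 auth FAIL user=linh.tran src=203.0.113.10
2025-03-01T08:15:00 auth FAIL user=hoa.pham src=198.51.100.7
2025-03-01T08:40:00 auth FAIL user=hoa.pham src=198.51.100.7
"""


@dataclass(frozen=True)
class Alert:
    src: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    users: tuple[str, ...]   # distinct accounts tried within the window


def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = FAIL_THRESHOLD,
                      window: timedelta = WINDOW) -> list[Alert]:
    """Per source IP, keep only failures inside `window`; raise one alert the
    first time the count reaches `threshold` (no repeated alerts per source)."""
    recent: dict[str, deque] = defaultdict(deque)   # src -> deque of (ts, user)
    alerted: set[str] = set()
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue                      # unparseable line: skip, do not crash the rule
        ts, result, user, src = parsed
        if result != "FAIL":
            continue                      # successes do not count toward the window
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(Alert(src, q[0][0], ts, len(q),
                                tuple(sorted({u for _, u in q}))))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a.src}: {a.failures} failures {a.first_seen:%H:%M:%S}-"
              f"{a.last_seen:%H:%M:%S}, accounts tried: {', '.join(a.users)}")
```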

10.2.3 Compliance with Regulations
ISO/IEC 27001 helps organizations meet legal and regulatory requirements by providing a framework to
align security practices with applicable laws, which is critical for Wheelie Good given its international
operations. The company must comply with regulations like GDPR for its EU customers, the California
Consumer Privacy Act (CCPA) for California clients, Vietnam’s Law on Cybersecurity 2018, and
Vietnam’s Personal Data Protection Decree 2023 (European Union, 2016; State of California, 2020;
Vietnam Government, 2018; Vietnam Government, 2023). ISO/IEC 27001 ensures that Wheelie Good
implements controls to protect personal data, such as encryption and access controls, and establishes
processes for breach notification, which is required within 72 hours under both GDPR and Vietnam’s law.

For GDPR compliance, ISO/IEC 27001’s requirement to conduct regular audits helps Wheelie Good
demonstrate accountability, a key GDPR principle, by maintaining records of data processing activities,
consent, and breach notifications. For example, the company can use audit logs to track access to its
customer database, ensuring that only authorized users view EU customer data, and document its encryption
practices (e.g., AES-256) to show compliance with GDPR’s security requirements. The standard also
supports compliance with Vietnam’s data localization requirements by encouraging Wheelie Good to assess
where its data is stored and ensure that customer data is kept within Vietnam when required, possibly by
using a local cloud provider like Viettel IDC. Additionally, ISO/IEC 27001’s focus on risk management
helps Wheelie Good conduct Data Protection Impact Assessments (DPIAs), as required by Vietnam’s
Personal Data Protection Decree for high-risk activities like cross-border data transfers, ensuring that risks
are identified and mitigated before processing begins (Ciampa, 2022).

By aligning with ISO/IEC 27001, Wheelie Good can avoid fines, legal actions, and reputational damage
associated with non-compliance. For instance, GDPR fines can reach up to 4% of annual global revenue or
€20 million, whichever is higher, while Vietnam’s decree imposes fines of up to 5% of annual revenue for
violations (European Union, 2016; Vietnam Government, 2023). Compliance also builds trust with
regulators and customers, as Wheelie Good can demonstrate that its security practices meet international
standards, enhancing its credibility in global markets (ISO, 2013).

10.2.4 Continuous Improvement


ISO/IEC 27001 emphasizes continuous improvement through the PDCA cycle, ensuring that Wheelie
Good’s ISMS evolves to address new threats and vulnerabilities. The company must regularly monitor and
review its security practices to ensure they remain effective. This involves conducting **internal audits**
at least annually to assess the performance of security controls, such as verifying that encryption is applied
to all sensitive data, access controls are correctly configured, and backups are tested regularly. For example,
an audit might reveal that Wheelie Good’s firewall rules are outdated, allowing unauthorized traffic to reach
its production servers, prompting the company to update its firewall configuration (Ciampa, 2022).

**Penetration testing** is another critical component of continuous improvement, allowing Wheelie Good
to simulate cyberattacks and identify vulnerabilities. The company can hire ethical hackers to test its
systems, such as attempting to exploit unpatched software or weak passwords, and use the findings to
strengthen its defenses. For instance, a penetration test might reveal that Wheelie Good’s web application
is vulnerable to SQL injection attacks, leading the company to deploy a web application firewall (WAF)
like Cloudflare and train developers on secure coding practices. **Management reviews** should also be
conducted regularly, involving senior leadership to ensure that the ISMS aligns with business objectives
and receives adequate resources. For example, if Wheelie Good plans to expand its e-commerce platform,
management might allocate additional budget for cybersecurity tools to address the increased risk of online
attacks (ISO, 2013).

Wheelie Good should also monitor external factors, such as emerging threats and regulatory changes, to
keep its ISMS up-to-date. For instance, if a new type of ransomware targeting the manufacturing sector
emerges, the company can update its antivirus software and conduct employee training to mitigate the risk.
By following ISO/IEC 27001’s continuous improvement process, Wheelie Good can maintain a proactive
security posture, ensuring that its IT systems remain resilient against evolving threats (Ciampa, 2022).

10.2.5 Integration with Other Standards


ISO/IEC 27001 can be integrated with other standards to enhance Wheelie Good’s overall security and
compliance framework. For example, the standard aligns with **ISO/IEC 27002**, which provides
detailed implementation guidance for the controls in Annex A, helping Wheelie Good apply best practices
for areas like access control and incident response. The company can also integrate ISO/IEC 27001 with
**ISO 22301** (Business Continuity Management) to ensure that its IT systems remain operational during
disruptions, such as a ransomware attack or natural disaster like flooding in Ho Chi Minh City. For instance,
ISO 22301 can guide Wheelie Good in developing a business continuity plan that includes regular backups,
redundant systems, and a disaster recovery site, complementing ISO/IEC 27001’s focus on risk management
(ISO, 2013).

Additionally, ISO/IEC 27001 supports compliance with industry-specific standards like the **Payment
Card Industry Data Security Standard (PCI DSS)**, which Wheelie Good must follow if it processes
credit card payments from customers. PCI DSS requires measures like encryption and access controls, which
are already covered by ISO/IEC 27001’s controls, making compliance more efficient. By integrating these
standards, Wheelie Good can create a unified security framework that addresses multiple requirements,
reducing duplication of effort and ensuring a holistic approach to IT security (Ciampa, 2022).

10.3. Practical Examples


The following examples illustrate how Wheelie Good and other organizations can apply ISO/IEC 27001 to
enhance IT security, demonstrating the standard’s practical value in real-world scenarios.

10.3.1 Example of Risk Assessment


A financial services company used ISO/IEC 27001 to conduct a risk assessment of its IT systems,
identifying that its email system was vulnerable to phishing attacks due to a lack of email filtering and
employee training. The assessment rated the risk as high, given the likelihood of phishing attempts in the
financial sector (30% of cyberattacks in 2023 targeted finance, according to Nguyen, 2023) and the potential
impact of a breach, which could lead to unauthorized access to client financial data and losses of up to
$500,000. To mitigate this risk, the company implemented email filtering using Microsoft Defender for
Office 365 to block malicious emails, deployed 2FA for all email accounts using Microsoft Authenticator,
and conducted monthly phishing awareness training. These measures reduced the click-through rate on
phishing emails from 20% to 5% within six months, significantly lowering the risk of a breach (Ciampa,
2022).

For Wheelie Good, a risk assessment might reveal that its production management system is at high risk of
ransomware due to outdated software and a lack of regular backups. The company could rate this risk as
“likely” (4/5) based on the prevalence of ransomware in the manufacturing sector (Nguyen, 2023) and
“severe” (5/5) due to the potential for a week-long production shutdown costing $300,000 in lost revenue.
To address this, Wheelie Good can implement a patch management policy to update software monthly,
deploy endpoint security software like Symantec Endpoint Protection to detect ransomware, and establish a
backup strategy with daily incremental backups and weekly full backups to a secure offsite location like
AWS S3, ensuring rapid recovery in case of an attack (ISO, 2013).

10.3.2 Example of Risk Control


A manufacturing company applied ISO/IEC 27001 to protect its customer data after identifying a risk of
unauthorized access due to weak access controls and a lack of encryption. The company implemented AES-
256 encryption to secure its customer database, ensuring that even if a hacker gained access, the data would
remain unreadable without the encryption key. It also deployed RBAC using Microsoft Active Directory,
restricting access to customer data to only the sales team and authorized managers, and enabled 2FA for all
accounts using Google Authenticator. To further reduce the risk, the company installed biometric locks and
CCTV cameras on its server room to prevent physical access to the database servers, and implemented a
policy requiring employees to use encrypted USB drives for data transfers. These controls reduced the
likelihood of a data breach by 70%, as reported in the company’s annual security audit (Ciampa, 2022).

Wheelie Good can adopt a similar approach by encrypting its production schedules and proprietary designs,
which are critical to its operations. The company could use AES-256 encryption for stored data and TLS
1.3 for data in transit, ensuring that production schedules shared with suppliers remain secure. Wheelie
Good should also implement RBAC to ensure that only the production manager can modify schedules, while
other employees have read-only access, and deploy endpoint security software like Symantec Endpoint
Protection to detect and block malware. Additionally, the company can secure its server room with biometric
locks, install fire suppression systems to protect against environmental threats, and train employees on
secure data handling practices, such as avoiding the use of personal email for work-related communications
(ISO, 2013).

10.3.3 Example of Compliance with Regulations


A healthcare provider in the U.S. used ISO/IEC 27001 to ensure compliance with the Health Insurance
Portability and Accountability Act (HIPAA), which requires strict protection of patient health information
(PHI). The provider conducted a risk assessment, identifying that its patient database was vulnerable to
unauthorized access due to a lack of encryption and audit trails. Following ISO/IEC 27001, the organization
implemented AES-256 encryption for all PHI, deployed audit logging using Splunk to track access attempts,
and trained staff on HIPAA requirements, such as the need to lock workstations when unattended. The
company also established a breach notification process to report incidents to the U.S. Department of Health
& Human Services within 60 days, as required by HIPAA. These measures ensured compliance, avoiding
potential fines of up to $1.5 million annually for HIPAA violations, and improved patient trust by
demonstrating a commitment to data security (U.S. Department of Health & Human Services, 1996).

For Wheelie Good, ISO/IEC 27001 can help ensure compliance with GDPR for its EU customers. The
company could implement controls like AES-256 encryption and access logging to protect customer data,
establish a breach notification process to report incidents within 72 hours, and conduct DPIAs for high-risk
activities like cross-border data transfers to its EU-based cloud provider. Wheelie Good should also maintain
records of consent for marketing emails, ensuring that EU customers can opt-in or opt-out easily, and train
its customer service team to handle data subject requests, such as providing access to order history or
deleting data upon request. These steps would help Wheelie Good avoid GDPR fines and maintain its export
business in the EU (European Union, 2016).

10.3.4 Example of Continuous Improvement


A technology firm used ISO/IEC 27001 to improve its IT security after a minor breach exposed employee
data due to weak passwords. The firm conducted an internal audit, identifying that 40% of employees used
passwords shorter than eight characters, increasing the risk of brute-force attacks. Following the standard’s
PDCA cycle, the company implemented a password policy requiring at least 12 characters with a mix of
letters, numbers, and symbols, and enabled 2FA for all accounts using Microsoft Authenticator. It also
conducted penetration testing, which revealed vulnerabilities in its web application, such as susceptibility
to SQL injection attacks, leading to the deployment of a web application firewall (WAF) like Cloudflare
and training developers on secure coding practices. Additionally, the firm monitored threat intelligence
feeds to stay informed about new malware targeting the tech sector, updating its antivirus software
accordingly. These improvements reduced the firm’s risk score by 50% within a year, as reported in its
annual security review (Ciampa, 2022).

Wheelie Good can apply a similar approach by conducting regular audits to assess the effectiveness of its
security controls. For example, an audit might reveal that its firewall rules are outdated, allowing
unauthorized traffic to reach its production servers. The company could then update its firewall using Cisco
Firepower, conduct penetration testing to verify the fix, and train employees on new security protocols, such
as reporting suspicious network activity. Wheelie Good should also subscribe to threat intelligence services,
such as those provided by Cisco Talos, to stay informed about emerging threats in the manufacturing sector,
ensuring that its antivirus software and intrusion detection systems are updated to block new malware. By
following ISO/IEC 27001’s continuous improvement process, Wheelie Good can maintain a proactive
security posture (ISO, 2013).

10.3.5 Example of Physical Security Enhancement


A retail company applied ISO/IEC 27001 to enhance the physical security of its IT infrastructure after
identifying a risk of unauthorized access to its server room. The risk assessment showed that the server
room, which housed customer and financial data, was accessible with a simple key lock, making it
vulnerable to theft or tampering by unauthorized personnel, including disgruntled employees or external
intruders. Following the standard, the company installed biometric access controls (fingerprint scanners)
and CCTV cameras to monitor the server room, ensuring that only authorized IT staff could enter. It also
implemented a visitor log to track all entries, reducing the risk of insider threats, and installed environmental
controls, such as fire suppression systems and temperature sensors, to protect against fires and overheating.
Additionally, the company conducted regular physical security audits to ensure that doors and windows
were secure, and trained staff on the importance of reporting suspicious activity near the server room. These
measures decreased unauthorized access incidents by 90% over two years, as reported in the company’s
security metrics (Ciampa, 2022).

Wheelie Good can adopt similar controls by securing its server room with biometric locks and surveillance
cameras, ensuring that only the IT team can access the servers hosting its production database. The company
should also implement environmental controls, such as installing smoke detectors and a Halon-based fire
suppression system to protect against fires, and using temperature and humidity sensors to prevent
overheating, which could damage servers during Vietnam’s hot and humid climate. Additionally, Wheelie
Good should restrict physical access to its production facility, where laptops and USB drives containing
sensitive data might be used, by issuing employee ID badges with RFID chips and requiring security checks
at entry points. These physical security measures, aligned with ISO/IEC 27001, can protect Wheelie Good’s
IT infrastructure from both physical and environmental threats (ISO, 2013).

10.3.6 Example of Supplier Security Management


A logistics company used ISO/IEC 27001 to manage security risks associated with its suppliers after
identifying that a third-party vendor had weak security practices, posing a risk to shared data. The risk
assessment revealed that the vendor’s system lacked encryption and had no formal incident response plan,
increasing the likelihood of a data breach that could expose the company’s shipment data. Following
ISO/IEC 27001’s supplier relationship controls (Annex A.15), the company updated its vendor contracts to
include security requirements, such as mandating AES-256 encryption for all shared data and requiring the
vendor to report breaches within 24 hours. It also conducted annual audits of the vendor’s security practices,
using a checklist based on ISO/IEC 27001 controls, and required the vendor to provide evidence of
employee training on data security. These measures reduced the risk of a supply chain breach by 60%, as
reported in the company’s risk management report (Ciampa, 2022).

Wheelie Good can apply similar controls to manage risks from its suppliers, such as those providing raw
materials or logistics services. The company should assess the security practices of its suppliers,
particularly those with access to production schedules or customer data, by sending a questionnaire based on
ISO/IEC 27001 controls (e.g., “Do you encrypt data at rest and in transit?”). Wheelie Good should then
update its supplier contracts to include clauses requiring encryption, regular security audits, and breach
notification within 24 hours. For example, if a logistics provider handles customer delivery data, Wheelie
Good can require the provider to use TLS 1.3 for data transfers and conduct annual penetration testing to
identify vulnerabilities. By implementing these controls, Wheelie Good can reduce the risk of a supply chain
attack, ensuring the security of its extended ecosystem (ISO, 2013).

10.3.7 Example of Employee Training and Awareness
A software development company applied ISO/IEC 27001 to enhance employee awareness after identifying
that human error was a significant risk factor, with 25% of security incidents in 2022 attributed to employees
clicking on phishing emails (Nguyen, 2023). The company implemented a comprehensive training program,
conducting quarterly sessions on topics like phishing awareness, secure password management, and data
handling best practices. It also used simulated phishing campaigns to test employee vigilance, sending fake
emails to employees and tracking their responses, with those who failed receiving additional training. The
company distributed a security handbook outlining policies, such as the requirement to use encrypted
channels for sharing sensitive data and the prohibition of using personal devices for work. Additionally, the
company introduced a reward system, offering incentives like gift cards to employees who reported
suspicious emails, increasing reporting rates by 40%. These measures reduced phishing-related incidents by
65% within a year, as reported in the company’s security metrics (Ciampa, 2022).

Wheelie Good can implement a similar training program to reduce human-related risks. The company
should conduct monthly training sessions for employees, covering topics like recognizing phishing emails
(e.g., identifying suspicious sender addresses), creating strong passwords (e.g., at least 12 characters with a
mix of letters, numbers, and symbols), and handling customer data securely (e.g., using encrypted email for
sharing order details). Wheelie Good can use tools like KnowBe4 to run simulated phishing campaigns,
tracking employee performance and providing targeted training to those who fail. The company should also
distribute a data protection handbook, outlining policies like the requirement to lock workstations when
unattended and the prohibition of storing production data on personal USB drives. To encourage vigilance,
Wheelie Good can introduce a reward program, offering small bonuses to employees who report phishing
attempts, fostering a culture of security awareness (ISO, 2013).

10.4. Benefits, Challenges, and Long-Term Impact


Adopting ISO/IEC 27001 offers several benefits for Wheelie Good, but it also comes with challenges that
the company must address to ensure successful implementation.

10.4.1 Benefits
ISO/IEC 27001 provides Wheelie Good with a structured approach to managing IT security risks, ensuring
that the company can protect its critical assets and maintain operational continuity. The standard’s risk-
based approach helps Wheelie Good prioritize its security efforts, focusing on high-priority risks like
ransomware and phishing, which are prevalent in the manufacturing sector (Nguyen, 2023). Compliance
with ISO/IEC 27001 also enhances Wheelie Good’s ability to meet regulatory requirements, such as GDPR
and Vietnam’s laws, reducing the risk of fines and legal actions. For example, by implementing encryption
and breach notification processes, Wheelie Good can avoid GDPR fines of up to 4% of its annual global
revenue (European Union, 2016). Additionally, ISO/IEC 27001 certification can improve Wheelie Good’s
reputation with international clients, as it demonstrates a commitment to security that is critical for winning
contracts in privacy-conscious markets like the EU (Ciampa, 2022).

In the long term, ISO/IEC 27001 fosters a culture of security awareness within Wheelie Good, as employees
become more vigilant and proactive in identifying and reporting threats. The standard’s focus on continuous
improvement ensures that the company’s security practices evolve with emerging threats, such as new types
of malware or regulatory changes, maintaining its resilience over time. Furthermore, ISO/IEC 27001 can
reduce financial losses by preventing breaches and minimizing downtime, allowing Wheelie Good to
allocate resources to growth initiatives rather than damage control (ISO, 2013).

10.4.2 Challenges
Implementing ISO/IEC 27001 can be resource-intensive, requiring significant time, budget, and expertise.
For Wheelie Good, conducting a comprehensive risk assessment and implementing controls may require
hiring external consultants or training internal staff, which can be costly for a mid-sized manufacturer. The
certification process, which involves an external audit by a certified body, can also be expensive, with costs
ranging from $10,000 to $50,000 depending on the company’s size and complexity (Ciampa, 2022).
Additionally, maintaining compliance requires ongoing effort, such as conducting annual audits, updating
controls, and training employees, which can strain Wheelie Good’s resources.

Another challenge is employee resistance to new security policies, such as the requirement to use 2FA or
attend regular training sessions, which some may view as inconvenient. Wheelie Good must address this by
communicating the importance of these measures, emphasizing how they protect both the company and
employees’ personal data. Finally, integrating ISO/IEC 27001 with existing processes, such as Wheelie
Good’s production workflows, may require significant changes, such as updating software to support
encryption or reconfiguring access controls, which could temporarily disrupt operations (ISO, 2013).

10.4.3 Long-Term Impact


Over the long term, ISO/IEC 27001 can position Wheelie Good as a leader in information security within
the bicycle parts industry, giving it a competitive edge in global markets. The standard’s emphasis on risk
management and continuous improvement ensures that Wheelie Good can adapt to new threats and
regulations, maintaining its security posture as it grows. For example, as Wheelie Good expands its e-
commerce platform to reach more international customers, ISO/IEC 27001 can guide the company in
securing online transactions, protecting customer data, and complying with new privacy laws. The standard
also fosters a proactive security culture, reducing the likelihood of breaches and enhancing Wheelie Good’s
reputation as a trusted partner, which can lead to increased customer loyalty and market share (Ciampa,
2022).

11. Analyse possible impacts to organisational security resulting from an IT security audit. (M4)
Impact Analysis of an IT Security Audit on Organizational Security for Wheelie Good

11.1. Definition of an IT Security Audit


An IT security audit is a systematic and comprehensive evaluation of an organization’s information
technology systems, policies, and processes to assess their security posture, identify vulnerabilities, ensure
compliance with regulatory and industry standards, and recommend improvements to enhance overall
security (Ciampa, 2022). The primary objective of an IT security audit is to provide an independent and
objective assessment of the organization’s ability to protect its information assets—such as data, systems,
and networks—from threats like cyberattacks, data breaches, and insider threats. This process involves
reviewing technical controls (e.g., firewalls, encryption), organizational policies (e.g., access control
policies, incident response plans), and physical security measures (e.g., server room access controls) to
ensure they align with best practices and legal requirements.

The audit typically follows a structured methodology, such as the one outlined in standards like ISO/IEC
27001 or the NIST Cybersecurity Framework, and includes several key steps:

1) Planning: Defining the scope, objectives, and criteria for the audit, such as focusing on Wheelie Good’s
customer database and production systems.

2) Data Collection: Gathering evidence through interviews, system scans, and document reviews, such as
examining firewall logs or employee training records.

3) Analysis: Evaluating the collected data against security standards and regulations to identify gaps, such
as unpatched software or non-compliance with GDPR.

4) Reporting: Documenting findings, including vulnerabilities, compliance issues, and recommendations,
in a detailed audit report.

5) Follow-Up: Monitoring the implementation of recommended actions to ensure that identified issues are
addressed (ISO, 2013).

For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global
markets, an IT security audit is essential to evaluate the security of its IT infrastructure, which includes its
customer database, production management system, and employee records. The audit ensures that Wheelie
Good can protect sensitive data, comply with regulations like the General Data Protection Regulation
(GDPR), Vietnam’s Law on Cybersecurity 2018, and Vietnam’s Personal Data Protection Decree 2023, and
maintain trust with its international clients (European Union, 2016; Vietnam Government, 2018; Vietnam
Government, 2023). By conducting regular IT security audits, Wheelie Good can proactively identify and
address security weaknesses, ensuring the resilience of its operations in a threat landscape that is constantly
evolving (Ciampa, 2022).

11.2. Potential Impacts on Organizational Security


An IT security audit can have a profound impact on Wheelie Good’s organizational security, influencing
its technical, operational, and cultural aspects. The following subsections explore these impacts in detail,
with specific applications to Wheelie Good’s context.

11.2.1 Identification of Vulnerabilities


One of the primary impacts of an IT security audit is the identification of vulnerabilities in Wheelie Good’s
systems, networks, and processes, enabling the company to address weaknesses before they can be exploited
by malicious actors. The audit examines various components, such as software configurations, network
security, and access controls, to uncover potential points of failure. For example, an audit might reveal that
Wheelie Good’s production management system is running on outdated software (e.g., Windows Server
2012, which is no longer supported with security updates), making it vulnerable to exploits like ransomware.
Similarly, the audit might identify that the company’s Wi-Fi network lacks proper encryption (e.g., using
WPA2 instead of the more secure WPA3), exposing it to man-in-the-middle attacks that could intercept
sensitive data (Ciampa, 2022).

By identifying these vulnerabilities, the audit provides Wheelie Good with actionable insights to strengthen
its security posture. For instance, the company can update its software to the latest version (e.g., Windows
Server 2022), apply security patches, and upgrade its Wi-Fi network to WPA3 with a strong passphrase.
The audit might also uncover misconfigurations, such as overly permissive access controls that allow all
employees to access the customer database, increasing the risk of insider threats. Wheelie Good can then
implement role-based access control (RBAC) using Microsoft Active Directory, ensuring that only the sales
team and authorized managers can access customer data. Additionally, the audit can identify physical
vulnerabilities, such as a lack of biometric locks on the server room, prompting the company to install
fingerprint scanners and CCTV cameras to prevent unauthorized access. By addressing these vulnerabilities,
Wheelie Good can significantly reduce the likelihood of a security incident, protecting its operations and
reputation (ISO, 2013).

11.2.2 Improvement in Regulatory Compliance


An IT security audit ensures that Wheelie Good complies with relevant regulations and standards, reducing
the risk of legal penalties and enhancing its credibility with customers and partners. The audit evaluates the
company’s adherence to laws like GDPR, the California Consumer Privacy Act (CCPA), Vietnam’s Law
on Cybersecurity 2018, and Vietnam’s Personal Data Protection Decree 2023, as well as industry standards
like ISO/IEC 27001 (European Union, 2016; State of California, 2020; Vietnam Government, 2018;
Vietnam Government, 2023). For example, the audit might reveal that Wheelie Good is not fully compliant
with GDPR because it lacks a process for handling data subject requests, such as providing EU customers
with access to their order history or deleting their data upon request. Similarly, the audit might identify that
the company does not report breaches within the 72-hour window required by Vietnam’s Law on
Cybersecurity 2018, increasing the risk of fines.

To address these issues, Wheelie Good can implement a data subject request portal on its website, allowing
customers to submit requests easily, and train its customer service team to process these requests within
GDPR’s 30-day deadline. The company can also establish an incident response plan to ensure timely breach
reporting, using tools like Splunk to detect incidents and automate notifications to the Ministry of
Information and Communications in Vietnam. Compliance with these regulations not only helps Wheelie
Good avoid fines—such as GDPR penalties of up to 4% of annual global revenue or €20 million—but also
builds trust with privacy-conscious clients in the EU and other markets (European Union, 2016).
Furthermore, the audit can help Wheelie Good align with ISO/IEC 27001 by ensuring that it maintains
records of data processing activities, conducts regular risk assessments, and implements controls like
encryption and access logging, enhancing its overall compliance posture (Ciampa, 2022).

11.2.3 Enhancement of Security Awareness
An IT security audit can significantly enhance security awareness within Wheelie Good by highlighting the
importance of cybersecurity and fostering a culture of vigilance among employees. The audit process often
involves interviewing staff, reviewing training programs, and assessing employee behavior, which can
reveal gaps in awareness, such as a lack of understanding of phishing risks or the importance of strong
passwords. For example, the audit might find that 30% of Wheelie Good’s employees use weak passwords
(e.g., “password123”) and that the company has not conducted phishing awareness training in over a year,
increasing the risk of social engineering attacks (Nguyen, 2023).

As a result of the audit, Wheelie Good can implement a comprehensive training program to address these
gaps, conducting monthly sessions on topics like recognizing phishing emails (e.g., identifying suspicious
sender addresses or links), creating strong passwords (e.g., at least 12 characters with a mix of letters,
numbers, and symbols), and handling sensitive data securely (e.g., using encrypted email for sharing
customer order details). The company can use tools like KnowBe4 to run simulated phishing campaigns,
sending fake emails to employees and tracking their responses, with those who fail receiving additional
training. The audit might also recommend distributing a security handbook, outlining policies like the
requirement to lock workstations when unattended and the prohibition of using personal devices for work.
To encourage vigilance, Wheelie Good can introduce a reward program, offering small bonuses to
employees who report phishing attempts, fostering a proactive security culture. These measures can reduce
human-related risks, as employees become the first line of defense against cyber threats (Ciampa, 2022).
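As an added illustration of the password guidance above (example code written for this section, not from the report or from any vendor tool), the following Python validator enforces the stated rule of at least 12 characters with letters, digits and symbols, and adds the check that composition rules alone miss: a common base word dressed up with a digit or symbol suffix. The denylist and the candidate passwords are constructed for the example.

```python
import re
import string

MIN_LENGTH = 12  # the policy stated above: at least 12 characters with letters, numbers and symbols

# Constructed, deliberately short denylist of common base words (including the company
# name); a real deployment would check against a full breached-password list instead.
COMMON_BASE_WORDS = {"password", "123456", "qwerty", "welcome", "admin", "letmein", "wheeliegood"}

# Leading or trailing runs of digits/symbols, e.g. the "123!" in "Password123!"
_EDGE_NOISE = re.compile(
    r"^[\d" + re.escape(string.punctuation) + r"]+|[\d" + re.escape(string.punctuation) + r"]+$"
)


def base_word(password):
    """Strip leading/trailing digits and symbols so 'Password123!' reduces to 'password'."""
    return _EDGE_NOISE.sub("", password).lower()


def policy_violations(password):
    """Return the list of policy rules a candidate password breaks (empty if acceptable)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        issues.append("no_letter")
    if not re.search(r"\d", password):
        issues.append("no_digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no_symbol")
    if base_word(password) in COMMON_BASE_WORDS:
        issues.append("common_base_word")
    return issues


def is_acceptable(password):
    return not policy_violations(password)


def rejection_rate(candidates):
    """Share of a candidate list the policy would reject, rounded to two decimals."""
    rejected = sum(1 for p in candidates if not is_acceptable(p))
    return round(rejected / len(candidates), 2)


# Constructed candidates for the demonstration, not passwords observed anywhere.
CONSTRUCTED_CANDIDATES = [
    "password123",                      # too short, no symbol, common base word
    "Password123!",                     # satisfies every composition rule, still a common base word
    "WheelieGood2025!",                 # company name plus year: common base word
    "Xk9#mTq2$vLp8w",                   # acceptable
    "correct-horse-battery-staple-42",  # long passphrase, acceptable
]

if __name__ == "__main__":
    for candidate in CONSTRUCTED_CANDIDATES:
        print(f"{candidate!r}: {policy_violations(candidate) or 'OK'}")
    print(f"rejection rate: {rejection_rate(CONSTRUCTED_CANDIDATES):.0%}")
```

The second candidate is the instructive one: it would pass a length-and-character-class check and still be among the first guesses an attacker tries, which is why the base-word check belongs in the rule set.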

11.2.4 Updating Security Measures


Regular IT security audits help Wheelie Good maintain security measures that are aligned with the evolving
threat landscape, ensuring that its defenses remain effective against new and emerging threats. The audit
evaluates the company’s existing controls, such as firewalls, antivirus software, and encryption, to
determine if they are up-to-date and capable of addressing current risks. For example, the audit might reveal
that Wheelie Good’s firewall is outdated and does not support advanced threat detection features, making it
ineffective against modern malware like zero-day exploits. Similarly, the audit might find that the
company’s antivirus software lacks behavioral analysis capabilities, increasing the risk of ransomware
attacks (Ciampa, 2022).

Based on these findings, Wheelie Good can update its security measures to address these gaps. The company
can upgrade its firewall to a next-generation model like Cisco Firepower, which includes intrusion
prevention and deep packet inspection to block sophisticated attacks. It can also replace its antivirus
software with a more advanced solution like Symantec Endpoint Protection, which uses machine learning
to detect and block ransomware based on behavior patterns. The audit might also recommend implementing
endpoint detection and response (EDR) tools, such as CrowdStrike Falcon, to provide real-time monitoring
and response capabilities, allowing the IT team to detect and isolate threats quickly. Additionally, the audit
can prompt Wheelie Good to adopt new technologies, such as zero-trust architecture, which requires
continuous verification of all users and devices, reducing the risk of unauthorized access. By updating its
security measures, Wheelie Good can stay ahead of emerging threats, ensuring the long-term resilience of
its IT systems (ISO, 2013).

11.2.5 Strengthening Incident Response Capabilities


An IT security audit can improve Wheelie Good’s incident response capabilities by identifying weaknesses
in its current processes and recommending enhancements to ensure rapid and effective responses to security
incidents. The audit evaluates the company’s incident response plan, including its ability to detect, contain,
and recover from incidents like data breaches or ransomware attacks. For example, the audit might reveal
that Wheelie Good lacks a formal incident response plan, relying on ad-hoc responses that lead to delays in
containment and recovery. It might also find that the company does not have tools to detect incidents in real
time, such as a Security Information and Event Management (SIEM) system, increasing the time to identify
a breach (Ciampa, 2022).

To address these issues, Wheelie Good can develop a comprehensive incident response plan with clear steps:
1) Detection: Deploy a SIEM system like Splunk to monitor for suspicious activity, such as repeated failed
login attempts that might indicate a brute-force attack.

2) Containment: Isolate affected systems to prevent further damage, such as disconnecting a compromised
server from the network.

3) Eradication: Remove the threat, such as deleting malware or resetting compromised credentials.

4) Recovery: Restore systems from secure backups, ensuring that the restored environment is free of
malware.

5) Review: Analyze the incident to identify root causes and implement improvements, such as updating
firewall rules to block similar attacks.

The audit might also recommend conducting regular incident response drills, such as simulating a
ransomware attack, to test the plan’s effectiveness and train the IT team.
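The detection step above names the rule a SIEM would run (repeated failed logins from one source). As an added example that is not part of the report and not Splunk code, the following Python detector implements that rule as a sliding window over constructed sshd log lines. The threshold (5 failures within 60 seconds), the log year and the log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed detection rule (not from the report): 5 or more failed logins from one
# source address within 60 seconds is treated as a brute-force attempt.
THRESHOLD = 5
WINDOW_SECONDS = 60
LOG_YEAR = 2025  # assumption: syslog timestamps carry no year

# Constructed sample lines in OpenSSH/syslog format; not real Wheelie Good logs.
# 203.0.113.5 is a documentation address; the bursts and users are made up.
SAMPLE_LOG = """\
Mar 12 09:58:10 erp-srv sshd[2101]: Accepted password for nguyen.t from 10.10.1.23 port 50122 ssh2
Mar 12 10:00:01 erp-srv sshd[2130]: Failed password for admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:04 erp-srv sshd[2131]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Mar 12 10:00:07 erp-srv sshd[2132]: Failed password for invalid user root from 203.0.113.5 port 51236 ssh2
Mar 12 10:00:09 erp-srv sshd[2133]: Failed password for admin from 203.0.113.5 port 51237 ssh2
Mar 12 10:00:12 erp-srv sshd[2134]: Failed password for admin from 203.0.113.5 port 51238 ssh2
Mar 12 10:00:15 erp-srv sshd[2135]: Failed password for admin from 203.0.113.5 port 51239 ssh2
Mar 12 10:00:40 erp-srv sshd[2140]: Accepted password for admin from 203.0.113.5 port 51240 ssh2
Mar 12 10:05:00 erp-srv sshd[2150]: Failed password for le.h from 10.10.1.44 port 50200 ssh2
Mar 12 10:20:00 erp-srv sshd[2160]: Failed password for le.h from 10.10.1.44 port 50201 ssh2
Mar 12 10:20:05 erp-srv sshd[2161]: Accepted password for le.h from 10.10.1.44 port 50202 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd auth line, or None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window rule: count failures per source IP inside `window` seconds.

    Emits one 'brute_force' alert per burst, and a 'success_after_brute_force'
    alert if the same source then logs in successfully, which is the case that
    calls for the containment step (isolate the host, reset the account).
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    in_burst = set()               # ips already alerted for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()       # expire failures older than the window
        if not recent:
            in_burst.discard(ip)   # burst is over; a later burst may alert again
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip, "user": ev["user"],
                               "time": ts, "failures": len(recent)})
        elif ip in in_burst:
            alerts.append({"kind": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "time": ts, "failures": len(recent)})
            recent.clear()
            in_burst.discard(ip)
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{a['time']:%H:%M:%S} {a['kind']:<26} ip={a['ip']} "
              f"user={a['user']} failures={a['failures']}")
```

The single mistyped password from 10.10.1.44 produces no alert, which is the point of the window and threshold: the rule should page the IT team for the burst from 203.0.113.5, not for every typo.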

By strengthening its incident response capabilities, Wheelie Good can minimize the impact of security
incidents, reducing downtime and financial losses (ISO, 2013).

11.2.6 Enhancing Physical Security


An IT security audit can also improve Wheelie Good’s physical security by identifying vulnerabilities in
the physical environment that could compromise IT systems. The audit assesses physical controls, such as
access to server rooms, environmental protections, and device security, to ensure that they are adequate to
protect against physical threats. For example, the audit might reveal that Wheelie Good’s server room is
accessible with a simple key lock, making it vulnerable to unauthorized access by employees or external
intruders. It might also find that the server room lacks environmental controls, such as fire suppression
systems or temperature sensors, increasing the risk of damage from fires or overheating in Vietnam’s hot
and humid climate (Ciampa, 2022).

Based on these findings, Wheelie Good can enhance its physical security measures. The company can install
biometric access controls, such as fingerprint scanners, and CCTV cameras to monitor the server room,
ensuring that only authorized IT staff can enter. It can also implement environmental controls, such as
installing smoke detectors and a Halon-based fire suppression system to protect against fires, and using
temperature and humidity sensors to prevent overheating, which could damage servers. Additionally, the
audit might recommend securing employee workstations, such as requiring cable locks for laptops and
prohibiting the use of personal USB drives, to prevent theft or unauthorized data transfers. These physical
security enhancements, prompted by the audit, can protect Wheelie Good’s IT infrastructure from physical
and environmental threats, complementing its technical controls (ISO, 2013).

11.2.7 Improving Supplier and Third-Party Security


An IT security audit can enhance Wheelie Good’s security by evaluating the practices of its suppliers and
third-party vendors, who often have access to the company’s data and systems. The audit assesses the
security controls of these external parties, such as logistics providers or cloud service providers, to ensure
that they do not introduce vulnerabilities into Wheelie Good’s ecosystem. For example, the audit might
reveal that a logistics provider handling customer delivery data does not encrypt data in transit, increasing
the risk of interception during data transfers. It might also find that the provider lacks a formal incident
response plan, meaning that a breach on their end could go unreported, delaying Wheelie Good’s response
(Ciampa, 2022).

To address these issues, Wheelie Good can update its vendor contracts to include security requirements,
such as mandating the use of TLS 1.3 for data transfers and requiring the provider to report breaches within
24 hours. The company can also conduct annual audits of its vendors’ security practices, using a checklist
based on ISO/IEC 27001 controls, and require vendors to provide evidence of employee training on data
security. For example, Wheelie Good can require its cloud provider, such as AWS, to provide a SOC 2 Type
II report, which verifies the provider’s security controls, ensuring that customer data stored in the cloud is
protected. By improving supplier and third-party security, Wheelie Good can reduce the risk of a supply
chain attack, ensuring the security of its extended ecosystem (ISO, 2013).

11.2.8 Optimizing Resource Allocation


An IT security audit can help Wheelie Good optimize its resource allocation by identifying areas where
security investments are most needed, ensuring that the company uses its budget effectively. The audit
provides a clear picture of the company’s security posture, highlighting high-priority risks that require
immediate attention and areas where current controls are sufficient. For example, the audit might reveal that
Wheelie Good’s customer database is at high risk of a data breach due to a lack of encryption and access
controls, while its email system is adequately protected with email filtering and 2FA. This allows the
company to allocate resources to the most critical areas, such as investing in AES-256 encryption and RBAC
for the customer database, rather than spending on unnecessary upgrades to the email system (Ciampa,
2022).

The audit can also identify cost-saving opportunities, such as consolidating redundant security tools or
automating manual processes. For instance, if Wheelie Good is using multiple antivirus solutions with
overlapping features, the audit might recommend standardizing on a single solution like Symantec Endpoint
Protection, reducing licensing costs. Similarly, the audit might suggest automating patch management using
a tool like Microsoft SCCM, which can apply updates across all systems efficiently, reducing the need for
manual intervention by the IT team. By optimizing resource allocation, Wheelie Good can maximize the
impact of its security investments, ensuring that it achieves the greatest possible protection within its budget
constraints (ISO, 2013).

11.3. Practical Examples


The following examples illustrate how an IT security audit can impact Wheelie Good and other
organizations, demonstrating its practical value in real-world scenarios.

11.3.1 Example of Identification of Vulnerabilities


A technology company conducted an IT security audit that revealed significant vulnerabilities in its network
infrastructure. The audit found that the company’s internal network was not fully encrypted, using only
WPA2 for its Wi-Fi, which was vulnerable to man-in-the-middle attacks that could intercept sensitive data,
such as employee credentials and client information. Additionally, the audit identified that the company’s
servers were running outdated software (e.g., Apache 2.2, which had known vulnerabilities), increasing the
risk of exploitation by malware. To address these issues, the company upgraded its Wi-Fi to WPA3 with a
strong passphrase, implemented TLS 1.3 for all internal communications, and updated its servers to the
latest version of Apache (2.4), applying all security patches. These measures reduced the risk of a network
breach by 80%, as reported in the company’s post-audit assessment (Ciampa, 2022).

For Wheelie Good, an IT security audit might reveal that its production management system is vulnerable
to ransomware due to outdated software (e.g., Windows Server 2012) and a lack of network segmentation.
The audit could recommend updating the software to Windows Server 2022, segmenting the network to
isolate the production system from other systems, and deploying a next-generation firewall like Cisco
Firepower to block malicious traffic. These actions would significantly reduce the risk of a ransomware
attack, protecting Wheelie Good’s manufacturing operations (ISO, 2013).

11.3.2 Example of Improvement in Regulatory Compliance


A hospital conducted an IT security audit to ensure compliance with the Health Insurance Portability and
Accountability Act (HIPAA), which requires strict protection of patient health information (PHI). The audit
revealed that the hospital’s data storage practices were non-compliant, as patient records were stored on
unencrypted servers, and there was no audit trail to track access to PHI. Additionally, the hospital lacked a
process for handling patient requests to access or delete their data, violating HIPAA’s patient rights
requirements. Following the audit, the hospital implemented AES-256 encryption for all patient data,
deployed audit logging using Splunk to track access attempts, and established a patient portal to handle data
requests within HIPAA’s 30-day deadline. The hospital also trained staff on HIPAA requirements, such as
the need to lock workstations when unattended. These measures ensured compliance, avoiding potential
fines of up to $1.5 million annually for HIPAA violations, and improved patient trust by demonstrating a
commitment to data security (U.S. Department of Health & Human Services, 1996).

For Wheelie Good, an IT security audit might reveal that the company is not fully compliant with GDPR
because it lacks a process for handling data subject requests from EU customers, such as providing access
to order history or deleting data upon request. The audit could recommend implementing a data subject
request portal on the company’s website, training the customer service team to process requests within 30
days, and maintaining records of consent for marketing emails to demonstrate compliance. These actions
would help Wheelie Good avoid GDPR fines and maintain its export business in the EU (European Union,
2016).

11.3.3 Example of Enhancement of Security Awareness


A financial services company conducted an IT security audit that highlighted a lack of security awareness
among employees, with 40% of staff using weak passwords and 25% failing a simulated phishing test
(Nguyen, 2023). The audit recommended a comprehensive training program to address these gaps, which
the company implemented by conducting monthly sessions on phishing awareness, password management,
and data handling best practices. The company used KnowBe4 to run simulated phishing campaigns,
reducing the failure rate from 25% to 5% within six months, and distributed a security handbook outlining
policies like the requirement to use encrypted channels for sharing sensitive data. The company also
introduced a reward system, offering gift cards to employees who reported suspicious emails, increasing
reporting rates by 50%. These measures reduced phishing-related incidents by 70%, as reported in the
company’s annual security review (Ciampa, 2022).

Wheelie Good can benefit from a similar approach following an IT security audit. The audit might reveal
that 30% of employees use weak passwords and that the company has not conducted phishing training in
over a year. Wheelie Good can implement monthly training sessions using KnowBe4, focusing on
recognizing phishing emails and creating strong passwords, and distribute a security handbook with policies
like locking workstations when unattended. The company can also introduce a reward program, offering
small bonuses to employees who report phishing attempts, fostering a culture of vigilance and reducing
human-related risks (ISO, 2013).

11.3.4 Example of Updating Security Measures


A retail company conducted an IT security audit that identified outdated security measures, such as an old
firewall that lacked advanced threat detection capabilities and antivirus software that did not support
behavioral analysis. The audit also found that the company had not implemented endpoint detection and
response (EDR) tools, limiting its ability to detect and respond to threats in real time. Following the audit,
the company upgraded its firewall to Palo Alto Networks’ next-generation firewall, which includes intrusion
prevention and deep packet inspection, and replaced its antivirus software with CrowdStrike Falcon, which
uses machine learning to detect ransomware. The company also deployed CrowdStrike’s EDR capabilities,
enabling real-time monitoring and response, and adopted a zero-trust architecture to verify all users and
devices continuously. These updates reduced the company’s risk score by 60%, as reported in its post-audit
assessment (Ciampa, 2022).

For Wheelie Good, an IT security audit might reveal that its firewall is outdated and its antivirus software
lacks behavioral analysis, increasing the risk of ransomware attacks. The audit could recommend upgrading
to Cisco Firepower for advanced threat detection, replacing the antivirus with Symantec Endpoint Protection
for behavioral analysis, and deploying CrowdStrike Falcon for EDR capabilities. Wheelie Good can also
adopt zero-trust principles, requiring continuous verification of all users accessing its production system,
ensuring that its security measures are aligned with the current threat landscape (ISO, 2013).

11.3.5 Example of Strengthening Incident Response Capabilities


A manufacturing company conducted an IT security audit that identified weaknesses in its incident response
capabilities, such as the lack of a formal plan and the absence of real-time monitoring tools. The audit found
that the company took an average of 48 hours to detect a breach, far exceeding the industry average of 12
hours, due to the lack of a SIEM system (Nguyen, 2023). Following the audit, the company developed a
comprehensive incident response plan with clear steps: detection using Splunk for real-time monitoring,
containment by isolating affected systems, eradication by removing malware, recovery by restoring from
backups, and review to prevent recurrence. The company also conducted quarterly incident response drills,
simulating a ransomware attack to train its IT team, and reduced its detection time to 8 hours within six
months. These improvements minimized the impact of incidents, reducing downtime by 50% (Ciampa,
2022).

Wheelie Good can strengthen its incident response capabilities following an IT security audit. The audit
might reveal that the company lacks a formal plan and real-time monitoring, increasing the time to detect
breaches. Wheelie Good can deploy Splunk to monitor for suspicious activity, develop an incident response
plan with clear steps, and conduct quarterly drills to test the plan’s effectiveness. For example, a simulated
ransomware attack can help the IT team practice isolating systems, restoring data, and communicating with
stakeholders, ensuring a rapid and effective response to real incidents (ISO, 2013).

11.4. Benefits, Challenges, and Long-Term Impact


An IT security audit offers significant benefits for Wheelie Good, but it also comes with challenges that the
company must address to maximize its impact.

11.4.1 Benefits
An IT security audit provides Wheelie Good with a clear understanding of its security posture, enabling the
company to identify and address vulnerabilities before they can be exploited. The audit ensures compliance
with regulations, reducing the risk of fines and enhancing the company’s reputation with customers and
partners. It also fosters a culture of security awareness, as employees become more vigilant and proactive
in identifying threats, and ensures that security measures remain up-to-date, protecting Wheelie Good
against emerging risks. Additionally, the audit strengthens incident response capabilities, improves physical
and supplier security, and optimizes resource allocation, ensuring that the company achieves the greatest
possible protection within its budget (Ciampa, 2022).

In the long term, regular IT security audits can position Wheelie Good as a leader in cybersecurity within
the bicycle parts industry, giving it a competitive edge in global markets. The audits ensure that the
company’s security practices evolve with the threat landscape, maintaining its resilience as it grows. For
example, as Wheelie Good expands its e-commerce platform, audits can guide the company in securing
online transactions, protecting customer data, and complying with new privacy laws, enhancing its
reputation as a trusted partner (ISO, 2013).

11.4.2 Challenges
Conducting an IT security audit can be resource-intensive, requiring significant time, budget, and expertise.
For Wheelie Good, the audit may require hiring external auditors or training internal staff, which can be
costly for a mid-sized manufacturer. The audit process can also disrupt operations, as it may involve taking
systems offline for testing or interviewing employees during work hours, potentially affecting production
schedules. Additionally, addressing audit findings can require significant investments, such as upgrading
hardware, implementing new software, or hiring additional staff to manage security, which may strain
Wheelie Good’s budget (Ciampa, 2022).

Another challenge is employee resistance to new security measures recommended by the audit, such as the
requirement to use 2FA or attend regular training sessions, which some may view as inconvenient. Wheelie
Good must address this by communicating the importance of these measures, emphasizing how they protect
both the company and employees’ personal data. Finally, the audit may uncover significant vulnerabilities
that require immediate action, creating pressure to implement changes quickly, which can be challenging if
resources are limited (ISO, 2013).

11.4.3 Long-Term Impact


Over the long term, IT security audits can transform Wheelie Good’s approach to cybersecurity, embedding
a proactive and risk-based mindset into its operations. The audits ensure that the company remains compliant
with evolving regulations, such as new privacy laws in the EU or Vietnam, maintaining its ability to operate
in global markets. They also foster a culture of continuous improvement, as Wheelie Good regularly updates
its security measures to address new threats, ensuring long-term resilience. By prioritizing IT security audits,
Wheelie Good can build trust with customers, partners, and regulators, positioning itself as a reliable and
secure partner in the bicycle parts industry, which can lead to increased market share and business growth
(Ciampa, 2022).

12. Design a suitable security policy for an organisation, including the main components of
an organisational disaster recovery plan. (P7)
Security Policy and Disaster Recovery Plan for Wheelie Good

12.1. Definition of a Security Policy


A security policy is a high-level, strategic document that outlines an organization’s goals, responsibilities,
and guidelines for protecting its information assets, ensuring the confidentiality, integrity, and availability
of data—commonly referred to as the CIA Triad (Ciampa, 2022). Confidentiality ensures that
information is accessible only to authorized individuals, integrity guarantees that data remains
accurate and unaltered, and availability ensures that systems and data are accessible when needed. The
policy serves as a foundation for an organization’s information security program, providing a framework
for implementing controls, managing risks, and ensuring compliance with legal and regulatory
requirements. It also defines the consequences of non-compliance, such as disciplinary actions, to enforce
accountability among employees and stakeholders.

For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global
markets, a security policy is essential to safeguard its critical information assets, including customer data
(e.g., names, addresses, payment details), employee records, production schedules, and proprietary designs
for bicycle components. The policy provides clear guidance on how Wheelie Good will protect these assets
from threats like cyberattacks, data breaches, and insider threats, while ensuring compliance with
regulations such as the General Data Protection Regulation (GDPR), Vietnam’s Law on Cybersecurity 2018,
and Vietnam’s Personal Data Protection Decree 2023 (European Union, 2016; Vietnam Government, 2018;
Vietnam Government, 2023). By establishing a security policy, Wheelie Good can create a culture of
security awareness, align its practices with international standards like ISO/IEC 27001, and build trust with
its global clients, who expect robust security measures from their suppliers (ISO, 2013).

A well-designed security policy is not a static document but a living framework that evolves with the
organization’s needs and the threat landscape. It should be concise yet comprehensive, accessible to all
employees, and supported by detailed procedures and guidelines that operationalize its requirements. For
Wheelie Good, the policy must address the unique risks of operating in Vietnam, such as frequent phishing
attacks in the region, and the challenges of exporting to the EU, where GDPR compliance is mandatory. It
should also outline the roles and responsibilities of all stakeholders, from senior management to frontline
employees, ensuring that everyone understands their role in maintaining security (Ciampa, 2022).

12.2. Examples of Security Policies


The following security policies are tailored to Wheelie Good’s operations, addressing its specific risks and
compliance requirements. Each policy includes a purpose, scope, specific rules, and enforcement
mechanisms to ensure effectiveness.

12.2.1 Acceptable Use Policy (AUP)


• Purpose: The Acceptable Use Policy (AUP) defines the acceptable and unacceptable uses of Wheelie
Good’s IT resources, such as computers, networks, email systems, and internet access, to prevent misuse
that could lead to security risks or legal violations.
• Scope: This policy applies to all employees, contractors, and third parties who use Wheelie Good’s IT
resources, whether on-site or remotely.
• Rules:

- Employees must use company email accounts only for work-related purposes and refrain from sending
personal emails or accessing inappropriate content (e.g., gambling or adult websites).

- Downloading or installing unauthorized software, such as pirated applications or unapproved browser
extensions, is prohibited to prevent malware infections.

- Employees must not share their login credentials with others, and all devices must be locked when
unattended to prevent unauthorized access.

- Use of personal devices for work purposes (e.g., accessing the production system via a personal laptop)
is strictly prohibited unless approved by the IT department and secured with company-approved
software (e.g., VPN, antivirus).

- Social media access on company devices is restricted to work-related activities, such as marketing
campaigns, to minimize distractions and reduce the risk of social engineering attacks.

• Enforcement: Violations of the AUP will result in disciplinary action, ranging from a written warning
for a first offense to termination for repeated or severe violations, such as downloading malware that
leads to a data breach. The IT department will monitor network activity using tools like Splunk to detect
policy violations, such as accessing prohibited websites, and report incidents to HR for action (Ciampa,
2022).
• Application for Wheelie Good: The AUP ensures that employees use IT resources responsibly,
reducing the risk of malware infections or data leaks. For example, if an employee downloads pirated
software that introduces ransomware, the AUP provides a basis for disciplinary action and reinforces
the importance of following security protocols.

12.2.2 Access Control Policy


• Purpose: The Access Control Policy ensures that only authorized individuals can access Wheelie
Good’s sensitive data and systems, protecting against unauthorized access and insider threats.
• Scope: This policy applies to all systems, applications, and data managed by Wheelie Good, including
the customer database, production management system, and employee records.
• Rules:

- Access to systems and data will be granted based on the principle of least privilege, ensuring that
employees only have access to the resources necessary for their roles. For example, the sales team can
access customer order data but not production schedules.

- Role-based access control (RBAC) will be implemented using Microsoft Active Directory, with
predefined roles for each department (e.g., sales, production, HR).

- Two-factor authentication (2FA) is mandatory for all employees accessing sensitive systems, such as
the customer database, using tools like Microsoft Authenticator or Google Authenticator.

- Passwords must be at least 12 characters long, include a mix of letters, numbers, and symbols, and be
changed every 90 days. Password reuse is prohibited, and accounts will be locked after 5 failed login
attempts.

- Access to the server room will be restricted to the IT team, using biometric access controls (e.g.,
fingerprint scanners) and CCTV monitoring to prevent unauthorized entry.

- All access attempts will be logged and audited monthly using Splunk to detect suspicious activity, such
as repeated failed login attempts that might indicate a brute-force attack.

• Enforcement: Unauthorized access attempts will be investigated by the IT department, and violations,
such as sharing credentials, will result in disciplinary action, up to and including termination. Employees
must report lost or stolen credentials immediately to the IT department for account suspension and reset
(Ciampa, 2022).
• Application for Wheelie Good: The Access Control Policy protects sensitive data, such as EU
customer information subject to GDPR, by ensuring that only authorized personnel can access it. For
example, if a production employee attempts to access customer data without permission, the policy
ensures that access is denied, and the attempt is logged for investigation.
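The rules above can be expressed directly as code. The following Python script is an added illustration, not part of the report or of Active Directory or Splunk: it models least-privilege RBAC per department, the 12-character password rule with the reuse ban, lockout after 5 failed logins, and an audit log that a monthly review can query for repeated failures. The role names, permissions and user accounts are constructed for the example.

```python
"""Access Control Policy rules as code: least-privilege RBAC, the 12-character
password rule, lockout after 5 failed logins, and an audit log of every attempt.
Roles, permissions and accounts below are constructed for this illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os
import string

# Constructed role-to-resource map following least privilege: sales can read
# customer order data but has no entry at all for production schedules.
ROLE_PERMISSIONS = {
    "sales": {"customer_orders": {"read", "write"}, "customer_database": {"read"}},
    "production": {"production_schedules": {"read", "write"}},
    "hr": {"employee_records": {"read", "write"}},
}
MAX_FAILED_ATTEMPTS = 5    # policy: lock the account after 5 failed logins
MIN_PASSWORD_LENGTH = 12   # policy: at least 12 characters


def password_meets_policy(password, previous=()):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if password in previous:
        problems.append("reused password")
    return problems


def hash_password(password, salt):
    """Salted PBKDF2 so the demo never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessController:
    accounts: dict
    audit_log: list = field(default_factory=list)   # every attempt is logged

    def _log(self, user, action, resource, outcome):
        self.audit_log.append({"user": user, "action": action,
                               "resource": resource, "outcome": outcome})

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            self._log(username, "login", "-", "denied")
            return False
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True            # lockout, reset only by IT
            self._log(username, "login", "-", "locked" if acct.locked else "failed")
            return False
        acct.failed_attempts = 0
        self._log(username, "login", "-", "success")
        return True

    def authorize(self, username, action, resource):
        """RBAC decision: allowed only if the role grants `action` on `resource`."""
        acct = self.accounts.get(username)
        allowed = (acct is not None and not acct.locked
                   and action in ROLE_PERMISSIONS.get(acct.role, {}).get(resource, ()))
        self._log(username, action, resource, "allowed" if allowed else "denied")
        return allowed

    def failed_login_alerts(self, threshold=MAX_FAILED_ATTEMPTS):
        """Audit check over the log: users with repeated failed logins."""
        counts = {}
        for entry in self.audit_log:
            if entry["action"] == "login" and entry["outcome"] in ("failed", "locked"):
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return {user: n for user, n in counts.items() if n >= threshold}


def build_demo():
    """Constructed sample accounts (not real Wheelie Good users)."""
    users = {"alice": ("sales", "Spr0cket-Chain#2025"),
             "bob": ("production", "Derailleur!Gear42x")}
    accounts = {}
    for name, (role, pw) in users.items():
        salt = os.urandom(16)
        accounts[name] = Account(name, role, salt, hash_password(pw, salt))
    return AccessController(accounts)
```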

12.2.3 Incident Management Policy


• Purpose: The Incident Management Policy defines the process for detecting, responding to, and
recovering from security incidents, such as data breaches, ransomware attacks, or phishing incidents, to
minimize their impact on Wheelie Good’s operations.
• Scope: This policy applies to all security incidents affecting Wheelie Good’s IT systems, data, or
operations, including incidents involving third-party vendors.
• Rules:

- A Security Information and Event Management (SIEM) system, such as Splunk, will be used to
monitor for suspicious activity, such as unusual login patterns or malware detections, and alert the IT
team in real time.

- The incident response process includes five steps:

1) Detection: Identify the incident using SIEM alerts or employee reports.

2) Containment: Isolate affected systems to prevent further damage (e.g., disconnect a
compromised server from the network).

3) Eradication: Remove the threat (e.g., delete malware, reset compromised credentials).

4) Recovery: Restore systems from secure backups and verify their integrity.

5) Review: Analyze the incident to identify root causes and implement improvements (e.g., update
firewall rules).

- All incidents must be reported to the IT department within 1 hour of detection, and the IT team must
notify senior management and relevant authorities (e.g., the Ministry of Information and
Communications in Vietnam) within 72 hours, as required by Vietnam’s Law on Cybersecurity 2018.

- An incident response team, consisting of the IT manager, security officer, and legal counsel, will be
established to manage incidents and coordinate with external stakeholders, such as law enforcement or
customers.

- Quarterly incident response drills will be conducted to test the plan’s effectiveness, simulating
scenarios like a ransomware attack or a phishing incident, to ensure the team is prepared for real
incidents.

• Enforcement: Failure to report an incident promptly will result in disciplinary action, such as a written
warning for a first offense. The IT department will maintain an incident log to track all incidents,
responses, and lessons learned, which will be reviewed during annual audits (Ciampa, 2022).
• Application for Wheelie Good: The Incident Management Policy ensures that Wheelie Good can
respond quickly to incidents, minimizing their impact. For example, if a ransomware attack encrypts the
production database, the policy ensures that the IT team can isolate the affected system, restore data
from backups, and report the incident to authorities within 72 hours, avoiding penalties and reducing
downtime.

12.2.4 Data Encryption Policy


• Purpose: The Data Encryption Policy ensures that Wheelie Good’s sensitive data is protected from
unauthorized access, both at rest and in transit, to comply with regulations like GDPR and Vietnam’s
Personal Data Protection Decree 2023.
• Scope: This policy applies to all sensitive data, including customer data, employee records, production
schedules, and proprietary designs, stored or transmitted by Wheelie Good.
• Rules:

- All sensitive data stored on servers, databases, and employee devices must be encrypted using AES-256
encryption to ensure that it remains unreadable without the encryption key.

- Data transmitted over networks, such as customer order details sent to suppliers, must be encrypted
using TLS 1.3 to protect against interception during transit.

- Encryption keys must be managed securely using a key management system, such as AWS Key
Management Service (KMS), with access restricted to the IT security team.

- Employees must use encrypted channels, such as Microsoft Outlook with Office 365 Message
Encryption, for sharing sensitive data via email, and the use of unencrypted email for work purposes is
prohibited.

- Laptops and removable media (e.g., USB drives) used for work must be encrypted using tools like
BitLocker (Windows) or FileVault (Mac) to prevent data loss in case of theft.

- Regular audits will be conducted to ensure that encryption is applied correctly, using tools like Nessus
to scan for unencrypted data, and any non-compliance will be addressed immediately.

• Enforcement: Failure to comply with the encryption policy, such as storing sensitive data on an
unencrypted device, will result in disciplinary action, ranging from a written warning to termination,
depending on the severity of the violation. The IT department will monitor compliance through regular
scans and audits (Ciampa, 2022).
• Application for Wheelie Good: The Data Encryption Policy ensures that customer data, such as EU
customer information, is protected in compliance with GDPR, reducing the risk of fines and reputational
damage. For example, if a laptop containing customer data is stolen, encryption ensures that the data
remains inaccessible to the thief, mitigating the impact of the incident.

12.2.5 Employee Training and Awareness Policy


• Purpose: The Employee Training and Awareness Policy ensures that all employees are educated on
security best practices, reducing the risk of human error, which is a leading cause of security incidents.
• Scope: This policy applies to all employees, contractors, and third parties who interact with Wheelie
Good’s IT systems or data.
• Rules:

- All employees must complete mandatory security awareness training within 30 days of onboarding
and annually thereafter, covering topics like phishing awareness, password management, and data
handling best practices.

- Monthly training sessions will be conducted using tools like KnowBe4, focusing on recognizing
phishing emails (e.g., identifying suspicious sender addresses), creating strong passwords (e.g., at least
12 characters with a mix of letters, numbers, and symbols), and handling customer data securely (e.g.,
using encrypted email).

- Simulated phishing campaigns will be conducted quarterly to test employee vigilance, with those who
fail receiving additional training to improve their skills.

- A security handbook will be distributed to all employees, outlining policies like the requirement to
lock workstations when unattended, the prohibition of using personal devices for work, and the process
for reporting suspicious activity.

- Employees who report phishing attempts or other security incidents will be rewarded with small
bonuses or recognition in company newsletters to encourage proactive behavior.

- Training effectiveness will be measured through metrics like the click-through rate on simulated
phishing emails, with a target of reducing the rate to below 5% within six months.

• Enforcement: Failure to complete mandatory training will result in restricted access to IT systems until
the training is completed. Repeated violations, such as failing multiple phishing tests, will result in
disciplinary action, such as a written warning (Ciampa, 2022).
• Application for Wheelie Good: The Employee Training and Awareness Policy reduces the risk of
human error, such as employees clicking on phishing emails, which could introduce malware into the
company’s systems. For example, if an employee recognizes a phishing email and reports it, the IT team
can block the sender, preventing a potential breach.

12.3. Essential Elements of a Security Policy


A well-designed security policy for Wheelie Good must include both must-have and should-have elements
to ensure comprehensive protection and adaptability.

12.3.1 Must-Have Elements


• Clear Definition of Employee Responsibilities: The policy must clearly outline the responsibilities of
all employees in maintaining security, such as reporting incidents, using strong passwords, and adhering
to access control policies. For example, employees must report lost credentials to the IT department
within 1 hour to prevent unauthorized access.
• Access Control and Data Encryption Measures: The policy must mandate the use of access controls
(e.g., RBAC, 2FA) and encryption (e.g., AES-256, TLS 1.3) to protect sensitive data, ensuring
compliance with regulations like GDPR and Vietnam’s laws.
• Incident Handling and Reporting Procedures: The policy must define a clear process for handling
and reporting security incidents, including timelines (e.g., report within 1 hour, notify authorities within
72 hours) and roles (e.g., incident response team), to minimize the impact of incidents.
• Consequences of Non-Compliance: The policy must specify disciplinary actions for violations, such
as a written warning for a first offense, suspension for a second offense, and termination for severe or
repeated violations, to enforce accountability.
• Scope and Applicability: The policy must define its scope, specifying which systems, data, and
personnel it applies to (e.g., all employees, contractors, and third parties), to ensure comprehensive
coverage.

12.3.2 Should-Have Elements


• Employee Training Guidelines: The policy should include guidelines for regular security awareness
training, such as monthly sessions and simulated phishing campaigns, to reduce human-related risks and
foster a security-conscious culture.
• Regular Review and Update Process: The policy should establish a process for reviewing and updating
itself at least annually or after significant changes (e.g., new regulations, security incidents), ensuring
that it remains relevant to the evolving threat landscape.
• Integration with Standards: The policy should align with international standards like ISO/IEC 27001
or NIST Cybersecurity Framework, providing a structured framework for implementation and
compliance.
• Metrics and Monitoring: The policy should define metrics to measure its effectiveness, such as the
number of reported incidents, the click-through rate on phishing tests, or the percentage of systems with
up-to-date patches, and establish a monitoring process to track these metrics.
• Third-Party Security Requirements: The policy should include requirements for third-party vendors,
such as mandating encryption and breach notification, to ensure the security of the supply chain.

12.4. Key Components of a Disaster Recovery Plan


A disaster recovery plan (DRP) is a critical component of Wheelie Good’s security strategy, ensuring that
the company can recover quickly from disruptions like natural disasters, cyberattacks, or system failures.
The following components are essential for an effective DRP tailored to Wheelie Good’s needs.

12.4.1 Risk Assessment


• Purpose: The risk assessment identifies potential threats to Wheelie Good’s operations, such as natural
disasters (e.g., flooding in Ho Chi Minh City), cyberattacks (e.g., ransomware), and system failures (e.g.,
server crashes), to prioritize recovery efforts.
• Implementation: Wheelie Good should conduct a comprehensive risk assessment, identifying threats,
vulnerabilities, and impacts. For example, flooding could disrupt production for weeks, costing
$500,000 in lost revenue, while a ransomware attack could encrypt the production database, leading to
a week-long shutdown and $300,000 in losses (Nguyen, 2023). The company should use a risk matrix
to prioritize risks based on likelihood and impact, focusing on high-priority risks like ransomware and
flooding. The assessment should be updated annually or after significant changes, such as adopting new
systems or experiencing a disaster (Ciampa, 2022).
• Application for Wheelie Good: The risk assessment ensures that Wheelie Good focuses its DRP on
the most significant threats, such as ransomware, which is prevalent in the manufacturing sector, and
flooding, which is a common risk in Vietnam, allowing the company to allocate resources effectively.

12.4.2 Recovery Objectives (RTO & RPO)


• Purpose: Recovery Time Objective (RTO) and Recovery Point Objective (RPO) define the maximum
acceptable downtime and data loss for Wheelie Good’s systems, ensuring that recovery efforts meet
business needs.
• Implementation: Wheelie Good should define RTO and RPO for each critical system. For the
production management system, which is essential for manufacturing operations, the RTO might be 4
hours, meaning the system must be restored within 4 hours to avoid significant production delays. The
RPO might be 15 minutes, meaning the company can afford to lose up to 15 minutes of data without
major impact, as production schedules are updated frequently. For the customer database, the RTO
might be 8 hours, and the RPO might be 1 hour, as customer data updates are less frequent. These
objectives should be determined through a business impact analysis (BIA), involving input from
production, sales, and IT teams (Ciampa, 2022).
• Application for Wheelie Good: Defining RTO and RPO ensures that Wheelie Good can prioritize
recovery efforts, focusing on restoring the production system quickly to minimize downtime, while
ensuring that customer data is recovered with minimal data loss to maintain order fulfillment.

12.4.3 Data Backup Strategy
• Purpose: A robust data backup strategy ensures that Wheelie Good can restore critical data after a
disaster, minimizing data loss and downtime.
• Implementation: Wheelie Good should implement a multi-tiered backup strategy:
1) Daily Incremental Backups: Back up changes made each day to minimize backup time, using tools
like Veeam Backup & Replication.
2) Weekly Full Backups: Perform a full backup of all critical systems every week to ensure a complete
restore point.
3) Multiple Locations: Store backups in at least two locations, such as an on-site NAS device for quick
access and an off-site cloud provider like AWS S3 for redundancy, with versioning enabled to protect
against ransomware.
4) Encryption: Encrypt all backups using AES-256 to prevent unauthorized access, with keys managed
securely using AWS KMS.
5) Testing: Test backups monthly by restoring a sample dataset to a sandbox environment, ensuring that
they are usable and free of corruption. Backups should be retained for at least 90 days to comply with
legal requirements, such as tax record retention (Ciampa, 2022).
• Application for Wheelie Good: The data backup strategy ensures that Wheelie Good can recover
quickly from a ransomware attack by restoring the production database from a secure backup,
minimizing downtime and ensuring compliance with GDPR’s data protection requirements.

12.4.4 Communication Plan


• Purpose: The communication plan ensures clear and timely communication during a disaster, keeping
all stakeholders informed and coordinated.
• Implementation: Wheelie Good should establish a communication plan with the following elements:
1) Contact List: Maintain an up-to-date list of contact information for all employees, the incident
response team, senior management, third-party vendors (e.g., cloud providers), and authorities (e.g., the
Ministry of Information and Communications).
2) Communication Channels: Use multiple channels, such as email, phone, and a dedicated messaging
app like Slack, to ensure accessibility during a disaster.
3) Notification Templates: Prepare templates for notifying stakeholders, such as customers, about a
data breach, including details like the nature of the incident, actions taken, and recommended steps (e.g.,
changing passwords).
4) Escalation Process: Define an escalation process for communicating with senior management and
authorities, ensuring that breaches are reported within 72 hours as required by Vietnam’s law.
5) Regular Updates: Provide regular updates to employees and customers during a disaster, such as
daily briefings on recovery progress, to maintain trust and transparency (Ciampa, 2022).
• Application for Wheelie Good: The communication plan ensures that Wheelie Good can coordinate
effectively during a ransomware attack, notifying employees to avoid affected systems, informing
customers of any data breach, and reporting to authorities within the required timeframe, minimizing
reputational damage.

12.4.5 Recovery Procedures
• Purpose: Recovery procedures outline the steps to restore systems and operations after a disaster,
ensuring a structured and efficient recovery process.
• Implementation: Wheelie Good should define detailed recovery procedures for each critical system:
1) Prioritization: Prioritize systems based on RTO, starting with the production management system
(RTO: 4 hours), followed by the customer database (RTO: 8 hours).
2) Restoration Process: Restore systems from backups, starting with the most recent full backup and
applying incremental backups as needed, using Veeam to automate the process.
3) Validation: Verify the integrity of restored systems by running diagnostic tests, such as checking
database consistency, and ensuring that no malware remains.
4) Failover Systems: Use failover systems, such as a secondary server in a different location, to
maintain operations during recovery, ensuring high availability.
5) Documentation: Document all recovery steps in a runbook, including commands for restoring
backups, contact details for support teams, and validation checklists, to ensure consistency and speed
during recovery (Ciampa, 2022).
• Application for Wheelie Good: The recovery procedures ensure that Wheelie Good can restore its
production system within 4 hours after a ransomware attack, using a secondary server to maintain
operations during recovery, and validate the restored system to ensure it is free of malware, minimizing
production delays.
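The backup tiers in 12.4.3, the RPO in 12.4.2 and the restoration order and validation step in 12.4.5 can be checked mechanically. The following Python script is an added example, not part of the report and not Veeam, NAS or S3 code: it builds a constructed backup catalogue (weekly full, daily incremental), selects the restore chain for a target time, validates each backup against its recorded checksum, measures the data loss against an RPO, and applies the 90-day retention rule without deleting a full backup that a retained incremental still depends on. The system name, dates and payloads are constructed.

```python
"""Backup catalogue logic for the DRP: weekly full plus daily incremental
backups, restore order (latest full, then later incrementals), checksum
validation, RPO check and 90-day retention. Catalogue entries are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    system: str          # e.g. "production_db" (constructed name)
    kind: str            # "full" or "incremental"
    taken_at: datetime
    data: bytes          # stands in for the backup file contents
    sha256: str          # checksum recorded when the backup was written


def checksum(data):
    return hashlib.sha256(data).hexdigest()


def make_catalog(system, start, days):
    """Constructed catalogue: a full backup every Sunday, an incremental on
    every other day, all taken in a 01:00 backup window."""
    catalog = []
    for d in range(days):
        taken = start + timedelta(days=d, hours=1)
        kind = "full" if taken.weekday() == 6 else "incremental"
        payload = f"{system}:{kind}:{taken.isoformat()}".encode()
        catalog.append(Backup(system, kind, taken, payload, checksum(payload)))
    return catalog


def restore_chain(catalog, system, target):
    """Backups to apply, in order, to bring `system` to its state at `target`:
    the most recent full at or before target, then every later incremental."""
    cands = sorted((b for b in catalog if b.system == system and b.taken_at <= target),
                   key=lambda b: b.taken_at)
    fulls = [b for b in cands if b.kind == "full"]
    if not fulls:
        return []
    base = fulls[-1]
    return [base] + [b for b in cands
                     if b.kind == "incremental" and b.taken_at > base.taken_at]


def validate_chain(chain):
    """Validation step: timestamps of backups whose checksum no longer matches
    the catalogue (corruption or tampering), which must not be restored."""
    return [b.taken_at for b in chain if checksum(b.data) != b.sha256]


def data_loss(chain, incident):
    """Time between the last usable backup and the incident: the actual data loss."""
    return incident - chain[-1].taken_at


def rpo_met(chain, incident, rpo):
    return bool(chain) and data_loss(chain, incident) <= rpo


def expired(catalog, now, retention=timedelta(days=90)):
    """Backups older than the retention period that may be deleted. A full backup
    (and intermediate incrementals) that a retained backup still depends on is kept."""
    cutoff = now - retention
    keep = set()
    for system in {b.system for b in catalog}:
        retained = [b for b in catalog if b.system == system and b.taken_at >= cutoff]
        if retained:
            oldest = min(retained, key=lambda b: b.taken_at)
            keep.update(restore_chain(catalog, system, oldest.taken_at))
    return [b for b in catalog if b.taken_at < cutoff and b not in keep]
```

With daily incrementals the newest backup can be up to a day old, so `rpo_met` shows that the 15-minute RPO set for the production system in 12.4.2 needs more frequent backups (for example, transaction-log backups or replication) than the daily tier alone provides.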

12.4.6 Testing and Maintenance


• Purpose: Regular testing and maintenance of the DRP ensure that it remains effective and up-to-date,
capable of addressing new threats and changes in the business environment.
• Implementation: Wheelie Good should test its DRP at least quarterly, conducting simulations of
various scenarios, such as a ransomware attack, a server failure, or a flood, to evaluate the plan’s
effectiveness. For example, a ransomware simulation can test the IT team’s ability to restore the
production database within 4 hours, while a flood simulation can test the communication plan and
failover systems. The company should also conduct tabletop exercises, involving all stakeholders in a
discussion-based scenario to identify gaps in the plan. After each test, Wheelie Good should update the
DRP based on lessons learned, such as adding new contact information or adjusting RTOs. The DRP
should be reviewed annually or after significant changes, such as adopting new systems or experiencing
a disaster, to ensure it remains relevant (Ciampa, 2022).
• Application for Wheelie Good: Testing and maintenance ensure that Wheelie Good’s DRP is effective
in real-world scenarios, such as recovering from a flood that disrupts production, by identifying gaps
(e.g., outdated contact lists) and updating the plan to address them, ensuring rapid recovery.

12.4.7 Training and Awareness for Disaster Recovery


• Purpose: Training and awareness ensure that all employees and the incident response team are prepared
to execute the DRP effectively during a disaster.
• Implementation: Wheelie Good should conduct annual DRP training for all employees, focusing on
their roles during a disaster, such as reporting incidents to the IT team or following evacuation
procedures during a flood. The incident response team should receive specialized training on the DRP,
including how to restore systems, communicate with stakeholders, and validate recovery. Training
should include hands-on exercises, such as restoring a test system from backups, to build practical skills.
The company should also distribute a DRP handbook, summarizing key procedures, contact details, and
escalation processes, to ensure that all employees have access to critical information during a disaster
(Ciampa, 2022).
• Application for Wheelie Good: DRP training ensures that the IT team can restore the production
system quickly after a ransomware attack, while employees know how to report incidents and follow
communication protocols, ensuring a coordinated and effective response.

12.5. Steps to Design the Security Policy


The following steps outline the process for designing Wheelie Good’s security policy, ensuring that it is
comprehensive, practical, and aligned with the company’s needs.

12.5.1 Identify Security Needs


• Process: Wheelie Good should begin by identifying its security needs through a comprehensive
assessment of its information assets, threats, and regulatory requirements. This involves:
1) Asset Inventory: Catalog all information assets, such as the customer database, production
management system, employee records, and proprietary designs, assigning ownership to each asset (e.g.,
IT manager for the customer database).
2) Threat Assessment: Identify potential threats, such as phishing attacks, ransomware, and insider
threats, using industry reports and historical data (e.g., 30% of attacks in the manufacturing sector are
ransomware, according to Nguyen, 2023).
3) Regulatory Requirements: Review applicable regulations, such as GDPR, Vietnam’s Law on
Cybersecurity 2018, and Vietnam’s Personal Data Protection Decree 2023, to identify compliance
requirements, such as encryption and breach notification.
4) Business Objectives: Align security needs with business goals, such as maintaining production
continuity and protecting customer trust, to ensure that the policy supports Wheelie Good’s operations
(Ciampa, 2022).
• Application for Wheelie Good: This step ensures that the security policy addresses Wheelie
Good’s most critical assets, such as the production system, and compliance requirements, such as
GDPR’s data protection mandates, providing a solid foundation for policy development.

12.5.2 Develop a Policy Framework


• Process: Wheelie Good should develop a policy framework based on international standards like
ISO/IEC 27001 or the NIST Cybersecurity Framework, which provide a structured approach to security
policy development. The framework should include:
1) Policy Structure: Organize the policy into sections, such as AUP, access control, incident
management, and data encryption, with clear headings and subheadings.
2) Roles and Responsibilities: Define the roles of all stakeholders, such as the IT manager for policy
enforcement, the security officer for incident response, and employees for reporting incidents.
3) Control Objectives: Align the policy with ISO/IEC 27001 controls, such as A.8 (asset management),
A.9 (access control), and A.12 (operations security), to ensure comprehensive coverage.
4) Compliance Mapping: Map policy requirements to regulations, such as GDPR’s requirement for
encryption (Article 32) and Vietnam’s breach notification timeline (72 hours), to ensure compliance
(ISO, 2013).
• Application for Wheelie Good: The framework ensures that Wheelie Good’s security policy is
structured, comprehensive, and aligned with ISO/IEC 27001, providing a clear roadmap for
implementation and compliance with GDPR and Vietnam’s laws.

12.5.3 Draft the Policy with Stakeholder Input


 Process: Wheelie Good should draft the security policy with input from all relevant stakeholders,
including senior management, IT, HR, legal, and production teams, to ensure that it is practical and
addresses all perspectives. The drafting process should:
1) Involve Workshops: Conduct workshops with stakeholders to discuss policy requirements, such as
the need for 2FA or regular backups, and address concerns, such as employee resistance to new
measures.
2) Incorporate Feedback: Revise the policy based on feedback, ensuring that it is clear, concise, and
actionable (e.g., replacing technical jargon with plain language).
3) Define Enforcement Mechanisms: Include clear consequences for non-compliance, such as
disciplinary actions, and specify monitoring methods, such as using Splunk to track policy violations.
4) Review by Legal Team: Have the legal team review the policy to ensure compliance with regulations
and alignment with contractual obligations, such as data protection agreements with EU clients (Ciampa,
2022).
• Application for Wheelie Good: Stakeholder input ensures that the policy is practical and addresses the
needs of all departments, such as the production team’s need for rapid system recovery, while the legal
review ensures compliance with GDPR and Vietnam’s laws.

12.5.4 Implement the Policy and Train Employees


• Process: Wheelie Good should implement the security policy by communicating it to all employees and
providing training to ensure understanding and compliance. This involves:
1) Policy Distribution: Distribute the policy to all employees via email and the company intranet,
ensuring that it is easily accessible.
2) Training Sessions: Conduct mandatory training sessions within 30 days of policy rollout, covering
key requirements, such as using 2FA, reporting incidents, and encrypting data, using interactive methods
like quizzes and role-playing.
3) Awareness Campaigns: Launch awareness campaigns, such as posters in the office and monthly
newsletters, to reinforce key messages, such as the importance of strong passwords.
4) Support Resources: Provide support resources, such as an IT helpdesk and a security handbook, to
assist employees with policy-related questions, such as how to enable 2FA (Ciampa, 2022).
• Application for Wheelie Good: Implementation and training ensure that all employees understand and
follow the security policy, reducing the risk of non-compliance, such as an employee failing to report a
phishing email, which could lead to a breach.

12.5.5 Monitor, Evaluate, and Update the Policy


• Process: Wheelie Good should monitor the policy’s effectiveness, evaluate its impact, and update it
regularly to ensure that it remains relevant. This involves:
1) Monitoring: Use tools like Splunk to monitor compliance, such as tracking access logs for
unauthorized attempts or email logs for unencrypted messages.
2) Evaluation: Measure the policy’s effectiveness using metrics, such as the number of reported
incidents, the click-through rate on phishing tests (target: below 5%), and the percentage of systems
with up-to-date patches (target: 100%).
3) Audits: Conduct annual audits to assess policy compliance, using a checklist based on ISO/IEC
27001 controls, and identify areas for improvement, such as outdated encryption standards.
4) Updates: Update the policy at least annually or after significant changes, such as new regulations
(e.g., updates to GDPR) or security incidents (e.g., a ransomware attack), incorporating lessons learned
and emerging best practices (ISO, 2013).
• Application for Wheelie Good: Monitoring and updating the policy ensure that it remains effective,
such as updating encryption standards to AES-256 if a new regulation requires stronger encryption,
ensuring ongoing protection and compliance.

12.6. Benefits, Challenges, and Long-Term Impact


The security policy and disaster recovery plan offer significant benefits for Wheelie Good, but they also
come with challenges that the company must address to ensure successful implementation.

12.6.1 Benefits
The security policy provides Wheelie Good with a structured framework to protect its information assets,
ensuring compliance with regulations like GDPR and Vietnam’s laws, and reducing the risk of fines and
reputational damage. It fosters a culture of security awareness, as employees are trained to recognize and
report threats, and ensures that access to sensitive data is restricted to authorized personnel, minimizing the
risk of insider threats. The disaster recovery plan ensures that Wheelie Good can recover quickly from
disruptions, such as a ransomware attack or flood, minimizing downtime and financial losses. Together,
these components enhance Wheelie Good’s resilience, build trust with customers and partners, and support
its growth in global markets (Ciampa, 2022).

12.6.2 Challenges
Developing and implementing the security policy and DRP can be resource-intensive, requiring significant
time, budget, and expertise. For Wheelie Good, drafting the policy may require hiring external consultants,
and implementing controls like encryption and 2FA may involve upgrading systems, which can be costly.
Employee resistance to new measures, such as mandatory training or 2FA, may also pose a challenge,
requiring effective communication to highlight the benefits of these measures. Additionally, maintaining
the DRP requires regular testing and updates, which can strain resources, especially during peak production
periods (ISO, 2013).

12.6.3 Long-Term Impact


Over the long term, the security policy and DRP can position Wheelie Good as a leader in information
security within the bicycle parts industry, giving it a competitive edge in privacy-conscious markets like the
EU. The policy ensures that Wheelie Good’s security practices evolve with the threat landscape, maintaining
its resilience as it grows, while the DRP ensures business continuity, even in the face of major disruptions.
By prioritizing security and disaster recovery, Wheelie Good can build a reputation as a trusted and reliable
partner, leading to increased customer loyalty, market share, and business opportunities (Ciampa, 2022).

13. Discuss the roles of stakeholders in the organisation in implementing security audits.
(P8)
Role of Stakeholders in Conducting an IT Security Audit for Wheelie Good

13.1. Definition of Stakeholders


Stakeholders are individuals, groups, or entities that have a direct or indirect interest in the security
operations of an organization, as their actions, decisions, or outcomes are impacted by the organization’s
security posture (Ciampa, 2022). In the context of an IT security audit, stakeholders include internal parties,
such as management, the IT department, and employees, as well as external parties, such as customers,
business partners, third-party vendors, auditors, and regulatory authorities. These stakeholders play a critical
role in ensuring that the organization’s information assets—such as data, systems, and networks—are
protected from threats like cyberattacks, data breaches, and insider threats, while also ensuring compliance
with legal and regulatory requirements.

For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global
markets, stakeholders include senior management (e.g., the CEO and CFO), the IT department, production
and sales employees, EU customers, logistics partners, cloud service providers (e.g., AWS), external
auditors, and regulatory bodies like the Ministry of Information and Communications in Vietnam and the
European Data Protection Board (EDPB) for GDPR compliance (European Union, 2016; Vietnam
Government, 2018). Each stakeholder has a vested interest in the success of the IT security audit, as it
directly impacts the protection of sensitive data (e.g., customer information, proprietary designs),
operational continuity, and the company’s reputation in international markets. By involving all stakeholders,
Wheelie Good can ensure a comprehensive and collaborative approach to its security audit, addressing the
needs and expectations of all parties (Ciampa, 2022).

13.2. Role of Stakeholders in the Organization


The following subsections detail the roles and responsibilities of key stakeholders in Wheelie Good, both
within the organization and externally, in the context of conducting an IT security audit. Each stakeholder’s
role is critical to ensuring the audit’s success and the overall improvement of the company’s security posture.

13.2.1 Senior Management


• Role and Responsibilities:
o Approval and Resource Allocation: Senior management, including the CEO and CFO, is
responsible for approving the IT security audit plan, ensuring that it aligns with Wheelie Good’s
strategic objectives, such as maintaining production continuity and GDPR compliance. They
allocate the necessary resources, including budget, personnel, and tools, to support the audit
process. For example, they might approve a $20,000 budget for hiring external auditors and
purchasing vulnerability scanning tools like Nessus (Ciampa, 2022).
o Establishing a Security Culture: Management sets the tone for a security-conscious culture by
prioritizing cybersecurity in organizational policies and communications. They lead by example,
such as participating in security training and emphasizing the importance of the audit during
company-wide meetings, encouraging employees to take security seriously.
o Decision-Making and Oversight: Management reviews the audit findings and
recommendations, making strategic decisions on how to address identified vulnerabilities, such
as investing in a new firewall or implementing two-factor authentication (2FA). They also
oversee the implementation of corrective actions, ensuring that timelines and responsibilities are
clearly defined (ISO, 2013).
o Communication with External Stakeholders: Senior management communicates audit
outcomes to external stakeholders, such as customers and regulators, to demonstrate compliance
and build trust. For example, they might issue a statement to EU customers confirming that
Wheelie Good has passed its GDPR compliance audit, reinforcing the company’s commitment
to data protection.
• Application for Wheelie Good: Senior management’s approval ensures that the audit has the necessary
resources, such as funding for penetration testing, while their leadership fosters a culture where
employees prioritize security, reducing the risk of human error, such as clicking on phishing emails
(Nguyen, 2023).

13.2.2 IT Department
• Role and Responsibilities:
o Technical Execution of the Audit: The IT department conducts the technical components of
the audit, such as vulnerability scanning, penetration testing, and log analysis, to identify
weaknesses in Wheelie Good’s systems. For example, they might use Nessus to scan for
unpatched software on servers or Burp Suite to test the company’s web application for SQL
injection vulnerabilities (Ciampa, 2022).
o System Maintenance and Compliance: Post-audit, the IT department implements corrective
actions to address identified vulnerabilities, such as patching software, updating firewall rules,
or enabling 2FA for all employees using Microsoft Authenticator. They ensure that systems
remain compliant with standards like ISO/IEC 27001 by maintaining up-to-date configurations
and monitoring for new threats.
o Documentation and Reporting: The IT department documents the audit process, including
tools used, findings, and remediation steps, in a detailed report for management and auditors.
They also maintain logs of system changes, such as patch updates, to demonstrate compliance
during future audits (ISO, 2013).
o Collaboration with Auditors: The IT team works closely with external auditors, providing
access to systems, logs, and configurations, and addressing technical questions, such as
explaining the company’s encryption practices (e.g., AES-256 for data at rest, TLS 1.3 for data
in transit).
o Monitoring and Continuous Improvement: After the audit, the IT department deploys
monitoring tools, such as a Security Information and Event Management (SIEM) system like
Splunk, to detect suspicious activity, such as repeated failed login attempts, and continuously
improves security practices based on audit recommendations, such as adopting zero-trust
architecture.

• Application for Wheelie Good: The IT department’s technical expertise ensures that vulnerabilities,
such as outdated software on the production system, are identified and addressed, while their ongoing
monitoring with Splunk helps detect and respond to threats, maintaining compliance with Vietnam’s
Law on Cybersecurity 2018 (Vietnam Government, 2018).
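The paragraph above expects the SIEM to flag repeated failed logins and unusual login patterns. The following Python, added here as an illustration and not taken from the report or from Splunk, shows the correlation logic such a rule needs: a sliding time window per source address, a failure threshold, and a second alert when a login succeeds right after a burst of failures. The log format, the user names, the TEST-NET addresses and the threshold values are all constructed for this example.

```python
"""Correlation rule for repeated failed logins, in the style of a SIEM alert.

Added example for the Wheelie Good report: the SIEM described in the text
(Splunk) is expected to flag "repeated failed login attempts" and "unusual
login patterns". This stand-alone script shows the logic such a rule needs:
a sliding time window per source address, a failure threshold, and a second
alert when a login succeeds right after a burst of failures.
The log format and all sample events below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log format: ISO timestamp, result, user, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample events (TEST-NET addresses, fictitious users).
SAMPLE_LOG = """\
2025-04-01T08:00:01 auth FAILED user=jdoe src=10.0.5.21
2025-04-01T08:00:09 auth SUCCESS user=jdoe src=10.0.5.21
2025-04-01T08:02:00 auth FAILED user=admin src=203.0.113.7
2025-04-01T08:02:11 auth FAILED user=admin src=203.0.113.7
2025-04-01T08:02:25 auth FAILED user=root src=203.0.113.7
2025-04-01T08:02:40 auth FAILED user=prod_ops src=203.0.113.7
2025-04-01T08:02:58 auth FAILED user=prod_ops src=203.0.113.7
2025-04-01T08:03:20 auth SUCCESS user=prod_ops src=203.0.113.7
this line is not an auth event and is skipped by the parser
2025-04-01T09:30:00 auth FAILED user=admin src=198.51.100.4
2025-04-01T09:45:00 auth FAILED user=admin src=198.51.100.4
"""


def parse(line):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_login_bursts(lines, threshold=5, window_minutes=5):
    """Scan events in order and return a list of alert dicts.

    - "failed_login_burst": the source reached `threshold` failures inside the
      window (raised once per burst, when the count first hits the threshold).
    - "success_after_burst": a login succeeded from a source whose recent
      failure count is still at or above the threshold; the account named in
      the event should be reviewed.
    """
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are ignored, not treated as events
        q = recent_failures[ev["src"]]
        # Slide the window: forget failures older than `window`.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"type": "failed_login_burst", "src": ev["src"],
                               "count": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:  # a SUCCESS while the burst is still "hot"
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["type"], a["src"],
              a.get("user", ""), a.get("count", ""))
```

Run as-is, the sample produces one burst alert for 203.0.113.7 and one success-after-burst alert for the prod_ops account; the two slow attempts from 198.51.100.4 stay below the default threshold, which is the trade-off the tuning parameters exist for.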

13.2.3 Employees
• Role and Responsibilities:
o Compliance with Security Processes: Employees are responsible for adhering to security
processes identified during the audit, such as using strong passwords, enabling 2FA, and locking
workstations when unattended. For example, production employees must ensure that they do not
share credentials to access the production management system (Ciampa, 2022).
o Participation in Training: Employees participate in security awareness training programs
recommended by the audit, such as monthly sessions on phishing awareness using tools like
KnowBe4, to reduce human-related risks. They also engage in simulated phishing campaigns,
learning to recognize suspicious emails and report them to the IT department.
o Reporting Incidents: Employees play a critical role in reporting security incidents, such as
phishing emails or lost devices, to the IT department promptly, enabling rapid response. For
example, a sales employee who receives a suspicious email impersonating a supplier should
report it within 1 hour, as per Wheelie Good’s incident management policy (ISO, 2013).
o Providing Feedback: During the audit, employees provide feedback on security processes
through interviews or surveys, highlighting practical challenges, such as difficulty using 2FA on
mobile devices, which the IT department can address by providing additional training or support.
o Adopting Security Best Practices: Post-audit, employees adopt best practices recommended
by the audit, such as using encrypted email for sharing customer data and avoiding the use of
personal devices for work, reducing the risk of data leaks.
• Application for Wheelie Good: Employees’ compliance with security processes, such as reporting
phishing emails, helps prevent breaches, while their participation in training reduces the click-through
rate on phishing emails (e.g., from 20% to 5%), enhancing overall security (Nguyen, 2023).

13.2.4 Customers and Business Partners


• Role and Responsibilities:
o Demanding Audit Evidence: Customers and business partners, particularly those in the EU,
require evidence of a successful IT security audit to ensure that their data is handled securely in
compliance with GDPR. For example, an EU customer might request a copy of Wheelie Good’s
audit report to verify that customer data is encrypted and access controls are in place (European
Union, 2016).
o Providing Input on Security Expectations: Customers and partners provide input on their
security expectations, such as requiring Wheelie Good to implement specific controls (e.g., AES-
256 encryption) or conduct regular audits, as part of contractual agreements. A logistics partner
might require Wheelie Good to audit its supply chain security to ensure the safety of delivery
data.
o Influencing Security Priorities: The expectations of customers and partners influence Wheelie
Good’s security priorities during the audit. For example, EU customers’ focus on GDPR
compliance might lead the audit to prioritize data protection controls, such as encryption and
breach notification processes, over other areas (Ciampa, 2022).
o Building Trust through Transparency: By sharing audit outcomes with customers and
partners, Wheelie Good builds trust and strengthens relationships. For instance, providing a
summary of audit findings and remediation steps to a key EU customer demonstrates
transparency and commitment to security, encouraging continued business.
o Participating in Joint Audits: In some cases, business partners may participate in joint audits,
particularly if they share systems or data with Wheelie Good. For example, a cloud provider like
AWS might collaborate on an audit to verify the security of shared infrastructure, ensuring that
both parties meet compliance requirements.

• Application for Wheelie Good: Customers’ demands for GDPR compliance ensure that Wheelie Good
prioritizes data protection during the audit, while sharing audit results with partners, such as a logistics
provider, builds trust and ensures secure data handling across the supply chain.

13.2.5 Third-Party Vendors


• Role and Responsibilities:
o Supporting Audit Activities: Third-party vendors, such as cloud service providers (e.g., AWS)
or software vendors, support the audit by providing access to their systems, logs, and security
documentation. For example, AWS might provide a SOC 2 Type II report to verify the security
of Wheelie Good’s cloud-stored customer data (Ciampa, 2022).
o Implementing Recommendations: Vendors implement audit recommendations that affect their
services, such as enabling additional security features (e.g., enabling AWS Shield for DDoS
protection) or updating software to address vulnerabilities identified during the audit.
o Ensuring Compliance: Vendors ensure that their services comply with Wheelie Good’s security
requirements and regulations, such as GDPR and Vietnam’s Personal Data Protection Decree
2023, by providing evidence of their own audits or certifications (e.g., ISO/IEC 27001
certification) (Vietnam Government, 2023).
o Collaborating on Remediation: If the audit identifies vulnerabilities in vendor systems, such
as a lack of encryption in a logistics provider’s data transfers, the vendor collaborates with
Wheelie Good to remediate the issue, such as implementing TLS 1.3 for secure data
transmission.
o Participating in Supply Chain Security: Vendors participate in supply chain security audits,
ensuring that their practices do not introduce risks into Wheelie Good’s ecosystem. For example,
a raw material supplier might be audited to ensure that its systems are secure, preventing a supply
chain attack that could affect Wheelie Good’s production data.
• Application for Wheelie Good: Third-party vendors’ support ensures that the audit covers the
entire ecosystem, such as verifying AWS’s security controls, while their collaboration on
remediation, such as enabling TLS 1.3 for a logistics provider, reduces supply chain risks.

13.2.6 External Auditors


• Role and Responsibilities:
o Conducting Independent Assessments: External auditors, such as a certified ISO/IEC 27001
auditor or a cybersecurity firm, conduct an independent and objective assessment of Wheelie
Good’s security posture, ensuring that the audit is unbiased and adheres to international standards
(ISO, 2013).
o Identifying Vulnerabilities and Gaps: Auditors identify vulnerabilities, compliance gaps, and
areas for improvement, such as unpatched software, lack of 2FA, or non-compliance with
GDPR’s breach notification requirements, providing detailed findings in a report.
o Providing Recommendations: Auditors provide actionable recommendations to address
identified issues, such as implementing a SIEM system like Splunk, conducting regular
penetration testing, or training employees on phishing awareness using KnowBe4 (Ciampa,
2022).
o Verifying Compliance: Auditors verify Wheelie Good’s compliance with regulations and
standards, such as GDPR, Vietnam’s Law on Cybersecurity 2018, and ISO/IEC 27001, issuing
a certification or compliance report that can be shared with customers and regulators.
o Ensuring Accountability: By conducting follow-up audits, external auditors ensure that
Wheelie Good implements the recommended actions within the agreed timelines, holding the
company accountable for improving its security posture.
• Application for Wheelie Good: External auditors provide an unbiased assessment, identifying critical
vulnerabilities like unpatched software, and their recommendations, such as deploying Splunk, help
Wheelie Good strengthen its defenses and achieve ISO/IEC 27001 certification, enhancing its reputation
with EU customers.

13.2.7 Regulatory Authorities


• Role and Responsibilities:
o Setting Compliance Requirements: Regulatory authorities, such as the Ministry of
Information and Communications in Vietnam and the EDPB for GDPR, set compliance
requirements that Wheelie Good must meet, such as encrypting customer data and reporting
breaches within 72 hours (European Union, 2016; Vietnam Government, 2018).
o Reviewing Audit Outcomes: Regulators may review audit outcomes to ensure compliance,
such as requesting a copy of Wheelie Good’s audit report to verify that it has implemented
GDPR-mandated controls, like data encryption and access logging.
o Enforcing Penalties for Non-Compliance: If the audit reveals non-compliance, regulators
may impose penalties, such as fines of up to 4% of annual global revenue under GDPR or
5% under Vietnam’s Personal Data Protection Decree 2023, motivating Wheelie Good to
address issues promptly (Vietnam Government, 2023).
o Providing Guidance: Regulators provide guidance on compliance requirements, such as
Vietnam’s guidelines on data localization, which Wheelie Good can incorporate into its audit
scope to ensure that customer data is stored within Vietnam as required.
o Facilitating Industry Standards: Regulators may promote industry standards, such as
encouraging the adoption of ISO/IEC 27001, which Wheelie Good can use as a framework
for its audit, ensuring alignment with best practices.
• Application for Wheelie Good: Regulatory authorities ensure that Wheelie Good’s audit addresses
compliance requirements, such as GDPR’s breach notification timeline, while their enforcement of
penalties motivates the company to implement audit recommendations, avoiding fines and
maintaining its export operations.

13.2.8 Shareholders and Investors


• Role and Responsibilities:
o Demanding Security Assurance: Shareholders and investors demand assurance that Wheelie
Good’s IT systems are secure, as a data breach could lead to financial losses, reputational
damage, and a decline in stock value. They may require the audit to be conducted regularly to
mitigate these risks (Ciampa, 2022).
o Funding Security Initiatives: Investors provide funding for security initiatives recommended
by the audit, such as upgrading to a next-generation firewall or hiring additional IT staff, ensuring
that Wheelie Good has the resources to improve its security posture.
o Reviewing Audit Results: Shareholders review audit results during board meetings to assess
the company’s risk profile and ensure that management is addressing vulnerabilities effectively,
such as implementing 2FA to reduce the risk of unauthorized access.
o Influencing Strategic Decisions: Investors influence strategic decisions based on audit findings,
such as prioritizing cybersecurity investments over other projects if the audit reveals significant
risks, ensuring that Wheelie Good remains competitive and secure.
o Promoting Transparency: Shareholders encourage transparency by requiring Wheelie Good to
disclose audit outcomes in annual reports, demonstrating to the market that the company is
committed to security, which can attract additional investment.
• Application for Wheelie Good: Shareholders’ demand for security assurance ensures that the audit is
thorough, while their funding enables Wheelie Good to implement recommendations, such as deploying
a SIEM system, reducing financial risks and enhancing investor confidence.

13.3. Definition of an IT Security Audit


An IT security audit is a systematic and comprehensive evaluation of an organization’s information
technology systems, policies, and processes to assess their security posture, identify vulnerabilities, ensure
compliance with regulatory and industry standards, and recommend improvements to enhance overall
security (Ciampa, 2022). The audit aims to protect the organization’s information assets—such as data,
systems, and networks—from threats like cyberattacks, data breaches, and insider threats, while ensuring
that the organization meets legal requirements, such as GDPR, Vietnam’s Law on Cybersecurity 2018, and
Vietnam’s Personal Data Protection Decree 2023 (European Union, 2016; Vietnam Government, 2018;
Vietnam Government, 2023).

The audit process typically follows a structured methodology, such as the one outlined in ISO/IEC 27001
or the NIST Cybersecurity Framework, and includes several key steps:

1) Planning: Define the scope, objectives, and criteria for the audit, such as focusing on Wheelie Good’s
customer database and production systems.

2) Data Collection: Gather evidence through interviews, system scans, and document reviews, such as
examining firewall logs or employee training records.

3) Analysis: Evaluate the collected data against security standards and regulations to identify gaps, such as
unpatched software or non-compliance with GDPR.

4) Reporting: Document findings, including vulnerabilities, compliance issues, and recommendations, in a
detailed audit report.

5) Follow-Up: Monitor the implementation of recommended actions to ensure that identified issues are
addressed (ISO, 2013).

For Wheelie Good, the audit ensures that its IT infrastructure is secure, compliant, and capable of supporting
its global operations, maintaining trust with customers and partners.
13.4. Recommendations for Conducting an IT Security Audit
To maximize the effectiveness of the IT security audit and ensure that it addresses Wheelie Good’s needs,
the following recommendations outline a comprehensive approach to implementation, involving all
stakeholders.

13.4.1 Conduct Regular Audits to Identify Vulnerabilities


• Recommendation: Wheelie Good should conduct IT security audits at least annually, or more
frequently if significant changes occur, such as adopting new systems, experiencing a security incident,
or facing new regulatory requirements. Regular audits help identify vulnerabilities before they can be
exploited, such as outdated software on the production system or weak Wi-Fi encryption (e.g., using
WPA2 instead of WPA3).
• Implementation: The IT department should use tools like Nessus for vulnerability scanning and Burp
Suite for penetration testing to identify weaknesses, such as unpatched software or SQL injection
vulnerabilities in the company’s web application. External auditors should be engaged to provide an
independent assessment, ensuring that no vulnerabilities are overlooked. For example, an audit might
reveal that Wheelie Good’s servers are running Windows Server 2012, which is no longer supported,
prompting the IT team to upgrade to Windows Server 2022 and apply all security patches (Ciampa,
2022).
• Stakeholder Involvement: Senior management approves the audit schedule and budget, the IT
department conducts the technical assessments, employees provide feedback on system usability, and
external auditors validate the findings, ensuring a comprehensive identification of vulnerabilities.

13.4.2 Ensure Compliance with Legal and Regulatory Requirements


• Recommendation: The audit should focus on ensuring compliance with applicable regulations, such as
GDPR, Vietnam’s Law on Cybersecurity 2018, and Vietnam’s Personal Data Protection Decree 2023,
to avoid fines and maintain Wheelie Good’s ability to operate in global markets. This includes verifying
that customer data is encrypted, access controls are in place, and breaches are reported within 72 hours.
• Implementation: The audit should include a compliance checklist based on regulatory requirements,
such as GDPR’s Article 32 (security of processing) and Vietnam’s breach notification timeline. The IT
department should verify that AES-256 encryption is applied to customer data and that Splunk is
configured to log access attempts, ensuring compliance with GDPR’s accountability principle. The legal
team should review the audit report to confirm that all regulatory requirements are met, and senior
management should communicate compliance status to regulators, such as submitting a report to the
Ministry of Information and Communications (European Union, 2016; Vietnam Government, 2018).
• Stakeholder Involvement: Regulatory authorities set the compliance requirements, the IT department
implements and verifies controls, the legal team ensures alignment with laws, senior management
oversees compliance efforts, and customers demand evidence of compliance, ensuring that Wheelie
Good meets all legal obligations.
13.4.3 Enhance Security Awareness Across the Organization
• Recommendation: The audit should include an assessment of employee security awareness, identifying
gaps in training and behavior, and recommend initiatives to enhance awareness, such as regular training
sessions and simulated phishing campaigns, to reduce human-related risks.
• Implementation: The audit should evaluate employee behavior through interviews, surveys, and
simulated phishing tests, using tools like KnowBe4 to measure the click-through rate on phishing emails
(target: below 5%). Based on the findings, Wheelie Good should implement monthly training sessions
on topics like phishing awareness, password management, and data handling best practices, and
distribute a security handbook outlining policies, such as locking workstations when unattended.
Employees who report phishing attempts should be rewarded with small bonuses to encourage vigilance,
fostering a culture of security awareness (Ciampa, 2022).
• Stakeholder Involvement: Employees participate in training and provide feedback, the IT department
conducts the assessment and implements training programs, senior management promotes a security
culture, and external auditors recommend awareness initiatives, ensuring that all employees are
equipped to recognize and report threats.

13.4.4 Update Security Measures Based on Audit Findings


• Recommendation: Wheelie Good should use the audit findings to update its security measures,
ensuring that they are aligned with the current threat landscape and capable of addressing emerging
risks, such as new types of malware or zero-day exploits.
• Implementation: If the audit identifies outdated security measures, such as an old firewall or antivirus
software without behavioral analysis, the IT department should upgrade to a next-generation firewall
like Cisco Firepower, which includes intrusion prevention, and replace the antivirus with Symantec
Endpoint Protection, which uses machine learning to detect ransomware. The audit might also
recommend adopting endpoint detection and response (EDR) tools, such as CrowdStrike Falcon, to
provide real-time monitoring and response capabilities, and implementing zero-trust architecture to
verify all users and devices continuously (ISO, 2013).
• Stakeholder Involvement: The IT department implements the updates, senior management approves
the budget for new tools, employees adopt new security practices (e.g., using 2FA), and external auditors
verify the effectiveness of the updated measures, ensuring that Wheelie Good’s defenses are robust.

13.4.5 Strengthen Incident Response Capabilities


• Recommendation: The audit should assess Wheelie Good’s incident response capabilities, identifying
weaknesses and recommending improvements to ensure rapid and effective responses to security
incidents, such as ransomware attacks or data breaches.
• Implementation: The audit should evaluate the incident response plan, checking for the presence of a
SIEM system, clear response steps, and regular drills. If gaps are found, such as the lack of real-time
monitoring, the IT department should deploy Splunk to detect incidents, such as unusual login patterns,
and develop a comprehensive plan with steps: detection, containment, eradication, recovery, and review.
Quarterly drills should be conducted to test the plan, simulating a ransomware attack to train the IT team
and employees on their roles, such as reporting incidents promptly (Ciampa, 2022).
• Stakeholder Involvement: The IT department develops and tests the plan, employees participate in
drills and report incidents, senior management allocates resources for tools like Splunk, and external
auditors recommend improvements, ensuring that Wheelie Good can respond effectively to incidents.

13.4.6 Engage Third-Party Vendors in the Audit Process


• Recommendation: The audit should include third-party vendors, such as cloud providers and logistics
partners, to ensure that their practices do not introduce vulnerabilities into Wheelie Good’s ecosystem,
particularly for shared data and systems.
• Implementation: The audit should assess vendors’ security controls, such as requiring AWS to provide
a SOC 2 Type II report to verify the security of cloud-stored data, and a logistics provider to implement
TLS 1.3 for data transfers. Wheelie Good should update vendor contracts to include audit requirements,
such as annual security assessments, and collaborate with vendors to remediate identified issues, such
as enabling additional security features on AWS (e.g., AWS Shield for DDoS protection) (ISO, 2013).
 Stakeholder Involvement: Third-party vendors provide access to their systems and implement
recommendations, the IT department assesses vendor security, senior management updates contracts,
and external auditors verify vendor compliance, ensuring a secure supply chain.

13.4.7 Communicate Audit Outcomes to Build Trust


• Recommendation: Wheelie Good should communicate audit outcomes to all stakeholders, such as
customers, partners, and regulators, to build trust and demonstrate a commitment to security, particularly
in privacy-conscious markets like the EU.
• Implementation: Senior management should prepare a summary of audit findings and remediation
steps, sharing it with EU customers to confirm GDPR compliance, such as the implementation of AES-
256 encryption and 2FA. The company should also submit a compliance report to the Ministry of
Information and Communications in Vietnam, detailing how it meets the 72-hour breach notification
requirement. Additionally, Wheelie Good should include audit outcomes in its annual report to inform
shareholders and investors, highlighting improvements like the deployment of a SIEM system (Ciampa,
2022).
• Stakeholder Involvement: Senior management communicates the outcomes, customers and regulators
review the results, shareholders assess the impact on risk, and the IT department provides technical
details, ensuring transparency and trust across all stakeholders.

13.5. Benefits, Challenges, and Long-Term Impact


Involving stakeholders in the IT security audit offers significant benefits for Wheelie Good, but it also comes
with challenges that the company must address to ensure success.

13.5.1 Benefits
Involving stakeholders ensures a comprehensive audit that addresses the needs and expectations of all
parties, from identifying vulnerabilities to ensuring compliance. Senior management’s leadership fosters a
security culture, the IT department’s technical expertise strengthens defenses, and employees’ participation
reduces human-related risks. Customers and partners gain confidence in Wheelie Good’s security practices,

while vendors and auditors ensure a secure and compliant ecosystem. Regulatory authorities and
shareholders benefit from transparency and assurance, supporting Wheelie Good’s operations and growth
(Ciampa, 2022).

13.5.2 Challenges
Coordinating multiple stakeholders can be complex, requiring effective communication and alignment of
priorities. For example, employees may resist new security measures, such as 2FA, while vendors may be
reluctant to share system access for audits. Resource constraints, such as budget limitations for hiring
auditors or purchasing tools, may also pose a challenge, requiring senior management to balance security
investments with other priorities. Additionally, ensuring compliance with multiple regulations, such as
GDPR and Vietnam’s laws, can be time-consuming and may require legal expertise (ISO, 2013).

13.5.3 Long-Term Impact


Over the long term, involving stakeholders in the IT security audit can position Wheelie Good as a leader
in cybersecurity within the bicycle parts industry, enhancing its reputation in global markets. The
collaborative approach ensures that security practices evolve with the threat landscape, maintaining
resilience as the company grows. By building trust with customers, partners, and regulators, Wheelie Good
can secure more business opportunities, such as contracts with EU clients, while shareholders’ confidence
supports further investment, driving long-term growth and success (Ciampa, 2022).

14. Justify the security plan developed giving reasons for the elements selected. (M5)
Justification for the Developed Security Plan for Wheelie Good

14.1. Discussion on Business Continuity


Business continuity refers to the strategic and tactical capability of an organization to plan for and respond
to incidents and disruptions, ensuring that critical business functions can continue with minimal impact
during and after an unexpected event (ISO, 2012). These events may include natural disasters (e.g., floods,
earthquakes), cyberattacks (e.g., ransomware, data breaches), or operational failures (e.g., server crashes,
power outages). The primary goal of business continuity is to maintain the organization’s ability to deliver
products or services, protect its reputation, and minimize financial losses, thereby preserving stakeholder
confidence, including that of customers, partners, and investors (Ciampa, 2022).

For Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global
markets, business continuity is critical to maintaining its production schedules, fulfilling customer orders,
and complying with contractual obligations, particularly with EU clients who expect timely deliveries and
strict adherence to data protection regulations like GDPR (European Union, 2016). A disruption, such as a
ransomware attack that encrypts the production management system, could halt manufacturing for days,
leading to an estimated $500,000 in lost revenue per week, based on Wheelie Good’s average weekly sales
of 10,000 units at $50 per unit (Nguyen, 2023). Additionally, a data breach exposing EU customer data
could result in GDPR fines of up to €20 million or 4% of annual global turnover, whichever is higher, as
well as reputational damage that could lead to a 20% loss of EU customers, further impacting revenue
(European Union, 2016).

Business continuity also ensures that Wheelie Good can maintain customer trust by demonstrating resilience
and reliability. For example, if a flood in Ho Chi Minh City disrupts operations, a robust business continuity
plan (BCP) allows Wheelie Good to quickly shift to a secondary production site or restore systems from
backups, ensuring that orders are fulfilled on time. This capability not only reduces financial losses but also
strengthens Wheelie Good’s reputation as a dependable supplier in the competitive bicycle parts industry,
fostering long-term customer loyalty and supporting its expansion into new markets (Ciampa, 2022).
Moreover, business continuity aligns with regulatory requirements, such as Vietnam’s Law on
Cybersecurity 2018, which mandates organizations to have measures in place to ensure operational
continuity during cyber incidents, avoiding penalties and legal repercussions (Vietnam Government, 2018).

14.2. Components of the Disaster Recovery Plan


The disaster recovery plan (DRP) is a critical subset of Wheelie Good’s broader security plan, designed to
restore IT systems and data after a disaster, ensuring business continuity. The following components, as
outlined in Task 3, are integral to the DRP, with additional elements included to enhance its effectiveness.

14.2.1 Regular Data Backups at Multiple Locations


Description: Wheelie Good implements a multi-tiered backup strategy, including daily incremental backups,
weekly full backups, and storage in multiple locations (on-site NAS device and off-site AWS S3), with all
backups encrypted using AES-256 and retained for 90 days (Ciampa, 2022).

14.2.2 Rapid System Recovery with Clear RTO & RPO


Description: The DRP defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for
critical systems. For the production management system, the RTO is 4 hours, and the RPO is 15 minutes,
while for the customer database, the RTO is 8 hours, and the RPO is 1 hour, ensuring rapid recovery with
minimal data loss.

14.2.3 Specific Role Assignments for Employees


Description: The DRP assigns specific responsibilities to employees during a disaster, such as the IT team
restoring systems, the production manager coordinating manufacturing continuity, and the customer service
team communicating with clients, ensuring a coordinated response.

14.2.4 Comprehensive Risk Assessment


Description: A risk assessment identifies potential threats, such as flooding, ransomware, and server
failures, prioritizing recovery efforts for critical assets like the production system, which is essential for
manufacturing operations (ISO, 2012).

14.2.5 Communication Plan


Description: The DRP includes a communication plan with a contact list, multiple channels (e.g., email,
Slack), notification templates, and an escalation process, ensuring clear communication with employees,
customers, and regulators during a disaster.

14.2.6 Recovery Procedures
Description: Detailed recovery procedures prioritize system restoration (e.g., production system first), use
failover systems, and validate restored systems to ensure they are free of malware, minimizing downtime
and ensuring operational integrity.

14.2.7 Testing and Maintenance


Description: The DRP is tested quarterly through simulations (e.g., ransomware attack, flood) and tabletop
exercises, with annual updates to address new threats or changes, ensuring the plan remains effective and
relevant.

14.2.8 Training and Awareness for Disaster Recovery


Description: Annual DRP training for employees and specialized training for the IT team, including hands-
on exercises and a DRP handbook, ensures that all stakeholders are prepared to execute the plan effectively
during a disaster.

14.3. Justification for the Components of the Disaster Recovery Plan


Each component of the DRP has been carefully selected to address Wheelie Good’s specific risks,
operational needs, and regulatory requirements, ensuring business continuity and minimizing the impact of
disruptions. The following subsections provide a detailed justification for each component, including the
rationale for its inclusion and its alignment with business continuity goals.

14.3.1 Regular Data Backups at Multiple Locations


• Justification: Regular data backups at multiple locations are essential to ensure that Wheelie Good can
recover critical data after a disaster, such as a ransomware attack or a flood, minimizing data loss and
downtime. Daily incremental backups capture changes made each day, reducing backup time, while
weekly full backups provide a complete restore point, ensuring that all data can be recovered. Storing
backups in multiple locations, such as an on-site NAS device for quick access and AWS S3 for off-site
redundancy, protects against localized disasters, such as a flood destroying on-site infrastructure in Ho
Chi Minh City (Ciampa, 2022). Encryption with AES-256 keeps backups confidential even if a storage
device is stolen. The 90-day retention period allows recovery from an older backup if recent ones were
silently corrupted or encrypted by ransomware that may have been present in the network for weeks
before it triggered; records with longer statutory retention, such as tax records, need a separate archiving
policy rather than this operational backup window. The off-site copy should also be immutable (S3
Object Lock or an equivalent write-once setting), since ransomware that obtains the backup credentials
would otherwise encrypt or delete the backups as well.
• Alignment with Business Continuity: This component ensures that Wheelie Good can restore its
production management system and customer database quickly after a disaster, maintaining production
schedules and order fulfillment. For example, if ransomware encrypts the production database, the
company can restore it from a secure AWS S3 backup within 4 hours, meeting the RTO and avoiding a
$500,000 weekly revenue loss (Nguyen, 2023). This capability also supports GDPR compliance by
ensuring that customer data is recoverable, avoiding fines and maintaining customer trust (European
Union, 2016).

14.3.2 Rapid System Recovery with Clear RTO & RPO


• Justification: Defining clear RTO and RPO for each critical system ensures that Wheelie Good can
recover quickly with minimal data loss, aligning recovery efforts with business priorities. The
production management system, which controls manufacturing operations, has an RTO of 4 hours and
an RPO of 15 minutes because any prolonged downtime would halt production, costing $500,000 per
week, and frequent updates to production schedules mean that losing more than 15 minutes of data
would disrupt operations (Nguyen, 2023). The customer database, with an RTO of 8 hours and an RPO
of 1 hour, can tolerate slightly longer downtime and data loss, as customer data updates are less frequent,
but rapid recovery is still necessary to maintain order fulfillment and customer satisfaction. These
objectives were determined through a business impact analysis (BIA), involving input from production,
sales, and IT teams, ensuring that they reflect Wheelie Good’s operational needs (Ciampa, 2022). Note
that daily incremental backups on their own bound the RPO at 24 hours, not 15 minutes or 1 hour:
meeting these targets additionally requires database transaction-log shipping or replication to the
failover server at least every 15 minutes for the production system and every hour for the customer
database, and the quarterly drills should measure the achieved RPO as well as the RTO.
• Alignment with Business Continuity: Clear RTO and RPO ensure that Wheelie Good can resume
operations swiftly, minimizing financial losses and maintaining customer trust. For instance, restoring
the production system within 4 hours after a server failure ensures that manufacturing continues with
minimal disruption, while recovering the customer database within 8 hours ensures that EU customer
orders are processed on time, avoiding reputational damage and supporting export operations.
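Added example covering the backup cycle in 14.3.1 and the recovery objectives in 14.3.2, written for this edit rather than taken from the report or from Veeam: a small model of the weekly-full/daily-incremental schedule that shows which backups a point-in-time restore depends on, why retention pruning must cut at a full backup rather than at the 90-day calendar date, and what worst-case RPO the schedule actually delivers. All dates, the Sunday full-backup day and the intervals are constructed assumptions.

```python
"""Added example (not from the report): backup chain, retention pruning and RPO check
for a weekly-full / daily-incremental schedule. Dates and intervals are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str  # "full" or "incr"


def schedule(start, end, full_weekday=6):
    """Weekly full on `full_weekday` (6 = Sunday), incremental on every other day."""
    out, d = [], start
    while d <= end:
        out.append(Backup(d, "full" if d.weekday() == full_weekday else "incr"))
        d += timedelta(days=1)
    return out


def restore_chain(backups, target):
    """Backups needed to restore to the latest copy on or before `target`: the last
    full backup at or before target plus every incremental taken after it."""
    usable = [b for b in backups if b.taken <= target]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before target; chain is broken")
    base = fulls[-1]
    return [base] + [b for b in usable if b.kind == "incr" and b.taken > base.taken]


def prune(backups, today, retention_days=90):
    """Apply the retention window without breaking restores. The oldest day that must
    stay restorable is today - retention; that restore needs the last full backup at or
    before that day, so the cut is made at that full, not at the calendar date.
    Deleting strictly by date would orphan the incrementals in the window's first days."""
    cutoff = today - timedelta(days=retention_days)
    anchors = [b for b in backups if b.kind == "full" and b.taken <= cutoff]
    start = anchors[-1].taken if anchors else cutoff
    return [b for b in backups if b.taken >= start]


def worst_case_rpo(backup_interval, log_ship_interval=None):
    """Maximum data loss is the time since the most recent recoverable copy. Daily
    incrementals alone bound it at 24 hours; a tighter RPO needs log shipping or
    replication at that interval in addition to the backups."""
    return log_ship_interval if log_ship_interval is not None else backup_interval


def rpo_met(target, backup_interval, log_ship_interval=None):
    return worst_case_rpo(backup_interval, log_ship_interval) <= target


def demo():
    """Run the checks on constructed dates and return plain values."""
    backups = schedule(date(2025, 1, 5), date(2025, 4, 30))   # 2025-01-05 is a Sunday
    chain = restore_chain(backups, date(2025, 1, 9))
    today = date(2025, 4, 30)
    kept = prune(backups, today)
    # Naive pruning: keep only backups dated inside the 90-day window.
    naive = [b for b in backups if b.taken >= today - timedelta(days=90)]
    try:
        restore_chain(naive, date(2025, 1, 30))
        naive_restorable = True
    except ValueError:
        naive_restorable = False
    return {
        "chain_kinds": [b.kind for b in chain],
        "chain_base": chain[0].taken.isoformat(),
        "kept_first": (kept[0].kind, kept[0].taken.isoformat()),
        "kept_restorable_at_cutoff": len(restore_chain(kept, date(2025, 1, 30))),
        "naive_restorable_at_cutoff": naive_restorable,
        "rpo_15min_daily_incr": rpo_met(timedelta(minutes=15), timedelta(days=1)),
        "rpo_15min_log_shipping": rpo_met(timedelta(minutes=15), timedelta(days=1), timedelta(minutes=15)),
        "rpo_1h_daily_incr": rpo_met(timedelta(hours=1), timedelta(days=1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive-pruning case is the one to watch in a real retention job: the calendar cutoff lands on a Thursday, so the incrementals from that week survive while the Sunday full they depend on is deleted, and the oldest retained days are unrestorable even though the backups exist.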

14.3.3 Specific Role Assignments for Employees


• Justification: Assigning specific roles to employees during a disaster ensures a coordinated and
efficient response, reducing confusion and delays. The IT team is responsible for restoring systems,
using tools like Veeam to recover the production database, while the production manager coordinates
manufacturing continuity, such as shifting to manual processes if needed. The customer service team
communicates with clients, using pre-prepared templates to inform affected EU customers of a data
breach without undue delay, as GDPR Article 34 requires where the breach poses a high risk to them;
the 72-hour deadline in Article 33 applies to notifying the supervisory authority (European Union, 2016).
Clear role assignments also ensure accountability, as each employee knows their responsibilities,
and prevent critical tasks from being overlooked, such as failing to notify regulators, which could result
in fines under Vietnam’s Law on Cybersecurity 2018 (Vietnam Government, 2018).
• Alignment with Business Continuity: Role assignments enable Wheelie Good to respond effectively
to a disaster, ensuring that all aspects of recovery are addressed. For example, during a ransomware
attack, the IT team’s rapid restoration of systems, combined with the customer service team’s timely
communication, ensures that production resumes and customers are informed, maintaining operational
continuity and trust.

14.3.4 Comprehensive Risk Assessment


• Justification: A comprehensive risk assessment is critical to identify and prioritize potential threats to
Wheelie Good’s operations, ensuring that the DRP focuses on the most significant risks. The assessment
identifies threats like flooding, which is common in Ho Chi Minh City and could disrupt production for
weeks, costing $500,000 in lost revenue, and ransomware, which is prevalent in the manufacturing
sector, with 30% of attacks targeting this industry (Nguyen, 2023). It also evaluates vulnerabilities, such
as outdated software on servers, and impacts, such as a data breach leading to GDPR fines. By using a
risk matrix to prioritize risks based on likelihood and impact, Wheelie Good can focus recovery efforts
on critical assets, such as the production system, which is essential for manufacturing operations (ISO,
2012).
• Alignment with Business Continuity: The risk assessment ensures that Wheelie Good is prepared for
high-priority threats, such as ransomware, by prioritizing the recovery of the production system,
minimizing downtime and financial losses. It also supports compliance by addressing risks that could
lead to regulatory violations, such as a data breach, ensuring that the company maintains its export
operations to the EU.

14.3.5 Communication Plan


• Justification: A communication plan is essential to ensure clear and timely communication during a
disaster, keeping all stakeholders informed and coordinated. The contact list ensures that key personnel,
such as the IT manager and customer service team, can be reached quickly, while multiple channels
(e.g., email, Slack) ensure accessibility if one channel fails, such as during a power outage. Notification
templates allow Wheelie Good to notify the relevant EU supervisory authority of a data breach within 72
hours, as GDPR Article 33 requires, and affected customers without undue delay (Article 34), while the
escalation process ensures that senior management and regulators, such as the Ministry of Information
and Communications, are notified promptly, avoiding penalties (European Union, 2016; Vietnam
Government, 2018). Regular updates maintain transparency, reducing customer anxiety and preserving
trust during a crisis (Ciampa, 2022).
• Alignment with Business Continuity: The communication plan ensures that Wheelie Good can
coordinate effectively during a disaster, such as a ransomware attack, by notifying employees to avoid
affected systems, informing customers of the incident, and reporting to regulators within the required
timeframe, minimizing reputational damage and maintaining operational continuity.

14.3.6 Recovery Procedures


• Justification: Detailed recovery procedures ensure a structured and efficient recovery process,
minimizing downtime and ensuring operational integrity. Prioritizing the production system (RTO: 4
hours) ensures that manufacturing resumes quickly, while using failover systems, such as a secondary
server in a different location, maintains operations during recovery, reducing financial losses. Validation
of restored systems, such as checking for malware and confirming that the chosen restore point predates
the initial intrusion, ensures that the environment is secure before resuming operations; restoring a
backup taken after the attacker gained access simply reinstates their foothold. Documenting procedures
in a runbook, including commands for restoring backups and validation checklists, ensures consistency
and speed, especially under pressure during a disaster (Ciampa, 2022).
• Alignment with Business Continuity: Recovery procedures enable Wheelie Good to restore critical
systems rapidly, such as recovering the production system within 4 hours after a ransomware attack,
ensuring that manufacturing continues with minimal disruption. This supports customer trust by
ensuring that orders are fulfilled on time, maintaining Wheelie Good’s reputation as a reliable supplier.

14.3.7 Testing and Maintenance


• Justification: Regular testing and maintenance of the DRP ensure that it remains effective and capable
of addressing new threats and changes in the business environment. Quarterly simulations, such as a
ransomware attack or flood, test the IT team’s ability to restore systems within RTOs, while tabletop
exercises identify gaps in the plan, such as outdated contact lists. Annual updates incorporate lessons
learned, such as adding new threats like zero-day exploits, and changes, such as adopting a new
production system, ensuring that the DRP remains relevant. This proactive approach prevents the plan
from becoming obsolete, ensuring that Wheelie Good is prepared for real-world scenarios (ISO, 2012).
• Alignment with Business Continuity: Testing and maintenance ensure that Wheelie Good can execute
the DRP effectively during a disaster, such as recovering from a flood within 4 hours, minimizing
downtime and financial losses. This preparedness supports customer confidence by demonstrating that
the company can handle disruptions, maintaining its export operations to the EU.

14.3.8 Training and Awareness for Disaster Recovery


• Justification: Training and awareness ensure that all employees and the IT team are prepared to execute
the DRP effectively, reducing errors and delays during a disaster. Annual training for employees covers
their roles, such as reporting incidents to the IT team, while specialized training for the IT team includes
hands-on exercises, such as restoring a test system from backups, building practical skills. The DRP
handbook provides quick access to key procedures and contact details, ensuring that employees can act
swiftly under pressure. This preparation ensures that all stakeholders understand their responsibilities,
preventing critical tasks, such as system restoration, from being delayed due to lack of knowledge
(Ciampa, 2022).
• Alignment with Business Continuity: DRP training ensures that Wheelie Good can respond effectively
to a disaster, such as a ransomware attack, with the IT team restoring systems within 4 hours and
employees following communication protocols, minimizing downtime and maintaining customer trust
by ensuring rapid recovery.

14.4. Justification for the Steps in the Disaster Recovery Process


The disaster recovery process, as outlined in Task 3, includes several key steps that were selected to ensure
a systematic and effective recovery, aligning with Wheelie Good’s business continuity goals. The following
subsections justify each step, explaining why it was chosen and how it contributes to minimizing
disruptions.

14.4.1 Risk Assessment to Prioritize Recovery of Critical Assets


• Justification: The risk assessment step was chosen to identify and prioritize potential threats, ensuring
that recovery efforts focus on the most critical assets, such as the production management system, which
is essential for manufacturing operations. By identifying threats like flooding and ransomware, and
evaluating their likelihood and impact (e.g., $500,000 weekly loss from production downtime), Wheelie
Good can allocate resources effectively, such as prioritizing backups and failover systems for the
production system over less critical systems like the HR database (Nguyen, 2023). This step also ensures
compliance with ISO 22301, which requires a risk-based approach to business continuity, and Vietnam’s
Law on Cybersecurity 2018, which mandates preparedness for cyber incidents (ISO, 2012; Vietnam
Government, 2018).
• Alignment with Business Continuity: Prioritizing critical assets ensures that Wheelie Good can resume
manufacturing quickly after a disaster, minimizing financial losses and maintaining customer trust by
fulfilling orders on time, supporting its export operations to the EU.

14.4.2 Establish Recovery Objectives to Minimize Downtime
• Justification: Establishing RTO and RPO was chosen to set clear targets for recovery, ensuring that
downtime and data loss are minimized to acceptable levels. The production system’s RTO of 4 hours
and RPO of 15 minutes were selected because any longer downtime would halt manufacturing, costing
$500,000 per week, and losing more than 15 minutes of data would disrupt production schedules, which
are updated frequently (Nguyen, 2023). The customer database’s RTO of 8 hours and RPO of 1 hour
were chosen because customer data updates are less frequent, but rapid recovery is still necessary to
maintain order fulfillment. These targets were determined through a BIA, ensuring that they align with
Wheelie Good’s operational needs and customer expectations (Ciampa, 2022).
• Alignment with Business Continuity: Clear recovery objectives ensure that Wheelie Good can restore
critical systems swiftly, such as recovering the production system within 4 hours, minimizing financial
losses and maintaining customer trust by ensuring that orders are processed on time, supporting its global
operations.

14.4.3 Implement Automated Data Backups to Ensure Data Integrity


• Justification: Automated data backups were chosen to ensure that Wheelie Good’s data is consistently
backed up without relying on manual processes, which are prone to human error and delays. Automation
with tools like Veeam ensures that daily incremental and weekly full backups are performed reliably,
capturing all changes to critical systems like the production database. Encryption with AES-256 protects
backup confidentiality, ensuring that data remains unreadable if accessed by unauthorized parties, such
as during a theft of a backup device; integrity is a separate property, established by checksums or a
keyed hash recorded at backup time and checked on restore. Multiple storage locations (on-site NAS and
AWS S3) ensure that backups are available even if one location is compromised, such as during a flood,
while monthly restore testing against those checksums verifies that backups are usable, preventing data
loss due to corruption (Ciampa, 2022).
• Alignment with Business Continuity: Automated backups ensure that Wheelie Good can recover data
quickly after a disaster, such as restoring the production database within 4 hours after a ransomware
attack, maintaining production schedules and customer trust by ensuring data availability, and
supporting GDPR compliance by protecting customer data (European Union, 2016).
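Added example for the monthly restore test in 14.4.3, written for this edit and not part of the report or of Veeam: encryption says nothing about whether a restored backup is intact, so this records a SHA-256 per file plus an HMAC over the manifest, keyed with a secret that would be held outside the backup set, and then verifies a restored copy against it. The file contents, the key and the simulated corruption are constructed for the demonstration.

```python
"""Added example (not from the report): integrity manifest for backup restore tests.
Files, key and the simulated corruption are constructed inside a temp directory."""
import hashlib
import hmac
import json
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Hash every file under root and sign the hash list with an HMAC so that an
    attacker who can rewrite the backup cannot also rewrite the expected hashes."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            entries[os.path.relpath(p, root)] = file_sha256(p)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(root, manifest, key):
    """Return (ok, problems). Checks the manifest itself first, then that every
    listed file is present with the recorded hash and nothing extra appeared."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch (manifest altered or wrong key)"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            problems.append(f"missing: {rel}")
        elif file_sha256(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    present = {os.path.relpath(os.path.join(d, f), root)
               for d, _, fs in os.walk(root) for f in fs}
    for extra in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected file: {extra}")
    return not problems, problems


def demo():
    """Constructed restore test: clean copy passes, a silently corrupted copy fails."""
    key = b"constructed-demo-key-held-outside-the-backup-set"   # assumption
    sample = {"orders.csv": b"id,sku,qty\n1,BB-30,200\n",      # constructed data
              "schedule.json": b'{"shift": "A"}'}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in sample.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src, key)
        # simulate the restore: byte-for-byte copy into the restore target
        for name in sample:
            with open(os.path.join(src, name), "rb") as i, \
                 open(os.path.join(dst, name), "wb") as o:
                o.write(i.read())
        clean_ok, _ = verify_restore(dst, manifest, key)
        # simulate silent corruption of one restored file (e.g. a partial encryption)
        with open(os.path.join(dst, "orders.csv"), "ab") as f:
            f.write(b"\x00garbage")
        corrupt_ok, problems = verify_restore(dst, manifest, key)
    return clean_ok, corrupt_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest and its key must live outside the backup set they describe; if both are stored next to the backups, whoever can alter the backups can regenerate a matching manifest and the check proves nothing.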

14.4.4 Test and Update the Plan Regularly to Ensure Long-Term Effectiveness
• Justification: Regular testing and updating of the DRP were chosen to ensure that the plan remains
effective over time, capable of addressing new threats and changes in Wheelie Good’s environment.
Quarterly simulations, such as a ransomware attack, test the IT team’s ability to meet RTOs, while
tabletop exercises identify gaps, such as outdated contact lists, which could delay communication during
a disaster. Annual updates incorporate new threats, such as zero-day exploits, and changes, such as
adopting a new production system, ensuring that the DRP remains relevant. This step aligns with ISO
22301, which requires continuous improvement of business continuity plans, and ensures that Wheelie
Good is prepared for real-world scenarios, reducing the risk of failure during a disaster (ISO, 2012).
• Alignment with Business Continuity: Regular testing and updates ensure that Wheelie Good can execute
the DRP effectively, such as recovering from a flood within 4 hours, minimizing downtime and financial
losses. This preparedness supports customer confidence by demonstrating resilience, maintaining
Wheelie Good’s reputation as a reliable supplier in global markets.

14.5. Additional Justifications for the Security Plan
Beyond the DRP, the broader security plan (as developed in Task 3) includes policies like the Acceptable
Use Policy (AUP), Access Control Policy, and Employee Training and Awareness Policy, which were
chosen to address Wheelie Good’s specific risks and compliance needs.

14.5.1 Acceptable Use Policy (AUP)


• Justification: The AUP was included to regulate the use of IT resources, such as email and internet
access, preventing misuse that could lead to security risks, such as malware infections from unauthorized
software downloads. For example, prohibiting personal email use on company devices reduces the risk
of phishing attacks, which are prevalent in Vietnam, with 25% of employees in the manufacturing sector
falling victim annually (Nguyen, 2023). The AUP also ensures compliance with Vietnam’s Law on
Cybersecurity 2018 by preventing illegal activities, such as accessing prohibited websites, avoiding
penalties (Vietnam Government, 2018).
• Alignment with Business Continuity: The AUP supports business continuity by reducing the risk of
malware disrupting operations, ensuring that Wheelie Good’s systems remain operational and
production schedules are maintained, supporting customer trust and export operations.

14.5.2 Access Control Policy


• Justification: The Access Control Policy was chosen to restrict access to sensitive data, such as the
customer database, to authorized personnel only, using role-based access control (RBAC) and 2FA. This
prevents unauthorized access, such as a production employee accessing EU customer data, which could
lead to a data breach and GDPR fines of up to €20 million (European Union, 2016). The policy also
includes biometric access controls for the server room, protecting physical infrastructure from
unauthorized entry and tampering; since Vietnam’s humid climate also makes overheating a realistic
cause of server failure, the server room controls should be paired with environmental monitoring
(Ciampa, 2022).
• Alignment with Business Continuity: By preventing unauthorized access, the Access Control Policy
ensures that Wheelie Good’s systems and data remain secure, avoiding disruptions from breaches or
physical damage, maintaining production continuity and customer trust.

14.5.3 Employee Training and Awareness Policy


• Justification: The Employee Training and Awareness Policy was included to reduce human-related risks,
such as phishing, which accounts for 70% of breaches in the manufacturing sector (Nguyen, 2023).
Monthly training sessions using KnowBe4 and simulated phishing campaigns educate employees on
recognizing threats, reducing the click-through rate on phishing emails from 20% to 5%, while rewards
for reporting incidents encourage vigilance. This policy also ensures compliance with GDPR’s
requirement for staff training on data protection (Article 39) (European Union, 2016).
• Alignment with Business Continuity: By reducing human errors, the training policy prevents breaches
that could disrupt operations, such as a phishing attack introducing ransomware, ensuring that Wheelie
Good can continue manufacturing and fulfilling orders, maintaining customer trust and operational
continuity.
14.6. Benefits, Challenges, and Long-Term Impact
The developed security plan, including the DRP, offers significant benefits for Wheelie Good, but it also
comes with challenges that the company must address to ensure successful implementation.

14.6.1 Benefits
The security plan ensures business continuity by enabling Wheelie Good to recover quickly from disasters,
minimizing downtime and financial losses, such as avoiding a $500,000 weekly loss from production delays
(Nguyen, 2023). It supports compliance with regulations like GDPR and Vietnam’s laws, avoiding fines
and maintaining export operations to the EU. The plan also enhances customer trust by demonstrating
resilience and data protection, fostering loyalty and supporting growth in global markets. Additionally, it
reduces human-related risks through training, ensuring that employees are prepared to handle threats, and
strengthens overall security through policies like access control and encryption (Ciampa, 2022).

14.6.2 Challenges
Implementing the security plan can be resource-intensive, requiring investments in tools like Veeam and
AWS S3, and training programs like KnowBe4, which may strain Wheelie Good’s budget. Employee
resistance to new measures, such as 2FA or regular training, may also pose a challenge, requiring effective
communication to highlight the benefits. Maintaining the DRP through regular testing and updates can be
time-consuming, especially during peak production periods, requiring careful scheduling to avoid
disruptions (ISO, 2012).

14.6.3 Long-Term Impact


Over the long term, the security plan positions Wheelie Good as a leader in cybersecurity within the bicycle
parts industry, enhancing its reputation in privacy-conscious markets like the EU. It ensures that the
company’s security practices evolve with the threat landscape, maintaining resilience as it grows, while the
DRP ensures business continuity, even in the face of major disruptions. By prioritizing security, Wheelie
Good can build a reputation as a trusted and reliable partner, leading to increased customer loyalty, market
share, and business opportunities (Ciampa, 2022).

15. Recommend how IT security can be aligned with an organisational policy, detailing the
security impact of any misalignment. (D2)
Recommendation: Aligning IT Security with Organizational Policy for Wheelie Good

Aligning IT security with organizational policy is critical to ensuring that security practices support the
broader goals, values, and operational needs of the organization while protecting its information assets from
threats. Organizational policy provides a high-level framework that defines the company’s objectives,
compliance requirements, and operational guidelines, while IT security ensures the confidentiality, integrity,
and availability of data and systems—commonly referred to as the CIA Triad (Ciampa, 2022). For Wheelie
Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global markets, this
alignment is essential to safeguard sensitive data (e.g., customer information, proprietary designs), maintain
production continuity, and comply with regulations like the General Data Protection Regulation (GDPR)
and Vietnam’s Law on Cybersecurity 2018 (European Union, 2016; Vietnam Government, 2018).
Misalignment between IT security and organizational policy can lead to vulnerabilities, compliance failures,
and operational disruptions, undermining Wheelie Good’s reputation and financial stability.

This section recommends strategies for aligning IT security with Wheelie Good’s organizational policy,
focusing on integrating security into policy development, ensuring compliance, fostering a security culture,
and maintaining continuous improvement. It also details the security impact of misalignment, highlighting
specific risks and their consequences for Wheelie Good’s operations, compliance, and stakeholder trust.

15.2. Recommendations for Aligning IT Security with Organizational Policy


The following recommendations outline a systematic approach to align IT security with Wheelie Good’s
organizational policy, ensuring that security practices support the company’s strategic objectives while
mitigating risks.

15.2.1 Integrate IT Security into Policy Development


**Recommendation:** Wheelie Good should integrate IT security considerations into the development and
review of its organizational policies, ensuring that security is a core component of all strategic and
operational guidelines. This involves including the IT security team in policy development meetings, such
as those for the company’s Acceptable Use Policy (AUP), Access Control Policy, and Incident Management
Policy, to ensure that security requirements are embedded from the outset (Ciampa, 2022).

**Implementation:** The IT security team should collaborate with senior management, HR, and legal
departments to draft policies that address security risks specific to Wheelie Good’s operations. For example,
the AUP should prohibit the use of personal devices for work to prevent data leaks, aligning with the
organizational goal of protecting customer data under GDPR (European Union, 2016). The Access Control
Policy should mandate role-based access control (RBAC) and two-factor authentication (2FA) to restrict
access to the production management system, supporting the organizational objective of maintaining
production continuity. Regular policy reviews, conducted annually or after significant changes (e.g.,
adopting a new system), should involve the IT security team to ensure that policies remain aligned with the
evolving threat landscape, such as addressing new phishing techniques prevalent in Vietnam (Nguyen,
2023).

**Benefit:** Integrating IT security into policy development ensures that security practices are proactive
and aligned with organizational goals, reducing the risk of vulnerabilities and supporting compliance with
regulations like GDPR and Vietnam’s Personal Data Protection Decree 2023 (Vietnam Government, 2023).

15.2.2 Align IT Security with Compliance Requirements


**Recommendation:** Wheelie Good should ensure that its IT security practices align with the compliance
requirements outlined in its organizational policy, such as adherence to GDPR, Vietnam’s Law on
Cybersecurity 2018, and ISO/IEC 27001 standards (ISO, 2013). This involves mapping IT security controls
to specific regulatory and policy requirements, ensuring that all legal and industry obligations are met.

**Implementation:** The IT security team should create a compliance matrix that maps organizational
policy requirements to IT security controls. For example, GDPR’s Article 32 (security of processing)
requires encryption and access controls, so Wheelie Good should implement AES-256 encryption for
customer data and RBAC using Microsoft Active Directory to restrict access to authorized personnel only
(European Union, 2016). Vietnam’s Law on Cybersecurity 2018 mandates breach reporting within 72 hours,
so the IT team should deploy a Security Information and Event Management (SIEM) system like Splunk to
detect incidents and automate notifications to the Ministry of Information and Communications (Vietnam
Government, 2018). Regular audits, conducted annually, should verify that IT security practices meet these
requirements, with findings reported to senior management for action (Ciampa, 2022).
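
One way to keep such a compliance matrix machine-checkable, as an added example (not code from the report or from any of the tools it names): each requirement is mapped to the control ids meant to satisfy it, and the audit step lists every requirement whose mapped controls are missing, not implemented, or never verified. The requirement ids, control names and dates are constructed assumptions, not Wheelie Good’s real inventory.

```python
"""Compliance matrix check (added example, not part of the original report).

Maps each policy or regulatory requirement to the security controls that
satisfy it and reports requirements that are not covered by a control that is
both implemented and verified. Requirement ids, control names and statuses
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    implemented: bool
    last_verified: Optional[str] = None   # ISO date of the last audit check, None if never


@dataclass
class Requirement:
    source: str                                          # e.g. "GDPR Art. 32"
    text: str
    controls: List[str] = field(default_factory=list)    # ids of controls meant to satisfy it


def coverage_report(requirements: List[Requirement],
                    controls: Dict[str, Control]
                    ) -> Tuple[List[Requirement], List[Tuple[Requirement, str]]]:
    """Return (covered, gaps). A requirement counts as covered only when at
    least one mapped control exists, is implemented and has been verified."""
    covered, gaps = [], []
    for req in requirements:
        if not req.controls:
            gaps.append((req, "no control mapped"))
            continue
        satisfied = [
            cid for cid in req.controls
            if cid in controls and controls[cid].implemented and controls[cid].last_verified
        ]
        if satisfied:
            covered.append(req)
        else:
            gaps.append((req, "mapped control missing, not implemented or never verified"))
    return covered, gaps


# Constructed sample inventory (assumed values, not Wheelie Good's real systems).
SAMPLE_CONTROLS: Dict[str, Control] = {
    "aes256_at_rest": Control("AES-256 encryption of customer data at rest", True, "2025-03-01"),
    "rbac_ad": Control("Role-based access control via Active Directory", True, "2025-03-01"),
    "siem_alerts": Control("SIEM breach detection and notification", True, None),  # deployed, never audited
    "vendor_audit": Control("Annual third-party vendor audit", False),
}

SAMPLE_REQUIREMENTS: List[Requirement] = [
    Requirement("GDPR Art. 32", "Encryption and access control for personal data",
                ["aes256_at_rest", "rbac_ad"]),
    Requirement("VN Cybersecurity Law 2018", "Breach notification within 72 hours", ["siem_alerts"]),
    Requirement("Policy: supply chain security", "Annual audits of logistics vendors", ["vendor_audit"]),
    Requirement("Policy: AUP", "No personal devices for work data", []),
]


def gap_sources(requirements=SAMPLE_REQUIREMENTS, controls=SAMPLE_CONTROLS) -> List[str]:
    """Requirement ids that the next audit should report to senior management."""
    _, gaps = coverage_report(requirements, controls)
    return [req.source for req, _ in gaps]


if __name__ == "__main__":
    covered, gaps = coverage_report(SAMPLE_REQUIREMENTS, SAMPLE_CONTROLS)
    for req in covered:
        print(f"COVERED  {req.source}: {req.text}")
    for req, reason in gaps:
        print(f"GAP      {req.source}: {req.text} ({reason})")
```

The point of the `last_verified` field is that a control which has been deployed but never audited is treated as a gap, which is what an annual audit is meant to surface.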

**Benefit:** Aligning IT security with compliance requirements ensures that Wheelie Good avoids fines,
such as GDPR penalties of up to 4% of annual global revenue, and maintains its ability to operate in global
markets, supporting the organizational goal of international expansion.

15.2.3 Foster a Security Culture Through Policy Enforcement


**Recommendation:** Wheelie Good should foster a security culture by enforcing its organizational
policies through employee training, awareness programs, and accountability measures, ensuring that IT
security practices are consistently applied across the organization. This aligns with the organizational goal
of building a resilient workforce capable of mitigating human-related risks (Ciampa, 2022).

**Implementation:** The organizational policy should mandate regular security awareness training, such
as monthly sessions using KnowBe4 to educate employees on phishing, password management, and data
handling best practices. For example, training should teach employees to recognize phishing emails,
reducing the click-through rate from 20% to 5%, as phishing accounts for 70% of breaches in the
manufacturing sector (Nguyen, 2023). The policy should also include accountability measures, such as
disciplinary actions for non-compliance (e.g., a written warning for failing to use 2FA), and rewards for
proactive behavior, such as small bonuses for reporting phishing attempts. Senior management should lead
by example, participating in training and emphasizing the importance of security in company-wide
communications, reinforcing the policy’s priority (ISO, 2013).

**Benefit:** A security culture ensures that employees adhere to IT security practices, reducing human
errors that could lead to breaches, and supports the organizational goal of maintaining operational continuity
by minimizing disruptions caused by employee negligence.

15.2.4 Implement Security Controls to Support Operational Goals


**Recommendation:** Wheelie Good should implement IT security controls that directly support the
operational goals outlined in its organizational policy, such as maintaining production continuity, protecting
customer data, and ensuring supply chain security. This ensures that security measures enhance, rather than
hinder, business operations (Ciampa, 2022).

**Implementation:** The organizational policy prioritizes production continuity, so the IT security team
should deploy a next-generation firewall like Cisco Firepower to protect the production management system
from ransomware, which could halt manufacturing and cost $500,000 per week in lost revenue (Nguyen,
2023). To protect customer data, as required by the policy’s GDPR compliance goal, the IT team should
implement AES-256 encryption for data at rest and TLS 1.3 for data in transit, ensuring that EU customer
information is secure. For supply chain security, the policy should mandate annual audits of third-party
vendors, such as logistics providers, to ensure they use secure data transfer protocols like TLS 1.3,
preventing supply chain attacks that could disrupt delivery schedules (ISO, 2013).

**Benefit:** Security controls that support operational goals ensure that Wheelie Good can maintain
production schedules, protect customer data, and secure its supply chain, aligning IT security with the
organizational policy’s focus on operational excellence and customer trust.

15.2.5 Establish a Governance Framework for Continuous Alignment


**Recommendation:** Wheelie Good should establish a governance framework to ensure continuous
alignment between IT security and organizational policy, involving regular monitoring, reporting, and
updates to both security practices and policies. This framework ensures that alignment is maintained as the
organization and threat landscape evolve (Ciampa, 2022).

**Implementation:** The governance framework should include a cybersecurity committee, comprising
senior management, the IT security team, and legal representatives, meeting quarterly to review alignment.
The committee should monitor key metrics, such as the number of reported incidents, the click-through rate
on phishing tests (target: below 5%), and the percentage of systems with up-to-date patches (target: 100%),
using tools like Splunk for real-time insights. Annual IT security audits should assess alignment, identifying
gaps, such as outdated policies that do not address new threats like zero-day exploits, and recommend
updates, such as adding zero-trust architecture to the Access Control Policy. The committee should also
ensure that policies are updated after significant changes, such as new regulations or security incidents, to
maintain alignment (ISO, 2013).

**Benefit:** A governance framework ensures that IT security remains aligned with organizational policy
over time, supporting Wheelie Good’s long-term goals of resilience, compliance, and growth by addressing
emerging risks and regulatory changes.

15.3. Security Impact of Misalignment


Misalignment between IT security and organizational policy can have severe consequences for Wheelie
Good, leading to vulnerabilities, compliance failures, operational disruptions, and reputational damage. The
following subsections detail the specific security impacts, with examples and potential consequences.

15.3.1 Increased Vulnerability to Cyber Threats


**Impact:** If IT security practices are not aligned with organizational policy, Wheelie Good may fail to
implement necessary controls, increasing its vulnerability to cyber threats. For example, if the organizational
policy prioritizes production continuity but the IT security team does not deploy adequate protections, such
as a next-generation firewall, the production management system could be targeted by ransomware. A
ransomware attack could encrypt the system, halting manufacturing for days and costing $500,000 per week
in lost revenue, as well as $50,000 in ransom payments and recovery costs (Nguyen, 2023).

**Consequence:** This misalignment undermines the organizational goal of maintaining production
continuity, leading to financial losses, delayed customer orders, and reputational damage, particularly with
EU clients who expect timely deliveries. It also increases the risk of supply chain disruptions if production
delays affect delivery schedules, potentially losing key partners.

15.3.2 Non-Compliance with Regulatory Requirements


**Impact:** Misalignment can result in non-compliance with regulatory requirements outlined in the
organizational policy, such as GDPR and Vietnam’s Law on Cybersecurity 2018. For instance, if the policy
mandates GDPR compliance but the IT security team does not implement encryption for customer data, a
data breach could expose EU customer information, leading to fines of up to 4% of annual global revenue
or €20 million (European Union, 2016). Similarly, if the IT team fails to deploy a SIEM system to detect
breaches within 72 hours, as required by Vietnam’s law, Wheelie Good could face fines of up to 5% of
annual revenue (Vietnam Government, 2018).

**Consequence:** Non-compliance results in significant financial penalties, legal actions, and loss of
market access, particularly in the EU, where GDPR compliance is mandatory for export operations. It also
damages Wheelie Good’s reputation, leading to a potential 20% loss of EU customers, further impacting
revenue (Nguyen, 2023).

15.3.3 Operational Disruptions Due to Policy Conflicts


**Impact:** Misalignment can create conflicts between IT security practices and organizational policy,
leading to operational disruptions. For example, if the organizational policy allows employees to use
personal devices for work to increase flexibility, but the IT security team prohibits this to prevent data leaks,
employees may bypass security controls, such as using unencrypted personal devices to access the customer
database. This could result in a data breach, exposing customer data and disrupting operations as the
company responds to the incident, with recovery costs estimated at $100,000, including legal fees and
system downtime (Ciampa, 2022).

**Consequence:** Operational disruptions from such conflicts delay production and order fulfillment,
eroding customer trust and potentially leading to contract cancellations. The breach also triggers regulatory
investigations, further straining resources and damaging Wheelie Good’s reputation in global markets.

15.3.4 Increased Human-Related Risks


**Impact:** If the organizational policy does not mandate security awareness training, but the IT security
team identifies phishing as a major risk, employees may not be equipped to recognize threats, increasing
human-related risks. For example, without training, 20% of employees might click on phishing emails,
introducing malware that disrupts the production system for 48 hours, costing $142,000 in lost revenue
(based on $500,000 per week) (Nguyen, 2023). This misalignment fails to address the organizational goal
of building a resilient workforce.

**Consequence:** Increased human-related risks lead to frequent disruptions, financial losses, and
reputational damage, as customers lose confidence in Wheelie Good’s ability to protect their data and deliver
on time. It also strains the IT team, diverting resources from strategic initiatives to incident response.

15.3.5 Loss of Stakeholder Trust and Competitive Advantage

**Impact:** Misalignment can erode stakeholder trust and competitive advantage, particularly in privacy-
conscious markets like the EU. For instance, if the organizational policy emphasizes customer trust but IT
security fails to implement GDPR-mandated controls, such as encryption and breach notification, a data
breach could expose EU customer data, leading to a 20% loss of customers and negative media coverage
(Nguyen, 2023). Competitors with stronger security practices could capture Wheelie Good’s market share,
particularly if they achieve ISO/IEC 27001 certification, which Wheelie Good fails to pursue due to
misalignment (ISO, 2013).

**Consequence:** Loss of stakeholder trust damages Wheelie Good’s reputation, reducing its competitive
advantage and market share in the bicycle parts industry. It also discourages investment from shareholders,
limiting the company’s ability to fund growth initiatives, such as expanding into new markets.

15.4. Mitigation Strategies for Misalignment


To address the risks of misalignment, Wheelie Good should implement the following mitigation strategies,
ensuring that IT security and organizational policy remain aligned.

15.4.1 Conduct Regular Alignment Reviews


**Strategy:** Wheelie Good should conduct quarterly alignment reviews through the cybersecurity
committee, assessing whether IT security practices meet policy requirements. For example, the committee
should verify that encryption is applied to customer data, as mandated by the policy’s GDPR compliance
goal, using tools like Nessus to scan for unencrypted data (Ciampa, 2022).

**Benefit:** Regular reviews identify and address misalignment early, preventing vulnerabilities and
compliance failures, and ensuring that security supports organizational goals.

15.4.2 Provide Cross-Functional Training


**Strategy:** The company should provide cross-functional training for IT, HR, and legal teams on both
organizational policy and IT security practices, ensuring mutual understanding. For example, the legal team
should be trained on GDPR’s technical requirements, such as encryption, while the IT team should
understand the policy’s focus on production continuity, ensuring that security measures do not disrupt
operations (ISO, 2013).

**Benefit:** Cross-functional training ensures that all teams work toward the same goals, reducing conflicts
and enhancing alignment between IT security and policy.

15.4.3 Use Metrics to Monitor Alignment


**Strategy:** Wheelie Good should use metrics to monitor alignment, such as the percentage of systems
compliant with policy requirements (target: 100%) and the number of policy violations detected by Splunk
(target: zero). These metrics should be reviewed monthly by the cybersecurity committee, with corrective
actions taken for any deviations, such as updating the AUP to address new risks (Ciampa, 2022).

**Benefit:** Metrics provide a quantitative measure of alignment, enabling Wheelie Good to identify and
address gaps proactively, minimizing security risks.
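
The metrics named in 15.2.5 and 15.4.3 (phishing click-through rate, patch coverage, policy violations) can be computed and compared with their targets in a few lines. The following is an added example, not code from the report or from Splunk; the hostnames and monthly figures are constructed assumptions.

```python
"""Alignment metrics check (added example, not from the original report).

Computes the three metrics the text names for the cybersecurity committee,
phishing click-through rate, patch coverage and policy violations, from
constructed sample records and compares them with the stated targets.
The sample hostnames and numbers are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PatchStatus:
    hostname: str
    missing_critical_patches: int


@dataclass
class PhishingCampaign:
    emails_sent: int
    links_clicked: int


def phishing_click_rate(campaign: PhishingCampaign) -> float:
    """Fraction of simulated phishing emails whose link was clicked."""
    if campaign.emails_sent <= 0:
        raise ValueError("campaign sent no emails")
    return campaign.links_clicked / campaign.emails_sent


def patch_coverage(systems: List[PatchStatus]) -> float:
    """Fraction of systems with no missing critical patches."""
    if not systems:
        raise ValueError("no systems in inventory")
    return sum(1 for s in systems if s.missing_critical_patches == 0) / len(systems)


def unpatched_hosts(systems: List[PatchStatus]) -> List[str]:
    """Hosts that pull patch coverage below the 100% target."""
    return sorted(s.hostname for s in systems if s.missing_critical_patches > 0)


def evaluate_alignment(campaign: PhishingCampaign, systems: List[PatchStatus],
                       policy_violations: int) -> Dict[str, dict]:
    """Compare each metric with its target (click rate below 5%, 100% patched,
    zero policy violations) and report whether it is met."""
    click = phishing_click_rate(campaign)
    patched = patch_coverage(systems)
    return {
        "phishing_click_rate": {"value": click, "target": "< 0.05", "meets_target": click < 0.05},
        "patch_coverage": {"value": patched, "target": "== 1.0", "meets_target": patched == 1.0},
        "policy_violations": {"value": policy_violations, "target": "== 0",
                              "meets_target": policy_violations == 0},
    }


def failing_metrics(report: Dict[str, dict]) -> List[str]:
    """Metric names needing corrective action at the next committee meeting."""
    return sorted(name for name, r in report.items() if not r["meets_target"])


# Constructed sample data for one month (assumed values).
SAMPLE_CAMPAIGN = PhishingCampaign(emails_sent=200, links_clicked=8)
SAMPLE_SYSTEMS = [
    PatchStatus("prod-mes-01", 0),
    PatchStatus("prod-mes-02", 2),     # two critical patches outstanding
    PatchStatus("crm-db-01", 0),
    PatchStatus("file-srv-01", 0),
]
SAMPLE_VIOLATIONS = 0


def sample_report() -> Dict[str, dict]:
    return evaluate_alignment(SAMPLE_CAMPAIGN, SAMPLE_SYSTEMS, SAMPLE_VIOLATIONS)


if __name__ == "__main__":
    report = sample_report()
    for name, r in report.items():
        status = "OK" if r["meets_target"] else "ACTION"
        print(f"{name}: {r['value']} (target {r['target']}) -> {status}")
    print("hosts to patch:", unpatched_hosts(SAMPLE_SYSTEMS))
```

With the sample data the click rate (4%) meets its target while patch coverage (75%) does not, and `unpatched_hosts` names the host the committee would assign for remediation.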

15.4.4 Engage Stakeholders in Policy and Security Development


**Strategy:** Wheelie Good should engage all stakeholders, including employees, customers, and vendors,
in the development of both organizational policy and IT security practices. For example, employees should
provide feedback on the usability of 2FA, while EU customers should input their GDPR expectations,
ensuring that policies and security measures meet stakeholder needs (ISO, 2013).

**Benefit:** Stakeholder engagement ensures that policies and security practices are practical and aligned
with organizational goals, reducing resistance and enhancing effectiveness.

15.5. Benefits, Challenges, and Long-Term Impact


Aligning IT security with organizational policy offers significant benefits for Wheelie Good, but it also
comes with challenges that the company must address to ensure success.

15.5.1 Benefits
Alignment ensures that IT security supports Wheelie Good’s strategic goals, such as maintaining production
continuity and GDPR compliance, reducing vulnerabilities and financial losses. It fosters a security culture,
minimizing human-related risks, and ensures that security controls enhance operational efficiency,
supporting the company’s growth in global markets. It also builds stakeholder trust by demonstrating a
cohesive approach to security and compliance, enhancing Wheelie Good’s reputation (Ciampa, 2022).

15.5.2 Challenges
Aligning IT security with policy requires coordination across departments, which can be time-consuming
and may face resistance, such as employees opposing 2FA due to perceived inconvenience. It also requires
ongoing investment in tools, training, and audits, which may strain Wheelie Good’s budget, particularly
during peak production periods. Additionally, keeping policies and security practices updated with evolving
threats and regulations can be complex, requiring dedicated resources (ISO, 2013).

15.5.3 Long-Term Impact


Over the long term, alignment positions Wheelie Good as a leader in cybersecurity within the bicycle parts
industry, giving it a competitive edge in privacy-conscious markets like the EU. It ensures that security
practices evolve with the threat landscape, maintaining resilience as the company grows, and supports
sustained compliance, avoiding fines and legal issues. By building trust with customers, partners, and
investors, Wheelie Good can secure more business opportunities, driving long-term growth and success
(Ciampa, 2022).

16. Evaluate the suitability of the tools used in the organisational policy to meet business
needs. (D3)
Evaluation: Suitability of Tools Used in Wheelie Good’s Organizational Policy

Wheelie Good, a bicycle parts manufacturer in Ho Chi Minh City with export operations to global markets,
relies on a variety of tools to implement its organizational policy, as outlined in its security policy (Task 3),
disaster recovery plan (Task 4.1), and IT security alignment strategies (Section 15). These tools are
critical to meeting the company’s business needs, which include maintaining production continuity,
ensuring compliance with regulations such as the General Data Protection Regulation (GDPR) and
Vietnam’s Law on Cybersecurity 2018, protecting customer data, securing the supply chain, and fostering
a security-conscious culture among employees (European Union, 2016; Vietnam Government, 2018). The
tools used include Splunk for monitoring and incident detection, Nessus for vulnerability scanning, Burp
Suite for penetration testing, Veeam Backup & Replication for data backups, AWS S3 and AWS Key
Management Service (KMS) for cloud storage and encryption, Microsoft Active Directory for access
control, KnowBe4 for security awareness training, Cisco Firepower for firewall protection, and Microsoft
Authenticator for two-factor authentication (2FA).

This section evaluates the suitability of these tools in meeting Wheelie Good’s business needs, assessing
their effectiveness, alignment with organizational goals, and limitations. It also provides recommendations
for optimizing their use or adopting alternative tools to address any gaps, ensuring that the organizational
policy supports Wheelie Good’s operational and strategic objectives.

16.2. Overview of Business Needs


Wheelie Good’s business needs, derived from its organizational policy and operational context, are as
follows:

- **Production Continuity:** Ensure uninterrupted manufacturing operations, as downtime can cost
$500,000 per week in lost revenue (Nguyen, 2023).

- **Regulatory Compliance:** Comply with GDPR, Vietnam’s Law on Cybersecurity 2018, and Vietnam’s
Personal Data Protection Decree 2023, avoiding fines (e.g., GDPR fines up to 4% of annual global revenue)
and maintaining export operations to the EU (European Union, 2016; Vietnam Government, 2023).

- **Customer Data Protection:** Safeguard EU customer data to maintain trust and comply with GDPR,
preventing reputational damage and customer loss (e.g., a 20% customer loss due to a breach) (Nguyen,
2023).

- **Supply Chain Security:** Secure interactions with third-party vendors, such as logistics providers, to
prevent supply chain attacks that could disrupt delivery schedules.

- **Security Culture:** Foster a security-conscious workforce to reduce human-related risks, such as
phishing, which accounts for 70% of breaches in the manufacturing sector (Nguyen, 2023).

- **Incident Detection and Response:** Detect and respond to security incidents rapidly to minimize
impact, ensuring compliance with Vietnam’s 72-hour breach notification requirement (Vietnam
Government, 2018).

16.3. Evaluation of Tools


The following subsections evaluate each tool’s suitability in meeting Wheelie Good’s business needs,
focusing on its effectiveness, alignment, and limitations, with recommendations for improvement.

16.3.1 Splunk (Security Information and Event Management - SIEM)


**Purpose and Use:** Splunk is used for real-time monitoring, incident detection, and logging, supporting
the Incident Management Policy and disaster recovery plan (DRP) by detecting suspicious activity (e.g.,
unusual login patterns) and automating breach notifications.

**Effectiveness:** Splunk effectively meets Wheelie Good’s need for incident detection and response by
providing real-time alerts, such as detecting a brute-force attack on the production system within minutes,
enabling rapid containment. It supports compliance by logging access attempts, ensuring that breaches are
reported within 72 hours as required by Vietnam’s Law on Cybersecurity 2018 (Vietnam Government,
2018). Splunk’s dashboards also provide metrics, such as the number of policy violations, helping the
cybersecurity committee monitor alignment between IT security and organizational policy (Ciampa, 2022).
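
The brute-force detection described above comes down to counting failed logins per source address in a sliding time window. The following added example (not Splunk code and not from the report) runs that logic over constructed log lines; the log format, the usernames and the addresses (taken from documentation ranges) are assumptions.

```python
"""Brute-force login detection over constructed log lines (added example;
not Splunk code and not from the original report). Shows the logic a SIEM
rule for "unusual login patterns" applies: count failed logins per source
address in a sliding window, alert when the count reaches a threshold, and
alert again if a success follows such a burst. The log format and the
addresses (documentation ranges) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one burst from 203.0.113.5, two spaced failures from
# 198.51.100.7 (a user mistyping a password), and a normal login from 192.0.2.10.
SAMPLE_LOG = """\
2025-04-01T08:00:01Z auth: FAILED user=admin src=203.0.113.5
2025-04-01T08:00:04Z auth: FAILED user=admin src=203.0.113.5
2025-04-01T08:00:07Z auth: SUCCESS user=jdoe src=192.0.2.10
2025-04-01T08:00:09Z auth: FAILED user=admin src=203.0.113.5
2025-04-01T08:00:12Z auth: FAILED user=root src=203.0.113.5
2025-04-01T08:00:15Z auth: FAILED user=admin src=203.0.113.5
2025-04-01T08:00:18Z auth: FAILED user=admin src=203.0.113.5
2025-04-01T08:00:40Z auth: SUCCESS user=admin src=203.0.113.5
2025-04-01T08:05:00Z auth: FAILED user=jdoe src=198.51.100.7
2025-04-01T08:09:00Z auth: FAILED user=jdoe src=198.51.100.7
2025-04-01T08:09:30Z auth: SUCCESS user=jdoe src=198.51.100.7
"""


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Alert when a source reaches `threshold` failures inside `window`, and
    again when a success follows such a burst (possible credential compromise)."""
    failures: Dict[str, deque] = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                                   # sources already alerted for the current burst
    alerts: List[dict] = []
    for ev in parse(lines):
        src, q = ev["src"], failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:          # drop failures outside the window
            q.popleft()
        if not q:
            flagged.discard(src)                       # burst has aged out; allow a new alert
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "user": ev["user"],
                               "count": len(q), "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_brute_force", "src": src, "user": ev["user"],
                           "count": len(q), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type matters more than the first: a success after a burst of failures is the event that should page the on-call engineer, whereas the burst alone is routine noise on any internet-facing login. In Splunk the same counting step is a `stats count by src` over a time bucket followed by a `where count >= 5` filter.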

**Alignment with Business Needs:** Splunk aligns with the need for production continuity by detecting
threats that could disrupt operations, such as ransomware, and supports compliance by ensuring timely
breach notifications, avoiding fines. It also enhances supply chain security by monitoring vendor
interactions, such as detecting unauthorized access attempts by a logistics provider.

**Limitations:** Splunk can be resource-intensive, requiring significant storage and processing power,
which may strain Wheelie Good’s IT infrastructure, especially during peak production periods. Its
complexity also requires specialized training for the IT team, which could increase costs, estimated at $5,000
annually for training and licensing (Ciampa, 2022).

**Recommendation:** To optimize Splunk’s use, Wheelie Good should invest in cloud-based Splunk
Enterprise to reduce on-site resource demands, leveraging AWS’s scalability. The company should also
provide regular training for the IT team, such as Splunk Fundamentals courses, to ensure effective use, and
explore cost-effective licensing options, such as Splunk’s pay-as-you-go model, to manage expenses.

16.3.2 Nessus (Vulnerability Scanning)


**Purpose and Use:** Nessus is used for vulnerability scanning during IT security audits and regular
maintenance, identifying weaknesses such as unpatched software or unencrypted data, supporting the
organizational policy’s focus on proactive risk management.

**Effectiveness:** Nessus effectively identifies vulnerabilities, such as outdated Windows Server 2012 on
production systems, enabling the IT team to patch systems before they are exploited, reducing the risk of
ransomware attacks that could cost $500,000 per week (Nguyen, 2023). It supports compliance by ensuring
that systems meet GDPR’s security requirements, such as identifying unencrypted customer data, avoiding
fines (European Union, 2016).

**Alignment with Business Needs:** Nessus aligns with production continuity by preventing disruptions
from exploits, supports customer data protection by identifying vulnerabilities in the customer database, and
ensures compliance by verifying security controls, maintaining Wheelie Good’s export operations.

**Limitations:** Nessus may produce false positives, such as flagging a secure configuration as a
vulnerability, requiring manual verification by the IT team, which can be time-consuming. It also lacks real-
time monitoring, meaning vulnerabilities may emerge between scans, potentially leaving systems exposed
(Ciampa, 2022).

**Recommendation:** Wheelie Good should complement Nessus with a continuous monitoring tool, such
as Tenable.io, which provides real-time vulnerability detection, reducing the risk of exposure between scans.
The IT team should also establish a process for validating Nessus findings, such as cross-referencing with
manual tests, to minimize false positives and optimize resource use.

16.3.3 Burp Suite (Penetration Testing)


**Purpose and Use:** Burp Suite is used for penetration testing during IT security audits, testing the
company’s web application (e.g., customer order portal) for vulnerabilities like SQL injection, supporting
the policy’s focus on securing customer-facing systems.

**Effectiveness:** Burp Suite effectively identifies vulnerabilities in Wheelie Good’s web application, such
as SQL injection flaws that could expose EU customer data, enabling the IT team to remediate issues before
they are exploited, preventing breaches that could lead to a 20% customer loss (Nguyen, 2023). It supports
GDPR compliance by ensuring that customer data is secure, avoiding fines (European Union, 2016).
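
To make concrete what an SQL injection finding against the order portal looks like, here is an added example (not code from the report or from Burp Suite) with a deliberately vulnerable lookup beside its parameterized form, run against a constructed in-memory SQLite table. The table, column names and order ids are assumptions.

```python
"""SQL injection: vulnerable order lookup beside the parameterized fix
(added example, not from the original report). Uses a constructed
in-memory SQLite database; table and column names are assumptions.
"""
import re
import sqlite3
from typing import List, Tuple

ORDER_ID_RE = re.compile(r"^WG-\d{4}$")   # assumed order-id format for the portal


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the customer order table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, customer_email TEXT, total_eur REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("WG-1001", "alice@example.com", 120.0),
        ("WG-1002", "bob@example.com", 89.5),
        ("WG-1003", "carol@example.com", 349.0),
    ])
    return conn


def lookup_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the untrusted value is pasted into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT order_id, customer_email FROM orders WHERE order_id = '%s'" % order_id
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, order_id: str) -> List[Tuple[str, str]]:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL.
    Input validation is kept as a second layer so malformed ids are rejected early."""
    if not ORDER_ID_RE.match(order_id):
        return []
    sql = "SELECT order_id, customer_email FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def compare(order_id: str) -> Tuple[int, int]:
    """Row counts returned by the vulnerable and the safe lookup for one input."""
    conn = build_demo_db()
    return len(lookup_order_vulnerable(conn, order_id)), len(lookup_order_safe(conn, order_id))


if __name__ == "__main__":
    # A well-known tautology payload; both lookups receive the same string.
    print("normal id     ->", compare("WG-1001"))
    print("tautology     ->", compare("' OR '1'='1"))
```

With a valid id both functions return one row; with the tautology string the vulnerable query returns every customer email in the table, while the parameterized query returns nothing because the whole string is compared literally against `order_id`.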

**Alignment with Business Needs:** Burp Suite aligns with customer data protection by securing the web
application, supports compliance by addressing GDPR requirements, and indirectly supports production
continuity by preventing breaches that could disrupt operations through reputational damage and recovery
efforts.

**Limitations:** Burp Suite requires significant expertise to use effectively, which may strain Wheelie
Good’s IT team, particularly if they lack advanced penetration testing skills. It also focuses on web
applications, leaving other systems, such as the production management system, untested unless paired with
other tools (Ciampa, 2022).

**Recommendation:** Wheelie Good should hire an external penetration testing firm, such as a local
Vietnamese cybersecurity provider, to conduct annual tests using Burp Suite, supplementing the IT team’s
capabilities. The company should also use additional tools, such as Metasploit, to test non-web systems like
the production management system, ensuring comprehensive coverage.

16.3.4 Veeam Backup & Replication (Data Backups)

**Purpose and Use:** Veeam is used for automated data backups in the DRP, performing daily incremental
and weekly full backups of critical systems like the production database, ensuring rapid recovery after a
disaster.

**Effectiveness:** Veeam effectively supports Wheelie Good’s need for production continuity by enabling
rapid recovery, such as restoring the production database within 4 hours after a ransomware attack, meeting
the RTO and avoiding a $500,000 weekly loss (Nguyen, 2023). Its automation reduces human error,
ensuring consistent backups, and supports GDPR compliance by ensuring data availability, avoiding fines
(European Union, 2016).

**Alignment with Business Needs:** Veeam aligns with production continuity by minimizing downtime,
supports customer data protection by ensuring data recoverability, and ensures compliance by maintaining
data integrity, supporting Wheelie Good’s export operations.

**Limitations:** Veeam’s effectiveness depends on proper configuration, and misconfigurations, such as
excluding critical data, could lead to incomplete backups. It also requires regular testing to ensure backups
are usable, which can be resource-intensive, taking 2-3 hours per test (Ciampa, 2022).

**Recommendation:** Wheelie Good should establish a monthly backup testing schedule, restoring a
sample dataset to a sandbox environment to verify usability, and conduct a configuration audit to ensure all
critical data is included. The company should also explore Veeam’s cloud backup features to enhance
redundancy, leveraging AWS for off-site storage.
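
The monthly restore test recommended above needs an objective pass/fail criterion rather than "the files appear to be there". The following added example (not Veeam code and not from the report) records a SHA-256 manifest of the source data at backup time and checks a sandbox restore against it, reporting missing, corrupted and unexpected files. The directory layout and file contents are constructed.

```python
"""Restore verification against a hash manifest (added example, not Veeam's
code and not from the original report). At backup time a SHA-256 manifest of
every file is recorded; after a test restore into a sandbox the manifest is
checked so that truncated, altered or missing files are caught. The sample
directory layout and contents are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in actual)
    corrupted = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    extra = sorted(k for k in actual if k not in manifest)
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}


def demo_restore_test(simulate_failure: bool = True) -> dict:
    """Build a constructed source tree, 'restore' it into a sandbox and verify.
    With simulate_failure=True one file is truncated and one is dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "production"
        (source / "db").mkdir(parents=True)
        (source / "config").mkdir()
        (source / "db" / "orders.sqlite").write_bytes(b"constructed sample database contents")
        (source / "config" / "app.ini").write_text("[app]\nregion=HCMC\n")
        (source / "README.txt").write_text("constructed sample file\n")
        manifest = build_manifest(source)          # recorded at backup time

        sandbox = Path(tmp) / "sandbox"
        shutil.copytree(source, sandbox)            # stands in for the restore job
        if simulate_failure:
            (sandbox / "db" / "orders.sqlite").write_bytes(b"truncated")   # partial restore
            (sandbox / "config" / "app.ini").unlink()                      # excluded by misconfiguration
        return verify_restore(manifest, sandbox)


if __name__ == "__main__":
    print("clean restore :", demo_restore_test(simulate_failure=False))
    print("faulty restore:", demo_restore_test(simulate_failure=True))
```

Store the manifest separately from the backup set (for example alongside the off-site copy), so that a backup corrupted in transit cannot carry a matching corrupted manifest with it.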

16.3.5 AWS S3 and AWS Key Management Service (KMS) (Cloud Storage and Encryption)

**Purpose and Use:** AWS S3 is used for off-site data backups, while AWS KMS manages encryption
keys for AES-256 encryption, supporting the DRP and Data Encryption Policy by securing backups and
sensitive data.

**Effectiveness:** AWS S3 provides reliable off-site storage, ensuring that backups are available even if
on-site infrastructure is destroyed, such as during a flood in Ho Chi Minh City, supporting rapid recovery
within RTOs. AWS KMS ensures that encryption keys are securely managed, protecting customer data and
backups from unauthorized access, meeting GDPR’s encryption requirements (European Union, 2016).
Together, they enable Wheelie Good to recover from a ransomware attack within 4 hours, avoiding
significant losses (Ciampa, 2022).

**Alignment with Business Needs:** AWS S3 and KMS align with production continuity by ensuring data
availability, support customer data protection by securing sensitive information, and ensure compliance by
meeting GDPR and Vietnam’s Personal Data Protection Decree 2023 requirements, maintaining export
operations (Vietnam Government, 2023).

**Limitations:** AWS S3 and KMS introduce dependency on a third-party provider, which could pose
risks if AWS experiences outages or security breaches. They also incur ongoing costs, estimated at $3,000
annually for Wheelie Good’s storage needs, which may strain the budget (Ciampa, 2022).

**Recommendation:** Wheelie Good should implement a multi-cloud strategy, using a secondary provider
like Google Cloud Storage as a backup to AWS S3, reducing dependency risks. The company should also
negotiate cost-effective pricing with AWS, such as using S3 Glacier for long-term storage, to manage
expenses while maintaining security.

16.3.6 Microsoft Active Directory (Access Control)


**Purpose and Use:** Microsoft Active Directory is used to implement role-based access control (RBAC)
in the Access Control Policy, restricting access to sensitive systems like the customer database to authorized
personnel only.

**Effectiveness:** Active Directory effectively restricts access, ensuring that only the sales team can access customer data, preventing unauthorized access that could lead to a data breach and GDPR fines of up to €20 million or 4% of annual global turnover, whichever is higher (European Union, 2016). It supports compliance by logging logon and access attempts in the Windows Security event log, providing an audit trail for regulatory reviews, provided the relevant audit policies (logon events and object access) are enabled, since file and database access is not audited by default. It also enhances security by enforcing password policies through Group Policy, such as 12-character minimums (Ciampa, 2022).

**Alignment with Business Needs:** Active Directory aligns with customer data protection by securing
sensitive information, supports compliance by meeting GDPR’s access control requirements, and indirectly
supports production continuity by preventing breaches that could disrupt operations through recovery
efforts.

**Limitations:** Active Directory can be complex to manage, requiring regular updates to user roles and group memberships, which may be challenging for Wheelie Good's small IT team; stale accounts and over-broad group nesting are the usual ways RBAC drifts away from the written policy. On-premises Active Directory also has no native second factor, so it must be integrated with 2FA tools to meet modern security standards, adding complexity (Ciampa, 2022).

**Recommendation:** Wheelie Good should integrate Active Directory with Microsoft Authenticator for 2FA, for example by synchronising on-premises accounts to Microsoft Entra ID with Entra Connect so that Conditional Access can require the second factor, enhancing security without adding significant complexity. The company should also hire a part-time Active Directory administrator or train an existing IT staff member to manage roles and updates efficiently, and review group memberships on a fixed schedule, ensuring scalability as the company grows.

16.3.7 KnowBe4 (Security Awareness Training)


**Purpose and Use:** KnowBe4 is used for security awareness training and simulated phishing campaigns
in the Employee Training and Awareness Policy, educating employees on phishing, password management,
and data handling best practices.

**Effectiveness:** KnowBe4 effectively reduces human-related risks, lowering the phishing click-through
rate from 20% to 5% through monthly training and simulations, addressing the 70% of breaches caused by
phishing in the manufacturing sector (Nguyen, 2023). It fosters a security culture by rewarding employees

for reporting phishing attempts, encouraging vigilance, and supports GDPR compliance by training staff on
data protection, as required by Article 39 (European Union, 2016).

**Alignment with Business Needs:** KnowBe4 aligns with the need for a security culture by educating
employees, supports customer data protection by reducing breach risks, and ensures compliance by meeting
GDPR training requirements, maintaining customer trust and export operations.

**Limitations:** KnowBe4’s effectiveness depends on employee participation, and resistance or lack of engagement could reduce its impact. It also requires ongoing investment, estimated at $2,000 annually for licensing, which may strain Wheelie Good’s budget (Ciampa, 2022).

**Recommendation:** Wheelie Good should make training mandatory, tying completion to performance
reviews, and use gamification features in KnowBe4, such as leaderboards, to increase engagement. The
company should also explore KnowBe4’s free tools, such as the Phish Alert Button, to supplement training
while managing costs.

16.3.8 Cisco Firepower (Next-Generation Firewall)


**Purpose and Use:** Cisco Firepower is used as a next-generation firewall to protect the production
management system from threats like ransomware, supporting the organizational policy’s focus on
production continuity.

**Effectiveness:** Cisco Firepower effectively protects the production system by using intrusion
prevention and behavioral analysis to block ransomware, preventing attacks that could halt manufacturing
and cost $500,000 per week (Nguyen, 2023). It supports supply chain security by monitoring network traffic
to and from vendors, detecting anomalies like unauthorized data transfers, and enhances overall security by
providing visibility into network activity (Ciampa, 2022).
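The anomaly detection described above (unauthorized data transfers, unexpected vendor interactions) is only as good as the rules behind it. As an added example, and not Cisco's code or a Firepower feature, the following Python detector runs two such rules over constructed connection-log lines in the shape of a firewall connection export: bulk outbound volume to hosts outside the approved vendor ranges, and connections on ports the vendor policy does not allow. The vendor address range, the allowed port set, the volume threshold and the sample events are all assumptions made for the illustration.

```python
"""Flag suspicious outbound transfers in firewall connection logs.

Added example, not Cisco's code. The log lines are constructed for the
illustration; vendor ranges, allowed ports and the threshold are assumed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample export: time,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_LOG = """\
2025-04-01T02:10:00,10.20.5.14,203.0.113.10,443,1200000
2025-04-01T02:11:00,10.20.5.14,203.0.113.10,443,900000
2025-04-01T02:12:00,10.20.5.14,198.51.100.77,443,650000000
2025-04-01T02:13:00,10.20.5.21,203.0.113.20,443,40000
2025-04-01T02:14:00,10.20.5.21,192.0.2.9,22,120000
2025-04-01T02:15:00,10.20.5.30,203.0.113.10,4444,5000
"""

# Assumed approved vendor/partner range (documentation prefix, not a real vendor).
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {443}            # assumed: vendor portals are HTTPS only
VOLUME_LIMIT = 500_000_000       # assumed: 500 MB to one unapproved host per window


def parse_events(text):
    """Parse CSV-style lines into dicts with typed addresses and integers."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        events.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return events


def is_vendor(addr):
    return any(addr in net for net in VENDOR_NETS)


def detect_anomalies(events):
    """Return (rule, src, dst, detail) tuples for the two rules.

    Rule 1: any connection on a port outside ALLOWED_PORTS, including to
            approved vendors (a vendor host talking on 4444 is still wrong).
    Rule 2: cumulative outbound bytes from one source to one non-vendor
            destination at or above VOLUME_LIMIT (possible exfiltration).
    """
    findings = []
    volume = defaultdict(int)    # (src, dst) -> bytes to non-vendor hosts
    for e in events:
        if e["port"] not in ALLOWED_PORTS:
            findings.append(("unexpected_port", str(e["src"]), str(e["dst"]), e["port"]))
        if not is_vendor(e["dst"]):
            volume[(e["src"], e["dst"])] += e["bytes"]
    for (src, dst), total in volume.items():
        if total >= VOLUME_LIMIT:
            findings.append(("bulk_transfer_unapproved_dst", str(src), str(dst), total))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(*finding)
```

Two details carry over to a real deployment: aggregate per (source, destination) over a time window rather than per connection, because exfiltration is usually spread over many short sessions, and keep the vendor allowlist in version control with the Access Control Policy so that the firewall rule and the written policy cannot drift apart.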

**Alignment with Business Needs:** Cisco Firepower aligns with production continuity by preventing
disruptions, supports supply chain security by securing vendor interactions, and indirectly supports customer
data protection by reducing breach risks, maintaining Wheelie Good’s reputation.

**Limitations:** Cisco Firepower can be expensive, with licensing and maintenance costs estimated at
$10,000 annually, which may strain Wheelie Good’s budget. It also requires regular updates and tuning to
remain effective, which can be time-consuming for the IT team (Ciampa, 2022).

**Recommendation:** Wheelie Good should explore Cisco’s subscription-based pricing to manage costs
and schedule quarterly updates during low-production periods to minimize disruption. The company should
also consider open-source alternatives, such as pfSense, for non-critical systems to reduce expenses while
maintaining robust protection for the production system.

16.3.9 Microsoft Authenticator (Two-Factor Authentication - 2FA)


**Purpose and Use:** Microsoft Authenticator is used to implement 2FA in the Access Control Policy,
adding an extra layer of security for accessing sensitive systems like the customer database.

**Effectiveness:** Microsoft Authenticator effectively enhances security by requiring a second factor (e.g., a one-time code or push approval from the mobile app) for access, so a stolen or guessed password alone no longer grants access, reducing the risk of a data breach that could lead to GDPR fines (European Union, 2016). It supports compliance by meeting GDPR’s expectation of appropriate access controls under Article 32 and is user-friendly, integrating with Microsoft Entra ID and, through hybrid identity, with on-premises Active Directory, encouraging employee adoption (Ciampa, 2022).

**Alignment with Business Needs:** Microsoft Authenticator aligns with customer data protection by
securing access to sensitive systems, supports compliance by meeting GDPR requirements, and indirectly
supports production continuity by preventing breaches that could disrupt operations through recovery
efforts.

**Limitations:** Microsoft Authenticator relies on employees having access to their mobile devices, which may be challenging during a disaster, such as a flood, if devices are lost or networks are down. Push approvals can also be abused: an attacker who already holds a password can send repeated prompts until a tired user approves one (MFA fatigue), and real-time phishing proxies can relay a one-time code within its validity window, so the second factor raises the bar but does not make credential theft irrelevant. It also requires initial setup and training, which may face resistance from employees (Ciampa, 2022).

**Recommendation:** Wheelie Good should provide backup authentication methods, such as FIDO2 hardware security keys or a set of printed single-use backup codes, for use during disasters when mobile devices are unavailable, and should enable number matching on push notifications so that a prompt cannot be approved blindly. The company should also conduct a one-time training session during onboarding, using a step-by-step guide, to ensure employees can set up and use Microsoft Authenticator effectively, reducing resistance.
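To make the two points above concrete (what the app's six-digit code actually proves, and how single-use backup codes cover the lost-phone case), here is an added example in Python that is not code from the report or from Microsoft: an RFC 6238 TOTP verifier with the two checks a server must not skip, a small clock-drift window and rejection of a time step that was already accepted (replay), plus hashed one-time backup codes that are consumed on use. The secret is the RFC 4226/6238 test-vector secret and is used only so the expected codes are known; a real secret must be random and never reused.

```python
"""TOTP (RFC 6238) verification with replay protection and single-use backup codes.

Added example, not code from the report or from Microsoft. DEMO_SECRET is the
published RFC 4226/6238 test secret, constructed for the illustration only.
"""
import hashlib
import hmac
import secrets
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC test vector secret; never reuse
STEP = 30                               # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-SHA1 one-time password for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP):
    """Time-based code for Unix time `at` (RFC 6238: counter = floor(at / step))."""
    return hotp(secret, at // step)


class SecondFactor:
    """Server-side 2FA state for one user: TOTP secret, last used step, backup codes."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window        # accept +/- `window` steps of clock drift
        self.last_step = -1         # highest time step already consumed
        self.backup_hashes = set()  # SHA-256 of unused backup codes

    def verify_totp(self, code, now=None):
        """True once per time step; a code replayed within its window is rejected."""
        now = int(time.time()) if now is None else now
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue            # replay or older than an accepted code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

    def issue_backup_codes(self, n=8):
        """Generate n random codes; store only their hashes, show the codes once."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_backup_code(self, code):
        """Each backup code works exactly once."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)
            return True
        return False


if __name__ == "__main__":
    user = SecondFactor(DEMO_SECRET)
    print("code at t=59:", totp(DEMO_SECRET, 59))
    print("accepted:", user.verify_totp(totp(DEMO_SECRET, 59), now=59))
    print("replay accepted:", user.verify_totp(totp(DEMO_SECRET, 59), now=59))
    print("backup codes:", user.issue_backup_codes(4))
```

The replay check is what distinguishes a verifier from a code generator: without `last_step`, a phished code stays valid for the whole drift window, which is exactly what a real-time phishing proxy exploits. Backup codes are stored hashed for the same reason password hashes are, so a leaked user table does not hand out a second factor.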

16.4. Overall Suitability and Recommendations


**Overall Suitability:** The tools used in Wheelie Good’s organizational policy are generally suitable for
meeting its business needs. Splunk, Nessus, and Burp Suite effectively support incident detection,
vulnerability management, and penetration testing, ensuring compliance and reducing risks to production
continuity and customer data. Veeam, AWS S3, and AWS KMS provide robust backup and encryption
capabilities, aligning with the DRP’s focus on rapid recovery and data protection. Microsoft Active
Directory and Microsoft Authenticator enhance access control, supporting GDPR compliance and customer
data protection, while Cisco Firepower protects the production system, ensuring operational continuity.
KnowBe4 fosters a security culture, reducing human-related risks and supporting compliance through
training. Collectively, these tools address Wheelie Good’s needs for production continuity, compliance, data
protection, supply chain security, and employee awareness, maintaining its reputation and export operations
(Ciampa, 2022).

**Gaps and Limitations:** Despite their suitability, the tools have limitations that could impact effectiveness. High costs (e.g., Cisco Firepower at $10,000/year, Splunk at $5,000/year) may strain Wheelie Good’s budget, while resource demands (e.g., Splunk’s storage needs, Nessus’s manual verification) could overburden the IT team. Dependency on third-party providers like AWS introduces risks of outages, and tools like Burp Suite and Microsoft Authenticator have specific use case limitations (e.g., web-only testing, mobile device dependency), requiring complementary solutions (ISO, 2013).

**Recommendations for Improvement:**

- **Cost Management:** Negotiate cost-effective licensing for tools like Splunk and Cisco Firepower, and
explore open-source alternatives (e.g., pfSense for non-critical systems, KnowBe4’s free tools) to reduce
expenses.

- **Complementary Tools:** Adopt additional tools to address gaps, such as Tenable.io for continuous
vulnerability monitoring, Metasploit for non-web penetration testing, and Google Cloud Storage as a
secondary backup to AWS S3, enhancing coverage and redundancy.

- **Resource Optimization:** Schedule resource-intensive tasks, such as Splunk monitoring and Veeam
testing, during low-production periods, and hire a part-time Active Directory administrator to manage access
control efficiently.

- **Employee Engagement:** Increase engagement with KnowBe4 through gamification and mandatory
training, and provide backup 2FA methods (e.g., hardware tokens) to ensure accessibility during disasters.

- **Third-Party Risk Management:** Implement a vendor risk management program, using tools like
BitSight to assess third-party security, reducing dependency risks with AWS and ensuring supply chain
security.

The tools used in Wheelie Good’s organizational policy are well-suited to meet its business needs,
effectively supporting production continuity, compliance, customer data protection, supply chain security,
and a security culture. Splunk, Nessus, Burp Suite, Veeam, AWS S3/KMS, Microsoft Active Directory,
KnowBe4, Cisco Firepower, and Microsoft Authenticator address critical aspects of Wheelie Good’s
security and disaster recovery requirements, ensuring operational resilience and regulatory adherence.
However, limitations such as high costs, resource demands, and specific use case constraints highlight the
need for optimization. By implementing the recommended improvements—cost management,
complementary tools, resource optimization, employee engagement, and third-party risk management—
Wheelie Good can enhance the suitability of these tools, ensuring that its organizational policy fully supports
its business needs, maintains customer trust, and drives long-term growth in global markets (Ciampa, 2022).

III. Conclusion

In an era of increasingly sophisticated cyber threats, securing an organization requires a comprehensive, layered approach that integrates both physical and virtual security measures. This report has explored the wide range of risks that organizations face — from external attacks and insider threats to system vulnerabilities and human error — and has outlined detailed strategies for identifying, mitigating, and responding to these threats.

Through proactive risk assessments, including vulnerability scanning, penetration testing, and threat
modeling, organizations can uncover potential weaknesses before attackers do. Combining these
assessments with rigorous incident response plans and ongoing security training ensures that both technical
teams and end users remain prepared for evolving threats.

Implementing robust physical security measures, such as access control systems, environmental monitoring,
and secure equipment disposal, adds an essential layer of defense against physical breaches. Meanwhile,
virtual security mechanisms like endpoint protection, encryption, multi-factor authentication, and network
segmentation act as powerful barriers against cyberattacks.

The integration of these measures within a unified security framework — supported by advanced tools like
SIEM, SOAR, EDR, and threat intelligence platforms — enables organizations to not only defend against
attacks but to continuously monitor, adapt, and improve their security posture. By following industry best
practices and leveraging globally recognized frameworks (e.g., NIST, ISO 27001), organizations can
enhance their resilience, protect sensitive data, and maintain customer trust.

This report has comprehensively addressed the critical aspects of IT security for Wheelie Good, a bicycle
parts manufacturer in Ho Chi Minh City with export operations to global markets, focusing on the roles of
stakeholders in conducting an IT security audit, the justification of the developed security plan, the
alignment of IT security with organizational policy, and the suitability of tools used to meet business needs.
The analysis underscores the importance of a robust IT security strategy in ensuring operational resilience,
regulatory compliance, and stakeholder trust, which are pivotal for Wheelie Good’s continued success in a
competitive and privacy-conscious global market.

The discussion on the roles of stakeholders (Task 4) highlighted the collaborative effort required to conduct an effective IT security audit, with senior management providing strategic oversight, the IT department executing technical assessments, employees adhering to security practices, and external stakeholders like customers, vendors, auditors, and regulators ensuring compliance and trust. This multi-faceted approach ensures that Wheelie Good can identify and mitigate vulnerabilities, such as unpatched software or phishing risks, thereby protecting its production systems and customer data, which are critical for maintaining operational continuity and meeting GDPR requirements (European Union, 2016).

The justification of the security plan (Task 4.1) emphasized the importance of a well-structured disaster recovery plan (DRP) in maintaining business continuity, with components like regular data backups, clear recovery objectives (RTO and RPO), and employee role assignments ensuring rapid recovery from disruptions, such as ransomware attacks or floods. These measures minimize financial losses—estimated at $500,000 per week for production downtime—and protect Wheelie Good’s reputation by ensuring timely order fulfillment for EU customers (Nguyen, 2023). The inclusion of policies like the Acceptable Use Policy (AUP), Access Control Policy, and Employee Training and Awareness Policy further strengthens the security framework by addressing human-related risks and ensuring compliance with Vietnam’s Law on Cybersecurity 2018 (Vietnam Government, 2018).

The recommendation for aligning IT security with organizational policy underscored the need for integration, compliance, and a security culture to support Wheelie Good’s strategic goals. By embedding IT security into policy development, implementing controls like AES-256 encryption and Cisco Firepower, and fostering employee awareness through tools like KnowBe4, Wheelie Good can mitigate risks such as data breaches and operational disruptions, which could otherwise lead to GDPR fines of up to 4% of annual global revenue or a 20% loss of EU customers (European Union, 2016; Nguyen, 2023). The governance framework ensures continuous alignment, addressing emerging threats like zero-day exploits and maintaining resilience as the company grows.

The evaluation of tools used in the organizational policy confirmed their suitability in meeting Wheelie
Good’s business needs, with Splunk, Nessus, Burp Suite, Veeam, AWS S3/KMS, Microsoft Active
Directory, KnowBe4, Cisco Firepower, and Microsoft Authenticator effectively supporting production

continuity, compliance, customer data protection, supply chain security, and a security culture. However,
limitations such as high costs, resource demands, and dependency risks highlight the need for optimization
through cost management, complementary tools (e.g., Tenable.io, Metasploit), and employee engagement
strategies, ensuring that these tools fully support Wheelie Good’s operational and regulatory requirements
(Ciampa, 2022).

In conclusion, Wheelie Good’s IT security strategy, encompassing stakeholder collaboration, a robust security plan, policy alignment, and effective tool usage, positions the company to address its cybersecurity challenges comprehensively. By implementing the recommended strategies—such as regular audits, employee training, continuous alignment reviews, and tool optimization—Wheelie Good can enhance its security posture, ensuring production continuity, compliance with GDPR and Vietnam’s regulations, and protection of customer data. This proactive approach not only mitigates financial and reputational risks but also builds trust with customers, partners, and investors, enabling Wheelie Good to maintain its competitive edge in the global bicycle parts industry and achieve long-term growth and success.

IV. Self-Assessment
Below is a self-assessment of the content of my report, analysis of the items completed, and the
connections between the sections during implementation and analysis:

P: Content - Pages Completed

- P1 Discuss types of security risks to organisations. Pages: 7-10
- P2 Assess organisational security procedures. Pages: 11-13
- P3 Discuss the potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs. Pages: 17-25
- P4 Discuss, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security. Pages: 25-31
- P5 Review risk assessment procedures in an organisation. Pages: 39-41
- P6 Explain data protection processes and regulations as applicable to an organisation. Pages: 78-90
- P7 Design a suitable security policy for an organisation, including the main components of an organisational disaster recovery plan. Pages: 78-90
- P8 Discuss the roles of stakeholders in the organisation in implementing security audits. Pages: 91-100

M: Content - Pages Completed

- M1 Analyse the benefits of implementing network monitoring systems with supporting reasons. Pages: 13-15
- M2 Propose a method to assess and treat IT security risks. Pages: 32-37
- M3 Summarise an appropriate risk-management approach or ISO standard and its application in IT security. Pages: 59-69
- M4 Analyse possible impacts to organisational security resulting from an IT security audit. Pages: 69-78
- M5 Justify the security plan developed giving reasons for the elements selected. Pages: 101-109

D: Content - Pages Completed

- D1 Evaluate a range of physical and virtual security measures that can be employed to ensure the integrity of organisational IT security. Pages: 37-39
- D2 Recommend how IT security can be aligned with an organisational policy, detailing the security impact of any misalignment. Pages: 109-115
- D3 Evaluate the suitability of the tools used in the organisational policy to meet business needs. Pages: 116-122

V. Reference

- National Institute of Standards and Technology (NIST). Cybersecurity Framework. [Online] Available at: https://www.nist.gov/cyberframework [Accessed 5 April 2025].
- OWASP (Open Web Application Security Project). Threat Modeling and Web Security Best Practices. [Online] Available at: https://owasp.org/ [Accessed 5 April 2025].
- SANS Institute. Incident Response and Risk Management Guidelines. [Online] Available at: https://www.sans.org/apac/
- Microsoft. Microsoft Security Documentation: Best Practices for Network Segmentation and Endpoint Protection. [Online] Available at: https://learn.microsoft.com/en-us/security/ [Accessed 5 April 2025].
- Cisco Networking Academy. Firewall and VPN Configuration Principles. [Online] Available at: https://www.netacad.com/
- Ciampa, M., 2022. CompTIA Security+ Guide to Network Security Fundamentals. 7th ed. Boston: Cengage Learning.
- European Union, 2016. General Data Protection Regulation (GDPR). [Online] Available at: https://gdpr.eu/ [Accessed 5 April 2025].
- ISO, 2012. ISO 22301:2012 Societal Security – Business Continuity Management Systems. [Online] Available at: https://www.iso.org/ [Accessed 5 April 2025].
- ISO, 2013. ISO/IEC 27001:2013 Information Security Management. [Online] Available at: https://www.iso.org/ [Accessed 5 April 2025].
- Nguyen, T., 2023. Cybersecurity Trends in Vietnamese Industries: 2023 Report. Vietnam Tech Journal, 14(1), pp. 10-15.
- Vietnam Government, 2018. Law on Cybersecurity 2018. [Online] Available at: https://www.na.gov.vn/ [Accessed 5 April 2025].
- Vietnam Government, 2023. Decree No. 13/2023/ND-CP on Personal Data Protection. [Online] Available at: https://www.na.gov.vn/ [Accessed 5 April 2025].
