Fundamental Concepts of Data Security ISEC5006
ASSIGNMENT
Due Date: Friday 22-May-2020
1 Overview
This assignment provides you with an opportunity to perform a risk assessment for a fictional business. You will need to make use of the relevant data security concepts discussed in the lectures and perform your own research on topics related to the task.
2 The Task
In this assignment, you will play the role of a security consultant. Your client is a fictional organisation, the IISC consulting company. The client has asked you to perform a security risk assessment of the organisation. You are expected to deliver a formal written report which will be presented to the board. The information security risk assessment must be performed in accordance with NIST SP 800-30 Rev.1, Guide for Conducting Risk Assessments:
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Based on the background information about the company given in Appendix 1, perform the required risk assessment and submit a written report. Note that you may make an assumption on information required to complete the task if it is not described in Appendix 1.
3 The Report
3.1 Structure
The report must be formally written and follow the required structure given below:
Updated April 14, 2020
Fundamental Concepts of Data Security ISEC5006 ASSIGNMENT- Semester 1, 2020
• Cover page: It must clearly show your name and student ID and it must indicate to a reader that this is a security risk assessment report for the company.
• Table of contents: Provide a table of contents.
• Executive summary: This must summarise the task and the major findings.
• Introduction
– Purpose: It must clearly state the reasons for conducting the risk assessment and the objectives that the work aims to achieve.
– Scope: It must clearly state what is covered and what is not.
• Recommendations: This section must list and explain the most (and only the most) important findings from the analysis. Typically, they correspond to the items that have the highest risk values as detailed in the risk assessment results subsequently. The recommendations must indicate the vulnerabilities and the possible consequences if they are not immediately addressed. All recommendations need to have correct references to the individual items in the risk assessment results.
• Risk assessment approach
– Participants: You will need to list all people involved in the risk assessment, their roles and contact details.
– Techniques: You will need to clearly state which methods you use to find out the necessary information to identify vulnerabilities, estimate loss, and determine risk values (you must also clearly indicate the information).
– Risk model: You need to explain in detail which risk assessment approach (qualitative/quantitative) you use. If you use the qualitative approach, you need to clearly indicate the different levels, explain their interpretations, and finally construct the risk matrix that you will follow. If you use the quantitative approach, you will also need to explain the mathematical equations that you use to calculate the risk values. Importantly, all the risk calculations that you present subsequently need to be consistent with the risk model you choose.
• System characterisation: In this section, you will detail all six components of the information system that you are performing the risk assessment on, including hardware, software, data, procedures, people (or users), and networks. Where applicable, you must show detailed technical information such as model, version, diagrams etc. You should also provide further categorisation for each component for improved clarity.
• Vulnerability statement: In this section, you will list all the vulnerabilities that you have found and briefly describe them.
• Threat statement: In this section, you will identify all possible threat sources. For each threat source, you list the possible threat actions they may perform.
• Risk assessment results: In this section, you will assess the risk for each of the vulnerabilities you have discovered above. You must clearly state or make reference to the identified vulnerability, describe the consequent risk, determine the impact and likelihood with justification, evaluate the overall risk, identify the existing controls, and evaluate the residual risk. Your risk assessment must address all three security goals: Availability, Integrity, and Confidentiality. Finally, you will recommend relevant controls to address the residual risk.
• Conclusion: Summarise the task you have performed, most importantly the findings, and other possible implications of this report.
• References: Include all relevant references that are used in the assessment. The references must follow the Chicago referencing style.
• Appendices: Include additional information that you may have.
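The risk model and risk assessment results items above require every risk value to be derived from one stated model, with residual risk re-evaluated after existing controls and all three security goals covered. The following Python is an added illustration, not part of the assignment brief or of NIST SP 800-30; its level names, matrix and register entries are constructed assumptions that a report would replace with its own justified choices.

```python
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Qualitative model: rows are likelihood, columns are impact, both ordered as LEVELS.
# Constructed for this example; a report states its own matrix and derives every
# risk value from it rather than assigning levels by hand.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # likelihood Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # likelihood Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood Very High
]

def risk_level(likelihood: str, impact: str) -> str:
    """Overall risk from the matrix; a level outside the model raises ValueError."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]

@dataclass
class RiskItem:
    vuln_id: str              # reference into the vulnerability statement, e.g. "V-02"
    goal: str                 # Confidentiality, Integrity or Availability
    likelihood: str
    impact: str
    existing_control: str
    residual_likelihood: str  # likelihood and impact re-assessed with the control in place
    residual_impact: str
    def inherent_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)
    def residual_risk(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)

def top_findings(items, min_level="High"):
    """Items whose residual risk is at or above min_level, highest first: the
    candidates the Recommendations section must cite by vulnerability id."""
    cutoff = LEVELS.index(min_level)
    hits = [i for i in items if LEVELS.index(i.residual_risk()) >= cutoff]
    return sorted(hits, key=lambda i: -LEVELS.index(i.residual_risk()))

def uncovered_goals(items):
    """Security goals with no risk item; must be empty, since all three are required."""
    return {"Confidentiality", "Integrity", "Availability"} - {i.goal for i in items}

# Constructed register entries for illustration (not from Appendix 1).
REGISTER = [
    RiskItem("V-01", "Confidentiality", "High", "High", "None", "High", "High"),
    RiskItem("V-02", "Availability", "Moderate", "Very High", "Nightly offsite backup", "Moderate", "Moderate"),
    RiskItem("V-03", "Integrity", "Low", "Moderate", "Change approval process", "Very Low", "Moderate"),
]
```

Because every level in the register passes through `risk_level`, a typo or a value not in the model fails loudly instead of silently breaking consistency with the stated matrix.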
3.2 Page Limit
The report must not exceed 30 pages.
Note: Any material beyond the page limit will not be marked.
4 Mark Allocation
The total mark of this assignment is 100, and it is distributed as follows:
Submission and presentation as per assignment requirements: 10 marks
Overall presentation including table of contents: 5 marks
Executive summary: 5 marks
Introduction: 5 marks
Recommendations: 10 marks
Risk assessment approach: 5 marks
System characterisation: 5 marks
Vulnerability statement: 10 marks
Threat statement: 10 marks
Risk assessment results: 30 marks
Conclusion and references: 5 marks
5 Important Information
5.1 Pass Requirement
You need to score at least 30 marks out of 100 for this assignment to be considered a reasonable attempt. If you do not achieve this basic pass mark, you will fail the unit regardless of how well you perform in the final exam and regardless of your average score.
5.2 Submission
The report must be in PDF format and submitted via Blackboard. Use your full name and student ID as the name of the PDF file that you submit, for example
trump donald 12345678.pdf
Submission in Word or any other format is NOT accepted. A completed and signed ‘Declaration of Originality’ must also be submitted electronically via Blackboard by the deadline.
5.3 Important Notes
You are required to submit your assignment (both print and electronic copies) by Friday 22-May-2020, 12:00pm Perth time.
You are responsible for ensuring that your electronic submission is correct and not corrupted. You may make multiple submissions, but only your newest submission will be marked.
6 Academic Misconduct: Plagiarism and Collusion
Please note that this is an individual assignment; what you submit must be entirely your own work except where clearly cited. Marks will be awarded based on your actual work only.
Please note the following, which is standard across all units in the department:
Copying material (from other students, websites or other sources) and presenting it as your own work is plagiarism. Even with your own (possibly extensive) modifications, it is still plagiarism.
If you simply reproduce any parts of the NIST or other risk assessment standards in your work, you still must clearly indicate where they come from.
Exchanging assignment solutions, or parts thereof, with other students is collusion. Engaging in such activities may lead to a grade of ANN (Result Annulled Due to Academic Misconduct) being awarded for the unit, or other penalties. Serious or repeated offences may result in termination or expulsion.
You are expected to understand this at all times, across all your university studies, with or without warnings like this.