CSI2102 Principles of Information Security Case Study Assignment 2 Answers

CSI2102 Principles of Information Security Assignment 2

This assignment’s goal is to get you to use the tools and techniques to perform a basic risk assessment. Your goal is to identify assets, evaluate and communicate risks, risk control strategies. As part of this you will also need to quantify risks using a weighted factor analysis, classify data, and propose recommendations.



Assignment 2: Information Security

Details

Title:                 Information Security Assignment 2

Due Date:         As Per Required

Value:              30% of the final mark for the unit

Length:             2000 words, maximum 2500 (excluding cover page and references)


Case Study

Overview

In this Assignment you will be required to perform an information security analysis that includes a risk assessment, and data classification recommendation for a small dance club. The assignment will rely on concepts covered from week 1 through to week 10. The deliverable is a 2000 (maximum 2500) word report summarising the information assets and threats to information.

Background

All Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of approximately 200 dancers.

All Stars Dance operate from a dance studio with a small office located on the second floor of a three-storey building. ASD share a common lift to the second floor. The dance club operate during the day and in the evenings between 6pm and 10pm. Currently anyone can access the second floor via the lift 24 hours a day, however the studio locks the entry door when they close for the day, thus restricting access to the studio to opening hours only.

The dance club have two networked desktop computers on site, one printer and are connected to the internet via a modem-router supplied to them by their ISP. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or website) and on-site in locked cabinets. The computers currently do not have authentication enabled.

The dance club has just launched a new web portal that provides its members the ability to apply and pay for:

  • dance club membership
  • entry to dance competitions
  • registration for testing. Dancers generally apply for a test when they have reached a certain level in preparation for the next level, i.e., beginner, intermediate, advanced, elite.
  • general enquiries

To become a member of the dance club, dancers are required to visit the website and apply for membership or renew their existing membership. Once a dancer enters the system for the first time, i.e., pays for their first membership, they are provided with a username and password for the website in order to enter competitions and register for dance tests.

The web portal is an open source Content Management System (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The CMS handles memberships, competition events and member information such as dance levels (beginner to advanced) and personal information (age, gender, address).

Club membership runs from January 1 through to December 31 each year regardless of the application date. The CMS allows members to purchase membership, read member only news and register for events or dance tests online; thus, the CMS is responsible for most of the member data processing.

Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the club’s nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates permissions on the user account which authorises access to member resources on the CMS.

The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list includes full name and email address. No other information is transferred to Mailchimp.

The dance club also receives emails from parents and other members, either via the website contact page or directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office.

Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account that is accessed on the desktop computers in the office.

Dance club staff have access to administer the CMS remotely using portable devices, or on-site using the computers in the office. Staff change frequently and currently there are no controls in place to restrict system privileges either on the desktop office computers or the CMS. When a staff member is granted access by the system admin, they have full administrative rights to the desktop computers and the CMS.

The owner of the dance club acts as the system administrator for the CMS and desktop computers but has very little technical knowledge and lacks understanding of information security practices. The owner knows only how to create new user accounts with full system access.

There are four primary functions staff need to perform for the club and its members:

  1. Update member information via the CMS when necessary
  2. Answer emails
  3. Update the latest news on the CMS
  4. Add events to the CMS so members can register online
  5. Add testing sessions to the CMS each month
  6. Perform bank reconciliations, i.e., match the income from the CMS to the bank statements. Staff can see all the transactions from the events and membership applications running within the CMS.

Assessment Task

All Stars Dance would like an Information Security assessment on the threats facing their information system and a recommendation on how to protect the information assets.

Note: The assessment and recommendations should be realistic and reflect the case study.


Action Steps

Introduction: introduce your report and what it will cover.

Identify and categorise information assets. This includes both digital and physical assets. Minimum of 20 assets (max 30). Assets should be categorised and spread across the system component categories.

Prioritise the information assets using a weighted factor analysis. Consider the critical impact factors and their associated weightings. The critical impact factors should be documented and discussed. For example, why these particular factors were chosen and their weightings.

Identify potential threats and vulnerabilities to the information assets. Given the number of threats, a threat category may suffice, i.e., for the CMS you may simply use the threat category software attacks as opposed to every software attack that may occur. One or two threat categories will suffice, however, the threat categories chosen must be realistic.

Create a risk rating for each asset. You may use the simple method (likelihood × impact).

Recommend an appropriate classification scheme. You do not need to classify assets; just write a paragraph on what classification schema you would recommend for this business and why. Use references where appropriate.

Include with your risk assessment table a control strategy, i.e., mitigate, defend, accept for each vulnerability / asset.

Recommend security controls where necessary, e.g., access control, physical security. Think of the McCumber cube here; you might want to include Policy, Education, Technology. When recommending a technology be specific, e.g., Access Control, but for Policy and Education you may simply state policy or education.

Reference ISO27001 / ISO27002 where appropriate. For example, if you recommend Access Control or data Classification see where ISO27001 or ISO27002 recommends this and make reference to it.
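The action steps above describe one procedure: score each asset against weighted critical impact factors, rank the assets, rate the risk of each as likelihood × impact, and attach a control strategy. The following is a worked example of that procedure, added here as illustration; it is not part of the assignment brief or the ECU materials. The assets are taken from the case study, but the impact factors, their weights, the 0.1 to 1.0 scores, the 1 to 5 likelihood and impact scales and the strategy thresholds are all constructed assumptions that a report would need to justify in its own terms.

```python
"""Weighted factor analysis and likelihood x impact risk rating for the
All Stars Dance case study.

Added example code. Factor names, weights, scores, likelihood/impact
values and control thresholds are constructed assumptions for
illustration, not values given in the assignment brief.
"""
from dataclasses import dataclass

# Critical impact factors and their weightings. The weights must total 100
# (textbook weighted factor analysis convention). Chosen here as impact on
# club revenue, on member privacy and on day-to-day operations.
FACTOR_WEIGHTS = {"revenue": 30, "privacy": 40, "operations": 30}


@dataclass
class Asset:
    name: str
    category: str       # system component category, e.g. data, hardware, software
    scores: dict        # factor name -> criticality score in the range 0.1 .. 1.0
    threat: str         # threat category, e.g. "software attacks"
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)


def weighted_score(asset: Asset, weights: dict = FACTOR_WEIGHTS) -> float:
    """Sum of weight * score over every critical impact factor."""
    if sum(weights.values()) != 100:
        raise ValueError("factor weights must total 100")
    for factor in weights:
        score = asset.scores[factor]
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {factor} must be between 0.1 and 1.0")
    return round(sum(weights[f] * asset.scores[f] for f in weights), 1)


def risk_rating(asset: Asset) -> int:
    """Simple method from the brief: likelihood multiplied by impact."""
    return asset.likelihood * asset.impact


def control_strategy(rating: int) -> str:
    """Map a 1..25 rating to the strategies named in the brief.
    Thresholds are an assumption for this example."""
    if rating >= 15:
        return "defend"
    if rating >= 6:
        return "mitigate"
    return "accept"


def rank_assets(assets: list) -> list:
    """Assets ordered from highest to lowest weighted score."""
    return sorted(assets, key=weighted_score, reverse=True)


def risk_register(assets: list) -> list:
    """One row per asset, in priority order, ready for the report table."""
    return [
        {
            "asset": a.name,
            "category": a.category,
            "weighted_score": weighted_score(a),
            "threat": a.threat,
            "risk": risk_rating(a),
            "strategy": control_strategy(risk_rating(a)),
        }
        for a in rank_assets(assets)
    ]


# Constructed sample assets drawn from the case study.
ASSETS = [
    Asset("Member personal information (CMS database)", "data",
          {"revenue": 0.8, "privacy": 1.0, "operations": 0.7},
          "software attacks", likelihood=4, impact=5),
    Asset("Office desktop computers (no authentication)", "hardware",
          {"revenue": 0.4, "privacy": 0.6, "operations": 0.8},
          "unauthorised access", likelihood=4, impact=3),
    Asset("SecurePay payment gateway", "software",
          {"revenue": 1.0, "privacy": 0.5, "operations": 0.6},
          "service outage", likelihood=2, impact=4),
    Asset("ISP modem-router", "networking",
          {"revenue": 0.3, "privacy": 0.4, "operations": 0.9},
          "hardware failure", likelihood=2, impact=3),
    Asset("Paper member applications in locked cabinets", "data",
          {"revenue": 0.2, "privacy": 0.8, "operations": 0.3},
          "theft", likelihood=1, impact=3),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS):
        print(f"{row['weighted_score']:5.1f}  risk={row['risk']:2d}  "
              f"{row['strategy']:8s}  {row['asset']}")
```

The register output gives the ordering a report's weighted factor analysis table would show, with the risk rating and control strategy columns the brief asks to be included alongside it. Changing a weight or a score and re-running shows why the justification of the factor weightings carries marks: the ranking is only as defensible as the weights behind it.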

Report Requirements

Cover / Title page:

You do not need to include the ECU cover page. Create your own cover page that includes the Unit Code, Unit Title and Assignment Title, your name, student number and who the report is prepared for.

Table of Contents:

This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.

Introduction:

Introduce the report, define its scope and state any assumptions. Use in-text references where appropriate. The introduction should introduce the case study and discuss what the report will cover.

Main report content

  • The report must address the task as defined above.
  • The report must contain your definition of the problem.
  • You must include a risk assessment (inclusive of a weighted factor analysis).
  • Critical factors chosen for the weighted factor analysis must be justified in your report, i.e., why you chose them.
  • Threats, vulnerabilities, control strategy and recommended controls must be identified.
  • Data classification schema recommended.

References

A list of end-text references formatted according to the ECU requirements using APA 6th or 7th formatting style.

Endnote is a good tool for managing referencing and can be downloaded free of charge from the ECU Software Download Service. See the Academic Skills Centre for help.

Your references should ideally comprise books, journal articles and conference papers.

Format

  • This report should be no more than 2500 words (excluding title page, table of contents, references and diagrams) and labelled as <CSI2102_your studentid_ lastname_firstname>.docx in a single
  • Your assignments must be word-processed. The text must be no smaller than 12pt, font Times New Roman.

Late Submission

Edith Cowan University Assessment, Examination and Moderation Procedures (Procedure 3.28) for late submission may be applied.

  1. Where the assessment task is submitted not more than 7 calendar days late, the penalty will, for each calendar day that it is late, be 5% of the maximum marks available for the assessment.
  2. Where the assessment task is more than 7 calendar days late, a mark of zero will be awarded.

Academic Misconduct (Including Plagiarism):

Edith Cowan University regards academic misconduct of any form as unacceptable. Academic misconduct, which includes but is not limited to: plagiarism, unauthorised collaboration, cheating in examinations, theft of other students' work, collusion and inadequate and incorrect referencing, will be dealt with in accordance with the ECU Rule 40 Academic Misconduct (including Plagiarism) Policy.

Marking Key

Language and Presentation

  • Formal language
  • Professionally formatted/drawn diagrams
  • Keeping to required format
  • Logically structured
  • Introduction reflects body of report

(3 Marks)

Asset Identification

  • Assets identified appropriate to the case study
  • Minimum of 20 assets identified and correctly categorised.

(5 Marks)

Weighted Factor Analysis

  • Critical impact factors appropriate to case study
  • Critical impact factors justified
  • Performed weighted factor analysis on information assets

(5 Marks)

Risk

  • Risk rating calculated (likelihood / impact matrices)
  • Appropriate threats / vulnerabilities identified to assess risk
  • Control strategy identified for threats to assets

(6 Marks)

Data Classification

  • Data classification schema recommendation appropriate for case study
  • Justified recommended tier system

(3 Marks)

Recommendations

  • Recommended security controls where necessary
  • Recommendations adequately reflect the case study
  • Referenced ISO27001 / ISO27002

(5 Marks)

Referencing

  • Appropriate use of APA referencing conventions
  • Appropriate use of academic references

(3 Marks)
