
Fundamental Concepts of Data Security
Computing @ Curtin University
ISEC5006
ASSIGNMENT – Semester 1, 2021
Updated April 6, 2021

Due Date: Friday 14-May-2021, 12:00pm Perth time.
Weight: 30% of the unit mark.

Note: This document is subject to minor corrections and updates. Announcements will be made promptly on Blackboard and during lectures. Always check for the latest version of the assignment. Failure to do so may result in you not completing the tasks according to the specifications.

1 Overview

This assignment provides you with an opportunity to perform a risk assessment for a fictional business. You will need to make use of the relevant data security concepts discussed in the lecture and perform your own research on topics related to the task.

2 The Task

In this assignment, you will play the role of a security consultant. Your client is a fictional organisation – the MasterBuild construction company. The client has requested you to perform a security risk assessment of the organisation. You are expected to deliver a formal written report which will be presented to the board. It is required that the information security risk assessment is performed in accordance with NIST SP 800-30 Rev.1 – Guide for Conducting Risk Assessments. Based on the background information about the company given in Appendix 1, perform the required risk assessment and submit a written report.

Note that you may make an assumption on information required to complete the task if it is not described in Appendix 1.

3 The Report

3.1 Structure

The report must be formally written and follow the required structure given below:

• Cover page: It must clearly show your name and student ID, and it must indicate to a reader that this is a security risk assessment report for the company.
• Table of contents: Provide a table of contents.
• Executive summary: This must summarise the task and the major findings.
• Introduction
  – Purpose: It must clearly state the reasons for conducting the risk assessment and the objectives that the work aims to achieve.
  – Scope: It must clearly state what is covered and what is not.
• Recommendations: This section must list and explain the most (and only the most) important findings from the analysis. Typically, they correspond to the items that have the highest risk values as detailed in the risk assessment results subsequently. The recommendations must indicate the vulnerabilities and the possible consequences if they are not immediately addressed. All recommendations need to have correct references to the individual items in the risk assessment results.
• Risk assessment approach
  – Participants: You will need to list all people involved in the risk assessment, their roles and contact details.
  – Techniques: You will need to clearly state which methods you use to find out the necessary information to identify vulnerabilities, estimate loss, and determine risk values (you must also clearly indicate the information).
  – Risk model: You need to explain in detail which risk assessment approach (qualitative/quantitative) you use. If you use the qualitative approach, you need to clearly indicate the different levels, explain their interpretations, and finally construct the risk matrix that you will follow. If you use the quantitative approach, you will also need to explain the mathematical equations that you use to calculate the risk values. Importantly, all the risk calculations that you present subsequently need to be consistent with the risk model you choose.
• System characterisation: In this section, you will detail all six components of the information system that you are performing the risk assessment on, including hardware, software, data, procedure, people (or users), and networks. Where applicable, you must show detailed technical information such as model, version, diagrams etc. You should also provide further categorisation for each component for improved clarity.
• Vulnerability statement: In this section, you will list all the vulnerabilities that you have found and briefly describe them.
• Threat statement: In this section, you will identify all possible threat sources. For each threat source, you list the possible threat actions they may perform.
• Risk assessment results: In this section, you will assess the risk for each of the vulnerabilities you have discovered above. You must clearly state or make reference to the identified vulnerability, describe the consequent risk, determine the impact and likelihood with justification, evaluate the overall risk, identify the existing control, and evaluate the residual risk. Your risk assessment must address all three security goals: Availability, Integrity, and Confidentiality. Finally, you will recommend relevant controls to address the residual risk.
• Conclusion: Summarise the task you have performed, most importantly the findings, and other possible implications of this report.
• References: Include all relevant references that are used in the assessment. The references must follow the Chicago referencing style.
• Appendices: Include additional information that you may have.

3.2 Page Limit

The report must not exceed 30 pages.
Note: Any material beyond the page limit will not be marked.

4 Mark Allocation

The total mark of this assignment is 100, and it is distributed as follows:

Component                                                    Marks
Submission and presentation as per assignment requirements      10
Overall presentation including table of contents                 5
Executive summary                                                5
Introduction                                                     5
Recommendations                                                 10
Risk assessment approach                                         5
System characterisation                                          5
Vulnerability statement                                         10
Threat statement                                                10
Risk assessment results                                         30
Conclusion and references                                        5

5 Important Information

5.1 Pass Requirement

You need to score at least 30 marks out of 100 marks for this assignment to be considered a reasonable attempt. If you do not achieve this basic pass mark you will fail the unit regardless of how well you perform in the final exam and the average score.

5.2 Submission

• The report must be in PDF format and submitted via Blackboard. Use your full name and student ID as the name of the PDF file that you submit, for example: trump donald 12345678.pdf
  Submission in Word or any other format is NOT accepted.
• A completed and signed ‘Declaration of Originality’ must also be submitted electronically via Blackboard by the deadline.

5.3 Important Notes

You are required to submit your assignment (both print and electronic copies) by Friday 14-May-2021, 12:00pm Perth time.

You are responsible for ensuring that your electronic submission is correct and not corrupted. You may make multiple submissions, but only your newest submission will be marked.

6 Academic Misconduct – Plagiarism and Collusion

Please note that this is an individual assignment; what you submit must be entirely your own work except where clearly cited. Marks will be awarded based on your actual work only.

Please note the following, which is standard across all units in the department:

• Copying material (from other students, websites or other sources) and presenting it as your own work is plagiarism. Even with your own (possibly extensive) modifications, it is still plagiarism. If you simply reproduce any parts of the NIST or other risk assessment standards in your work, you still must clearly indicate where they come from.
• Exchanging assignment solutions, or parts thereof, with other students is collusion. Engaging in such activities may lead to a grade of ANN (Result Annulled Due to Academic Misconduct) being awarded for the unit, or other penalties. Serious or repeated offences may result in termination or expulsion.

You are expected to understand this at all times, across all your university studies, with or without warnings like this.

Appendix 1 – Case Study Description

MasterBuild Construction Company Information

MasterBuild is an established building company that has been specializing in designing and constructing a large variety of buildings ranging from personalized homes to customized 50-level high towers. MasterBuild also bids for government contracts that involve designing and constructing buildings for the military and intelligence organizations. Each center has the same structure, which consists of four Departments: Design, Finance, Construction and Customer Service. The Departments have a preset organization with 10% of the staff being high-level management, 20% being mid-level management, 10% IT staff and 60% general staff.

The company has seven major local offices around the country: Sydney (Headquarters), Canberra, Melbourne, Brisbane, Adelaide, Perth, and Hobart. The centers in Sydney and Melbourne are old heritage buildings located in the CBD. The Brisbane office is a two-storey renovated complex located right on the south bank overlooking the Brisbane river. The other offices are modern multi-level buildings located on the outskirts of the city.

The Sydney and Melbourne offices occupy levels 2-6 of the heritage building. Access to the levels is provided via a public lift. Both offices have the reception on level 2, which also hosts the management and finance departments. There is swipe card access for the other levels 3-6. Visitors may obtain a temporary swipe card at the reception and are asked to return it at the conclusion of the visit. The server room is located within level 5 and requires additional keypad access, with the code being known only to authorised ICT support staff.

The Brisbane office has a front reception and a meeting room on the ground floor. Access to the rest of the Brisbane office via the security glass door behind the reception is restricted to employees presenting a valid swipe card. Two server rooms are located on the ground floor with specialised air-conditioning systems installed at the back of the building.

The other local offices occupy relatively modern 8-level buildings with the first four floors leased to other businesses. Access to levels 5-8 is facilitated by a state-of-the-art facial recognition system. There is no secretary on the ground floor and the only means of communication with staff is via an IP-based phone. All visitors need to have their photos taken as part of the access process.

The IT team consists of the main group in Brisbane and local support teams at other branches. The company has both servers and desktops at every center. The servers mainly use a combination of Windows-based and Linux-based server operating systems, including Windows Server 2019, Windows Server 2016, Red Hat Enterprise Linux and SUSE Linux Enterprise Server. The Sydney and Melbourne branches also have some servers running Windows Server 2003 for legacy purposes. The workstations use Windows 7, macOS, Linux Ubuntu and Fedora. The company also allows employees to bring their own laptops and tablets to work. Hardware is procured from different vendors.

The server rooms are secured with a keypad mechanism. For the Melbourne and Sydney offices, all confidential data is stored on level 4 whereas other information is stored on the servers on level 5. The Brisbane center stores the backups made for the critical data from all the other centers. For the other offices, the servers storing confidential data are located on level 8.

MasterBuild’s employees and contractors are allowed to work remotely from all over the world. Access to the company’s ICT infrastructure is provided via a web portal for which a two-factor authentication method is used (password + randomly generated token).

All centers have WiFi networks deployed to augment the wired networks in place. In addition, limited-access guest wireless is provided for clients visiting the centers (including the new buildings). The guest wireless is accessed via a token, which can be obtained from the secretarial staff, that allows access to the guest network for 24 hours.

Management and general staff have regular teleconference calls between the offices. Each center has a dedicated meeting room that is equipped with IP-based phones and cameras. The heritage buildings use a typical office format while the new buildings use an open-plan layout with only the management having private offices.

MasterBuild has a main website covering the entire company and it is hosted on the cloud by Amazon Web Services (AWS). The main website is managed by a developer who provides regular updates to the site. The company also has an employee-dedicated website which provides access to pay and leave information, with the content being updated by the same developer.

END OF ASSIGNMENT

