Reference no: EM132847598
Business Case Specification
Furniture Barn
Samuel Manton is the owner/proprietor of Furniture Barn, a medium-sized furniture store. The store usually has about 10 staff serving customers and setting up displays during the week, but hires extra staff for periods of heavier trading, such as weekends, holidays, etc.
All financial data, and staff and inventory records, are held in a database in a server room, a small room which opens directly onto the holding space at the back of the store. The room has no extra cooling other than the store's A/C, and it is locked with a padlock for which Samuel has the only key; he keeps a duplicate at his own premises. There are two CCTV cameras on the shop floor but only one camera at the back of the store, and it is not pointed at the server room. The camera recordings are kept for only one day and are reviewed only in the event of a security concern.
The software for the staff handling and inventory system was designed by Henry Simmons, who now has the job of maintaining the server. Backups are done by Henry on an ad hoc basis, copying the database file to CD as he sees fit and storing the discs on site.
Staff log in with username and password combinations. To make it easier to check staff work, Henry has a username and password scheme where staff take their first and last names as the username, and combine the first two letters of their first name with the last two letters of their last name as the password. There is no other system for staff access control.
Storewide Wi-Fi is used for all networking, including staff data retrieval terminals and the checkout system.
The server is an old Pentium running Apache. There is no hardware firewall. Henry runs two open-source anti-virus programs which he checks and patches every "few weeks". The server room is next to a water outlet in the staff tearoom. The room does not have any of the following features: firewall-grade walls, a fire door, a UPS, or an electromechanical lock. The door to the room is locked at night and on weekends with a key available from the CFO's main office.
Henry has recently become aware of an attack which has been made against the server (the attack is similar to a real-world attack which has occurred recently). Henry has described the attack to Samuel who would like a short account of the (real-world) attack and what impact it is likely to have on his business (as part of the report for this assignment).
Samuel's main requirement from you is an asset valuation and risk analysis.
Part A Specification and Requirements
Goal
You will be in front of the board of the company to present a summary of your findings. Time is limited and the board members have other commitments afterwards. You aim to deliver the most important threats, their impact on the business, the mitigation plan and the associated costs and returns. If you present a convincing analysis and mitigation plan, the board might decide to hire your team for the next phase of the work, that is, implementation.
Project Outline Report
This is a Word document (.docx) containing the following sections.
1. A cut-down and presentable table of your risk assessment results. This is based on your calculations in the spreadsheet; however, it is not a copy of your spreadsheet. You need to take the most important elements of your calculations out of the spreadsheet and reformat them to be presentable to top management. Visual presentation of your findings is strongly encouraged.
2. The most important risk to consider and the justification.
3. The total cost of the mitigation scheme, and how you calculated it.
4. A brief outline of how you discovered the top risk in your analysis. This can be a made-up story of how you discovered the risk. Keep this description short, a couple of sentences at most.
5. Explain why you chose the accept decision for a risk in your analysis. No more than one paragraph.
6. Your nominated real-world attack (or vulnerability). You do not need to describe the attack for Part A (that comes in Part B). Just give the name of the attack and a web link to it: provide a link to a simple, easy-to-understand explanation of the attack. You could also supply a link to a CERT page on the attack. For more information, refer to Sec 4.8.
3.1 Risk Calculation Spreadsheet
Your spreadsheet must contain at least 12 risks. Not all risk decisions should be "transfer" or "mitigate". At least one must be "accept". Seek permission from your lecturer to include any "avoid" decisions. For one of the risks, the control should be some form of policy.
Each control in the quantitative analysis should be clearly mapped against a control in Table A.1 in ISO/IEC 27001:2013. This will require additional columns to be added to the template. Give the code for the control and the brief name of the control. For example, for A.5.1.1, put "A.5.1.1, Policies for information security" in the sheet.
In a separate worksheet from the ALE analysis, include a calculated field for the total cost of your mitigation plan. This should be based on the first table. You can include your consultancy fee in this as well.
The spreadsheet must have two worksheets. Each worksheet must be named meaningfully and formatted professionally.
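The following Python is an added worked example, not part of the assignment or its spreadsheet template. It lays out the columns the ALE worksheet needs (SLE, ARO, ALE, decision, control, Annex A code and name, annual control cost) for a small register drawn from the Furniture Barn scenario, totals the mitigation plan including a consultancy fee, and checks the register against the structural rules above. It uses the standard ALE = SLE × ARO formula; every dollar figure, rate, residual rate and the fee are constructed assumptions, while the ISO/IEC 27001:2013 Annex A codes and names are the real ones.

```python
"""Quantitative risk register in the shape the Part A spreadsheet asks for.

Added example, not part of the assignment text. ALE = SLE x ARO is the
standard formula; the dollar figures, rates, control costs and the
consultancy fee are constructed assumptions for the Furniture Barn
scenario, and the ISO/IEC 27001:2013 Annex A references are the
controls' real codes and names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ISO_REF = re.compile(r"^A\.\d+\.\d+\.\d+$")   # Annex A code shape, e.g. A.5.1.1


@dataclass
class Risk:
    name: str
    sle: float                            # single loss expectancy, dollars per event
    aro: float                            # annualised rate of occurrence, events per year
    decision: str                         # accept | mitigate | transfer | avoid
    control: str = ""                     # proposed control (blank when accepted)
    iso_control: str = ""                 # Annex A code, e.g. "A.12.3.1"
    iso_name: str = ""                    # brief Annex A control name
    control_cost: float = 0.0             # annual cost of the control, dollars
    residual_aro: Optional[float] = None  # ARO expected after the control (assumption)
    is_policy: bool = False               # control is a policy rather than a technical measure

    @property
    def ale(self) -> float:
        """Annualised loss expectancy before any control."""
        return round(self.sle * self.aro, 2)

    @property
    def residual_ale(self) -> float:
        """ALE after the control; unchanged when the risk is simply accepted."""
        aro = self.aro if self.residual_aro is None else self.residual_aro
        return round(self.sle * aro, 2)

    @property
    def annual_benefit(self) -> float:
        """Cost/benefit of the control: loss avoided per year minus what it costs."""
        return round(self.ale - self.residual_ale - self.control_cost, 2)


# Constructed register; a real submission needs at least 12 risks.
REGISTER: List[Risk] = [
    Risk("Server room flooded from tearoom water outlet", 40_000, 0.1, "mitigate",
         "Raise hardware off the floor and fit a water-leak sensor",
         "A.11.1.4", "Protecting against external and environmental threats", 1_500, 0.02),
    Risk("Staff accounts opened with guessable name-derived passwords", 15_000, 2.0, "mitigate",
         "Individually chosen passwords enforced by the login system",
         "A.9.4.3", "Password management system", 800, 0.2),
    Risk("Database lost because ad hoc CD backups are stale or unreadable", 25_000, 0.3, "mitigate",
         "Written backup policy: nightly copies, one kept off site, restore tested monthly",
         "A.12.3.1", "Information backup", 1_200, 0.05, is_policy=True),
    Risk("Apache server compromised through a known unpatched vulnerability", 50_000, 0.5, "mitigate",
         "Monthly patch cycle for the server operating system and Apache",
         "A.12.6.1", "Management of technical vulnerabilities", 2_000, 0.1),
    Risk("Hardware stolen from the unmonitored server room", 20_000, 0.05, "accept"),
]


def total_mitigation_cost(risks: List[Risk], consultancy_fee: float = 0.0) -> float:
    """Annual control costs for every risk that is not simply accepted, plus the fee."""
    controls = sum(r.control_cost for r in risks if r.decision != "accept")
    return round(controls + consultancy_fee, 2)


def validate_register(risks: List[Risk], min_risks: int = 12) -> List[str]:
    """Check the register against the assignment's structural rules; returns problems found."""
    issues = []
    if len(risks) < min_risks:
        issues.append(f"only {len(risks)} risks listed; at least {min_risks} required")
    decisions = {r.decision for r in risks}
    if "accept" not in decisions:
        issues.append("at least one risk must be accepted")
    if "avoid" in decisions:
        issues.append("'avoid' decisions need the lecturer's permission")
    if not any(r.is_policy for r in risks):
        issues.append("at least one control must be a policy")
    for r in risks:
        if r.decision != "accept" and not ISO_REF.match(r.iso_control):
            issues.append(f"{r.name}: control is not mapped to an Annex A code")
    return issues


def summary_rows(risks: List[Risk]):
    """The cut-down table for the board: one row per risk, highest ALE first."""
    rows = [(r.name, r.ale, r.decision, r.iso_control, r.annual_benefit) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for row in summary_rows(REGISTER):
        print(row)
    print("total mitigation cost:", total_mitigation_cost(REGISTER, consultancy_fee=4_000))
    print("issues:", validate_register(REGISTER))
```

Run as-is, the validator reports exactly one problem (the register holds five risks, not twelve), which is the point of keeping the structural rules in code rather than in your head; the annual benefit column is what justifies each "mitigate" decision to the board, and a negative value there is the signal that "accept" deserves a second look.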
4. Part B Specification and Requirements
Goal
After your presentation to the board, you are providing them with the final report detailing all your findings and laying down the costs. You have paid special attention to the questions raised during your presentation and made a genuine attempt to address them in the report. The report contains all the necessary information, and you have worked hard to make it very easy for the board members to understand your findings and recommendations by visualising information. You hope that this report will secure your next contract.
Report Structure
The report must contain the following sections (i.e. headings).
1. Executive Summary
This is the most important part of your report and needs to be written carefully and effectively. If you have not written an executive summary before, you will need to do research to learn how a good executive summary is written.
2. Introduction
3. Fact Finding/Discovery (see section 4.4)
Be sure to clearly explain techniques and give short examples.
4. Qualitative Analysis (see section 4.5)
Contains an effective summary of your spreadsheet.
5. Quantitative Analysis
Contains an accurate conversion of the quantitative analysis for 3 threat/control pairs.
6. Real-World Attack (see section 4.8)
7. Conclusion
8. References (Harvard citation style)
9. Appendix
This section contains all the detailed findings forming the basis of the conclusions and recommendations in the body of the report. When there is more than one appendix section, name them Appendix 1, Appendix 2, etc.
You are encouraged to further organise the report content into meaningful subsections.
Discovery Requirements
You need to select a discovery technique and give a report (make up a discovery story) for how you discovered three of the risks in your analysis. The goal here is to present the report as being the result of discovery. Only a short paragraph is required.
One of the three risks must be discovered using a questionnaire, and you need to include an example of one Likert scale question (question only). In the explanation of the response "discovery", you can suppose a particular median response, or a mean and standard deviation if numbers were used. Of course, explain what threat this revealed.
Qualitative Analysis
You need to convert the ALE analysis into a risk matrix as discussed in class. You can have three separate matrices or include all three in one matrix clearly labelled. You need to:
- convert only the three "discovered" risks,
- derive the matrix rigorously from the quantitative analysis, and
- show unambiguously stated cell (bin) boundaries. You can use your own levels, but they must correctly translate the same threats from quantitative analysis.
It is up to you how you divide up the cells, but they need to be clearly stated and properly transformed.
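The Python below is an added example of the conversion described in this section; it is not from the assignment or the class material. Likelihood is binned on ARO and impact on SLE with half-open intervals, so every cell boundary is stated unambiguously and a value that lands exactly on a boundary has one defined home; the rating grid, the level names, the boundary values and the three risks' figures are all constructed assumptions. The consistency check at the end is the "derive rigorously" part: it refuses a matrix in which a risk with a larger ALE ends up with a lower rating than a risk with a smaller one.

```python
"""Convert ALE inputs into a qualitative risk matrix with explicit bin boundaries.

Added example, not from the assignment text. Level names, boundaries,
the rating grid and the three risks' SLE/ARO figures are constructed
assumptions; ALE = SLE x ARO is the standard formula.
"""
from bisect import bisect_right
from typing import Dict, List

# Likelihood is binned on ARO (events per year). Bins are half-open: a value
# equal to a boundary falls into the HIGHER bin, so ARO = 0.1 is "Unlikely".
LIKELIHOOD_LABELS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
LIKELIHOOD_BOUNDS = [0.1, 0.5, 1.0, 5.0]

# Impact is binned on SLE (dollars per event), same half-open convention.
IMPACT_LABELS = ["Minor", "Moderate", "Major", "Severe"]
IMPACT_BOUNDS = [5_000, 20_000, 50_000]

# Rating grid indexed [likelihood][impact]; RATING_RANK orders the ratings.
RATING_GRID = [
    ["Low",    "Low",    "Medium",  "Medium"],   # Rare
    ["Low",    "Medium", "Medium",  "High"],     # Unlikely
    ["Low",    "Medium", "High",    "High"],     # Possible
    ["Medium", "High",   "High",    "Extreme"],  # Likely
    ["Medium", "High",   "Extreme", "Extreme"],  # Almost certain
]
RATING_RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}


def describe_bins(labels: List[str], bounds: List[float], quantity: str) -> List[str]:
    """Spell out each bin as an interval so the boundaries can be printed in the report."""
    lines = [f"{labels[0]}: {quantity} < {bounds[0]}"]
    for i in range(1, len(bounds)):
        lines.append(f"{labels[i]}: {bounds[i - 1]} <= {quantity} < {bounds[i]}")
    lines.append(f"{labels[-1]}: {quantity} >= {bounds[-1]}")
    return lines


def place_risk(name: str, sle: float, aro: float) -> Dict:
    """Bin one risk's quantitative figures into a matrix cell and read off its rating."""
    li = bisect_right(LIKELIHOOD_BOUNDS, aro)   # index of the likelihood level
    ii = bisect_right(IMPACT_BOUNDS, sle)       # index of the impact level
    return {
        "name": name, "sle": sle, "aro": aro, "ale": round(sle * aro, 2),
        "likelihood": LIKELIHOOD_LABELS[li], "impact": IMPACT_LABELS[ii],
        "rating": RATING_GRID[li][ii],
    }


def ale_consistent(placed: List[Dict]) -> bool:
    """True when no risk with a strictly larger ALE carries a strictly lower rating."""
    for a in placed:
        for b in placed:
            if a["ale"] > b["ale"] and RATING_RANK[a["rating"]] < RATING_RANK[b["rating"]]:
                return False
    return True


def render_matrix(placed: List[Dict]) -> str:
    """Text grid with risk names in their cells, rows = likelihood, columns = impact."""
    cells = {(p["likelihood"], p["impact"]): p["name"] for p in placed}
    header = "likelihood \\ impact".ljust(20) + "".join(l.ljust(16) for l in IMPACT_LABELS)
    rows = [header]
    for like in reversed(LIKELIHOOD_LABELS):          # most likely at the top
        row = like.ljust(20)
        for imp in IMPACT_LABELS:
            row += cells.get((like, imp), "-")[:15].ljust(16)
        rows.append(row)
    return "\n".join(rows)


# Constructed figures for the three "discovered" risks.
DISCOVERED = [
    place_risk("Guessable staff passwords", 15_000, 2.0),
    place_risk("Server room flooding", 40_000, 0.1),    # ARO sits exactly on a boundary
    place_risk("Theft from unmonitored server room", 20_000, 0.05),
]

if __name__ == "__main__":
    print("\n".join(describe_bins(LIKELIHOOD_LABELS, LIKELIHOOD_BOUNDS, "ARO")))
    print("\n".join(describe_bins(IMPACT_LABELS, IMPACT_BOUNDS, "SLE")))
    print(render_matrix(DISCOVERED))
    print("consistent with ALE ordering:", ale_consistent(DISCOVERED))
```

The flooding risk is the edge case worth showing the board: its ARO of 0.1 is exactly a boundary value, and the half-open convention puts it in "Unlikely" rather than "Rare". Whichever convention you choose, `describe_bins` prints it in a form that can go straight into the report so a reader can reproduce every cell placement from the spreadsheet figures.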
Attachment: Business Case Specification.rar