Reference no: EM13780001
Information Security
Module Overview:
A computer forensics investigator needs to develop an understanding about security standards and formal procedures within an organisation. This module will provide knowledge in addressing issues around security in the organisational environment. This module aims to introduce the main concept areas around information security and assurance.
Learning Outcomes:
On successful completion of this module, you will be able to:
1. Evaluate the available techniques to secure and manage an information system in a corporate environment.
2. Understand the challenges and evaluate the risks in managing the security of an information system.
3. Critically analyse using a threat and risk assessment.
Assignment Part 1 (50%)
Your report should be up to 2,000 words in total.
Title: Security Issues
Assignment
This assignment assesses learning outcome 1:
- Evaluate the available techniques to secure and manage an information system in a corporate environment.
This will be a report-based assignment, where you will discuss and evaluate issues in information security. Specifically, you must attempt the following tasks...
(a) Describe and critically evaluate the information security techniques available to secure the hardware and operating system platform that supports higher-level applications.
(b) Describe and critically evaluate the information security techniques available to a database administrator, including the tools and techniques available to examine historical user actions.
(c) Describe and critically evaluate the information security techniques available to a network engineer in configuring web and email communications, including the option of anonymous communication.
For each task you should be prepared to do your own further research to find additional explanations, diagrams or examples that support or extend the techniques covered in the unit or perhaps alternative techniques not raised in the unit. In either case, as well as describing the technique, you must clearly evaluate its strengths, weaknesses and suitability.
You must fully cite and reference all material you use via the Harvard referencing notation.
Marking scheme
This report will be marked against four distinct criteria...
Technical Knowledge (40%)
This aspect covers the depth, clarity and quality of your technical explanations - which can be drawn from the material in this unit but should be expressed in your own words and using your own examples. Only students showing clear and strong evidence of going beyond the unit materials will get very high marks (see next criterion). The inclusion of good-quality, well-annotated diagrams to support your technical narrative will gain bonus marks.
Research (30%)
This aspect covers the amount, range and quality of wider reading - as evidenced by the citations and references - plus your summary and evaluation of how that new-found knowledge aligns with (or maybe contradicts) the ideas presented in this unit. The quality of Harvard referencing will also be a factor. For good marks here, try and get beyond simple web searches. It is fine to use (good-quality) websites but also incorporate high-quality textbooks and more academic sources such as journal articles and conference papers. Seek advice from the library if needed. Also get a guide to Harvard referencing.
Critical Analysis (20%)
This aspect covers the level to which you go beyond simple explanation ('what it does' issues) and move into evaluation and analysis ('why/why not and when to use' issues). Good marks will be awarded for detailed insights on the strengths and weaknesses of each technique, plus comments upon the most suitable situations to apply these techniques (and when not to).
Presentation & Writing (10%)
This aspect covers issues such as the general quality of writing and spelling, good presentation, neat layout, inclusion of quality diagrams, tables and other non-text items plus evidence of a logical flow and coherence to the whole report (clear introduction, well-structured main body and a firm summary and conclusion).
End of Assignment - Part 1
Part 2 is covered below...
Assignment Part 2 (50%)
Your report should be up to 2,000 words in total.
Title: Security Case Study Report
Assignment
This assignment assesses learning outcomes 2 and 3:
- Understand the challenges and evaluate the risks in managing the security of an information system.
- Critically analyse using a threat and risk assessment.
This will be based on a case study, in which you will demonstrate your ability to manage an information system and conduct threat and risk assessment.
CASE STUDY
'Dog World' is a very successful retailer of all things related to dogs - from canine health care products, dog toys & chews through to dog food & supplements to in-house vet advice and dog books/DVDs. They also have a community bulletin board where local businesses can advertise canine services (like dog walking or grooming) and local people can advertise puppies for sale or dogs that need re-homing. Each store has a local paper-based board.
The company operates a national chain of 100 out-of-town retail stores plus its own successful website called www.dogworld.com which operates a full e-commerce facility backed up by a multi-terabyte database. The website supports a national (and often international) dog-lovers community chat forum. The website also runs paid-for adverts from other companies in the dog sector.
Each local store has a manager and between 10-15 staff, each with varying degrees of access to the company IT systems. For example, a junior-level sales assistant can only log onto the EPOS (electronic point-of-sale) terminals to make sales (cash or card) and pull up prices and product details. They cannot delete or modify anything nor make refunds. Supervisor level staff can do all this plus make refunds but nothing else. Only managers can modify product data or prices - perhaps because of a local temporary sales event.
All EPOS systems are linked to the central corporate data centre where the central IT team are responsible for uploading and maintaining all product and pricing data and for developing and maintaining the corporate website.
Every member of staff - from local sales assistant to chief executive - has email access and their own email address using the format [email protected] - so for example, the chief executive uses [email protected].
The chief executive of Dog World has become very concerned recently about two data theft incidents. Firstly, some confidential corporate data has found its way into the public domain (which could be abused by competitors and suppliers) and secondly, several thousand sets of customer records have been hacked - including personal and card payment details. This latter attack has not been publicized but could obviously seriously damage the company image. The in-house IT staff lack the necessary technical knowledge and skills to get on top of this security problem - much to the annoyance of the chief executive.
So, to stop this potentially disastrous situation from escalating, the chief executive has contracted you - an information security consultant - to advise him on how to secure the corporate data assets and to highlight and evaluate the different types of threat (internal or external) that the company faces and how to contain or eliminate those risks. You will thus produce a threat & risk assessment, supplemented by recommended solutions and actions.
Specifically, the chief executive has requested that your report covers the following areas:
(a) A brief summary of the 'data architecture' of the company - how/where data is captured, where it is transmitted to/from (and how), where it is stored and how/where it is backed-up and audited. A clearly annotated diagram would greatly help here. (Worth 10%)
(b) A detailed breakdown of all possible 'access points' into that data architecture - both internally by staff at different levels/roles/sites and externally by third parties (customers, competitors, suppliers and malicious attackers). What data can they see and what can they do? (Worth 20%)
(c) A detailed analysis of what risks each 'access point' presents - how could any person (internal or external) exploit that access point for malicious reasons? What damage could they do via that access point? (Worth 20%)
(d) A detailed set of solutions and actions for each identified risk - so as to minimize or ideally eliminate that risk, even if the access point cannot (or perhaps should not) be closed itself. Such solutions and actions could be technical, social, legal, managerial or procedural. (Worth 30%)
(e) A comparison of the company's present and recommended security plans against industry-standard IT security frameworks or benchmarks. How well does the company compare now against the best and how will it compare once all your solutions and actions are implemented? (Worth 20%)
See below for the marking scheme and further advice...
The above provides a basic outline of the company. It is expected that you will have to supplement this case study with your own intelligent assumptions and additional research. You must fully document and explain all such assumptions and fully reference any external sources you use via the Harvard referencing system.
Marking scheme
(a) A large, clearly annotated diagram is clearly needed here. It should include all hardware, data communications and servers. This is one aspect where research and intelligent extensions/assumptions come into play. Worth 10%
(b) An 'access point' is defined as any interaction opportunity between the corporate data (including customer personal & card data) and a human user - who could be a member of staff in a local store, a member of staff at central IT or corporate HQ, an external member of the public looking on the website, an attacker probing the website etc. For each you should list all legitimate access rights and all potential or illegitimate actions. A table may be best to display all this work. Worth 20%
(c) The risks could range from accidental data loss or damage to outright hostile and malicious attack - internally or externally. Using the ideas presented in the unit plus your own research, itemize each risk - real or potential - for each type of user and access point. Again, perhaps a tabular layout would help here. Worth 20%
(d) The recommended solutions and actions can come from ideas presented in the unit but for a high mark on this criterion you are strongly advised to conduct your own private research. Every risk should be aligned with a solution or action. Worth 30%
(e) This task firstly demands that you research what IT security frameworks and standards are out there in the real world and then compare the present case study - before and after implementing your recommendations - against these findings. For example, in the unit we discuss a set of guidelines for cloud-based data security. Your job is to find others. Worth 20%