Review the system-specific security policy

Reference no: EM133696293

COIT2063 Information Security Management, CQUniversity

Assessment

Part A: Written Report

For this part, you need to complete the following tasks and write a report on your findings.

Task 1: Review of a System Specific Security Policy

To accomplish this task, you need to review the System-Specific Security Policy: Secure File Storage System carefully (see Appendix A). Afterwards, examine each requirement in the policy and explain the justification for that requirement in your report.

For example, one of the requirements in Section 2.1 says, "Implement strong authentication mechanisms, such as two-factor authentication (2FA), for all users accessing the SFSS." You should put a note under it as follows.

Implement strong authentication mechanisms, such as two-factor authentication (2FA), for all users accessing the SFSS.

Justification: The most common single-factor authentication mechanism, password-based authentication, has well-known pitfalls: passwords can be guessed, stolen, or compromised through brute-force, rainbow-table or phishing attacks. Implementing two-factor authentication adds an extra layer of protection based on something you have (a hardware token) or something you are (a fingerprint scan). This makes the attacker's task harder, because they would need to compromise multiple authentication factors to break into the secure file storage system.

Task 2: Risk Assessment
To accomplish this task, you need to read the Scenario for Risk Management (see Appendix B). Afterwards, you will complete the following subtasks.
Subtask 2.1: Total Risk Calculation
The given scenario provides clues about a number of security threats or vulnerabilities. For example, "The backup copies are kept on-site" indicates that a natural disaster destroying the storage media could wipe out the main and backup copies of the data at the same time. You will find several other threats and vulnerabilities in the given scenario. You may also assume threats and vulnerabilities that are not explicitly mentioned in the scenario; however, assumed threats and vulnerabilities must be well justified and consistent with the scenario.
In this subtask, you have to identify nine (9) other security risks, besides the risk mentioned in Table 1. Afterwards, you need to estimate the asset value, exposure factor (EF), annualised rate of occurrence (ARO), and finally calculate the risk value in terms of annualised loss expectancy (ALE) for each risk item. Please note that in order to identify a risk, you need to find an asset-threat pair, which means you need to find a threat that has the potential to cause harm or disruption to an asset. All these values must be determined quantitatively.

Subtask 2.2: Determination of Risk Response
For this subtask, you need to identify the risk response for each of the security risks identified in the previous subtask. In the Risk Response column of Table 2, you need to specify what kind of risk response(s) you would undertake for each of the risks identified. Possible options are: risk mitigation, risk assignment, risk deterrence, risk avoidance, risk acceptance, risk rejection (this is the least preferred option). In the Response Summary column of Table 2 below, you need to provide details of each of the risk responses that you are going to accomplish.
In the example of Table 2, there are two responses of type risk mitigation, which are accomplished through (i) using a cloud service to keep an off-site backup of data and (ii) installing fire protection equipment, flood barriers, and seismic isolation systems.

Subtask 2.3: Residual Risk Calculation
For this subtask, you need to calculate the residual risk values after risk responses are undertaken through implementation of safeguards, controls or countermeasures. Undertaking a risk response reduces either the annualised rate of occurrence (ARO) or the exposure factor (EF), or both. The residual risk values should be determined in terms of annualised loss expectancy (ALE). You can have more than one risk response for each risk item.
In the example of Table 3, the safeguard for Response 1.1 (using a cloud backup service to keep a backup copy of data off-site) would reduce the exposure factor (EF) from 0.5 to 0.02. The safeguard does not reduce the rate at which natural disasters happen, but it does reduce the chance of data loss: only the main copy of the data would be destroyed by a natural disaster affecting the on-site storage, while the off-site backup copy remains intact. At most, the latest updates that had not yet been backed up could be lost. On the other hand, the safeguard for Response 1.2 (installing fire protection equipment, flood barriers, and seismic isolation systems) would reduce the exposure factor (EF) from 0.5 to 0.25.

Subtask 2.4: Cost /Benefit Analysis
For this subtask, you have to perform a cost/benefit analysis of the safeguards for the risk responses. Calculate the control gap from the pre-response ALE and the post-response ALE, estimate the annualised cost of safeguard (ACS), and finally calculate the value of each safeguard to the company.
In the example of Table 4, the ACS of the safeguard used in Response 1.1 is $25,000 which is the cost of the cloud backup service. The ACS of the safeguard used in Response 1.2 is $180,000 which is the cost of installation of the fire protection equipment, flood barriers, and seismic isolation systems.

Subtask 2.5: Countermeasure Selection
For this subtask, you need to select and prioritise the safeguards, controls or countermeasures based on the cost benefit analysis performed in the previous task. In the Feasible column of Table 4, you need to specify whether the countermeasure is feasible or not, and you need to explain the reason in the Reason column. You need to consider the following factors to determine the feasibility:
• The cost of the countermeasure should be less than the value of the asset.
• The cost of the countermeasure should be less than the benefit of the countermeasure.
• The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
• The countermeasure should provide a solution to a real and identified problem.
• The benefit of the countermeasure should not be dependent on its secrecy.
• The benefit of the countermeasure should be testable and verifiable.
The priority of a risk response must be set in the Priority column based on the criticality of the asset being protected and the value of the safeguard to the company. Priority must be set as a number such as 1, 2, 3, ..., with the top-priority response having priority 1. Do not assign a priority to a risk response if it is not feasible.
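The whole Subtask 2.1 to 2.5 chain, carried through in Python as an added worked example; this is not part of the assignment or its appendices. It uses the standard quantitative risk formulas the assignment expects but does not spell out: SLE = asset value x EF, ALE = SLE x ARO, control gap = pre-response ALE minus post-response ALE, and value of safeguard = control gap minus ACS. The EF figures (0.5 to 0.02 and 0.5 to 0.25) and ACS figures ($25,000 and $180,000) for Responses 1.1 and 1.2 come from the text above; the $2,000,000 asset value and ARO of 0.1 for Risk 1, and the whole of Risk 2, are assumptions made here so that the arithmetic has something to run on. Only the two quantitative feasibility tests (ACS below asset value, ACS below benefit) are coded; the remaining four criteria are qualitative and belong in the Reason column.

```python
"""Quantitative risk register for Subtasks 2.1 to 2.5 (added worked example).

Standard formulas (not stated on the assignment page):
    SLE = asset value x EF          ALE = SLE x ARO
    control gap = ALE before response - ALE after response
    safeguard value = control gap - ACS
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    ref: str
    kind: str            # mitigation, assignment, deterrence, avoidance, acceptance, rejection
    summary: str
    residual_ef: float   # exposure factor once the safeguard is in place
    residual_aro: float  # annualised rate of occurrence once the safeguard is in place
    acs: float           # annualised cost of safeguard, in dollars


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str          # a risk is an asset-threat pair
    asset_value: float
    ef: float
    aro: float
    responses: list = field(default_factory=list)

    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        return round(self.asset_value * self.ef, 2)

    def ale(self) -> float:
        """Annualised loss expectancy before any response (Subtask 2.1)."""
        return round(self.sle() * self.aro, 2)


def residual_ale(risk: Risk, resp: Response) -> float:
    """Residual ALE (Subtask 2.3): same asset value, post-response EF and ARO."""
    return round(risk.asset_value * resp.residual_ef * resp.residual_aro, 2)


def control_gap(risk: Risk, resp: Response) -> float:
    """Benefit of the safeguard (Subtask 2.4): the ALE it removes."""
    return round(risk.ale() - residual_ale(risk, resp), 2)


def safeguard_value(risk: Risk, resp: Response) -> float:
    """Value of the safeguard to the company: benefit minus annualised cost."""
    return round(control_gap(risk, resp) - resp.acs, 2)


def feasibility(risk: Risk, resp: Response):
    """The two quantitative tests of Subtask 2.5; returns (feasible, reasons)."""
    reasons = []
    if resp.acs >= risk.asset_value:
        reasons.append(f"ACS {resp.acs:,.0f} is not below asset value {risk.asset_value:,.0f}")
    if resp.acs >= control_gap(risk, resp):
        reasons.append(f"ACS {resp.acs:,.0f} is not below benefit {control_gap(risk, resp):,.0f}")
    return (not reasons, reasons)


def prioritise(risks):
    """Priority numbers for feasible responses only: highest safeguard value first,
    asset value (a proxy for criticality) breaking ties. Infeasible responses get none."""
    ranked = []
    for risk in risks:
        for resp in risk.responses:
            if feasibility(risk, resp)[0]:
                ranked.append((safeguard_value(risk, resp), risk.asset_value, resp.ref))
    ranked.sort(reverse=True)
    return {ref: rank + 1 for rank, (_, _, ref) in enumerate(ranked)}


# Risk 1 is the assignment's own example. EF and ACS values come from the text;
# the $2,000,000 asset value and ARO of 0.1 (one disaster in ten years) are ASSUMED.
RISK_1 = Risk("R1", "Company data on on-site storage", "Natural disaster destroys on-site media",
              asset_value=2_000_000, ef=0.5, aro=0.1, responses=[
                  Response("1.1", "mitigation", "Cloud backup service keeps an off-site copy",
                           residual_ef=0.02, residual_aro=0.1, acs=25_000),
                  Response("1.2", "mitigation", "Fire protection, flood barriers, seismic isolation",
                           residual_ef=0.25, residual_aro=0.1, acs=180_000)])

# Risk 2 is a CONSTRUCTED second asset-threat pair so that prioritisation spans two risks.
RISK_2 = Risk("R2", "Production file server", "Ransomware encrypts production files",
              asset_value=500_000, ef=0.6, aro=0.5, responses=[
                  Response("2.1", "mitigation", "Offline backups plus endpoint detection",
                           residual_ef=0.1, residual_aro=0.3, acs=30_000)])

REGISTER = [RISK_1, RISK_2]


def print_register(risks):
    """Print Tables 1 to 4 in one pass: one line per risk, one line per response."""
    priority = prioritise(risks)
    for risk in risks:
        print(f"{risk.ref} {risk.asset} / {risk.threat}: SLE {risk.sle():,.0f} ALE {risk.ale():,.0f}")
        for resp in risk.responses:
            ok, reasons = feasibility(risk, resp)
            print(f"  {resp.ref} residual ALE {residual_ale(risk, resp):,.0f}"
                  f" gap {control_gap(risk, resp):,.0f} ACS {resp.acs:,.0f}"
                  f" value {safeguard_value(risk, resp):,.0f}"
                  f" feasible={ok} priority={priority.get(resp.ref, '-')} {'; '.join(reasons)}")


if __name__ == "__main__":
    print_register(REGISTER)
```

Under these assumed numbers Response 1.2 fails the cost/benefit test (a $180,000 annual cost to remove $50,000 of annual expected loss), so it gets no priority, which is exactly the kind of verdict Subtask 2.5 asks you to explain in the Reason column. Change the asset value or ARO and the verdict can flip, so state the assumptions behind every figure in the report.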

Subtask 2.6: NIST Risk Management Framework
In this subtask:
• Provide a brief overview of the NIST Risk Management Framework (RMF).
• Explain which phases of RMF the Subtasks 2.1-2.5 fall under.
For each of Subtasks 2.1-2.6, you should create a subsection in your report. For each of the Subtasks 2.1-2.5, you have to provide a brief introduction explaining the method followed in that subtask and present the relevant table with calculations.

Part B: Oral Assessment
There will be an oral assessment on the written report, during which you will need to answer questions regarding your written report verbally. The purpose of the Oral Assessment is to clarify students' understanding of the written report. For on-campus students, the Oral Assessment will be conducted face-to-face during the Week 12 workshop. Online students will be contacted by the Unit Coordinator to schedule an Oral Assessment.

Task Description:

For this assessment, you are required to work in a group to develop and deliver a presentation on an information security topic. You have to choose a topic from the following list for your presentation.

• Common Web Application Vulnerabilities, Consequences, and Remedies
• Common Software Vulnerabilities, Consequences, and Remedies
• Common Network Vulnerabilities, Consequences, and Remedies
• Common Access Control Attacks and Remedies
• A comprehensive Review of Vulnerability Assessment Methods and Tools
• A comprehensive Review of Configuration and Change Management
• Security and Privacy Controls in Information Systems and Organizations (NIST SP 800-53 Rev 5)
• Australian Signals Directorate Strategies to Mitigate Cybersecurity Incidents - Mitigation Details (February 2017)
• Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
• Payment Card Industry Data Security Standard (PCI DSS)
• Supply Chain Risk Management
• Threat Modelling: Significance, Methods and Advantages

To prepare your presentation, you have to do some significant research on your chosen topic. Your presentation should illustrate contemporary information and analysis beyond what is covered in the lecture slides. You can use information provided in scholarly articles as well as online resources. You can present figures and diagrams where appropriate. The presentation should be organised and maintain a continuous and logical flow of information.
