Reference no: EM133696293
Information Security Management
Assessment
Part A: Written Report
For this part, you need to complete the following tasks and write a report on your findings.
Task 1: Review of a System Specific Security Policy
To accomplish this task, you need to review the System-Specific Security Policy: Secure File Storage System carefully (see Appendix A). Afterwards, you will examine each requirement in the policy and explain the justification for that requirement in your report.
For example, one of the requirements in Section 2.1 says, "Implement strong authentication mechanisms, such as two-factor authentication (2FA), for all users accessing the SFSS." You should put a note under it as follows.
Implement strong authentication mechanisms, such as two-factor authentication (2FA), for all users accessing the SFSS.
Justification: The most common single-factor authentication mechanism, password-based authentication, has well-known pitfalls: passwords can be guessed, stolen, or compromised through brute-force, rainbow-table, or phishing attacks. Implementing two-factor authentication adds an extra layer of protection, such as something you have (a hardware token) or something you are (a fingerprint scan). This makes the attacker's task harder, since they would need to compromise more than one authentication factor to break into the secure file storage system.
Task 2: Risk Assessment
To accomplish this task, you need to read the Scenario for Risk Management (see Appendix B). Afterwards, you will complete the following subtasks.
Subtask 2.1: Total Risk Calculation
The given scenario provides clues about a number of security threats or vulnerabilities. For example, 'The backup copies are kept on-site' indicates that if a natural disaster destroys the storage media, both the main and backup copies of the data could be lost at the same time. You will find several other threats and vulnerabilities in the given scenario. You may also assume threats and vulnerabilities that are not explicitly mentioned in the scenario; however, any assumed threat or vulnerability must be well justified and consistent with the scenario.
In this subtask, you have to identify nine (9) other security risks, besides the risk mentioned in Table 1. Afterwards, you need to estimate the asset value, exposure factor (EF), and annualised rate of occurrence (ARO), and finally calculate the risk value in terms of annualised loss expectancy (ALE) for each risk item, where the single loss expectancy (SLE) is asset value × EF and ALE is SLE × ARO. Please note that in order to identify a risk, you need to find an asset-threat pair, which means you need to find a threat that has the potential to cause harm or disruption to an asset. All these values must be determined quantitatively.
Subtask 2.2: Determination of Risk Response
For this subtask, you need to identify the risk response for each of the security risks identified in the previous subtask. In the Risk Response column of Table 2, you need to specify what kind of risk response(s) you would undertake for each of the risks identified. Possible options are: risk mitigation, risk assignment, risk deterrence, risk avoidance, risk acceptance, risk rejection (this is the least preferred option). In the Response Summary column of Table 2 below, you need to provide details of each of the risk responses that you are going to accomplish.
In the example of Table 2, there are two responses of type risk mitigation, which are accomplished through (i) using a cloud service to keep an off-site backup of data and (ii) installing fire protection equipment, flood barriers, and seismic isolation systems.
Subtask 2.3: Residual Risk Calculation
For this subtask, you need to calculate the residual risk values after risk responses are undertaken through implementation of safeguards, controls or countermeasures. A risk response reduces the annualised rate of occurrence (ARO), the exposure factor (EF), or both. The residual risk values should be determined in terms of annualised loss expectancy (ALE). You can have more than one risk response for each risk item.
In the example of Table 3, the safeguard for Response 1.1 (using a cloud backup service to keep a backup copy of data off-site) would reduce the exposure factor (EF) from 0.5 to 0.02. The safeguard would not reduce the rate at which natural disasters happen, but it would reduce the chance of data loss: only the main copy of the data would be destroyed by a natural disaster affecting the on-site storage, while the off-site backup copy would remain intact. At most the latest changes to the data that had not yet been backed up could be lost. On the other hand, the safeguard for Response 1.2 (installing fire protection equipment, flood barriers, and seismic isolation systems) would reduce the exposure factor (EF) from 0.5 to 0.25.
Subtask 2.4: Cost/Benefit Analysis
For this subtask, you have to perform a cost-benefit analysis of the safeguards for the risk responses. You have to calculate the control gap from the pre-response ALE and the post-response ALE (control gap = pre-response ALE − post-response ALE). You have to estimate the annualised cost of safeguard (ACS). Finally, you will calculate the value of each safeguard to the company (value = control gap − ACS).
In the example of Table 4, the ACS of the safeguard used in Response 1.1 is $25,000 which is the cost of the cloud backup service. The ACS of the safeguard used in Response 1.2 is $180,000 which is the cost of installation of the fire protection equipment, flood barriers, and seismic isolation systems.
Subtask 2.5: Countermeasure Selection
For this subtask, you need to select and prioritise the safeguards, controls or countermeasures based on the cost-benefit analysis performed in the previous subtask. In the Feasible column of Table 4, you need to specify whether the countermeasure is feasible or not, and you need to explain the reason in the Reason column. You need to consider the following factors to determine the feasibility:
• The cost of the countermeasure should be less than the value of the asset.
• The cost of the countermeasure should be less than the benefit of the countermeasure.
• The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
• The countermeasure should provide a solution to a real and identified problem.
• The benefit of the countermeasure should not be dependent on its secrecy.
• The benefit of the countermeasure should be testable and verifiable.
The priority of a risk response must be set in the Priority column based on the criticality of the asset being protected and the value of the safeguard to the company. Priority must be set as a number such as 1, 2, 3, ..., with the top-priority response having priority 1. Do not assign a priority to a risk response if it is not feasible.
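The following is a worked example, added here to illustrate the calculations behind Subtasks 2.1 to 2.5 in code; it is not part of the assessment brief or its appendices. The EF reductions (0.5 to 0.02 and 0.5 to 0.25) and the ACS figures ($25,000 and $180,000) are those quoted above for Responses 1.1 and 1.2; the asset value ($2,000,000), the ARO (0.1, one disaster per ten years) and the second risk (ransomware on the file server, with all its figures) are assumptions made for illustration. Only the two quantitative feasibility tests are coded; the remaining criteria are qualitative and have to be argued in the Reason column.

```python
"""Quantitative risk model used in Subtasks 2.1-2.5 (added example, not from the brief).

    SLE              = asset value * EF
    ALE              = SLE * ARO
    residual ALE     = asset value * EF_post * ARO_post
    control gap      = ALE_pre - residual ALE
    safeguard value  = control gap - ACS
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float   # AV in dollars
    ef: float            # exposure factor: fraction of AV lost per event (0..1)
    aro: float           # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        return self.asset_value * self.ef

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Response:
    risk: Risk
    name: str
    kind: str            # mitigation, assignment, deterrence, avoidance, acceptance, rejection
    ef_post: float       # EF after the safeguard is in place
    aro_post: float      # ARO after the safeguard is in place
    acs: float           # annualised cost of safeguard

    def residual_ale(self) -> float:
        return self.risk.asset_value * self.ef_post * self.aro_post

    def control_gap(self) -> float:
        return self.risk.ale() - self.residual_ale()

    def value(self) -> float:
        return self.control_gap() - self.acs

    def feasibility(self) -> tuple[bool, list[str]]:
        """Apply the two quantitative feasibility tests; return (feasible, reasons)."""
        reasons = []
        if self.acs >= self.risk.asset_value:
            reasons.append("ACS is not less than the asset value")
        if self.acs >= self.control_gap():
            reasons.append("ACS is not less than the benefit (control gap)")
        return (not reasons, reasons)


def prioritise(responses: list[Response]) -> dict[str, int | None]:
    """Rank feasible responses by safeguard value (highest first); infeasible ones get None."""
    feasible = [r for r in responses if r.feasibility()[0]]
    ranked = sorted(feasible, key=lambda r: r.value(), reverse=True)
    order = {r.name: i + 1 for i, r in enumerate(ranked)}
    return {r.name: order.get(r.name) for r in responses}


# Risk 1 follows the brief's example; AV and ARO are assumed values.
RISK_1 = Risk("on-site data storage", "natural disaster", asset_value=2_000_000, ef=0.5, aro=0.1)
RESP_1_1 = Response(RISK_1, "Response 1.1", "mitigation", ef_post=0.02, aro_post=0.1, acs=25_000)
RESP_1_2 = Response(RISK_1, "Response 1.2", "mitigation", ef_post=0.25, aro_post=0.1, acs=180_000)

# Risk 2 and its response are entirely assumed, to show prioritisation across risks.
RISK_2 = Risk("file server", "ransomware", asset_value=500_000, ef=0.6, aro=0.3)
RESP_2_1 = Response(RISK_2, "Response 2.1", "mitigation", ef_post=0.2, aro_post=0.3, acs=30_000)

RESPONSES = [RESP_1_1, RESP_1_2, RESP_2_1]


def table() -> list[dict]:
    """Rows of the combined Tables 2-4: pre/post ALE, gap, ACS, value, feasibility, priority."""
    priority = prioritise(RESPONSES)
    rows = []
    for r in RESPONSES:
        ok, reasons = r.feasibility()
        rows.append({
            "response": r.name, "pre_ale": r.risk.ale(), "post_ale": r.residual_ale(),
            "gap": r.control_gap(), "acs": r.acs, "value": r.value(),
            "feasible": ok, "reason": "; ".join(reasons), "priority": priority[r.name],
        })
    return rows


if __name__ == "__main__":
    for row in table():
        print(f"{row['response']}: ALE ${row['pre_ale']:,.0f} -> ${row['post_ale']:,.0f}, "
              f"gap ${row['gap']:,.0f}, ACS ${row['acs']:,.0f}, value ${row['value']:,.0f}, "
              f"feasible={row['feasible']} {row['reason']} priority={row['priority']}")
```

With these figures Response 1.2 passes the asset-value test but fails the benefit test (its $180,000 ACS exceeds the $50,000 control gap), so it gets no priority even though it does reduce the risk; Response 1.1 has the highest value and takes priority 1.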
Subtask 2.6: NIST Risk Management Framework
In this subtask:
• Provide a brief overview of the NIST Risk Management Framework (RMF).
• Explain which phases of RMF the Subtasks 2.1-2.5 fall under.
For each of Subtasks 2.1-2.6, you should create a subsection in your report. For each of the Subtasks 2.1-2.5, you have to provide a brief introduction explaining the method followed in that subtask and present the relevant table with calculations.
Part B: Oral Assessment
There will be an oral assessment on the written report, during which you will need to answer questions regarding your written report verbally. The purpose of the Oral Assessment is to clarify students' understanding of the written report. For on-campus students, the Oral Assessment will be conducted face-to-face during the Week 12 workshop. Online students will be contacted by the Unit Coordinator to schedule an Oral Assessment.
Task Description:
For this assessment, you are required to work in a group to develop and deliver a presentation on an information security topic. You have to choose a topic from the following list for your presentation.
• Common Web Application Vulnerabilities, Consequences, and Remedies
• Common Software Vulnerabilities, Consequences, and Remedies
• Common Network Vulnerabilities, Consequences, and Remedies
• Common Access Control Attacks and Remedies
• A comprehensive Review of Vulnerability Assessment Methods and Tools
• A comprehensive Review of Configuration and Change Management
• Security and Privacy Controls in Information Systems and Organizations (NIST SP 800-53 Rev 5)
• Australian Signals Directorate Strategies to Mitigate Cybersecurity Incidents - Mitigation Details (February 2017)
• Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
• Payment Card Industry Data Security Standard (PCI DSS)
• Supply Chain Risk Management
• Threat Modelling: Significance, Methods and Advantages
To prepare your presentation, you have to do some significant research on your chosen topic. Your presentation should illustrate contemporary information and analysis beyond what is covered in the lecture slides. You can use information provided in scholarly articles as well as online resources. You can present figures and diagrams where appropriate. The presentation should be organised and maintain a continuous and logical flow of information.