CSG3309- IT Security Management
Case Study
Semester 2, 2014
Details:
Title: IT Security Management Case Study.
Due Date: 09.00 AM (GMT+8) Friday October 27, 2014.
Value: 50 % of the final mark for the unit.
Aim
The aim of this unit, and of this assessment in particular, is to bring together the core concepts of information security management. The assessment combines the knowledge domains of project management, policy development, risk management, and security education, awareness and training (SEAT). With the increased connectivity of information assets and their exposure to the internet, both the threats to those assets and the mitigations for them are now closely tied to end-user behaviour. That is, threats to information assets are no longer purely technical, and neither are the solutions. A large part of mitigating threats to information assets is now about educating end users about the threats and attempting to modify their behaviour through awareness and training.
Background
Get A Life Adventures (GALA) will soon appoint a new Information Security Manager (ISM) to look after their information assets. The role has been vacant for some time, and was previously filled by a systems administrator, where information security was a secondary role.
As such, some of the core areas of information security have been neglected and will need to be assessed and improved before the new ISM commences. In particular, the issues faced by the new ISM are as follows:
• Information security policies have not kept up with emerging and constantly changing technology;
• There is no current risk assessment or risk register for the organisation;
• There have been numerous USB drop attacks, to which staff have unfortunately fallen victim; and
• There is no security education or awareness training planned or occurring.
The task
Your team has been hired as consultants to bring GALA’s information security up to an acceptable standard. To achieve this, you will need to undertake and complete the following activities:
1. A project plan which incorporates the essential components of project management. This will include personnel, the activities to be undertaken by each team member, a timeline using an appropriate planning tool, the risks and threats to successful completion of the project.
2. A risk assessment of the threats faced by GALA's information assets. Your risk assessment must be conducted according to ISO 31000:2009, the risk management standard. Also consider HB 167 (Security risk management) in your reading for this task. The information assets to be considered are: data storage (staff home drives etc.), email, the student records database, the course management system (database), and the student enquiry management system. You will also need to identify and assess any other information assets, risks and threats to which Get A Life Adventures may be subject.
3. Develop an information security policy for GALA. As well as internal considerations about protecting information assets, you also need to consider external compliance issues, e.g. Western Australian State legislation, Federal legislation, telecommunications legislation etc. This policy must be completely your own work; however, it is suggested that you use ISO/IEC 27002 clause 5.1 (Information Security Policy) as a guideline to help you achieve this particular task, as that short clause outlines all the key areas a policy should cover. Policies which contain any element of "copy and paste" will receive a grade of zero (0) for this element of the assignment, and may also lead to a reduction in marks for the assignment overall.
4. Develop a security education, awareness and training (SEAT) program for users of GALA information assets, relevant to either USB dropping or the use of social networking media (your group will be assigned ONE of these topics when you submit your group members to Blackboard). This will consist of a set of training materials to educate users about the risks and threats they face as end users of GALA's information assets.
This needs to consist of the following components:
a. An information document about the threats to GALA's information assets. This will be no more than a few pages, and must be written in non-technical language that the lay person can understand.
b. A PowerPoint presentation summarising the key points of the information document
c. An awareness and training video which explains the threats to GALA's information assets, educates users about what these look like, and what actions they need to take if they think they are being targeted by an attacker. The video can use people, can use machinima (e.g. Source Filmmaker), but must be “live action” and not a series of still photos or PowerPoint slides. Consider the use of humour or some other device to get the point across to the end users.
d. Develop a short multiple choice test to determine what end users learnt from your awareness and training materials. You get to test someone else!
Marking Guide
1. Project Management Plan (5 Marks)
a. Timeline (critical path, Gantt chart, network diagram etc.)
b. Allocation of activities to group members
c. Risks to the project
d. Other project management elements relevant to the project e.g. evidence of communication between group members
2. Risk Assessment (10 Marks)
a. Critical systems documented
b. All relevant information assets identified and ranked
c. Threats determined
d. Assessment conducted according to ISO 31000:2009 using a formal framework
e. Risks assessed and ranked using a risk matrix (use Excel)
3. Information Security Policy (10 Marks)
a. Policy and not procedure
b. Developed according to ISO 27002
c. Threats and risks fully identified and explained
d. External compliance factors considered and addressed
4. Security awareness and training (SEAT) (20 Marks)
a. Written materials (document, PowerPoint), video and test
b. Video is live action, not stills
c. Issues and threats explained using non-technical terms
d. Video not to exceed 5 minutes (+/- 30 seconds)
5. Formatting / Referencing (5 Marks)
a. Documentation accessible and appropriate to audience
b. Referencing guide followed and references appropriately cited
c. All work is original (NB – failure to adhere to this will result in additional penalties!!!)
TOTAL MARKS (50 Marks)
Referencing
All sources of references must be cited (in text citation) and listed (end reference list).
For details about referencing and the required format, please refer to the ECU Referencing Guide, which can be found at the following URL: http://www.ecu.edu.au/research/refguide/refguide.html It is expected that you demonstrate a wide range of reading on your selected topics through the judicious use of references to construct and validate your argument. You should gather your references only from scholarly sources such as journals, books and conference proceedings.
Academic Misconduct (Including Plagiarism):
Edith Cowan University regards academic misconduct of any form as unacceptable. Academic misconduct, which includes but is not limited to plagiarism, unauthorised collaboration, cheating in examinations, theft of other students' work, collusion, and inadequate or incorrect referencing, will be dealt with in accordance with the ECU Rule 40 Academic Misconduct (including Plagiarism) Policy. More information can be found at the following URL:
http://www.ecu.edu.au/GPPS/legal_legis/resource_file/academic_misconduct_rules_students(070327).pdf