Due Dates: Week 4, 7, 10, 12
Power AI (PAI) is a company that develops software for industrial, business and home use. Its main focus is on development of artificial intelligence systems to control power use, storage and generation in different environments. PAI has developed many unique solutions for these applications. Protection of their designs is extremely important. They have contracted your consulting service, Secure Security Services (SSS), to provide a framework for the development of an ongoing security management program that oversees security concerns across their business.
You have been asked to develop a report that presents the needs and requirements to implement an ICT Security Program for PAI. This plan should discuss how information security could be better managed by developing a Security Management Program, and provide a program including tasks and roles for the Security Management Program development. In addition, an appendix for this report must include a preliminary Risk Assessment/Management Plan for the protection of its intellectual property that includes a contingency plan. Some discussion of Costs and Benefits must be included.
PAI is a privately owned company located in Preston and has 50 employees; approximately 25 are directly involved in the design, development, testing and implementation of the products. They have two major organizational units that relate directly to their products: Sales; Development and Support. Other vital parts of PAI’s business structure are Finance and Accounts, IT Services and Human Resources. Though most of the employee positions are stable, the turnover of employees in the Development Unit is fairly high because of the large demand for IT employees with detailed knowledge of AI systems. Senior management consists of 3 employees (IT Manager, Finance Manager and Sales Manager) plus the business owner. HR is overseen by the owner.
Products differ in their development requirements: industrial applications are usually custom designed for each installation and, though they contain the same AI engine, the engine has to be configured to make the best use of the data available from the purchaser; general business products need to be configurable to a wide range of businesses; home use products are much less configurable.
PAI’s major security concern is with its intellectual property. The algorithms it has developed for its products are a considerable investment. Currently all development work is completed on a closed on-site network that is managed internally by the IT Services employees (3). Completed products in executable form are ported to the Sales System which is provided by a cloud application provider – Cloud Services International.
Loss or illegal copies of the source code and associated documentation would be a significant blow to PAI. Perhaps of greater concern is the possibility that concept and design information is either lost or provided to competitors. This information could give competitors a significant cost advantage in the development of similar products. Much of this information is held by the development employees as it is necessary for them to perform their work. The estimated value of this knowledge is approximately $3 million. This information is kept as trade secrets, whereas the source code and end products are protected through copyright laws.
PAI has asked that you prepare a sample risk management plan for the protection of their intellectual property. They would like you to consider 4 assets and 4 threats in the risk assessment and management plan. To effectively demonstrate your skill, the plan would need to include examples of assets from different categories: people, process, hardware and software. Threats should also include examples from different categories: Internal, external, deliberate, and accidental.
You are to complete and submit, in written and online form, a report that outlines the need for a security management program and suggests how the organisation may proceed with developing an ongoing Security Management Program. You have also been requested to supply an example of a small risk assessment task to demonstrate what risk assessment/management is about. To assist you in producing the final report, you will complete and submit three small assignment pieces:
Weekly questions for each tutorial (included in each week's tutorial questions. Submitted online only.)
A report outline (see below for details. Submitted online only.)
A report draft (see below for details. Submitted online only.)
Assignment (Part A Report Body) - Report for a security management and governance program
Discuss the benefits derived from seeing Security Management as an ongoing process and the reasons for having a policy.
Discuss the development of a Security Policy and Security Management Plan.
Identify and present a description of the functions, tasks, roles and responsibilities that need to be defined for the Security Management Program for PAI. Discuss the roles different individuals/groups would play in terms of governance in general.
Identify any models or methods that may be relevant for the development of a Security Management Program.
Discuss the implications of legal and statutory requirements and the benefits your formal approach would bring.
Assignment (Part B – Appendix) Risk Assessment/Management – Patient Information
Briefly explain the benefits a Risk Management Plan can bring to a company and the steps necessary to build one. Include a discussion on the importance of Contingency Planning to PAI, as well as the risk analysis and CBA mentioned above.
For the Patient Information area, list the threats, vulnerabilities, and attacks that your formal plan would manage. This should not be an exhaustive, detailed list. Keep the focus on PAI’s context.
Work on this aspect and draw up a Risk Management Plan for it and include a recommendation based on a Cost-Benefit Analysis.
Where does the responsibility for the user and the vendor begin?
Both draft and final reports must include the following:
Assignment Cover Page (only with the final report hard copy). Use the cover sheet provided by Melb Poly. Include the Title, Assignment name, Student Name and ID, Subject;
Microsoft Word “Cover Page”. Include the name of the report, who it has been prepared for, and the author (Student Name and ID, Subject);
Executive summary (1 paragraph: who the report is for, scope/purpose of report; action required);
Table of contents;
Body (numerous headings and text at the writer’s discretion). This will include an introduction that describes the scope of the document and its structure as well as the information discussed in Part A above;
References (list of works used in the document)/Bibliography (materials relevant to the report, but not directly used);
Appendix for the Risk management plan (see Part B above).
The final report will be at least 2000 words (maximum 2500 words) addressing the following:
Discuss the fit of your formal approach to security with the company’s values. Discuss too the role your approach would play in terms of governance in general.
Discuss the development of a Security Policy, including a methodology and the reason for having a policy.
List the threats, vulnerabilities, and attacks that your formal plan would manage. This should not be an exhaustive, detailed list. Keep the focus on PAI’s context.
Discuss the implications of legal and statutory requirements and the benefits your formal approach would bring.
Explain the benefits a Risk Management Plan can bring to a company and the steps you would go through to build one. Include a discussion on the importance of Contingency Planning to PAI, as well as the risk analysis and CBA mentioned above.
Discuss the benefits derived from seeing Security Management as an ongoing process.
This assessment is to be completed individually. You may discuss the assignment with other students, but your submitted work must be your own work.
Submission is in 4 parts:
Week 4 Report Part A outline
Assessed as part of test. Major headings, some minor headings named to match the case study. Overall structure described.
Week 7: Report Part A structure and Part B (Appendix) Risk assessment started structure
The report plan should include the main headings for each part of the final document. The key points for the executive summary must be listed. The structure of the body with bullet points must be outlined and comments relevant to each section included. Some references should be listed and appendices identified. The Risk Assessment will include a prioritized list of Assets, Threats and Vulnerabilities for the patient information system.
Week 10: Draft Report and Risk Assessment
The draft report should not just be an outline or template. It should be an attempt to develop the completed, final report.
The Risk Assessment must also include suggested controls and an outline of a contingency plan for the patient information system.
Week 12 (Start of class): Final Report and Risk Assessment/Management Plan
Your submission must be compatible with the software in Melbourne Polytechnic’s computer Laboratories/Classrooms. A .docx file is preferred.
Assignments must be submitted using the Moodle links provided AND in hard copy to your tutor.
In some cases your tutor may allow a resubmission of a failed assignment. Resubmitted assignments will be capped at a maximum mark of 50%.
See Subject outline for formal Assessment overview and feedback.
Plagiarism
All used sources must be properly acknowledged with references and citations. Quotations and paraphrasing are allowed but the sources must be acknowledged. Failure to do so is regarded as plagiarism and the penalty for plagiarism is failure for the assignment. The act of giving your assignment to another student is classified as a plagiarism offence. Copying large chunks and supplying a reference will result in zero marks as you have not contributed to the report.
Penalties: Academic misconduct such as cheating and plagiarism incur penalties ranging from a zero result to program exclusion.
Late submission of assignments
Penalties may apply for late submission without an approved extension.
For assignments 1 to 7 days late, a penalty of up to 20% (of earned marks) will apply.
For assignments more than 7 days late, a penalty of up to 50% (of earned marks) will apply.
No assignment will be accepted after the end of the teaching period (week 13 of classes) unless accompanied by a completed special consideration request approved by the department.
Extensions: Extensions are granted only for reasonable cause such as illness. A Special Consideration form, accompanied by supporting documentation, must be received before 3 working days from the due date. If granted, an extension will be granted only for the time period stated on the documentation; that is, if the illness medical certificate was for one day, an extension will be granted for one day only. Accordingly, the student must submit within that time limit.
Preparation
Week 7 Report plan (weight 2%)
Submission on time (1)
Major sections of report identified with brief explanation of expected contents. (3)
Risk Assessment task requirements outlined with brief explanation of expected contents and relevance to case study (3)
Completion of weekly tutorials (3)
Total for plan (Max 10)
Week 10 Draft report (weight 3%)
Submission on time (1)
Report structure complete. Most sections have info relevant to topic; some portions incomplete or just bullet points. (3)
Most parts of risk assessment complete with bullet points listing what needs to be done to complete the risk assessment (3)
Completion of weekly tutorials (3)
Total for draft and plan (Max 10)
Part A Report (Weight 20%)
Good Very Good
Report has an identified purpose
i) States the purpose of the report; (2.5)
ii) Describes the report structure. (2.5)
i) Executive summary (2.5)
ii) Discussion of benefits of a Security management plan. (5)
iii) Discuss the development of a Security Policy and Security Management Plan. (5)
iv) Functions, tasks, roles and responsibilities that need to be defined for the Security Management
v) The roles different individuals/groups would play in terms of governance in general. (5)
vi) Identify any models or methods that may be relevant for the development of a Security Management Program (5)
vii) The legal and statutory requirements that will be addressed (2.5)
References & Grammar
i) Citations are used and indicated correctly (Harvard); (2.5)
ii) Grammar and expression. (2.5)
Turnitin Score: Gross Result:
Turnitin adjustment (these deductions are guidelines only; each situation needs separate evaluation by the lecturer): No significant matches (no reduction), Minor matches and score between 15 and 50 (-5 marks), Major matches with significant unreferenced matches or large ‘matching’ sections (-15), Not submitted to Turnitin (-20 marks)
Late submission deduction: Net Result (Max 40):
Part B Risk Assessment/management
Good Very Good Excel
i) Description of risk assessment process (5)
ii) Explanation of benefits of a risk management plan and description of how they are performed. (5)
iii) Identification of Assets (5)
iv) Identification of threats/vulnerabilities (5)
v) Priorities set (5)
vi) Suggested controls (5)
Turnitin Score: Gross Result:
Late submission deduction: Net Result (Max 30):
ASSESSMENT OVERVIEW AND FEEDBACK SUMMARY
All assessments (except for final examination) and feedback are provided via the MOODLE site and in classes.
Assessment Tasks: Due Date Subject Learning
Outcomes MP Graduate
Test Week 4 a 3 A, C, F 10% Individual
Report - Suggested topic: A report detailing a security management plan for an organisation, including: risk analysis; incident reporting; disaster recovery; tools to manage security; legal and statutory obligations.
(2000 words) Week 12 a, b, c, d, e, f 1, 2, 3, 4, 5 A, B, C, D, E, F 40% Individual
Examination End of Semester a, b, c, d, e, f 1, 2, 3, 4, 5 A, B, C, D, E, F 50% Individual