This is an individual assignment and requires students to conduct a risk-based security evaluation of their personal information management and report on the results of this evaluation.
The main body of the report is expected to be around 2500 words. You are expected to support your commentary with supporting research and insight.
At least four of your references should be peer reviewed and published in 2017 or later.
Probability estimates can be sourced from reputable newspaper articles.
Impact estimates should be drawn from journals and reputable papers.
This assignment is worth 30 marks in the unit.
The intention of this review is to expose you to some of the issues that organisations face when conducting an information security review of the use of information and technology within the organisation and by its personnel.
This assignment is intended to address the management of your personal situation with respect to information and its management. This includes any technology used for information processing and storage (such as home computers, laptops and home networks, and any mobile devices you may have, including smart phones and tablets) and any other storage media you use to store relevant information. Any online (or cloud-based) storage should also be included in the review.
You should avoid including workplace or university storage activities in this review.
There are three primary parts to this assignment. Each part attracts up to 10 marks.
Note that style, readability and critical thinking can affect your grade in each part and overall in the assignment.
Imagine that your mobile phone, wallet/purse and laptop have been stolen.
You have just received a call from your bank describing suspicious activity against your accounts. Your credit rating has dropped to a credit warning because several personal loan applications have been filed in your name (your identity has been stolen).
You can also assume that the people who stole your electronic equipment are technically competent and have harvested all unprotected personal information from your devices. They may have attempted to compromise all your contacts as well.
1. The first step in the review is to
a) Identify all of the relevant information assets and any associated technology resources that you use in your daily life.
b) Describe each of these assets, with a focus on the information they manage, store and give access to. Each asset is to be described so that the reader has a context within which to situate the investigation and its findings.
The nature of these assets and their use influences the risk environment, so your overview is important for the reader to make a judgement about the reliability of your review and findings.
2. For each asset,
a) Note the risk probability of some adverse event taking place;
b) Note the impact should major compromises occur.
Note your IR (Incident Response), BC (Business Continuity) and DRP (Disaster Recovery Planning) for each of these assets being compromised, considering the scenario above.
You might create a table (or tables) of vulnerabilities with the following columns:
Asset | Probability | Impact | Incident Tolerance | Incident Response | Business Continuity | Disaster Recovery Plan
Note that an asset may have several tolerance levels, with a corresponding response for each tolerance. Your business continuity plan may be simple for minor incidents and more substantial for major incidents. Your disaster recovery plan may also change in nature depending upon the severity of the incident.
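As an added illustration (not part of the assignment brief), the following Python encodes one such table as a small risk register: each asset carries a probability and impact estimate on an ordinal scale and one or more tolerance bands, each with its own IR, BC and DRP entry, so that the response for a given incident can be selected by its severity and the assets ranked by risk. The five-point scales, the asset names and the plan text are constructed assumptions for the example, not values from the brief or from any cited source.

```python
from dataclasses import dataclass

# Five-point ordinal scales are an assumption made for this illustration; the
# assignment leaves the scale and its sources (news reports for probability,
# journals for impact) to the student.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Tolerance:
    """One tolerance band for an asset: incidents whose impact is at most
    `max_impact` are handled with this IR/BC/DRP set."""
    label: str
    max_impact: str          # an IMPACT key, the ceiling of this band
    incident_response: str
    business_continuity: str
    disaster_recovery: str


@dataclass
class Asset:
    name: str
    likelihood: str          # a LIKELIHOOD key
    impact: str              # an IMPACT key for the worst plausible compromise
    tolerances: tuple        # one or more Tolerance bands

    def risk_score(self) -> int:
        """Semi-quantitative rating: likelihood x impact on the ordinal scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def response_for(self, incident_impact: str) -> Tolerance:
        """Select the narrowest band whose ceiling covers the incident's impact.
        Raises KeyError for an unknown impact label and ValueError when no band
        covers it (a gap in the plan that the review should surface)."""
        level = IMPACT[incident_impact]
        for band in sorted(self.tolerances, key=lambda t: IMPACT[t.max_impact]):
            if level <= IMPACT[band.max_impact]:
                return band
        raise ValueError(f"{self.name}: no tolerance band covers {incident_impact!r}")


def build_register() -> dict:
    """Constructed sample register for the stolen phone/wallet/laptop scenario
    (asset values and plan text are illustrative assumptions)."""
    phone = Asset(
        "Smartphone", "possible", "major",
        (
            Tolerance("minor", "minor",
                      "Remote-lock the handset and change the screen lock code",
                      "Use a spare handset; SIM remains active",
                      "None required"),
            Tolerance("major", "severe",
                      "Remote-wipe, ask the carrier to block the SIM, rotate passwords and MFA",
                      "Restore the most recent backup onto a replacement device",
                      "Re-enrol MFA on every account; warn contacts of likely phishing"),
        ),
    )
    laptop = Asset(
        "Laptop", "unlikely", "severe",
        (
            Tolerance("major", "severe",
                      "Revoke cached sessions and SSH keys; report the theft",
                      "Work from the backup on a second machine",
                      "Rebuild from an installation image and the last full backup"),
        ),
    )
    cloud = Asset(
        "Cloud storage", "unlikely", "major",
        (
            Tolerance("minor", "moderate",
                      "Sign out all sessions and change the account password",
                      "Continue from the local copy",
                      "None required"),
            Tolerance("major", "severe",
                      "Recover the account; review sharing links and the audit log",
                      "Continue from the local copy",
                      "Restore deleted files from the provider's version history"),
        ),
    )
    return {a.name: a for a in (phone, laptop, cloud)}


def prioritise(register: dict) -> list:
    """Asset names ordered by descending risk score, highest first."""
    return [a.name for a in sorted(register.values(),
                                   key=lambda a: a.risk_score(), reverse=True)]


def render_table(register: dict) -> list:
    """One pipe-separated line per (asset, tolerance band), in the column
    layout suggested for the report, preceded by the header line."""
    rows = ["Asset | Probability | Impact | Incident Tolerance | Incident Response | "
            "Business Continuity | Disaster Recovery Plan"]
    for asset in register.values():
        for band in asset.tolerances:
            rows.append(" | ".join([asset.name, asset.likelihood, asset.impact,
                                    band.label, band.incident_response,
                                    band.business_continuity, band.disaster_recovery]))
    return rows


if __name__ == "__main__":
    reg = build_register()
    print("\n".join(render_table(reg)))
    print("Priority order:", prioritise(reg))
    print("Phone after a severe incident:", reg["Smartphone"].response_for("severe").label)
```

Keeping the tolerance bands as data rather than prose makes the gaps visible: an asset whose bands do not cover the worst plausible impact (the `ValueError` case) is exactly the kind of finding part 3 asks you to reflect on.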
3. Post Review
a) After completing the review you should reflect on how well this whole process worked (or could be expected to work).
b) Is a review of this nature worth the effort? Give reasons for and against the review.
c) Are there easier/more practical ways that could be used to provide reasonable assurance about your information security risks?
d) Is it likely to uncover the main information security issues and make reasonable recommendations for change?
e) Has your adaptation of the security model provided adequate coverage of the issues for a personal situation such as the one you are in?
f) How easy would it be for others (particularly people without a strong IT or security background) to use these materials to assure themselves that they are not exposing themselves to unwarranted information security risks?
In summary, your report should include the following:
• An overview of your personal situation and the key risk areas that may be present;
• What steps did you follow in conducting the review?
• What evidence did you consider in helping you form your views?
• What tests did you perform in order to verify the answers to key review questions?
• You should provide a summary of the good and bad issues that arose from the review.
• What issues from the situation came up looking good in the review, and where was there room for improvement?
• What things would you change in order to improve the information security environment?
• It is important that this section only presents a summary of the key issues from the review;
• A reflection on the methodology or review approach, following your experience of applying it to your personal computing situation.
• A reference list
The assignment is worth up to 30% of the marks for Information Security. The deadline for submissions is Sunday at the end of the week (28 April 2018).
You are encouraged to discuss issues and questions about this assignment and your review during the tutorials in the weeks leading up to the submission deadline.
Make sure that you are familiar with what is required of this assignment and take advantage of this opportunity.
The main body of the report is expected to be around 2500 words – please include a word count, but words from any quotations, your bibliography, and the appendix with the review details, should not be included in this word count.
It is not necessary to include an executive summary.
In marking the report, attention will be given to your understanding of information security concepts and how well you have met the requirements detailed above. Style and technique of your writing will also be considered.
All work quoted from written sources should be appropriately referenced using the UC version of the Harvard author-date style (both with in-text references and all sources included in the bibliography). This style is described in detail (including electronic sources) in referencing guides available at:
http://canberra.libguides.com/referencing
Submission: All assignments should be submitted in electronic format (via the Canvas online assignment submission process). A coversheet is not required, but you should include your student id, assessment item name and the word count.