I WANT HD MARKS BCZ THISN IS MY FINAL ASSIGNMENT
Page 1 ISYS1003 Assignment 1 Unit code ISYS1003 Assignment 2 Report (Cyber security program and policy development) Due Date Learning 30 April, 2021 1100pm AEST (Qld Time) Outcomes 2, 3 Weight 30% of overall unit assessment Suggestion This assignment is developmental and cumulative. Leaving your starting date to the week before the due date is a very poor strategy for success in the unit. Scenario developments Since your preliminary report was delivered and you have become more comfortable in the CISO chair, the Norman Joe organisation has experienced great success and extraordinary growth due to an increased demand in e-commerce and online shopping in COVID-19. The company is even considering acquiring a specialised “research and development” (R&D) group specialising in e- commerce software development. The entity is a small but very successful software start-up. However, it is infamous for its very “flexible” work practices and you have some concerns about its security. As such, in anticipation of your employer’s acquisition of this new business you wish to ensure the company’s cyber risk management program and security policy library is sufficient. Requirements: 1. Carefully read the Case Study scenario document. You may use information provided in the case study but do not simply just copy and paste information. This will result in poor grades. Well researched and high-quality external content will be necessary for you to succeed in this assignment. 2. Align all Assignment 2 documents to those in Assignment 1 as the next stage of a comprehensive Cyber Security program. Tasks: 1. Identify, select and devise the top 5 security policies that are essential for Norman Joe’s. Hint: You may refer to security policies from the external sources such as the SANS policy library. However, you are required to draft these policies on your own, i.e., to be written in your own words (10%). 2. Risk Management Framework (10%) a. Outline what is meant by Risk Assessment, Risk Appetite and Risk Treatment. i. Use this information when developing a Risk Management Framework for Norman Joe. Be sure to include: 1. Risk Treatment Cycle 2. Cost Benefit analysis 3. Establishing feasibility – (all that are appropriate) https://www.sans.org/information-security-policy/ https://www.sans.org/information-security-policy/ Page 2 ISYS1003 Assignment 1 b. What Risk Management Framework would be most appropriate for Norman Joe moving forward? Considering what you now know about the direction of Norman Joe, explain your decision based on the requirements that you believe Norman Joe would need to address. 3. Update the company’s Risk Management Plan (10%). You must address: a. Based on the information given for Norman Joe and based on the preliminary threat modelling exercise in Assignment 1, develop an appropriate access control policy for this company. What types of access controls do you recommend protecting the assets of the company? Justify your choices. You should have physical and logical access controls, which do not let unauthorized access to the assets (assets include information, software, and hardware). b. Determine and recommend data security solutions for three different data states in the company: data in use, data in motion, and data at rest. c. What authentication method do you recommend for Norman Joe for effective and efficient management of user identify verification, especially for remote users. d. Explain how a single sign-on service (SSO) can help Norman Joe to manage authentication. Which protocol will be used to implement this SSO service and why? Explain the protocol. e. Describe six phases of developing an incident response plan. For this question, you should explain each phase and propose at least two activities for each phase in Norman Joe. In addition to analysing the case study materials carefully, you will need to do conduct independent research to answer this question. Requirements and marking rubric out of 30 marks (30%): 1. Update security policy library [10%] a. Clearly identified what security policies Norman Joe needs to have and why (2.5%) b. Each policy is comprehensively justified for inclusion (2.5%) Ci Each policy is clearly and comprehensively constructed in own words (5%) 2. Security Program Update Part 1: Risk Management Framework [10%] a. Clearly outlined Risk Assessment, Risk Appetite and Risk Treatment for Norman Joe as specified (6%) b. Clearly identified the Risk Management Framework most appropriate for Norman Joe and comprehensively justified why (4%) 3. Security Program Update Part 2: Risk Management Plan [10%] a. A comprehensive access control policy that clearly identifies types of access controls that are clearly justified (2%) b. Detailed data security solutions for three different data states (2%) c. Clearly identified the authentication method (1%) d. Clearly explained how SSO can help Norman Joe to manage authentication and identified and clearly explained the protocol (2%) e. Clearly detailed six phases of developing an incident response plan for the company (3%) 4. Referencing a. Not well researched [-1%] b. Low quality references [-1%] c. Inconsistent format [-1%] Page 3 ISYS1003 Assignment 1 Submission Format No SCU cover sheet is required – do not include an SCU cover sheet. A simple table of contents and simple introduction is required. While there is no enforced word limit for this assignment, simply writing more does not equal better grades! You will be assessed on how effectively you can communicate your responses to tasks and report on these activities. When you have completed the assignment, you are required to submit your assignment in the DOC or PDF format. The file will be named using the following convention: filename = FirstInitialYourLastName_ISYS1003_A2_S1_20xx.doc (i.e. NJoe_ISYS1003_A2_S1_2021.doc) Original Work It is a University requirement that a student’s work complies with the Academic Integrity Policy. It is a student’s responsibility to be familiar with the Policy. Failure to comply with the Policy can have severe consequences in the form of University sanctions. For information on this Policy please refer to Student Academic Integrity policy at the following website: http://policies.scu.edu.au/view.current.php?id=00141 As part of a University initiative to support the development of academic integrity, assessments may be checked for plagiarism, including through an electronic system, either internally or by a plagiarism checking service, and be held for future checking and matching purposes. A Turnitin link has been set up to provide you with an opportunity to check the originality of your work until your due date. Please make sure you review the report generated by the system and make changes (if necessary!) to minimise the issues of improper citation or potential plagiarism. Retain Duplicate Copy Before submitting the assignment, you are advised to retain electronic copies of original work. In the event of any uncertainty regarding the submission of assessment items, you may be requested to reproduce a final copy. School Extension Policy In general, I will NOT give extension unless where there are exceptional circumstances in line with University policy. Students wanting an extension must make a request at least 24 hours before the assessment item is due and the request must be received in writing by the unit assessor or designated staff Page 4 ISYS1003 Assignment 1 member through the formal process outlined on the unit site. Extensions within 24 hours of submission or following the submission deadline will not be granted (unless supported by a doctor’s certificate or where there are exceptional circumstances – this will be at unit assessor’s discretion and will be considered on a case by case basis). Extensions will be for a maximum of 48 hours (longer extensions supported by a doctor’s certificate or alike to be considered on a case by case basis). A penalty of 5% of the total available grade will accrue for each 24-hour period that an assessment item is submitted late. Therefore, an assessment item worth 30 marks will have 1.5 marks deducted for every 24-hour period and at the end of 20 days will receive 0 marks. Students who fail to submit following the guidelines will be deemed to have not submitted the assessment item and the above penalty will be applied until the specified submission guidelines are followed. Submission Format Original Work Retain Duplicate Copy School Extension Policy ISYS1003 Cybersecurity Management Page 1 ISYS1003 Case Study Case Study Table of Contents Introduction 1. Aim and Scope 2. Company Description 3. Motivation 4. Driving Cyber Security for the Fleet 5. Norman Joe’s Cyber Security Company Administration 6. Norman Joe’s Cyber Security Threat Prevention and Defence 7. Norman Joe’s Response 8. Antivirus 9. Norman Joe’s personnel Online Behaviour 10. Norman Joe’s Network Design as it applies to Cyber Security 11. Training 12. Recovery Introduction You have just been appointed to be the Chief Information Security Officer (CISO) for the multi-national retailer ‘Norman Joe’ (Aust) Pty Ltd. Norman Joe seek to sell “the most affordable white goods, computer and electronics, furniture and furnishings, and household appliances “. The brand tagline of the company is “for good value!” You and your team are based in Australia. While Norman Joe has been in the online sales arena for many years, the new Australian operation is just being established and it is expected to be fully operational for customer orders and shipments by the end of 2021. Due to Covid-19, the company made a strategic decision to take most of their business operations online, closing a number of “bricks and mortar” stores. Norman Joe knows that, as it is dealing online for most of its business, it is working in a high-risk area; there are constant threats of cyber-attacks. As such, there is a constant requirement to secure electronic data, online ordering, billing services and other transactional processes, customer and employee data, communications with customers who can browse online catalogues held on Norman