Part One -Conducting A Risk Assessment (10 marks)
You are the Chief Information Security Officer (CISO) at a reputable Australian university. Your supervisor has directed you to conduct a review of the organisation's digital security risks; more specifically, you have been asked to provide a risk register. The risk register should contain at a minimum:
· A description of the risk.
· A summary of the impact or consequence if the risk was to arise.
· Inherent risk assessment, that is the assessed raw/untreated risk inherent in a process or activity without doing anything to reduce the likelihood or consequence.
· Key controls to mitigate the risk.
· Residual risk assessment, that is the assessed risk in a process or activity, in terms of likelihood and consequence, after controls are applied to mitigate the risk.
· Prioritisation of the risk using a standardised framework such as the ANSI B11.0.TR3 Risk Assessment Matrix.
Given that there is no clear prioritisation framework nor risk appetite framework, the risk register is your professional assessment of the likelihood and consequence of the risks you identify. When preparing your risk register you should think carefully about the assets a university may have and how these may be compromised from the perspective of information security.
In the event you are not comfortable conducting a risk assessment on a university, you are free to conduct it on an entity you are affiliated with. If you elect to do this, you need not specify the name of the business; rather, provide a summary of what the entity does.
The risk register MUST be accompanied by a covering note outlining the rationale for your assessment and any pertinent points to your argument. Be sure to reference accordingly.
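As an added illustration of how the inherent and residual columns feed the prioritisation column (this is example code, not part of the assignment brief): a small register scored against a 4x4 likelihood/consequence matrix, ordered by residual risk, with a check for entries whose controls did not change the rating. The matrix cells, the rating scales and the three sample risks are constructed assumptions in the style of the ANSI B11.0.TR3 matrix, not a copy of the standard's table.

```python
# Added example, not from the assignment brief. Matrix cells, scales and sample
# risks are constructed assumptions in the style of ANSI B11.0 TR3, not its table.
from dataclasses import dataclass

LIKELIHOOD = ["remote", "unlikely", "likely", "very likely"]   # low -> high
CONSEQUENCE = ["minor", "moderate", "serious", "catastrophic"]  # low -> high
MATRIX = {  # assumed cells: row = consequence, columns in LIKELIHOOD order
    "catastrophic": ["medium", "high", "high", "high"],
    "serious":      ["low", "medium", "high", "high"],
    "moderate":     ["negligible", "low", "medium", "medium"],
    "minor":        ["negligible", "negligible", "low", "medium"],
}
RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    description: str
    impact: str
    inherent: tuple   # (likelihood, consequence) with no controls applied
    controls: list    # key controls relied on for the residual rating
    residual: tuple   # (likelihood, consequence) after controls

def rate(likelihood, consequence):
    """Matrix lookup; an unknown rating raises instead of silently scoring low."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating {likelihood!r}/{consequence!r}")
    return MATRIX[consequence][LIKELIHOOD.index(likelihood)]

def ratings(risk):
    """(inherent, residual) matrix ratings for one register entry."""
    return rate(*risk.inherent), rate(*risk.residual)

def prioritise(register):
    """Highest residual first (what the organisation still carries); inherent breaks ties."""
    return sorted(register, reverse=True,
                  key=lambda r: tuple(RANK[x] for x in reversed(ratings(r))))

def untreated(register):
    """Entries whose controls did not lower the matrix rating: revisit the controls."""
    return [r for r in register if RANK[ratings(r)[1]] >= RANK[ratings(r)[0]]]

# Constructed sample register for a university; ratings are illustrative only.
REGISTER = [
    Risk("Phishing of staff credentials", "account takeover, data exposure",
         ("very likely", "serious"), ["MFA", "mail filtering", "training"], ("unlikely", "moderate")),
    Risk("Ransomware on research file servers", "loss of research data, outage",
         ("likely", "catastrophic"), ["offline backups", "EDR", "segmentation"], ("remote", "catastrophic")),
    Risk("Unsupported OS on lab instruments", "foothold for lateral movement",
         ("likely", "moderate"), ["VLAN isolation"], ("likely", "moderate")),
]
```

Note that the lab-instrument entry outranks phishing in the prioritised list despite a lower inherent rating, because priority follows what remains after controls; the same entry is flagged by `untreated` because its single control changed neither likelihood nor consequence.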
Part Two
Option One - Developing a Security Policy (10 marks)
Let's imagine you work for the Commonwealth Scientific and Industrial Research Organisation (CSIRO).
Information technology at CSIRO is controlled by the Division of Information Technology. CSIRO employs a number of administrators to maintain IT resources across the site; this includes production systems which offer services, and user workstations. In addition, CSIRO employs on a full-time or part-time basis a number of staff to perform operational roles in various units such as Research Operations, HR and Payroll. There are currently 5000 operational staff. Some staff are employed under fixed-term contracts, whilst others may be contractors to CSIRO, i.e. they own a business and contract to the organisation.
That said, from time to time people will need administrator privileges to enterprise systems or workstations. CSIRO needs a policy to decide who should receive these privileges, when, and why. By default everyone is given normal user privileges.
You are employed as the Security Advisor for the organisation. The task handed to you by the Chief Information Officer is to write a policy for the granting of privileged accounts to users. When granting privileges such as the administrator account you really need to think about the role and type of employment of the individual. You also need to think about the attributes this individual must possess and the requirements they must have met. How will you implement this? For example, if a person from HR wants the administrator account on their desktop computer, what would you do? What if they wanted administrator privileges to a production system? What if a person who is responsible for information technology wants administrator accounts on a desktop workstation or a production system: what would you do, and would you always grant them this right?
In your policy you should:
- define the intent and rationale of the policy
- any definitions which are used throughout the document
- responsibilities of individuals, i.e. those who enforce the guideline
- scope of the policy, i.e. who and what it affects
- anything else you think is reasonable to place into a policy based on what you have learnt
You should note that CSIRO has a Chief Information Officer responsible for information technology across the site, and an IT Security Advisor responsible for the formulation of such policies. The IT Security Advisor is responsible for enforcing this guideline. The policy covers CSIRO corporate and research assets; it does not cover facilities such as the PAWSEY Super Computing Centre or corporate subsidiaries of CSIRO. The policy document should NOT be any more than 3 pages in length.
Option Two - Recommendations on the Appointment of a CISO (10 marks)
You have recently been appointed as the Chief Information Officer (CIO) of a newly established pharmaceuticals startup which, as part of its business model, conducts research and development into medical products, manufactures medical products and distributes them. The startup has recently been given significant venture capital money with the requirement to improve organisational risk management and governance.
You have been tasked by the Chief Executive Officer (CEO) to prepare a paper for consideration by the board of directors regarding the need to appoint a Chief Information Security Officer (CISO). The CEO has expressed the view that other members of the board are sceptical about the need to appoint a CISO, in particular one that operates at the C-level within the organisation.
Prepare a paper of no more than 3 pages outlining your recommendation to the CEO and the Board regarding the appointment of a CISO. Clearly articulate the case for or against, making reference to reporting lines if you believe the appointment is appropriate. In preparing your response be sure to include referenced examples to substantiate your claims.