Assignment Problem: The assessment plan gives the student an overview of the unit of competency that will be assessed and an idea of how, when and what kinds of assessment, types of activities and evidence will be expected from the student. It guides the student in using the tools to collect their evidence and makes clear the criteria by which their performance will be judged.
Element:
Assessment Part 1: Research ICT security requirements
Assessment Part 2: Conduct risk analysis
Assessment Part 3: Develop ICT security policy and operational procedures
Assessment Task 1:
Exercise 1 (Answer in approximately 150 words)
Question A: What is a Standard?
Question B: What are the three categories of standards?
Exercise 2 (Answer in approximately 50 words)
Question: Why is it necessary for an organization to have an information security framework?
Exercise 3 (Answer in approximately 100 words)
Question A: What is ISO?
Question B: How does an Australian Standard differ from an ISO Standard?
Exercise 4:
Question: Name the International Standard that relates to Information Security Management Systems? List all versions.
Exercise 5:
Question: Below are examples of Australian/Commonwealth legislation applicable to information management and security policies. Match the relevant legislation to the correct definition.
Exercise 6 (Answer in approximately 50 words)
Question: What is a Security Policy and what are three main reasons for having a security policy?
Exercise 7 (Answer in approximately 50 words)
Question: What is 128 bit encryption, and what is its benefit in network encryption?
Exercise 8 (Answer in approximately 50 words)
Question: Encrypting servers is a requirement for securing a server from hackers. In relation to this, describe what the software application 'TrueCrypt' does. Include details of the failings of this software in your answer.
Case Study Scenario 1:
Instructions: You are to take the role of Fred.
You are required to carry out a risk assessment following the standard steps and document the outcomes. Each of the steps is described below, including guidance to help you to understand the Assessment Task and its objective.
Step 1: Identify sensitive information and critical systems
Identify the types of sensitive information and critical systems associated with the operation of a small school, district-wide computer network.
Step 2: Estimate the value of system components
You are required to calculate a reasonable approximation of the replacement value of each component of the system, both equipment and information.
Step 3: Identify threats
Hold a collaborative brainstorming session with your fellow students and create a list of threats to information security and categorize them as one of the following:
- Natural
- Manmade unintentional
- Manmade intentional.
Step 4: Identify vulnerabilities
Identify vulnerabilities in relation to each of the natural, intentional manmade and unintentional manmade threats identified in Step 3 'Identify threats'.
Categorize each of the vulnerabilities as:
- Physical concerns (e.g., room access, building construction, and climate)
- Hardware- and software-related issues (e.g., equipment, programs, and compatibility)
- Media liabilities (e.g., disks, tapes, hard drives, and print copies)
- Communications (e.g., access points and encryption)
- Human concerns (e.g., personnel and office behaviour)
Step 5: Estimate the likelihood of a potential penetration becoming an actual penetration
Likelihood of potential vulnerabilities can be estimated in terms of probability.
Security penetration testing is one assessment method for identifying potential vulnerabilities in the system under test. A system is said to be penetrated if any identified vulnerability is exploited and the threat agent gains access to the network and full control over the system and its data.
Estimate the likelihood of potential loss or penetration.
Step 6: Identify countermeasures against perceived threats and vulnerabilities
Identify potential solutions to the concerns caused by your identified threats and vulnerabilities.
Step 7: Estimate costs of implementing countermeasures
Determine the costs associated with the countermeasures identified in Step 6 'Identify countermeasures against perceived threats and vulnerabilities'.
Step 8: Select suitable countermeasures for implementation
Decide which of the identified countermeasures are to be implemented by comparing the costs identified in Step 7 against the benefits for each.
Step 9: Review the Security requirements
Once you have finished Steps 1-8, submit the output to your trainer/facilitator for review and approval. You should then complete the document 'Review and Approval of Security Requirements'.
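Steps 1 to 8 above form one cost-benefit procedure: value the assets, estimate how often each threat strikes and how much of the asset it destroys, then keep only the countermeasures whose yearly saving exceeds their yearly cost. The Python below is an added example (not part of the assessment brief) that carries a small school network through that procedure using single loss expectancy (SLE) and annual loss expectancy (ALE); every asset value, threat, likelihood and countermeasure cost in it is a constructed figure for illustration, not data from the scenario.

```python
"""Quantitative risk assessment for a small school network (Steps 1-8).

Added example, not part of the original assessment brief. Every asset value,
threat, likelihood and countermeasure cost below is a constructed figure for
illustration, not data from the scenario.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_value: float  # Step 2: approximate replacement cost


@dataclass
class Threat:
    name: str
    category: str             # Step 3: natural / manmade unintentional / manmade intentional
    asset: str                # asset the threat acts on (Step 1)
    exposure_factor: float    # fraction of the asset value lost per occurrence (0..1)
    annual_rate: float        # Step 5: estimated occurrences per year


@dataclass
class Countermeasure:
    name: str
    threat: str                      # Step 6: the threat it addresses
    annual_cost: float               # Step 7: annualised implementation cost
    rate_reduction: float = 0.0      # fraction by which it lowers annual_rate
    exposure_reduction: float = 0.0  # fraction by which it lowers exposure_factor


def single_loss_expectancy(asset_value, exposure_factor):
    """Loss from one occurrence of the threat."""
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value, exposure_factor, annual_rate):
    """Expected loss per year = SLE x annual rate of occurrence."""
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate


def evaluate_countermeasures(assets, threats, countermeasures):
    """Step 8: compare each countermeasure's cost against the ALE it removes."""
    values = {a.name: a.replacement_value for a in assets}
    by_threat = {t.name: t for t in threats}
    rows = []
    for cm in countermeasures:
        t = by_threat[cm.threat]
        before = annual_loss_expectancy(values[t.asset], t.exposure_factor, t.annual_rate)
        after = annual_loss_expectancy(
            values[t.asset],
            t.exposure_factor * (1 - cm.exposure_reduction),
            t.annual_rate * (1 - cm.rate_reduction),
        )
        net = (before - after) - cm.annual_cost
        rows.append({
            "countermeasure": cm.name,
            "threat": cm.threat,
            "ale_before": round(before, 2),
            "ale_after": round(after, 2),
            "net_annual_benefit": round(net, 2),
            "selected": net > 0,   # implement only if it saves more than it costs
        })
    return rows


def select_countermeasures(assets, threats, countermeasures):
    """Names of the countermeasures worth implementing, in input order."""
    return [r["countermeasure"]
            for r in evaluate_countermeasures(assets, threats, countermeasures)
            if r["selected"]]


# Constructed sample data for a small school network
ASSETS = [
    Asset("student records database", 40000),
    Asset("file server", 12000),
    Asset("classroom workstations", 30000),
]
THREATS = [
    Threat("flood in server room", "natural", "file server", 1.0, 0.05),
    Threat("ransomware via phishing", "manmade intentional", "student records database", 0.5, 0.4),
    Threat("accidental deletion by staff", "manmade unintentional", "student records database", 0.1, 2.0),
]
COUNTERMEASURES = [
    Countermeasure("offsite backups", "ransomware via phishing", 2000, exposure_reduction=0.8),
    Countermeasure("phishing-aware email filtering", "ransomware via phishing", 1500, rate_reduction=0.5),
    Countermeasure("raised racks and water sensors", "flood in server room", 800, rate_reduction=0.9),
    Countermeasure("versioned backup retention", "accidental deletion by staff", 1200, exposure_reduction=0.9),
]

if __name__ == "__main__":
    for row in evaluate_countermeasures(ASSETS, THREATS, COUNTERMEASURES):
        print(row)
```

The split between `rate_reduction` and `exposure_reduction` matters when justifying a choice: backups do nothing to stop ransomware arriving (rate) but cut most of the loss once it does (exposure), while mail filtering does the opposite. With the constructed figures, the flood control is rejected because it costs more per year than the loss it avoids, which is exactly the comparison Step 8 asks for.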
Case Study Scenario 2:
You work for a security auditing firm as an ICT Analyst and have been assigned a team project to perform a security audit of the well-renowned Federation University. In the team meeting, the Project Manager decided to assign you the Assessment Task of researching the security standards practiced in the ICT operation of the university.
Instructions:
You are required to provide a report of the findings of your research, assess the impact on the ICT operation of the client and provide recommendations or comments on your research outcome.
Assessment Task 1: Identify Security Requirements
Identify and list the statutory, commercial and application security requirements for Federation University based on the documented Information Security Policy of Federation University, 'Scenario Document 1'.
Assessment Task 2: Perform Gap Analysis
Guide: The ISO standard, also known as ISO 27001 ISMS, has control requirements which will be the benchmark for this analysis. ISO 27001 takes a risk assessment based approach. An information security risk assessment is used to identify the security requirements of the organisation, and then to identify the security controls needed to bring that risk within an acceptable level for the organisation.
Instructions:
Perform a gap analysis using the scenario information and output of Step 1 and complete the template named 'GAP Analysis for ISO 27001 Template.xls'.
Exercise 1: Consult with your supervisor (trainer) to clarify which of the controls mentioned in the template are applicable for the given scenario (Federation University Information Security Policy) and which are not.
Exercise 2: Scale each of the identified controls using a capability maturity level rating. The provided template contains information on using Capability Maturity level for rating.
Exercise 3: Based on your findings, then document the analysis and recommendations by using the gap analysis template.
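Exercises 1 to 3 together describe the gap-analysis workflow: decide which controls apply, rate each applicable control on a capability maturity scale, and turn the difference between current and target maturity into a prioritised list of recommendations. The Python below is an added example that is not part of the assessment brief or of the 'GAP Analysis for ISO 27001 Template.xls' it refers to; the 0-5 maturity scale, the target level of 3 and the control names are assumptions chosen for illustration, and the real template defines its own scale and control list.

```python
"""Gap analysis against a target capability maturity level (Exercises 1-3).

Added example, not part of the assessment brief or the 'GAP Analysis for ISO
27001 Template.xls' it refers to. The 0-5 maturity scale, the default target
and the control names below are assumptions chosen for illustration.
"""

MATURITY = {  # assumed capability-maturity scale
    0: "non-existent",
    1: "initial / ad hoc",
    2: "repeatable but intuitive",
    3: "defined process",
    4: "managed and measurable",
    5: "optimised",
}


def gap_analysis(controls, target=3):
    """Rate each control and record its gap against the target level.

    controls: list of dicts with keys name, applicable (bool), current (0-5)
    and, for non-applicable controls, a justification (Exercise 1).
    """
    rows = []
    for c in controls:
        if not c["applicable"]:
            rows.append({"control": c["name"], "status": "not applicable",
                         "current": None, "gap": 0,
                         "recommendation": c.get("justification", "")})
            continue
        current = c["current"]
        if current not in MATURITY:
            raise ValueError(f"maturity must be 0-5, got {current!r}")
        gap = max(target - current, 0)          # Exercise 2: maturity rating
        if gap == 0:
            status, rec = "compliant", "maintain; re-assess at next review"
        else:
            status = "gap"
            rec = f"raise from '{MATURITY[current]}' to '{MATURITY[target]}'"
        rows.append({"control": c["name"], "status": status,
                     "current": current, "gap": gap, "recommendation": rec})
    return rows


def prioritised_gaps(rows):
    """Exercise 3: the controls with gaps, largest gap first."""
    return sorted((r for r in rows if r["status"] == "gap"),
                  key=lambda r: -r["gap"])


# Constructed sample controls (names are illustrative, not template rows)
CONTROLS = [
    {"name": "Information security policy", "applicable": True, "current": 3},
    {"name": "Access control", "applicable": True, "current": 1},
    {"name": "Backup", "applicable": True, "current": 2},
    {"name": "Logging and monitoring", "applicable": True, "current": 0},
    {"name": "Outsourced development", "applicable": False,
     "justification": "assumed out of scope for the constructed scenario"},
]

if __name__ == "__main__":
    for row in prioritised_gaps(gap_analysis(CONTROLS)):
        print(f"{row['control']:28} gap {row['gap']}  {row['recommendation']}")
```

Recording a justification for every control marked not applicable is what lets a reviewer check the scoping decision later; the gap rows, ordered by size, become the recommendations section of the template.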
Assessment Task 3: Review the Security requirements
Once you have finished Assessment Tasks 1 and 2, submit your work to the trainer/facilitator for review and approval and complete the 'Review and Approval of Security Requirements' document.
Assessment Task 2:
Case Study Scenario:
Security Environment for the Assessment
This is a simulated workplace assessment in which you will take on the role of a Team Member and perform a risk analysis to identify security threats and document the output of the following Assessment Tasks:
a. Evaluating assets and threats
b. Assigning a risk level to each area of vulnerability
c. Identifying the areas of costs associated with the contingencies
d. Comparing actual controls in place with minimum requirements and identifying gaps
e. Forwarding the recommendation from the analysis for approval and development of an action plan to mitigate risk
Your facilitator will provide you with access to two different security environments, of which you are required to choose ONLY ONE option to use in your risk analysis.
Security Environment A:
Your trainer or assessor will provide you with the details to get an overview of your actual training environment (i.e. your school ICT infrastructure).
Security Environment B:
Your trainer will provide you with the virtual environment created using virtualization servers and workstations (VMware).
Activities:
Exercise 1: Select your security environment (A or B) and state the main reason for your selection.
Exercise 2:
(a) What are the three generic categories of security threats for your chosen environment?
(b) List 10 different impacts of the threats that you believe are likely to occur in terms of loss and security failure.
Exercise 3:
You have participated in a meeting with other team members in the risk assessment and have developed a list of access control elements. These access control elements will serve as a tool for documenting the selected system's compliance or noncompliance with specific control techniques established in the company's security standards for operating systems, networks, data stores, and applications. Based on your chosen security environment (either the training organization itself or the simulated environment of the training organization), you need to complete the following questionnaire.
Exercise 4:
You are required to identify at least three threats (most commonly discovered in the provided security environment) and consider a server and two workstations where you have access, to determine the threats and document your security analysis using the table below.
Exercise 5:
You are required to determine the risk level by assigning a risk level of high (H), moderate (M) or low (L) for each area of vulnerability to show the possible effect of damage if the threat were to occur. You need to use the table below for this analysis.
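Exercises 4 and 5 ask for a qualitative register: one row per area of vulnerability, each rated H, M or L from how likely the threat is and how much damage it would do. The Python below is an added example, not part of the assessment brief: it rates a constructed register with a 3x3 likelihood-by-impact matrix and lists the high risks that still have no countermeasure recorded, which is the first thing a reviewer checks before approval (Exercise 6). The matrix thresholds, the five area names (taken from the vulnerability categories in Case Study Scenario 1) and the sample entries are assumptions for illustration; use the table your trainer provides.

```python
"""Qualitative risk rating (H/M/L) per area of vulnerability (Exercises 4-6).

Added example, not part of the original assessment brief. The 3x3 likelihood
x impact matrix, its thresholds and the sample register entries are
assumptions chosen for illustration.
"""

SCALE = {"low": 1, "moderate": 2, "high": 3}

# Areas of vulnerability, named after the categories in Case Study Scenario 1
AREAS = ("physical", "hardware/software", "media", "communications", "human")


def risk_level(likelihood, impact):
    """Combine a likelihood rating and an impact rating into H, M or L."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:   # high x moderate, high x high
        return "H"
    if score >= 3:   # low x high, moderate x moderate
        return "M"
    return "L"       # low x low, low x moderate


def rate_register(register):
    """Attach a risk level to each entry and order the register highest first."""
    rated = []
    for entry in register:
        if entry["area"] not in AREAS:
            raise ValueError(f"unknown area of vulnerability: {entry['area']!r}")
        rated.append({**entry, "risk": risk_level(entry["likelihood"], entry["impact"])})
    order = {"H": 0, "M": 1, "L": 2}
    return sorted(rated, key=lambda e: order[e["risk"]])   # stable: keeps input order within a level


def summary(rated):
    """Count of entries at each level, for the cover sheet of the analysis."""
    counts = {"H": 0, "M": 0, "L": 0}
    for e in rated:
        counts[e["risk"]] += 1
    return counts


def unresolved_high_risks(rated):
    """High-rated vulnerabilities with no countermeasure recorded yet;
    a reviewer would expect this list to be empty before signing off."""
    return [e["vulnerability"] for e in rated
            if e["risk"] == "H" and not e.get("countermeasure")]


# Constructed sample register: one entry per area of vulnerability
REGISTER = [
    {"area": "physical", "vulnerability": "server room door left unlocked",
     "threat": "theft of server", "likelihood": "moderate", "impact": "high",
     "countermeasure": "keypad lock and access log"},
    {"area": "hardware/software", "vulnerability": "unpatched workstation OS",
     "threat": "malware infection", "likelihood": "high", "impact": "high"},
    {"area": "media", "vulnerability": "unencrypted backup tapes stored on site",
     "threat": "loss of tapes", "likelihood": "low", "impact": "high"},
    {"area": "communications", "vulnerability": "guest Wi-Fi bridged to staff LAN",
     "threat": "unauthorised network access", "likelihood": "moderate", "impact": "moderate"},
    {"area": "human", "vulnerability": "shared teacher login on classroom PCs",
     "threat": "misuse of account", "likelihood": "high", "impact": "moderate",
     "countermeasure": "individual accounts with password policy"},
]

if __name__ == "__main__":
    rated = rate_register(REGISTER)
    for e in rated:
        print(f"[{e['risk']}] {e['area']:18} {e['vulnerability']}")
    print("summary:", summary(rated))
    print("unresolved high risks:", unresolved_high_risks(rated))
```

Keeping likelihood and impact as separate ratings, rather than writing down H/M/L directly, is what makes the register reviewable: the supervisor can challenge either rating on its own, and the level recomputes.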
Exercise 6:
You are required to review and gain approval of your risk assessment (done in Exercises 2-6) by examining the important aspects of the risk assessment using the review document 'Review and Approval of Risk Analysis' and getting approval from your supervisor. You need to attach the signed document with your assessment submission.
Exercise 7: Assume that you have identified the following threats during the risk assessment.
a. Access to personal information
b. Corrupt Databases
c. Server being unavailable
d. IP Address Spoofing
Make a list of countermeasures to manage the above threats.
Assessment Task 3
Case Study Scenario
You have been working in a training school as a System Administrator who looks after the local area network and IT Infrastructure with support and configuration of the PC and servers. You have been assigned to a new project where you will undertake the role of System Administrator with some of the responsibilities including to:
- Assist in the development and maintenance of System security plans and contingency plans
- Participate in risk assessments to evaluate the risk and its mitigation strategies associated with the IT and systems.
- Provide support for proposing, coordinating, implementing and enforcing security policies, standards and methodologies.
- Document the security framework and develop the security policies and operating procedures
- Align the organizational security requirements with that of internationally accepted and local security standards (ISO Standards)
Recently the training school decided to review its security policies as they had not been reviewed for a number of years. The Director of the training school has assigned you the job of creating a new security framework for the training school.
You are required to complete the following Assessment Tasks covering design of the security framework and the creation of related policies and procedures.
Exercise 1: Role Play
You are to participate in a role play meeting to review some aspects of ISMS (Information Security Management System). The agenda for the meeting is provided in your learning resources.
You are participating in this meeting as a System Administrator for the company as provided in the given case scenario. Your trainer/facilitator will act as the Security Compliance Officer and will provide you with information on current information security risk management practices within the training school.
Once the meeting is finished, you will need to document the points discussed in the meeting.
Exercise 2: Develop ICT Security Framework
Using the information from Assessment Task 1, describe the ICT security framework for the case study organization based on the framework provided in figure 1 below. Your description should cover the following topics:
- Introduction
- Objectives
- Application
- Scheme of Delegation under the ICT Security Framework,
- Legislation and internationally recognized standards.
(The description should be approximately 300 words.)
Exercise 3 Develop Information Security Policies
Develop Information Security Policies for the case study organization to fulfill the requirement of the framework developed in Assessment Task 2.
The policies should cover areas of information security including:
- Physical Security
- System Security
- Authorization
- Access to Network
- Passwords
- Backups
- Endpoint Security and Antivirus
- Disposal of Equipment
- Repair and Maintenance of Equipment
- Security Incident Management
- Acceptable Use Policy
Exercise 4: Develop Procedures for Implementation of Security Policies
a. You are required to develop a list of procedures that each employee would follow to implement the policies developed in Assessment Task 3. Compile your list and submit it to the Operations Manager (your trainer) for review and approval. Complete the document 'Review and Approval of Procedure for Policies' and have it signed off by the Operations Manager. Once you have got the approval for the procedures, you need to perform part b of this Assessment Task.
b. Develop procedures for at least five of your policies on your list.
Exercise 5:
Describe three actions that could be taken to maintain the confidentiality of information relating to students and/or employees in the training organization. (Answer in approximately 50 words)
Exercise 6:
List all the legislation that has been applied in your training organization as developed in Assessment Task 2 and explain the importance of statutory legislation in making policies.