Edith Cowan University
School of Science
Assignment 2: Information Security

Details
Information Security Assignment 2
Due: 05.00 PM (GMT+8) Friday May 15, 2020
Weighting: 30% of the final mark for the unit
Length: 2000 words, maximum 2500 (excluding cover page and references)
Case Study

Overview
In this assignment you will be required to perform an information security analysis that includes a risk assessment and data classification recommendation for a small dance club. The assignment will rely on concepts covered from week 1 through to week 10. The deliverable is a 2000 (maximum 2500) word report summarising the information assets and threats to information.

Background
All Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of approximately 200 dancers.

All Stars Dance operate from a dance studio with a small office located on the second floor of a three-storey building. ASD share a common lift to the second floor. The dance club operate during the day and in the evenings between 6pm and 10pm. Currently anyone can access the second floor via the lift 24 hours a day; however, the studio locks the entry door when they close for the day, thus restricting access to the studio to opening hours only.

The dance club have two networked desktop computers on site, one printer, and are connected to the internet via a modem-router supplied to them by their ISP. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or website) and on-site in locked cabinets. The computers currently do not have authentication enabled.

The dance club has just launched a new web portal that provides its members the ability to apply and pay for:
• dance club membership
• enter dance competitions
• register for testing. Dancers will generally apply for a test when they have reached a certain level in preparation for the next level, i.e., beginner, intermediate, advanced, elite.
• make general enquiries

To become a member of the dance club, dancers are required to visit the website and apply for membership or renew their existing membership.
Once a dancer enters the system for the first time, i.e., pays for their first membership, they are provided with a username and password for the website in order to enter competitions and register for dance tests.

The web portal is an open source Content Management System (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The CMS handles memberships, competition events and member information such as dance levels (beginner to advanced) and personal information (age, gender, address).

Club membership runs from January 1 through to December 31 each year regardless of the application date. The CMS allows members to purchase membership, read member-only news and register for events or dance tests online; thus, the CMS is responsible for most of the member data processing.

CSI2102 Principles of Information Security, Assignment 2 (CSI2102-Assignment 2 – 201.docx)

Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the club's nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates permissions on the user account, which authorises access to member resources on the CMS.

The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list includes full name and email address. No other information is transferred to Mailchimp.

The dance club also receives emails from parents and other members, either via the website contact page or directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office. Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account that is accessed on the desktop computers in the office.

Dance club staff have access to administer the CMS remotely using portable devices, or on-site using the computers in the office.
Staff change frequently and currently there are no controls in place to restrict system privileges either on the desktop office computers or the CMS. When a staff member is granted access by the system admin, they have full administrative rights to the desktop computers and the CMS.

The owner of the dance club acts as the system administrator for the CMS and desktop computers but has very little technical knowledge and lacks understanding of information security practices. The owner knows only how to create new user accounts with full system access.

There are four primary functions staff need to perform for the club and its members:
1. Update member information via the CMS when necessary
2. Answer emails
3. Update the latest news on the CMS
4. Add events to the CMS so members can register online
5. Add testing sessions to the CMS each month
6. Perform bank reconciliations, i.e., match the income from the CMS to the bank statements. Staff can see all the transactions from the events and membership applications running within the CMS.

Assessment Task
All Stars Dance would like an Information Security assessment on the threats facing their information system and a recommendation on how to protect the information assets.

Note: The assessment and recommendations should be realistic and reflect the case study.
• Introduction: introduce your report and what it will cover.
• Identify and categorise information assets. This includes both digital and physical assets. Minimum of 20 assets (max 30). Assets should be categorised and spread across the system component categories.
• Prioritise the information assets using a weighted factor analysis. Consider the critical impact factors and their associated weightings. The critical impact factors should be documented and discussed, for example, why these particular factors were chosen and their weightings.
• Identify potential threats and vulnerabilities to the information assets. Given the number of threats, a threat category may suffice, i.e., for the CMS you may simply use the threat category software attacks as opposed to every software attack that may occur. One or two threat categories will suffice; however, the threat categories chosen must be realistic.
• Create a risk rating for each asset. You may use the simple method (likelihood x impact).
• Recommend an appropriate classification scheme. You do not need to classify assets; just write a paragraph on what classification schema you would recommend for this business and why. Use references where appropriate.
• Include with your risk assessment table a control strategy, i.e., mitigate, defend, accept for each vulnerability / asset.
• Recommend security controls where necessary, i.e., access control, physical security. Think of the McCumber cube here; you might want to include Policy, Education, Technology. When recommending a technology be specific, i.e., Access Control, but for Policy and Education you may simply state policy or education.
• Reference ISO27001 / ISO27002 where appropriate. For example, if you recommend Access Control or data classification, see where ISO27001 or ISO27002 recommends this and make reference to it.
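Added example (not part of the assignment brief): the weighted factor analysis and likelihood x impact risk rating that the task list describes, run over a few assets drawn from the case study and mapped to the brief's three control strategies. The factor names, weightings, scores, likelihoods and strategy thresholds are assumptions chosen for illustration, not values given in the brief.

```python
from dataclasses import dataclass

# Critical impact factors and weightings (assumed for illustration; must sum to 1.0).
FACTORS = {"member_privacy": 0.40, "revenue": 0.35, "operations": 0.25}
assert abs(sum(FACTORS.values()) - 1.0) < 1e-9, "weights must sum to 1.0"

@dataclass
class Asset:
    name: str
    category: str     # system component category (data, hardware, physical, ...)
    scores: dict      # factor -> 0..100 impact score (assumed)
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed
    threat: str       # threat category, as the brief permits

def weighted_score(asset: Asset) -> float:
    """Weighted factor analysis: sum of weight x score over the factors."""
    return round(sum(w * asset.scores[f] for f, w in FACTORS.items()), 1)

def impact_band(score: float) -> int:
    """Map a 0..100 weighted score onto a 1..5 impact band (assumed mapping)."""
    return min(5, max(1, int(score // 20) + 1))

def risk_rating(asset: Asset) -> int:
    """The brief's simple method: likelihood x impact (1..25)."""
    return asset.likelihood * impact_band(weighted_score(asset))

def control_strategy(rating: int) -> str:
    """Assumed thresholds for the brief's three strategies."""
    return "mitigate" if rating >= 15 else "defend" if rating >= 8 else "accept"

# Constructed from the case study; every number below is an assumption.
ASSETS = [
    Asset("CMS member database", "data",
          {"member_privacy": 95, "revenue": 70, "operations": 80}, 4, "software attacks"),
    Asset("Office desktop computers (no authentication)", "hardware",
          {"member_privacy": 80, "revenue": 40, "operations": 70}, 4, "unauthorised access"),
    Asset("Mailchimp mailing list", "data",
          {"member_privacy": 60, "revenue": 10, "operations": 20}, 2, "software attacks"),
    Asset("Locked filing cabinets (paper applications)", "physical",
          {"member_privacy": 85, "revenue": 10, "operations": 40}, 3, "theft"),
]

def prioritise(assets):
    """Rank assets by weighted score, highest first."""
    return sorted(assets, key=weighted_score, reverse=True)

def risk_register(assets):
    """Rows of (asset, threat, weighted score, risk rating, control strategy)."""
    return [(a.name, a.threat, weighted_score(a), risk_rating(a),
             control_strategy(risk_rating(a))) for a in prioritise(assets)]
```

Calling risk_register(ASSETS) yields the ranked risk assessment table the brief asks for; changing a weighting or a likelihood shows immediately how the ranking and the recommended strategy move.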
Cover / Title page:
You do not need to include the ECU cover page. Create your own cover page that includes the Unit Code, Unit Title and Assignment Title, your name, student number and who the report is prepared for.

Table of Contents:
This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.

Introduction:
Introduce the report, define its scope and state any assumptions. Use in-text references where appropriate. The introduction should introduce the case study and discuss what the report will cover.

Main report content:
• The report must address the task as defined above.
• The report must contain your definition of the problem.
• You must include a risk assessment (inclusive of a weighted factor analysis).
• Critical factors chosen for the weighted factor analysis must be justified in your report, i.e., why you chose them.
• Threats, vulnerabilities, control strategy and recommended controls must be identified.
• Data classification schema recommended.

References:
A list of end-text references formatted according to the ECU requirements using APA 6th or 7th formatting style. Endnote is a good tool for managing referencing and can be downloaded free of charge from the ECU Software Download Service. See the Academic Skills Centre for help. Your references should ideally comprise books, journal articles and conference papers.

Format:
• This report should be no more than 2500 words (excluding title page, table of contents, references and diagrams) and labelled as <CSI2102_your studentid_lastname_firstname>.docx in a single file.
• Your assignments must be word-processed. The text must be no smaller than 12pt, font Times New Roman.
Late Submission
Edith Cowan University Assessment, Examination and Moderation Procedures (Procedure 3.28) for late submission may be applied.
a) Where the assessment task is submitted not more than 7 calendar days late, the penalty will, for each calendar day that it is late, be 5% of the maximum marks available for the assessment.
b) Where the assessment task is more than 7 calendar days late, a mark of zero will be awarded.

Academic Misconduct (Including Plagiarism):
Edith Cowan University regards academic misconduct of any form as unacceptable. Academic misconduct, which includes but is not limited to plagiarism, unauthorised collaboration, cheating in examinations, theft of other students' work, collusion and inadequate and incorrect referencing, will be dealt with in accordance with the ECU Rule 40 Academic Misconduct (including Plagiarism) Policy.

Marking Key
Language and Presentation (3 marks)
• Formal language
• Professionally formatted/drawn diagrams
• Keeping to required format
• Logically structured
• Introduction reflects body of report

Asset Identification (5 marks)
• Assets identified appropriate to the case study
• Minimum of 20 assets identified and correctly categorised

Weighted Factor Analysis (5 marks)
• Critical impact factors appropriate to case study
• Critical impact factors justified
• Performed weighted factor analysis on information assets

Risk (6 marks)
• Risk rating calculated (likelihood / impact matrices)
• Appropriate threats / vulnerabilities identified to assess risk
• Control strategy identified for threats to assets

Data Classification (3 marks)
• Data classification schema recommendation appropriate for case study
• Justified recommended tier system

Recommendations (5 marks)
• Recommended security controls where necessary
• Recommendations adequately reflect the case study
• Referenced ISO27001 / ISO27002

Referencing (3 marks)
• Appropriate use of APA referencing conventions
• Appropriate use of academic references