Edith Cowan University
School of Science
Assignment 2: Information Security
Details
| Title | Information Security Assignment 2 |
| Due Date | 05.00 PM (GMT+8) Friday May 15, 2020 |
| Value | 30% of the final mark for the unit |
| Length | 2000 words, maximum 2500 (excluding cover page and references) |
Case Study
Overview
In this Assignment you will be required to perform an information security analysis that includes a risk assessment,
and data classification recommendation for a small dance club. The assignment will rely on concepts covered from
week 1 through to week 10. The deliverable is a 2000 (maximum 2500) word report summarising the information
assets and threats to information.
Background
All Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of
approximately 200 dancers.
All Stars Dance operates from a dance studio with a small office located on the second floor of a three-storey
building. ASD shares a common lift to the second floor. The dance club operates during the day and in the evenings
between 6pm and 10pm. Currently anyone can access the second floor via the lift 24 hours a day; however, the
studio locks the entry door when it closes for the day, thus restricting access to the studio to opening hours only.
The dance club has two networked desktop computers on site and one printer, and is connected to the internet via a
modem-router supplied by its ISP. New member applications and other information such as policy,
procedures, and member information are stored both digitally (on the computers or the website) and on-site in locked
cabinets. The computers currently do not have authentication enabled.
The dance club has just launched a new web portal that allows its members to:
• apply and pay for dance club membership
• enter dance competitions
• register for testing. Dancers will generally apply for a test when they have reached a certain level in
preparation for the next level, i.e., beginner, intermediate, advanced, elite.
• make general enquiries
To become a member of the dance club, dancers are required to visit the website and apply for membership or
renew their existing membership. Once a dancer enters the system for the first time, i.e., pays for their first
membership, they are provided with a username and password for the website in order to enter competitions and
register for dance tests.
The web portal is an open source Content Management System (Joomla CMS) that is hosted in Australia by a
third-party hosting provider. The CMS handles memberships, competition events and member information such as
dance levels (beginner to advanced) and personal information (age, gender, address).
Club membership runs from January 1 through to December 31 each year regardless of the application date. The
CMS allows members to purchase membership, read member only news and register for events or dance tests
online; thus, the CMS is responsible for most of the member data processing.
CSI2102 Principles of Information Security
Assignment 2
CSI2102-Assignment 2 – 201.docx 2
Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the
club’s nominated bank account. Once a member has paid for membership, the system adds the member to a
mailing list and updates permissions on the user account which authorises access to member resources on the
CMS.
The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal
information collected for the mailing list includes full name and email address. No other information is transferred to
Mailchimp.
The dance club also receives emails from parents and other members, either via the website contact page or
directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office.
Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account that is
accessed on the desktop computers in the office.
Dance club staff have access to administer the CMS remotely using portable devices, or on-site using the
computers in the office. Staff change frequently and currently there are no controls in place to restrict system
privileges either on the desktop office computers or the CMS. When a staff member is granted access by the
system admin, they have full administrative rights to the desktop computers and the CMS.
The owner of the dance club acts as the system administrator for the CMS and desktop computers but has very
little technical knowledge and lacks understanding of information security practices. The owner knows only how to
create new user accounts with full system access.
There are six primary functions staff need to perform for the club and its members:
1. Update member information via the CMS when necessary
2. Answer emails
3. Update the latest news on the CMS
4. Add events to the CMS so members can register online
5. Add testing sessions to the CMS each month
6. Perform bank reconciliations, i.e., match the income from the CMS to the bank statements. Staff can see
all the transactions from the events and membership applications running within the CMS.
Assessment Task
All Stars Dance would like an Information Security assessment on the threats facing their information system and a
recommendation on how to protect the information assets.
Note: The assessment and recommendations should be realistic and reflect the case study.
| Action Steps |
| Introduction: introduce your report and what it will cover. |
| Identify and categorise information assets. This includes both digital and physical assets. Minimum of 20 assets (max 30). Assets should be categorised and spread across the system component categories |
| Prioritise the information assets using a weighted factor analysis. Consider the critical impact factors and their associated weightings. The critical impact factors should be documented and discussed. For example, why these particular factors were chosen and their weightings. |
| Identify potential threats and vulnerabilities to the information assets. Given the number of threats, a threat category may suffice, e.g., for the CMS you may simply use the threat category software attacks as opposed to every software attack that may occur. One or two threat categories will suffice; however, the threat categories chosen must be realistic. |
| Create a risk rating for each asset. You may use the simple method (likelihood × impact). |
| Recommend an appropriate classification scheme. You do not need to classify assets; just write a paragraph on what classification schema you would recommend for this business and why. Use references where appropriate. |
| Include with your risk assessment table a control strategy, i.e., mitigate, defend, accept for each vulnerability / asset. |
| Recommend security controls where necessary, e.g., access control, physical security. Think of the McCumber cube here; you might want to include Policy, Education, Technology. When recommending a technology be specific, i.e., Access Control, but for Policy and Education you may simply state policy or education. |
| Reference ISO27001 / ISO27002 where appropriate. For example, if you recommend Access Control or data Classification see where ISO27001 or ISO27002 recommends this and make reference to it. |
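A worked example of the weighted factor analysis and the likelihood × impact risk rating asked for in the action steps above. This is an added illustration, not part of the assignment brief: the critical impact factors, their weights, the sample assets, their scores, likelihood and impact values, and the bands that map a rating to accept / mitigate / defend are all constructed assumptions chosen for the demonstration. A report on this case study must choose and justify its own.

```python
"""Weighted factor analysis (WFA) and likelihood x impact risk rating.

Constructed illustration for the All Stars Dance case study. The factors,
weights, assets, scores and strategy bands below are assumptions chosen for
the demonstration; the assignment brief does not supply them.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed critical impact factors and weights; the weights must sum to 1.0.
FACTORS: dict[str, float] = {
    "confidentiality": 0.4,  # exposure of member personal information
    "profitability": 0.3,    # membership, competition and test revenue
    "availability": 0.3,     # the club's ability to keep operating
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str             # people, procedures, data, software, hardware, networking
    scores: dict[str, float]  # factor -> criticality score in 0.0..1.0
    likelihood: int           # 1 (rare) .. 5 (almost certain) that a threat is realised
    impact: int               # 1 (negligible) .. 5 (severe) consequence if it is


def weights_valid(factors: dict[str, float]) -> bool:
    """A WFA is only meaningful when the weights are non-negative and sum to 1."""
    return all(w >= 0 for w in factors.values()) and abs(sum(factors.values()) - 1.0) < 1e-9


def weighted_score(asset: Asset, factors: dict[str, float] = FACTORS) -> float:
    """Sum of weight * score over every factor, rounded for a report table."""
    if not weights_valid(factors):
        raise ValueError("factor weights must be non-negative and sum to 1.0")
    missing = set(factors) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name!r} has no score for {sorted(missing)}")
    for factor, score in asset.scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{asset.name!r}: score for {factor} outside 0..1")
    return round(sum(w * asset.scores[f] for f, w in factors.items()), 3)


def rank_assets(assets: list[Asset], factors: dict[str, float] = FACTORS) -> list[tuple[str, float]]:
    """Assets ordered from most to least critical by weighted score."""
    scored = [(a.name, weighted_score(a, factors)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_rating(asset: Asset) -> int:
    """Simple method: likelihood x impact on a 5 x 5 matrix (range 1..25)."""
    for value in (asset.likelihood, asset.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{asset.name!r}: likelihood and impact must be 1..5")
    return asset.likelihood * asset.impact


def control_strategy(rating: int) -> str:
    """Assumed bands mapping a rating to the brief's control strategies."""
    if rating <= 5:
        return "accept"
    if rating <= 12:
        return "mitigate"
    return "defend"


def risk_register(assets: list[Asset]) -> list[dict[str, object]]:
    """One row per asset, highest risk first, as the report's risk table would list them."""
    rows = []
    for a in sorted(assets, key=risk_rating, reverse=True):
        rating = risk_rating(a)
        rows.append({
            "asset": a.name,
            "category": a.category,
            "weighted_score": weighted_score(a),
            "risk": rating,
            "strategy": control_strategy(rating),
        })
    return rows


# Constructed sample drawn from the case study; scores, likelihood and impact are assumptions.
SAMPLE_ASSETS = [
    Asset("Member personal information (CMS database)", "data",
          {"confidentiality": 1.0, "profitability": 0.6, "availability": 0.6}, 4, 5),
    Asset("Joomla CMS web portal", "software",
          {"confidentiality": 0.8, "profitability": 1.0, "availability": 0.9}, 4, 4),
    Asset("Office desktop computers (no authentication)", "hardware",
          {"confidentiality": 0.7, "profitability": 0.3, "availability": 0.5}, 3, 3),
    Asset("ISP-supplied modem-router", "networking",
          {"confidentiality": 0.5, "profitability": 0.3, "availability": 0.8}, 2, 3),
    Asset("Paper records in locked cabinets", "data",
          {"confidentiality": 0.9, "profitability": 0.2, "availability": 0.3}, 2, 2),
    Asset("Owner acting as system administrator", "people",
          {"confidentiality": 0.8, "profitability": 0.7, "availability": 0.9}, 3, 4),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:.3f}  {name}")
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['risk']:>2}  {row['strategy']:<8}  {row['asset']}")
```

Note that the two rankings deliberately differ: the weighted factor analysis orders assets by how much the club depends on them, while the risk register orders them by how likely and how damaging a threat is, so an asset can sit high in one table and lower in the other. The weight check matters because a set of weights that does not sum to one silently inflates or deflates every score and makes the ranking incomparable across reports.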
| Report Requirements | |
| Cover / Title page | You do not need to include the ECU cover page. Create your own cover page that includes the Unit Code, Unit Title and Assignment Title, your name, student number and who the report is prepared for. |
| Table of Contents | This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers. |
| Introduction | Introduce the report, define its scope and state any assumptions. Use in-text references where appropriate. The introduction should introduce the case study and discuss what the report will cover. |
| Main report content | • The report must address the task as defined above. • The report must contain your definition of the problem. • You must include a risk assessment (inclusive of a weighted factor analysis). • Critical factors chosen for the weighted factor analysis must be justified in your report, i.e., why you chose them. • Threats, vulnerabilities, control strategy and recommended controls must be identified. • Data classification schema recommended. |
| References | A list of end-text references formatted according to the ECU requirements using APA 6th or 7th formatting style. EndNote is a good tool for managing referencing and can be downloaded free of charge from the ECU Software Download Service. See the Academic Skills Centre for help. Your references should ideally comprise books, journal articles and conference papers. |
| Format | • This report should be no more than 2500 words (excluding title page, table of contents, references and diagrams) and labelled as <CSI2102_your studentid_ lastname_firstname>.docx in a single file. • Your assignments must be word-processed. The text must be no smaller than 12pt, font Times New Roman. |
Late Submission
Edith Cowan University Assessment, Examination and Moderation Procedures (Procedure 3.28) for late
submission may be applied.
a) Where the assessment task is submitted not more than 7 calendar days late, the penalty will, for each
calendar day that it is late, be 5% of the maximum marks available for the assessment.
b) Where the assessment task is more than 7 calendar days late, a mark of zero will be awarded.
Academic Misconduct (Including Plagiarism):
Edith Cowan University regards academic misconduct of any form as unacceptable. Academic misconduct, which
includes but is not limited to: plagiarism, unauthorised collaboration, cheating in examinations, theft of other
students' work, collusion and inadequate or incorrect referencing, will be dealt with in accordance with the ECU
Rule 40 Academic Misconduct (including Plagiarism) Policy.
Marking Key
| Criterion | Description | Marks |
| Language and Presentation | • Formal language • Professionally formatted/drawn diagrams • Keeping to required format • Logically structured • Introduction reflects body of report | 3 |
| Asset Identification | • Assets identified appropriate to the case study • Minimum of 20 assets identified and correctly categorised | 5 |
| Weighted Factor Analysis | • Critical impact factors appropriate to case study • Critical impact factors justified • Performed weighted factor analysis on information assets | 5 |
| Risk | • Risk rating calculated (likelihood / impact matrices) • Appropriate threats / vulnerabilities identified to assess risk • Control strategy identified for threats to assets | 6 |
| Data Classification | • Data classification schema recommendation appropriate for case study • Justified recommended tier system | 3 |
| Recommendations | • Recommended security controls where necessary • Recommendations adequately reflect the case study • Referenced ISO27001 / ISO27002 | 5 |
| Referencing | • Appropriate use of APA referencing conventions • Appropriate use of academic references | 3 |