May 2023
ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Report
Weightage: 40%
Project Submission deadline: Session 12/13
Report (Group activity)
The purpose of the project is to assess students on the following Learning Outcomes:
LO3 Identify security management standards and frameworks for securing Information Systems and discuss possible countermeasures in case-based scenarios.
LO4 Discuss countermeasures that are used in managing risks in Information systems acknowledging cost, complexity of implementation and impact for the users.
LO5 Communicate the application of security management standards, frameworks, and implementation of countermeasures to stakeholders in order to manage risks in Information systems.
__________________________________________________________________
Assignment Overview:
All Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of approximately two hundred dancers.
All Stars Dance operates from a dance studio with a small office located on the second floor of a three-storey building, and shares the building's common lift to the second floor. The club operates during the day and in the evenings between 6 pm and 10 pm. Currently, anyone can reach the second floor via the lift 24 hours a day; however, the studio locks its entry door when it closes for the day, so access to the studio itself is restricted to opening hours.
The dance club has two networked desktop computers and one printer on site, connected to the internet via a modem-router supplied by its ISP. New member applications and other information, such as policies, procedures and member information, are stored both digitally (on the computers or on websites) and on site in locked cabinets. The computers currently do not have authentication enabled.
The dance club has just launched a new web portal that lets members do the following online:
Apply and pay for dance club membership
Enter dance competitions
Register for testing. Dancers apply for a test when they have reached a certain level, in preparation for the next level, i.e., beginner, intermediate, advanced and elite.
Make general enquiries
To become a member of the dance club, dancers are required to visit the website and apply for membership, or renew their existing membership. Once a dancer enters the system for the first time, i.e., pays for their first membership, they are issued a username and password for the website, which they use to enter competitions and register for dance tests.
The web portal is an open-source content management system (Joomla CMS) hosted in Australia by a third-party hosting provider. The CMS handles memberships, competition events and member information such as dance level (beginner through to elite) and personal information (age, gender, address).
Club membership runs from January 1 through to December 31 each year regardless of the application date. The CMS allows members to purchase a membership, read member-only news and register for events or dance tests online; thus, the CMS is responsible for most of the member data processing.
Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the club’s nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates permissions on the user account which authorises access to member resources on the CMS.
The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. The personal information collected for the mailing list consists of full name and email address; no other information is transferred to Mailchimp.
The dance club also receives emails from parents and other members, either via the website contact page or directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office.
Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account, which is accessed on the desktop computers in the office.
Dance club staff can administer the CMS remotely using portable devices, or on site using the computers in the office. Staff change frequently, and there are currently no controls in place to restrict system privileges on either the office desktop computers or the CMS: when a staff member is granted access by the system administrator, they receive full administrative rights to both the desktop computers and the CMS.
The owner of the dance club acts as the system administrator for the CMS and the desktop computers but has little technical knowledge and lacks an understanding of information security practices. The owner knows only how to create new user accounts with full system access.
Staff need to perform the following primary functions for the club and its members:
Update member information via the CMS when necessary
Answer emails
Update the latest news on the CMS
Add events to the CMS so members can register online
Add testing sessions to the CMS each month
Perform bank reconciliations, i.e., match the income recorded in the CMS to the bank statements. Staff can see all transactions from events and membership applications within the CMS.
Assessment Tasks
All Stars Dance would like an Information Security assessment on the threats facing their information system and a recommendation on how to protect the information assets.
Task 1 – Identify and categorize information assets
Students are required to identify both digital and physical assets, a minimum of twenty in total. Assets should be categorised and spread across the system component categories. Prioritise the information assets according to their importance to the business process, and discuss the critical importance of each asset: for example, why these assets were chosen and how their weightings were assigned.
Task 2 – Identify potential threats, vulnerabilities, and risks to the information assets
Given the number of possible threats, a threat category may suffice; for example, for the CMS you may simply use the threat category "software attacks" rather than listing every software attack that may occur. One or two threat categories will suffice; however, the threat categories chosen must be realistic.
Task 3 – Identify the security management standards and framework
In this task students are required to discuss the implementation steps for ISO/IEC 27001 and the NIST (National Institute of Standards and Technology) Cybersecurity Framework.
Task 4 – Critically discuss the possible countermeasure framework
In this task you will critique both ISO/IEC 27001 and the NIST Cybersecurity Framework and explain which framework you would choose, with comprehensive justification.
Task 5 – Propose an improved IT (Information Technology) infrastructure
Based on the chosen framework, propose an improved IT infrastructure. You are free to use any drawing tool to illustrate your proposed IT system; I would recommend draw.io for depicting the infrastructure design. The solution should include the following components:
Network Security Mechanisms
Encryption & Intrusion Detection System
Software Controls
Hardware security
Policies & Physical Controls.
Data security policies
Physical & digital storage solutions.
Access control.
Email security
Task 6 – Acknowledgement of cost and complexity of implementation and impact on the users
This section should discuss the usability of the proposed security measures and the additional steps they introduce for all stakeholders. The usability discussion should cover the following factors:
Psychological Acceptability
Economic Acceptability
Reconfigurability/Scalability/Sustainability/Manageability
Group composition instructions:
The maximum number of students in one group is FOUR. The same group should be used for the presentation assessment.
All the groups will be finalised according to lecturer’s instructions.
Only one member from the group should submit the report and the remaining members should submit the group participation form.
Any student who does not submit the participation form will not be marked for the assessment.
Marking Guide
S.No  Assessment Item                                                                                  Marks allocated
1     Task 1 – Identify and categorize information assets                                              10 Marks
2     Task 2 – Identify potential threats, vulnerabilities, and risks to the information assets        10 Marks
3     Task 3 – Identify the security management standards and framework                                25 Marks
4     Task 4 – Critically discuss the possible countermeasure framework                                25 Marks
5     Task 5 – Propose an improved IT infrastructure                                                   20 Marks
6     Task 6 – Acknowledgement of cost and complexity of implementation and impact on the users        10 Marks
      Total                                                                                            100 Marks
Marking Rubrics
Grade bands: Exceptional (>=80%), Admirable (70% – 79%), Creditable (60% – 69%), Acceptable (50% – 59%), Unsatisfactory (<=49%).

Task 1 (10 Marks)
Exceptional: More than twenty relevant digital and physical assets were identified. Excellent description of their importance and weightage.
Admirable: Almost twenty relevant digital and physical assets were identified. A good description of their importance and weightage.
Creditable: At least fifteen relevant digital and physical assets were identified. A decent description of their importance and weightage.
Acceptable: Several of the identified digital and physical assets were irrelevant. The description of their importance and weightage is not comprehensive.
Unsatisfactory: Most of the identified digital and physical assets were irrelevant. No description of their importance and weightage is provided.

Task 2 (10 Marks)
Exceptional: An excellent analysis of all the threats, vulnerabilities and risks posed, covering all seven domains, is presented.
Admirable: A good analysis of most of the threats, vulnerabilities and risks posed, covering all seven domains, is presented.
Creditable: A decent analysis of most of the threats, vulnerabilities and risks posed is presented, but it does not cover all seven domains.
Acceptable: A limited analysis of the threats, vulnerabilities and risks posed is presented, and it does not cover all seven domains.
Unsatisfactory: An only remotely relevant analysis of the threats, vulnerabilities and risks posed is presented, and it does not cover all seven domains.

Task 3 (25 Marks)
Exceptional: An excellent discussion of both ISO/IEC 27001 and the NIST Cybersecurity Framework is provided. All external sources are referenced properly.
Admirable: A comprehensive discussion of both ISO/IEC 27001 and the NIST Cybersecurity Framework is provided. Most external sources are referenced properly.
Creditable: A decent report on both ISO/IEC 27001 and the NIST Cybersecurity Framework is provided. Some of the information is missing references.
Acceptable: The description shows a lack of understanding of ISO/IEC 27001 and the NIST Cybersecurity Framework. Very few references were used.
Unsatisfactory: The description is very generic and of limited relevance to the given case study. No references were used.

Task 4 (25 Marks)
Exceptional: An excellent critical analysis is provided, with a comprehensive justification for choosing a suitable security framework. References are properly provided.
Admirable: A good critical analysis is provided, with a justification for choosing a suitable security framework. Some references are not appropriate.
Creditable: A decent critical analysis is provided. The justification for choosing a suitable security framework is missing some key arguments. Very few references are given.
Acceptable: A critical analysis of limited relevance is provided. The justification for choosing a suitable security framework is missing. References are mostly online sources.
Unsatisfactory: A critical analysis with clumsy and choppy details is provided. The justification for choosing a suitable security framework is missing. References are not used.

Task 5 (20 Marks)
Exceptional: An excellent IT infrastructure covering both network and data components is provided. The IT framework diagram illustrates the proposed solution efficiently.
Admirable: A good IT infrastructure covering both network and data components is provided. The IT framework diagram illustrates the proposed solution.
Creditable: A decent IT infrastructure covering both network and data components is provided. The IT framework diagram does not cover the entire proposed solution.
Acceptable: The IT infrastructure does not cover most of the network and data components. The IT framework diagram is basic.
Unsatisfactory: The IT infrastructure does not cover all the network and data components. No IT framework diagram is provided.

Task 6 (10 Marks)
Exceptional: The usability discussion based on the three required factors is very effective.
Admirable: The usability discussion based on the three required factors is good.
Creditable: The usability discussion based on the three required factors is brief and lacks research.
Acceptable: The usability discussion does not cover all three factors.
Unsatisfactory: The usability discussion is very generic and only remotely related to the case study.
Referencing guides
You must reference all the sources of information you have used in your assessments. Please use the IEEE referencing style when referencing your assessments in this unit. Refer to the library’s reference guides for more information.
Academic misconduct
VIT requires that the integrity of its students' academic work meet an acceptable standard of excellence. VIT will adhere to its Policies, Procedures and Forms, which explain the importance of staff and student honesty in academic work and outline the kinds of behaviour that constitute "academic misconduct", including plagiarism.
Late submissions
Where there are no accepted mitigating circumstances, as determined through VIT Policies, Procedures and Forms, late submission of assessments will automatically incur a penalty. Penalties are applied as soon as the deadline is reached.
Short extensions and special consideration
Special Consideration is a request for either:
an extension of the due date for an assessment other than an examination (e.g., an assignment extension); or
Special Consideration concerning a completed assessment, including an end-of-unit examination.
Students wishing to request Special Consideration for an assessment whose due date has not yet passed must email the teaching team in writing as early as possible, and before the start time of the assessment due date, attaching any supporting documents such as medical certificates.
Contract Cheating
Contract cheating usually involves the purchase of an assignment or piece of research from another party. This may be facilitated by a fellow student or friend, or purchased on a website. Other forms of contract cheating include paying another person to sit an exam in the student's place.
Contract cheating warning:
By paying someone else to complete your academic work, you do not learn as much as you could have if you did the work yourself.
You are not prepared for the demands of your future employment.
You could be found guilty of academic misconduct.
Many for-pay contract cheating companies recycle assignments despite guarantees of "original, plagiarism-free work", so the similarity is easily detected by Turnitin.
Penalties for academic misconduct include suspension and exclusion.
Students in some disciplines are required to disclose any findings of guilt for academic misconduct before being accepted into certain professions (e.g., law).
You might disclose your personal and financial information in an unsafe way, leaving yourself open to many risks including identity theft.
You also leave yourself open to blackmail: if you pay someone else to do an assignment for you, they know you have engaged in fraudulent behaviour and can blackmail you at any time.