CSG3309 IT Security Management
Group Assignment
Information Security Management
Assignment 2: Group Case Study: Pandora WebDev Solutions
Unit Value: 40%
Page Limit 20 pages (excluding references)
Group size Max 4
Learning Outcomes
The purpose of this assignment is to support the following Unit Learning Outcomes (LO) for this unit.
2 Collaboratively analyse and report on information technology security management issues and emergent trends.
3 Propose a solution for information technology security management issues
Background
Pandora WebDev Solutions (PWDS) is undertaking a security improvement programme. The programme aims to reduce information security risks to PWDS by implementing a range of security measures.
• You are to take on the role of an IT Security Management consultant
• PWDS ™ is a Perth based business struggling with IT security. Their business has already seen several security incidents occur.
• The CTO has approached you to help advise on the best way forward as they attempt to establish a security division. You have been provided with the attached background
confidential briefing document.
Task:
Your task is to analyse the security issues with PWDS and create a plan to implement programs and projects to improve the IT Security of the company. You have to work with another security consultant as a group.
• The specific requirement is to prepare a professional quality risk assessment and recommendation for PWDS.
• The proposed plan must address the IT Security issues and improve their security status both immediately and into the future.
• The report must demonstrate that you have thoroughly analysed and understood the IT security management issues of PWDS.
• The report structure and scope of the implementation plan is up to you.
• Include individual contribution statements at the end of the report.
In a real work environment, you will not be given explicit details how you should write the report. Quite often, the content of a report will be entirely your discretion; this means you need to carefully consider the scope of your report so that you do not exceed your time or budget (in this case available study hours).
Remember: Your goal is to improve the IT Security of PWDS by advising the CTO on the best course of action. They ve paid you good money and they want a detailed report outlining the risks to the company and potential remediation strategies. The company also wants to know that if they implement your recommendations, they will get a good return on their security investment. There is no right solution, and the security problems are acknowledged to be significant.
Task: Create a detailed response document that will solve the security problems for PWDS.
Submit: ONE response document Maximum 20 pages including all attachments, appendices, diagrams etc. (NOT including, cover pages, table of contents or references)
• Your response document should be a professional report that demonstrates the considerations given by each of your teams.
• Only one team member will submit the document.
• ALL team members will submit a peer review (download from canvas)
• Insert at the end of your document, the Change Contribution (file on canvas)
• Word Limit: There is no word limit, moreover a page limit. The document will be marked on quality rather than quantity of words or pages. Keep in mind that only 20 pages of content will be assessed so be concise and be clear on what you are trying to
communicate in every section.
Assignment Deliverables and Requirements
1. Risk Assessment:
An information security risk assessment (assets, threats, vulnerabilities). The risk assessment should be prioritised to handle the greatest risks to the business first. This task will require:
a) asset identification (Maximum of 30 assets) and;
b) a weighted factor analysis (WFA) to prioritise business assets. You need only perform WFA on 20 assets, BUT select the most obvious information assets for analysis, i.e., production servers and critical business machines.
c) justification of your WFA criteria and weightings. The criteria must align with the business model.
identification of threats and vulnerabilities for the prioritised asset list
d) assess the risk using some method, i.e., NIST SP 800-30 or some other standard.
e) write up the recommendations for the top 5 risks, i.e., control the risk (defend, mitigate, accept, transfer, terminate). You should have a risk register, preferably in the
appendices, that contains the remaining identified risks. You should refer to the risk register where appropriate.
Note on assets: Consider all components that are involved in IT Security Management (i.e., People, Procedures, Hardware, Software, Data, IoT, Network.
2. Project Management:
Create a Work Breakdown Structure (WBS) to manage the tasks for this project.
Note: This is NOT a project management unit, but there are some aspects required for this
assignment. It is important that your client understands what work you propose to do. This
means you do not need to apply full project management methods to the problem, but you
should describe the overall list of tasks/processes (WBS) that will help secure your client. This will include costs. It is recognised these costs will only be estimates and you may apply a range, i.e., between 10-15,000.
3. Demonstrate understanding of current Industry Standards and Best Practices:
Reference the relevant industry standards, benchmarks, whitepapers, or best practices
(researched or proposed). For example, if you base any solution, control or program on standards, reference which standards are used (e.g., ISO27001/2. NIST publications, CIS Controls, ISM).
Standards should be referenced throughout the report, not a written section on how good standards are.
4. Policy and Compliance:
Address compliance requirements (if any) at the executive level of the business. Consider the following;
• Are there specific information security laws / policy governing certain technologies?
• Do you need to create any supporting policy for legal obligations?
• Can you use compliance requirements to justify your recommendations to the client?
• Consider SIEM software, is it overkill or appropriate?
5. IT Security Programme Implementation:
Describe the proposed implementation strategy, i.e., Direct, Phased, Parallel, Direct
Changeover. This criterion will form part of a work package and can be addressed in the WBS. It is not necessary to write a section about implementation, however you may want to estimate an approximate timeframe. for the program implementation.
6. Operational security (Recommendations):
What security controls would be suitable for the identified risks, list the controls and
remediation. This section should closely align with the risk assessment. Note: you are not
required to write about every risk assuming you have a minimum of 20, based on the prioritised assets. You should summarise your findings including the top 5 - 10 risks. You can refer the
reader to the risk register or some other document in the appendices for the remaining risks (that outlines the controls).
Include in the proposal a recommendation for contingency planning. This need only be an
outline of how you propose to address Business Continuity. For example, what plans you
recommend for PWDS (IRP, DRP, BCP). The proposal does not need to include these plans, BUT you do need to demonstrate you understand the importance of, and have thought about, contingency planning.
7. Cost/Budget Estimates
A draft budget on how much these changes will cost (rough estimates are fine – BUT you must support your numbers if you use them). This could include estimated:
• staffing costs
• IT technology costs
• training costs
• hardware costs
• insurances
• funding for additional research.
Hint: you may include most, if not all, of this information in the WBS. Any supporting
documentation to support costing may be included in the Appendices. It is also ok to include a
short paragraph when writing the recommendations about the estimated overall cost and time to implement.
8. Ares for future security programmes, research, and improvement:
There will undoubtedly be security problems that are out of scope for this proposal, attributed to time and financial constraints, Nonetheless, in concluding, provide a brief overview of future
projects that PWDS will need to address in the near future. This can be a written sub section, or table format. This section need not be exhaustive, you do not need to think of every problem
imaginable, moreover, describe the problems that are out of scope, i.e., a set of contingency plans or Risks outside the top 10.
Future projects will likely include low information security risks derived from the Risk Assessment. You should refer to these risks where appropriate.
All your recommendations should be derived from the Risk Assessment. Understandably you cannot address all of risks, but you need to address at a minimum, the top 5 at a minimum. You will need to use critical thinking to determine what is realistic. Take into account the business
goals, size and structure of the business and the sensitivity of the information this business processes and stores.
NOTE: It is UNDERSTOOD that you will need to make guesses and assumptions to complete
this assignment. Just make sure these are realistic and well documented as you go. E.g., Find a few reputable online sources for vulnerabilities, equipment, security services or job
advertisements – cite these as your sources.
You are being assessed on your ability to anticipate and analyse IT security issues and the
solutions you create for these issues, not the technology recommended in the solution.
However, you should try to keep any technical recommendations realistic and helpful – support your work with citations.
To be successful in this assignment you will need to work together. This is a large piece of
assessment that can be broken down into smaller very achievable goals. It is recommended
you run your OWN project plan to ensure your group delivers on this assignment successfully. Each week you are given Assignment preparation tasks designed to address one section of the assignment. Please do not ignore them.