ICTNWK520 Design ICT system security controls


Details of Assessment
Term and Year:
Time allowed:
Assessment No: 1
Assessment Weighting: 60%
Assessment Type: Written Response
Due Date: Week No. 4
Room:
Details of Subject
Qualification: ICT50118 Diploma of Information Technology
Subject Name: System Security
Details of Unit(s) of competency
Unit Code(s) and Names: ICTNWK520 Design ICT system security controls
Details of Student
Student Name:
College:
Student ID:
Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.
Student’s Signature: ____________________ Date:         _____/_____/_________
Details of Assessor
Assessor's Name:
Assessment Outcome
Assessment Result: Competent / Not Yet Competent
Marks: /100
Feedback to Student (progressive feedback to students, identifying gaps in competency and comments on positive improvements): ____________________________________________
Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student. Student attended the feedback session / Student did not attend the feedback session.
Assessor’s Signature: ___________________ Date:         _____/_____/________

Purpose of the assessment
The purpose of this assessment is to assess the student in the following outcomes, each recorded as Competent (C) or Not yet Competent (NYC):
Performance Criteria: ICTNWK520 Design ICT system security controls
1. Review organisational security policy and procedures
1.1 Review business environment to identify existing requirements
1.2 Determine organisational goals for legal and security requirements
1.3 Verify security needs in a policy document
1.4 Determine legislative impact on business domain
1.5 Gather and document objective evidence on current security threats
1.6 Identify options for using internal and external expertise
1.7 Establish and document a standard methodology for performing security tests
2. Develop security plan
2.1 Investigate theoretical attacks and threats on the business
2.2 Evaluate risks and threats associated with the investigation
2.3 Prioritise assessment results and write security policy
2.4 Document information related to attacks, threats, risks and controls in a security plan
2.5 Review the security strategy with security approved key stakeholders
2.6 Integrate approved changes into business plan and ensure compliance with statutory requirements
Assessment/evidence gathering conditions
Each assessment component is recorded as either Competent (C) or Not Yet Competent (NYC). A student can only achieve competence when all assessment components listed under “Purpose of the assessment” section are recorded as competent. Your trainer will give you feedback after the completion of each assessment. A student who is assessed as NYC (Not Yet Competent) is eligible for re-assessment.
Resources required for this assessment
Computer with relevant software applications and access to internet; weekly eLearning notes relevant to the tasks/questions
Instructions for Students
Please read the following instructions carefully.
This assessment must be completed: In class / At home
The assessment is to be completed according to the instructions given by your assessor. Feedback on each task will be provided to enable you to determine how your work could be improved. You will be provided with feedback on your work within two weeks of the assessment due date. All other feedback will be provided by the end of the term. Should you not answer the questions correctly, you will be given feedback on the results and your gaps in knowledge. You will be given another opportunity to demonstrate your knowledge and skills to be deemed competent for this unit of competency. If you are not sure about any aspect of this assessment, please ask for clarification from your assessor. Please refer to the College re-assessment for more information (Student handbook).
Case Study
Located in Sydney, Devon Accounting is a medium-sized accounting company that offers tools and technologies to prepare all types of tax returns, including individual, sole trader, partnership, trust and company returns. They also provide a broad range of small business accounting services, including bookkeeping, financial statement preparation, tax planning, and advice.
The company headquarters is located in Sydney in a three-storey building with each floor being approximately 2000 square meters. The regional offices are located in Dubbo, Orange, Ballina and Kiama. All of the offices have at least one wireless access point and several of the offices have three or more. Each office has its own local internet connection. All the remote offices are connected to headquarters via a leased WAN connection.
| Floor | Department | Employees Year 1 | Employees Year 2 |
|---|---|---|---|
| Ground | Showroom | 3 | 4 |
| Ground | Accounts | 30 | 45 |
| Ground | Payroll | 3 | 6 |
| Ground | IT | 5 | 9 |
| 1st | Sales & Marketing | 45 (15 remote) | 90 (50 remote) |
| 1st | Customer Service | 7 | 12 |
| 2nd | Corporate | 5 | 7 |
| 2nd | Administration | 8 | 12 |
| 2nd | Human Resources | 3 | 5 |
| | Total | 109 | 190 |
Most of the workstations are running a mix of Windows and Macintosh operating systems. The graphics department uses Apple computers. Static IP addresses are typically assigned to common resources and DHCP is used for workstations. When the network was originally designed, IP subnets were assigned to different offices and departments. However, over time and as the network has grown, this subnet organisation has broken down. Over the last several years IP subnets have been assigned and reassigned without any regard to location.
All connections to the internet are protected by firewalls and network intrusion detection systems. All the workstations have virus-scanning software and a central console is used to push out signature updates. Workstations and servers are generally kept up to date with patches and service packs. The networking staff has employed all the standard security practices one would expect to find at most organisations of this size.
Although network security is well established in this company, there are still several IT security vulnerabilities that the company faces on a regular basis, mostly from human-machine interactions.
For example, a salesperson who frequently holds meetings in a conference room near his office was frustrated by the lack of available network connections for meeting participants. He decided to pick up an inexpensive wireless access point at his local electronics store and plugged it in. The salesman didn't consider that the conference room was next to the parking lot, making the access point available to the public.
Another problem they face is the amount of time it takes for the network administrator to locate infected computers whenever a virus strikes throughout the enterprise. It is always a challenge to quickly identify, locate and disable the switch ports of infected machines. It can take up to 45 minutes per workstation, for a potential total of 75 hours, to locate and identify the infected users. This process usually includes logging into and querying routers and switches, and physically going to the switch to identify the port and trace the wire to the workstation. This process would be even more difficult if the workstation happened to be in a remote location, should the company expand in future.
This process is unproductive, costly and time consuming. Additionally, it assumes some knowledge of the network architecture. A new network administrator who did not possess knowledge of the network topology would have a much more difficult time locating the infected workstations.
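The manual hunt described above (read the ARP table on the router to turn the infected IP into a MAC address, then find which switch port learned that MAC) is the part that can be scripted, and it does not depend on knowing which subnet belongs to which office. The following Python is an added example, not part of the assessment or of Devon Accounting's environment: the ARP and MAC-address-table text is constructed sample output in Cisco IOS style, and the switch names, the uplink port `Gi0/24` and the `containment_commands` helper are assumptions. In practice the same parsers would be fed the output collected from the real devices over SSH or SNMP.

```python
"""Map an infected host's IP address to the switch and port it sits on.

Added example for the case study; constructed sample data, not real devices.
"""
import re

# Constructed sample: router ARP table (IP -> MAC). As in the case study, the
# subnets say nothing about where a host physically is.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.14             12   0011.2233.4455  ARPA   Vlan20
Internet  10.1.30.7               3   0011.2233.aabb  ARPA   Vlan30
Internet  10.1.20.99              0   00aa.bbcc.dd01  ARPA   Vlan20
"""

# Constructed sample: "show mac address-table" from two access switches.
# The uplink port (Gi0/24) learns every MAC behind it; a host port learns one.
SWITCH_MAC_TABLES = {
    "sw-ground-1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi0/24
  30    0011.2233.aabb    DYNAMIC     Gi0/24
  20    00aa.bbcc.dd01    DYNAMIC     Gi0/7
""",
    "sw-first-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi0/3
  30    0011.2233.aabb    DYNAMIC     Gi0/11
  20    00aa.bbcc.dd01    DYNAMIC     Gi0/24
""",
}

# Assumption: trunk/uplink ports, taken from the network diagram in a real run.
UPLINK_PORTS = {"Gi0/24"}

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s", re.I | re.M)
MAC_RE = re.compile(r"^\s*\d+\s+([0-9a-f.]{14})\s+\S+\s+(\S+)\s*$", re.I | re.M)


def parse_arp(text):
    """IP address -> MAC address (lower-cased dotted-hex) from ARP output."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}


def parse_mac_table(text):
    """MAC address -> port from a switch MAC-address-table dump."""
    return {mac.lower(): port for mac, port in MAC_RE.findall(text)}


def locate(ip, arp_text=ROUTER_ARP, tables=SWITCH_MAC_TABLES, uplinks=UPLINK_PORTS):
    """Return the switch and access port where `ip` is attached, or None.

    A MAC seen on an uplink only tells us the host is somewhere behind that
    link, so uplink entries are skipped until a real access port is found.
    """
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        return None
    for switch, text in tables.items():
        port = parse_mac_table(text).get(mac)
        if port and port not in uplinks:
            return {"ip": ip, "mac": mac, "switch": switch, "port": port}
    return None


def containment_commands(location):
    """IOS-style configuration lines to disable the located port (assumed CLI)."""
    return [f"interface {location['port']}", " shutdown"]


if __name__ == "__main__":
    hit = locate("10.1.20.99")
    print(hit)
    print("\n".join(containment_commands(hit)))
```

Run against live output, the same lookup that the case study costs at 45 minutes per workstation takes seconds, and a new administrator with no knowledge of the topology can use it as well, because the only inputs are the device dumps themselves.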
Another serious issue the company must address is IT security, in order to protect its information and digital assets from compromise, theft or loss, since Devon Accounting stores commercial assets and personal information on smart phones, computers, hard drives and online. The attack can come from a determined attacker outside, or from an insider threat within the business. Devon Accounting could be the victim of hacking because of its online presence.
Devon Accounting has been increasingly using cloud computing for various business processes. Xero is accounting software stored in the cloud that provides integration between the small business's accounting software and its accounting advisors. Xero has recently become a popular choice of tool at Devon Accounting. Office 365 is another tool used by some of the employees at Devon Accounting.
One new management headache created by cloud computing is the fragmentation of where the files are stored. There is no consistency in the storage of these files which are stored on Dropbox, Google Drive, and OneDrive. It is easy to forget where the data is. Backing up all this data from different locations, or moving from one provider to another, is complex and difficult.
The use of mobile devices has increased exponentially and employees at Devon Accounting have taken up these devices enthusiastically because of convenience in the workplace. Employees felt they would get more tasks done on time if allowed to choose their own mobile tools – and even their sceptical bosses felt that the use of these consumer mobile devices in the workplace increases employee productivity.
This concept of ‘Bring Your Own Device’ (BYOD) – where employees use their personal devices to store business data – opens up new concerns and issues for Devon Accounting. In addition to worries about where exactly the business’s data might be ‘in the cloud’, BYOD means that any small – and easily-lost – device can easily contain vast amounts of relevant business information. Spreadsheets with pricing models, client lists, usernames and access can easily be stored on a mobile device.
Worryingly though, the use of personal mobile devices and cloud computing services is not even mentioned in the current IT policy. Mobile devices can be gateways for new viruses, Trojan horses, and other IT security problems, and currently Devon Accounting is not well equipped to address such problems.
IT security planning is important for every organisation. Recently, you have been hired by your company to work as an IT security consultant. Security controls at Devon Accounting were implemented 5 years ago. New systems, services and IT equipment have been added to the network since then. If any small or large disaster occurs, the company is not prepared to recover after it, with the result that its business processes and functions would very likely be disrupted for a long period of time. This would also result in different kinds of losses to the company.
Devon Accounting performs its different functions and business processes with the help of different IT equipment and computer systems. You are told that it mainly wants an IT security plan developed and implemented for its IT system. There is different IT equipment in the company network, such as servers, workstations, printers, and so on. There are also web applications which employees use in their daily operation.
Current Security Controls:
A SWOT analysis was used to identify the risks that led to the implementation of the current security controls. That analysis was developed 5 years ago, and since then a lot has changed in the company.
The security controls were implemented by the network administrator, Bill Simmons, whose role was to manage the day-to-day operation of the network. Maintenance and management of IT security was not Bill's forte. The company at that time chose not to recruit specialised IT security personnel. The plan has never been revisited since and does not include the various changes and updates made to the system processes and networking devices over the years.
Furthermore, the current security policy implemented at Devon Accounting only covers Assets, Access Control, Password Control, and Email. It is very surprising that a business which deals with clients' financial information does not have any security policies in place for critical security issues such as Internet, Anti-Virus, Remote Access, Outsourcing, Acceptable Usage, Web Access, Wireless Security, Server Access, Information Classification, Social Media, Cloud Computing Services and Storage, external devices, etc. The consequences for employees who purposely violate the company's rules for personal gain should also be emphasised.
With the increase of employee numbers and relocation, company director Andrew Jacobs is concerned about the IT security of the system in place and the protection of customer data stored on the system and server.
With this and the recent reports on threats to the systems of companies worldwide, the Director, together with the company's CEO, is more aware of the need to have IT security controls in place.
To address all these issues the company has appointed you as an IT security consultant; your primary role is to understand the systems and processes of the company. For this case study, your Facilitator will act as the IT Manager who will provide you with the required information regarding the different IT equipment, operations and business processes of the company.
You must consult your IT Manager (your facilitator) regarding the progress of each stage during IT Security planning process.
Network diagram for the organisation is shown below. This diagram is essential for understanding how the network works and what changes are possible in it.
Figure 1: Sample Network Diagram of a typical Devon Accounting office
Figure 2: Sample Network Architecture of a Devon Accounting
(Appendix 1): Please see below the memorandum sent by email from the Company’s Director.
Memorandum – Devon Accounting Sydney Office
To: Staff
From: Director Andre Jacobs
Re: IT Security Issues and Requirements
Dear all
As you probably already know, the new Devon Accounting office is being relocated.
With this change of location and thinking about the greater security of our current and prospective customers, the company's steering committee decided to hire an IT security consultant.
This hiring aims at the best structure of our security systems so that we can protect the data with customers, employees and all our database.
This decision was also made after realizing some issues in our system and procedures which needed to be investigated, such as:
Data loss during a recent malware attack on the company's network which affected the company economically
Some of the operating systems used by staff are old and difficult to get support for (Application and Operating System Patches)
Some of the staff are given remote access but no monitoring is done, and no controls are in place (Remote access controls)
Staff have been receiving too many spam and malicious mails (Email filter and web content)
Network services such as printing and scanning are down frequently due to server issues (capacity and networking equipment)
Several laptops have gone missing from the office (Physical Security)
An occurrence of a blackout due to a storm resulted in the whole system going offline, resulting in a productivity loss which was severe for the company (UPS)
Staff have been using easy to remember passwords, and there have also been instances where a staff member had written the password on a sticky note and placed it on the computer screen. Staff are also not locking their workstations in their lunch break. Serious issues can arise when the staff involved are responsible for processing payments and invoices (Password policies and authentication).
The IT department is having difficulties dealing with issues relating to viruses, worms, and malware. Staff are using their personal USB devices in the company's workstations and accessing external websites which may have contained malicious code (Firewall updates)
Some staff also access the company's network and Intranet via wireless devices. Staff are not happy about the speed being too slow or taking too long for information to download (Wireless security and wireless access points)
Employees are using their personal wireless devices to store business data.
One new management headache created by cloud computing is the fragmentation of the files stored. There is no consistency in the storage of these files. Files are stored on Dropbox, Google Drive, or OneDrive. Backing up all this data from different locations has become complex and difficult.
Besides these key points, the company’s management is concerned with possible data breaches caused by employees who normally access data from their mobile devices or remotely.
For these and other reasons, it is critical that we review our current security policies and prepare a detailed security plan and investigate what actions and measures can be taken.
We count on the collaboration of all during this process to assist the IT security consultant in conducting a security analysis and making recommendations on the controls to be implemented.
Regards,
AJ.   
Bill Simmons' responsibilities (Appendix 2):
Responsibilities included:
installing and configuring computer networks and systems
identifying and solving any problems that arise with computer networks and systems
budgeting for equipment and assembly costs
assembling new systems
maintaining existing software and hardware and upgrading any that have become obsolete
monitoring computer networks and systems to identify how performance can be improved
working with IT support personnel
providing network administration and support


Current Cyber Security Controls (Appendix 3):
Below are the details of the security controls implemented by Bill Simmons at Devon Accounting 5 years ago.

| Security Controls | Description / Issues | Security Control in Place | Update Required |
|---|---|---|---|
| Password | Passwords chosen by staff are weak, not secure and do not use multi-factor authentication where possible. Passwords are not changed regularly and are shared among other users. | Yes | Yes |
| System Access | Access privileges are not properly implemented | Yes | Yes |
| Secure Wi-Fi & Devices | Employees are able to use company and public wireless networks on the company's devices. | No | Yes |
| Legitimate Software | Staff are allowed to download and install software of their choice | No | Yes |
| Patches and Anti-Virus | Anti-Virus software is very old | Yes | Yes |
| 'Clean' devices | Staff are allowed to use personal USB or external hard drives on the company's PCs. | No | Yes |
| Social Media | Staff are allowed to access social media sites such as Facebook, YouTube, Twitter and Instagram on the company's network | No | Yes |
| Email | Staff have been receiving too many spam and junk mails, which is clogging up the network | No | Yes |
| Cloud Computing Services and Storage | The company uses the cloud-based accounting application Xero, and Office 365. Backup for cloud storage has become an issue. | No | Yes |
| Remote Access | Staff are given remote access but no monitoring is done, and no controls are in place | No | Yes |
Appendix 4: Current Security Policy for DEVON ACCOUNTING

| Version | Description | Date | Author |
|---|---|---|---|
| 1.0 | DevonSecurityPolicy_v.1 | 10 October 2014 | Bill Simmons |
Introduction
This Security Policy document aims to define the security requirements for the proper and secure use of the Information Technology services at Devon Accounting. Its goal is to protect Devon Accounting's assets and users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.
This document applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for this constituency.
The security policy was created to follow the legal and ethical standards and to meet the obligations under the Privacy Act and Australian Privacy Principles.
IT Assets Policy
The IT Assets Policy section defines the requirements for the proper and secure handling of all the IT assets at Devon Accounting.
The policy applies to desktops, laptops, printers and other equipment, to applications and software, to anyone using those assets including internal users, temporary workers and visitors, and in general to any resource and capabilities involved in the provision of the IT services.
IT assets must only be used in connection with the business activities they are assigned and / or authorized.
Every user is responsible for the preservation and correct use of the IT assets they have been assigned.
All the IT assets must be in locations with security access restrictions.
Active desktop and laptops must be secured if left unattended.
Access to assets is forbidden for non-authorized personnel.
All personnel interacting with the IT assets must have the proper training.
Users shall maintain the assets assigned to them clean and free of accidents or improper use. They shall not drink or eat near the equipment.
Company’s laptops, PDAs and other equipment used at external location must be periodically checked and maintained.
The IT Technical Teams are solely responsible for maintaining and upgrading configurations. No other users are authorized to change or upgrade the configuration of the IT assets. That includes modifying hardware or installing software.
Special care must be taken for protecting laptops, PDAs and other portable assets from being stolen. Be aware of extreme temperatures, magnetic fields and falls.
When travelling by plane, portable equipment like laptops and PDAs must remain in possession of the user as hand luggage.
Whenever possible, encryption and erasing technologies should be implemented in portable assets in case they were stolen.
Losses, theft, damages, tampering or other incident related to assets that compromises security must be reported as soon as possible to the Information Security Officer.
Disposal of the assets must be done according to the specific procedures for the protection of the information. Assets storing confidential information must be physically destroyed in the presence of an Information Security Team member. Assets storing sensitive information must be completely erased in the presence of an Information Security Team member before disposing.
Access Control Policy
The Access Control Policy section defines the requirements for the proper and secure control of access to IT services and infrastructure at Devon Accounting.
This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Any system that handles valuable information must be protected with a password-based access control system.
Any system that handles confidential information must be protected by a two factor -based access control system.
Discretionary access control list must be in place to control the access to resources for different groups of users.
Mandatory access controls should be in place to regulate access by process operating on behalf of users.
Access to resources should be granted on a per-group basis rather than on a per-user basis.
Access shall be granted under the principle of "least privilege", i.e., each identity should receive the minimum rights and access to resources needed to perform its business functions successfully.
Whenever possible, access should be granted to centrally defined and centrally managed identities.
Users should refrain from trying to tamper with or evade the access control in order to gain greater access than they are assigned.
Automatic controls, scan technologies and periodic revision procedures must be in place to detect any attempt made to circumvent controls.
 
Password Control Policy
The Password Control Policy section defines the requirements for the proper and secure handling of passwords in the Organization.
This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
Any system that handles valuable information must be protected with a password-based access control system.
Every user must have a separate, private identity for accessing IT network services.
Each identity must have a password at least 5 characters long.
Sharing of passwords is forbidden. They should not be revealed or exposed to public sight.
Whenever a password is deemed compromised, it must be changed immediately.
For critical applications, digital certificates and multiple factor authentication using smart cards should be used whenever possible.
Identities must be locked if password guessing is suspected on the account.
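The last rule in this section, locking an identity when password guessing is suspected, needs a concrete trigger before it can be enforced. The Python below is an added example, not part of the policy or of Devon Accounting's systems: it reads constructed sshd-style authentication log lines (embedded so it runs offline) and reports which identities crossed a failure threshold inside a sliding time window. The threshold of 5 failures within 10 minutes is an assumption; the policy sets no figure, and the format of the log lines is likewise assumed.

```python
"""Flag identities that should be locked because of suspected password guessing.

Added example for the Password Control Policy; constructed sample log data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is being guessed from one source, bob mistypes
# twice and then succeeds, carol fails slowly over half an hour (forgetfulness,
# not guessing). ISO timestamps keep the example free of syslog year ambiguity.
AUTH_LOG = """\
2016-01-09T09:00:01 sshd[4021]: Failed password for alice from 203.0.113.5
2016-01-09T09:00:20 sshd[4021]: Failed password for alice from 203.0.113.5
2016-01-09T09:00:41 sshd[4021]: Failed password for alice from 203.0.113.5
2016-01-09T09:01:03 sshd[4021]: Failed password for alice from 203.0.113.5
2016-01-09T09:01:25 sshd[4021]: Failed password for alice from 203.0.113.5
2016-01-09T09:05:00 sshd[4030]: Failed password for bob from 192.0.2.10
2016-01-09T09:05:30 sshd[4030]: Failed password for bob from 192.0.2.10
2016-01-09T09:06:00 sshd[4030]: Accepted password for bob from 192.0.2.10
2016-01-09T09:10:00 sshd[4044]: Failed password for carol from 192.0.2.11
2016-01-09T09:17:00 sshd[4044]: Failed password for carol from 192.0.2.11
2016-01-09T09:24:00 sshd[4044]: Failed password for carol from 192.0.2.11
2016-01-09T09:31:00 sshd[4044]: Failed password for carol from 192.0.2.11
2016-01-09T09:38:00 sshd[4044]: Failed password for carol from 192.0.2.11
"""

# Assumed line format: "<iso-timestamp> sshd[pid]: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def accounts_to_lock(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {"at": timestamp, "sources": [...]}} for every identity
    that accumulated `threshold` failed logins inside a sliding `window`.

    A successful login resets the counter, so a user who mistypes a couple
    of times and then gets in is not locked out.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, source) failures
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        if user in locked:
            continue                      # already flagged; nothing more to decide
        if outcome == "Accepted":
            recent[user].clear()          # genuine login: forget earlier failures
            continue
        failures = recent[user]
        failures.append((ts, src))
        while failures and ts - failures[0][0] > window:
            failures.popleft()            # drop failures older than the window
        if len(failures) >= threshold:
            locked[user] = {"at": ts, "sources": sorted({s for _, s in failures})}
    return locked


if __name__ == "__main__":
    for user, detail in accounts_to_lock(AUTH_LOG).items():
        print(f"lock {user}: {len(detail['sources'])} source(s) at {detail['at']}")
```

The window matters as much as the threshold: without it, carol's five slow failures over 28 minutes would be indistinguishable from alice's five in under two, and the policy's "suspected guessing" clause would turn into a lockout for ordinary forgetfulness.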
Email Policy
The Email Policy section defines the requirements for the proper and secure use of electronic mail at Devon Accounting.
This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
All the assigned email addresses, mailbox storage and transfer links must be used only for business. Occasional use of a personal email address on the Internet for personal purposes may be permitted if in doing so there is no perceptible consumption of the Organization's system resources and the productivity of the work is not affected.
In no way may the email resources be used to reveal confidential or sensitive information from the Organization outside the authorized recipients for this information.
Using the email resources of the Organization for disseminating messages regarded as offensive, racist, obscene or in any way contrary to the law and ethics is absolutely discouraged.
Use of the Organization's email resources is maintained only to the extent and for the time needed for performing the duties. When a user ceases his/her relationship with the company, the associated account must be deactivated according to the established procedures for the lifecycle of accounts.
Privacy is not guaranteed. When stronger requirements for confidentiality, authenticity and integrity apply, the use of electronically signed messages is encouraged. However, only the Information Security Officer may approve the interception and disclosure of messages.
Outbound messages from corporate users should have approved signatures at the foot of the message.
Attachments must be limited in size according to the specific procedures of the Organization. Whenever possible, restrictions should be automatically enforced.
Threat and Risk Assessment of current assets (Appendix 5):

| Role | Participant |
|---|---|
| System Owner | Bill Simmons |
| Network Administrator | Bill Simmons |
| Director | Director Andre Jacobs |

Techniques Used

| Technique | Description |
|---|---|
| Risk assessment questionnaire | The assessment team used a customized version of the self-assessment questionnaire in NIST SP-26 "Security Self-Assessment Guide for Information Technology Systems". This questionnaire assisted the team in identifying risks. |
| Assessment tools | The assessment team used several security testing tools to review system configurations and identify vulnerabilities in the application. The tools included NMAP, NESSUS and APPSCAN. |
| Vulnerability sources | The team accessed several vulnerability sources to help identify potential vulnerabilities. The sources consulted included: SANS Top 20 (www.sans.org/top20), OWASP Top 10 (www.owasp.org/documentation/topten.html), NIST I-CAT vulnerability database (http://icat.nist.gov), Microsoft Security Advisories (www.microsoft.com/security). |
| Review of documentation | The assessment team reviewed system documentation, network diagrams and operational manuals. |
| Interviews | Interviews were conducted to validate information. |
| Site visit | The team conducted a site visit and reviewed physical access and environmental controls. |


In determining the risks for Devon Accounting, the team utilized the following model for classifying risk:
Risk = Threat Likelihood x Magnitude of Impact

Impact: High
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples:
A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
Major damage to organizational assets
Major financial loss
Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries

Impact: Medium
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples:
Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
Significant damage to organizational assets
Significant financial loss
Significant harm to individuals that does not involve loss of life or serious life-threatening injuries

Impact: Low
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples:
Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
Minor damage to organizational assets
Minor financial loss
Minor harm to individuals
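The formula "Risk = Threat Likelihood x Magnitude of Impact" is qualitative until each rating is given a number. The Python below is an added example, not part of the assessment: it uses the numeric scale published in the 2002 edition of NIST SP 800-30 (likelihood 1.0 / 0.5 / 0.1, impact 100 / 50 / 10, with products above 50 rated High, above 10 Medium, otherwise Low). The assessment does not say which scale the team applied, so that choice is an assumption. The `REGISTER` rows are copied from the Appendix 5 table so that the recorded ratings can be compared with what the formula gives, and `prioritise` orders the rows for criterion 2.3.

```python
"""Qualitative risk rating and register consistency check.

Added example for the risk model in Appendix 5; the numeric scale is the one
from NIST SP 800-30 (2002), assumed rather than stated by the assessment.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Numeric product of the two ordinal ratings (1 to 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(likelihood, impact):
    """Map the product back onto the High / Medium / Low scale."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Rows taken from the Appendix 5 register:
# (asset, impact, likelihood, risk rating recorded by the assessment team)
REGISTER = [
    ("Server", "High", "High", "Medium"),
    ("Backup drive", "High", "High", "Medium"),
    ("Switch/router and other hardware", "High", "High", "High"),
    ("Remote access", "High", "High", "Medium"),
]


def check_register(rows=REGISTER):
    """Return (asset, recorded, computed) for rows whose recorded rating
    differs from what the formula gives under this scale. A non-empty list
    is the cue to ask the team which scale they actually applied."""
    mismatches = []
    for asset, impact, likelihood, recorded in rows:
        computed = risk_rating(likelihood, impact)
        if computed != recorded:
            mismatches.append((asset, recorded, computed))
    return mismatches


def prioritise(rows=REGISTER):
    """Order assets for treatment: highest score first, ties broken by
    asset name so the ordering is stable and reviewable."""
    return sorted(rows, key=lambda row: (-risk_score(row[2], row[1]), row[0]))


if __name__ == "__main__":
    for asset, recorded, computed in check_register():
        print(f"{asset}: recorded {recorded}, formula gives {computed}")
    for asset, impact, likelihood, _ in prioritise():
        print(f"{risk_score(likelihood, impact):6.1f}  {asset}")
```

Whatever scale is chosen, it should be written into the security plan next to the formula; a rating that cannot be reproduced from the inputs cannot be defended to the stakeholders who review the plan under criterion 2.5.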


| Asset or service | Business value | Threat | Existing controls | Still existing vulnerabilities / weaknesses | Description of impact | Impact | Likelihood | Risk rating | Action items | Reviewed |
|---|---|---|---|---|---|---|---|---|---|---|
| Server | High | Hacking | User authentication / locked door | Lack of strong password policy enforcement | Improper use of system resources | High | High | Medium | Check the credential policies (getting credentials and enforcing password policy) | 01/03/2015 |
| Backup drive | Medium | Accidental data removal / deletion | Current backup solution | Backup/restore not tested | Data availability and integrity | High | High | Medium | Run backup restore tests every x months | 01/06/2015 |
| Data | High | Software leaks information which is sensitive | Policy for software development, training, advice on choosing software | People make errors? | If sensitive data leaked, could be bad for reputation, could be illegal | High | High | Medium | Training and consequences of illegal actions in policy | 01/09/2015 |
| Switch/router, printers, scanner and copier, wireless access point, Microsoft Surface tablet, firewall, smart phones, telephone systems | Medium | Hardware/equipment failure or theft | Only locked doors | Locks easy to break | Failure or malfunction of hardware may cause denial of service to system users. Additionally, hardware configuration may be altered in an unauthorized manner, leading to inadequate configuration control or other situations that may impact the system. | High | High | High | Implement physical security and CCTV cameras, alarm systems | 01/03/2016 |
| Malicious code | Medium | Malicious software such as viruses or worms may be introduced to the system | Anti-virus | Virus definition list not updated | Damage to the data or software | High | High | Medium | Update to latest anti-virus. Update virus definitions. Update firewall. Security policy. | 01/16/2016 |
| Remote access | Medium | Remote OS authentication is enabled but not monitored | None | Remote access is not currently monitored | Malicious use / computer crime / compromise of confidentiality and integrity of data | High | High | Medium | Remote access monitoring software / disable access when not in use | 01/09/2016 |
| | | Login encryption setting is not properly configured | | No login encryption; unencrypted passwords could be compromised, resulting in compromise of confidentiality and integrity of sensitive data | Malicious use / computer crime / compromise of confidentiality and integrity of data | High | High | Medium | Require encryption of passwords (not yet enforced). Physical security should be in place that would limit the ability to sniff the network to exploit this vulnerability. | 01/09/2016 |

Project task
Your task is to prepare a comprehensive report for Devon Accounting. It must cover everything from reviewing the current security policies to preparing a detailed security plan and providing recommendations on the actions and measures to be taken.
Task 1: Review organizational security policies and procedures
Determining the critical business requirements of the network is the first step in developing the security and controls design of the Devon Accounting network, as it means understanding what we need the network to achieve. Careful consideration in the early stages will reap rewards later in the design, because problems are identified and addressed early.
To begin reviewing organizational security policies and procedures of the Devon Accounting network, you will need to:
Identify security requirements for Devon Accounting by reviewing the business requirements
Identify current security threats for Devon Accounting
Recommend a solution to the threats identified
Determine the need for the update in security policy for Devon Accounting. The updated policy must meet the obligations under the Privacy Act and Australian Privacy Principles.
List the job description for the IT security personnel
Recommend a methodology for performing security tests to these solutions
Task 2: Develop security plan
To begin developing a security plan for Devon Accounting, you will need to:
Investigate and identify possible attacks and threats on the business
Evaluate risks and threats associated with the investigation (threat assessment matrix)
Recommend the security controls to be implemented, update the security policy and document the changes made. The security policy must follow legal and ethical standards and must meet the obligations under the Privacy Act and Australian Privacy Principles. Legislation and regulation references may include:
Australian Privacy Principles (‘APPs’).
APP 11 and Information Technology Act 2014
Commonwealth Copyright Act 1968
Commonwealth Fair Work Act 2009
Information Privacy Act 2000
Information Technology – Code of practice for information security management
ACS Code of Ethics

Recommend a solution to the security threats identified and prepare a security plan
Investigate and review security strategy with security-approved key stakeholders (Auscert)
Document the changes made
Your supervisor will provide assistance and feedback throughout the various stages of this report.
Table of Contents
1. Introduction
2. Security requirements
3. Current security threats
4. Risk and threat assessment
5. Solution to the threats
6. Security policy updates
7. Security tests methodologies
8. Future attacks and threats on the business
9. Future risk and threat assessment
10. Security Plan – Solution to the future threats
11. Security policy updates
    Updated Policy
    Legal and ethical standards
        Privacy Act
        Australian Privacy Principles
        ACS Code of Ethics and others
12. Review Security plan (approved key stakeholders)
13. Change (Security plan upon review)
14. Conclusion
15. References
Marking Scale

| # | Topics | Marks allocated |
|---|---|---|
| 1 | Security requirements | /4 |
| 2 | Current security threats | /4 |
| 3 | Risk and threat assessment | /4 |
| 4 | Solution to the threats | /4 |
| 5 | Security policy updates | /4 |
| 6 | Security tests methodologies | /4 |
| 7 | Future attacks and threats on the business | /7 |
| 8 | Future risk and threat assessment | /7 |
| 9 | Security Plan – Solution to the future threats | /7 |
| 10 | Security policy updates with legal and ethical standards | /7 |
| 11 | Review Security plan (approved key stakeholders) | /4 |
| 12 | Change (Security plan upon review) | /4 |
| | TOTAL | /60 |
1. Introduction
2. Security Requirements
Security requirements should cover:
Confidentiality
Integrity
Authentication
Non-repudiation
Availability
Access control
3. Current Security Threats
See Appendix 1, Appendix 3, Appendix 5
4. Risk and Threat Assessment
List the current security threats and explain each of them.

| Internal threats | Vulnerability area |
|---|---|
| | |
| | |

| External threats | Vulnerability area |
|---|---|
| | |
| | |
Risk Assessment Matrix

| Possible effect | Personnel | Facilities and equipment | Applications | Communications | Software and operating systems |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
Explain the Risk to Organisation
5. Solution to the Threats
Website resource:
Cisco: http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/network_security_checklist/index.html
Technology Options

| Threat | Technology options | Vendor details |
|---|---|---|
| Example: Unauthorized users off your network | Firewall | Cisco website: http://www.cisco.com |
| | | |
| | | |
| | | |
List the recommended Solution
6. Security Policy Updates
Current Security policy in Appendix 4. Other policies should cover:
Password
System Access
Secure Wi-Fi & Devices
Legitimate Software
Patches and Anti-Virus
‘Clean’ devices
Social Media
Email
Cloud Computing Services and Storage
Remote Access
Encryption
7. Security Testing Methodology
Methodology for performing security tests.
Website resources:
Penetration testing methodologies and standards (OWASP): https://www.owasp.org/index.php/Penetration_testing_methodologies
Penetration Testing Redefined with the Kali Linux Distribution: https://www.kali.org/

8. Future attacks and threats on the business
Investigate and list the possible future attacks.
9. Future Risk and Threat Assessment
Possible Threats and attacks
Acts of human error or failure
Compromise of intellectual property
Deliberate acts of espionage or trespass
Deliberate acts of information extortion
Deliberate acts of sabotage or vandalism
Deliberate act of theft
Deliberate software attacks
Force of nature
Deviations in quality of service from service providers
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
| Threat source | Threat actions | Threat motivations |
|---|---|---|
| | | |
| | | |
| | | |
Example: Threat Assessment Matrix (rate each risk as H, M or L)

| Area of threat / vulnerability | Possible effect of damage | Risk of financial loss | Risk of productivity loss | Risk of loss of customer confidence |
|---|---|---|---|---|
| Antivirus | Programs are not updated | H | H | L |
| | | | | |
| | | | | |
| | | | | |
10. Security Plan – Solution to the future threats
Write your recommended solution for the identified security risk
Example: Security Threat – Malware
Describe the threat
Impact on the organisation
Mitigation strategies
Technology/Training solution
11. Security Policy Updates with Legal and Ethical Standards
Priorities Assessment using Risk Register
Example of Risk register
| Threat | Predisposing conditions | Vulnerable entities | Confidentiality [H,M,L] | Integrity [H,M,L] | Availability [H,M,L] | Overall impact | Likelihood of attack initiation | Likelihood of success | Total likelihood | Overall risk rating | Cost effectiveness |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example: Lost or stolen laptop leads to exposure of sensitive data | No encryption on almost all laptops | All servers, network devices, and laptops | H | L | H | H | H | H | H | H | M |
| | | | | | | | | | | | |
| | | | | | | | | | | | |
| | | | | | | | | | | | |
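A small scorer for register rows laid out like the example above, added here as an illustration and not part of the assignment template. The combination rules (worst of C/I/A for overall impact, the lower of the two likelihoods for total likelihood, and the 3x3 risk matrix) and the two extra rows are assumptions; it reproduces the H/H/H result shown for the laptop example and ranks rows for the priorities assessment.

```python
# Added example, not part of the assignment template. Combination rules are
# assumptions (NIST SP 800-30 style), not rules the brief gives: overall impact is
# the worst of C/I/A, total likelihood the lower of initiation and success, and
# overall risk an assumed 3x3 likelihood-by-impact matrix.
from dataclasses import dataclass

LEVELS = ("L", "M", "H")  # index order is severity order
# Assumed matrix: RISK_MATRIX[total_likelihood][overall_impact] -> overall risk
RISK_MATRIX = {
    "H": {"L": "M", "M": "H", "H": "H"},
    "M": {"L": "L", "M": "M", "H": "H"},
    "L": {"L": "L", "M": "L", "H": "M"},
}

@dataclass(frozen=True)
class RiskEntry:
    threat: str
    confidentiality: str        # each rating is H, M or L
    integrity: str
    availability: str
    likelihood_initiation: str
    likelihood_success: str
    cost_effectiveness: str     # of the proposed control

def _level(rating: str) -> int:
    # Reject anything outside the H/M/L scale so a typo cannot hide a risk.
    if rating not in LEVELS:
        raise ValueError(f"rating must be one of H, M, L; got {rating!r}")
    return LEVELS.index(rating)

def overall_impact(e: RiskEntry) -> str:
    return LEVELS[max(map(_level, (e.confidentiality, e.integrity, e.availability)))]

def total_likelihood(e: RiskEntry) -> str:
    # An attack likely to be attempted but unlikely to succeed is unlikely overall.
    return LEVELS[min(_level(e.likelihood_initiation), _level(e.likelihood_success))]

def overall_risk(e: RiskEntry) -> str:
    return RISK_MATRIX[total_likelihood(e)][overall_impact(e)]

def prioritise(entries):
    # Highest risk first; among equal risk, the most cost-effective control first.
    return sorted(entries, key=lambda e: (-_level(overall_risk(e)),
                                          -_level(e.cost_effectiveness), e.threat))

# The brief's example row, plus two constructed rows based on the appendix table.
LAPTOP = RiskEntry("Lost or stolen laptop leads to exposure of sensitive data", "H", "L", "H", "H", "H", "M")
BACKUP = RiskEntry("Backup/restore not tested", "L", "H", "H", "M", "H", "H")
ANTIVIRUS = RiskEntry("Virus definition list not updated", "M", "M", "M", "H", "M", "H")
```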
Update the Security Policy
12. Review Security Plan (approved key stakeholders)
Website resource:
Auscert Security Bulletins
https://www.auscert.org.au/1
13. Change (Security Plan upon Review)
Update the Revision History and security plan
Revision History

| Revision number | Summary of revision | Revision author | Date | Accepted by |
|---|---|---|---|---|
| | Initial Draft | | | |
| | | | | |
| | | | | |
14. Conclusion
15. References
