
BIT361 Security Management and Governance


Assessment Report Two

All assignments are due on the day of your lecture in the specified week!

Due Dates - See Moodle for Submission Date and Requirements:



  • Draft Week 5 13 Jan 2023

  • Final Week 6 22 Jan 2023



The Case study scenario: (continued from Report 2)

Your report on the need for a Security Management Program at KORI has been accepted, but management have requested more information on policy development and the need for a risk management program. Specifically, they have asked for an explanation of the benefits of a risk management plan, the steps for creating a risk management plan, and a description of the risk assessment process.

To meet the client's request, you need to do the following:



  • What does the client want you to do?



Document contents:



  1. A discussion of the types of policies needed for information security at KORI.

    • This will be a list of MORE than 5 things

    • Contingency plans for the Bairnsdale Facilities, this includes the;

      • Bairnsdale Treatment Centre

      • The Administrative Centre and

      • The Research Veterinary Laboratory



    • What Risk Management is trying to do


2. A discussion on what KORI policy documents should look like (structure and main components; you may provide an example if this would assist you).

3. Explanation of benefits and purpose of a risk assessment at KORI.

4. Description of the risk assessment process for KORI's requirements.

5. Outline the steps for creating a risk management plan for KORI.

6. A set of asset and risk priorities using the tables below (additional tables in the Appendix may be used as required):



  • Identification of Information Assets (The Information Assets Register) at KORI.

    • One asset (or more) from each of the different categories:

      • People,

      • Process,

      • Hardware and

      • Software



    • List the Assets in order of importance by creating an Asset Priority Table in the form of a Weighted Factor Analysis Worksheet (Table 2) at KORI; show all calculations, please.

    • Identify Threats/Vulnerabilities for KORI and complete the Threat, Vulnerability, Asset (TVA) table (Table 2).

      • One threat from each of the different categories:

        • Internal,

        • External,

        • Deliberate, and

        • Accidental.



      • Determine priorities and the preliminary impact of risks in a Ranked Vulnerability Risk Worksheet (Table 3); show all calculations, please.

7. Discuss controls/safeguards for the issues identified in the last Ranked Vulnerability Risk Worksheet (Table 3).

The Information Asset Register

This step should be done without prejudging the value of each asset; values will be assigned later in the process.


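| ID No. | Information Asset Name | Asset Type (People, Process, Network, Hardware, Software) | Data Classification (Secret, Confidential, Private, Public) | Department | Location | Retention | Threats? |
|---|---|---|---|---|---|---|---|
| Eg. (0) | Web Server | Hardware | Private | Marketing | Head office | Security Disposal | DDOS; Hardware failure |
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |
| 4 | | | | | | | |
| 5 | | | | | | | |
| 6 | | | | | | | |
| 7 | | | | | | | |
| 8 | | | | | | | |
| 9 | | | | | | | |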

Listing Assets in Order of Importance: The Asset Priority Table (Weighted Factor Analysis Worksheet)

To assist with their understanding of risk assessment and management you have decided to consider 4 assets and 4 threats to be used to complete the tables below. To effectively demonstrate your skill, the tables would need to include examples of assets from different categories: people, process, hardware, software, and network. Threats should also include examples from different categories: Internal, external, deliberate, and accidental.


Table 1: Asset Priority Table (Weighted Factor Analysis Worksheet)

| Information Assets | Criterion 1: Impact on __________ | Criterion 2: Impact on __________ | Criterion 3: Impact on __________ | Weighted Score |
|---|---|---|---|---|
| Criterion weight (1-100); must total 100 | | | | |
| (Asset 1) | | | | |
| (Asset 2) | | | | |
| (Asset 3) | | | | |
| (Asset 4) | | | | |
| (Asset ..) | | | | |

Threat, Vulnerability, Asset (TVA) Table


Table 2: Threat, Vulnerability, Asset (TVA) Table

| Threats \ Assets -> | Asset 1 Name ___________ | Asset 2 Name ___________ | Asset 3 Name ___________ | Asset 4 Name ___________ |
|---|---|---|---|---|
| Threat 1 ________________ | | | | |
| Threat 2 ________________ | | | | |
| Threat 3 ________________ | | | | |
| Threat 4 ________________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |

Notes*

Priority Risk Table


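Table 3: Risk.

| Asset | Threat | Vulnerability | Vulnerability Likelihood | Impact | Priority |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |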

The Assignment Report 2 - Document Format

The format for submission for this document is less formal than for the original report:



  • Cover page

  • Introduction (What is the purpose and why the report was needed/requested.)

  • Headings for each part of the client's request.

  • References



Submission Instructions - Submission is in 2 parts.

Week 10 Report 2 Draft

Major headings, some minor headings named to match the case study. Overall structure described. The structure of the body with bullet points must be outlined and comments relevant to each section included. Some references should be listed. The information for the requirements of this assignment is specified above.

Week 12 Final Risk Assessment/Management Document

A document that covers all the information requested by the Case Study client. The Risk Assessment will include a prioritized list of Assets, Threats, and Vulnerabilities to meet the request of the client. The Risk Assessment must also include suggested controls for the risks you have identified for the Case Study.

Your submission must be compatible with the software in Melbourne Polytechnic's computer laboratories/classrooms. A .docx file is required. Other formats will not be accepted.

The file must be named using the following format:

S9999999_Surname_ReportNo._ClassGroup.docx

Where S9999999 is replaced with your student ID, and the class group with SS, 1A, 1B, 2A, 2B (ask your tutor which code applies to you)



  • e.g. S22000_Robinson_Report2_SS.docx



The assignment must be submitted using the Moodle link provided.

In some cases, your tutor may allow a resubmission of a failed assignment. Resubmitted assignments will be capped at a maximum mark of 50%.

See Subject outline for formal Assessment overview and feedback

Plagiarism

All used sources must be properly acknowledged with references and citations. Quotations and paraphrasing are allowed but the sources must be acknowledged. Failure to do so is regarded as plagiarism and the penalty for plagiarism is failure for the assignment. The act of giving your assignment to another student is classified as a plagiarism offence. Copying large chunks and supplying a reference will result in zero marks as you have not contributed to the report.

Penalties: Academic misconduct such as cheating and plagiarism incurs penalties ranging from a zero result to program exclusion.

Late submission of assignments

As per Subject outline

Extensions: Extensions are granted only for reasonable cause such as illness. A Special Consideration form, accompanied by supporting documentation, must be received before the due date. If granted, an extension will be granted only for the time period stated on the documentation; that is, if the illness medical certificate was for one day, an extension will be granted for one day only. Accordingly, the student must submit within that time limit.

Marking Criteria


Each criterion below is assessed against these grade bands:

  • Excellent: HD - 80%
  • Very Good: D - 70% - 79%
  • Good: CR > 60% - 69%
  • Acceptable: P 50% - 59%
  • Unsatisfactory: Fail < 50%
  • N


InfoSec Policy Elements: Discussion of why policies are needed in an organisation. (5 marks)

  • Excellent: Clear and detailed discussion of why policies are needed in an organisation. No Inconsistencies evident.
  • Very Good: Clear and detailed discussion of why policies are needed in an organisation. Inconsistencies may be evident.
  • Good: Some discussion of why policies are needed in an organisation. Some inconsistencies evident
  • Acceptable: Brief discussion of why policies are needed in an organisation. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief discussion of why policies are needed in an organisation. Some significant inconsistencies or poor details
  • N: Not completed


InfoSec Policy Documentation: Describe the elements that make up an information security policy document, using a document as required by the Case Study (5 marks)

  • Excellent: Clear and detailed description of the elements that make up an information security policy document, using a document as required by the Case Study. No Inconsistencies evident.
  • Very Good: Clear and detailed description of the elements that make up an information security policy document with some reference to the case study. Inconsistencies may be evident.
  • Good: Some description of the elements that make up an information security policy document with little reference to the case study. Some inconsistencies evident
  • Acceptable: Brief description of the elements that make up an information security policy document with little or no reference to the case study. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief description of the elements that make up an information security policy document with little or no reference to the case study. Some significant inconsistencies or poor details
  • N: Not completed


InfoSec Policy Elements: Discussion of the types of policies needed for information security as applied to the Case Study (10 marks)

  • Excellent: Clear and detailed discussion of the types of policies needed for information security with reference to the case study. No Inconsistencies evident.
  • Very Good: Clear and detailed discussion of the types of policies needed for information security with some reference to the case study. Inconsistencies may be evident.
  • Good: Some discussion of the types of policies needed for information security with little reference to the case study. Some inconsistencies evident
  • Acceptable: Brief discussion of the types of policies needed for information security with little or no reference to the case study. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief discussion of the types of policies needed for information security with little or no reference to the case study. Some significant inconsistencies or poor details
  • N: Not completed


Risk Assessment Plan: Describe the Benefits and Purposes of a Risk Assessment Plan. (5 marks)

  • Excellent: Clear and detailed description of the Benefits and Purposes of a Risk Assessment Plan. No Inconsistencies evident.
  • Very Good: Clear and detailed description of the Benefits and Purposes of a Risk Assessment Plan. Inconsistencies may be evident.
  • Good: Some description of the Benefits and Purposes of a Risk Assessment Plan. Some inconsistencies evident
  • Acceptable: Brief description of the Benefits and Purposes of a Risk Assessment Plan. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief description of the Benefits and Purposes of a Risk Assessment Plan. Some significant inconsistencies or poor details
  • N: Not completed


Risk Assessment Process: Describe the Risk Assessment Process with reference to the case study. (10 marks)

  • Excellent: Clear and detailed description of the Risk Assessment Process with reference to the case study. No Inconsistencies evident.
  • Very Good: Clear and detailed description of the Risk Assessment Process with reference to the case study. Inconsistencies may be evident.
  • Good: Some description of the Risk Assessment Process with little reference to the case study. Some inconsistencies evident
  • Acceptable: Brief description of the Risk Assessment Process with little or no reference to the case study. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief description of the Risk Assessment Process with little or no reference to the case study. Some significant inconsistencies or poor details
  • N: Not completed


Creating a Risk Assessment Plan: vi. Outline the steps involved in creating a Risk Management Plan. (10 marks)

  • Excellent: Clear and detailed outline the steps involved in creating a Risk Management Plan. Reference is made to the case study to provide examples. No Inconsistencies evident.
  • Very Good: Clear and detailed outline the steps involved in creating a Risk Management Plan. Inconsistencies may be evident.
  • Good: Detailed outline of the steps involved in creating a Risk Management Plan. Some inconsistencies evident
  • Acceptable: Brief description of the steps involved in the outline to create a Risk Management Plan. Some significant inconsistencies or poor details
  • Unsatisfactory: Very brief description of the steps involved in the outline to create a Risk Management Plan. Some significant inconsistencies or poor details
  • N: Not completed


Simple Risk Assessment: Identify the Information Assets from the Case Study (5 marks) and List them in an Asset Priority Table (Table 1 Provided) (5 marks)

  • Excellent: Clear and detailed identification of the Information Assets from the Case Study and appropriate allocation via the Asset Priority Table. No Inconsistencies evident.
  • Very Good: Clear and detailed identification of the Information Assets from the Case Study and appropriate allocation via the Asset Priority Table. Inconsistencies may be evident.
  • Good: Brief identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table with little or no reference to the case study. Some significant inconsistencies or poor details
  • Acceptable: Brief identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table with little or no reference to the case study. Some significant inconsistencies or poor details
  • Unsatisfactory: Very Brief identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table with little or no reference to the case study. Some significant inconsistencies or poor details
  • N: Not completed


Simple Risk Assessment: Identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table (10 marks)

  • Excellent: Clear and detailed identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table. No Inconsistencies evident.
  • Very Good: Detailed identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table. Inconsistencies may be evident.
  • Good: Some detailed identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table. Some inconsistencies evident
  • Acceptable: Brief identification of Threats, Vulnerabilities and Assets (TVA) using a TVA table from data provided in the Case study and presented in the Asset Priority Table. with little or no reference to the case study. Some significant inconsistencies or poor details
  • Unsatisfactory: Very Brief identification of the Information Assets from the Case Study and some allocation via the Asset Priority Table with little or no reference to the case study. Some significant inconsistencies or poor details
  • N: Not completed


Simple Risk Assessment: Create a Priorities Risk Table, including the appropriate; Assets, Threat, Vulnerabilities, Likelihood, and Impact as derived from the TVA table and data provided in the Case study and presented in the Asset Priority Table (10 marks)

  • Excellent: Clear and detailed table of Risk Priorities, including all attributes derived from the TVA table and based on data provided in the Case study and presented in the Asset Priority Table. No Inconsistencies evident.
  • Very Good: Detailed table of Risk Priorities, including attributes derived from the TVA table and based on data provided in the Case study and presented in the Asset Priority Table. Inconsistencies may be evident.
  • Good: Some identification of Risk Priorities, including some attributes derived from the TVA table and based on data provided in the Case study and presented in the Asset Priority Table. Some inconsistencies evident
  • Acceptable: Brief identification of Risk Priorities, including some attributes derived from the TVA table with some evidence based on data provided in the Case study and presented in the Asset Priority Table. Some significant inconsistencies or poor details
  • Unsatisfactory: Very Brief identification/description and some justification of Security Controls based on the Priorities Risk Table, addressing some of the Assets, Threat, Vulnerabilities, Likelihood, and Impact. Some significant inconsistencies or poor details
  • N: Not completed


Simple Risk Assessment: Describe and justify appropriate Security Controls based on the Priorities Risk Table, addressing the Assets, Threat, Vulnerabilities, Likelihood, and Impact. (10 marks)

  • Excellent: Clear and detailed description and justification of appropriate Security Controls based on the Priorities Risk Table, addressing the Assets, Threat, Vulnerabilities, Likelihood, and Impact. No Inconsistencies evident.
  • Very Good: Detailed description and justification of appropriate Security Controls based on the Priorities Risk Table, addressing the Assets, Threat, Vulnerabilities, Likelihood, and Impact. Inconsistencies may be evident.
  • Good: Some description and justification of appropriate Security Controls based on the Priorities Risk Table, addressing some of the Assets, Threat, Vulnerabilities, Likelihood, and Impact. Some inconsistencies evident
  • Acceptable: Brief identification / description and some justification of Security Controls based on the Priorities Risk Table, addressing some of the Assets, Threat, Vulnerabilities, Likelihood, and Impact. Some significant inconsistencies or poor details
  • Unsatisfactory: Very Brief identification of Risk Priorities, including some attributes derived from the TVA table with little or no evidence based on data provided in the Case study or presented in the Asset Priority Table. Some significant inconsistencies or poor details
  • N: Not completed


Report Format Elements (Draft): The Report Draft is delivered with the required report format; cover/title page, executive summary, table of contents, major headings, with minor headings named to match the case study, page numbering, references in the correct style. (5 marks)

  • Excellent: The Report has all the required format elements. No Inconsistencies evident.
  • Very Good: The Report has most of the required format elements. Inconsistencies may be evident.
  • Good: The Report has many of the required format elements. Some inconsistencies evident
  • Acceptable: The Report has some of the required format elements. Some significant inconsistencies or poor details
  • Unsatisfactory: The Report has few of the required format elements. Some significant inconsistencies or poor details
  • N: Not completed


Referencing Elements: The Report is delivered with correct and adequate referencing in the Harvard style, appropriate in text use of referencing and Reference List. (5 marks)

  • Excellent: The Report is delivered with sufficient referencing in the Harvard style, appropriate in text use of referencing and Reference List. No Inconsistencies evident.
  • Very Good: The Report is delivered with sufficient referencing in the Harvard style, appropriate in text use of referencing and Reference List. Inconsistencies may be evident.
  • Good: The Report is delivered with referencing in the Harvard style, some in text use of referencing and Reference List. Some inconsistencies evident
  • Acceptable: The Report is delivered with insufficient referencing in the Harvard style, and inadequate in text use of referencing and Reference List. Some significant inconsistencies or poor details
  • Unsatisfactory: The Report is delivered with insufficient referencing in the Harvard style, and inadequate or inappropriate in text use of referencing and Reference List. Some significant inconsistencies or poor details
  • N: Not completed


Grammar and Expression Evidence: Has been proof-read for structure, consistency and vocabulary, spell and grammar checked. (5 marks)

  • Excellent: Free of any grammatical errors; use correct sentence structure and range of vocabulary.
  • Very Good: Well organized and the logic is easy to follow. There are very few spelling or grammatical errors. The terminology is clearly defined.
  • Good: Generally, well organized and most of the logic is easy to follow. There are only a few minor spelling or grammatical errors, or terms are not clearly defined. Writing is mostly clear.
  • Acceptable: Shows some organization. There are some spelling and/or grammatical errors; technical terms are generally poorly defined. Writing is mostly clear but is confusing in parts.
  • Unsatisfactory: Is poorly organized and difficult to read; does not flow logically from one part to another. There are several spelling and/or grammatical errors; technical terms are not clear. Writing lacks clarity
  • N: Not completed

Appendix - Worksheets

Appendix Table of Contents

  • The Information Asset Register
  • Classifying and Categorizing Assets
  • Listing Assets in Order of Importance: The Asset Priority Table (Weighted Factor Analysis Worksheet)
  • Threat, Vulnerability, Asset (TVA) Table

The Information Asset Register

This step should be done without prejudging the value of each asset; values will be assigned later in the process.


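| ID No. | Information Asset Name | Asset Type (People, Process, Network, Hardware, Software) | Data Classification (Secret, Confidential, Private, Public) | Department | Location | Retention | Threats? |
|---|---|---|---|---|---|---|---|
| Eg. (0) | Web Server | Hardware | Private | Marketing | Head office | Security Disposal | DDOS; Hardware failure |
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |
| 4 | | | | | | | |
| 5 | | | | | | | |
| 6 | | | | | | | |
| 7 | | | | | | | |
| 8 | | | | | | | |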

Threats

A list like the one below should be created for each information asset to document its vulnerability to each possible or likely attack.

Asset Name: ________________________ eg (Webserver)

Date Evaluated: ________________________

Evaluated By: __________________________

| Threat | Possible Vulnerability |
|---|---|
| Software Attacks | IP is vulnerable to denial-of-service attacks (DDOS). Outsider IP fingerprinting activities can reveal sensitive information unless suitable controls are implemented. |
| | |
| | |
| | |

Classifying and Categorizing Assets

Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization's risk management program.

System Name: ________________________

Date Evaluated: ________________________

Evaluated By: __________________________

| Information Assets | Data Classification | Impact to Profitability |
|---|---|---|
| Classification 1: | | |
| | | |
| | | |
| Classification 2: | | |
| | | |
| | | |
| Classification 3: | | |
| | | |
| | | |
Notes:

Listing Assets in Order of Importance: The Asset Priority Table (Weighted Factor Analysis Worksheet)

| Information Assets | Criterion 1: Impact on __________ | Criterion 2: Impact on __________ | Criterion 3: Impact on __________ | Weighted Score |
|---|---|---|---|---|
| Criterion weight (1-100); must total 100 | | | | |
| (Asset 1) | | | | |
| (Asset 2) | | | | |
| (Asset 3) | | | | |
| (Asset 4) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |
| (Asset ..) | | | | |

Threat, Vulnerability, Asset (TVA) Table (Short Version)




Table 2: Threat, Vulnerability, Asset (TVA) Table

| Threats \ Assets -> | Asset 1 Name ___________ | Asset 2 Name ___________ | Asset 3 Name ___________ | Asset 4 Name ___________ |
|---|---|---|---|---|
| Threat 1 ________________ | | | | |
| Threat 2 ________________ | | | | |
| Threat 3 ________________ | | | | |
| Threat 4 ________________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |

Threat, Vulnerability, Asset (TVA) Table (Long Version)











Table 2: Threat, Vulnerability, Asset (TVA) Table

| Threats \ Assets -> | Asset 1 Name ___________ | Asset 2 Name ___________ | Asset 3 Name ___________ | Asset 4 Name ___________ |
|---|---|---|---|---|
| Threat 1 ________________ | | | | |
| Threat 2 ________________ | | | | |
| Threat 3 ________________ | | | | |
| Threat 4 ________________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |
| Threat ______________ | | | | |
Notes*

Priority Risk Table




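Table 3: Risk.

| Asset | Threat | Vulnerability | Vulnerability Likelihood | Impact | Priority |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |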
