
Evaluate an organisation's compliance with cyber security standards and Law ICTCYS606

Added on: 2025-05-14 04:49:47

ICTCYS606

Evaluate an organisation's compliance with cyber security standards and Law

Project Portfolio (Explanatory Document)

CONTENTS

Section 1: Cyber security standard and laws research

Section 2: Compliance assessment preparation

Section 3: Compliance assessment

Section 4: Compliance strategy

Student name:

Student must include.

Assessor:

Student must include.

Business this assessment is based on:

This will be the case study business provided as Appendix 1.

Documentation reviewed as preparation:

Student must list the documentation reviewed e.g. Case Study.

Section 1: Cyber security standard and laws research

Cyber security standards and laws

Identify and describe the cyber security laws and standards that are relevant to the business. Include as many examples as are relevant.

How are the laws and standards relevant to the business? Provide an analysis.

The student must identify and describe the cyber security laws and standards that are relevant to the business.

Their responses may refer to legislation, for example:

The Criminal Code Act 1995: this Act makes a number of cyber incidents illegal, e.g. hacking, denial of service and malware.

The Australian Federal Government's regulations relating to managing cybersecurity through the Notifiable Data Breach Scheme: the legislation requires many businesses to notify customers at risk of serious harm due to unauthorised access to personal and financial information.

Standards, for example:

ISO/IEC 27001 Information Security Management: this standard provides the requirements for an information security management system, enabling organisations to manage the security of assets, e.g. financial information, intellectual property etc.

The laws and standards are relevant to the business as they set standards and benchmarks that businesses need to meet to ensure their operations are secure. For example, failure to prevent, mitigate, manage or respond to an incident may result in a breach of the Corporations Act 2001 where an organisation has not exercised due care and diligence.

Current compliance strategies

Describe the cyber security compliance strategies that are currently in place and their effectiveness.

The student must describe current cyber security compliance strategies in place.

Timing and benchmarks

What will be the time period during which you will undertake your compliance assessment?

What benchmarks will you apply to the compliance assessment?

Give your rationale for both questions.

The student must set timing and benchmarks for the compliance assessment. For example: The compliance assessment will take place during one week.

The benchmarks that apply could include that, if significant non-compliance is identified, it will be critical to the organisation to implement any new compliances or to align to business activities immediately.

Section 2: Compliance assessment preparation

Compliance assessment questions

Develop at least 10 questions to find out about employees' knowledge of cyber security and compliance issues.

Document them here for use in the next activity.

The student must develop at least 10 questions to find out about employees' level of cyber security and compliance issues.

Survey questions can be open questions or closed questions where the student indicates their response on a scale.

An open question might be:

What is your understanding of the term cyber security?

A closed question might be:

Rate your understanding of cyber security according to the scale provided.

Students' questions need to find out as much as possible about cyber security awareness and practices so as to identify compliance issues. Questions could address areas such as:

Recognising security threats

Understanding how to avoid security risks

What to do if a security risk arises and how to deal with it

Understanding what cyber security risks can do to a company

Protecting themselves

Following compliance regulations and legislation

Using organisational policies and procedures to support cyber security in their job role

Understanding their responsibility toward cyber security in their work area

Section 3: Compliance assessment

Compliance assessment - survey

Describe your findings in relation to knowledge of cyber security and compliance issues.

The student must describe their findings in relation to the employee survey. This will be dependent on the discussion but may indicate non-compliances around lack of understanding of cyber security and compliance issues.

Discuss non-compliances and issues that need to be addressed.

Discuss your recommendations in relation to achieving compliance.

Compliance assessment - policy review

The student must describe their findings in relation to the policy review. They could determine that the information security policy is reasonable but needs to be stronger to embrace cyber security laws and standards.

Describe your findings in relation to review of the cyber security policy and procedure.

For example, including the eight essential mitigation strategies as recommended by the Australian Government and as at:

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained

Discuss non-compliances and issues that need to be addressed.

Discuss your recommendations in relation to achieving compliance.

And implementing the mitigation strategy as indicated at:

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details

And determining the maturity of the essential eight mitigation strategies as indicated at:

https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model

They could also recommend specific ideas for inclusion in the policy such as:

Updated information on password setting, e.g. how to store passwords, how often to update and the importance of unique passwords for different logins.

And 2 more recommendations.

Section 4: Compliance strategy

Compliance requirements

Describe all of the compliance requirements that the organisation must adhere to.

The student must describe all of the compliance requirements that the organisation must adhere to and their evaluation strategy to ensure this occurs.

E.g. Compliance requirements could relate to aligning to the ISO 27001 standards.

Evaluation Strategy

Document your evaluation strategy to ensure that all compliance requirements are met.

The student must document their evaluation strategy to ensure that all compliance requirements are met. This may include specific examples in relation to:

Key performance criteria/indicators, e.g. level of awareness of employees of cyber security compliance, survey conducted every 6 months.

Regular review of policies and procedures to see if they are following compliances identified, e.g. as policies and procedures change or annually.

Review of cyber incidents for reduction in threats or attacks to demonstrate compliance has been successful.

Review of risk assessment and risk management procedures and plans.

Annual audits to check compliance.

Submission

Write an email here to your assessor summarising the work in your Portfolio and seeking feedback.

Submit your Portfolio now to your assessor; they will review and provide you with feedback. Once this has occurred, complete the next section and submit your Portfolio.

Dear Assessor

I am pleased to provide you with my recommended compliance strategy for cyber security. I look forward to your feedback.

Kind regards,

Student's Name

Feedback

Write the feedback you received here and your response to the feedback.

This will be dependent on the feedback provided by the assessor. If there have been any suggestions for change, the student should make them.

  • Uploaded By : Nivesh
  • Posted on : May 14th, 2025