IFQ541 Team and Organisation Template
Assignment 2: Risk management report
Complete the following template as part of your submission for Assignment 2: Risk management report (Part A).
Student name: Dimitrios Vasiliadis
Organisation name: CyberArk.ltd
Name of the client organisation: Sydney Methodist Private Hospital
Template columns: Item; Details; Main points and comments (the main concepts, in point form, intended for the report); Supporting evidence (reference details for articles).

About your selected organisation

Industry: Healthcare. The organisation focuses on providing healthcare services including medical treatment, diagnostics, and preventive care.

Organisational size: Medium-sized hospital in Sydney with approximately 300 employees.

Products and/or services provided by your organisation: Medical treatment, diagnostic services, surgical procedures, emergency care, rehabilitation services. The hospital offers a wide range of healthcare services to patients including medical treatment, diagnostic testing, surgical interventions, emergency care, and rehabilitation programs.

Critical information assets: Patient health records, medical imaging data, physician orders, treatment plans, billing information. Patient health records contain sensitive medical information necessary for providing appropriate care. Medical imaging data aids in diagnosis and treatment planning. Physician orders and treatment plans guide patient care. Billing information is crucial for financial management.

Organisational objectives:
1. Provide high-quality patient care
2. Ensure patient safety and well-being
3. Maintain regulatory compliance
4. Enhance operational efficiency
The hospital aims to deliver high-quality patient care by prioritising safety, effectiveness, and compassion. Ensuring compliance with healthcare regulations and optimising operational processes are also key objectives.
How does your report topic relate to this organisation? Is there a similar real-life case?

Information security threats can compromise patient confidentiality, disrupt healthcare services, and lead to legal consequences (The New York Times, 2023). Implementing robust cybersecurity measures is essential to protect patient data and maintain trust with patients and regulatory authorities.

The August 2023 ransomware attack on Prospect Medical Holdings likely used methods such as phishing emails, system vulnerabilities, or compromised credentials. The motive was likely financial gain, as ransomware attacks typically involve demanding payment for restoring access (The New York Times, 2023). The attack impacted Prospect Medical Holdings and its affiliates across multiple states, disrupting various healthcare services (Avi-Yonah & Rempfer, 2023). While specific financial details were not provided, ransomware attacks can lead to significant losses (Brooks, 2023).

Reference details:
Avi-Yonah, S., & Rempfer, K. (2023). Cyberattack disrupts health-care systems services in several states. The Washington Post. https://www.washingtonpost.com/technology/2023/08/05/cyberattack-hospital-system-california-ransomware/
Brooks, K. J. (2023). Cyberattack causes multiple hospitals to shut emergency rooms and divert ambulances. CBS News. https://www.cbsnews.com/news/prospect-medical-cyberattack-california-pennsylvania-hospital/
The New York Times. (2023). Cyberattack on hospitals in California forces some to close. https://www.nytimes.com/2023/08/05/us/cyberattack-hospitals-california.html

Complete the following teamwork discussion agreement
Student names: Anrio Carver; Sam Hashmi
Did you form a team agreement using the teamwork agreement template provided? Yes; Yes
Risk register (original table columns: Threat; Threat agent; Intentionality; Asset; Asset value; EF, ARO; Vulnerability; Exploit; Org. risk impact (High, Medium, Low); Mitigation; Justification; Annualised control cost)

Ransomware Attack
  Threat agent / intentionality: Human / Intentional
  Asset / asset value: User workstations / $50,000
  EF, ARO: 40%, 12
  Vulnerability: Anti-malware software not up to date
  Exploit: User opens attachment from unknown email (containing ransomware)
  Org. risk impact: High
  Mitigation: Install up-to-date internet security software
  Justification: Detects malware and prevents installation
  Annualised control cost: $24,000

Insider Data Theft
  Threat agent / intentionality: Employees / Intentional or unintentional
  Asset / asset value: Customer data / $100,000
  EF, ARO: 30%, 10
  Vulnerability: Lack of access controls, inadequate monitoring
  Exploit: Unauthorised access, misuse of privileges, negligent handling
  Org. risk impact: High
  Mitigation: Implement strict access controls, conduct regular employee training, monitor employee activities
  Justification: Reduce likelihood of insider threats, mitigate impact on organisation and customers
  Annualised control cost: $30,000

Phishing Attacks
  Threat agent / intentionality: External cybercriminals / Intentional
  Asset / asset value: Employee email accounts / $80,000
  EF, ARO: 25%, 8
  Vulnerability: Lack of employee awareness/training
  Exploit: Employees falling victim to phishing emails
  Org. risk impact: Medium
  Mitigation: Employee cybersecurity training programs
  Justification: Reduce susceptibility to social engineering attacks
  Annualised control cost: $4,000

Outdated Software
  Threat agent / intentionality: Technology / Unintentional
  Asset / asset value: IT systems / $150,000
  EF, ARO: 35%, 10
  Vulnerability: Failure to regularly update software
  Exploit: Exploitation of known vulnerabilities in outdated software
  Org. risk impact: High
  Mitigation: Regular software updates and security patches
  Justification: Reduce susceptibility to cyberattacks
  Annualised control cost: $52,500

Inadequate Security Controls
  Threat agent / intentionality: System weaknesses / Unintentional
  Asset / asset value: Data storage systems / $200,000
  EF, ARO: 30%, 9
  Vulnerability: Insufficient security measures
  Exploit: Attackers exploiting weaknesses in security controls
  Org. risk impact: High
  Mitigation: Enhance access controls, encryption, and authentication mechanisms
  Justification: Prevent unauthorised access and data breaches
  Annualised control cost: $54,000

Lack of Employee Training
  Threat agent / intentionality: Human / Unintentional
  Asset / asset value: Employee knowledge / $80,000
  EF, ARO: 20%, 6
  Vulnerability: Employees lacking awareness of cybersecurity best practices
  Exploit: Unintentional actions leading to security breaches
  Org. risk impact: Medium
  Mitigation: Regular cybersecurity training programs
  Justification: Increase employee awareness of security risks
  Annualised control cost: $6,000
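The table lists asset value (AV), exposure factor (EF), annualised rate of occurrence (ARO) and an annualised control cost for each threat, but never carries the arithmetic through. The following is an added worked example, not part of the template, that applies the standard quantitative formulas SLE = AV x EF and ALE = SLE x ARO to the six rows above, ranks the threats by ALE, and checks each control against its cost. The table gives no post-control EF or ARO, so the `reduction` argument (the share of ALE a control is expected to remove) is an assumption the analyst must supply; the break-even figure shows how effective a control has to be before its cost is justified.

```python
"""Quantitative risk arithmetic for the risk register above.

Added worked example. The row values are transcribed from the table;
SLE/ALE are the standard single/annualised loss expectancy formulas.
The control-effectiveness figure passed to cost_justified() is an
assumption, because the table gives no post-control EF or ARO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    threat: str
    asset_value: int    # AV in dollars
    ef_percent: int     # exposure factor, % of AV lost per incident
    aro: int            # annualised rate of occurrence, incidents/year
    control_cost: int   # annualised control cost in dollars

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.ef_percent / 100

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year, no control."""
        return self.sle * self.aro

    def break_even_reduction(self) -> float:
        """Fraction of ALE the control must remove just to pay for itself."""
        return self.control_cost / self.ale

    def net_benefit(self, reduction: float) -> float:
        """Annual saving minus control cost, for an assumed ALE reduction (0..1)."""
        return self.ale * reduction - self.control_cost


# Transcribed from the risk register (EF as a percentage, as in the table).
RISK_TABLE = [
    RiskRow("Ransomware Attack", 50_000, 40, 12, 24_000),
    RiskRow("Insider Data Theft", 100_000, 30, 10, 30_000),
    RiskRow("Phishing Attacks", 80_000, 25, 8, 4_000),
    RiskRow("Outdated Software", 150_000, 35, 10, 52_500),
    RiskRow("Inadequate Security Controls", 200_000, 30, 9, 54_000),
    RiskRow("Lack of Employee Training", 80_000, 20, 6, 6_000),
]


def ale_table(rows):
    """Map threat name -> ALE in dollars."""
    return {r.threat: r.ale for r in rows}


def rank_by_ale(rows):
    """Threats ordered from largest to smallest annualised loss expectancy."""
    return sorted(rows, key=lambda r: r.ale, reverse=True)


def cost_justified(row: RiskRow, reduction: float) -> bool:
    """True when the assumed ALE reduction is worth more than the control costs."""
    return row.net_benefit(reduction) > 0


if __name__ == "__main__":
    for r in rank_by_ale(RISK_TABLE):
        print(f"{r.threat:30} SLE ${r.sle:>9,.0f}  ALE ${r.ale:>9,.0f}  "
              f"control ${r.control_cost:>7,.0f}  "
              f"break-even reduction {r.break_even_reduction():.0%}")
```

Ranking by ALE rather than by the qualitative High/Medium column changes the picture: "Inadequate Security Controls" and "Outdated Software" carry the largest expected annual loss, and every control in the table breaks even if it removes 10% or less of its row's ALE, which is a useful sanity check on whether the chosen control costs are plausible.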
5.6 Activity 1: RACI chart
Step 1: RACI

Ransomware Attack
  Functional roles: IT Security Specialist, System Administrator, End Users
  R: IT Security Specialist, System Administrator, End Users
  A: IT Security Specialist, System Administrator
  C: IT Security Specialist, System Administrator
  I: End Users

Insider Data Theft
  Functional roles: IT Security Specialist, Database Administrator, System Administrator, Compliance Officer
  R: IT Security Specialist, Database Administrator, System Administrator
  A: IT Security Specialist, Compliance Officer
  C: IT Security Specialist, Compliance Officer
  I: Database Administrator, System Administrator

Phishing Attacks
  Functional roles: IT Security Specialist, Email Administrator, End Users
  R: IT Security Specialist, Email Administrator, End Users
  A: IT Security Specialist, Email Administrator
  C: IT Security Specialist, Email Administrator
  I: End Users

Outdated Software
  Functional roles: IT Security Specialist, System Administrator, Network Administrator
  R: IT Security Specialist, System Administrator, Network Administrator
  A: IT Security Specialist, System Administrator
  C: IT Security Specialist, System Administrator
  I: Network Administrator

Inadequate Security Controls
  Functional roles: IT Security Specialist, System Administrator, Network Administrator, Compliance Officer
  R: IT Security Specialist, System Administrator, Network Administrator
  A: IT Security Specialist, Compliance Officer
  C: IT Security Specialist, Compliance Officer
  I: System Administrator, Network Administrator

Lack of Employee Training
  Functional roles: IT Security Specialist, HR Manager, Training Coordinator, End Users
  R: IT Security Specialist, HR Manager, Training Coordinator
  A: IT Security Specialist, Training Coordinator
  C: IT Security Specialist, Training Coordinator
  I: End Users
Step 2
Responsible (R):
The IT Security Specialist is responsible for developing the content and structure of the training program. They possess the technical expertise and understanding of cybersecurity principles necessary to design effective training modules tailored to the organization's specific needs.
The System Administrator is responsible for facilitating the deployment and management of the training program. They ensure that the training platform is set up correctly, user accounts are created, and technical support is provided as needed.
Accountable (A):
The IT Security Specialist is designated as accountable because they oversee the entire training initiative. They are ultimately responsible for ensuring that the program meets its objectives, aligns with organizational goals, and effectively addresses the threat of phishing attacks.
The System Administrator is accountable for the execution of the training program. While they may not have the final decision-making authority, they play a crucial role in ensuring that the technical aspects of the program run smoothly and efficiently.
Consulted (C) or Informed (I):
Compliance Officers may be consulted to ensure that the training program adheres to relevant regulatory requirements and industry standards. Their input helps ensure that the program meets compliance obligations and mitigates legal risks associated with inadequate training.
End Users are informed about the training program as they are the primary audience. Their participation and engagement are essential for the success of the initiative. Keeping them informed builds awareness and encourages active involvement in combating phishing threats.
Step 3: ????
IFQ541 Information Security Management
Assignment 2: Risk management report (Part B)
Team/Individual task: Team
Word limit: 3600 words including tables (+/- 10%)
Weighting: 35%
Due date: 11.59pm AEST Sunday 24 March 2024 (Week 7)
After you have read this information, head over to the Assignment 2 Q&A discussion board (https://canvas.qutonline.edu.au/courses/1498/discussion_topics/122587) to ask any questions and see what your peers are saying about this assignment.
Assignment overview
For this assignment, you will work in a team of three to write a risk management report which provides advice to a client (the CEO) about how to manage the risk of information security threats to their organisation. Your report should briefly describe the hypothetical organisation, provide a comprehensive explanation of information security threats, discuss the threats and vulnerabilities associated with information security threats about your client, and the controls that you recommend should be applied to mitigate these kinds of security risks.
This assignment supports unit learning outcomes 1, 3, 4, 5 and 6.
The use of artificial intelligence tools (for example ChatGPT) is not permitted in any assessment in this unit. The use of such tools when not authorised may be treated as a breach of MOPP C/5.3 Academic integrity (https://www.mopp.qut.edu.au/C/C_05_03.jsp) and appropriate penalties imposed.
Assignment details
As in Assignment 2: Risk management report (Part A), your report will be based on the following scenario, although here you will incorporate more discussion and analysis and provide recommendations:
You are an employee of an information security consultancy company. Following recent news stories about organisations being badly impacted by various information security threats, the Chief Executive Officer (CEO) of a local organisation has asked your company for advice about how to manage the risk that such threats represent to their organisation. You and your team are assigned the task of providing a risk management plan to the client (the CEO) in the form of a risk management report.
Watch the following video where Tony Rhodes explains the assignment in more detail. Once you have finished watching the video explore each phase before beginning your report.
Assignment 2B overview (2022) courtesy of Dr Tony Rhodes
The following phases will help you and your team to complete your risk management report. Read each carefully before you begin your report writing.
Phase 1: Understand the context of the organisation you are advising
Summarise the relevant data on your chosen organisation, including industry sector, size of the organisation, its products and services, and their business objectives and critical information assets. Use the template in Assignment 1: Risk management report to complete your team and organisation document.
Note: This should have been completed in Assignment 1: Risk management report (Part A). If you haven't completed this task, ensure that you go back to complete and submit it before continuing this assignment.
Report structure
This report should be written to your client (CEO) and structured as follows:
Title page.
Table of contents.
Introduction (500 words approx)
A description of the client organisation and the context. This should include:
the name of the client organisation
the size of the organisation
the industry the client organisation is in
the products and/or services the client organisation provides.
Discuss why it is important for management to be knowledgeable about cybersecurity, and specifically which cyberthreats are important to your client organisation. Note how these threats relate to the organisation's business objectives.
Risk management plan
Section 1: Threats vulnerability mitigation table
Complete 4.8 Activity 1: Threat, vulnerability, and mitigation table.
Include 6 threats and vulnerabilities (2 TV pairs per student; for example, 4 TV pairs are required for a group with two members, 8 TV pairs for a group with 4 members).
Briefly explain for each of your 6 threats (T) and vulnerabilities (V) how they specifically relate to your organisation. For example, in the context of your organisation, why are these TV pairs relevant (300 words approx).
Section 2: RACI Chart
Complete 5.6 Activity 1: RACI chart.
Include one risk mitigation for each threat and vulnerability pair.
Justify the activities you assigned the R and A roles. Consider why you assigned this person (for example, the IT Manager) the role of R and another person the role of A for that activity/mitigation. You will also need to explain why you allocated any C or I roles for these activities (600 words approx).
Section 3: Analysis and recommendations
Complete 6.11 Activity 1: Analysis and recommendations.
Complete the analysis and recommendations for all 6 items.
Analyse the data you have collected and write recommendations, with justification, outlining to management what actions they could/should take now and in the future. Include how these recommendations will ensure that the client company will be safe and secure from the risk environment that they are currently encountering (Hint: you may want to consider the organisation's risk appetite) (500 words approx).
Appendix: Teamwork reflection
Critically reflect (250 words approx) on how your group developed this report. Record observations about:
your team processes
how you organised meetings
how you negotiated and allocated tasks across the phases of the investigation to make the best use of each team member's strengths
the extent to which the planned tasks were carried out.
Reflect on both the planning and group performance, clearly state (250 words approx):
what your group thought worked well
what your group thought didn't work well or was the least effective aspect of your group's teamwork
what your group learned that could be used to improve group effectiveness/group dynamics in the future.
References
Note on academic writing
An important aspect of this assignment is locating relevant information, either in online resources or in print media. However, it is also important that the report is written in your own words. Do not just 'cut and paste' or copy information from any source into your report; that is considered plagiarism (a breach of academic integrity) and is not acceptable in Australian universities.
Supporting resources
4.8 Activity 1: Threat, vulnerability, and mitigation table.
5.6 Activity 1: RACI chart.
6.11 Activity 1: Analysis and recommendations.
IFQ541 Assignment 2 Part B common mistakes: Download IFQ541 Assignment 2 Part B common mistakes. Use this document to help you understand the marking guide.
The following chapters from the text Management of information security (Whitman & Mattord, 2019) are complementary readings; you are not required to read through each:
Chapter 1: Introduction to the management of information security (pp. 1–62).
Chapter 6: Risk management: Assessing Risk (pp. 303–364).
Chapter 7: Risk management: Treating Risk (pp. 365–410).
QUT cite|write: How to write a report.
QUT cite|write: APA.
References
Australian Bureau of Statistics. (2013, June 26). Division definitions. https://www.abs.gov.au/ausstats/abs@.nsf/Latestproducts/0C2B177A0259E8FFCA257B9500133E10?opendocument
Whitman, M. E. & Mattord, H. J. (2019).Management of information security. Cengage Learning.
Assignment criteria
Conduct industry research for clients.
Identify, critically evaluate and justify security risks.
Critical analysis of vulnerabilities and potential impact.
Make and justify recommendations.
Professional written communication skills.
Referencing.
Sydney Methodist Private Hospital
RISK MANAGEMENT
REPORT
QUT 2024
Table of Contents
Introduction
Risk management plan
Section 1: Threats vulnerability mitigation table
Section 2: RACI Chart
Section 3: Analysis and recommendations
Conclusion
Appendix: Teamwork reflection
Critically reflect
Reflect on both the planning and group performance
References
Introduction (500 words approx)
A description of the client organisation and the context. This should include:
the name of the client organisation
the size of the organisation
the industry the client organisation is in
the products and/or services the client organisation provides.
Discuss why it is important for management to be knowledgeable about cybersecurity, and specifically which cyberthreats are important to your client organisation. Note how these threats relate to the organisation's business objectives.
Risk management plan
Section 1: Threats vulnerability mitigation table
Complete 4.8 Activity 1: Threat, vulnerability, and mitigation table.
Include 6 threats and vulnerabilities (2 TV pairs per student; for example, 4 TV pairs are required for a group with two members, 8 TV pairs for a group with 4 members).
Briefly explain for each of your 6 threats (T) and vulnerabilities (V) how they specifically relate to your organisation. For example, in the context of your organisation, why are these TV pairs relevant (300 words approx).
Section 2: RACI Chart
Complete 5.6 Activity 1: RACI chart.
Include one risk mitigation for each threat and vulnerability pair.
Justify the activities you assigned the R and A roles. Consider why you assigned this person (for example, the IT Manager) the role of R and another person the role of A for that activity/mitigation. You will also need to explain why you allocated any C or I roles for these activities (600 words approx).
Section 3: Analysis and recommendations
Complete 6.11 Activity 1: Analysis and recommendations.
Complete the analysis and recommendations for all 6 items.
Analyse the data you have collected and write recommendations, with justification, outlining to management what actions they could/should take now and in the future. Include how these recommendations will ensure that the client company will be safe and secure from the risk environment that they are currently encountering (Hint: you may want to consider the organisation's risk appetite) (500 words approx).
Appendix: Teamwork reflection
Critically reflect (250 words approx) on how your group developed this report. Record observations about:
your team processes
how you organised meetings
how you negotiated and allocated tasks across the phases of the investigation to make the best use of each team member's strengths
the extent to which the planned tasks were carried out.
Reflect on both the planning and group performance, clearly state (250 words approx):
what your group thought worked well
what your group thought didn't work well or was the least effective aspect of your group's teamwork
what your group learned that could be used to improve group effectiveness/group dynamics in the future.
References
Australian Bureau of Statistics. (2013, June 26). Division definitions. https://www.abs.gov.au/ausstats/abs@.nsf/Latestproducts/0C2B177A0259E8FFCA257B9500133E10?opendocument
Whitman, M. E. & Mattord, H. J. (2019).Management of information security. Cengage Learning.
Thompson, E. (2018).Cybersecurity incident response. Apress.https://doi.org/10.1007/978-1-4842-3870-7
UpGuard. (2020).What are the CIS controls for effective cyber defense?https://www.upguard.com/blog/cis-controls
Action Fraud. (2016, July 5).How private is your personal information?[Video]. YouTube. https://www.youtube.com/watch?v=yrjT8m0hcKU
Australian Government. (2021).Stay smart online.https://www.directory.gov.au/portfolios/defence/department-defence/stay-smart-online
Australian Government. (n.d.-a.).What is privacy?https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-privacy/
Australian Government. (n.d.-b.).What is personal information?https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information/
Australian Information Security Association. (n.d.).AISA.https://www.aisa.org.au/
Australian Women in Security Network. (2020).AWSN.https://www.awsn.org.au/
Firoiu, M. (2015). General considerations on risk management and information system security assessment according to ISO/IEC 27005:2011 and ISO 31000:2009 standards.Acces la Success; Bucharest 16(149), pp. 9397.
Grosslight, K. (2010, January 14).Minimize risk by maximizing accountability. CSO. https://www.csoonline.com/article/2124764/minimize-risk-by-maximizing-accountability.html
Guardian News. (2020, January 22).Jeff Bezos, the Saudi crown prince, and the alleged phone-hacking plot[Video]. YouTube. https://www.youtube.com/watch?time_continue=2&v=IPmbjXZSuXQ&feature=emb_logo
Hak5. (2017, September 12).Equifax hacked! Your social security number is probably public - threat wire[Video]. YouTube. https://www.youtube.com/watch?v=nrU6BoeixhY&feature=youtu.be&start=42
ISO/IEC. (2018).International standard 27000. Information technology Security techniques Information security management systems Overview and vocabulary. https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
Kirchgaessner, S. (2020, January 22).Jeff Bezos hack: Amazon boss's phone 'hacked by Saudi crown prince. The Guardian. https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
Krebs. (2020).Krebs on security.https://krebsonsecurity.com/
National Cyber Security Centre. (n.d.).https://www.ncsc.gov.uk/
O'Donnell, L. (2020, February 3).Ashley Madison breach extortion scam targets hundreds. Threat Post. https://threatpost.com/ashley-madison-breach-extortion-scam-targets-hundreds/152481/
Office of the Australian Information Commissioner. (n.d.).Consent to the handling of personal information.https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/consent-to-the-handling-of-personal-information/
Online Cambridge English Dictionary. (2020).Reputation.https://dictionary.cambridge.org/dictionary/english/reputation
Payment Card Industry Security Standards Council. (2018, May). Payment Card Industry (PCI) data security standard. Requirements and security assessment procedures. Version 3.2.1. Payment Card Industry Security Standards Council.
Queensland Government. (2018).ICT risk matrix. Queensland Government Enterprise Architecture. https://www.qgcio.qld.gov.au/information-on/ict-risk-management/ict-risk-matrix
The Register. (2020).Security. https://www.theregister.com/security
Rhysider. (2020).Darknet diaries. https://darknetdiaries.com/
Risky Business. (2020).The risky business podcast. https://risky.biz/
SANS Institute. (2020).Newsletters: Newsbites. https://www.sans.org/newsletters/newsbites.
Schneier on Security. (2020).Crypto-gram newsletter. https://www.schneier.com/crypto-gram/
Spark Media Solutions. (2019).Introducing defense in depth podcast.https://cisoseries.com/introducing-defense-in-depth-podcast/
Standards Australia. (2011).ISO/IEC 27005:2011 Information technology Security techniques Information security risk management. Standards Australia Ltd./Standards New Zealand.
Waring, A. (2016).Corporate risk and governance: An end to mismanagement, tunnel vision and quackery.Routledge.
Whooshkaa. (n.d.).Cyber security cafe.https://player.whooshkaa.com/shows/cyber-security-caf
How does your report topic relate to this organisation?
Is there a similar real-life case?
Information security threats can compromise patient confidentiality, disrupt healthcare services, and lead to legal consequences (The New York Times, 2023). Implementing robust cybersecurity measures is essential to protect patient data and maintain trust with patients and regulatory authorities.
The 2023 cyberattack on Prospect Medical Holdings likely used methods such as phishing emails, system vulnerabilities, or compromised credentials. The motive was likely financial gain, as ransomware attacks typically involve demanding payment for restoring access (The New York Times, 2023). The attack affected Prospect Medical Holdings and its affiliates across multiple states, disrupting various healthcare services (Avi-Yonah & Rempfer, 2023). While specific financial details were not provided, ransomware attacks can lead to significant losses (Brooks, 2023).
Reference Details:
Avi-Yonah, S., & Rempfer, K. (2023). Cyberattack disrupts health-care systems services in several states. The Washington Post. https://www.washingtonpost.com/technology/2023/08/05/cyberattack-hospital-system-california-ransomware/
Brooks, K. J. (2023). Cyberattack causes multiple hospitals to shut emergency rooms and divert ambulances. CBS News. https://www.cbsnews.com/news/prospect-medical-cyberattack-california-pennsylvania-hospital/
The New York Times. (2023). Cyberattack on Hospitals in California Forces Some to Close. https://www.nytimes.com/2023/08/05/us/cyberattack-hospitals-california.html
Complete the following teamwork discussion agreement
Student Names: Anrio Carver, Sam Hashmi
Did you form a team agreement using the teamwork agreement template provided? Yes Yes
Sydney Methodist Private Hospital
RISK MANAGEMENT REPORT
QUT 2024
Table of Contents
Introduction
Risk management plan
Section 1: Threats vulnerability mitigation table
Section 2: RACI Chart
Section 3: Analysis and recommendations
Conclusion
Appendix: Teamwork reflection
Critically reflect
Reflect on both the planning and group performance
References
Introduction (500 words approx)
A description of the client organisation and the context. This should include:
the name of the client organisation
the size of the organisation
the industry the client organisation is in
the products and/or services the client organisation provides.
Discuss why it is important for management to be knowledgeable about cybersecurity, and specifically which cyberthreats are important to your client organisation. Note how these threats relate to the organisation's business objectives.
Risk management plan
Section 1: Threats vulnerability mitigation table
Complete 4.8 Activity 1: Threat, vulnerability, and mitigation table.
Include 6 threats and vulnerabilities (2 TV pairs per student; for example, 4 TV pairs are required for a group with two members, 8 TV pairs for a group with 4 members).
Briefly explain for each of your 6 threats (T) and vulnerabilities (V) how they specifically relate to your organisation. For example, in the context of your organisation, why are these TV pairs relevant? (300 words approx)
Section 2: RACI Chart
Complete 5.6 Activity 1: RACI chart.
Include one risk mitigation for each threat and vulnerability pair.
Justify the activities you assigned the R and A roles. Consider why you assigned this person (for example, the IT Manager) the role of R and another person the role of A for that activity/mitigation. You will also need to explain why you allocated any C or I roles for these activities (600 words approx).
Section 3: Analysis and recommendations
Complete 6.11 Activity 1: Analysis and recommendations.
Complete the analysis and recommendations for all 6 items.
Analyse the data you have collected and write recommendations, with justification, outlining to management what actions they could/should take now and in the future. Include how these recommendations will ensure that the client company will be safe and secure from the risk environment that they are currently encountering (Hint: you may want to consider the organisation's risk appetite) (500 words approx).
Appendix: Teamwork reflection
Critically reflect (250 words approx) on how your group developed this report. Record observations about:
your team processes
how you organised meetings
how you negotiated and allocated tasks across the phases of the investigation to make the best use of each team member's strengths
the extent to which the planned tasks were carried out.
Reflect on both the planning and group performance, clearly stating (250 words approx):
what your group thought worked well
what your group thought didn't work well or was the least effective aspect of your group's teamwork
what your group learned that could be used to improve group effectiveness/group dynamics in the future.
References
Threat, vulnerability and mitigation table
Columns: Threat | Threat Agent | Intentionality | Asset | Asset Value | EF, ARO | Vulnerability | Exploit | Org. Risk Impact (High, Medium, Low) | Mitigation | Justification | Annualised Control Cost

TV1: Ransomware Attack
Threat agent: Human (Intentional)
Asset: User Workstations (office workstations in various departments)
Asset value: $50,000
EF, ARO: 40%, 12
Vulnerability: Anti-malware software not up to date
Exploit: User opens attachment from unknown email (containing ransomware)
Org. risk impact: H
Mitigation: Install up-to-date internet security software
Justification: Detects malware and prevents installation
Annualised control cost: $24,000

TV2: Insider Data Theft
Threat agent: Employees (Intentional or Unintentional)
Asset: Customer Data (Customer Relationship Management (CRM) Systems)
Asset value: $100,000
EF, ARO: 30%, 10
Vulnerability: Lack of access controls, inadequate monitoring
Exploit: Unauthorized access, misuse of privileges, negligent handling
Org. risk impact: H
Mitigation: Implement strict access controls, conduct regular employee training, monitor employee activities
Justification: Reduce likelihood of insider threats, mitigate impact on organization and customers
Annualised control cost: $30,000

TV3: Phishing Attacks
Threat agent: External Cybercriminals (Intentional)
Asset: Employee Email Accounts (cloud-based email service provider)
Asset value: $80,000
EF, ARO: 25%, 8
Vulnerability: Lack of employee awareness/training
Exploit: Employees falling victim to phishing emails
Org. risk impact: M
Mitigation: Employee cybersecurity training programs
Justification: Reduce susceptibility to social engineering attacks
Annualised control cost: $4,000

TV4: Outdated Software
Threat agent: Technology (Unintentional)
Asset: IT Systems (server rooms)
Asset value: $150,000
EF, ARO: 35%, 10
Vulnerability: Failure to regularly update software
Exploit: Exploitation of known vulnerabilities in outdated software
Org. risk impact: H
Mitigation: Regular software updates and security patches
Justification: Reduce susceptibility to cyberattacks
Annualised control cost: $52,500

TV5: Inadequate Security Controls
Threat agent: System Weaknesses (Unintentional)
Asset: Data Storage Systems (Network-Attached Storage (NAS) devices or Storage Area Networks (SANs))
Asset value: $200,000
EF, ARO: 30%, 9
Vulnerability: Insufficient security measures
Exploit: Attackers exploiting weaknesses in security controls
Org. risk impact: H
Mitigation: Enhance access controls, encryption, and authentication mechanisms
Justification: Prevent unauthorized access and data breaches
Annualised control cost: $54,000

TV6: Lack of Employee Training
Threat agent: Human (Unintentional)
Asset: Employee Knowledge (Learning Management Systems)
Asset value: $80,000
EF, ARO: 20%, 6
Vulnerability: Employees lacking awareness of cybersecurity best practices
Exploit: Unintentional actions leading to security breaches
Org. risk impact: M
Mitigation: Regular cybersecurity training programs
Justification: Increase employee awareness of security risks
Annualised control cost: $6,000
5.6 Activity 1: RACI chart
Step 1: R.A.C.I
Columns: Threat | Functional Roles | Responsibilities

Ransomware Attack
Functional roles: IT Security Specialist, System Administrator, End Users
R: IT Security Specialist, System Administrator, End Users
A: IT Security Specialist, System Administrator
C: IT Security Specialist, System Administrator
I: End Users

Insider Data Theft
Functional roles: IT Security Specialist, Database Administrator, System Administrator, Compliance Officer
R: IT Security Specialist, Database Administrator, System Administrator
A: IT Security Specialist, Compliance Officer
C: IT Security Specialist, Compliance Officer
I: Database Administrator, System Administrator

Phishing Attacks
Functional roles: IT Security Specialist, Email Administrator, End Users
R: IT Security Specialist, Email Administrator, End Users
A: IT Security Specialist, Email Administrator
C: IT Security Specialist, Email Administrator
I: End Users

Outdated Software
Functional roles: IT Security Specialist, System Administrator, Network Administrator
R: IT Security Specialist, System Administrator, Network Administrator
A: IT Security Specialist, System Administrator
C: IT Security Specialist, System Administrator
I: Network Administrator

Inadequate Security Controls
Functional roles: IT Security Specialist, System Administrator, Network Administrator, Compliance Officer
R: IT Security Specialist, System Administrator, Network Administrator
A: IT Security Specialist, Compliance Officer
C: IT Security Specialist, Compliance Officer
I: System Administrator, Network Administrator

Lack of Employee Training
Functional roles: IT Security Specialist, HR Manager, Training Coordinator, End Users
R: IT Security Specialist, HR Manager, Training Coordinator
A: IT Security Specialist, Training Coordinator
C: IT Security Specialist, Training Coordinator
I: End Users
Step 2
Responsible (R):
The IT Security Specialist is responsible for developing the content and structure of the training program. They possess the technical expertise and understanding of cybersecurity principles necessary to design effective training modules tailored to the organization's specific needs.
The System Administrator is responsible for facilitating the deployment and management of the training program. They ensure that the training platform is set up correctly, user accounts are created, and technical support is provided as needed.
Accountable (A):
The IT Security Specialist is designated as accountable because they oversee the entire training initiative. They are ultimately responsible for ensuring that the program meets its objectives, aligns with organizational goals, and effectively addresses the threat of phishing attacks.
The System Administrator is accountable for the execution of the training program. While they may not have the final decision-making authority, they play a crucial role in ensuring that the technical aspects of the program run smoothly and efficiently.
Consulted (C) or Informed (I):
Compliance Officers may be consulted to ensure that the training program adheres to relevant regulatory requirements and industry standards. Their input helps ensure that the program meets compliance obligations and mitigates legal risks associated with inadequate training.
End Users are informed about the training program as they are the primary audience. Their participation and engagement are essential for the success of the initiative. Keeping them informed builds awareness and encourages active involvement in combating phishing threats.
Step 3: ????
6.11 Activity 1: Analysis and recommendations
Likelihood, Impact and Risk Value associated with the assets and threats.
Columns: TV pair (from section 1) | Critical, Normal, Minor? | Likelihood (within the next 12 months) (0-100) | Impact (0-1) | Risk Value
TV1 | Critical | 76 | 0.6 | 45.6
TV2 | Critical | 88 | 0.9 | 79.2
TV3 | Normal | 60 | 0.8 | 48
TV4 | Critical | 80 | 1 | 80
TV5 | Critical | 90 | 1 | 90
TV6 | Normal | 50 | 0.7 | 35
Risk value bands: Critical 75-100; Normal 30-74; Minor 1-29
Cost Benefit Analysis
Columns: TV pair | Asset | Asset valuation (AV) | Exposure factor (EF) | Single loss expectancy (SLE = AV*EF) | Annual rate of occurrence, pre-control (ARO) | Annualised loss expectancy, pre-control (ALE = SLE*ARO) | Annualised control cost (ACC) | Annual rate of occurrence, post-control (ARO1) | Annualised loss expectancy, post-control (ALE = SLE*ARO1) | Cost benefit analysis (CBA = ALEpre - ALEpost - ACC)
TV1 | User Workstations | $50,000 | 40% | $20,000 | 12 | $240,000 | $100,000 | 6 | $120,000 | $20,000
TV2 | Customer Data | $100,000 | 30% | $30,000 | 10 | $300,000 | $80,000 | 5 | $150,000 | $70,000
TV3 | Employee Email Accounts | $80,000 | 25% | $20,000 | 8 | $160,000 | $70,000 | 4 | $80,000 | $10,000
TV4 | IT Systems | $150,000 | 35% | $52,500 | 10 | $525,000 | $100,000 | 5 | $262,500 | $162,500
TV5 | Data Storage Systems | $200,000 | 30% | $60,000 | 9 | $540,000 | $120,000 | 3 | $180,000 | $240,000
TV6 | Employee Knowledge | $80,000 | 20% | $16,000 | 6 | $96,000 | $60,000 | 2 | $32,000 | $4,000
Total CBA: $506,500
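The two tables above apply the formulas given in their column headings (Risk Value = Likelihood x Impact; SLE = AV*EF; ALE = SLE*ARO; CBA = ALEpre - ALEpost - ACC). The Python block below is an added worked example, not part of the report or the unit materials: it recomputes every row from the table inputs, totals the CBA, and flags any TV pair whose computed risk value falls outside the band of the category assigned from its section 1 impact rating (the consistency rule the common mistakes guide describes). The ACC figures used are those of the cost-benefit table, which differ from the annualised control cost column in section 1; the class and function names are this example's own.

```python
"""Risk value, ALE and CBA for the six TV pairs in this report.

Added worked example (not part of the report template). The figures are the
report's own table values, embedded here so the block runs offline.
"""
from dataclasses import dataclass

# Risk-value bands from the likelihood/impact table.
BANDS = {"Critical": (75, 100), "Normal": (30, 74), "Minor": (1, 29)}

# Section 1 rates organisational risk impact as H/M/L; the guide maps H to Critical.
IMPACT_TO_CATEGORY = {"H": "Critical", "M": "Normal", "L": "Minor"}


@dataclass(frozen=True)
class TVPair:
    name: str           # TV1..TV6
    asset: str
    impact_letter: str  # Org. risk impact from section 1 (H/M/L)
    likelihood: int     # 0-100, chance of occurrence in the next 12 months
    impact: float       # 0-1
    av: int             # asset value, dollars
    ef_pct: int         # exposure factor as a whole percentage
    aro_pre: int        # annual rate of occurrence before the control
    acc: int            # annualised control cost, dollars (CBA table figure)
    aro_post: int       # nominated annual rate of occurrence after the control

    @property
    def category(self) -> str:
        return IMPACT_TO_CATEGORY[self.impact_letter]

    def risk_value(self) -> float:
        # Risk value = likelihood x impact, as in the matrix table.
        return round(self.likelihood * self.impact, 1)

    def band(self) -> str:
        """Band the computed risk value actually falls in."""
        rv = self.risk_value()
        for cat, (lo, hi) in BANDS.items():
            if lo <= rv <= hi:
                return cat
        return "Minor"  # values below 1 are treated as the lowest band

    def sle(self) -> int:
        return self.av * self.ef_pct // 100   # SLE = AV * EF (integer dollars)

    def ale_pre(self) -> int:
        return self.sle() * self.aro_pre      # ALE = SLE * ARO

    def ale_post(self) -> int:
        return self.sle() * self.aro_post     # ALE = SLE * ARO1

    def cba(self) -> int:
        return self.ale_pre() - self.ale_post() - self.acc


PAIRS = [
    TVPair("TV1", "User Workstations",       "H", 76, 0.6,  50_000, 40, 12, 100_000, 6),
    TVPair("TV2", "Customer Data",           "H", 88, 0.9, 100_000, 30, 10,  80_000, 5),
    TVPair("TV3", "Employee Email Accounts", "M", 60, 0.8,  80_000, 25,  8,  70_000, 4),
    TVPair("TV4", "IT Systems",              "H", 80, 1.0, 150_000, 35, 10, 100_000, 5),
    TVPair("TV5", "Data Storage Systems",    "H", 90, 1.0, 200_000, 30,  9, 120_000, 3),
    TVPair("TV6", "Employee Knowledge",      "M", 50, 0.7,  80_000, 20,  6,  60_000, 2),
]


def by_name(name: str) -> TVPair:
    return next(p for p in PAIRS if p.name == name)


def total_cba() -> int:
    return sum(p.cba() for p in PAIRS)


def category_mismatches() -> list[str]:
    """TV pairs whose computed risk value lies outside the band of the
    category assigned from their section 1 impact rating."""
    return [p.name for p in PAIRS if p.band() != p.category]


if __name__ == "__main__":
    for p in PAIRS:
        print(f"{p.name} {p.asset:<24} risk={p.risk_value():>5} "
              f"({p.category}/{p.band()}) SLE={p.sle():>7,} "
              f"ALEpre={p.ale_pre():>8,} ALEpost={p.ale_post():>8,} CBA={p.cba():>8,}")
    print("Total CBA:", f"{total_cba():,}")
    print("Category/risk-value mismatches:", category_mismatches())
```

Run as a script it reproduces the table values and the $506,500 total; `category_mismatches()` returns TV1, whose risk value of 45.6 sits in the Normal band although the pair is categorised Critical, which is exactly the kind of inconsistency a reviewer would query before the report goes to management.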
Based on the analysis of the TV pair data and the risk assessment, here are recommendations for management to enhance the organization's security posture:
Priority-Based Mitigation Strategy: Prioritize mitigation efforts based on the criticality of assets and the associated risks. Focus on addressing vulnerabilities and implementing controls for assets with the highest risk values, such as Customer Data (TV2), IT Systems (TV4), and Data Storage Systems (TV5).
Invest in Endpoint Security Solutions: Given the criticality of User Workstations (TV1), which have a high likelihood of cyber incidents and moderate impact, invest in robust endpoint security solutions. This includes deploying advanced anti-malware software, implementing endpoint detection and response (EDR) solutions, and ensuring regular security updates.
Enhance Data Protection Measures: Strengthen security measures to protect sensitive data, such as Customer Data (TV2) and Employee Email Accounts (TV3). Implement encryption protocols, access controls, and data loss prevention (DLP) solutions to prevent unauthorized access and data breaches.
Regular Security Assessments and Updates: Conduct regular security assessments and audits to identify vulnerabilities in IT systems and infrastructure. Implement a proactive patch management process to ensure software and systems are up to date with the latest security patches.
Employee Training and Awareness: Invest in comprehensive cybersecurity training programs to educate employees about common threats like phishing attacks and the importance of following security best practices. Increase awareness of social engineering tactics and encourage reporting of suspicious emails or activities.
Incident Response Preparedness: Develop and regularly update an incident response plan to guide the organization's response to cybersecurity incidents. Define roles and responsibilities, establish communication protocols, and conduct regular tabletop exercises to test the effectiveness of the plan.
Continuous Monitoring and Threat Intelligence: Implement continuous monitoring solutions and leverage threat intelligence to detect and respond to emerging threats in real time. Stay informed about the latest cyber threats and adjust security strategies accordingly.
By implementing these recommendations, the organization can strengthen its security posture, mitigate risks effectively, and ensure resilience against the evolving threat landscape. These actions align with the organization's risk appetite by prioritizing resources and efforts to address the most critical risks while fostering a proactive approach to cybersecurity.
Assignment 2 Part B common mistakes guide
There are some common mistakes that groups can often make when completing Assignment 2: Risk management report (Part B). This guide has been designed to highlight what these mistakes are and why marks may be deducted from your final assignment.
Common mistakes
Each heading covers a section of your report. Read through each carefully.
Introduction
Marks will be deducted if the introduction lacks the general cyberthreat overview or only discusses why cyberthreats are important to your organisation. That is, you must discuss cyberthreats in general, and then narrow it down more specifically to your organisation.
Threats, vulnerabilities and mitigations
Reasons for marks to be deducted in this section:
Not using all 3 threat agent types (human, technological, environmental), and not stating whether intentional or unintentional.
Not specifying a different IT asset for each threat/vulnerability (TV) pair.
Exploit is not relevant to how the threat can exploit the vulnerability.
Specifying more than one risk mitigation per TV pair (only need one per TV pair).
Missing information for any of the other required fields in the table to be completed for this section.
Not linking your threats/vulnerabilities to your organisation (i.e. why are the ones you chose relevant to your organisation).
Roles, responsibilities and justifications (RACI chart)
Reasons for marks to be deducted in this section:
The activities listed in the RACI chart are not the mitigations from the previous section; there should be a 1:1 mapping between the RACI chart and the previous section.
Not having exactly 1 A role for each activity/mitigation; there must be 1 A per row of the chart.
Not having 1 or more R role(s) for each activity/mitigation; there must be at least 1 R per row of the chart.
Not providing justification for the activities and why you assigned the R, A, [C, I if used] roles.
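The three structural rules above (a 1:1 mapping to the section 1 mitigations, exactly one A per row, at least one R per row) can be checked mechanically before a chart is submitted. The Python block below is an added example, not from the report or the unit materials: it encodes the Step 1 chart from this report's RACI section as data and applies those rules; the function names and the corrected sample row are this example's own assumptions.

```python
"""RACI chart checks for the rules in the common mistakes guide.

Added example, not from the report or the unit materials. The rows below are
the Step 1 chart of this report transcribed as data; the corrected sample row
is this example's own assumption.
"""

# Activities listed in the section 1 table (one mitigation per TV pair).
SECTION1_THREATS = [
    "Ransomware Attack", "Insider Data Theft", "Phishing Attacks",
    "Outdated Software", "Inadequate Security Controls", "Lack of Employee Training",
]

ITS, SA, NA, DBA, EA, CO, HR, TC, EU = (
    "IT Security Specialist", "System Administrator", "Network Administrator",
    "Database Administrator", "Email Administrator", "Compliance Officer",
    "HR Manager", "Training Coordinator", "End Users",
)

# Step 1 chart: activity -> letter -> roles holding that letter.
RACI = {
    "Ransomware Attack":            {"R": {ITS, SA, EU},  "A": {ITS, SA}, "C": {ITS, SA}, "I": {EU}},
    "Insider Data Theft":           {"R": {ITS, DBA, SA}, "A": {ITS, CO}, "C": {ITS, CO}, "I": {DBA, SA}},
    "Phishing Attacks":             {"R": {ITS, EA, EU},  "A": {ITS, EA}, "C": {ITS, EA}, "I": {EU}},
    "Outdated Software":            {"R": {ITS, SA, NA},  "A": {ITS, SA}, "C": {ITS, SA}, "I": {NA}},
    "Inadequate Security Controls": {"R": {ITS, SA, NA},  "A": {ITS, CO}, "C": {ITS, CO}, "I": {SA, NA}},
    "Lack of Employee Training":    {"R": {ITS, HR, TC},  "A": {ITS, TC}, "C": {ITS, TC}, "I": {EU}},
}


def check_row(row: dict[str, set[str]]) -> list[str]:
    """Return the rule violations for one chart row (empty list = row passes)."""
    problems = []
    n_a = len(row.get("A", set()))
    if n_a != 1:
        problems.append(f"expected exactly 1 A, found {n_a}")
    if not row.get("R"):
        problems.append("expected at least 1 R, found 0")
    return problems


def violations(chart: dict = RACI) -> dict[str, list[str]]:
    """Map each activity that breaks a rule to its list of violations."""
    return {act: probs for act, row in chart.items() if (probs := check_row(row))}


def mapping_gaps(chart: dict = RACI, threats=SECTION1_THREATS) -> dict[str, list[str]]:
    """Activities present on one side but not the other (the 1:1 mapping rule)."""
    return {
        "missing_from_raci": [t for t in threats if t not in chart],
        "not_in_section1": [a for a in chart if a not in threats],
    }


# Illustrative corrected row (an assumption for this example): a single
# accountable owner, the hands-on roles as R, the rest consulted or informed.
CORRECTED_RANSOMWARE_ROW = {"R": {SA, EU}, "A": {ITS}, "C": {SA}, "I": {EU}}

if __name__ == "__main__":
    for act, probs in violations().items():
        print(f"{act}: {'; '.join(probs)}")
    print("mapping gaps:", mapping_gaps())
    print("corrected row problems:", check_row(CORRECTED_RANSOMWARE_ROW))
```

Run against the chart as written, every one of the six rows is reported with two A roles, while the mapping check passes because the six activities match the six section 1 threats. The corrected sample row passes both rule checks, which is the shape each row needs before the justification in Step 2 is written.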
Analysis and recommendations
Reasons for marks to be deducted in this section:
Not categorising the threats/vulnerabilities from the Threats, vulnerabilities and mitigations section (section 1 above) into critical, normal and minor in a way that aligns with the Impact (organisational risk) specified in section 1; for example, a high impact organisational risk would be categorised as Critical, etc.
The risk priority generated by the threat-likelihood-impact matrix table (using a probability and impact scale) DOES NOT match the category assigned to a TV pair. For example, if you categorised a TV pair as having a critical risk impact on the organisation, then its risk priority value should be in the range 75-100, etc.
The following fields do not match what was specified in the Threats, vulnerabilities and mitigations section (section 1): asset, asset value, exposure factor, annual rate of occurrence, and annualised control cost.
In other words, they should have been copied into the spreadsheet from that earlier section. Other values will be calculated using the given formulas, and you nominate a new ARO post-control implementation.
Marks will also be deducted for not using, or poorly using, an analysis of the data from a), b), and c) to develop recommendations (with justification/s) outlining to management what actions they could/should take and when.
Hint: if appropriate, you could tie your recommendations to your organisation's risk appetite, in addition to your data analysis of parts a), b) and c).
Other things to consider
Remember this is a document to your organisation which could be read by Senior Managers and Board Members, and marks could be deducted for the following reasons:
Not all components of the group reflection addressed.
Referencing incomplete or not present.
Report is not written to a professional standard.