Information Security - IT Assignment

Introduction

This assignment will involve students undertaking research into an information security topic and reporting the outcomes in a briefing paper and annotated bibliography.  Students will also need to provide a brief presentation to the tutorial group on the more interesting aspects of their topic. A range of topics are listed below – you will be randomly allocated to one of the topics.  The focus of the topics for 2020 will be recent security incidents and breaches.

This is an individual assignment, however, students in the same tutorial doing the same topic can combine into groups for the presentations if they wish.

Requirements

The assignment is worth 20% of the marks for Information Security.  The deadline for submissions is Sunday at the end of week 6 (22 March 2020).

A range of information security incidents have recently been reported in the media and links to these reports have been provided for this assignment.  These are listed below. You will be randomly allocated to one of these incident reports based on your student id number. If you make a submission on a different incident to the one allocated, your mark will be reduced by 50%.

You will need to write a briefing paper to a hypothetical manager on the incident to which you have been allocated.  A range of issues that should be addressed in the briefing paper is noted below.

In marking the report, attention will be given to your understanding of information security concepts and how well you have met the requirements detailed in this document.  Style and technique of your writing will also be considered.

Issues to be addressed

You should use the linked article as a starting point for your briefing of managers in a relevant organisation.  You can assume that senior management in your organisation saw the article and wants to know more about the issues raised.  This means that you will need to find other literature dealing with the issues connected with the topic and article. The nature of this literature is described below in the section on the ‘Report’.

The different incidents may have different aspects at play and perhaps not all of the questions raised in this section are relevant to every incident – so use judgement as to what should be reported on given the particular circumstances.  Note that this should not be an excuse for leaving out major elements of your report.

You should assume you are within an organisation where the issues raised by the topic are relevant.

Different organisational circumstances may well have differing realisations of the risks, so where this is relevant, note the assumptions you are making.  For example, security organisations like the Department of Defence versus operational government agencies (ATO, Services Australia etc) versus commercial organisations.  If the choice is not obvious, you should assume you are in a mid-size government agency with minimal levels of highly classified sensitive information.

Report on major issues with the incident and other incidents like this one.  What were the major control weaknesses? Are these common? The extent to which human or technical issues played a role (or both).

What should be done to reduce the risks of such incidents – may need to consider both the likelihood and impact side of things.  Also consider issues around prevention, detection and overall resilience.

Consider the overall cost of the controls.  Are these mitigation measures likely to be cost-effective?  What sort of residual risks would be reasonable to retain given the cost picture?

Report

Managers and executives frequently rely on their support staff to research particular subjects and present concise summaries of the relevant issues in the form of briefing papers.  With this assignment, you should prepare a briefing paper as if you were a middle-level manager in an organisation advising an executive-level manager about the topic of concern. You should do this by providing a good overview of the key issues associated with the topic along with pointers to additional reading that could be helpful if the reader wanted to explore the issues further.  To help the senior manager, this additional reading should be sign-posted with comments on why an article is relevant to some part of the issues covered by the briefing paper, and why this article is a good choice to consider that aspect of the topic.

It is important that you keep your briefing paper concise and to the point as you should assume that your executive manager will not have time to read a lengthy document.  While three pages may be seen as a long document in the business context, the briefing paper produced here can be a little longer than this, but penalties will be imposed on submissions that are too long.  The upper limit, in this case, is 1500 words for the main body of the paper.