Information Technology Individual Assignment Help

Question1.The following scenario relates to Questions 1 (a), (b) and (c) below.

A large organization, similar to the University of Canberra, is in the process of implementing new human resource management (HRM)* system that includes aspects of workflow. An example of the workflow includes facilitating the online submission of leave forms and the subsequent approval (or not) of the leave applications by supervisors. It will also allow staff to have online access to relevant personnel and payroll records where appropriate (for example, checking payslips and leave balances, submitting performance assessment reports, etc.). The system would also facilitate activities normally undertaken by senior managers.

Note: For those unfamiliar with HR/HRM systems, these are the systems that organizations use to manage their staffing. This may include payroll (making sure staff are paid the right amount at the right time); the recording of leave and leave balances (holidays, sick leave, long service leave, etc.); and a repository for performance management data. They are frequently connected with finance systems and sometimes include other details, but the list mentioned here is sufficient for this exercise

Question1 Part (a).As part of the implementation of this system, relevant security policies need to be reviewed, redeveloped, replaced, or modified. Assume that the organization already has a general information security policy in place along with a range of issue-specific security policies, but no current system-specific security policy for an HRM system.

Outline the major issues you would expect to see covered in a system-specific security policy for the HRM system. Discuss this in broad terms, mostly using the headings and brief statements covering the issues that you would expect to find in the system-specific policy (you are not expected to provide the detailed clauses of the policy). Do NOT include things that you would normally find in the general University information security policy or issue specific policies

Question1 Part (b).A system-specific information security policy for the HRM system may include access control lists, or ACLs. This question will require you to create some of the details you might find in the ACLs for the HRM system. For the purposes of this question, the ACLs will be kept relatively simple.

The general classes of users that should be used for this question are:

1. Staff (these are all staff not included in one of the other categories, but staff in the other categories would have this staff level access in addition to that proposed for their specific category);
2. Supervisors;
3. HR department admin staff;
4. IT systems administration staff;
5. Senior management.

The IT data resources should include:

1. Staff personal details (names, address, phone numbers, date of birth, sex, etc.);
2. Payslip records (current and previous payslips);
3. Leave records (including balances and planned leave);
4. Leave applications (yet to be approved);
5. Performance assessments.

Note that the system is likely to use more specific user groups (particularly for admin and IT roles), and it is likely to include other data, but these dimensions have been kept simple for this exercise.

Draw up an access control matrix (in the form of a table) for this situation. The table should have the various classes of users in the rows, and the IT resources of the system in the columns.

The cells within the matrix should note the appropriate level of access for the relevant user to the data resource. The access permissions can include: read; update; delete; or other particular privileges or restrictions.

For the purposes of this exercise you should assume that someone with limited knowledge of HR systems will then implement this system and associated access security using the data provided in your table. As such, avoid omitting data because you think it might seem obvious.

You do not need to provide a rationale for any of the access privileges in your answer to this part – just populate the table in such a way that it describes the relevant privileges.

Question1 Parts (c).In your answer to part (b), you should have described the access privileges for all of the classes of users. Provide a rationale that justifies the level of access that you have given to the following two classes of users of the HRM system:

• IT systems administration staff
• senior management

Question 2.Part (a).One of the challenges with ICT security is selling the notion of investing in ICT security. One approach is to use a traditional return on investment approach with an emphasis on information security issues. This is referred to as a Return on Security Investment (ROSI) and ROSI calculations can be presented to management to justify security investments.

The ROSI elements discussed during the semester included the following formula components: Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annual Loss Expectancy (ALE) which is calculated: ALE = ARO * SLE; Modified Annual Loss Expectancy (MALE) (this is the ALE after the implementation of the proposed security controls). The ROSI takes account of the ALE, the MALE, and the cost of the proposed controls.

Considering the following scenario involving the help desk staff responsible for providing support to the HRM system from question 1:

The help desk staff reset hundreds of passwords annually for various reasons. On average the help desk staff reset 10 passwords annually without properly verifying the staff member's identity correctly and providing access to the wrong person. The damages in reputational and privacy breaches are estimated to cost $10,000 per incident. By implementing a verification software package with a license cost of $5,000 per annum, the loss expectancy would be reduced by 75%.

Calculate the ROSI for this scenario.

Given this scenario, discuss the limitations of using a ROSI calculation in this manner. You should provide 5 issues that highlight limitations with the application of a ROSI used as a primary means to justify this control.

Question 2. Part (b).Your information security section within the university (as per Q1) conducts a series of rolling security evaluations of its general IT environment and specific core application systems. You have been allocated the task of conducting the evaluation of the baseline controls in the general IT environment. An activity early in this process is the construction of a suitable normative model for the evaluation.

Using the ISO 27002 information security framework discussed during the semester, identify 5 controls that would be important elements of the normative model. It is quite likely that there will be many more than 5 controls relevant to this baseline security situation, but you should try to select 5 of the more important controls.

You should provide a brief rationale for the selection of the controls for the normative model.

Question 3. Part (a).Information security should be balanced against the business goals of the organization. What symptoms might be exhibited by an organization in which information security considerations have been overdone

Question 3. Part (b).What role should the top-level management of an organization (usually the CEO and associated executive level management committee) play in relation to the security of the organization's information assets?

Question 3. Part (c).During the semester, we discussed the concept of the normalization of information security.Provide two examples to illustrate how this could work in the context of the scenario in Q1.

Question 4.Insider threats describe security threats to an organization coming from people working inside the organization. As the CISO (Chief Information Security Officer) of an organization, you are aware that insider threats are an increasing exposure for all organizations.

For each of these insider threats listed below:

1. identify controls that could reduce the risk the threat occurring (prevention);
2. identify controls that would assist with the detection of these threats, should they occur.

The solutions can use some technology, but the human factor is also important in addressing these issues. The solutions shouldn't prevent the normal work of the organization from occurring.

Answer by listing the number of the threat and associated control type (1a,1b, 2a, 2b) and your answer. You should briefly describe two controls for each of the parts (hence, 8 controls in total).