Project assessment: Contribute toworkplacesecurity inavirtual environment

Project assessment: Contribute toworkplacesecurity inavirtual environment

Criteria

Unit code, name and release number

BSBXCS404 - Contribute to cyber security risk management (1)

ICTICT443 - Work collaboratively in the ICT industry (1)

ICTICT451 - Comply with IP, ethics and privacy policies in ICT environments (1)Qualification/Course code, name and release number

ICT40120 - Certificate IV in Information Technology (3)Student details

Student number

Student name

Assessment declaration

Note: If you are an online student, you will be required to complete this declaration on the TAFE NSW online learning platform when you upload your assessment.

This assessment is my original work and has not been:

plagiarised or copied from any source without providing due acknowledgement.

written for me by any other person except where such collaboration has been authorised by the Teacher/Assessor concerned.

Student signature and Date

Version:20211028

Date created:1 June 2021

Date modified:28 October 2021

For queries, please contact:

Contact Details: Technology and Business Services SkillsPoint

Location: Parramatta

2021 TAFE NSW, SydneyRTO Provider Number 90003 | CRICOS Provider Code: 00591E

This assessment can be found in the: Learning BankThe contents in this document is copyright TAFE NSW 2021 and should not be reproduced without the permission of TAFE NSW. Information contained in this document is correct at the time of printing: DATE @ "d MMMM yyyy" * MERGEFORMAT 11 November 2021. For current information please refer to our website or your Teacher/Assessor as appropriate.

Assessment instructions

Table SEQ Table * ARABIC 1 Assessment instructions

Assessment details Instructions

Assessment overview The objective of this assessment is to assess your knowledge and performance in contributing to cyber security risk management, working collaboratively in ICT and implementing and complying with IP, ethics and privacy policies and procedures.

Assessment Event number 1 of 2

Instructions for this assessment This is a project-based assessment that assesses your knowledge and performance of the unit.

This assessment is in four parts:

Part 1: Plan strategies and protocols

Part 2: Consult with stakeholders

Part 3: Implement and monitor protocols and strategies

Part 4: Review protocols and strategies

And is supported by:

Assessment Checklist

Assessment feedback

Supporting documents (as listed in the Scenario).

Submission instructions On completion of this assessment, you are required to submit it to your Teacher/Assessor for marking. Where possible, submission and upload of all required assessment files should be via the TAFE NSW online learning platform.

Ensure you have included your name at the bottom of each page of documents you submit.

It is important that you keep a copy of all electronic and hardcopy assessments submitted to TAFE and complete the assessment declaration when submitting the assessment.

What do I need to do to achieve a satisfactory result? To achieve a satisfactory result for this assessment you must answer all the questions correctly.

If a resit is required to achieve a satisfactory result it will be conducted at an agreed time after a suitable revision period.

What do I need to provide? TAFE NSW student account username and password. If you do not know your username and password, contact your campus or service centre on 131601.

Computer or other device with word processing software and internet access

Writing materials, if required.

What the Teacher/Assessor will provide Access to this assessment and learning resources, including the student workbook and any supporting documents or links.

Organisational documentation, policies and procedures

Case studies

Relevant legislation, codes of practice and standards, which can be accessed via the internet

Cyber security information and data.

Due date

Time allowed

Location Indicative time to complete assessment:

In class: One hour

Out of class: Five hours.

Supervision Part of this is an unsupervised, take-home assessment. Your Teacher/Assessor may ask for additional evidence to verify the authenticity of your submission and confirm that the assessment task was completed by you.

You may access your referenced text, learning notes and other resources.

Assessment feedback, review or appeals In accordance with the TAFE NSW policy Manage Assessment Appeals, all students have the right to appeal an assessment decision in relation to how the assessment was conducted and the outcome of the assessment. Appeals must be lodged within 14 working days of the formal notification of the result of the assessment.

If you would like to request a review of your results or if you have any concerns about your results, contact your Teacher/Assessor or Head Teacher. If they are unavailable, contact the Student Administration Officer.

Contact your Head Teacher/Assessor for the assessment appeals procedures at your college/campus.

Specific task instructions

The instructions and the criteria in the tasks and activities will be used by your Teacher/Assessor to determine if you have satisfactorily completed this assessment event. Use these instructions as a guide to ensure you demonstrate the required knowledge and skills.

You may have the option to record your participation and submit as video evidence. If you are submitting video evidence, you must:

provide a video clearly meeting all requirements listed below and in the Observation Checklist

ensure you have access to the equipment and resources required to participate in the demonstration

follow the Video recording instructions (pdf), which includes useful tips, links to resources and a demonstration video.URL: https://share.tafensw.edu.au/share/items/744af7d4-a241-45e2-adb0-0e13f2fe4950/0/?attachment.uuid=01c3c87a-4599-48c2-91f0-68a00b5bbb4c.

Scenario

You are working as an ICT Technician for Gelos Enterprises (Gelos), reporting to the ICT Support Senior Manager, Madison Mathews. Gelos has changed and become a more mobile workforce. Most sales employees are working out of customer premises or in remote locations rather than from the Gelos offices. Businesses in general are embracing the move to enable most employees to work remotely from home for one or more days a week and Gelos would like to be part of this trend.

Gelos management has recognised that, because of this adjustment to remote work options for all employees, they need to update their policies and procedures for offsite working. The updated policies and procedures will ensure that project teams are able to meet the Gelos business objectives of individuals and teams collaborating and engaging across the organisation while maintaining the correct level of ICT security to mitigate any cyber security risks. Gelos also has a business objective to ensure that all intellectual property (IP), ethics and privacy policies are in place and complied with by all employees and teams.

You have been asked to assist in the development and deployment of the protocols, policies and procedures necessary to ensure Gelos has a collaborative workplace, manages cyber security risks and complies with all relevant IP, ethics and privacy policies.

You have been supplied with the following documentation to assist you with this project:

Communication Procedure (GE_Communication_procedure.pdf)

Data Backup Policy (GE_Data-Backup_policy.pdf)

Data Protection Policy (GE_Data-Protection_policy.pdf)

ICT Governance Policy (GE_ICT-Governance_policy.pdf)

Intellectual Property Policy (GE_Intellectual-Property_policy.pdf)

New staff IT induction kit (GE_New-Staff-ICT-Induction-Kit_policy.pdf)

Privacy Policy (GE_Privacy_policy.pdf)

Standard Operating Environment (GE_SOE.pdf).

Gelos requires its management and employees to abide by the ITPA (Information Technology Professional Association) code of ethics policy.

Relevant legislation, regulations and codes of practice/industry standards can be accessed from:

Federal Register of LegislationNSW legislationAustralian Government Australian Signals Directorate

Part 1: Plan strategies and protocols

Madison has asked for your assistance in evaluating risks and identifying any organisational protocols that apply to staff who are working in a remote environment. These will also assist with maintaining the organisation's IP, ethics and privacy policy and procedures.

Task 1

Madison has identified four cyber security areas of risk that need to be reviewed and assessed with the increase of staff moving to remote working.

The identified cyber risks are as follows:

A breach of security and/or protocol compliance while working in a home office.

A breach of security and/or protocol compliance while working in a caf.

A breach of cyber security guidelines when working on emails.

A breach of security and/or protocol compliance by a contractor.

To successfully evaluate these identified risks, you will need to access, analyse and filter the risk assessment data, and integrate and organise your findings in the Risk Register. You will include the Risk Register in a report, which will be shared with relevant stakeholders for approval.

Make sure that you use clear and specific cyber security-related terminology, where appropriate.

You need to review these cyber security risks and capture them in the Gelos Risk Register template (GE_Risk-Register_template.dotx).

Assess each risk as follows:

Describe the risk.

Describe the potential vulnerabilities of assets that could be affected by this risk, including those that relate to IP, ethics and privacy.

Analyse the likelihood of the risk occurring (E = Rare to A = Almost certain).

Analyse the impact on the business if the risk does occur (1 = Insignificant to 5 = Catastrophic).

Calculate the severity (= Likelihood meets Impact in matrix).

Select an appropriate control option/risk strategy for the risk level.

Review relevant cyber risk mitigation strategies to determine appropriate mitigation strategies/action plans to recommend for the two highest severity risks.

To support your recommendations and assist with updating the Gelos Incident Response Plan, you will also need to include the following:

Identify the key benchmarks/indicators that the organisation could use to track the effectiveness of the risk management strategies. Make sure you have at least key one benchmark/indicator for each risk strategy recommended in the risk register.

What feedback processes would you recommend for providing warning of new risks?

Task 2

To assist staff members, develop a Standard Operating Procedure (SOP) to define and improve the way Gelos teams work in a virtual environment. These will also help support the maintenance and development of Gelos' IP, ethics, privacy policy and procedures.

Use the Gelos SOP (Standard Operating Procedure) template (GE_SOP-template.dotx) to develop the SOP. Make sure that you use appropriate language for the staff members.

Your SOP must include the following:

Develop at least two protocols to help the team to complete work tasks and meet team objectives. They must include the following:

Discuss how the team should share information when collaborating in a virtual environment.

Discuss how the team will follow organisational cyber security procedures when collaborating; include the two recommended risk management strategies (the risk strategy and action plan) (from Task 1)

Discuss how the IP, ethics and privacy policy and procedures are to be used to avoid infringing IP and privacy when working in a remote environment (determine the organisational and legal requirements to be complied with by all employees (including you), as outlined in the organisations IP, ethics and privacy policy and procedures).

Review and identify at least two tools and technologies that will aid the team in working collaboratively in a virtual environment.

Outline the roles and responsibilities for the team (including you) for communicating collaboratively in a virtual environment.

Outline how the following will be monitored:

Cyber security risk, according to the two recommended risk management strategies.

Whether personnel are adhering to the organisational IP, ethics and privacy policy and procedures.

Submit the following for Part 1:

Risk Register

Standard Operating Procedure

Part 2: Consult with stakeholders

Task 1

For in-class students: You will participate in a role play, whichwill be observed by yourTeacher/Assessor.

Your demonstration will be used as part of the overall evidence requirements of the unit.

You should refer to the list of criteria provided in the Observation Checklist 1 to understand what skills you need to demonstrate in this section of the assessment. This Checklist outlines the Performance Criteria, Performance Evidence and Assessment Conditions yourTeacher/Assessorwill be marking you on.

For online students: You will participate in a role play, whichwill be digitally recorded and submitted as evidence.

Your demonstration will be used as part of the overall evidence requirements of the unit.

You should refer to the list of criteria provided in the Observation Checklist 1 to understand what skills you need to demonstrate in this section of the assessment. This Checklist outlines the Performance Criteria, Performance Evidence and Assessment Conditions yourTeacher/Assessorwill be marking you on.

The scenario

As the ICT Technician, you need to meet with the ICT Support Senior Manager and a Gelos business stakeholder todiscuss your risk strategy recommendations and obtain approval for implementation. You will bring to this meeting three copies of the Risk Register and SOP you prepared in Part 1. Hand a copy to your manager and the business stakeholder at the beginning of the meeting.

Before participating in this role play, make sure that you have read the requirements in the scenario and are preparedwith questions to askyour manager.

Role of the student being assessed

During the role play you must ask open and closed questions, use active listening and use language and terminology to suit your audience.

Complete the following activities in your role play:

Discuss the requirements (outlined in the Scenario) with your manager and the business stakeholder so that you can clarify the scope of the risk management tasks. This includes identifying the approach you used to assess the risks and how you prioritised the top two risks.

Discuss the risks you have assessed and the opportunities for improvement to the IP, ethics and privacy policy and procedures.

Present the options you have developed for the risk management strategies to obtain approval.

Role of the people in the supporting roles

For in-class students: Ask a colleague or another student to act in the supporting roles. Make sure each person hasthe scenario instructions to work from.Ensure there isenoughinformation so that they can effectively contribute to the demonstration.

These people will act as the Gelos ICT Support Senior Manager and the Gelos business stakeholder.

If your teacher or assessor is available to perform the role of the Gelos ICT Support Senior Manager, then that should be your first choice.

For online students: Ask a colleague or another student to act in the supporting roles. You will also need to organise a suitable time for this role play to take place over a MS Teams call, with your Assessor. Make sure each person hasthe scenario instructions to work from.Ensure there isenoughinformation so that they can effectively contribute to the demonstration.

These people will act as the Gelos ICT Support Senior Manager and the Gelos business stakeholder.

If your teacher or assessor is available to perform the role of the Gelos ICT Support Senior Manager, then that should be your first choice.

Time allowed

Therole play should takeapproximately10 15 minutes to complete.

Task 2

Following the feedback discussion with your manager and the Gelos business stakeholder, you need to document the outcomes of the meeting and update the Risk Register based on the feedback you received. Make sure that you write clearly and use specific cyber security-related terminology where required.

Record the minutes of the meetings using the Gelos minutes template (GE_Meeting-Minutes-template.dotx), covering key discussion points, approvedstrategiesand any action items.

Update the Risk Registeryoupresented at the meeting with the approved risk strategies discussed in your role play meeting.

Submit the following for Part 2:

Minutes of the meeting

Updated risk register

Part 3: Implement and monitor protocols and strategies

It is now time to implement the strategies and protocols that you have assisted your manager with developing. Your manager, Madison, has asked that you complete the following activities.

Task 1

To assist with the implementation of the strategies and protocols, Madison has asked you to send a copy of the risk strategies and SOPs you have helped develop to all Gelos employees.

Write an email to the employees using the Gelos email template (GE_Email-template.docx) referring to the risk register and SOP. Your email should include details of the specific purpose of the email and any actions that the recipients need to take. This may include reading the documents you have attached to ensure they understand and can comply with the requirements and guidelines.

Task 2

You have been advised that there have been two incidents that have breached cyber security guidelines and the SOP for IP, Privacy and Ethics.

The first incident involved an employee working at a client site opening an attachment to a spam email, which had the potential to infect the Gelos client database.

The second incident involved an employee unknowingly disclosing personal client information in an email sent to an external party.

Madison has asked you to assist in determining whether staff members are complying with the approved cyber security risk strategies. Review the two incidents (outlined above) and complete the following:

Referring to your approved cyber security risk management strategies and SOPs, analyse whether the employees complied with the strategies and where any non-compliance occurred.

Update the risk register with these incidents, completing a risk assessment for each.

Submit the following for Part 3:

Email to employees

Updated risk register

Part 4: Review protocols and strategies

Task 1

You will participate in a role play, whichwill be observed by yourTeacher/Assessoror can be digitally recorded and submitted as evidence. This role play is a group activity where your fellow students or colleagues will play the other members of the team. Each team member will be expected to participate and collaborate in the meeting.

The team review meeting will need a minimum of three team members, including yourself. This meeting can occur at a time defined by your teacher or recorded and submitted as evidence.

Your demonstration will be used as part of the overall evidence requirements of the unit.

You should refer to the list of criteria provided in Observation Checklist 2 to understand what skills you need to demonstrate in this section of the assessment. This Checklist outlines the Performance Criteria, Performance Evidence and Assessment Conditions your Teacher/Assessor will be marking you on.

The scenario

The Gelos risk strategies and protocols for working in a remote environment that you worked on with your manager have been developed and implemented. You need to review and report on the effectiveness of the strategies and implementation.

You will need to attend a risk review meeting with your manager, one of your team members and a team member from another department in the organisation, who have also been using the protocols.

You need to evaluate the effectiveness of the implemented risk management strategies against the benchmarks agreed to in Part 2, in particular, the strategies relating to the incidents mentioned in Part 3.

As an outcome of this meeting, your manager will make recommendations to update the risk management plan and the working remotely protocols that you will need to incorporate in the Risk Register and the SOP.

The agenda for the Team Review meeting should be as follows:

Introduction of the items to be covered

Discussion of the incident at the client site

Exploration of the potential root cause of the incidents including discussion of the benchmark that was in place for this type of risk

Recommendation and agreement for the amended risk strategy and working remotely protocols that will mitigate this risk occurring in future.

Role of the student being assessed

During the role play you must ask open and closed questions, use active listening and use language and terminology to suit your audience. You must facilitate the group interaction, leading and directing when required.

Complete the following activities in your role play:

Review the implemented protocols on working collaboratively in a virtual environment.

Obtain feedback from the team on the communication practices implemented in the protocols, responding as appropriate.

Review the incidents and collaborate with your team members to:

evaluate the effectiveness of the risk mitigation strategies using the benchmarks that you identified in Part 1

evaluate whether the implemented IP, ethics and privacy policies and procedures help prevent infringement and ensure compliance.

develop recommendations to improve compliance.

Escalate any non-compliance to your Manager, where required.

Collaborate with others to achieve a joint outcome

At the end of the roleplay, make sure you clarify any amendments that are required prior to you commencing the Part 4 Task 2 activities and tasks.

Role of the people in supporting roles

You will need to organise the following roles:

At least two other people as your team members.

One of the people will act as the ICT Support Senior Manager.

The participants in the meeting should be other students enrolled in this unit with you or colleagues. You will need to provide them with sufficient information to participate in the session.

Time allowed

Therole play should takeapproximately20 - 30 minutes to complete with other team members to review the breach, understand the cause and recommend new strategies and protocols to address.

Task 2

Following the risk evaluation meeting with your manager and the team, you need to update the risk strategies/ incident response plan in the Risk Register based on the feedback you received and make any changes to the SOP that cover remote working.

Record the key discussion points from the meeting and the actions your manager has requested that you undertake as part of the meeting feedback, using the Gelos minutes template (GE_Meeting-Minutes-template.dotx). This should be documented in the form of simple meeting minutes using the template provided.

Update the Risk Register from Part 3 with the amended risk strategies discussed in your meeting.

Submit the following for Part 4:

Minutes of meeting

Updated risk register

Observation Checklist 1

The Observation Checklist will be used by your Teacher/Assessor to mark your performance in Part 2 of this assessment. Use this Checklist to understand what skills you need to demonstrate in Part 2. The Checklist lists the assessment criteria used to determine whether you have successfully completed this assessment event. All the criteria must be met. Your demonstration will be used as part of the overall evidence requirements of the unit. The Teacher/Assessor may ask questions while the demonstration is taking place or if appropriate directly after the task/activity has been completed.

Table SEQ Table * ARABIC 2 Observation Checklist 1

Task # Task/Activity Performed S U/S Assessor Comments(Describe the students ability in demonstrating the required skills and knowledge)

1 Asks open and closed questions and actively listens to clarify the scope of risk management

Date of Observation:

Assessors are to record their observations in enough detail to demonstrate their judgement of the students performance against the criteria required.

Q1 Enter Question to Support Observation.Comments/responses

Q2 Enter Question to Support Observation.Comments/responses

2 Discusses risks and opportunities for improvement to the IP, ethics and privacy policy and procedures using appropriate language and terminology

3 Presents options for risk management strategies for approval using project-specific terminology

Observation Checklist 2

The Observation Checklist will be used by your Teacher/Assessor to mark your performance in Part 4 of this assessment. Use this Checklist to understand what skills you need to demonstrate in Part 4. The Checklist lists the assessment criteria used to determine whether you have successfully completed this assessment event. All the criteria must be met. Your demonstration will be used as part of the overall evidence requirements of the unit. The Teacher/Assessor may ask questions while the demonstration is taking place or if appropriate directly after the task/activity has been completed.

Table SEQ Table * ARABIC 2 Observation Checklist 2

Task # Task/Activity Performed S U/S Assessor Comments(Describe the students ability in demonstrating the required skills and knowledge)

1 Used appropriate language and terminology to review the implemented protocols

Date of Observation:

Assessors are to record their observations in enough detail to demonstrate their judgement of the students performance against the criteria required.

Q1 Enter Question to Support Observation.Comments/responses

Q2 Enter Question to Support Observation.Comments/responses

2 Used listening and questioning techniques to obtain and respond to feedback on communication practices according to required protocols

3 Reviewed the non-compliance incident 4 Worked collaboratively with team members, facilitating and assisting the group interaction, to:

evaluate the effectiveness of the risk mitigation strategies

evaluate whether the IP, ethics and privacy policies and procedures help prevent infringement and ensure compliance

discuss recommendations to improve compliance.

5 Escalates non-compliance as required and according to organisational requirements

Assessment Feedback

NOTE: This section must have the Teacher/Assessor and student signature to complete the feedback. If you are submitting through the TAFE NSW online learning platform, your Teacher/Assessor will give you feedback via the platform.

Assessment outcome

Satisfactory

Unsatisfactory

Assessor feedback

Has the Assessment Declaration for this assessment event been signed and dated by the student?

Are you assured that the evidence presented for assessment is the students own work?

Was reasonable adjustment in place for this assessment event?

If yes, ensure it is detailed on the assessment document.

Comments:

Assessor name, signature and date:

Student acknowledgement of assessment outcome

Would you like to make any comments about this assessment?

Student name, signature and date