Title: ISMS Programme Report
Individual Report
Weighting: 100
Magnitude: 4000
Format: Word
Turnitin submission (Originality Checking): Yes
Mode of feedback: Feedback rubric
In-module retrieval available: Yes
Module Learning Outcomes
Apply appropriate secure methodologies and principles to manage several aspects of information security.
Plan, implement and operate standards-based information security management systems.
Demonstrate the ability to work as part of a team in a variety of roles in performing information security tasks to a professional level.
Critically review current technologies and methods for achieving information security.
Refer to the case study in this document. You have been tasked by Julie Gardham to create an ISMS to prevent current or future breaches in the case study. The report must include the sub-tasks below.
Sub-task 1: Information Security Governance (Total weight: 20%)
Create a mind map to represent the obligations of the ISMS for the case study, for example:
Why have an ISMS?
Who is it for?
Who will benefit?
How will it help?
What could it help protect against?
Create a scope for the ISMS for the case study. Which aspects would you focus on, keeping costings and manageability in mind? What is the boundary of the scope: for example, process(es), department(s) or the whole company? As per Clause 5.2 of ISO 27001, one of the mandatory documents is an information security policy. Create a one- or two-page information security policy for the case study that
sets out the management direction for information security,
is in line with the security objectives of the case study, and
meets the business, contractual, legal or regulatory requirements.
Propose an Information Security Team organisation chart for the case study. Map the team members to the existing organisational chart and state what their information security roles and responsibilities would be.

Sub-task 3: Information Security Risk Management (Total weight: 40%)
Risk assessment is very important to build an effective ISMS.
Provide the benefits of performing risk management for the case study and the shortcomings of not conducting a risk assessment. Provide the internal and external factors that contribute towards the risk to the organization in the case study. Does each factor affect the whole company, the stakeholders, or both? Identify different incidents from the case study and cite them where necessary. What about legal requirements: what if they are not considered?
In a tabular format, provide a list of four existing risk management frameworks/standards with a brief description, their phases, the industries they are relevant to, and their pros and cons. Using these frameworks/standards, create a tailored risk management approach, present it as a flowchart and map the relevant frameworks/standards to each phase. Then provide a critical analysis of each phase; phases could include, but are not limited to, Identification, Analysis and Treatment.
Risk identification should start with asset management. Considering sub-task 1 (Security Governance), create a tailored asset management approach and present it pictorially. For each stage, map the relevant Annex. Stages could include, but are not limited to, Categorization, Classification, Valuation and Prioritization.
As part of conducting the analysis within a process, you will have to consider a particular approach such as Qualitative, Quantitative or Mixed. Explain the approach you have used and why the other approaches did not fit your process for the case study.
A full asset register must be produced, ideally in a spreadsheet. Ensure that you include all the aspects in the register, such as asset information, category, classification, criticality and so on. The register should be in line with the analysis provided above and must reflect the case study.
A full risk register must be produced, ideally in a spreadsheet. Ensure that you include all the aspects in the register, such as Identification, Analysis and Treatment. Do not forget to include Cost Benefit Analysis, Residual Risk and so on. The register should be in line with the tailored risk management approach provided for this section and must reflect the case study.

Sub-task 4: Information Security Incident Management (Total weight: 30%)
An incident handling process is applied to complex computer incident scenarios and complex security incidents. Demonstrate your skills by applying all the steps of an incident handling process.
Provide the benefits of performing security incident management for the case study and the shortcomings of not conducting incident assessment.
In a tabular format, provide a list of four existing security incident management frameworks/standards with a brief description, their phases, the industries they are relevant to, and their pros and cons. Using these frameworks/standards, create a tailored incident management approach, present it in a flowchart and map the relevant frameworks/standards to each phase. Map the relevant inputs, process and outputs for each phase.

Sub-task 5: Formatting, Referencing and Continual Evaluation (Total weight: 10%)
The assessment must be uploaded to the official submission point and the Turnitin point only, in Word format (.docx). The font must be Calibri (Body), size 11, with single line spacing. The document must be named StudentID_StudentName_ISM_2022 (with StudentID replaced by your student ID and StudentName replaced by your first name).
The referencing/bibliography must be in line with SHU guidance, and the work submitted must be your own and not plagiarised. The Turnitin score must be within the acceptable range.
Proof-read your work to check your spelling and grammar.
Keep to the word count.
Note: Turnitin is used only for the checking of assessments for the originality of text. If you are uploading final assessments to Turnitin, please be aware that this is not your formal submission for marking. Assessments must be submitted to the official submission point on Blackboard as specified in the assessment submission instructions. If you are in any doubt, please contact your Module Leader or College Student Support Advisers.
CASE STUDY
Shameless Insurance LTD
The section below contains the Case Study information for a fictitious organization called Shameless Insurance LTD.
Please keep in mind that the contents presented in this Case Study include mistakes only for training and assessment reasons. These contents should not be used as a guide to create information security management system documents.
Case Study Table of Contents:
1. Background
2. Organisational Chart
3. Network Architecture
4. Recent Incident (Sep 2022 to Sep 2023)
Background
You are an information security consultant employed by InfoSec Limited, an information security, risk mitigation and management organisation. You will be working on behalf of one of your largest clients, Shameless Insurance Ltd. Julie, who has already made some positive changes in the organization, has enlisted you to create the ISMS.
Shameless Insurance is a multinational insurance company with 300 employees spread over 3 sites: Sheffield (UK), New Delhi (India) and Kansas City (USA). Initially starting with mobile device and house contents insurance, they have recently started to sell cyber security insurance.
At the head office, the operations help desk and communications staff work on a 24-hour shift pattern. The two satellite offices operate on a standard 9-5 shift pattern.
Financials as of last year:
Revenue - 50 million
Operating income - 20 million
Net income - 15 million
Expected budget for ISMS Project - 300,000
Mission Statement:
Every day, we work to uphold our values, seek out and value diversity, listen, teach, and learn, offer solutions, create a good vibe, and support our local community.
Vision:
We aim to be the insurance company of preference, committed to educating, serving, and protecting people and businesses by providing the finest insurance plans at the greatest price.
Values:
Respect - We give our clients and one another respect, humility, and kindness.
Integrity - We conduct ourselves responsibly and transparently in everything we do.
Teamwork - Together, we achieve outcomes that go beyond the aggregate of our individual efforts.
Professionalism - We endeavour to be polite, fair, and responsible in our interactions with clients and other businesses.
Commitment - We pay close attention to each customer, anticipating their needs and being upfront and honest about all information, terms, and conditions.
Organisational Chart
Some important roles:
Name | Designation | Background
James Mackenzie | CEO | Secondary School. Business inherited from family. Profit oriented, hasty decisions, abrasive and narrow minded.
Julie Gardham | Head of IT | MSc Business Management; PMP, ITIL and CRISC. Amenable & assertive.
Steve Drake | Network manager | BSc Information Technology Infrastructure; ITIL & MCSA.
Alice Rose | Help desk Operations operative | BSc (Hons) IT Management. Brings ideas, information, and suggestions.
Michael Clover | Security personnel | Secondary School. Bored of the job.
Network Architecture
The diagrams below show the network architecture provided by Shameless Insurance LTD; however, their network manager has not updated them for a couple of years, so some components are missing. As a consultant, it is your responsibility to complete the network diagram by collecting the information from various sources.
Network Architecture (Only Head Office)
Network Architecture (Branch Office New Delhi, India)
Network Architecture (Branch Office Kansas, USA)
Network Components
Solution | Component (Version) | Location
Computers | HP Pavilion Desktop TP01-2012a (Windows 10, Microsoft Office, Google Drive, Standalone McAfee) | All offices
Laptops | Vizio CT14-A2 (Windows 10, Microsoft Office, Google Drive, Standalone McAfee, Marketing Software); Western Digital My Passport 2TB; Logitech HD Pro Webcam C920 | All offices
Windows Active Directory | Dell PowerEdge T620 (Windows Server 2012 R2, Active Directory server 2012) | Head Office
LDAP Active Directory | Dell PowerEdge T620 (Linux AD) | All offices
MySQL DB | Dell (Windows Server 2012 R2, MySQL 5.6, McAfee (Standalone)) | All offices
Printers | HP Business InkJet 2250; Epson WorkForce WP-4540 | All offices
Switches (Access, Distribution and Core) | Cisco | All offices
Router + Firewall | Cisco (IPSEC VPN) | All offices
Backups | Seagate Momentus XT Hybrid | All offices
Wireless | Linksys WUMC710 Media Connector; Asus RT-N66U | All offices
Security Cameras | D-Link DCS-5222L | Head Office
Recent Incident (Sep 2022 to Sep 2023)
Date | Incident
10 Sep 2022 | A new worm spreads through portable media and can replicate itself to open Windows shares. It installs a DDoS agent on the target. The worm was widespread on the computers and laptops before it was noticed by the NCA. The Agency asked for an investigation to be conducted in the organization into cyber threats originating from the organization, and for the issue to be fixed.
30 Sep 2022 | The company was the target of a malware attack, most probably caused by a phishing email sent to the CEO. It went undetected until Julie Gardham used the CEO's laptop to make some changes to the financial files.
23 Nov 2022 | A friend of the CEO, Stare Jamali (penetration tester), tries out her new denial-of-service skills on the company firewall. In this attempt the firewall becomes unavailable, and all internet services fail for 2 days. When Stare informs the CEO, he laughs at his friend and blames the network engineer for it. The CEO therefore deducts a percentage of the network engineer's salary.
14 Dec 2022 | The same friend of the CEO, Stare Jamali (penetration tester), comes to the Head Office and waits for the CEO to arrive. In the meantime, she decides to have a peek at the Exchange server. She connects her laptop to the network and runs the OWASP Zed Attack Proxy (ZAP) tool to see what weaknesses are on the Exchange server. The server goes down and the server engineer is blamed for it by the CEO. This time, the CEO deducts a percentage of the server engineer's salary.
17 Feb 2023 | One of the clients (another friend of the CEO) found some of the company's client details on Pastebin. He emailed the details to the CEO and asked him if this was a cybercrime. The CEO, being the CEO, said that it was done for business purposes. The friend, being unaware of cybersecurity, left it there. Two weeks later, when the CEO came across Julie, he informed her about this casually. Julie found out that the customer information had been leaked, but no further action was taken.
7 Mar 2023 | During an update activity, the database crashed. A restore was attempted from the latest backup tape, but it failed. With luck, the backup was restored from the tape five backups earlier. Tapes are always kept in the CEO's office, and everyone has access to his office. Julie and Steve know the CEO's username and password, and have a replica of his ID card.
26 April 2023 | An unknown person leaves the finance office, runs down a floor and exits the building. The administrator sees this unknown person leaving the finance office, and the security guard sees the same person running out of the exit. The finance officer had left his computer unlocked; when he returns from the bathroom, he realizes that various confidential documents are open on the screen. The finance officer, administrator and security guard have a quick discussion about this incident just outside the office during working hours, but decide not to report it, being frightened of a salary cut.