Information Security and Management Strategy -8018
Assignment – 1
You are expected to submit professionally presented word-processed assessment documents. This includes:
- A title page showing: ID number/s, name/s, lecturers’ name/s, and assessment title.
- Correct spelling and appropriate use of grammar.
- Pages numbered including a contents page.
- Questions correctly labelled and numbered with clear and consistent headings
- Line spacing no less than 1.5 and no greater than double.
- A complete reference list should be included at the back of the assessment using Harvard AGPS style of referencing with in-text citation.
|Learning Objectives||:||Applicable course objective:||Question No.#||Wtg. %||Marks|
|LO-1: Identify and solve complex organisational problems creatively and practically through planning for security to increase the effectiveness of management processes through the development, implementation and evaluation of a security policy and programs.||Q2 & Q5||10%||40|
|LO-4: Demonstrate an understanding of the impact of interpersonal communication on specific management processes and outcomes using relevant theories and concepts by understanding the relationships between security and personnel, between security and law, between security and ethics.||Q1||8.75%||35|
|LO-5: Communicate professionally and effectively in written communication to various audiences to achieve targeted outcomes demonstrating and collating concepts of information security.||Q1, Q3 & Q5||6.25%||25|
|Word Limit||:||3000 words (+/- 10%)|
|Plagiarism||:||Maximum 20% similarity|
|Assessment||Marks||Weighting||Issue Date||Due Date|
Submission Guidelines on UPortal:
Attach the Microsoft Word files (using any version from Word 2010 to current) using the naming convention below, to your online assignment submission link on the course dashboard before or on the day the assignment is due.
[Student First Name] _ [student id] _ [course code] _ Asg1.docx
- If any other format is used and assignment files cannot be opened by the marker, the late assignment submission penalty may apply until a replacement is received.
- Upon submission you are required to verify that this is the correct file. Please check before submitting. If an incorrect version is submitted, late assignment submission penalties will apply.
- Computer problems must be reported immediately to your lecturer and the late assignment submission penalty may apply.
This written assignment is to be electronically submitted through the UPortal system. Hardcopy or email submission will NOT be accepted. Length: The total word limit for the assignment is 3000 words.
Over the years, there have been several cases of cyber-attacks and data breaches in the New Zealand business domain. On Jan 18th, 2019, TVNZ reported that about nine New Zealand companies had been compromised in a huge online data breach. When such a data breach occurs, the overall impact on the affected businesses and their customers is usually damaging. Several organizations have fallen victim to data breaches due to the lack of investment in their information security. According to a survey by Spark Lab, almost 70 per cent of New Zealand Small and Medium Enterprises (SMEs) are unprepared for cyber-attacks and have no crisis management plan for cyber-attacks, and 40 per cent have no virus protection installed on their company computers and devices. Also, recent reports have shown some specific industries such as health, entertainment and hospitality to be main targets of data hacks and breaches.
For instance, consider the case of Sermelles Limited, one of the leading health insurance providers in NZ with more than 3000 employees and 80 branches across NZ and net income of NZ$150 million in 2015. In January 2017, Sermelles Limited experienced an enormous data breach with more than 470,000 records being stolen by cyber-hackers.
Security experts placed the beginning of the attack somewhere in November 2016.
In November 2016, some employees of Sermelles Limited received emails that looked like internal emails, prompting them to click on a link to back up their emails. Employees failed to report this immediately. In addition, some employees noticed suspicious data queries being made. In December 2016, Sermelles Limited’s clients received suspicious emails and phone calls from Sermelles Limited regarding updating/confirming some of their personal information. Sermelles Limited’s systems were impacted and investigators confirmed unauthorised data queries to Sermelles Limited’s network server.
Investigators reported that cyber-attackers executed a sophisticated attack and successfully stole client details including full name, birth date, addresses (email and physical), insurance IDs, employment information, some details of credit/debit cards, income data and medical IDs.
Sources: The Breach of Anthem Health – The Largest Healthcare Breach in History; Adapted from INFOSEC Institute
Conduct a research survey and write a report capturing the following aspects of information security management in New Zealand:
- Analyse possible causes and effects of data breach in New Zealand. Support your analysis with either real data or quality
- Identify key security issues, threats and vulnerabilities peculiar to New Zealand cases. You can either base your discussion on the above cases or use another New-Zealand based data breach case that meets the task requirements. You need to specify resources (human and IT) associated with these issues in your chosen case.
- Suggest possible security solutions for the identified issues in your chosen scenario in 1.2. Clearly discuss how your suggested solutions will benefit NZ business environment.
- Critically analyze the Sermelles Limited case discussed in the above scenario. Develop a comprehensive security policy that could have averted the events described in the scenario if properly implemented.
Visit the SANS Information Security Policy Templates page: https://www.sans.org/security-resources/policies/. Download an appropriate template for developing the policy. Modify the template to meet the requirements of the case study organisation. In the policy, include a reference to the template you have used and state any assumptions you have made.
nd two technical controls that can be used to support the information security policy and processes. Describe how these controls would be implemented. (10
- (i) Clearly describe the coverage, scope, generality of your policy. (4 marks)
- Compliance: How would your policy be enforced, and monitored? (3 marks)
- Evaluation metrics: Describe two metrics, one for measuring the effectiveness of the policy and the other to measure its efficiency. (3 marks)
- Read the supplementary article A1 attached to the appendix of this assignment. Consider the security-related behaviour described in Section 4 and presented in Table 2 of the article. Describe how you have been able to reflect situations relating to all aspects of “security behaviour” outlined in the table in your policy. Does your policy cover situations relating to all aspects of “security behaviour” outlined in the table? If yes, how and where? If otherwise, why? (10
TASK 3: Report Writing and Presentation 30 Marks LO-5
- Write a research report and analyse the scenario to meet the following requirements:
- Title (you are required to decide your paper’s title related to the scenario concept)
- Your name and student number
- Abstract (e.g., 100 words)
- Introduction (e.g., 300 words)
- Literature Review (e.g., 800 words)
- Review of the literature about topics such as information security, information security issue, information security policies, information security awareness, etc.
- Identify and interpret the security issues/threats/vulnerabilities of the given scenario. (e.g., 500 words)
- Suggest possible security solutions for the identified issues of the given scenario. (e.g., 400 words).
- Information Security Policy Development. Should include, among others, the following:
- Describe all the components of your policy
- How it works.
- The support required to make this policy effective.
- Technical control that might be used in implementing the policy
- Recommend related policies to overcome the identified issues of the given scenario. (e.g., 200 words)
- Using Microsoft PowerPoint, develop a professional presentation to present your policy. Provide basic details of the policy you use with your submission. Maximum number of PowerPoint slides is 15.
Report presentation and structure = (15 marks)
PowerPoint presentation = (10 marks)
Referencing = (5
— End of Assignment 1 —
Article A1: Security-related behaviour in using information systems in the workplace: A review and synthesis - https://www.sciencedirect.com/science/article/pii/S0167404812001666