CIS 2103 – Principles of Information Assurance, Security & Privacy

  1. Scenario

 

Part 1: Risk Control and Cost Benefit Analysis (CLO2):

You are the new information security consultancy for the XYZ Group, a medium-sized software development company. Before hiring you, the company was plagued by the security incidents listed below. Management has asked you to help assess the risk and conduct a cost/benefit analysis of proposed solutions.

 

  • Incident #1: Two years ago, plans for a new product were leaked onto the Internet, and as a result a competitor was able to produce a rival version of the software and get it to market first. XYZ estimates that sales of that software, which were expected to be at $1 million annually, were reduced by 50% due to the information leakage. Next year, the company is planning to introduce a new software product that will be a major upgrade to the previous one. It should regain the company’s market share in that product line. The cost for averting a similar information leak for the new product is not yet known, but training the staff, which would cost about $50,000 per year, is expected to reduce the risk by half.

 

  • Incident #2: This year, the company had a virus attack that took half of their customer support help desk offline for two days. Contracts fulfilled using the system are worth $10,000 every day. A similar virus attack is expected to happen every year. Upgrading the antivirus would cost $20,000 in licensing annually.

 

  • Incident #3: Last year’s wildfire in the surrounding hills closed access to the business for two days. Wildfires happen every year. Additionally, the area is in an earthquake fault zone. An earthquake of sufficient magnitude to severely disrupt operations for several months happens about once every 10 years.

Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • With regards to Incident #1, the information leakage event, would training the staff be a cost-effective measure to mitigate future incidents?
  • With regards to Incident #2, the virus attack, would purchasing the antivirus license be a cost-effective solution?
  • With regards to Incident #3, which scenario (earthquakes or wildfires) should management devote more of its resources towards mitigating? What would be an appropriate risk response?
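As an added illustration, not part of the assignment text, the standard annualized loss expectancy and cost/benefit formulas applied to the figures given for Incidents #1 to #3. Where the scenario leaves a figure open (the yearly rate of a repeat leak, whether the help-desk loss is two full days at $10,000 or half of that, the length of an earthquake closure), the value used is an assumption and is labelled as such in the code.

```python
# Added example, not part of the assignment text: the standard quantitative
# risk formulas applied to the figures given for Incidents #1 to #3.
#   ALE = SLE * ARO
#   CBA = ALE_before - ALE_after - annual cost of the safeguard
# Figures the scenario leaves open are assumptions and are flagged below.
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    sle: float          # single loss expectancy, dollars per occurrence
    aro: float          # annualized rate of occurrence
    residual: float     # fraction of the risk left once the safeguard is in place
    annual_cost: float  # yearly cost of the safeguard, dollars

    def ale_before(self) -> float:
        return self.sle * self.aro

    def ale_after(self) -> float:
        return self.ale_before() * self.residual

    def cba(self) -> float:
        # Positive means the safeguard saves more than it costs.
        return self.ale_before() - self.ale_after() - self.annual_cost


# Incident #1: $1M expected sales cut by 50% = $500,000 lost per year; training
# halves the risk. Assumption: a leak of the new product's plans is treated
# as a yearly event (ARO = 1).
TRAINING = Safeguard("staff training", 500_000, 1.0, 0.5, 50_000)

# Incident #2: two days offline at $10,000 per day, once a year. Only half
# the help desk was down, so both readings of the loss are computed.
# Assumption: the upgraded antivirus removes the virus risk (residual = 0).
AV_FULL_LOSS = Safeguard("antivirus, loss = 2 days x $10k", 20_000, 1.0, 0.0, 20_000)
AV_HALF_LOSS = Safeguard("antivirus, loss = half of that", 10_000, 1.0, 0.0, 20_000)


def expected_downtime_days(days_per_event: float, years_between_events: float) -> float:
    """Incident #3: compare hazards by expected days of closure per year."""
    return days_per_event / years_between_events


# Wildfire: 2 days every year. Earthquake: "several months" once in 10 years;
# 90 days per event is an assumption, not a figure from the scenario.
WILDFIRE_DAYS = expected_downtime_days(2, 1)      # 2.0
EARTHQUAKE_DAYS = expected_downtime_days(90, 10)  # 9.0

if __name__ == "__main__":
    for s in (TRAINING, AV_FULL_LOSS, AV_HALF_LOSS):
        print(f"{s.name}: ALE {s.ale_before():,.0f} -> {s.ale_after():,.0f}, CBA {s.cba():+,.0f}")
    print(f"expected closure: wildfire {WILDFIRE_DAYS} d/yr, earthquake {EARTHQUAKE_DAYS} d/yr")
```

The two readings of Incident #2 show why the analysis must state which loss figure it uses: the sign of the CBA flips between them.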

 

Part 2: Threat Assessment and Countermeasures (CLO1,3):

Management of the XYZ Group attended a seminar and came back with a list of threat agents who could possibly harm the network. These are:

  • The inept user
  • The malicious hacker
  • The corporate spy

Management is wondering if any of these might have played a role in the previous information leakage incident that has so far cost the company $500,000 in lost sales annually.

 

Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • Which of the three threat agents might have played a role in the information leakage incident?
  • What possible threat agent actions occurred during the information leakage incident?
  • How do you think the product plans were stolen? What do you think were the possible avenues of attack?
  • What recommendations would you make to mitigate this risk for the upcoming product?

Part 3: Contingency Planning (CLO2)

Your recent threat modeling activity at XYZ Group really opened management’s eyes to the need for risk management. Now the company is concerned that a major incident could severely disrupt the company, or even put it out of business. The senior management team flew to an executive retreat last week where they were introduced to the idea of business continuity planning. They have just returned from the retreat, and have asked you to help them to better understand the BCP process.

Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • What business continuity disasters do the XYZ Group face?
  • What are some of the critical business processes that XYZ needs to sustain during a disaster?
  • Which processes do you think XYZ should recover first?
  • After developing the BCP, what do you think will be the most critical exercise to perform to ensure that the BCP will save the company during a disaster?
  • How can you ensure that the BCP will be executed properly during the disaster?

 

Part 4: Security Outsourcing (CLO5)

The company is about to launch a new online product. Realizing that it will soon have to support customers in all time zones, management is considering outsourcing its help desk to provide round-the-clock customer care. Three competing vendors, two of which are offshore, are being considered for the contract. Each vendor is being championed by a different manager. You have been tasked with assisting the vetting process of the prospective vendors.

Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • What would you consider to be the most important factors when evaluating the three competing vendors? Why?
  • Would you handle your evaluation of the offshore vendors differently from the local vendor? If so, what would you focus on the most and why?

 

Part 5: Personnel and Security Policies (CLO4,5):

Response to the company’s new online product has been overwhelming. In order to keep up with demand, the company must expand quickly. Management is using this opportunity to implement a more formal organizational structure at corporate headquarters. New roles are being created in all departments. Some employees will be promoted into new positions, and some who have not performed will be reassigned, demoted, or terminated. Many new people will be hired to fill sales, marketing, customer service, accounting, and management positions. Some staffers who used to enjoy broad privileges (particularly IT personnel) will find their new duties more focused and restrictive. The company is planning to hire contractors and temporary employees to help with the work until more permanent employees are hired.

 

You have been tasked with assisting management in applying personnel security best practices during the expansion process.


Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • As the company prepares to rapidly expand, which personnel security practice do you think should be implemented first and why?
  • Of all the employee roles mentioned, which ones do you think require the most job position sensitivity profiling and why?
  • How would you mitigate risk when reassigning, demoting, or terminating under-performing staff?

 

Part 6: Education, Training and Awareness (CLO3,4):

After the organization’s restructuring, management is concerned that new employees, and even existing employees in new roles, lack the security knowledge they need to keep the organization safe. Until now, there has been no formal process for training people on the company’s security policies, standards, and guidelines. Rather than continue to take a passive approach to people-based security, you have been tasked with planning a training program for all employees to go through.

Answer the following questions as part of your analysis:

Note: You need to provide full detail of your analysis of the case study. Providing answers to the below questions should help you with your analysis and must be viewed as guidance for your full answer. Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

  • What security issues need to be addressed in this training program?
  • What are the objectives and expected outcomes for the training?
  • What are the key points that your training should include for general staff?
  • Other than general staff, how would you customize the training program for different job roles/levels (e.g., board of directors, management, IT staff, security personnel, etc.)?


  2. Project Tasks and Deliverables

  a. Group Report

This is a group effort and is worth 50% of the project grade.

 

Prepare a professional report which should address “at least” all the questions associated with each of the Parts (1-6) of the given scenario. Refer to the marking rubric for detail of the expectations.

 

Note: You need to provide full detail of your analysis of the whole case study. Providing answers to the guidance questions associated with each part should help you with your analysis and is the “minimum requirement”. It must be viewed as guidance for your full answer.

 

Refer to the detailed Rubric at the end of this document for full detail of the requirements for each grade category.

 

  b. Individual Reflection and Presentation

This is an individual effort and is worth 50% of the project grade.

 

Students are required to present their project and be ready to defend it. Each group member is expected to demonstrate knowledge of all the sections of the report.

The following are some points you need to take into consideration while working on the second part of this project:

First: The Final Presentation

  • The presentation will start with a general discussion of the work you did on your group project.
  • A PowerPoint presentation or any other presentation tool can be used to prepare the slides.
  • The presentation slides should include a reference to each one of the required tasks.

 

Second: The Question & Answer Session (Oral Defense)

  • The presentation will be followed by a question/answer session in which each one of the team members will be asked to answer some questions related to what they did in the project.
  • The question/answer session is an individual mark. The way students answer questions will be evaluated individually.

 

Project Evaluation

1 – Group Report – Rubric for Marking the Report

Grade bands: Absent; Insufficient (1-59%) (F); Emerging (60-69%) (D/D+/C-); Satisfactory (70-76%) (C/C+); Competent (77-86%) (B-/B/B+); Mastering (87-100%) (A-/A).

CLO1 Deliverable: Discuss the need to secure information as an organizational asset [10 %]: Part 2 (Partial [10 Marks])

  • Absent: Content is non-existent.
  • Insufficient: Content submitted but does not answer the question.
  • Emerging: Possible threat agents are identified and are somewhat justified. Mitigations are identified and are somewhat justified.
  • Satisfactory: Possible threat agents are identified and are justified to reasonable detail. Mitigations are identified and are justified to reasonable detail.
  • Competent: Possible threat agents are identified and are justified to full detail. Consideration of the scenario is reasonably correlated. Mitigations are identified and are justified to full detail. Consideration of the scenario is reasonably correlated.
  • Mastering: Possible threat agents are identified and are justified to full detail. Consideration of the whole scenario is fully correlated. Mitigations are identified and are justified to full detail. Consideration of the whole scenario is fully correlated.

CLO2 Deliverable: Discuss the role of security risk management and contingency planning in safeguarding information assets [40 %]: Part 1 [20 Marks] and Part 3 [20 Marks]

  • Absent: Content is non-existent.
  • Insufficient: Content submitted but does not answer the question.
  • Emerging: Incident risk and CBA calculations are correct and explained to a reasonable extent. Consideration of effective contingency planning is correct and reasonably justified.
  • Satisfactory: Incident risk and CBA calculations are correct and explained to a full extent. Consideration of effective contingency planning is correct and fully justified.
  • Competent: Incident risk and CBA calculations are correct and explained to a full extent. Consideration of the whole scenario is reasonably correlated. Consideration of effective contingency planning is correct and fully justified in relation to the associated risks of Part 1.
  • Mastering: Incident risk and CBA calculations are correct and explained to a full extent. Consideration of the whole scenario is fully correlated. Consideration of effective contingency planning is correct and fully justified in relation to the associated risks of Part 1 and the whole scenario.

CLO3 Deliverable: Examine different types of security threats and corresponding countermeasures [10 %]: Part 2 (Partial [5 Marks]) and Part 6 (Partial [5 Marks])

  • Absent: Content is non-existent.
  • Insufficient: Content submitted but does not answer the question.
  • Emerging: General threat categories and possible mitigations are identified and are somewhat justified. General countermeasures are identified and are somewhat justified.
  • Satisfactory: Specific threat categories and possible mitigations are identified and are somewhat justified. Specific countermeasures are identified and are somewhat justified.
  • Competent: A detailed specification of threat categories and possible mitigations is identified and somewhat justified. A detailed specification of countermeasures is identified and somewhat justified.
  • Mastering: A detailed specification of threat categories and possible mitigations covering the whole scenario is identified and somewhat justified. A detailed specification of countermeasures covering the whole scenario is identified and somewhat justified.

CLO4 Deliverable: Describe the legal and public relations implications of security and privacy issues [20 %]: Part 5 (Partial [10 Marks]) and Part 6 (Partial [10 Marks])

  • Absent: Content is non-existent.
  • Insufficient: Content submitted but does not answer the question.
  • Emerging: Details related to personnel security measures and their implications for operations are provided.
  • Satisfactory: Details related to personnel security measures and their implications for operations are provided and fully justified.
  • Competent: Details related to personnel security measures and their implications for operations are provided and fully justified with enough and accurate detail.
  • Mastering: Details related to personnel security measures and their implications for operations are provided and fully justified with enough and accurate detail, and fully correlated with the whole scenario.

CLO5 Deliverable: Apply major techniques, approaches and tools to discover system vulnerabilities and protect information assets [20 %]: Part 4 (Partial [15 Marks]) and Part 5 (Partial [5 Marks])

  • Absent: Content is non-existent.
  • Insufficient: Content submitted but does not answer the question.
  • Emerging: Measures related to security outsourcing have been researched and stated.
  • Satisfactory: Measures related to security outsourcing have been researched and explained in relation to the given scenario.
  • Competent: Measures related to security outsourcing have been researched and explained in relation to the given scenario with clear emphasis on the importance of the vetting process.
  • Mastering: Measures related to security outsourcing have been researched and explained in relation to the given scenario with clear emphasis on the importance of the vetting process and full consideration of the whole given scenario.


2 – Rubric for Marking Oral Defense

Criteria: Follow-up Questions and Discussion

  • Absent: Unable to demonstrate any knowledge of the topic.
  • Insufficient (1-59%) (F): Responds inaccurately and inappropriately to questions.
  • Emerging (60-69%) (D/D+/C-): Demonstrates some knowledge of the topic by responding to some questions and making mistakes in answering other questions.
  • Satisfactory (70-76%) (C/C+): Demonstrates good knowledge of the topic by responding accurately and appropriately to almost all questions.
  • Competent (77-86%) (B-/B/B+): Demonstrates excellent knowledge of the topic by responding with accurate detail to almost all questions.
  • Mastering (87-100%) (A-/A): Demonstrates extensive knowledge of the topic by responding confidently, precisely and appropriately to questions.
