Abc Assignment Help

CSI2102 Information Security of Dance Club Assessment 2 Answer

Assignment 2: Information Security

Details

Title:Information Security Assignment 

Length:Minimum of 1500 words, maximum 2000 (excluding cover page and references)

Case Study

Overview

In this Assignment you will be required to perform a basic risk assessment and apply concepts covered from weeks 1 through 9. The deliverable is a (maximum 2000) word report detailing information security recommendations associated with a small dance club.

Background

The dance club (All Stars Dance) is operated by six staff and has approximately 200 members.

All Stars Dance operate in an office / dance room located on the second floor of a three-storey building that shares a common lift for access. All stars Dance operate during the day and offer evenings between 6pm and 10pm.

Currently anyone can access the second floor via the lift.

The Dance club have two networked desktop computers on site, one printer and are connected to the internet. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or web portal) and on-site in locked cabinet. The computers currently do not have authentication enabled.

The dance club has just implemented an online web portal for its members, the dance club has requested a risk assessment and data classification for the data it stores and collects to ensure personal information is secure.

To become a member of the dance club, members are required to visit the website and apply for membership or renew their existing membership. The web portal is an open source content management system (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The portal handles memberships, events and member information such as dance levels (novice, advanced, adult) and personal information (age, gender, address).

The portal allows members to purchase membership, read member only news and register for events or dance tests online, thus the portal is responsible for most of the data processing. Club membership runs from January 1 through to December 31 each year regardless of the application date.

Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the associations nominated bank account, thus payment information is not handled directly by the dance club. Once a member has paid for membership the system adds the member to a mailing list and updates permissions on the user account of which authorises access to member resources on the website / portal.

The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list include full name and email address. No other information is collected for the mailing list.

The dance club also receives emails from parents and other members from the website contact page or directly via email that are accessed on the computers located in the office.

Dance club staff have access to administer the system remotely using portable devices or on-site using the computers in the office. Staff change frequently and there are no access controls in place. Currently, when a staff member is granted access by the system admin, they have full administrative rights to the portal, this includes memberships, events and web content.

There are four primary functions staff need to perform for members:

  1. Update member information via the web portal
  2. Answer emails
  3. Update news on the portal
  4. Add events to the portal so members can register online
  5. Update news items on the portal

All Stars Dance would like an Information Security assessment and recommendation on what would be required to scure their information system.

Your first task in this assignment is to identify the information assets (both digital and physical). Things to consider:

  • The web portal and its CMS
  • Installed software for memberships
  • Member information
  • Physical assets on-site
  • ISO compliance
Action Steps

  1. Introduction: introduce your report and what you will cover.
  2. Identify and categorise information assets. This includes both digital and physical assets. Minimum of 15 assets (maximum 20). Assets should be categorised.
  3. Prioritise the information assets using a weighted factor analysis.
  4. Identify threats and vulnerabilities to the information assets. Given the number of threats, a threat category may suffice, e.g., for the CMS you may simply use the threat category "software attacks".
  5. Classify the information assets using an information classification schema.
  6. Create a risk rating for each asset. You may use the simple method (likelihood * impact).
  7. Include with your risk assessment table a control strategy, e.g., mitigate, defend, accept.
  8. Recommend security controls where necessary, e.g., access control.
  9. Reference ISO27001 / ISO27002 where appropriate.


Report Submission

Cover / Title page:

You do not need to include the ECU cover page. The cover page should include the Unit Code, Unit Title, Assignment Title, your name, your student number and who the report is prepared for.

Table of Contents:

This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.

Introduction:

Introduce the report, define its scope and state any assumptions. Use in-text references where appropriate.

Main report content

  • The report must address the task as defined above.
  • The report must contain your definition of the problem.
  • You must include a risk assessment (inclusive of a weighted factor analysis) and information classification schema.
  • Critical factors chosen for the weighted factor analysis must be justified in your report, i.e., why you chose them.
  • Threats, vulnerabilities, control strategy and recommended controls must be identified

References

A list of end-text references formatted according to the ECU requirements using the APA format. It is recommended that EndNote is used to manage references. Your references should ideally comprise books, journal articles and conference papers.

Format

  • This report should be no more than 2000 words (excluding references and diagrams), labelled as <CSI2102_your studentid_your studentlastname_studentfirstname>.docx and submitted as a single file.
  • Your assignment must be word-processed. The text must be no smaller than 12pt and the font must be Times New Roman.

Answer

Unit Code: CSI2102

Unit Title: Principles of Information Security

Assignment Title: Assignment 2

Introduction 

In the present scenario, the dance club relies heavily on a distribution scheme that must ensure its security and integrity. The recommendations use a distinct model to determine what needs to be implemented or altered in order to achieve the required level of information security. In this assignment we have gone through the case study. Security is one of the challenges for this dance club. The report concerns the security of "The Dance Club" (All Stars Dance), which is managed by six staff and has 200 registered members. The dance club operates in a dance room situated on the second floor of a three-storey building, and it also operates in the evenings between 6pm and 10pm. The club has two networked computers on site and a printer, connected through the internet. New members can join the club by registering online on the web portal of the dance club website. In this report we have explained each asset and identified its weightage score. We have also calculated the impact on the business of the loss of each asset. The website of the dance club is an open source CMS, and the most challenging work is to secure the web portal from threats. Attackers commonly steal data from web portals. An SQL injection vulnerability can affect any web portal that uses an SQL database; attackers exploit it to execute malicious SQL statements.

Information Security assessment and recommendation

  1. The web portal and its CMS

There are various methods to keep the web portal and its content management system secure. The detailed steps are discussed below.

Vulnerability: There are many methodologies by which a content management system can be secured. Secure coding practices are a logical first step. This area has been studied for many years, and there is no shortage of expert insight on improving web application security. Threat modelling should be applied to establish clearly what the application is meant to do, how it operates, and where vulnerabilities are most likely to exist. Static analysis traces the logic of code that is not running, looking for flaws in data handling and algorithms before the application is built for production ("SANS Institute: Reading Room - Data Loss Prevention", 2019).

A few rules for strengthening the security of the website are as follows:

  1. Select your plug-ins wisely.
  2. Apply updates with urgency.
  3. Always choose your content management system with both security and functionality in mind.
  4. Always track every change made to the source code.
  5. Always use strong passwords.
  6. Limit the types of file that can be uploaded to non-executables and always monitor uploads closely.
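The last rule (restricting uploads to non-executable file types) is the one most often implemented badly, so here is a worked server-side check. This is an added example written for this page, not code from the report or from Joomla; the allowlist, the list of executable extensions and the 5 MB size limit are constructed assumptions. It rejects path components in the name, any executable extension anywhere in the name (so "photo.php.jpg" is refused, not just "shell.php"), extensions outside the allowlist, oversized files, and files whose leading bytes do not match the type their extension claims.

```python
from typing import Tuple

# Constructed allowlist for this example: non-executable upload types and the
# leading bytes ("magic numbers") a file of that type must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Extensions a typical web server or CMS might execute or render as code.
# If any of these appears anywhere in the name (e.g. "photo.php.jpg"), reject.
EXECUTABLE_EXTS = {
    ".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh", ".exe",
    ".jsp", ".asp", ".aspx", ".js", ".html", ".htm", ".svg", ".htaccess",
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed size limit for the example


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload.

    Checks, in order: no path components in the name, no executable
    extension anywhere in the name, final extension on the allowlist,
    size limit, and file content that matches the claimed type.
    """
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        return False, "filename must be a bare name without path components"

    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "file has no extension"
    suffixes = ["." + p for p in parts[1:]]  # every dotted suffix, left to right

    if any(s in EXECUTABLE_EXTS for s in suffixes):
        return False, "executable extension present in name"

    ext = suffixes[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} is not on the allowlist"

    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"

    # Extension alone is untrustworthy: the content must look like the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext}"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads: a real JPEG header and a PHP file renamed as an image.
    for name, body in [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
                       ("fake.png", b"<?php echo 1; ?>"),
                       ("shell.php.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, check_upload(name, body))
```

The magic-byte check is deliberately a minimum, not a full parser: it stops a renamed script from passing as an image, but a file that opens with a valid image header and carries script text further in still needs the server configured so that the upload directory is never executed or served as code.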

Asset Identification


| System Components | Asset Components | Risk Management Components |
|---|---|---|
| People | Employees | Employees ID Cards; Attendance Records |
| People | Non-Employees | Visitors; Business Partners; Clients |
| Data | Information | Employees Records; Employees Bank Account Details; Membership Plan Records; Members Email Records; Next coming event details; News Update |
| Procedure | | Employees access procedures; Equipment access procedures; Data maintenance policy |
| Hardware | | Access point; Printer; Scanner; Biometric device |
| Software | | Web portal; Online payment system |

Weightage Factor Analysis


The weightage factors have been chosen to give a numerical value to each asset's impact on the dance club. The first factor is based on payments to third parties and employees. The second factor is based on the maintenance cost of keeping the dance club attractive to customers. The third factor has been chosen on the basis of minimising unnecessary expenses for the dance club (Whitman & Mattord, 2012).

 
| Asset | CR 1 Impact on Expenses | CR 2 Impact on Maintenance | CR 3 Cost to Minimize | Weightage Score |
|---|---|---|---|---|
| Weight | 30 | 30 | 40 | 100 |
| Employees ID Cards | 0.5 | 0.9 | 0.3 | 54 |
| Attendance Records | 0.4 | 0.7 | 0.6 | 57 |
| Visitors | 0.6 | 0.3 | 0.5 | 47 |
| Business partners | 0.8 | 0.5 | 0.4 | 55 |
| Clients | 0.6 | 0.3 | 0.6 | 51 |
| Employees Records | 0.5 | 0.7 | 0.3 | 48 |
| Employees Bank Acc Details | 0.3 | 0.2 | 0.6 | 39 |
| Membership Plan Records | 0.4 | 0.5 | 0.2 | 35 |
| Members Email records | 0.2 | 0.4 | 0.1 | 22 |
| Next coming event details | 0.3 | 0.5 | 0.6 | 48 |
| News Update | 0.1 | 0.3 | 0.4 | 28 |
| Employees access Procedures | 0.4 | 0.3 | 0.6 | 45 |
| Equipment access procedures | 0.5 | 0.7 | 0.6 | 60 |
| Data maintenance policy | 0.1 | 0.3 | 0.2 | 20 |
| Access point | 0.2 | 0.1 | 0.4 | 25 |
| Printer | 0.3 | 0.2 | 0.5 | 32 |
| Biometric device | 0.4 | 0.3 | 0.1 | 25 |
| Web Portal | 0.3 | 0.4 | 0.4 | 37 |
| Online Payment Systems | 0.1 | 0.5 | 0.6 | 42 |
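The weighted factor analysis above is a small calculation that is easy to get wrong by hand, so the following script carries it out from the three factor values and the 30/30/40 weights. This is an added example written for this page, not part of the report; the factor names and the asset values are copied from the table, and the script recomputes each score as the sum of factor value × weight, then ranks the assets. It also refuses weights that do not sum to 100 or factor values outside 0.0 to 1.0, which is the check a reviewer would apply to the "critical factors must be justified" requirement.

```python
from typing import Dict, List, Tuple

# The report's three critical factors and their weights (must sum to 100).
WEIGHTS: Dict[str, int] = {
    "CR1 Impact on Expenses": 30,
    "CR2 Impact on Maintenance": 30,
    "CR3 Cost to Minimize": 40,
}

# Factor values (0.0 - 1.0) per asset, copied from the report's table.
ASSET_FACTORS: Dict[str, Tuple[float, float, float]] = {
    "Employees ID Cards": (0.5, 0.9, 0.3),
    "Attendance Records": (0.4, 0.7, 0.6),
    "Visitors": (0.6, 0.3, 0.5),
    "Business partners": (0.8, 0.5, 0.4),
    "Clients": (0.6, 0.3, 0.6),
    "Employees Records": (0.5, 0.7, 0.3),
    "Employees Bank Acc Details": (0.3, 0.2, 0.6),
    "Membership Plan Records": (0.4, 0.5, 0.2),
    "Members Email records": (0.2, 0.4, 0.1),
    "Next coming event details": (0.3, 0.5, 0.6),
    "News Update": (0.1, 0.3, 0.4),
    "Employees access Procedures": (0.4, 0.3, 0.6),
    "Equipment access procedures": (0.5, 0.7, 0.6),
    "Data maintenance policy": (0.1, 0.3, 0.2),
    "Access point": (0.2, 0.1, 0.4),
    "Printer": (0.3, 0.2, 0.5),
    "Biometric device": (0.4, 0.3, 0.1),
    "Web Portal": (0.3, 0.4, 0.4),
    "Online Payment Systems": (0.1, 0.5, 0.6),
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Weights are percentages of the total importance, so they must sum to 100."""
    if sum(weights.values()) != 100:
        raise ValueError(f"weights must sum to 100, got {sum(weights.values())}")


def weighted_score(factors: Tuple[float, ...], weights: Dict[str, int]) -> int:
    """Sum of (factor value x weight) over the criteria, rounded to a whole score."""
    if len(factors) != len(weights):
        raise ValueError("one factor value is required per weighted criterion")
    for value in factors:
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor value {value} is outside 0.0-1.0")
    total = sum(value * weight for value, weight in zip(factors, weights.values()))
    return int(round(total))  # the products are whole numbers; rounding removes float noise


def rank_assets(assets: Dict[str, Tuple[float, ...]],
                weights: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (asset, score) pairs, highest priority first, ties broken by name."""
    validate_weights(weights)
    scored = [(name, weighted_score(factors, weights)) for name, factors in assets.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, score in rank_assets(ASSET_FACTORS, WEIGHTS):
        print(f"{score:3d}  {name}")
```

Running the script reproduces the ordering the report uses for prioritisation, with "Equipment access procedures" (60) at the top and "Data maintenance policy" (20) at the bottom; comparing its output with the table is a quick way to check the hand-entered scores.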

Schema Classification of asset

The classification schema is the technique of gathering the information to which the schema is applied. The dance club is a small business, so the amount of information stored by the organisation is very small. The three-level classification schema applied to the assets is explained below.

  1. Internal: Carrying printed material inside the dance club should be prohibited. If any member carries printed material, it must be cleared by dance club staff.
  2. Public: Any information posted on the web portal must go through a clearance process by dance club management. Management must follow strict rules in order to protect sensitive information.
  3. Confidential: Database storage systems are the most sensitive of all the information types. They need to be configured correctly from the start and backed up to a secure location.
| Classification Category | Description | Marking | Admin Controls | Distribution | Disposal |
|---|---|---|---|---|---|
| Internal | Information which is shared inside the organisation and has a small impact on the public | Internal | Not controlled by admin | For employees | No action necessary |
| Public | Information which is shared with the public | Public | Not controlled by admin | For the public and employees | No action necessary |
| Confidential | Information which contains the private and secret details of employees | Confidential | Authentication is required to control this category | For those who are associated with the management | The document must be securely destroyed, whether it is a hard copy or information on a digital device |

Asset Threat Identification

Risk Impact (Likelihood x Impact Matrix)

Risk management is one of the most important parts of any organisation. Any aware administrator needs to be aware of these types of risk. To prioritise risks, one needs to work effectively and focus the majority of time and effort on the important risks. A risk always has a negative impact, but the size of the impact varies with respect to health, time, human life and other factors. The likelihood and impact factors for each asset are given below.

| Asset Details | Classification | Threat | Vulnerability | Counter Measures | Likelihood | Impact | Risk rating | Control process |
|---|---|---|---|---|---|---|---|---|
| (scale maximum) | | | | | 5 | 5 | 25 | |
| Employees ID Cards | Internal | Details Extortion | Weak employee training | Should give best training | 2 | 4 | 17 | Defend |
| Attendance Records | Internal | Information Extortion | Weak software management | Should give best training | 3 | 2 | 15 | Defend |
| Visitors | Public | Human error | Lack of training | Give proper information | 3 | 3 | 12 | Defend |
| Business partners | Public | Human error | Information loss | Give proper information | 4 | 2 | 16 | Defend |
| Clients | Public | Information Extortion | Information loss | Share proper information | 3 | 3 | 14 | Defend |
| Employees Records | Internal | Theft | Weak employees training | Training should be at high level | 3 | 3 | 17 | Accept |
| Employees Bank Acc Details | Confidential | Theft | Poor software training | Trained and give information | 3 | 4 | 18 | Defend |
| Membership Plan Records | Confidential | Theft | Software issue | Deliver proper information | 2 | 3 | 6 | Defend |
| Members Email records | Confidential | Theft | Software issues | Proper training required | 3 | 2 | 8 | Defend |
| Next coming event details | Public | Extortion | Weak employees training | Employees need training | 4 | 1 | 3 | Defend |
| News Update | Public | Human error | Weak employees training | Employees need proper training | 4 | 3 | 10 | Defend |
| Employees access Procedures | Internal | Human error | | Training required | 1 | 1 | 11 | Defend |
| Equipment access procedures | Internal | Technology issues | Poor software training | Keep always up to date | 1 | 4 | 8 | Accept |
| Data maintenance policy | Internal | Software issues | Weak software training | Always keep up to date | 2 | 2 | 5 | Defend |
| Access point | Internal | Theft | Technology failures | Give technology training | 3 | 1 | 3 | Accept |
| Printer | Internal | Theft | Hardware failures | Always maintain it | 4 | 4 | 12 | Accept |
| Biometric device | Confidential | Technology problem | Hardware failures | Always update the technology | 3 | 3 | 12 | Accept |
| Web Portal | Public | Software attacks | Software; poor training | Antivirus and software security | 4 | 1 | 16 | Defend |
| Online Payment Systems | Public | Software issue | Software poor training | Software handling with good trainer | 5 | 3 | 14 | Defend |
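The assignment brief allows the simple method (likelihood * impact) for the risk rating, and the table scores both on a 1 to 5 scale with a maximum of 25. The script below is an added example written for this page, not part of the report: it takes a constructed subset of the table's likelihood and impact values, computes the rating strictly as their product, and maps each rating to a band and a control strategy. The band thresholds (1-4 Low/Accept, 5-9 Medium/Mitigate, 10-25 High/Defend) are an assumption made for the example, not a scheme from the report or from ISO 27005.

```python
from typing import Dict, List, Tuple

SCALE_MAX = 5  # likelihood and impact are each scored 1..5, so the rating tops out at 25

# Constructed rating bands for the example, each with the control strategy it maps to.
# These thresholds are an assumption, not the report's scheme.
BANDS: List[Tuple[int, int, str, str]] = [
    (1, 4, "Low", "Accept"),
    (5, 9, "Medium", "Mitigate"),
    (10, 25, "High", "Defend"),
]

# Likelihood / impact values taken from the report's risk table (constructed subset).
SAMPLE_ASSETS: List[Tuple[str, int, int]] = [
    ("Employees ID Cards", 2, 4),
    ("Employees Bank Acc Details", 3, 4),
    ("Printer", 4, 4),
    ("Online Payment Systems", 5, 3),
    ("Access point", 3, 1),
    ("Employees access Procedures", 1, 1),
]


def risk_rating(likelihood: int, impact: int) -> int:
    """Simple method: rating = likelihood x impact, both on the 1..SCALE_MAX scale."""
    for value in (likelihood, impact):
        if not isinstance(value, int) or not 1 <= value <= SCALE_MAX:
            raise ValueError(f"score {value!r} must be an integer from 1 to {SCALE_MAX}")
    return likelihood * impact


def classify(rating: int) -> Tuple[str, str]:
    """Map a rating to its (band, control strategy) using the constructed BANDS."""
    for low, high, band, strategy in BANDS:
        if low <= rating <= high:
            return band, strategy
    raise ValueError(f"rating {rating} is outside 1..{SCALE_MAX * SCALE_MAX}")


def build_register(entries: List[Tuple[str, int, int]]) -> List[Dict[str, object]]:
    """Produce a risk register sorted highest rating first (ties broken by asset name)."""
    rows = []
    for asset, likelihood, impact in entries:
        rating = risk_rating(likelihood, impact)
        band, strategy = classify(rating)
        rows.append({"asset": asset, "likelihood": likelihood, "impact": impact,
                     "rating": rating, "band": band, "strategy": strategy})
    return sorted(rows, key=lambda row: (-int(row["rating"]), str(row["asset"])))


if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        print(f"{row['rating']:2d} {row['band']:<6} {row['strategy']:<8} {row['asset']}")
```

Because the rating is a plain product, the register is reproducible from the two scores alone; if a hand-filled table shows a rating that is not the product of its own likelihood and impact cells, this script is the quickest way to find the row.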

Final Recommendation

It is very important that the dance club implements various key countermeasures. It is also important that within the organisation only a single staff member is authorised to access all the data policies. The manager is authorised to access all the confidential data of the members. The organiser manager is only authorised to post event details on the web portal. To protect against loss of data, the web portal should be secured so that an attacker cannot steal employee data and misuse it. The latest technology must be used in the dance club. If any employee leaves the organisation, management must revoke their access immediately (2019).
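The recommendation above describes three distinct levels of access (a single administrator, a manager who may read confidential member data, and an organiser manager who may only post events) plus immediate revocation when staff leave. Here is a worked role-based access control model of that arrangement. This is an added example written for this page, not code from the report or from Joomla; the role names, the permission sets and the resource labels (which reuse the report's Internal/Public/Confidential classification) are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Constructed role model following the report's recommendation: the admin holds
# everything, the manager may read confidential member data, and the organiser
# manager may only publish event details. Resources reuse the report's classes.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "admin": {
        ("read", "confidential"), ("write", "confidential"),
        ("read", "internal"), ("write", "internal"),
        ("publish", "events"), ("publish", "news"), ("manage", "users"),
    },
    "manager": {("read", "confidential"), ("read", "internal"), ("write", "internal")},
    "organiser_manager": {("publish", "events"), ("read", "internal")},
}


class AccessControl:
    """Least-privilege role assignment with an audit trail of every decision."""

    def __init__(self) -> None:
        self.users: Dict[str, Set[str]] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []  # (user, action, resource, allowed)

    def grant(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Offboarding: strip every role at once so a departed staff member keeps nothing."""
        self.users.pop(user, None)

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        roles = self.users.get(user, set())  # unknown or revoked users have no roles
        allowed = any((action, resource) in ROLE_PERMISSIONS[r] for r in roles)
        self.audit.append((user, action, resource, allowed))  # record denials too
        return allowed

    def denied_attempts(self) -> List[Tuple[str, str, str]]:
        """Audit view: every refused request, the first thing to review after an incident."""
        return [(u, a, r) for u, a, r, ok in self.audit if not ok]


def demo() -> AccessControl:
    """Constructed staff assignment mirroring the recommendation, then an offboarding."""
    ac = AccessControl()
    ac.grant("alice", "admin")
    ac.grant("bob", "manager")
    ac.grant("carol", "organiser_manager")
    ac.is_allowed("carol", "publish", "events")        # allowed: her job
    ac.is_allowed("carol", "read", "confidential")     # denied: not her job
    ac.revoke_all("bob")                               # bob leaves the club
    ac.is_allowed("bob", "read", "confidential")       # denied: access gone immediately
    return ac


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The point of keeping the audit list inside the access check is that a denied request is as informative as an allowed one: a former staff member's account still attempting to read confidential data is exactly the signal the revocation step is meant to surface.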

Executive Summary

The aim of this report is to set out the different options that will directly protect the confidentiality of members' information and the physical security of members. The various risks have been discussed above and the potential threats to each asset are listed in the table. The results of the information security analysis were used to develop actions, along with recommendations for the physical devices to be installed inside the building and inside the dance club room. The impact of each asset was discussed above, and the risk rating of each asset and its countermeasures were explained. The report concludes with recommendations for the dance club to achieve the integrity and confidentiality of the personal information of the registered members.
