CSI2102 Information Security of Dance Club Assessment 2 Answer

Assignment 2: Information Security

Details

Title:Information Security Assignment

Length:Minimum of 1500 words, maximum 2000 (excluding cover page and references)

Case Study

Overview

In this Assignment you will be required to perform a basic risk assessment and apply concepts covered from weeks 1 through 9. The deliverable is a (maximum 2000) word report detailing information security recommendations associated with a small dance club.

Background

The dance club (All Stars Dance) is operated by six staff and has approximately 200 members.

All Stars Dance operate in an office / dance room located on the second floor of a three-storey building that shares a common lift for access. All stars Dance operate during the day and offer evenings between 6pm and 10pm.

Currently anyone can access the second floor via the lift.

The Dance club have two networked desktop computers on site, one printer and are connected to the internet. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or web portal) and on-site in locked cabinet. The computers currently do not have authentication enabled.

The dance club has just implemented an online web portal for its members, the dance club has requested a risk assessment and data classification for the data it stores and collects to ensure personal information is secure.

To become a member of the dance club, members are required to visit the website and apply for membership or renew their existing membership. The web portal is an open source content management system (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The portal handles memberships, events and member information such as dance levels (novice, advanced, adult) and personal information (age, gender, address).

The portal allows members to purchase membership, read member only news and register for events or dance tests online, thus the portal is responsible for most of the data processing. Club membership runs from January 1 through to December 31 each year regardless of the application date.

Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the associations nominated bank account, thus payment information is not handled directly by the dance club. Once a member has paid for membership the system adds the member to a mailing list and updates permissions on the user account of which authorises access to member resources on the website / portal.

The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list include full name and email address. No other information is collected for the mailing list.

The dance club also receives emails from parents and other members from the website contact page or directly via email that are accessed on the computers located in the office.

Dance club staff have access to administer the system remotely using portable devices or on-site using the computers in the office. Staff change frequently and there are no access controls in place. Currently, when a staff member is granted access by the system admin, they have full administrative rights to the portal, this includes memberships, events and web content.

There are four primary functions staff need to perform for members:

Update member information via the web portal
Answer emails
Update news on the portal
Add events to the portal so members can register online
-date news items on the portal

All Stars Dance would like an Information Security assessment and recommendation on what would be required to scure their information system.

Your first task in this assignment would be to identify the information assets (both digital and physical). Things to consider.

The web portal and its CMS
Installed software for memberships
Member information
Physical assets on-site
ISO compliance

Action Steps

Introduction, introduce your report and what you will cover

Identify and categorise information assets. This includes both digital and physical assets. Minimum of 15 assets (max 20). Assets should be categorised

Prioritise the information assets using a weighted factor analysis

Identify threats and vulnerabilities to the information assets. Given the amount of threats a threat category may suffice, i.e., for the CMS you may simply use the threat category software attacks

Classify the information assets using an information classification schema

Create a risk rating for each asset. You may use the simple method (likelihood * impact)

Include with your risk assessment table a control strategy, i.e., mitigate, defend, accept

Recommend security controls where necessary, i.e., access control,

Reference ISO27001 / ISO27002 where appropriate

Report Submission

Cover / Title page:

You do not need to include the ECU cover page. The cover page should include the Unit Code, Unit Title and Assignment Title. Your Name, student number and who the report is prepared for.

Table of Contents:

This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.

Introduction:

Introduce the report, define its scope and state any assumptions. Use in- text references where appropriate

Main report content

The report must address the task as defined above.
The report must contain your definition of the problem.
You must include a risk assessment (inclusive of a weighted factor analysis) and information classification schema.
Critical factors chosen for the weighted factor analysis must be justified in your report, i.e., why you chose them.
Threats, vulnerabilities, control strategy and recommended controls must be identified

References

A list of end-text references formatted according to the ECU requirements using the APA format. It is recommended that Endnote is used to manage references. Your references should ideally comprise of books, journal articles and conference papers.

Format

This report should be no more than 2000 words (excluding references and diagrams) and labelled as <CSI2102_your studentid_your studentlastname_studentfirstname>.docx and should be in a single file.
Your assignments must be word-processed \ The text must be no smaller than 12pt and font Times New Roman

Answer

Unit Code: - CSI2102

Unit Title: - Principles of Information Security

Assignment Title: - Assignment 2:

Introduction

In the Present scenario it rely heavily on the distribution scheme that ensure the security and integrity of the Dance club. The Recommendations will use the distinguish model to calculate what needs to implemented or alter in order to gain the classification of Information Security. In this Assignment, we gone through the case study. The security is one of the challenges for this Dance club. It is about the Security of the “The dance Club” (All Stars Dance) which is managed by the six staff of the Dance club and it has the 200 members registered. The dance club operated in a dance room situated on the second floor of the three-storey building. Dance club started at evenings between 6pm to 10pm. Dance club are connected with two networked computers on site and printer which is connected through the internet. The new members can join this club by register online on the web portal of the dance club website. In this report we have explained each asset identifies the weightage score. We have also calculated the impact of loss which is cause due to asset in the business. The website of the Dance club is open source CMS. The most challenging work to secure the web portal from threat. Hackers Generally Stole the data from Web Portal. An SQL Injection vulnerability effect any web portal that uses the SQL database. Hackers Execute this SQL Injection for malicious SQL statements.

Information Security assessment and recommendation

The web portal and its CMS

There are various methods to protect the web portal and its Content management Systems secure. The details steps are discussed below: -

Vulnerability: - We know that there are many methodologies by which Content Management System can be Secure. It is more important to protect coding practices by certainly a logical first step. This is the area which we studied from many years in which expert insight for making improvement of web application security with no shortage. The threat modelling would be implemented to check clearly what the application is meant to do, check how the application goes and where the vulnerabilities are mostly to exits. Static Analysis keep tracks the logic of the code that is not running and looking for shortfalls of data manipulation and algorithms process before production of the application to be build. ("SANS Institute: Reading Room - Data Loss Prevention", 2019)
Below are few of the rules for making strong security of the website are as follows:
Select your plug-ins wisely
There must be update with urgency.
Always choose your Content Management Systems with keep in mind about security and functionality.
Always changes the sources code and track every time.
Always use strong password.
Limit the types of file to uploads to non-executables and always keep track them closely.

Asset Identification

System Components	Asset Components	Risk Management Components
People	Employees	Employees ID Cards Attendance Records
	Non-Employees	Visitors Business Partners Clients
Data	Information	Employees Records Employees Bank account Details Memberships Plan Records Members Emails Records Next coming event details News Update
Procedure		Employees access procedures Equipment’s access procedure Data maintenance policy
Hardware		Access point Printer Scanner Biometric device
Software		Web portal Online payment System

Weightage Factor Analysis

The Weightage factors has been opted to give the numerical value to the asset’s impact on the Dance Club. The first factor is taken on the basis of the payment of the third party and employees. The second factor is based on the maintenance cost to make the customers attractive towards the Dance club. The third factor has been chosen on the basis to optimized the unnecessary expenses on the Dance club. ("Whitman, M.E. and Mattord, H.J. (2012) )

	CR 1 Impact on Expenses	CR 2 impact on Maintenance	CR 3 Cost to minimize	Weightage Score
	30	30	40	100
Employees ID Cards	0.5	0.9	0.3	54
Attendance Records	0.4	0.7	0.6	57
Visitors	0.6	0.3	0.5	47
Business partners	0.8	0.5	0.4	55
Clients	0.6	0.3	0.6	51
Employees Records	0.5	0.7	0.3	48
Employees Bank Acc Details	0.3	0.2	0.6	39
Membership Plan Records	0.4	0.5	0.2	35
Members Email records	0.2	0.4	0.1	22
Next coming event details	0.3	0.5	0.6	48
News Update	0.1	0.3	0.4	28
Employees access Procedures	0.4	0.3	0.6	45
Equipment access procedures	0.5	0.7	0.6	60
Data maintenance policy	0.1	0.3	0.2	20
Access point	0.2	0.1	0.4	25
Printer	0.3	0.2	0.5	32
Biometric device	0.4	0.3	0.1	25
Web Portal	0.3	0.4	0.4	37
Online Payment Systems	0.1	0.5	0.6	42

Schema Classification of asset

The classification schema is the technique of gathering information which is applied on the schema. The Dance club is small business so the information stored at this organization is very small. The three-classification schema is explained below which his used on the asset.

Internal: There should be banned of carrying the printing materials inside the Dance club If Any members carry any printing material then there must be clearance from Staff of the dance club.
Public: - Any information Posted on the web Portal must be gone through the process of clearance by the Dance club management. The management must to follows the strict rules in order to ensure the Sensitive information.
Confidential: - Database storage systems are more sensitive regarding all the information types. It needs to configure initially and make backup it in secure location.

Classification Category	Description	Marking	Admin Controls	Distribution	Disposal
Internal	The Information which shared inside the organization and have small impact on the public	Internal	Not control of admin	Its for Employees	There is no any action necessary
Public	The information which is shared for public	Public	Not control of Admin	It is for the public and Employees	There is no any action necessary
Confidential	The information which has private and secrete information’s of employees	Confidential	Required the authentication to control these categories	It is for those who are associated with the management	The document needs to be shared if hard copy or digital Device information both

Asset Threat Identification

Risk Impact (Likelihood x Impact Matrix)

Risk Management is one of the important parts of any organizations. Any Aware admin need to aware about these types of risks. To prioritize risk, need to do effectiveness and focused the majority of time and take more efforts on the important risks. A risk always a negative impact. But the size of the impact varies with respect of impact health, time, human life and some other factors. Below the Likelihood impact factor is mentioned for each asset.

Asset Details	Classification	Threat	Vulnerability	Counter Measures	Likelihood	Impact	Risk rating	Control process
					5	5	25
Employees ID Cards	Internal	Details Extortion	Weak employee training	Should give best training	2	4	17	Defend
Attendance Records	Internal	Information Extortion	Weak software management	Should give best training	3	2	15	Defend
Visitors	Public	Human error	Lack of training	Give proper information	3	3	12	Defend
Business partners	Public	Human Error	Information loss	Give proper information	4	2	16	Defend
Clients	Public	Information Extortion	Information loss	Share proper information	3	3	14	Defend
Employees Records	Internal	Theft	Weak employees training	Training should be at high level	3	3	17	Accept
Employees Bank Acc Details	confidential	Theft	Poor software training	Trained and give information	3	4	18	Defend
Membership Plan Records	confidential	Theft	Software issue	Deliver proper information	2	3	6	Defend
Members Email records	confidential	Theft	Software issues	Proper training required	3	2	8	Defend
Next coming details	public	Extorsion	Weak employees training	Employee need training	4	1	3	Defend
News Update	Public	Human error	Weak employees training	Employees need proper training	4	3	10	Defend
Employees access Procedures	Internal	Human error		Training required	1	1	11	Defend
Equipment access procedures	Internal	Technology issues	Poor software training	Keep always up to date	1	4	8	Accept
Data maintenance policy	internal	Software issues	Weak software training	Always keep up to date	2	2	5	Defend
Access point	internal	Theft	Technology failures	Give technology training	3	1	3	Accept
Printer	internal	Theft	Hardware failures	Always maintain it	4	4	12	Accept
Biometric device	confidential	Technology Problem	Hardware failures	Always update the technology	3	3	12	Accept
Web Portal	public	Software attacks	Software Poor training	Antivirus and software security	4	1	16	Defend
Online Payment Systems	public	Software issue	Software poor training	Software handling with good trainer	5	3	14	Defend

Final Recommendation

It is very important that Dance Club has to implement various key countermeasures. It is also important that in the organization only single staff has authentication to access all the data policies. The manager has authentication to access all the confidential data of the members. The Organizer Manger has only authentication to out the event details on the web portal. To protect from loss of data the web portal should be secure so that the attacker can’t theft any data of employees and misuse it. The latest technology must be used in the Dance club. If any Employee has been out from the company then the Management have to revoked him immediately. (2019)

Executive Summary

The Aim of this report to gain the different options that will directly protect the confidentiality of the members information and security of his physical appearance. The Various risk has been discussed above and the potential threats of each assets are listed in table. The Result of the Information security systems analyzed are used then developed the action along with the recommendation of the physical device which is to be installed inside the building and inside Dance Club room. The impact of the various asset was discussed above. The risk rating of asset and counter measures was explained. The report is finalized with certain recommendation for the dance club to gain the integrity and confidentiality of the Personal information of the registered members.

Customer Testimonials

ABC Assignment Help for one reason became my favorite because they don’t have a very complex signing up process and it’s very simple so everybody can use it. I was able to sign in without any hassle as my Company Law Assignment was due and they did it for me in a very efficient manner and I am very delighted with their service and a heartiest thanks.

Emily, Sydney

I work part time to meet my expenses apart from college and I took this as a decision to not burden my parents. A while later I started feeling great amount of stress in balancing it all together and decided to seek help from ABC Assignment Help for my Commercial Law Assignment and they did my assignment for me and I am super satisfied with their work style. Thank you so much.

Lawrence, Tasmania

I had a harsh week as I was extremely debilitated and every one of my assignments were getting excessively and caused me an incredible mental breakdown. A companion of mine seeing my circumstance asked me to utilize ABC Assignment encourage, their quick and efficient administrations helped me complete my Contract Law Assignment with less stress

Rihana, New South Wales

Get Help Instantly

Forgot Password Step 1

Forgot Password Step 2

Reset Password