Assignment 2: Information Security
Details
Title: Information Security Assignment
Length: Minimum of 1500 words, maximum 2000 (excluding cover page and references)
Case Study
In this assignment you will be required to perform a basic risk assessment and apply concepts covered from weeks 1 through 9. The deliverable is a report of at most 2000 words detailing information security recommendations for a small dance club.
Background
The dance club (All Stars Dance) is operated by six staff and has approximately 200 members.
All Stars Dance operates from an office / dance room located on the second floor of a three-storey building that shares a common lift for access. All Stars Dance operates during the day and also offers evening sessions between 6pm and 10pm.
Currently anyone can access the second floor via the lift.
The dance club has two networked desktop computers and one printer on site, and is connected to the internet. New member applications and other information, such as policies, procedures and member information, are stored both digitally (on the computers or the web portal) and on site in a locked cabinet. The computers currently do not have authentication enabled.
The dance club has just implemented an online web portal for its members, and has requested a risk assessment and data classification for the data it stores and collects, to ensure personal information is secure.
To become a member of the dance club, members are required to visit the website and apply for membership or renew their existing membership. The web portal is an open source content management system (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The portal handles memberships, events and member information such as dance levels (novice, advanced, adult) and personal information (age, gender, address).
The portal allows members to purchase membership, read member only news and register for events or dance tests online, thus the portal is responsible for most of the data processing. Club membership runs from January 1 through to December 31 each year regardless of the application date.
Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the association's nominated bank account, so payment information is not handled directly by the dance club. Once a member has paid for membership, the system adds the member to a mailing list and updates the permissions on the user account, which authorises access to member resources on the website / portal.
The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list includes full name and email address. No other information is collected for the mailing list.
The dance club also receives emails from parents and other members, either via the website contact page or directly by email; these are accessed on the computers located in the office.
Dance club staff can administer the system remotely using portable devices or on site using the computers in the office. Staff change frequently and there are no access controls in place. Currently, when a staff member is granted access by the system admin, they have full administrative rights to the portal, including memberships, events and web content.
There are four primary functions staff need to perform for members:
All Stars Dance would like an information security assessment and a recommendation on what would be required to secure its information system.
Your first task in this assignment is to identify the information assets (both digital and physical). Things to consider:
Action Steps
1. Introduction: introduce your report and what you will cover
2. Identify and categorise information assets. This includes both digital and physical assets. Minimum of 15 assets (max 20). Assets should be categorised
3. Prioritise the information assets using a weighted factor analysis
4. Identify threats and vulnerabilities to the information assets. Given the number of threats, a threat category may suffice, i.e., for the CMS you may simply use the threat category "software attacks"
5. Classify the information assets using an information classification schema
6. Create a risk rating for each asset. You may use the simple method (likelihood * impact)
7. Include with your risk assessment table a control strategy, i.e., mitigate, defend, accept
8. Recommend security controls where necessary, i.e., access control
9. Reference ISO27001 / ISO27002 where appropriate
Report Submission
Cover / Title page:
You do not need to include the ECU cover page. The cover page should include the Unit Code, Unit Title and Assignment Title, your name, student number and who the report is prepared for.
Table of Contents:
This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.
Introduction:
Introduce the report, define its scope and state any assumptions. Use in-text references where appropriate.
Main report content
References
A list of end-text references formatted according to the ECU requirements using the APA format. It is recommended that EndNote is used to manage references. Your references should ideally comprise books, journal articles and conference papers.
Format
Unit Code: CSI2102
Unit Title: Principles of Information Security
Assignment Title: Assignment 2
Introduction
This report presents an information security assessment for the dance club "All Stars Dance", which is managed by six staff and has 200 registered members. The recommendations use a risk assessment model to calculate what needs to be implemented or altered in order to secure the club's information. The club operates from a dance room on the second floor of a three-storey building and runs evening sessions between 6pm and 10pm. The club has two networked computers and a printer on site, all connected to the internet. New members join by registering online on the club's web portal. In this report we identify each asset and calculate its weighted score, and we also estimate the impact on the business of losing each asset. The club's website runs on an open source CMS, and securing the web portal against threats is the most challenging part of the work, since attackers commonly steal data through web portals. SQL injection, for instance, affects any web portal that uses an SQL database: the attacker executes malicious SQL statements through the portal's inputs.
Information Security assessment and recommendation
There are various methods to keep the web portal and its content management system secure. The detailed steps are discussed below:
Asset Identification
System Components | Asset Components | Risk Management Components
People | Employees |
People | Non-Employees |
Data | Information |
Procedures | Procedure |
Hardware | |
Software | |
Weighted Factor Analysis
Weighted factors have been chosen to give a numerical value to each asset's impact on the dance club. The first factor is based on payments to third parties and employees. The second factor is based on the maintenance cost of keeping the club attractive to customers. The third factor is based on minimising unnecessary expenses for the club (Whitman & Mattord, 2012).
Asset | CR 1 Impact on Expenses | CR 2 Impact on Maintenance | CR 3 Cost to Minimise | Weighted Score
Criterion weight | 30 | 30 | 40 | 100
Employees ID Cards | 0.5 | 0.9 | 0.3 | 54 |
Attendance Records | 0.4 | 0.7 | 0.6 | 57 |
Visitors | 0.6 | 0.3 | 0.5 | 47 |
Business partners | 0.8 | 0.5 | 0.4 | 55 |
Clients | 0.6 | 0.3 | 0.6 | 51 |
Employees Records | 0.5 | 0.7 | 0.3 | 48 |
Employees Bank Acc Details | 0.3 | 0.2 | 0.6 | 39 |
Membership Plan Records | 0.4 | 0.5 | 0.2 | 35 |
Members Email records | 0.2 | 0.4 | 0.1 | 22 |
Next coming event details | 0.3 | 0.5 | 0.6 | 48 |
News Update | 0.1 | 0.3 | 0.4 | 28 |
Employees access Procedures | 0.4 | 0.3 | 0.6 | 45 |
Equipment access procedures | 0.5 | 0.7 | 0.6 | 60 |
Data maintenance policy | 0.1 | 0.3 | 0.2 | 20 |
Access point | 0.2 | 0.1 | 0.4 | 25 |
Printer | 0.3 | 0.2 | 0.5 | 32 |
Biometric device | 0.4 | 0.3 | 0.1 | 25 |
Web Portal | 0.3 | 0.4 | 0.4 | 37 |
Online Payment Systems | 0.1 | 0.5 | 0.6 | 42 |
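The weighted score in the table above is the sum of each rating multiplied by its criterion weight (for example Employees ID Cards: 0.5 x 30 + 0.9 x 30 + 0.3 x 40 = 54). The following Python script is an added example, not part of the original report: it encodes the table's weights and ratings, validates them, recomputes every score and ranks the assets, so the prioritisation can be checked rather than copied by hand. Running it reproduces every score in the table except Printer, where the arithmetic gives 35 against the listed 32; that is exactly the kind of transcription slip such a check catches.

```python
"""Weighted factor analysis (WFA) over the All Stars Dance asset table.

Added example, not code from the original report. It recomputes each
asset's weighted score (rating x weight, summed over the three criteria)
from the values in the table and ranks the assets by that score.
"""
from typing import Dict, List, Tuple

# Criteria weights as stated in the report's table; they must sum to 100.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "CR1 impact on expenses": 30,
    "CR2 impact on maintenance": 30,
    "CR3 cost to minimise": 40,
}

# Asset -> (CR1, CR2, CR3) ratings on a 0.0-1.0 scale, copied from the table.
ASSET_RATINGS: Dict[str, Tuple[float, float, float]] = {
    "Employees ID Cards": (0.5, 0.9, 0.3),
    "Attendance Records": (0.4, 0.7, 0.6),
    "Visitors": (0.6, 0.3, 0.5),
    "Business partners": (0.8, 0.5, 0.4),
    "Clients": (0.6, 0.3, 0.6),
    "Employees Records": (0.5, 0.7, 0.3),
    "Employees Bank Acc Details": (0.3, 0.2, 0.6),
    "Membership Plan Records": (0.4, 0.5, 0.2),
    "Members Email records": (0.2, 0.4, 0.1),
    "Next coming event details": (0.3, 0.5, 0.6),
    "News Update": (0.1, 0.3, 0.4),
    "Employees access Procedures": (0.4, 0.3, 0.6),
    "Equipment access procedures": (0.5, 0.7, 0.6),
    "Data maintenance policy": (0.1, 0.3, 0.2),
    "Access point": (0.2, 0.1, 0.4),
    "Printer": (0.3, 0.2, 0.5),
    "Biometric device": (0.4, 0.3, 0.1),
    "Web Portal": (0.3, 0.4, 0.4),
    "Online Payment Systems": (0.1, 0.5, 0.6),
}


def validate(weights: Dict[str, int], ratings: Dict[str, Tuple[float, ...]]) -> None:
    """Reject inputs that would silently distort the ranking."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    for asset, rs in ratings.items():
        if len(rs) != len(weights):
            raise ValueError(f"{asset}: expected {len(weights)} ratings, got {len(rs)}")
        if any(not 0.0 <= r <= 1.0 for r in rs):
            raise ValueError(f"{asset}: ratings must lie between 0.0 and 1.0")


def weighted_score(ratings: Tuple[float, ...], weights: Dict[str, int]) -> int:
    """Sum of rating x weight over the criteria, rounded to a whole number.

    Rounding removes binary floating-point noise (0.3 * 40 is not exactly 12).
    """
    return round(sum(r * w for r, w in zip(ratings, weights.values())))


def score_all(ratings=ASSET_RATINGS, weights=CRITERIA_WEIGHTS) -> Dict[str, int]:
    """Weighted score for every asset, after validating the inputs."""
    validate(weights, ratings)
    return {asset: weighted_score(rs, weights) for asset, rs in ratings.items()}


def rank_assets(ratings=ASSET_RATINGS, weights=CRITERIA_WEIGHTS) -> List[Tuple[str, int]]:
    """Highest weighted score first; ties broken by asset name."""
    scores = score_all(ratings, weights)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for asset, score in rank_assets():
        print(f"{score:3d}  {asset}")
```

The ratings and weights live in plain dictionaries so that a second assessor can change one number and re-run the ranking; `validate` guards the two mistakes that most often go unnoticed in a hand-built WFA table, weights that no longer sum to 100 and a rating typed outside the 0-1 range.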
Asset Classification Schema
The classification schema is the method used to categorise the information held by the organisation. The dance club is a small business, so the amount of information it stores is small. The three-level classification schema applied to the assets is explained below.
Classification Category | Description | Marking | Admin Controls | Distribution | Disposal
Internal | Information shared inside the organisation that has a small impact if disclosed to the public | Internal | No admin control required | Employees only | No action necessary
Public | Information shared with the public | Public | No admin control required | Public and employees | No action necessary
Confidential | Private and secret information about employees | Confidential | Authentication required to control access to this category | Only those associated with management | Hard copies must be shredded and digital copies destroyed
Asset Threat Identification and Risk Impact (Likelihood x Impact Matrix)
Risk management is one of the important parts of any organisation, and an aware administrator needs to know about these types of risks. Risks must be prioritised so that the majority of time and effort is focused on the most important ones. A risk always has a negative impact, but the size of the impact varies with respect to health, time, human life and other factors. The likelihood and impact factors for each asset are given below.
Asset Details | Classification | Threat | Vulnerability | Counter Measures | Likelihood | Impact | Risk rating | Control process
Maximum | | | | | 5 | 5 | 25 |
Employees ID Cards | Internal | Details extortion | Weak employee training | Provide good training | 2 | 4 | 17 | Defend
Attendance Records | Internal | Information extortion | Weak software management | Provide good training | 3 | 2 | 15 | Defend
Visitors | Public | Human error | Lack of training | Give proper information | 3 | 3 | 12 | Defend
Business partners | Public | Human error | Information loss | Give proper information | 4 | 2 | 16 | Defend
Clients | Public | Information extortion | Information loss | Share proper information | 3 | 3 | 14 | Defend
Employees Records | Internal | Theft | Weak employee training | Training should be at a high level | 3 | 3 | 17 | Accept
Employees Bank Acc Details | Confidential | Theft | Poor software training | Train staff and give information | 3 | 4 | 18 | Defend
Membership Plan Records | Confidential | Theft | Software issue | Deliver proper information | 2 | 3 | 6 | Defend
Members Email records | Confidential | Theft | Software issues | Proper training required | 3 | 2 | 8 | Defend
Next coming details | Public | Extortion | Weak employee training | Employees need training | 4 | 1 | 3 | Defend
News Update | Public | Human error | Weak employee training | Employees need proper training | 4 | 3 | 10 | Defend
Employees access Procedures | Internal | Human error | Training required | | 1 | 1 | 11 | Defend
Equipment access procedures | Internal | Technology issues | Poor software training | Always keep up to date | 1 | 4 | 8 | Accept
Data maintenance policy | Internal | Software issues | Weak software training | Always keep up to date | 2 | 2 | 5 | Defend
Access point | Internal | Theft | Technology failures | Give technology training | 3 | 1 | 3 | Accept
Printer | Internal | Theft | Hardware failures | Always maintain it | 4 | 4 | 12 | Accept
Biometric device | Confidential | Technology problem | Hardware failures | Always update the technology | 3 | 3 | 12 | Accept
Web Portal | Public | Software attacks | Poor software training | Antivirus and software security | 4 | 1 | 16 | Defend
Online Payment Systems | Public | Software issue | Poor software training | Software handling with a good trainer | 5 | 3 | 14 | Defend
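With the simple method the brief allows, the risk rating is likelihood x impact on two 1-5 scales, giving a maximum of 25. The "Risk rating" column above does not equal that product for the listed values (Employees ID Cards has likelihood 2 and impact 4, a product of 8, against the listed 17), so recomputing the ratings before choosing a control strategy is worthwhile. The Python script below is an added example, not part of the original report: it takes the likelihood and impact values from the table, recomputes the rating as their product, groups the assets into the cells of a 5 x 5 matrix, and maps each rating to a control strategy. The thresholds used for that mapping (15 and above defend, 6 to 14 mitigate, 5 and below accept) are an assumption of this example, not a figure from the report or the brief.

```python
"""Likelihood x impact risk rating for the All Stars Dance assets.

Added example, not code from the original report. Likelihood and impact
are taken from the report's table (both 1..5, so the maximum rating is
25); the strategy thresholds are this example's own assumption.
"""
from typing import Dict, List, Tuple

SCALE_MAX = 5  # both likelihood and impact are rated 1..5

# Asset -> (likelihood, impact), copied from the table above.
ASSET_RISK_INPUTS: Dict[str, Tuple[int, int]] = {
    "Employees ID Cards": (2, 4),
    "Attendance Records": (3, 2),
    "Visitors": (3, 3),
    "Business partners": (4, 2),
    "Clients": (3, 3),
    "Employees Records": (3, 3),
    "Employees Bank Acc Details": (3, 4),
    "Membership Plan Records": (2, 3),
    "Members Email records": (3, 2),
    "Next coming details": (4, 1),
    "News Update": (4, 3),
    "Employees access Procedures": (1, 1),
    "Equipment access procedures": (1, 4),
    "Data maintenance policy": (2, 2),
    "Access point": (3, 1),
    "Printer": (4, 4),
    "Biometric device": (3, 3),
    "Web Portal": (4, 1),
    "Online Payment Systems": (5, 3),
}

# Assumed strategy thresholds on the 1..25 rating, highest floor first.
STRATEGY_THRESHOLDS: List[Tuple[int, str]] = [
    (15, "defend"),    # 15..25: put controls in place that stop the threat
    (6, "mitigate"),   # 6..14: reduce the impact, e.g. backups, response plans
    (1, "accept"),     # 1..5: document the risk and accept it
]


def risk_score(likelihood: int, impact: int) -> int:
    """Simple-method rating; rejects values outside the 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be between 1 and {SCALE_MAX}, got {value}")
    return likelihood * impact


def control_strategy(score: int, thresholds=STRATEGY_THRESHOLDS) -> str:
    """Map a rating to the first strategy whose floor it reaches."""
    for floor, strategy in thresholds:
        if score >= floor:
            return strategy
    raise ValueError(f"score {score} is below the lowest threshold")


def assess(inputs=ASSET_RISK_INPUTS) -> List[Tuple[str, int, str]]:
    """(asset, rating, strategy) rows, highest rating first, ties by name."""
    rows = []
    for asset, (likelihood, impact) in inputs.items():
        score = risk_score(likelihood, impact)
        rows.append((asset, score, control_strategy(score)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def risk_matrix(inputs=ASSET_RISK_INPUTS) -> Dict[Tuple[int, int], List[str]]:
    """Group assets by their (likelihood, impact) cell, as a 5x5 heat map does."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for asset, (likelihood, impact) in inputs.items():
        cells.setdefault((likelihood, impact), []).append(asset)
    return cells


if __name__ == "__main__":
    for asset, rating, strategy in assess():
        print(f"{rating:2d}  {strategy:8s} {asset}")
```

Keeping the thresholds in one list makes the control decision reproducible: when the club's appetite for risk changes, the floors are edited once and every row moves with them, rather than each strategy being chosen by eye.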
Final Recommendations
It is very important that the dance club implements several key countermeasures. Only a single staff member should be authorised to access all data and policies. The manager should be authorised to access the confidential data of members, and the event organiser should only be authorised to publish event details on the web portal. To protect against loss of data, the web portal must be secured so that an attacker cannot steal employee data and misuse it. The latest technology must be used in the dance club. If any employee leaves the organisation, management must revoke their access immediately. (2019)
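The recommendation above replaces the current arrangement, in which every staff account holds full administrative rights to the portal, with roles that carry only the permissions a job needs and with immediate revocation when someone leaves. The Python model below is an added example, not code from the report or from the Joomla CMS: the role names (system_admin, manager, event_organiser) and permission names are assumptions made for this example, chosen to match the portal functions the case study names (memberships, events, web content and members' personal information).

```python
"""Least-privilege roles for the club portal's staff accounts.

Added example, not code from the report or from Joomla. Each assumed
role holds only the permissions its job needs, every grant and
revocation is written to an audit log, and offboarding removes all of a
user's roles in one step.
"""
from datetime import datetime, timezone
from typing import Dict, List, Set

# Permission names are assumed; they mirror the portal functions in the case study.
PERMISSIONS: Set[str] = {
    "memberships:read", "memberships:write",
    "members_pii:read",          # age, gender, address of members
    "events:read", "events:write",
    "content:read", "content:write",
    "users:admin",               # grant and revoke staff access
}

# Assumed roles: only the single system admin holds everything.
ROLES: Dict[str, Set[str]] = {
    "system_admin": set(PERMISSIONS),
    "manager": {"memberships:read", "memberships:write", "members_pii:read",
                "events:read", "content:read"},
    "event_organiser": {"events:read", "events:write", "content:read"},
}


class PortalAccess:
    """In-memory role assignments with an append-only audit log."""

    def __init__(self) -> None:
        self._assignments: Dict[str, Set[str]] = {}
        self.audit_log: List[str] = []

    def _record(self, message: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{stamp} {message}")

    def grant(self, user: str, role: str) -> None:
        """Assign a defined role; unknown roles are refused rather than created."""
        if role not in ROLES:
            raise KeyError(f"unknown role: {role}")
        self._assignments.setdefault(user, set()).add(role)
        self._record(f"grant user={user} role={role}")

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop every role the user holds in one step."""
        removed = self._assignments.pop(user, set())
        self._record(f"revoke-all user={user} roles={sorted(removed)}")

    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions of all roles the user currently holds."""
        perms: Set[str] = set()
        for role in self._assignments.get(user, set()):
            perms |= ROLES[role]
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: a user with no roles can do nothing."""
        return permission in self.permissions_of(user)


if __name__ == "__main__":
    access = PortalAccess()
    access.grant("manager01", "manager")
    access.grant("organiser01", "event_organiser")
    print("organiser reads member PII:", access.is_allowed("organiser01", "members_pii:read"))
    access.revoke_all("organiser01")
    print("organiser publishes events after leaving:", access.is_allowed("organiser01", "events:write"))
    print("\n".join(access.audit_log))
```

Because `is_allowed` denies by default, a departed staff member whose roles were removed cannot reach any portal function, and the audit log gives the club a record of who held what access and when it was withdrawn.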
Executive Summary
The aim of this report is to identify the different options that will directly protect the confidentiality of members' information and the physical security of the premises. The various risks have been discussed above, and the potential threats to each asset are listed in the tables. The results of the information security analysis were then used to develop actions, along with recommendations for the physical devices to be installed inside the building and inside the dance club room. The impact of each asset, its risk rating and the corresponding countermeasures were explained. The report concludes with recommendations for the dance club to protect the integrity and confidentiality of the personal information of its registered members.