SIT284 Cybersecurity Management Assessment 1 Information Answer
Assessment 1 information - 2020
SIT284: Cybersecurity Management
Group Planning Report
This assessment is for students to demonstrate their ability to plan an investigation of security management issues in corporate organisations. Students are required to work as a team (at most 4 students in a team) to evaluate risk levels, the potential impact of threats and vulnerabilities, and the costs and benefits of control methods.
Useful resources:
- Textbook and lecture notes (especially those that focus on risk management and treatment)
- Online resources such as those that maintain lists of known vulnerabilities
This assessment assesses the following Unit Learning Outcomes (ULO) and related Graduate Learning Outcomes (GLO):
- GLO 1: Discipline-specific knowledge and capabilities
- GLO 4: Critical thinking
- GLO 5: Problem solving
- GLO 7: Teamwork (assessed through students' teamwork skills in planning an investigation)
Case Study: Patterson Sports Performance (Company)
Patterson Sports Performance (PSP) is one of the top sports performance companies in Australia, headquartered in Melbourne with branches throughout the country and revenues of about $1 billion per annum. Its client base is estimated at more than 10,000 and includes multinational businesses, prominent athletes and celebrities, and high-profile corporate executives. PSP has five major business units: the finance department, the marketing department, the e-Solution department, the business development (BD) department and the legal department. The legal department is staffed with attorneys, solicitors, barristers, paralegals and support staff. The BD department, headed by a BD director, is tasked with initiating, facilitating and supporting the strategic business development plan, as well as managing and retaining relationships with existing clients while increasing the client base. The marketing department, led by a marketing director, focuses on marketing functions such as branding, positioning and segmentation. The finance department, headed by the chief financial officer, is responsible for all aspects of PSP's financial health; the finance team plans, coordinates and administers the overall financial activities of the company. The e-Solution department is responsible for managing the IT infrastructure (hardware, software and network). A chief information security officer (CISO) and several cybersecurity professionals within the e-Solution department are responsible for cybersecurity management at PSP.
PSP collects and maintains a substantial amount of privileged and very sensitive information, intellectual property and commercially sensitive material relating to sporting teams and athletes, as well as to third-party sports companies. The legal team uses information technology (IT) extensively for purposes including communication with clients and associates and discovery of relevant athletes' contracts. The BD team relies heavily on IT such as customer relationship management (CRM) software and the database for activities such as researching new business opportunities and worthwhile income sources. The marketing team uses PSP's IT capabilities and other channels such as social media platforms for many marketing-related activities, including research, development of marketing strategies and marketing analysis. The finance team uses IT capabilities in various finance-related activities, including analysing market trends and competitors.
The PSP datacenter is located in Melbourne and hosts a complex networked system that integrates the enterprise network with the Internet. All workstations (desktops) run Microsoft Windows 10 (32-bit and 64-bit) and Microsoft Internet Explorer 11 (IE 11). An Oracle database server, an Apache web server and Microsoft Exchange Server (for email) are used. Information systems for document management (DMS), e-Discovery tools, and software tools for case management, calendar and scheduling, and CRM, among others, are used. Oracle E-Business Suite (Oracle Human Resources, Oracle General Ledger, etc.) is used for maintaining and processing all information (e.g., athlete client contact details, administrative records and personnel records). The last patch update was applied on 1 January 2020. The database holds approximately two million sports data documents, four million administrative records, 200K personnel records and 500K athlete client contact details. The cybersecurity management team deploys state-of-the-art cybersecurity controls (firewalls, antivirus products, intrusion detection systems and multi-factor authentication) to safeguard the business-critical and privacy-sensitive information.
The following is a partial risk appetite statement of Patterson Sports Performance:
- The company has very low appetite for the loss of, unauthorized or accidental disclosure of sensitive data including privileged and personal information.
- The company has very low appetite for risks that harm its reputation.
- The company has very low appetite for violating corporate ethics policy and professional ethics.
- The company has very low appetite for outages of systems that support critical business functions.
- The company has moderate appetite for excellence and innovation using technology.
1 Asset identification
In this section, you will identify the assets, determine their values (worth) and prioritise them. Use the following asset inventory table as a template to record the collected information.
| Asset Name | Asset Type | Department | Value | Priority |
Asset inventory: Identify one asset from each department (e.g., one information asset from the marketing department, one knowledge asset from the legal department, etc.), add it to the above table and provide a brief rationale for selecting the asset.
Asset valuation: Use the cost-based approach or the market value-based approach to calculate the relative value of the selected assets. You must justify any assumptions you make.
Asset prioritisation: Use the weighted factor analysis (WFA) worksheet to prioritise the four assets. Here you must choose three or four impact factors that are different from the ones discussed in class. Provide a rationale for selecting the impact factors. You must include the weighted factor analysis worksheet table here as well.
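Worked example of the WFA calculation, added here as an illustration and not part of the SIT284 brief. The factor names, weights (which must total 100) and the 0.1 to 1.0 scores for the four assets are constructed assumptions; a team has to choose and justify its own, and the validation on the weight total is the check that catches the most common worksheet mistake.

```python
# Weighted factor analysis (WFA) for asset prioritisation.
# Added example for this brief, not part of the SIT284 material. The factor
# names, weights and scores below are constructed illustrations; a team must
# choose and justify its own.

from typing import Dict, List, Tuple

# Impact factors with weights that must sum to 100 (textbook WFA convention,
# assumed here). Names are placeholders for the factors a team selects.
WEIGHTS: Dict[str, int] = {
    "regulatory_exposure": 40,   # legal/privacy consequences of compromise
    "revenue_dependency": 35,    # share of income-generating work that stops
    "recovery_effort": 25,       # time and cost to rebuild after loss
}

# Each asset is scored 0.1 (negligible) to 1.0 (critical) on every factor.
ASSETS: Dict[str, Dict[str, float]] = {
    "Athlete client contact details (BD)": {
        "regulatory_exposure": 1.0, "revenue_dependency": 0.8, "recovery_effort": 0.6},
    "Client contract archive (Legal)": {
        "regulatory_exposure": 0.9, "revenue_dependency": 0.6, "recovery_effort": 0.8},
    "Campaign analytics (Marketing)": {
        "regulatory_exposure": 0.3, "revenue_dependency": 0.5, "recovery_effort": 0.4},
    "General ledger (Finance)": {
        "regulatory_exposure": 0.7, "revenue_dependency": 0.9, "recovery_effort": 0.9},
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject weight sets that do not total 100; a bad total silently skews every score."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must sum to 100, got {total}")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Sum of (factor score x factor weight) for one asset; 100 is the maximum."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for {sorted(missing)}")
    for factor, value in scores.items():
        if not 0.1 <= value <= 1.0:
            raise ValueError(f"{factor} score {value} outside 0.1-1.0")
    return round(sum(scores[f] * weights[f] for f in weights), 2)


def prioritise(assets: Dict[str, Dict[str, float]],
               weights: Dict[str, int]) -> List[Tuple[str, float, int]]:
    """Return (asset, weighted score, priority rank); rank 1 is protected first."""
    validate_weights(weights)
    scored = sorted(((name, weighted_score(s, weights)) for name, s in assets.items()),
                    key=lambda item: item[1], reverse=True)
    return [(name, score, rank) for rank, (name, score) in enumerate(scored, start=1)]


if __name__ == "__main__":
    for name, score, rank in prioritise(ASSETS, WEIGHTS):
        print(f"{rank}. {name}: {score}")
```

With these constructed scores the contact-details database (83.0) edges out the general ledger (82.0), which shows why the rationale for each weight matters: a small change to the regulatory weight flips the top two.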
2 Threat and Vulnerability Analysis
- In this task, you will create a threats-vulnerabilities-assets (TVA) worksheet. For each asset in the asset inventory table, identify the three most probable threats and the three most probable vulnerabilities (all different). Provide a brief description of how the threats and vulnerabilities you selected are linked to the specific asset, and of the methods used to identify them.
| Asset 1 | Asset 2 | Asset 3 | Asset 4 |
- For each threat you identified above, identify the three most probable threat agents. Determine the appropriate set of factors (size, skill, motive and opportunity) for each selected threat agent, add it to the 'threat agents table' below and justify why you chose those threat agents and that set of factors.
| Threat | Threat Agent | Threat Agent Factors |
- For each vulnerability you identified above, determine the appropriate set of factors (ease of discovery, ease of exploit, awareness and intrusion detection), add it to the 'vulnerability table' and justify why you chose that set of factor values for the vulnerability.
| Asset | Vulnerability Name | Vulnerability factors: Ease of discovery | Ease of exploit | Awareness | Intrusion detection |
3 Estimating risk
In this section, you will estimate the risks for the assets and rate them. Use the following as a template to record the results.
| Asset Name | Vulnerability | Threat | Risk Likelihood | Risk Impact | Risk Rating | Priority |
Example row (as given in the template): Laptop, Loss, Theft, 2.4 (Low), 2.9 (Low), 2.2 (Low), 2.8 (Low), Low.
Compute the risk likelihood, the risk impact and the risk level. You must justify and show your work step by step, and include all the formulas required to arrive at your answer.
- Justify and support your choice of the values for the factors used to estimate the risk likelihood and the impact of the risk.
- For each risk rating computed, provide a brief explanation of why you assigned the rating to the risk. Also explain the approach you followed to prioritize the risks.
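Worked example of the likelihood, impact and rating calculation behind the section 2 factor tables and the section 3 risk table, added as an illustration and not part of the SIT284 brief. It assumes the OWASP Risk Rating Methodology's 0-9 factor scale and severity matrix (the threat agent and vulnerability factor names in section 2 are the OWASP ones, and the sample row's "2.4 (Low)" fits that scale), and that the business impact factors drive the impact score. The two scenarios, their factor values and the vulnerability labels are constructed, not facts about PSP.

```python
# Risk likelihood, impact and rating from the factor tables in sections 2 and 3.
# Added example for this brief, not part of the SIT284 material. It assumes the
# OWASP Risk Rating Methodology's 0-9 scale, which the factor names in the brief
# match; all factor values below are constructed, not taken from the case study.

from typing import Dict, List, Sequence, Tuple

LOW, MEDIUM, HIGH = "Low", "Medium", "High"

# OWASP overall severity matrix: (likelihood level, impact level) -> severity.
SEVERITY: Dict[Tuple[str, str], str] = {
    (LOW, LOW): "Note",   (MEDIUM, LOW): LOW,       (HIGH, LOW): MEDIUM,
    (LOW, MEDIUM): LOW,   (MEDIUM, MEDIUM): MEDIUM, (HIGH, MEDIUM): HIGH,
    (LOW, HIGH): MEDIUM,  (MEDIUM, HIGH): HIGH,     (HIGH, HIGH): "Critical",
}


def level(score: float) -> str:
    """Map a 0-9 score to Low (<3), Medium (3 to <6) or High (6-9)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    if score < 3:
        return LOW
    if score < 6:
        return MEDIUM
    return HIGH


def mean_factor(factors: Dict[str, int]) -> float:
    """Average of factor values, rejecting anything off the 0-9 integer scale."""
    if not factors:
        raise ValueError("no factors supplied")
    for name, value in factors.items():
        if not (isinstance(value, int) and 0 <= value <= 9):
            raise ValueError(f"{name}={value} is not an integer in 0-9")
    return sum(factors.values()) / len(factors)


def likelihood(threat_agent: Dict[str, int], vulnerability: Dict[str, int]) -> float:
    """Likelihood = average of all threat-agent and vulnerability factors together."""
    combined = {f"threat_agent.{k}": v for k, v in threat_agent.items()}
    combined.update({f"vulnerability.{k}": v for k, v in vulnerability.items()})
    return mean_factor(combined)


def rate_risk(asset: str, vulnerability: str, threat: str,
              threat_agent: Dict[str, int], vuln_factors: Dict[str, int],
              business_impact: Dict[str, int]) -> Dict[str, object]:
    """One row of the section 3 risk table, with the numbers behind each rating."""
    lik = likelihood(threat_agent, vuln_factors)
    imp = mean_factor(business_impact)   # assumption: business impact drives the rating
    severity = SEVERITY[(level(lik), level(imp))]
    return {"asset": asset, "vulnerability": vulnerability, "threat": threat,
            "likelihood": round(lik, 2), "likelihood_level": level(lik),
            "impact": round(imp, 2), "impact_level": level(imp),
            "risk_rating": severity}


def prioritise(rows: Sequence[Dict[str, object]]) -> List[Dict[str, object]]:
    """Order rows for treatment: by severity band, then by likelihood x impact."""
    order = {"Critical": 4, HIGH: 3, MEDIUM: 2, LOW: 1, "Note": 0}
    return sorted(rows, key=lambda r: (order[r["risk_rating"]],
                                       r["likelihood"] * r["impact"]), reverse=True)


# Constructed inputs: a likelihood that lands in the Medium band both times,
# so only the impact score separates the two ratings.
CONTACTS = rate_risk(
    "Athlete client contact details", "Excessive access privileges", "Insider misuse",
    threat_agent={"skill": 6, "motive": 9, "opportunity": 4, "size": 6},
    vuln_factors={"ease_of_discovery": 3, "ease_of_exploit": 3,
                  "awareness": 4, "intrusion_detection": 3},
    business_impact={"financial": 7, "reputation": 9, "non_compliance": 7, "privacy": 9})

LAPTOP = rate_risk(
    "Staff laptop", "Loss", "Theft",
    threat_agent={"skill": 1, "motive": 4, "opportunity": 7, "size": 9},
    vuln_factors={"ease_of_discovery": 7, "ease_of_exploit": 5,
                  "awareness": 6, "intrusion_detection": 8},
    business_impact={"financial": 1, "reputation": 2, "non_compliance": 2, "privacy": 3})

if __name__ == "__main__":
    for row in prioritise([LAPTOP, CONTACTS]):
        print(row)
```

The contact-details scenario averages 4.75 (Medium likelihood) against 8.0 (High impact) and rates High; the laptop averages 5.875 (also Medium) against 2.0 (Low impact) and rates Low. That is the justification step the brief asks for: each rating is traceable to the factor values, and the `level` check rejects any factor outside the 0-9 scale before it can distort an average.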
4 Risk Treatment Strategy
This section involves the identification and selection of appropriate risk treatment strategies for managing the risks identified in the previous section. Note that selecting the most appropriate risk treatment option involves considering the organisation's risk appetite and the residual risk, as well as balancing the costs and effort of implementation against the benefits derived. Use the following template to record the results.
| Risk | Treatment | Residual risk | Cost-Benefit Analysis (CBA) |
- For each risk, select a security control and briefly describe how the selected security control sufficiently reduces the risk to a desired level. You need to research online to address this question. As you perform research, make sure that you collect certain parameters and values (e.g., the amount of risk mitigated by the control) about the selected security control. This information will be useful to determine if the new security control you propose is worthwhile to use.
- For each risk, perform a cost-benefit analysis (CBA) to determine whether the benefit of implementing the security control outweighs the cost of protecting the asset against the risk. From online sources, you will need to collect statistics on parameters such as the frequency with which a threat (you identified threats in section 2) is expected to occur in a particular year and the percentage of the asset value lost due to the security incident. Briefly explain why you think the values you collected correspond to the particular threat. You must justify and show your work step by step, and include all the formulas required to arrive at your answer.
- For each risk, determine the residual risk and the appropriate treatment strategy. Provide a brief explanation of why you consider the treatment strategy you selected is appropriate for managing the risk.
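Worked example of the CBA and residual-risk calculation the two points above ask for, added as an illustration and not part of the SIT284 brief. It uses the standard annualised loss expectancy formulas (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE before the control minus ALE after it minus the annual cost of the safeguard) and treats the post-control ALE as the residual risk in dollar terms. The asset value, exposure factors, rates of occurrence and control costs are constructed assumptions, not figures from the case study or from any published statistic.

```python
# Cost-benefit analysis (CBA) and residual risk for a proposed control.
# Added example for this brief, not part of the SIT284 material. Uses the
# standard annualised loss expectancy formulas; every dollar figure and rate
# below is a constructed assumption, not a value from the case study.

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV, dollars
    exposure_factor: float    # EF, fraction of AV lost per incident (0-1)
    aro: float                # annualised rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def cba(before: Scenario, after: Scenario, annual_cost_of_safeguard: float) -> dict:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    ale_prior, ale_post = before.ale(), after.ale()
    value = ale_prior - ale_post - annual_cost_of_safeguard
    return {
        "ale_prior": ale_prior,
        "ale_post": ale_post,            # residual annual loss expectancy
        "acs": annual_cost_of_safeguard,
        "cba": value,
        "worthwhile": value > 0,
        # share of the annual expected loss the control removes
        "risk_reduction_pct": round(100 * (1 - ale_post / ale_prior), 1) if ale_prior else 0.0,
    }


# Constructed scenario: an information asset valued at $2,000,000 (AV) that
# loses 25% of its value per incident, with an incident expected every two years.
BEFORE = Scenario(asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
# The control lowers both the damage per incident (EF) and how often it happens (ARO).
AFTER = Scenario(asset_value=2_000_000, exposure_factor=0.05, aro=0.2)

# Same control, two different annual price tags: only one of them is worth buying.
CHEAP_CONTROL = cba(BEFORE, AFTER, annual_cost_of_safeguard=60_000)
EXPENSIVE_CONTROL = cba(BEFORE, AFTER, annual_cost_of_safeguard=300_000)

if __name__ == "__main__":
    for label, result in (("cheap", CHEAP_CONTROL), ("expensive", EXPENSIVE_CONTROL)):
        print(label, result)
```

Before the control the ALE is $250,000 a year; after it, $20,000 (the residual risk). At $60,000 a year the control yields a CBA of $170,000 and should be adopted; at $300,000 a year the CBA is negative, so mitigation at that price is not justified and another treatment (transfer, acceptance, or a cheaper control) has to be argued against the risk appetite statement instead.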
5 What do I do now?
- In your designated team:
- Start collecting and researching information.
- Think creatively and brainstorm.
- Write your report.
- Look at the assessment rubric and the unit learning outcomes to ensure that you understand what you are being assessed (and marked) on.
- Complete the self and peer assessment via Feedback Fruits.
- Referencing, plagiarism and collusion
Any work that you submit for assessment must be your own work (and in this case your team's work). Please note that this unit has systems in place to detect plagiarism and all submissions are submitted to this system. Submitting work, in whole or in part, that is copied or paraphrased from other authors (including students), without correct acknowledgement, is considered one of the most serious academic offences. This practice is equivalent to cheating in examinations and it may lead to expulsion from the University. For further information, you should refer to Regulation 4.1(1), Part 2—Academic Misconduct, via (Current university legislation). Please note that these regulations are not intended to discourage group work and the exchange of views and information with other students and staff. Such interaction is most desirable, provided that you ultimately write your own answers and acknowledge any quoted sources. We see responsible attitudes to plagiarism as part of general good ethical practice. Ensure you have familiarised yourself with the rules and regulations on plagiarism and collusion.
Referencing: at least 3 references (extra to the page limit). Use Harvard style referencing in your report.