Cybersecurity Risk Management Plan - Assignment 2 2020 (CSE1ICB)

I had attached the files.



CSE1ICB Assignment 2: Cybersecurity Risk Management Plan (2020)

You are an entrepreneur looking to start a new IT business. You must imagine you are about to start a new IT business. Before submitting your application to register your business, you also need to submit a cybersecurity risk management plan for your business. The purpose of this plan is to protect your intellectual property and financial data, meet regulatory requirements, and create confidence for clients that you are treating the security of their data seriously. Your plan should be simple (easy to understand), but also dynamic, as you may change systems as the business progresses in the coming years. (You can use the CANSO case study provided on the LMS as a reference.)

1. Preparation for risk analysis [Total 30 marks]
   a. Set scope and focus [15 marks]
   b. Describe the overall goal and target of analysis (e.g., put the diagram that shows the interaction of users and IT systems) [15 marks]

2. High level analysis [Total 40 marks]
   a. Identify involved parties (e.g. company XYZ) [10 marks]
   b. Identify assets (e.g. customer database, customer satisfaction) [10 marks]
   c. Draw a relationship between assets. For example, the asset diagram of an auto part company is depicted below. [10 marks]
   d. List initial threats in the following format [10 marks]

      Cause of the threat (who? or what?)   What may happen (risk)?      Enabler
      e.g. Hacker                           Extract customer database    Through SQL injection

3. Likelihood, consequence scale, risk function and evaluation criteria [30 marks]

   3.1. Likelihood (certain, likely, possible, unlikely, rare) [10 marks]

      Likelihood     Description
      e.g. certain   10 times per year or a significant number of similar occurrences already on record

   3.2. Consequence scale (hint: catastrophic, serious, moderate, minor, insignificant) [10 marks]

      Consequence         Description
      e.g. Catastrophic   Range of 65% affected or downtime in range of [1 month, 1 year] or the ICT director has been jailed

   3.3. Risk function and evaluation criteria [10 marks]

      This table is for each asset.

      Risk function (e.g. for customer database)

      Consequence / Likelihood   Insignificant   Minor   Moderate   Serious   Catastrophic
      Rare
      Unlikely
      Possible
      Likely
      Certain

      Shade: green for "acceptable", yellow for "monitor" and red for "need to be treated".

Assignment due date: before 14th May 2020, 11.00 pm.

How to submit: After Turnitin submission, submit your final file into the Assignment 2 folder in your CSE1ICB before the due date and time. This assignment is worth 20%, and the presentation is 5%. Please NOTE we will not mark your assignment without the presentation. The assignment presentation will be conducted during your laboratory timings (details will be posted on the LMS). Each student is allocated 10 mins to present their assignment work. Your presentation will also be marked for 5%.

CANSO Cyber Security and Risk Assessment Guide
Civil Air Navigation Services Organisation
Published June 2014

© Copyright CANSO 2014. All rights reserved. No part of this publication may be reproduced, or transmitted in any form, without the prior permission of CANSO. This paper is for information purposes only. While every effort has been made to ensure the quality and accuracy of information in this publication, it is made available without any warranty of any kind. www.canso.org

Contents
1 Introduction, page 4
2 Cyber Threats and Risks, page 5
3 Motives and Methods, page 6
4 Cyber Assets, page 10
5 Cyber Security in ATM, page 13
6 Managing Cyber Risks, page 16
7 Conclusions and Recommendations, page 17
8 Appendix A - International Standards, page 20
   A.1 ISO 27000 - Series of standards, page 20
   A.2 ISO 27005 - Information security risk management (ISRM), page 21
   A.3 NIST Cybersecurity Framework, page 22
9 Appendix B - Risk Assessment Methodology, page 25
   B.1 Overview, page 25
   B.2 Threats and vulnerabilities, page 26
   B.3 Dealing with the human threat, page 29
   B.4 Consequence of risk occurring, page 31
   B.5 Likelihood of risk occurring, page 32
   B.6 Assessment of the level of risk and risk tolerance, page 32
   B.7 Sample risk assessment tables, page 34
   B.8 Treatment recommendations, page 46
10 Sources, page 47

Purpose of this document

The purpose of this document is to provide air navigation service providers with an introduction to cyber security in air traffic management, including the cyber threats and risks and motives of threat actors, as well as some considerations to managing cyber risks and implementing a cyber security programme. The appendices include information on standards and a framework for cyber security, and some practical guidance to conducting a cyber risk assessment, a recommended first step to understanding and managing the cyber security risks to systems, assets, data and capabilities in ATM.

1 Introduction

The current trend in air traffic management (ATM), both at the international level as well as within individual air navigation service providers (ANSPs), is toward increased sharing of information and creating a common situational awareness for a wide spectrum of aviation stakeholders. While this enhances the efficiency of operations and raises productivity, it also opens up the potential for cyber attack. And the vulnerabilities are only growing, because current and next generation systems, like NextGen and SESAR, demand more information sharing through increased use of commercially available information technology, shared network and computing infrastructures, and network-centric architectures and operations.

Unlike in the past, information sharing in the future ATM system will not be limited to point-to-point communications; it will also utilise open systems architecture and internet-based flow of information. We are seeing a trend towards increased use of existing technologies, growing interoperability among systems, and use of automation to improve productivity. This trend is not unique to ATM; most industries are applying information technology to improve the efficiency of existing operations as well as to enable new modes of operation. Benefits are achieved by allowing information to be rapidly shared among humans and systems, wherever and whenever it is needed.

Unfortunately, these benefits come with risks. Increased use of information technology means greater exposure to cyber attack. The threat is both very real and very serious. ANSPs must develop and execute security strategies and plans to ensure continued mission operations despite this threat. If we are to transform global ATM performance and achieve safe, efficient, and seamless airspace globally, the global ATM system must meet clear security requirements and expectations. The Global Air Traffic Management Operational Concept (ICAO Doc. 9854) speaks to this and defines the security expectation of an integrated, interoperable and globally harmonised ATM system as:

"…the protection against threats that stem from intentional acts (e.g. terrorism) or unintentional acts (e.g. human error, natural disaster) affecting aircraft, people or installations on the ground. Adequate security is a major expectation of the ATM community and of citizens. The ATM system should therefore contribute to security, and the ATM system, as well as ATM-related information, should be protected against security threats. Security risk management should balance the needs of the members of the ATM community that require access to the system, with the need to protect the ATM system. In the event of threats to aircraft or threats using aircraft, ATM shall provide the authorities responsible with appropriate assistance and information."

2 Cyber Threats and Risks

The US Department of Homeland Security has defined a cyber threat as "any identified effort directed toward access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or a federal system, without lawful authority." A cyber threat can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources, including: foreign nations engaged in espionage and information warfare; criminals; hackers; virus writers; and disgruntled employees and contractors working within an organisation.

Unintentional threats can be caused by inattentive or untrained employees, software upgrades, maintenance procedures and equipment failures that inadvertently disrupt computer systems or corrupt data. Intentional threats include both targeted and non-targeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A non-targeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target.

Repeatedly identified as the most worrisome threat is the "insider", someone who has authorised and legitimate access to a system or network. Other malefactors may make
Answered same day. May 08, 2021. CSE1ICB, La Trobe University.
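A worked example of the section 3 risk function, added here as an illustration and not part of the assignment or the CANSO guide: it takes the prompt's two ordinal scales, rates each row of a section 2.d-style threat list, fills the 5x5 evaluation table and orders the red-band threats for treatment. The scoring rule (product of the two ranks) and the band thresholds are assumptions, and the sample threats are constructed apart from the prompt's own hacker / SQL injection row.

```python
"""Risk register for a likelihood x consequence evaluation (assignment section 3)."""
from dataclasses import dataclass

# Ordinal scales as named in the assignment prompt, lowest first
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "serious", "catastrophic"]

# Assumed risk function: product of the two ranks (1..25). The band limits are an
# assumption too; the prompt only names the bands acceptable / monitor / treat.
ACCEPT_MAX, MONITOR_MAX = 4, 12


@dataclass
class Threat:
    asset: str
    cause: str        # who or what (section 2.d column 1)
    risk: str         # what may happen (column 2)
    enabler: str      # how it becomes possible (column 3)
    likelihood: str
    consequence: str


def risk_score(likelihood: str, consequence: str) -> int:
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def evaluate(likelihood: str, consequence: str) -> str:
    score = risk_score(likelihood, consequence)
    if score <= ACCEPT_MAX:
        return "acceptable"          # green
    if score <= MONITOR_MAX:
        return "monitor"             # yellow
    return "need to be treated"      # red


def risk_matrix() -> dict:
    """The 5x5 table of section 3.3: rows are likelihood, columns are consequence."""
    return {lk: {cq: evaluate(lk, cq) for cq in CONSEQUENCE} for lk in LIKELIHOOD}


def treatment_queue(threats: list) -> list:
    """Threats in the red band, highest score first, i.e. the order to treat them."""
    red = [t for t in threats if evaluate(t.likelihood, t.consequence) == "need to be treated"]
    return sorted(red, key=lambda t: risk_score(t.likelihood, t.consequence), reverse=True)


# Constructed sample register; the first row is the prompt's own example threat.
SAMPLE = [
    Threat("customer database", "hacker", "extract customer database", "SQL injection", "possible", "catastrophic"),
    Threat("customer database", "untrained employee", "accidental deletion", "no tested backups", "likely", "serious"),
    Threat("company website", "opportunistic attacker", "defacement", "unpatched CMS", "unlikely", "minor"),
]
```

Changing the two thresholds is the risk-tolerance decision the CANSO appendix B.6 refers to; the register and the coloured table update accordingly.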


Shikha answered on May 13 2021
Assignment 2
Introduction

Air Traffic Management, i.e. ATM, is about to share the company's details either internationally or with individual air navigation service providers. As the company is increasing technical use within the organization, there are chances for a cyber attack in the organization. The increase in technicality will result in an increase in the efficiency of operations and will also increase productivity.
Risk Analysis
Scope
The scope of doing risk management is to develop a risk plan for ATM by analyzing the main risks of the organization. The security plan will provide access to the ATM and at the same time will secure the ATM system against any external vulnerability.
Focus
The main focus of the risk assessment plan is to protect ATM against threats that can arise from intentional acts like terrorism or any unintentional act like human error, or in the case of a catastrophic event.
Interaction of System with User
High Level Analysis
Involved Party
Air Navigation Service Provider (ANSP).
Assets
    Asset    Category
    Engineers    People
    Analysts    People
    Handlers    People
    Flight Planning    Process
    Flight...