Need to get a good score
CMP71001 Cybersecurity Final Assessment Case Study

You have just been appointed to be the Chief Information Security Officer (CISO) for The University of the Sunshine State (USS). You and your team are based in Australia.

1. Introduction

You have just been appointed to be the CISO for USS. You and your team are based in Australia. Whilst USS has been in existence for many years, the new Australian campuses are just being established and are expected to be fully operational for enrolling students by the end of 2021. Due to the “fluid” nature of the Covid-19 pandemic, USS knows that at any time it may be delivering all units online, and that the cyber risk landscape has changed. The threat of cyber-attacks is ever present, and the need to secure electronic data, online transactions and billing services, student and employee data, and communications with students and stakeholders is paramount. USS recognises the need to develop correct cyber security systems for the organisation's protection. It is aware that it needs to improve its cyber security posture and develop the correct people, process and technology approaches to successfully compete in the marketplace and mitigate possible threats.

2. Aim and Scope

The results of a preliminary USS audit are given in this document. Several questions were asked of the organisation to help scope how it initially views cyber security, and how it is organising internally by assigning responsibilities and allocating staff and budget. Comments are made at a high level and are purposely general in nature, to help identify concepts that may be of use to you as CISO. The information presented is designed for you to make decisions that you will need to justify based on your learning and understanding of the underlying concepts.

3. Organisation Description

Question: Describe your organisation in terms of the goods/services that are available, number of ‘seats’ (employees), and number of offices in Australia.

Organisation comment: “We will be offering units at both undergraduate and postgraduate level across four faculties (Faculty of Business, Law and Arts, Faculty of Education, Faculty of Health, Faculty of Science and Engineering) in both on-campus (Covid health guidelines permitting) and online formats. The estimation of staff numbers we have for our Australian campuses is 2700 in total. We will have campuses in all capital cities in Australia.”

4. Attack history and motivation

Question: Has the organisation previously had any history of cyberattacks?

Organisation comment: “Distributed DDoS attack (was caught up in the 2016 Dyn attack), multiple phishing attacks ranging in sophistication, ransomware attack (two weeks ago)”

Question: Why is your organisation implementing cybersecurity?

Organisation comment: “Driving our organisation’s cyber security initiatives is the increasing awareness of the invasive nature of cyber-criminal activity against Universities. A number of high-profile incidents have involved Australian Universities. Cyber threats have imposed an elevated cyber security related risk awareness from the CIO, the organisation executives and board of directors, and legal/regulatory bodies.”

Further Consideration:

4.1 Reducing risk should be the main deliverable of the organisation's cyber security strategy and the outcome of the risk assessment decided by senior management. At a technical level, this should include the actions needed to establish and maintain an agreed level of cyber security.

4.2 USS employees, suppliers, equipment manufacturers and servicing technicians introduce a significant cyber security risk to USS' operations. As our CISO, your recent talk that cited the ‘Target’ incident was particularly important with regard to third-party risk, even though Target is a retailer. Making all stakeholders aware of, and implementing, all aspects of cyber security all the time will be a critical aspect of USS' cyber security operations.

4.3 Knowing who is using USS' network and for what purpose is important and a real concern for cyber security. Malicious intent, unintentional mistakes and poor cyber security practices are risks that need to be discovered early and addressed. Network monitoring and analysis is one way for USS to gain this capability.

4.4 There is a need for a clear policy and practical procedures for all USS employees and visitors who will use the network. The cyber security policy should clearly state acceptable-use expectations.

5. Driving Cyber Security for each campus

Question: Why is your organisation implementing cyber security in each campus?

Organisation comment: “As this is a new operation it has been decided that a centralised system is not a practical solution for cyber security and so each campus will function as a separate cyber security unit.”

Further Consideration:

5.1 There is a need to implement cyber security for all communications between campuses. The numerous transactions and interactions among staff and students make securing these communication channels essential.

5.2 USS will be using cloud services to back up data for many of its operations. Securing communications between the campuses and cloud providers, both organisation-owned and external, is essential.

6. USS' Cyber Security Organisation Administration

Question: How is your organisation addressing cyber security policies and procedures?

Organisation comment: “As part of our employment procedure, finding the correct personnel is essential. Once suitable employees are found a cyber security committee will be established. It will be responsible for the process of creating USS’ office procedures with regards to cyber security. This should become an ongoing and constantly updated procedure.”

Further Consideration:

6.1 The Board of Directors (BoD) has made cyber security a priority for the USS campuses and has tasked management to formulate a strategy, starting with a Cyber Security Committee to communicate with the BoD, study cyber security ‘best practices’, provide recommendations, and implement approved actions.

6.2 There is a depth of knowledge in the current off-shore operations, and the documentation from this will be made available to USS' committee as a basis for all strategies.

6.4 The Cyber Security Committee will have members across all campus offices who will meet regularly using online communications so that they co-ordinate best practice across all campuses.

6.5 A clear message of the organisation's policy and expectations from senior management to all USS staff and to its suppliers is critical to set an acceptable level of cyber security organisation-wide. The risk is that over time a lethargic message will lead to a weak cyber security culture.

6.6 Approval of a strategy and a budget are a must and shall be addressed at the highest management level of the organisation.

7. USS' Cyber Security Threat Prevention and Defence

Question: What are your general thoughts, and what are you doing towards cyber security prevention and defence strategies?

Organisation comment: “Part of our philosophy is to be proactive; therefore, we expect to have in place a few preventative/security measures. These should be firewalls, internet filtering, standalone servers which contain sensitive information, and security software that locks all PCs requiring 2-factor authentication (2FA) to unlock them.”

Further Consideration:

7.1 All campus managers will have basic knowledge of cyber security. We will ensure that they become more knowledgeable, and can be of great assistance, by providing proper instruction to them.

7.2 We are aware that the pace of innovation in the malware world is increasing, that zero-day exploits are common, and that a strategy relying exclusively on a perimeter defence design to filter out known threats will not be successful.

7.3 We expect to perform Penetration Tests and Vulnerability Assessments routinely across all four campuses. Combining our own assessments with assessments by experienced external cyber security experts is a ‘best practice’ and will provide a more useful evaluation.

7.5 IT investment in hardware and software updates for the office is important and must be undertaken as required. A ‘set and forget’ cyber security program based on hardware and software hardening has proven ineffective in many industries worldwide, giving a false sense of security. Cyber security is an evolving threat and requires flexibility and ongoing effort.

7.6 A program of upgrading computer systems and networks in line with hardware ‘useful life’ will be established. Additionally, unauthorised installed software is a recognised problem and a major contributor to virus and malware infections system-wide.

7.7 Unapproved software and hardware will not be permitted on USS PCs and networks, and it is expected that we will perform scheduled periodic checks as part of defence hardening and maintenance. As this is a difficult task, there will be an identified person responsible for it, with a clear process for reporting to the cyber security person in charge.

7.8 We expect to set clear and enforceable ramifications for failure to follow policy or for a malicious act, which will be included as part of the cyber security policy.

8. USS' Response

Question: Describe how a cyber security event may be handled.

Organisation comment: “The IR team will be responsible to handle a cyber security incident.”

Further Consideration:

8.1 USS should have a comprehensive cyber security contingency response plan in place, with all related response functions such as the emergency response team, initial contact procedures, and internal organisation management ownership.

8.2 A third-party support team of cyber security experts who understand how the USS network is structured and what critical systems are at risk will be established. It is recommended to develop this relationship in advance, and to understand their capabilities and scope of service. Service agreements can also be established when appropriate.

8.3 A USS security officer should be nominated to act as the ‘person in charge’, responsible for initiating and supporting the response and remediation. It is not recommended that the CISO undertakes this responsibility.

8.4 Development of a detailed emergency contingency process as part of the Cyber Security Incident Plan, including the communication and co-ordination between all four USS campus offices, is essential. Simulating an attack as a