Task
back to topAssignment Two is comprised of two parts and your report should be no more than 5 pages excluding the cover page, table of contents and references.
Part One
Plan, Develop and Manage a Security Policy (10 marks)
Background:
Consider that the Commonwealth Government of Australia is planning to launch ‘My Health Record’ a secure online summary of an individual’s health information. The system is available to all Australians, My Health Record is an electronic summary of an individual’s key health information, drawn from their existing records and is designed to be integrated into existing local clinical systems.
The ‘My Health Record’ is driven by the need for the Health Industry to continue a process of reform to drive efficiencies into the health care system, improve the quality of patient care, whilst reducing several issues that were apparent from the lack of important information that is shared about patients e.g. reducing the rate of hospital admissions due to issues with prescribed medications. This reform is critical to address the escalating costs of healthcare that become unsustainable in the medium to long term.
Individuals will control what goes into their My Health Record, and who is allowed to access it. An individual’s My Health Record allows them and their doctors, hospitals and other healthcare providers to view and share the individual’s health information to provide the best possible care.
The 'My Health Record' is used by various staff such as System Administrator, Doctor, Nurse, Pathologist and Patient. In order to convey and demonstrate the rules and regulations to the users of this system, Commonwealth Government of Australia needs a security policy.
You are employed as the Security Advisor for the organisation. The task that is handed to you by the Chief Information Officer now is to create, develop and manage "System Access Security Policy" for atleast any 3 users of the system.
Complete the following in your security policy:
- Plan System Access Security Policy
- Develop System Access Security Policy
- Manage System Access Security Policy
Part Two
Conducting a Risk Assessment (10 marks)
You will be given a list of organisation in week 3 by your lecturer and you can select any one organisation from them. The organisation uses various IT systems for its daily operations. Assume that you are appointed as an IT Systems Auditor for the chosen organisation and you are asked to provide a risk register must come up for the IT systems in the organisation.
- A brief introduction of the organisation and the IT systems
- Identify and explain any major risk in the IT systems components
- Discuss the consequences of the risk
- Inherent risk assessment,that is the assessed, raw/ untreated risk inherent in a process or activity without doing anything to reduce the likelihood or consequence
- Mitigate the risk
- Residual risk assessment,that is the assessed, risk in a process or activity in terms of likelihood and consequence after controls are applied to mitigate the risk.
- Create a Risk Register based on the risks identified in the IT systems and prioritise of the risk using a standardised framework such as the ANSI B11.0.TR3 Risk Assessment Matrix
Given the fact there is no clear prioritisation framework NOR risk appetite framework, the risk register is your professional assessment of the likelihood and consequence of the risks you identify. When preparing your risk register you should think carefully about the assets the chosen organisation may have and how these may be compromised from the perspective of Information Security.
Rationale
back to topThis assessment task will assess the following learning outcome/s:
- be able to justify the goals and various key terms used in risk management and assess IT risk in business terms.
- be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach.
- be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk.
- be able to critically evaluate IT security risks in terms of vulnerabilities targeted by hackers and the benefits of using intrusion detection systems, firewalls and vulnerability scanners to reduce risk.
Marking criteria and standards
back to topAll parts in this assessment task will be evaluated against the following criteria:
PartOne:Plan, Develop and Manage a Security Policy (10 marks)
Criteria |
HD |
DI |
CR |
PS |
FL |
|---|
1. Plan System Access Security Policy
Maximum 2 Marks
|
Well planned and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials. |
Well planned and documented for system access security policy, but, there are few minor errors in the planning and it does not make much impact. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic. Evidence of having read beyond the core materials.
|
Planned and documented for system access security policy, but, there are minor errors in the planning and it does not make much impact for the organisation. Demonstrates thorough understanding of material presented in core texts and readings.
|
Planned and documented for system access security policy, but, there are minor errors in the planning and it will impact for the organisation. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Poor planned and documented for system access security policy and major errors in the planning and it will impact for the organisation. Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
2. Develop System Access Security Policy
Maximum 3 Marks
|
Well developed and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.
|
Well developed and documented for system access security policy, but, there are few minor errors in the developing and it does not make much impact. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic. Evidence of having read beyond the core materials.
|
Developed and documented for system access security policy, but, there are minor errors in the developing and it does not make much impact for the organisation.Demonstrates thorough understanding of material presented in core texts and readings.
|
Developed and documented for system access security policy, but, there are minor errors in the developing and it will impact for the organisation. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Poor developed and documented for system access security policy and major errors in the developing and it will impact for the organisation.
Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
3. Manage System Access Security Policy
Maximum 3 Marks
|
Well managed and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.
|
Well managed and documented for system access security policy, but, there are few minor errors in the managing and it does not make much impact. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic. Evidence of having read beyond the core materials.
|
Managed and documented for system access security policy, but, there are minor errors in the managing and it does not make much impact for the organisation.Demonstrates thorough understanding of material presented in core texts and readings. |
Managed and documented for system access security policy, but, there are minor errors in the managing and it will impact for the organisation. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Poor managed and documented for system access security policy and major errors in the managing and it will impact for the organisation.
Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
4. Presentation, Writing Style, Grammar and References
Maximum 2 Marks
|
Highly developed skills in expression and presentation of response.
Fluent writing style appropriate to assessment task. Grammar and spelling accurate. Well organised.
|
Well-developed skills in expression and presentation of response. Fluent writing style appropriate to assessment task. Grammar and spelling accurate. Well organised. Evidence of having read beyond the core materials.
|
Good skills in expression and clear presentation of response. Mostly fluent writing style appropriate to assessment task.
Grammar and spelling accurate.Demonstrates thorough understanding of material presented in core texts and readings. |
Some skills in expression and presentation of response.
Meaning apparent but writing style not always fluent or well organised. Grammar and spelling contain errors. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Rudimentary skills in expression and presentation of response.
Not all material is relevant and/or is presented in a disorganised manner. Meaning apparent but writing style not fluent or well-organised, Grammar and spelling contain errors. Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
Part Two:Conducting a Risk Assessment (10 marks)
Criteria |
HD |
DI |
CR |
PS |
FL |
|---|
1. Identify and Explain the Major Risks
Maximum 2 Marks
|
Well identified and well explained the Major Risks. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials. |
Well identified and explained the major risks, but, 1 is a minor risks in the organisation. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic. Evidence of having read beyond the core materials.
|
Identified and explained the risks, but, 2-3 are minor risks in the organisation. Demonstrates thorough understanding of material presented in core texts and readings.
|
Identified and explained the risks, but, 4-5 are minor risks in the organisation. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Poor identification of risks and explained which are not relevant for organisation. Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
2. Risk Assessment
Maximum 3 Marks |
Well documented with consequences, mitigate and reduce likelihood of risks. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.
|
Well documented with consequences, mitigate and reduce likelihood of risks, but a risk is not major. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic. Evidence of having read beyond the core materials.
|
Documented with consequences, mitigate and reduce likelihood of risks, but 2-3 risks are not major. Demonstrates thorough understanding of material presented in core texts and readings.
|
Documented with consequences, mitigate and reduce likelihood of risks, but, 4-5 risks are not major. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Poor documentation with consequences, mitigate and reduce likelihood of risks.
Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts.
|
3. Risk Register
Maximum 3 Marks |
Created a very good risk register with all the required components. Evidence of having researched/read more widely beyond the core materials.
|
Created a very good risk register with all the required components but a risk is not major. Evidence of having read beyond the core materials.
|
Created a very good risk register with all the required components but 2-3 risks are not major.Demonstrates thorough understanding of material presented in core texts and readings. |
Created a very good risk register with all the required components but 4-5 risks are not major. Demonstrates evidence of having read material presented in core texts and readings. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Created a very poor risk register with not any major risks and no evidence is provided.
|
4. Presentation, Writing Style, Grammar and References
Maximum 2 Marks
|
Highly developed skills in expression and presentation of response.
Fluent writing style appropriate to assessment task. Grammar and spelling accurate. Well organised.
|
Well-developed skills in expression and presentation of response. Fluent writing style appropriate to assessment task. Grammar and spelling accurate. Well organised. Evidence of having read beyond the core materials.
|
Good skills in expression and clear presentation of response. Mostly fluent writing style appropriate to assessment task.
Grammar and spelling accurate.Demonstrates thorough understanding of material presented in core texts and readings. |
Some skills in expression and presentation of response.
Meaning apparent but writing style not always fluent or well organised. Grammar and spelling contain errors. However literature is presented uncritically in a purely descriptive manner. Content acknowledged but not really taken into account.
|
Rudimentary skills in expression and presentation of response.
Not all material is relevant and/or is presented in a disorganised manner. Meaning apparent but writing style not fluent or well-organised, Grammar and spelling contain errors. Demonstrates very little evidence of having read material presented in core texts and readings. Inaccurate or inconsistent acknowledgement of sources. Limited knowledge of key principles and concepts. |
Presentation
back to topWhen submitting your assignment be sure to meet the following presentation requirements: