KIT711 Data Network Security
Semester 1 - 2021
Major Assignment

KIT711 – Major Assignment

Due Dates:
Case Study – 3:00pm, 7th of May (Week 10) (5% of overall unit mark)
Consultancy Report – 3:00pm, 27th of May (Week 13) (20% of overall unit mark)

Goal
To produce a consultancy report for an SME that addresses its ICT security requirements.

Introduction
The task is to produce a consultancy report for establishing the security provisions for an organisation described in a case study. The case study will be created by the team and will be submitted several weeks prior to the remainder of the report to enable the team to receive feedback on its suitability for the assignment. The report itself will contain multiple parts, some created by the whole team, while some will be largely undertaken individually, but with input from the rest of the team.

As this assignment contains a sizable amount of team work, you will be awarded a group mark for this assignment that will be moderated by your own contribution to provide your individual mark for the assignment. The group must submit a Group Contribution Report at the end of this assignment, showing the percentage contribution of each member.

The groups for the assignment will be formed in the week 7 tutorial, and then the tutorials in weeks 8, 9, and 10 will give us time to work together on several of the activities we will need to complete as a team. Groups must consist of 4 to 5 students in the same tutorial, and we recommend you form a group with 5 students.

Case Study – due 7th of May (Week 10)
The first component of the assignment, due in week 10, is the case study. This is a 500-700 word document describing the company the team has invented for your group assignment. The company will be a small-medium sized enterprise, with somewhere between 20 and 200 employees. The turnover of the company will be greater than 2.5 million, and less than 25 million dollars.

The company can be in any industry that the team chooses. It is suggested that you try to model the company on an existing company and then make changes to create your own company. This will enable you to get a fuller picture in your minds of what the company is like, its context, and its security needs. It is suggested that the team invents a name for the company, and indeed names for key employees at the company. It is a good idea to describe the purpose of the company, the number of employees, geographical location(s), its ICT infrastructure and any specific industry-related risks to the company. It is a creative process requiring everything to be imagined to get a realistic view of the company and to understand its needs and threat profile.

Consultancy Report – due 27th of May (Week 13)
The report will have two sections: the first will contain information common to the entire report, such as the threat and risk analysis, while the second section will address specific security issues facing the company.

The first section of the report should be written by the group and should contain:
• an executive summary (500 words).
• an introduction including a description of the assumptions made and extra context for the case study (1000 words).
• a brief threat and risk analysis using a risk matrix (1000 words).
• a discussion of the security issues to be addressed (informed by the threat and risk analysis), and a list of the related security policies that address them. The policies themselves are to be included as part of the section 2 reports. Each high-level security policy should be numbered (1000 words).
Include any extra material at the end of the report as appendices.
• The appendix should contain a copy of the case study, updated with any changes made since the first submission in week 10.

The second section of the report should contain the following subsections, each written by a different group member:
• Physical Security (1500 words)
• Logical Security (1500 words)
• Data and System Security (1500 words)
• Network Security (1500 words)
• User Education and Compliance (only if the group has 5 members) (1500 words)

The content should provide an overview of how you will achieve the security goals stated in the first section of your document in the area that you are tackling, along with abridged security policies based on the format provided by the SANS Institute at https://www.sans.org/information-security-policy/. Each abridged policy should refer explicitly to a numbered security goal from the first section of your report. You will note that the SANS templates contain many different sections, but you must only provide the following sections in your abridged versions:
• Purpose: what the purpose of the policy is
• Policy: the details of the policy itself
• Policy Compliance: who is affected by the policy, and potentially how they are affected

See an example of an email policy in the required format on the last page of this assignment specification.

Submission
The submission for both the case study in week 10 and the consultancy report in week 13 will be submitted to MyLO.

Extra notes and advice
• Try to put yourselves in the position of a company trying to win the contract to implement the security services needed by the company.
• Presentation matters for this report. It should be consistent, use consistent styles within Word and be attractive to read.
• It is also expected that all individual sections will refer back to and be consistent with the assumptions, context, threat and risk analysis, security goals and the policies described in the front part of the report.
• This cross-referencing can be helped by devising a numbering scheme for the security goals and policies to which the individual sections can refer.
• The executive summary should enable an executive to decide whether to endorse the recommendations that it contains (and spend the required money), ask more questions, or dismiss the report by reading it alone. Therefore, it should include:
    • Problems addressed
    • Solutions investigated
    • Suggestions recommended.
• The introduction enables you to expand on the case study you wrote. The case study was very short, so here is where you can paint a fuller picture with assumptions about what additional needs or processes are taking place at the company that were not defined in detail before.
• Your risk analysis is key. If you don’t define and describe the company’s threat profile well, it is very hard to then write policies to defend the company. General threats can be described here, but more detail can then be given in the relevant chapter.
• You may want to create a map of the company’s physical location(s). It will be very useful in some chapters, but also helps you to discover risks that may be present.
• The security goals should be a clear statement about the level of security that needs to be achieved across the company to protect its principal assets. Policies express these security goals and standards that you have set for the organisation (the challenge in the individual sections is to show how these goals can be obtained).
• Policies should be a result of the threat and risk analysis, but also include some statements about ethics, education and training. Remember that this is a tender document, so you are providing an example of the main goals and policies only.
• The individual subsections will outline the individual recommendations for each topic. They should follow the document style and should refer to the information presented in the front part of the document.
• The Notifiable Data Breach notification legislation may be relevant to your company.

Sample Email Policy

1. Purpose: the purpose of this email policy is to ensure the proper use of the University of Tasmania’s email system and make users aware of what UTAS deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within UTAS.

2. Policy
• UTAS email accounts should be used primarily for UTAS business-related purposes; personal communication is permitted on a limited basis, but non-university related commercial uses are prohibited.
• All university data contained within an email message or an attachment must be secured according to the Data Protection Standard.
• Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct university business, to create or memorialize any binding transactions, or to store or retain email on behalf of the university. Such communications and transactions should be conducted through proper channels using university-approved documentation.
• Using a reasonable amount of university resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a university email account is prohibited.
• University employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
• UTAS may monitor messages without prior notice. The university is not obliged to monitor email messages.

3. Policy compliance
• Compliance Measurement: The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
• Exceptions: Any exception to the policy must be approved by the Infosec team in advance.
• Non-Compliance: An employee found to have violated this policy may