
COMP3371 Cyber Security
Assignment 2
Semester 1 2015/16

Words: 2000

Weighting: 50%
Learning Outcomes Assessed: 1, 4
Submission date: 14/1/2016
Module Leader: Richard Henson
Verified by: Dr. P. Moody
Electronic copy available: Blackboard Learning System and RH’s website

If anything about this assignment is not clear to you, please contact the module leader: [email protected]

Students are expected to plan their time and work to manage their overall assessment workload.

Intended Learning Outcomes

1. Critically analyse the information security issues and threats facing both users and information managers in organizations.
4. Explain the legal issues and implications with security.

Scenario


The medium-sized business Partsfix has recently had an information technology audit, at the behest of the Directors. Although no data breach has ever been reported, the audit report identifies a number of potential security flaws of a technical nature and a number of defects in procedure that could encourage bad practice in the way employees manage information. Moreover, the lack of procedures to ensure good data management suggests that Partsfix would have difficulty demonstrating that it had shown due diligence in handling customer data, and it could be regarded as being in breach of the law. The report commends the fact that Partsfix has not outsourced its IT, but is concerned that the network experiences considerable downtime, that information systems do not work together coherently, and that there is no clear schedule for managing software. If that wasn’t enough, the report suggests that the relaxed approach to security could also put Partsfix’s business partners at risk.

The CEO of Partsfix has approached you because he is naturally concerned about his organisation’s security and how best to undertake remedial action. Partsfix does have an information security policy, which was put together several years ago because someone told them that the card payment standard PCI DSS requires one. The policy was never shared across the organisation, and the CEO thinks that may have been a mistake.

The CEO sensibly asks you to start at the top (with the Information Security Policy and IT audit), and explain how the technical and management issues listed above may be dealt with, and how the organisation could turn around its customer data handling so the Information Commissioner would not be able to find them guilty of carelessness or recklessness with data.

Assignment task(s)

With regard to the scenario above, this assignment requires you to produce a report that:

1. Explains how user management of data could be improved so the employees could no longer be accused of bad practice by a neutral outsider.

2. Explains how technical management of data could be improved to ensure that internal and external network access are robustly controlled and software used on the network is appropriately utilised.

3. Provides a joined up organisational approach to information security.

4. Explains the tests that could be undertaken and used as evidence to assure supply chain partners that Partsfix is taking the security of data very seriously.

Also, by means of a 10 minute presentation, during the final timetabled session (w/c 11th January 2016) on the module schedule, you should provide a reasoned argument (with approx. costing) for Partsfix to invest in getting certification against a named Information Security standard.


The presentation will count for 10% of the total assessment mark. Your presentation materials should be included as a .pptx file with your assignment when you hand it in.

Assessment briefing

This document provides details of the assessment. There will also be an oral briefing conducted in week 3, and there is an assessment Q&A page on Blackboard.

Assessment criteria

In addition to the general points that apply to all assessed work as outlined in the Course Handbook, the following specific criteria will be used for this work:

Explanation of user data management improvements

Explanation of technical data management improvements

Arguments for a joined up organisational approach to information security

Explanation of tests to assure supply chain partners

Arguments for an information security/assurance standard

Referencing, using the Harvard system (see the link to ‘Referencing’ from http://www.worc.ac.uk/studyskills for more information.)

Grade Descriptor

A band work would be expected to be of appropriate length, include a degree of analysis and evaluation to address the assignment brief as well as including factual explanation. Typically, at least six relevant, and mostly up-to-date references should be included, and cited appropriately.

B band work would be mostly as above but lacking in one or more of the analysis, evaluation, and referencing factors. Typically, at least four relevant and mostly up-to-date references should be included, and cited appropriately.


C band work might be lacking analysis and evaluation, or lacking in factual content in one of the assessment criteria listed for this assignment. It may also be of slightly inappropriate length, and have fewer than four relevant and up-to-date references.

D band work might be lacking analysis and evaluation, or lacking in factual content in two of the assessment criteria listed for this assignment. It may have strayed considerably from the recommended word length and conventional method of referencing, but some referencing may have been included.

Specific criteria are in the Grading Matrix for this assignment attached below. You should include the grading matrix at the front of your assignment when submitting.

Assessment feedback

Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and the Assessment & Feedback section in the Module Outline).

Formative feedback opportunity

Written formative feedback is available until 3pm on Thursday 7th January 2016. You can submit up to 20% of your Word document via email with your student number, and you will receive written feedback as comments on the document itself, also via email. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this always achieve higher marks than those who don’t fully participate in the process, because they have continued to improve their work.

Handing in and return

Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday 14/1/16. Work will be returned electronically via SOLE on Thursday 11/2/16.

See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on YouTube: http://youtu.be/yAEnTkVchMg.

If for any reason the systems are down, email your work to [email protected] before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on-time submission. You can then submit to the required system when it is working again. With technology, things can sometimes go wrong; these are back-up safeguards.


Turnitin

For this assignment, please put your work through Turnitin to generate an originality report. You should include a screenshot of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screenshot, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is working properly again. Use the website submit.ac.uk. You will have to register and enrol on the class using the class ID and password below:

Class ID: 2987613
Password: computer

Technical support is available by emailing [email protected]

Late submission of work

It is essential that you submit your work in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.

Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.

Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.

For full details of submission regulations see Undergraduate Regulatory Framework at http://www.worcester.ac.uk/registryservices/documents/UndergraduateRegulatoryFramework2007entry.pdf

Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at http://www.worcester.ac.uk/registryservices/679.htm

Academic Dishonesty Warning

Please note the regulations on academic dishonesty (cheating), in particular:

  • the inclusion in your assignments of un-attributed material taken from other sources;
  • all assignments are individual unless otherwise stated in the assignment brief, so co-operation with other students that results in identical material appearing in the work of more than one student is not acceptable.

Be assured that every effort will be taken to deal with you fairly, but remember that there are strict rules concerning cheating. You will find further details in your Course Handbook accessible via SOLE and at http://www.worcester.ac.uk/registryservices/documents/Proceduresforinvestigationofallegedcheating.pdf.


Word Limits: The word limit does not include the reference list, computer programme code listings, tables, diagrams or reasonably short appendices, but will include quotations, citations and the captions to tables and diagrams. The following penalties can be applied to work which exceeds the stated word limit:

Up to 10% over: no penalty
10% to 20% over: one grade point penalty (e.g. B+ to B)
20% to 30% over: two grade points penalty (e.g. B+ to B-)
More than 30% over: three grade points penalty (e.g. B+ to C+)

Reassessment

In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at http://www.worcester.ac.uk/registryservices/655.htm

If there is anything about the current assignment that you don’t understand, please contact the module tutor.

Student Number:

Academic Year and Semester: Sem 1

Module Code: COMP3371

Module Title: Cyber security

Assignment Weighting: 50%

Assignment No: 2

Occurrence:

Assignment 2 - Assessment Criteria

The work is graded against six criteria:

1. Explanation of user data management improvements
2. Explanation of technical data management improvements
3. Arguments for a joined up organisational approach to information security
4. Explanation of tests to assure supply chain partners
5. Arguments for an information security/assurance standard
6. Referencing, using the Harvard system

Grading matrix (the descriptor for each criterion is numbered as above):

GRADE A

1. Detailed Code of Conduct, appropriate list of typical data management tasks (examples), training sessions set up to improve weak data handling, test of competence (examples)
2. Detailed explanation of any processes that might help business continuity and prevent the network performing poorly or having to be shut down due to hardware/software failure (examples)
3. Detailed explanation as to how top-level policy can be effectively shared with all employees and any knowledge gaps can be addressed without prejudice
4. Detailed explanation of external tests that may be performed on Partsfix’s network to ensure that it cannot easily be penetrated via the Internet. Also provides examples of results that could indicate problems
5. Explanation of the processes and controls involved in implementing a named quality assurance scheme, and clear statement of benefits to the organisation of achieving that standard
6. Typically, at least six relevant, and mostly up-to-date references should be included, and cited appropriately

GRADE B

1. Code of Conduct, appropriate list of typical data management tasks and typical mistakes (examples), training sessions set up to improve weak data handling, test of competence (examples)
2. Detailed explanation of the processes that might help business continuity and prevent the network performing poorly or having to be shut down due to hardware/software failure (examples)
3. Explanation of how top-level policy can be effectively shared with all employees and how knowledge gaps that become apparent can be sensitively identified and filled
4. Explanation of external tests that may be performed on Partsfix’s network to ensure that it cannot easily be penetrated via the Internet. Some indication of positive/negative results and consequences
5. Some explanation of the processes and controls involved in implementing a named quality assurance scheme, and clear statement of benefits to the organisation of achieving that standard
6. Typically, at least four relevant and mostly up-to-date references should be included, and cited appropriately

GRADE C

1. Workable Code of Conduct, appropriate list of data management tasks (examples), something about training, something about a test of competence
2. Explanation of named processes that might help business continuity and prevent the network having to be shut down due to hardware/software failure (examples)
3. Explanation of how top-level policy can be shared with all employees and how knowledge gaps can be sensitively identified and filled
4. List of external tests that may be performed on Partsfix’s network to ensure that it cannot easily be penetrated via the Internet. Examples of tests, results and consequences
5. Identification of the processes and controls involved in implementing a named quality assurance scheme, and a statement of benefits to the organisation of achieving that standard
6. Fewer than four relevant and up-to-date references, cited appropriately

GRADE D

1. List of do’s and don’ts, identification of problem tasks, something about training & test of competence
2. Identification of essential processes for business continuity and how to prevent the network having to be shut down due to hardware/software failure (examples)
3. Explanation of how top-level policy can be shared with all employees and some indication what else needs to be done
4. List of external tests that may be performed on Partsfix’s network and results that would indicate problems for the business
5. Identification of the processes involved in implementing a specific quality assurance scheme, and some indication of benefits to the organisation of achieving that standard
6. Some referencing in use, but not Harvard and not appropriately cited

FAIL (E-G)

1. List of do’s and don’ts and mention of project tasks or training but not much else (examples)
2. Importance of business continuity identified, but no detail of essential processes or actions to help keep those processes going
3. Superficial explanation of the “trickle down” effect from top management but no indication about issues in implementation
4. Only names one or more external tests on the network and doesn’t clearly indicate what would constitute a good or bad result
5. Superficial treatment of the term quality assurance, and benefits to the business of the named scheme not included
6. Shows a lack of understanding of the purpose of referencing and makes no attempt to use any type of end-of-document linking to external sources