Identify and critically analyse information security threats to computer networks and management information systems. (management of information systems | Managing information systems)
Designing and Developing Products for the Cyber security
Coursework Brief
|
Academic year and term:
|
2019/2020 – Semester-, Year 3
|
|
Module title:
|
Cyber Security
|
|
Learning outcomes assessed within this piece of work as agreed at the programme level meeting
|
Students who successfully complete this module will be able to:
- Identify and critically analyse information security threats to computer networks and management information systems. (management of information systems | Managing information systems)
- Critically evaluate the range of effective security controls used to protect system and user data.
- Synthesize solutions to security problems through effective information security governance.
- Create understanding of professional, social, ethical and legal issues associated with cyber security.
|
|
Type of assessment:
|
1. Individual Assessment: Individual report (up to maximum 2500 words) (this will assess learning outcome 1, 2 & 3).
|
|
Assessment deadline:
|
Coursework1: Individual Assessment – 40%
Assignment Report 40% (up to 2500 words): Individual assignment based on the given scenario. This should be submitted via Turnitin as a Microsoft Word file.
|
|
Kind reminder: You MUST make a reasonable attempt at your assignment and submit it. Failure to do so may result in CAPPED Resit and/or failure of the module.
It is also student’s full responsibility to ensure that all assignments are submitted on the correct link and on time before the submission date.
|
Deliverables: Coursework 1
Coursework 1 is an individual report and will be submitted as a word document (up to 2500 words in total including all diagrams, documentation and description) via Turnitin on Moodle and must include all the required components.
Coursework 1 is worth 40% of the overall assignment. The marking criteria are outlined below.
Assignment Preparation Guidelines
1. All components of the assignment report must be word processed (hand written text or hand drawn diagrams are not acceptable), font size must be within the range of 12 point to 14 point including the headings, body text and any texts within diagrams.
2. Standard and commonly used fonts such as Times New Roman, Arial or Calibri should be used.
3. Your document must be aligned left or justified with line spacing of 1.5.
4. All figures, graphs and tables must be numbered and labelled.
5. You must provide screen shots of any commands used in your ethical/Hacking tests.
6. You have cited your work thoroughly by using Harvard referencing style.
7. Material from external sources must be properly referenced and cited within the text using the Harvard referencing system.
8. All components of the assignment (text, diagrams. Code etc.) must be submitted in one Word file.
Second Assessment: Examination – 60% (2 hours- unseen)
An end of course examination will be conducted in week 12 which follows delivery structure and exercises set in the workshops. Students will have access to sample formative feedback on tasks set in workshops and mock online tests thereby helping them to improve their understanding of topics covered in this module and to prepare them for this exam. This assignment will assess module learning outcomes 1,2 and 4.
Overall, the assessments in this module fall into two categories i.e. coursework and examination with the following weightings:
Note: Pass mark in this unit: 40%
Coursework Brief -Designing and Developing Products for the Cyber security
Using the given scenario, students will demonstrate an in-depth understanding of information security governance outcomes with management directives and will provide guidance for Information Security Managers on how to develop an information security strategy within the organisation’s governance framework and how to drive that strategy through an information security program.
The Scenario-Individual Assessment – 40%
You have just been appointed as Security Manager in a multinational pharmaceutical company in West Midlands. You are responsible for physical, IT and information/data security. The company conducts research into medicines and vaccines for the treatment of HIV/AIDS, tuberculosis and malaria on behalf of the WHO. The organization applies information governance standard ISO27001 and implements a security strategy which is not imposed on everybody due to individual’s differing workload.
These are six departments within this company:
· Research and Development,
· Personnel,
· Marketing and Business Development,
· Strategic Operations and Management,
· Information Technology,
· Customer Services.
Diagram 1: The Company’s internet
R&D is the one department with good security (biometric and card-based access control systems and running its own network which is isolated from the company`s network). Since it is not connected to the rest of the intranet, R&D is not shown in the company`s network diagram above.
All offices are on the ground floor with servers (email, ftp, web servers etc) and document filling rooms and photocopiers in the basement which are easily accessible to all employees of their day to day duties. In each department, there are a number of workstations, network printers, USB based local printer/plotter/scanners, USB and network drives.
Contractors and visitors need to sign in before entering the premises which is by the entrance and then pick a blank pass in which they need to enter some of their detail (name) and wear at all times to move from department to department.
There is also a smoking area just outside the building, conveniently situated next to the staff car park which is open for visitors and contractors as well. The company’s Wi-Fi signals can be sensed by wireless devices in the smoking area.
Employees often go out of the premises for lunch. Some staff members have lunch at the riverside local Pub which is only 40 meters away from the complex and often carry their offices laptop with them that contain sensitive information. Some employees spend their lunchtime break listening to their iPods or simply surf the internet (some in their personal Laptops or mobile and some in their workstations).
The problem is that in the past there have been several incidents of information breach such as Man in the middle attack, DNS spoofing, Wifi password attack, Phishing, Evil twin attack, Denial of service attack (DoS), etc which led the Company to hire a Security Manager (yourself) to tighten security. These incidents took place across departments including R&D and went unnoticed and unpunished.
Task 1: [50%]
You need to assess the existing threats of the organization in line with the given scenario by carrying out ethical hacking/ penetration testing. You can use your selected security testing tools or other tools/techniques to identify the vulnerabilities, threats and risks which can be physical, IT infrastructure and information/data security within this organisation.
- a. Critically evaluate the choice of your investigation tools and techniques using screenshots and appropriate description of each steps.
- b. You should compile your list of threats (10 threats, sort them by importance) in order of importance and use a table such as the one below to provide extra information. You should include the countermeasures against each threat you have listed.
Table 1: Example as reference.
|
Asset
|
Threat
|
Loss
|
Impact
|
Countermeasure
|
|
Equipment
|
Theft: (brief scenario e.g. Dr Evil comes through the unlocked window)
|
Logitech wireless keyboard
|
Medium
|
Install Alarm, hire guards, landmines etc
|
Note:For anything not mentioned, you are to assume that it is not present: e.g. secure locks, armed guards etc. You are free to make any assumptions you wish regarding your understanding of the various operations of the company, providing that you clearly state these in your report.
Task 2: [45%]
The current security strategy is not effectively managed and followed by employees and may result in further problems if not dealt with immediately.
Therefore, you will identify the importance of security policy and write an information security policy for management purposes. It should identify suitable countermeasures and how these can be implemented, e.g. through awareness training, monitoring, feedback and reporting.
Presentation, Report Layout and References: [5%]
You are required to use the appropriate report layout and formatting style (see the guidelines below) as well as academic citations and a reference list. Your report should be free from grammatical and spelling errors.
Marking Criteria – Coursework 1
|
Functionality
|
Criteria /Deliverables
|
Marks
|
|
Task 1:
|
You have investigated the ethical hacking/penetration testing to identify the threat vulnerabilities by using appropriate tools like network sniffer, port scanner, and system log analysis, auditing (physical security) and evaluate critically. You made use of tools like (Namp/Xenmap or Wireshark etc) and provided screenshots. (25 Marks)
You have considered the whole scenario and produced a list of likely security threats based on their business impact. (10 Marks)
You have suggested logical countermeasures against each of the threat. (15 Marks)
|
50
|
|
Task 2:
|
You have discussed the importance of having a security policy in an organisation. You have outlined a short brief between security governance and security policy. You have used academic literature to support your arguments. (10 Marks)
The policy must include:
Background and purpose. (5 Marks)
Scope. (5 Marks)
Roles and responsibilities (5 Marks)
Policy framework (5 Marks)
Distribution, training and implementation (5 Marks)
Monitoring, feedback and reporting (5 Marks)
Business continuity (5 Marks)
|
45
|
|
Presentation, Report Layout and References
|
Your report is well laid out and formatted according to the given requirements. Your report should be free from grammatical and spelling errors. The Harvard system has been used to cite work where necessary and a list of references is also provided.
|
5
|
|
Total
|
100
|
100% Plagiarism Free & Custom Written,
tailored to your instructions