ICTNWK519 Design an ICT security framework Assignment

Reference no: EM132455768

ICTNWK519 - Design an ICT security framework - Australian International Academy

Assessment Plan

The assessment plan gives the student an overview of the unit of competency that will be assessed and indicates how and when assessment will take place and what kinds of assessment, activities and evidence will be expected from the student. It guides the student in using the tools to collect their evidence and makes clear the criteria by which their performance will be judged.

Element

Assessment Part 1. Research ICT security requirements

Assessment Part 2. Conduct risk analysis

Assessment Part 3. Develop ICT security policy and operational procedures

Assessment Task 1

Exercise 1 (answer in approximately 150 words)
Question (a) What is a Standard?
Question (b) What are the three categories of standards?

Exercise 2 (answer in approximately 50 words)
Question  Why is it necessary for an organization to have an information security framework?

Exercise 3 (answer in approximately 100 words)
Question  (a) What is ISO?
Question  (b) How does an Australian Standard differ from an ISO Standard?

Exercise 4
Question  Name the International Standard that relates to Information Security Management Systems. List all versions.

Exercise 5
Question  Below are examples of Australian/Commonwealth legislation that are applicable to information management and security policies. Match the relevant legislation to the correct definition.

Exercise 6 (answer in approximately 50 words)
Question  What is a Security Policy and what are three main reasons for having a security policy?

Exercise 7 (answer in approximately 50 words)
Question  What is 128-bit encryption, and what is its benefit in network encryption?

Exercise 8 (answer in approximately 50 words)

Question  Encrypting servers is a requirement for securing a server from hackers. In relation to this, describe what the software application 'TrueCrypt' does. Include details of the failings of this software in your answer.

Case Study Scenario 1

Instructions

You are to take the role of Fred.

You are required to carry out a risk assessment following the standard steps and document the outcomes. Each of the steps is described below, including guidance to help you to understand the Assessment Task and its objective.

Step 1: Identify sensitive information and critical systems

Identify the types of sensitive information and critical systems associated with the operation of a small school, district-wide computer network.

Step 2: Estimate the value of system components

You are required to calculate a reasonable approximation of the replacement value of each component of the system, both equipment and information.

Step 3: Identify threats

Hold a collaborative brainstorming session with your fellow students and create a list of threats to information security and categorise them as one of the following:
• natural
• manmade unintentional
• manmade intentional.

Step 4: Identify vulnerabilities

Identify vulnerabilities in relation to each of the natural, intentional manmade and unintentional manmade threats as identified in Step 4 'Identify threats'.
Categorise each of the vulnerabilities as:
• Physical concerns (e.g., room access, building construction, and climate)
• Hardware- and software-related issues (e.g., equipment, programs, and compatibility)
• Media liabilities (e.g., disks, tapes, hard drives, and print copies)
• Communications (e.g., access points and encryption)
• Human concerns (e.g., personnel and office behaviour)

Step 5: Estimate the likelihood of a potential penetration becoming an actual penetration

The likelihood of potential vulnerabilities can be estimated in terms of probability.
Security penetration testing is one of the assessment methods used to identify potential vulnerabilities in a system being tested. A system is said to be penetrated if any identified vulnerability is exploited and a threat agent gains access to the network and has full control over the system and its data.

Estimate the likelihood of potential loss or penetration.

Step 6: Identify countermeasures against perceived threats and vulnerabilities

Identify potential solutions to the concerns caused by your identified threats and vulnerabilities.

Step 7: Estimate costs of implementing countermeasures

Determine the costs associated with the countermeasures identified in Step 7 'Identify countermeasures against perceived threats and vulnerabilities'.

Step 8: Select suitable countermeasures for implementation

Decide which of the identified countermeasures are to be implemented by comparing the costs identified in Step 7 against the benefits for each.

Step 9: Review the Security requirements

Once you have finished Assessment Tasks 1-8, submit the output to your trainer/facilitator for review and approval. You should then complete the document 'Review and Approval of Security Requirements'.

Case Study Scenario 2

You work for a security auditing firm as an ICT Analyst and have been assigned a team project to perform a security audit of the well-renowned Federation University. In the team meeting, the Project Manager decided to assign you the Assessment Task of researching the security standards practised in the ICT operation of the university.

Instructions

You are required to provide a report of the findings of your research, assess the impact on the ICT operation of the client and provide recommendations or comments on your research outcome.

Assessment Task 1: Identify Security Requirements

Identify and list the statutory, commercial and application security requirements for Federation University based on the documented Information Security Policy of Federation University, 'Scenario Document 1'.

Assessment Task 2: Perform Gap Analysis

Guide: The ISO standard, also known as ISO 27001 ISMS, has control requirements which will be the benchmark for this analysis. ISO 27001 takes a risk-assessment-based approach. An information security risk assessment is used to identify the security requirements of the organisation, and then to identify the security controls needed to bring that risk within an acceptable level for the organisation.

Instructions:
Perform a gap analysis using the scenario information and output of Step 1 and complete the template named 'GAP Analysis for ISO 27001 Template.xls'.

Exercise  1. Consult with your supervisor (trainer) to clarify which of the controls mentioned in the template are applicable or not for the given scenario (Federation University Information Security Policy).

Exercise  2. Scale each of the identified controls using a capability maturity level rating. The provided template contains information on using the Capability Maturity level for rating.

Exercise  3. Based on your findings, then document the analysis and recommendations by using the gap analysis template.

Assessment Task 3: Review the Security requirements

Once you have finished Assessment Tasks 1 and 2, submit your work to the trainer/facilitator for review and approval and complete the 'Review and Approval of Security Requirements' document.

Assessment Task 2

Case Study Scenario

Security Environment for the Assessment

This is a simulated workplace assessment in which you will take on the role of a Team Member and perform a risk analysis to identify security threats and document the output of the following Assessment Tasks:

a. Evaluating assets and threats
b. Assigning a risk level to each area of vulnerability
c. Identifying the areas of costs associated with the contingencies
d. Comparing actual controls in place with minimum requirements and identifying gaps
e. Forwarding the recommendation from the analysis for approval and development of an action plan to mitigate risk

Your facilitator will provide you with access to two different security environments, of which you are required to choose ONLY ONE option to use in your risk analysis.

Security Environment A

Your trainer or assessor will provide you with the details to get an overview of your actual training environment (i.e. your school ICT infrastructure).

Security Environment B

Your trainer will provide you with the virtual environment created using virtualization servers and workstations (VMware).

Activities

Exercise 1

Select your security environment (A or B). What is the main reason for your selection?

Exercise 2

(a) What are the three generic categories of security threats for your chosen environment?

(b) List 10 different impacts of the threats that you believe are likely to occur in terms of loss and security failure.

Exercise 3

You have participated in a meeting with other team members in the risk assessment and have developed a list of access control elements. These access control elements will serve as a tool for documenting the selected system's compliance or noncompliance with specific control techniques established in the company's security standards for operating systems, networks, data stores, and applications. Based on your chosen security environment (either the training organization or the simulated environment of the training organization), you need to complete the following questionnaire.

Exercise 4

You are required to identify at least three threats (most commonly discovered in the provided security environment) and consider a server and two workstations where you have access, to determine the threats and document your security analysis using the table below.

Exercise 5

You are required to determine the risk level by assigning a risk level of high (H), moderate (M) or low (L) for each area of vulnerability to show the possible effect of damage if the threat were to occur. You need to use the table below for this analysis.

Exercise 6

You are required to review and gain approval of your risk assessment (done in Exercise 2-6) by examining the important aspects of the risk assessment using the review document 'Review and Approval of Risk Analysis' and getting approval from your supervisor. You need to attach the signed document to your assessment submission.

Exercise 7

Assume that you have identified the following threats during the risk assessment.

a. Access to personal information
b. Corrupt Databases
c. Server being unavailable
d. IP Address Spoofing

Make a list of countermeasures to manage the above threats.

Assessment Task 3

Case Study Scenario

You have been working in a training school as a System Administrator who looks after the local area network and IT infrastructure, including support and configuration of the PCs and servers. You have been assigned to a new project where you will undertake the role of System Administrator, with responsibilities including to:
• Assist in the development and maintenance of System security plans and contingency plans
• Participate in risk assessments to evaluate the risk and its mitigation strategies associated with the IT and systems.
• Provide support for proposing, coordinating, implementing and enforcing security policies, standards and methodologies.
• Document the security framework and develop the security policies and operating procedures
• Align the organizational security requirements with that of internationally accepted and local security standards (ISO Standards)

Recently the training school decided to review its security policies as they had not been reviewed for a number of years. The Director of the training school has assigned you the job of creating a new security framework for the training school.

You are required to complete the following Assessment Tasks covering design of the security framework and the creation of related policies and procedures.

Exercise  1: Role Play

You are to participate in a role play meeting to review some aspects of ISMS (Information Security Management System). The agenda for the meeting is provided in your learning resources.

You are participating in this meeting as a System Administrator for the company as provided in the given case scenario. Your trainer/facilitator will act as the Security Compliance Officer and will provide you with information on current information security risk management practices within the training school.

Once the meeting is finished, you will need to document the points discussed in the meeting.

Exercise  2: Develop ICT Security Framework

Using the information from Assessment Task 1, describe the ICT security framework for the case study organization based on the framework provided in figure 1 below. Your description should cover the following topics:
• Introduction
• Objectives
• Application
• Scheme of Delegation under the ICT Security Framework,
• Legislation and internationally recognized standards.

(The description should be approximately 300 words.)

Exercise  3: Develop Information Security Policies

Develop Information Security Policies for the case study organization to fulfill the requirement of the framework developed in Assessment Task 2.

The policies should cover areas of information security including:
• Physical Security
• System Security
• Authorization
• Access to Network
• Passwords
• Backups
• Endpoint Security and Antivirus
• Disposal of Equipment
• Repair and Maintenance of Equipment
• Security Incident Management
• Acceptable Use Policy

Exercise  4: Develop Procedures for Implementation of Security Policies

a. You are required to develop a list of procedures that each employee would follow to implement the policies developed in Assessment Task 3. Compile your list and submit it to the Operations Manager (your trainer) for review and approval. Complete the document 'Review and Approval of Procedure for Policies' and have it signed off by the Operations Manager. Once you have obtained approval for the procedures, you need to perform part b of this Assessment Task.
b. Develop procedures for at least five of your policies on your list.

Exercise  5:

Describe three actions that could be taken to maintain the confidentiality of information relating to students and/or employees in the training organization. (Answer in approximately 50 words)

Exercise  6:

List all the legislation that has been applied in your training organization as developed in Assessment Task 2 and explain the importance of statutory legislation in making policies.

Attachment:- Design an ICT security framework.rar
