CMP73001 Cybersecurity Management

Unit: Cybersecurity Management
Unit code: CMP73001
Assignment 2: Plans/programs/policy development exercise
Due Date: Week 9 Monday 27 Apr 2020
Learning outcomes: 2 & 3
Graduate Attributes: 3 & 4
Weight: 30% of overall unit assessment
Task Description
You are hired by Advanced Medicos Limited (AML), a company that sells healthcare products, as a
cybersecurity consultant to help with security management and to address the contemporary and emerging
risks from the cyber threats the company is facing. AML provides a platform for Australian customers
to sell their products online. The vision of the company is to be among the top 5 nation-wide. Acting on
advice from the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), the board
has concluded that the company should reach the point where key services such as the web portal can recover
from major incidents in less than 20 minutes, while other services can be up and running in less than 1
hour. In case of a disaster, the company should be able to have the web portal and payroll system fully
functional in less than 2 days.
AML is a new company that is growing rapidly. Although the company uses its database server to
store its customers’ private data, credit card information, etc., it has a poorly designed network
with a low level of security. As the company is responsible for the privacy and the security of customer
personal info, credit card details, the security of payment transactions, etc. they have decided to improve
their information security. Therefore, they have hired you to do the following task:
Your task is to perform a risk analysis and develop a security plan for the Company and document the
Existing IT infrastructure of AML:
– Office 365 Emails Hosting
– 2 web servers providing web services and payment options
– A physical database server storing customer information
– DHCP and DNS servers
– Servers located in a server room accessible by all staff
– There is no virtual/cloud storage
– The backup files are stored on a single computer connected to the internal network
– Two 24-port Cisco Catalyst switches (1Gbps ports)
– Switches are access layer switches
– ADSL router
– 40 PCs with outdated antivirus
– The operating systems used in the company are Windows 2012 server and Windows 10
– Windows Firewalls are on
– No security configuration on routers and switches
– Telnet connection is used by IT people to remotely check the configuration of the network devices.
Therefore, there is no encryption in remote access.
– Two wireless access points
– Wireless security is WPA
– 10 Voice over IP phones
– There are 40 staff including three IT people (IT staff are responsible to look after internet connection,
network devices, Wi-Fi, Voice over IP service, LAN, computers, servers, hardware and software, and
video conference facilities).
– All staff and equipment are on a single floor.
– The roles and responsibilities of people who are responsible for information security management are not
clear and they are not documented. All IT staff help in information security management.
For this assignment, you need to write a report to the CEO of the company and answer a number of
questions. You should also identify assets, perform risk assessment, and propose solutions to mitigate
risks. Your answer should be submitted in PDF/DOC files.
Assignment guideline
Plans/programs/policy development exercise: develop program direction and policy and propose controls
and changes to secure the organization information system based on the risk assessment results.
Task 1: Security policy development and risk management
1.1 Based on the information given for AML and based on the risk assessment results in Assignment 1,
develop an appropriate access control policy for this company.
1.2 What types of access controls do you recommend to protect the assets of the company? Justify your
choices. You should have physical and logical access controls that prevent unauthorized access to the
assets (assets include information, software, and hardware). At least three access controls should be
provided. Justify your choices with cost benefit analysis and effectiveness.
1.3 Propose at least five controls, which can be used to control threats identified in Assignment 1.
Justify your choices with cost benefit analysis and effectiveness.
1.4 Determine and recommend data security solutions for three different data states in the company: data
in use, data in motion, and data at rest.
1.5 What authentication method do you recommend for AML Company for effective and efficient
management of user identity verification, especially for remote users?
1.6 Explain how a single sign-on service (SSO) can help AML company to manage authentication. Which
protocol will be used to implement this SSO service and why? Explain the protocol.
1.7 Explain the difference between incident response and disaster recovery. What are the responsibilities
of the incident response team and the disaster recovery team?
1.8 Describe six phases of developing an incident response plan. For this question, you should explain
each phase and propose at least two activities for each phase in AML Company. You may need to do some
research to answer this question.
1.9 Provide five examples of natural or human-made disasters relevant to AML. Explain three phases of
disaster recovery. You can use the link below to find some information about disaster recovery phases.
1.10 Explain the definition of MTD, RTO, and RPO in disaster recovery. What is the difference between
disaster recovery and business continuity?
Task 2: Review and improve security policies (optional – students who answer this question will receive a
10% extra mark)
For this task, you should read the following version of policies created by an IT staff member. You as the
cybersecurity consultant are asked to review and revise the policies and propose a more comprehensive
version of the policies for the company. For each group, you should write at least six new policy
Security policies
Backup policies:
• A weekly full backup should be performed in the company.
• Backup files should be stored in a server in the company.
Computer use policies:
• The programs from untrusted and external sources should not be run on the company computers.
• Computer logs should be only stored on the computer.
Assessment Criteria
Criteria Max Mark
Task 1: Security policy development and risk management 27
Task 1.1: access control policies 3
Task 1.2: Access controls for the asset identified in Assignment 1 4
Task 1.3: Controls for the threats identified in Assignment 1 5
Task 1.4: Data security controls for three data states 1.5
Task 1.5 & 1.6: Recommendation of a multi-factor authentication method a single sign-on definition , and