Fundamental Concepts of Data Security ISEC5006


Computing @ Curtin University
Fundamental Concepts of Data Security
ISEC5006
ASSIGNMENT
Due Date: Friday 22-May-2020, 12:00pm Perth time.
Weight: 25% of the unit mark.
Note: This document is subject to minor corrections and updates. Announcements will
be made promptly on Blackboard and during lectures. Always check for the latest version of
the assignment. Failure to do so may result in you not completing the tasks according to the
specifications.
1 Overview
This assignment gives you an opportunity to perform a risk assessment for a fictional business. You
will need to make use of the relevant data security concepts discussed in the lecture and perform your
own research on topics related to the task.
2 The Task
In this assignment, you will play the role of a security consultant. Your client is a fictional organisation –
IISC consulting company. The client has requested you to perform a security risk assessment of the
organisation. You are expected to deliver a formal written report which will be presented to the board.
It is required that the information security risk assessment is performed in accordance with NIST SP
800-30 Rev.1 – Guide for Conducting Risk Assessments
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Based on the background information about the company given in Appendix 1, perform the required
risk assessment and submit a written report. Note that you may make assumptions about information
required to complete the task if it is not described in Appendix 1.
3 The Report
3.1 Structure
The report must be formally written and follow the required structure given below:
Updated
April 14, 2020
Fundamental Concepts of Data Security ISEC5006
ASSIGNMENT- Semester 1, 2020
• Cover page: It must clearly show your name and student ID and it must indicate to a reader that
this is a security risk assessment report for the company.
• Table of contents: Provide a table of contents.
• Executive summary: This must summarise the task and the major findings.
• Introduction
– Purpose: It must clearly state the reasons for conducting the risk assessment and the
objectives that the work aims to achieve.
– Scope: It must clearly state what is covered and what is not.
• Recommendations: This section must list and explain the most (and only the most) important
findings from the analysis. Typically, they correspond to the items that have the highest
risk values as detailed in the risk assessment results subsequently. The recommendations
must indicate the vulnerabilities and the possible consequences if they are not immediately
addressed. All recommendations need to have correct references to the individual items in the
risk assessment results.
• Risk assessment approach
– Participants: You will need to list all people involved in the risk assessment, their roles and
contact details.
– Techniques: You will need to clearly state which methods you use to find out necessary
information to identify vulnerabilities, estimate loss, and determine risk values (you must
also clearly indicate the information).
– Risk model: You need to explain in detail which risk assessment approach (qualitative/quantitative) you use. If you use the qualitative approach, you need to clearly indicate the different
levels, explain their interpretations, and finally construct the risk matrix that you will follow. If
you use the quantitative approach, you will also need to explain the mathematical equations
that you use to calculate the risk values. Importantly, all the risk calculations that you
present subsequently need to be consistent with the risk model you choose.
• System characterisation: In this section, you will detail all the six components of the information
system that you are performing the risk assessment on, including hardware, software, data,
procedure, people (or users), and networks. Where applicable, you must show detailed technical
information such as model, version, diagrams etc. You should also provide further categorisation
for each component for improved clarity.
• Vulnerability statement: In this section, you will list all the vulnerabilities that you have found and
briefly describe them.
• Threat statement: In this section, you will identify all possible threat sources. For each threat
source, you will list the possible threat actions they may perform.
• Risk assessment results: In this section, you will assess the risk for each of the vulnerabilities you
have discovered above. You must clearly state or make reference to the identified vulnerability,
describe the consequent risk, determine the impact and likelihood with justification, evaluate the
overall risk, identify the existing controls, and evaluate the residual risk. Your risk assessment
must address all three security goals: Availability, Integrity, and Confidentiality. Finally, you will
recommend relevant controls to address the residual risk.
• Conclusion: Summarise the task you have performed, most importantly the findings, and other
possible implications of this report.
• References: Include all relevant references that are used in the assessment. The references
must follow the Chicago referencing style.
• Appendices: Include additional information that you may have.
3.2 Page Limit
The report must not exceed 30 pages.
Note: Any material beyond the page limit will not be marked.
4 Mark Allocation
The total mark of this assignment is 100, and it is distributed as follows
