Unit: Network Security and Cryptography
Assignment title: Eye Hospital
March 2017

Important notes

- Please refer to the Assignment Presentation Requirements for advice on how to set out your assignment. These can be found on the NCC Education website. Click on 'Policies & Advice' on the main menu and then click on 'Student Support'.
- You must read the NCC Education documents What is Academic Misconduct? Guidance for Candidates and Avoiding Plagiarism and Collusion: Guidance for Candidates and ensure that you acknowledge all the sources that you use in your work. These documents are available on the NCC Education website. Click on 'Policies & Advice' on the main menu and then click on 'Student Support'.
- You must complete the Statement and Confirmation of Own Work. The form is available on the NCC Education website. Click on 'Policies & Advice' on the main menu and then click on 'Student Support'.
- Please make a note of the recommended word count. You could lose marks if you write 10% more or less than this.
- You must submit a paper copy and digital copy (on disk or similarly acceptable medium). Media containing viruses, or media that cannot be run directly, will result in a fail grade being awarded for this assessment.
- All electronic media will be checked for plagiarism.

Scenario

iSee Clinic is an independent hospital based in London (UK) that treats people with problems relating to their eyes. The aim of the hospital is to provide excellent eye treatment to its patients in a relaxed, clinically safe and pleasant environment. Common eye problems treated at the iSee Clinic include: Cataract; Red Eye; Dry Eyes; Glaucoma; and Corneal disease. In 2015, the iSee Clinic established new small hospitals in Manchester and Glasgow, which provide facilities for consultations and some diagnostic tests. However, the iSee Clinic in London still remains the most important hospital.
Unlike the Manchester and Glasgow branches, it provides a comprehensive range of diagnostic tests, various lasers, and a fully equipped operating theatre suite to support the satellite clinics. The iSee Clinic has permanent staff employed as administrators, ophthalmologists and nurses. However, all specialist work is carried out by independent consultants through specific contracts. Consultants are typically at a clinic for 1 day per week.

Unfortunately, the iSee Clinic has recently suffered a ransomware attack, which encrypted much of the data on their network. As a result, this attack led to the clinic not being able to operate for a week. The clinic was forced to pay the ransom as it was more cost effective than attempting to recreate the system from patchy and old backup data. The CEO of the clinic has called you, as a network consultant, to ensure that any future ransomware attacks are unsuccessful. She has told you that information security is a very high priority for the clinic.

On your first day working for the iSee Clinic, you discover the following problems:

- Some users have received phishing emails and have downloaded viruses;
- There are no company policies in relation to information security;
- The company has not considered the issue of ownership of information and data, and corresponding access rights;
- The email is not hosted by an ISP, but on a server running MS Exchange in the LAN, though the company website is hosted by the ISP;
- Patients are allowed to browse the internet via 'free' Wi-Fi at clinics.

The CEO has been looking to identify 'best practice' and has discovered ISO27001, the UK Government's 'Cyber Essentials' programme and '10 steps to Cyber Security' guidance from CESG. She does not understand these documents, but she likes the idea of adhering to an international standard. Given other high-profile security breaches in the healthcare sector, she considers that certification may give them a business advantage.
Crucially, contracts between the government and the iSee Clinic would be cancelled without an appropriate information security management system.

Current Technology

The company runs LANs in each clinic, with access to the Internet via a router. The London Office LAN includes a Domain controller running Windows Server 2012 R2 which hosts financial systems (Sage), order processing, patient record data, email (Exchange) and human resources (employee) data. Specialist equipment for photographing eyes is also linked to the server. Office staff have PCs running Windows 7 professional. All computers have individual host-based firewall and anti-virus installed. The company has a content management system (WordPress) website for marketing with a contact form and blog, which is also hosted by their ISP. Marketing staff access the site via a web portal and update the news and blog on a regular basis. Each clinic also has a Wi-Fi system, and regional clinics connect through the Internet to the headquarters. Smaller clinics in Manchester and Glasgow do not host any systems other than client PCs and a small Domain Controller for authentication.

Network Security and Cryptography © NCC Education Limited 2017

As the InfoSec consultant, your terms of reference are: To identify the key security challenges faced by the company and recommend solutions. A particular focus should be the additional risks faced by the company as a breach of confidential patient data could cause the company to close since they would be liable for a fine up to £500,000 from the UK Information Commissioner.

Task 1 – Risk Assessment (10 Marks)

As a security professional, you point out that the most effective approach is to start with a risk assessment, so that the most valuable information assets can be prioritised. This ensures that security measures are put in place in the most cost-effective way.
a) Analyse the scenario and identify FIVE (5) important electronically held information assets relating to iSee Clinic.

b) Create a table (see below) which lists the assets. For each asset identify the main security threats that you think could affect its confidentiality (C), integrity (I) or availability (A). Remember, threats can be accidents as well as malicious. There are likely to be multiple threats for each asset and the same threats are likely for several assets.

c) Complete the columns of the table by assessing the likelihood of the threat being successful and the impact that it would have on the company. In this scenario, you should consider Low/Medium and High definitions as follows:

d) Now complete the Risk column by using the following Risk matrix.

A completed table will look something like this:

Task 2 – Network Diagram (30 Marks)

The scenario provided an outline of the main network components, excluding printers, switches and client PCs. The existing system has security vulnerabilities and your risk assessment should have identified methods of controlling the risks. You now need to prepare a diagram to show how to secure the network. Make sure you are clear where the software and hardware are located.

a) Draw a network diagram, showing network components of the company and new ecommerce system. Each client PC need not be shown, but all other components should be included.

b) Your diagram should include suitable (invented, but realistic) IP addresses.

c) Make sure that you explain how the network design meets the security requirements that you identified in Tasks 1 and 2. Any alternatives should be briefly discussed.

Task 3 – Maintaining Security (8 Marks)

Security is a process, not a one-off task, so you need to explain how security will be maintained in the future. Explain any actions you would recommend for ensuring security is taken seriously in the company and monitoring the effectiveness of the Information security management system.
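The risk-assessment procedure of Task 1 (steps a to d: list assets, attach C/I/A threats, rate likelihood and impact, derive a risk rating and prioritise) can be worked through mechanically. The following is an added example written for this brief, not part of the NCC Education assignment itself. The register entries are constructed from the scenario and their Low/Medium/High ratings are illustrative; the 3x3 risk matrix is an assumption standing in for the brief's own matrix, which is not reproduced on this page, so substitute the brief's definitions before relying on the output.

```python
"""Worked example of the Task 1 risk-assessment steps (a)-(d).

Constructed sample register for the iSee Clinic scenario. The RISK_MATRIX
below is an ASSUMED matrix: the brief's own matrix is not reproduced here.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # ordered so index() gives severity

# Assumed risk matrix: RISK_MATRIX[likelihood][impact] -> risk rating.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass(frozen=True)
class Threat:
    """One row of the Task 1 table: an asset, a threat to it, and its ratings."""
    asset: str
    description: str
    affects: str        # which of C, I, A the threat harms, e.g. "CIA" or "A"
    likelihood: str     # Low / Medium / High
    impact: str         # Low / Medium / High

    def risk(self) -> str:
        """Step (d): look the rating up in the (assumed) risk matrix."""
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"ratings must be one of {LEVELS}: {self}")
        if not self.affects or set(self.affects) - set("CIA"):
            raise ValueError(f"affects must be a non-empty subset of CIA: {self}")
        return RISK_MATRIX[self.likelihood][self.impact]


# Constructed register: assets come from the scenario, ratings are illustrative.
REGISTER = [
    Threat("Patient records (domain controller)", "Ransomware delivered by phishing email", "IA", "High", "High"),
    Threat("Patient records (domain controller)", "Unauthorised access, access rights undefined", "C", "Medium", "High"),
    Threat("Exchange email server", "Phishing attachment executed by a user", "CIA", "High", "Medium"),
    Threat("Exchange email server", "Mailbox store fills disk, service unavailable", "A", "Medium", "Low"),
    Threat("Sage financial data", "Accidental deletion with no tested backup", "A", "Medium", "High"),
    Threat("WordPress marketing site", "Defacement via weak web-portal credentials", "I", "Medium", "Low"),
    Threat("Backups", "Backups incomplete or out of date", "A", "High", "High"),
]


def rank_assets(register):
    """Prioritise assets by their single worst risk rating (High first, then by name)."""
    worst = {}
    for t in register:
        r = t.risk()
        if t.asset not in worst or LEVELS.index(r) > LEVELS.index(worst[t.asset]):
            worst[t.asset] = r
    return sorted(worst.items(), key=lambda kv: (-LEVELS.index(kv[1]), kv[0]))


def threats_by_property(register):
    """Group (asset, threat) pairs under C, I and A; a threat may appear under several."""
    grouped = defaultdict(list)
    for t in register:
        for prop in t.affects:
            grouped[prop].append((t.asset, t.description))
    return dict(grouped)


def risk_table(register):
    """Render the completed Task 1 table (steps b-d) as plain-text rows."""
    rows = [f"{'Asset':38} {'Threat':46} {'CIA':4} {'Likelihood':10} {'Impact':6} Risk"]
    for t in register:
        rows.append(f"{t.asset:38} {t.description:46} {t.affects:4} "
                    f"{t.likelihood:10} {t.impact:6} {t.risk()}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(risk_table(REGISTER))
    print("\nPriority order:")
    for asset, rating in rank_assets(REGISTER):
        print(f"  {rating:6} {asset}")
```

Ranking by the worst single threat per asset, rather than by an average, reflects the brief's point that the most valuable assets must be protected first: one High-rated threat to patient records outweighs several Low-rated ones elsewhere.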
This section of the report should be approximately 150 words.

Task 4 – Reflective commentary (7 Marks)

You should use this section to reflect on what you learned from completing the assignment.

a) Explain any problems you had and how you went about solving them.

b) Explain anything you would do differently if you were to start it again.

This section of the report should be approximately 150 words.