Assignment title: Management
SCC 444 Individual Assessment 2016-17
Case Study – BishBosh Data Analytics
Due Date: 10 February 2017 16:00 (to be submitted on Moodle)
This assessment is worth 40% of your overall course mark.
Background on the Company
BishBosh Data Analytics (BBDA) is an SME that provides services to extract business
intelligence from online social media. The company serves clients who are interested in
gauging consumer responses to a new product. Furthermore, the social media analytics
tools can track negative comments about products so that they may be improved or
positive ones to inform advertisement and marketing campaigns. BBDA's tools can also
analyse social media information and experiences of products from a range of
manufacturers, hence enabling a particular client to study and evaluate its position in a
specific market segment.
BBDA's tools are highly efficient and effective – they can analyse text, images and videos
at great speed and integrate data extracted from such analyses into highly visual, easy-to-understand reports for clients.
Services offered to clients
BBDA uses a software-as-a-service model, that is, all its social media analysis and
reporting tools are available to clients as online services. When a client wishes to gauge
responses to a particular product or a product line, such a product or product line is
registered through a client portal. The social media tools then trawl popular forums,
gather the data, analyse it and generate reports. Clients can access these reports through
the portal and can also set the frequency with which the reports should be generated. A
premium service offered is that of real-time monitoring where clients can observe
(through the portal) responses to specific products or advertising campaigns in real time. The service is offered using a back-end platform that includes BBDA's own server
farm and the Amazon Elastic Compute Cloud (EC2) http://aws.amazon.com/ec2/. EC2 is
currently used to complement the existing server capacity at BBDA and provide the
flexibility to increase or reduce the computing power and storage available in line with
client demand at a particular point in time.
Information security approach at BBDA
The board of BBDA takes information security very seriously. The board members
recognise that any breach of information security can have major consequences for
BBDA's business – given the software-as-a-service nature of the tools a lot of
confidential client information is held by BBDA. Any breach could seriously compromise
the competitive edge of a client. The resulting loss of reputation and lack of trust in
BBDA would be catastrophic. As such one of the senior board members has a specific
responsibility to oversee information security within the organisation and ensure that
any business decisions account for the key strategic role of information security.
There is a Chief Information Security Officer (CISO) who heads an information security
team responsible for both technical and operational assurance across the organisation.
The CISO reports directly to the board member responsible for information security.
The CISO is very diligent and follows good information security practices. For example:
• Relevant procedures and guidelines have been developed and implemented, and
compliance with them is monitored.
• An information security policy is in place and regular training is provided to staff
members at all levels to ensure that they understand their roles and
responsibilities with regards to the information security policy.
• Good information security practices are in place such as disk encryption on
office machines and access to all data protected through passwords – which in
turn are required to be strong passwords and have the usual controls of
expiration, non-reuse, etc. in place.
• A network monitoring system is in place to record and flag anomalous events to
the information security team for review and follow-up actions.
• Regular penetration testing is carried out to test for new vulnerabilities in the
company's online system.
Scenario
BBDA's board has become increasingly keen to improve the company's "green"
credentials and reduce its overall footprint on the natural environment. This was one of
the reasons for the partial move to EC2 – plans are in place to retire the in-house server
farm in the medium-term and fully move to a commercial cloud provider. The board
now plans to push ahead with further innovations regarding the company's green
policy. Two key initiatives are being put in place:
1. A smart building management system (BMS) with a range of wireless sensors
and actuators will be commissioned and installed to improve the energy
efficiency of the enterprise environment. The BMS will automatically monitor
building usage and control heating and lighting. It will also manage energy
consumption of enterprise computing terminals (not the server farm), e.g.,
switch off terminals that may be left on and idle over an extended period. The
BMS can be monitored and controlled through a web service provided by the
contractor installing the BMS – this web service is provided as part of the
installation package.
2. Staff members will be encouraged to organise their work so that they can work
remotely (e.g., from home) for part of the week to minimise their carbon
footprint and not travel to company premises. In the medium- to long-term the
company expects to operate a highly virtualised workforce with very few staff
required to be physically on-premises. Employees can use their personal devices
for working remotely but the company will commit to providing mobile devices,
e.g., laptops or tablets, to any employees who need them so that they can work
from anywhere and at any time.
The board member responsible for information security has recently come across the
Executive Summary of a report on data exfiltration risks prepared by Lancaster
University. The full report and other resources are available at:
http://www.security-centre.lancs.ac.uk/data-exfiltration/
Your Assignment
You are the CISO and have been charged by the board to prepare a report no longer than
10 sides of A4 (minimum 11 pt font, Helvetica or Arial, single line spacing and 2 cm
margins on all sides). Your report must include the following:
1. A threat model depicting the data exfiltration threats arising from the new green
initiatives being used by the company and the rationale behind the model. The
model need not be too complex (as it must be understandable by the board). You
can use the incident fault trees used in the Lancaster University report.
However, this is not mandatory. A simple box and line diagram would also be
acceptable as long as the notation is clear and understandable. Marks will be
awarded for the comprehensive nature of the model and the rationale behind
the threats included. (Worth 10%)
2. A vulnerability model (scoped to data exfiltration vulnerabilities only) for the
new green initiatives being used by the company and the rationale behind the
model. The model need not be too complex (as it must be understandable by the
board). A tree diagram with associated explanation will suffice. (Worth 10%)
3. A qualitative analysis of the risks posed by the various threats and
vulnerabilities in the models above. The report should include your approach for
the qualitative analysis (i.e., stating the qualitative risk assessment methodology
of your choice). The analysis should, at least, clearly identify the risks, their
likelihood, their impact, their severity and how they may best be managed (e.g.,
accepted, transferred, avoided or reduced/mitigated). Be clear on your risk
management recommendation, e.g., if a risk is transferred clearly note to whom.
(Worth 10%)
4. Conclude your report with a set of recommendations based on the Critical
Security Controls proposed by the Council on Cyber Security (Available on
Moodle). The recommendations should clearly state which controls should be
deployed to counter the data exfiltration risks in the new setting and give
rationale for recommending the controls. Note that you are only asked to
recommend controls to counter data exfiltration risks. (Worth 10%)
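A worked illustration of parts 1 and 3 of the brief, added here as an example and not part of the assignment or of the Lancaster report: a small incident fault tree built from the two green initiatives is reduced to its minimal cut sets, and each cut set is rated on a three-level likelihood/impact matrix to give a severity and a default treatment. All event names, ratings and the treatment rule are constructed assumptions; a submitted report would justify each of them.

```python
from itertools import product

# Constructed incident fault tree for the BBDA green initiatives (illustrative
# sample input, not taken from the Lancaster report). A gate is (type, children);
# any name without a gate entry is a basic event.
TREE = {
    "client data exfiltrated": ("OR", ["via remote working", "via BMS"]),
    "via remote working": ("AND", ["client data on device", "device compromised"]),
    "device compromised": ("OR", ["personal device unmanaged", "company laptop lost"]),
    "via BMS": ("AND", ["BMS shares office network", "BMS web service misused"]),
}
# Constructed qualitative ratings: likelihood per basic event, one impact for
# every route (loss of confidential client data). A real report justifies each.
LIKELIHOOD = {
    "client data on device": "high",
    "personal device unmanaged": "high",
    "company laptop lost": "medium",
    "BMS shares office network": "medium",
    "BMS web service misused": "low",
}
IMPACT = "high"
LEVEL = {"low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}
TREATMENT = {"high": "reduce", "medium": "reduce", "low": "accept"}  # assumed default policy

def minimal_cut_sets(node):
    """Smallest sets of basic events that together cause `node` (standard fault-tree analysis)."""
    if node not in TREE:
        return {frozenset([node])}
    gate, children = TREE[node]
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":      # any one child's cut set is enough
        sets = set().union(*child_sets)
    else:                 # AND: one cut set from every child must occur together
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(o < s for o in sets)}  # drop non-minimal supersets

def severity(likelihood, impact):
    """3x3 qualitative matrix: product of levels mapped back to low/medium/high."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def assess(top="client data exfiltrated"):
    """Rate every minimal cut set; an AND-ed set is only as likely as its least likely event."""
    rows = []
    for cs in minimal_cut_sets(top):
        lik = NAME[min(LEVEL[LIKELIHOOD[e]] for e in cs)]
        sev = severity(lik, IMPACT)
        rows.append({"events": sorted(cs), "likelihood": lik,
                     "severity": sev, "treatment": TREATMENT[sev]})
    return sorted(rows, key=lambda r: -LEVEL[r["severity"]])
```

Each returned row is one line of the risk table the brief asks for; the treatment column is where a report would record a transfer (and to whom) or an avoidance decision instead of the default.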
Additional notes on the report size and formatting: Please note that the report limit of 10
pages is strict. You are not required to have a cover page. Simply put the title, your name
and student number on the first page of the report. Similarly, any references that you
include are within the 10 page limit. Any additional text beyond the first 10 pages will
be disregarded and not marked. Also, please pay close attention to the formatting
restrictions and the font types and sizes.