Assignment title: Information


INF80043 IS/IT Risk Management Project

Due Date: Friday, 20th April 2017, 11:59 PM
Required Length: MAX 4000 words (not including reference list and appendices)
Marks Allocated: 40%
Submission Procedure: Electronic submission through Blackboard (more information on the submission procedure will be released closer to the due date). The signed assignment declaration (available through Blackboard in due time) must be submitted as part of the submission.

The following MUST be included as part of the submission:
▪ A fully completed assignment cover sheet (available through Blackboard),
▪ Any relevant appendices to the report (please note: appendices do not count towards the word limit),
▪ A complete and accurate reference list in Harvard and/or APA style.
Please note that marks may be deducted if the assignment fails to comply with the above specifications!

Assignment tasks

You need to provide the following, as assigned:
• Carry out an extensive review of risks in the company's IS/IT/Information security management practices by:
  o Identifying and detailing all key components of risk, vulnerabilities and threats, as well as their impact on the company.
  o Conducting the risk assessment in accordance with the best practice prescribed by one (or a hybrid) of the leading standards, guidelines or frameworks pertaining to IS/IT/Information security.
• Identify further opportunities for risk management activities within the company.
• Develop a coherent IS/IT/Information security risk mitigation strategy that provides proactive solutions for the risks identified in the Risk Assessment stage.
• Produce a risk analysis report on the company to be submitted to the company's senior executives (remember: the audience of your report is the senior executives, the C-level individuals of the organisation).
Your task is to produce a report addressing the above requirements.
It is important to note that the use of established standards, frameworks and best practice in the process is highly valued and sought after by the senior executives. (It is even more important to remember that this is an academic assignment; as such, you need to adhere to a scholarly standard in your report by providing adequate justifications drawn from good-quality scholarly and peer-reviewed literature, and by referencing them accordingly throughout the report.)

INF80043 IS/IT Risk Management Project - Assessment Rubric

Each criterion is scored from 0 to 5 across three bands: Need Improvement, Developing and Mastering.

1. The use of salient features of an established Risk Mitigation framework (for example: using international standards like ISO/IEC 27001 and ISO/IEC 27002 for control selection that address multiple risks).
   Need Improvement: Does not demonstrate an understanding of how to use the standards in the analysis and development of risk analysis and mitigation; lacks the details required for a coherent risk analysis and mitigation report.
   Developing: Demonstrates a basic but accurate understanding of how to use the standards in the analysis and development of risk analysis and mitigation, but lacks some detail required for a coherent risk analysis and mitigation report.
   Mastering: Demonstrates a sophisticated understanding of how to use the standards in the analysis and development of the risk analysis and mitigation report.

2. Identification and analysis of most threats and vulnerabilities within the organisation - technical, operational and managerial.
   Need Improvement: Does not attempt, or fails, to identify and analyse accurately. Analysis is disorganised, incomplete, or completely lacking in evidence on the identification of threats. Approach to the analysis is egocentric or sociocentric. Does not relate the issue to broader but critical organisational contexts. Analysis is grounded in absolutes, with little acknowledgement of the team's own biases. Does not recognise context or surface assumptions and underlying implications (or does so in a superficial manner).
   Developing: Summarises threats, though some aspects are incorrect or unclear. Key details are missing or glossed over. Presents and explores relevant contexts and assumptions regarding the vulnerabilities, although in a limited way. Analysis includes some outside verification, but primarily relies on established authorities. Provides some recognition of context, assumptions and implications.
   Mastering: Clearly identifies the threats and the subsidiary, implicit aspects of each threat. Identifies integral relationships essential in analysing the threats. Analyses the vulnerabilities with a clear sense of scope and context. Considers other integral contexts. Analysis acknowledges complexity and the bias of vantage and values. Identifies the influence of context and questions assumptions, addressing other dimensions underlying the vulnerability.

3. Impact analysis (technical, system and organisational) with quantitative and/or qualitative methods.
   Need Improvement: Demonstrates an inadequate understanding of impact analysis.
   Developing: Demonstrates a basic and accurate understanding of impact analysis.
   Mastering: Demonstrates a sophisticated understanding of impact analysis.

4. Thorough control assessment and likelihood analysis relating to all critical vulnerabilities identified.
   Need Improvement: Demonstrates an inadequate understanding of control assessment and likelihood analysis. No evidence of source evaluation skills. Repeats information provided without question, or dismisses evidence without adequate justification. Does not demonstrate an understanding of controls as part of Risk Mitigation; lacks the details required for an effective implementation of control mechanisms.
   Developing: Demonstrates a basic and accurate understanding of control assessment and likelihood analysis. Demonstrates adequate skill in evaluating sources; use of evidence is qualified and selective. Demonstrates a basic but accurate understanding of how to use controls to mitigate risk, but lacks some detail required for an effective use of controls in risk mitigation.
   Mastering: Demonstrates a sophisticated understanding of control assessment and likelihood analysis. Evidence of selection and evaluation skills, with notable identification of uniquely salient resources. Examines evidence and questions its accuracy and completeness. Demonstrates a sophisticated understanding of how to use appropriate controls to mitigate risk.

5. Risk assessment tables.
   Need Improvement: Demonstrates an inadequate understanding of what should be contained in the risk assessment tables.
   Developing: Offers some proper matrices with adequate details, although some aspects may require further clarification.
   Mastering: Identification is concise and accurate, with a logical explanation.

6. Understanding of legal and regulatory requirements as well as other key environmental factors affecting the organisation.
   Need Improvement: Demonstrates an inadequate understanding of the legal and regulatory requirements. Demonstrates an inadequate understanding of other key environmental factors affecting the organisation.
   Developing: Offers some understanding of both the legal and regulatory requirements. Offers some understanding of other key environmental factors affecting the organisation.
   Mastering: Concise, clear, accurate and logical explanation of what is required to cover the company on the legal and regulatory aspects, as well as other key environmental factors affecting the organisation.

7. Presentation and supportive evidence.
   Need Improvement: Uses colloquial, simplistic language. Uses language and syntax that is unclear. Appropriate report format not used. No reference list using correct Harvard or APA style. Inappropriate or less than satisfactory report quality given the intended target audience.
   Developing: Uses language that is satisfactory for the report, but better proofreading is required. Not all required report sections are included. Limited reference list using correct Harvard or APA style. Reasonable report quality given the intended target audience.
   Mastering: Uses language that is stylistically sophisticated and an appropriate report format. Uses other relevant and appropriate literary devices to enhance the report. Comprehensive reference list using correct Harvard or APA style. Excellent report quality given the intended target audience.

8. Preparation of the report covering the nature of the investigations, using any of the frameworks discussed, a summary of results and security management, along with the recommendations.
   Need Improvement: Demonstrates an inadequate understanding of how to present or use information, or inappropriate recommendations chosen.
   Developing: Demonstrates a basic but accurate understanding of how to present the information gathered, and suggests recommendations appropriate for the given context.
   Mastering: Demonstrates a sophisticated understanding of how to present the information gathered, and suggests appropriate recommendations.

9. Rationale, justification and critical thinking.
   Need Improvement: The report does not reflect a mature and reasonable rationale in considering the various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area. Does not show critical thinking in the key phases/steps of Risk Mitigation.
   Developing: The report shows some reasonable rationale, as well as some aspects of critical thinking, in considering the various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area.
   Mastering: The report provides a mature and reasonable rationale, as well as ample demonstration of critical thinking, in considering the various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area.