INF80043 IS/IT Risk Management Project
Due Date : Friday, 12th May 2017, 11:59 PM
Required Length : MAX 4000 words (not including reference list & appendices)
Marks Allocated : 40%
Submission Procedure : Electronic submission through Blackboard (more information on the submission procedure will be released closer to the due date). The assignment declaration (available through Blackboard in due time), signed by all team members, needs to be submitted as part of the submission.
The following MUST be included as part of the submission:
Fully completed assignment cover sheet (available through blackboard),
Individual Contribution declaration by each member of the team, containing a statement of contribution and a 1-page personal/professional reflection on the group assignment progress (more details will be published in Blackboard). This will be used to determine whether (and how) mark differentiation should be applied to the group result.
Any relevant appendices to the report (please note: appendices do not count towards the word limit),
A complete and accurate reference list as per the Harvard and/or APA style,
Meeting minutes for each meeting (including virtual meetings)
Please note that marks may be deducted if the assignment fails to comply with the above specifications!
Assignment tasks
Your team is a cross-functional team, assigned to:
Carry out an extensive review of risks in the company’s IS/IT/Information security management practices by:
o Identifying and detailing all key components of risk, vulnerabilities and threats, as well as their impact on the company.
o Conducting the risk assessment in accordance with the best practice prescribed by one (or a hybrid) of the leading standards, guidelines or frameworks pertaining to IS/IT/Information security.
Identify further opportunities for risk management activities within the company.
Develop a coherent IS/IT/Information security risk mitigation strategy that provides proactive solutions for the risks identified in the Risk Assessment stage.
Produce a risk analysis report on the company to be submitted to the company’s senior executives (remember: the audience of your report is the senior executives, the C-level individuals of the organisation).
Your task is to produce a report addressing the above requirements. It is important to note that the use of established standards, frameworks and best practice in the process is highly valued and sought after by the senior executives.
(It is even more important to remember that this is an academic assignment; as such, you need to adhere to a scholarly standard in your report by providing adequate justifications drawn from good quality scholarly and peer-reviewed literature, and by referencing them accordingly throughout the report.)
INF80043 IS/IT Risk Management Project - Assessment Rubric
Scale: 0, 1, 2, 3, 4, 5 (from Need Improvement, through Developing, to Mastering)

Criterion: The use of salient features of an established Risk Mitigation framework (for example: using international standards like ISO/IEC 27001 and ISO/IEC 27002 for control selection that address multiple risks).
Need Improvement: Does not demonstrate an understanding of how to use the standards in the analysis and development of risk analysis & mitigation; lacks the details required for a coherent risk analysis & mitigation report.
Developing: Demonstrates a basic but accurate understanding of how to use the standards in the analysis and development of risk analysis & mitigation, but lacks some detail required for a coherent risk analysis & mitigation report.
Mastering: Demonstrates a sophisticated understanding of how to use the standards in the analysis and development of the risk analysis & mitigation report.

Criterion: Identification and analysis of most threats & vulnerabilities within the organisation - technical, operational and managerial.
Need Improvement: Does not attempt, or fails, to identify and analyse accurately. Analysis is disorganized, incomplete, or completely lacking in evidence on the identification of threats. Approach to the analysis is egocentric or socio-centric and does not relate the issue to broader but critical organisational contexts. Analysis is grounded in absolutes, with little acknowledgement of the team’s own biases. Does not recognize context or surface assumptions and underlying implications (or does so in a superficial manner).
Developing: Summarizes threats, though some aspects are incorrect or unclear. Key details are missing or glossed over. Presents and explores relevant contexts and assumptions regarding the vulnerabilities, although in a limited way. Analysis includes some outside verification, but primarily relies on established authorities. Provides some recognition of context, assumptions and implications.
Mastering: Clearly identifies the threats and the subsidiary, implicit aspects of each threat. Identifies integral relationships essential in analysing the threats. Analyses the vulnerabilities with a clear sense of scope and context, and considers other integral contexts. Analysis acknowledges complexity and the bias of vantage and values. Identifies the influence of context and questions assumptions, addressing other dimensions underlying the vulnerability.

Criterion: Impact analysis (technical, system and organisational) with quantitative and/or qualitative methods
Need Improvement: Demonstrates an inadequate understanding of impact analysis.
Developing: Demonstrates a basic and accurate understanding of impact analysis.
Mastering: Demonstrates a sophisticated understanding of impact analysis.

Criterion: Thorough control assessment and likelihood analysis relating to all critical vulnerabilities identified
Need Improvement: Demonstrates an inadequate understanding of control assessment and likelihood analysis. No evidence of source evaluation skills. Repeats information provided without question, or dismisses evidence without adequate justification. Does not demonstrate an understanding of controls as part of Risk Mitigation; lacks the details required for an effective implementation of control mechanisms.
Developing: Demonstrates a basic and accurate understanding of control assessment and likelihood analysis. Demonstrates adequate skill in evaluating sources. Use of evidence is qualified and selective. Demonstrates a basic but accurate understanding of how to use controls to mitigate risk, but lacks some detail required for the effective use of controls in risk mitigation.
Mastering: Demonstrates a sophisticated understanding of control assessment and likelihood analysis. Evidence of selection and evaluation skills; notable identification of uniquely salient resources. Examines evidence and questions its accuracy & completeness. Demonstrates a sophisticated understanding of how to use appropriate controls to mitigate risk.

Criterion: Risk assessment tables
Need Improvement: Demonstrates an inadequate understanding of what should be contained in the risk assessment tables.
Developing: Offers some proper matrices with adequate details, although some aspects may require further clarification.
Mastering: Identification is concise and accurate, with logical explanation.

Criterion: Understanding of Legal and Regulatory requirements as well as other key environmental factors affecting the organisation
Need Improvement: Demonstrates an inadequate understanding of these requirements and of other key environmental factors affecting the organisation.
Developing: Offers some understanding of both the legal and regulatory requirements and of other key environmental factors affecting the organisation.
Mastering: Concise, clear, accurate and logical explanation of what is required to cover the company on the legal and regulatory aspects, as well as other key environmental factors affecting the organisation.

Criterion: Presentation and supportive evidence
Need Improvement: Uses colloquial, simplistic language, or language and syntax that is unclear. Appropriate report format not used. No reference list using correct Harvard or APA style. Inappropriate or less than satisfactory report quality given the intended target audience.
Developing: Uses language that is satisfactory for the report, but better proofreading is required. Not all required report sections are included. Limited reference list using correct Harvard or APA style. Reasonable report quality given the intended target audience.
Mastering: Uses language that is stylistically sophisticated, and an appropriate report format. Uses other relevant and appropriate literary devices to enhance the report. Comprehensive reference list using correct Harvard or APA style. Excellent report quality given the intended target audience.

Criterion: Preparation of the report covering the nature of the investigations, using any of the frameworks discussed, a summary of results and security management, along with the recommendations.
Need Improvement: Demonstrates an inadequate understanding of how to present or use information, or inappropriate recommendations chosen.
Developing: Demonstrates a basic but accurate understanding of how to present the information gathered, and suggests recommendations appropriate for the given context.
Mastering: Demonstrates a sophisticated understanding of how to present the information gathered, and suggests recommendations.

Criterion: Rationale, Justification & Critical Thinking
Need Improvement: The report does not reflect a mature and reasonable rationale in considering various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area. Does not show critical thinking in the key phases/steps of Risk Mitigation.
Developing: The report shows some reasonable rationale, as well as some aspects of critical thinking, in considering various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area.
Mastering: The report provides a mature and reasonable rationale, as well as ample demonstration of critical thinking, in considering various key aspects of the IS/IT/Information security domain, particularly in the Risk Mitigation area.
INF80043 IS/IT Risk Management Challenges
The IS/IT Risk Management Challenges were designed to “encourage” you to revise the lecture/tutorial materials in a more progressive manner. As such, each challenge will be conducted as a mini written test to assess your understanding of key issues in IS/IT/Information Security Risk Management, your analytical skill, and your ability to apply what you have learned in a particular context (which could be a mini case, a short scenario, or a brief description of an organisational environment). The topic(s) of each challenge will vary, but they will be limited to the content of the 5-6 lectures/tutes preceding the challenge (i.e., challenge #1 covers the content of lectures 1-5 and tutorials 1-6).
The challenge will be held during the tutorial (this semester we will allow 45 minutes to complete each challenge). There is a fixed schedule for each challenge, and without a valid and compelling reason (with evidence) a challenge will not be rescheduled. There is no option to repeat and/or retake a challenge unless there is a compelling circumstance, which needs to be supported by sufficient evidence. This semester we will only have 2 challenges. Below is the schedule for the challenges:
Week | Date                          | Coverage                                                     | Max Mark
7    | 12 April during the tutorial  | Content of Lectures 1-5 & the associated tutes (i.e., 1-6)   | 20%
12   | 24 May during the tutorial    | Content of Lectures 6-11 & the associated tutes (i.e., 7-11) | 20%
INF80043 Reflective Practice Portfolio
One important component of the assignments for INF80043 is the Reflective Practice Portfolio. It was designed to foster independent learning/research, enhance critical thinking skills and promote your understanding of aspects of IS/IT Risk Management.
In this semester, the Reflective Practice Portfolio comprises only 3 critical essays. Generally, a critical essay involves the review and evaluation of certain topics of interest. As part of the review/analysis/evaluation, an in-depth analysis supported by sufficient research on facts, practice and theories needs to be conducted.
In writing the essay, you ought to present your critical analysis & critical reflection (or review) on the given topic(s). The process involved in the reading, analysis and reflection should help you refocus your thinking and generate new ideas and/or knowledge that will support your personal, professional and scholarly development. The idea is to have you engaged in critical reflection and build your repertoire of knowledge on critical issues in Risk Management. By the end of the semester, it is hoped that you will be able to go back through all of the readings/learning that you have done and conduct a “reality check” of the amount of learning you have done in the semester.
Please note: you are encouraged to present your views, arguments and counter-arguments, but these need to be informed and supported by the appropriate and relevant literature. However, a critical essay is NOT merely a literature review.
3-4 pages, with 1-1.5 margins and 12-point font, should be adequate for each critical essay. A critical essay that does not address the assigned topic will receive a 0.
A minimum of 8 good quality references is required. It is important that you employ only resources which are formally accepted as being scholarly and academically reliable. This does not apply to Wikipedia or to the individual opinions expressed in some blogs and web articles (a blog and/or a personal website and/or a news piece may be nice to read and may contain valuable information, but these are not regarded as “quality references”). The Swinburne University library database features many useful and high quality references. If you have difficulty in using this database you will find the library tutorials helpful.
There are 3 topics in this semester, one for each critical essay:
Critical essay 1:
Due date: 31 March, 11:59PM
Topic: The Need to Balance the Qualitative and Quantitative assessments in Risk Management
Critical essay 2:
Due date: 28 April, 11:59PM
Topic: Aligning IS/IT Risk Management Activities with Business Strategy
Critical essay 3:
Due date: 19 May, 11:59PM
Topic: Effective Information Security & Risk Management Strategy for Small & Medium Enterprises