TNE80009 Development and implementation of security programme

1. Security programme and implementation Project

You are to carry out a risk analysis for the organisation described in Section 5, specify policy to address that risk and specify how it will be implemented.

This project is to be conducted in groups of 3 students. Smaller or larger groups are acceptable but a higher standard will be expected from larger groups. Your team can include TNE30009 students but you must evaluate the scenario specified. The project report is due at midnight on the Sunday following the end of semester.

2. Project requirements

For the organisation, you are required to:

1. Identify the major security risks faced by this organisation and perform a risk analysis. The number of major risks is to be no more than five. You must use the Delphi method discussed in class.
2. Write security policies that address the risks identified in the risk analysis.
3. Specify how each policy will be implemented. Explain what technologies and procedures will be deployed and how they will be used. Briefly outline the capabilities of the technologies to be implemented.

In preparing this work you will need to make a number of assumptions regarding the organisation. You are welcome to check your assumptions with the instructor. When you prepare your work you will need to document your assumptions.

3. Report

Your work will be submitted as a group project report. Use the format of this document as a guide to the layout of the report. Sections are to be numbered. Diagrams are to be labelled. Any references used are to be listed in a Reference section. The report is to be no more than 15 pages.

Below are the marks allocated to each section. The report will be marked out of 20. Marks will be deducted for no cover page and no or inadequate referencing. Referencing is to be IEEE or Author-Date.

The report is to have the following sections:

1. Cover page.
   This is to include the organisation analysed and the names and student identity numbers of all participants.
2. Executive summary. (1 mark)
   No more than one page outlining the contents and summarising the recommendations of the report.
3. Introduction. (2 marks)
   No more than one page discussing the security issues faced by the organisation including any assumptions made.
4. Risk analysis. (5 marks)
   Identify and rank the security threats faced by the organisation using the Delphi method discussed in class. This is to include an identification of the organisation's relevant assets. Threats faced by the organisation are to specify what assets are at risk. This is to be no more than three pages.
5. Security programme. (5 marks)
   This is to consist of policy statements that address the threats identified in the previous section. No more than five of the most urgent threats are to be addressed. Policy statements are high level statements of security goals. This is to be no more than three pages.
6. Implementation of security programme. (5 marks)
   Specify how each policy will be implemented. Specify what technologies are to be used and where and how they will be deployed. Outline any manual controls to be adopted. Outline technologies that are recommended. This is to be written to sufficient depth that it could be given to technical and administrative staff to implement. This is to be no more than three pages.
7. Summary including recommendations. (2 marks)
   This will consist of a bullet point list of recommendations as well as future areas for consideration when time and budget allow. This is to be no more than one page.
8. References.
   Use IEEE or Author-Date. This is to be no more than one page.

In the above sections you MUST DOCUMENT ANY ASSUMPTIONS YOU MAKE.

4. Assessment

Assessment will be based on how thoroughly and clearly the risk analysis, the security programme and the implementation are described.
Marks will be deducted for failing to adhere to the format of the report and the security programme outlined in section 3. All members of the group will receive the same mark.

5. Company Profile

ISP compulsory metadata collection

You work for an ISP in a country whose government has recently passed legislation mandating the collection of metadata for all communications of its citizens. This has been a source of considerable controversy. Consequently, security of the collection, storage and distribution of the metadata is regarded as being of great importance to the government, who are prepared to provide quite generous funding to support the development of associated systems. However, they are also planning to legislate for very high fines on ISPs should any data be compromised.

The metadata consists of customer account information (user ids, names and addresses), which is reasonably static, and communication data, which is much more dynamic. Communication data to be collected includes IP address mappings from DHCP servers and email source and destination addresses received by or sent from the ISP's customer email servers. Email subject lines are excluded. Destination IP addresses for any communications are also excluded.

Data can be requested by a Law Enforcement Agency through encrypted and authenticated email. Data is delivered to the Law Enforcement Agency also via encrypted and authenticated email. The Law Enforcement Agencies are prepared to consider VPN solutions.

You are to design the security infrastructure that enables metadata to be collected and stored securely and, subject to the correct authorisations, enables it to be delivered to the Law Enforcement Agencies. Given the great sensitivity of the data and the reasonably generous budget, confidentiality, authentication, integrity and availability are to be of the highest order.
Unfortunately, time for implementation is limited so only the top five risks can be addressed.

Appendix: Extract from ISO27001

You may find the following framework useful, but you are not obliged to use it.

1. Allocation of security responsibilities
2. Inventory and classification of key information assets
3. Personnel security
   a. Personnel screening
   b. Training in use of security systems and procedures
   c. Responding to security incidents and malfunctions
      i. Reporting of security incidents
      ii. Reporting of security weaknesses
      iii. Reporting of software malfunctions
      iv. Incident review and follow-up
4. Physical and environmental security
   a. Secure areas
      i. Physical security perimeter
      ii. Physical entry controls
   b. Equipment security
      i. Power supplies
      ii. Equipment maintenance
      iii. Security of equipment off-site
      iv. Disposal and reuse of equipment
5. Communications and operations management
   a. Operational procedures and responsibilities
      i. Documentation of operating procedures
      ii. Operational change control
      iii. Incident management
   b. Protection against malicious software
   c. Network management
   d. Exchanges of information and software
6. Access control
   a. User access management
      i. User registration
      ii. Privilege management
      iii. Password management
   b. Network access control
      i. User authentication for external users
      ii. Node authentication
      iii. Network connection control
      iv. Network routing control
      v. Security of network services
   c. Monitoring of system access and use
      i. Event logging
      ii. Clock synchronisation
   d. Mobile computing and teleworking
7. Compliance
   a. Legal responsibilities
   b. System audits