Assignment title: Information
ACC00222 - Computer Security, Control and Audit
Assignment 2
Due: 5.00pm, Monday of Week 13
Weighting: 40%
RISK ANALYSIS AND SECURITY PLAN
You are to identify a company or organisation that you are familiar with and wish to
perform a full risk analysis of the information system(s) and write a Security Plan. The
organisation you identify should have some form of network interconnecting systems
resources and users.
You should identify a suitable organisation early in the semester and discuss your
choice with the lecturer or tutor. It would be ideal if you identified an organisation that
requires a significant upgrade of its information systems. It is acceptable to choose an
organisation that only has limited information systems facilities (or even none at all)
but that would benefit from the implementation of a significant, networked system. In
determining this, the managers may not even want or believe they need the upgrade,
which means you will have to make appropriate assumptions without their input. While
it does not have to be an actual organisation, it will greatly assist if it is, and you are
familiar with it and its IT operations and requirements. Suitable choices of organisation
might be: a small to medium sized business, a division/unit of a larger
business/government department, a school, a university department, or other moderate
sized organisation. It should have some tens of people using its systems. To make sure
you are on the right track, discuss your choice with the lecturer or tutor. This is very
important because you should not take on more than you can reasonably handle within
the timeframe, objectives and parameters of the unit.
Your Security Plan could have two different emphases as per the marking schedule
below. If the organisation you have chosen has a large fairly stable information
system(s), then the Current Security Status section of the plan will contain the most
extensive part of the risk analysis and the Recommendations section will be fairly small
in comparison. If the organisation is to undergo a major information systems upgrade
and has few or no existing information systems resources then the Recommendations
section will be the major part of the plan and the Current Security Status will be small.
Your task is to perform a risk analysis and develop a security plan for the Company.
You may work either singly, in groups of two (2) or three (3). If you work in a group
you will submit just one copy of the assignment and all members will receive the same
mark.
Assignment solutions should be checked for originality through the Turnitin link (the
link will be created and advised) before you finally submit them. Please make sure you
use this system, review the report it generates and make changes (if necessary!) to
minimise issues of improper citation or potential plagiarism. If you need any advice,
please contact your unit assessor or local tutor.
Make sure you use the Assignment 2 (Security Plan) Report Template provided on
MySCU to format your report for this assessment item.
Working individually...
Develop a security plan for your chosen organisation with the risk analysis
component based on any three (3) areas of security management.
Working in a group of two (2)...
Develop a security plan for your chosen organisation with the risk analysis
component based on any five (5) areas of security management.
You may choose any security areas from the following list or from any other
international standard including Table 15.2 or 15.3 of your text for the purposes of your
analysis.
Possible Security Management Areas:
• Physical and Environmental Security management
• Access Control Management
• Data and Network Security Management
• Communication and Operations Management
• Human Resource Management
• Policy, planning and Governance Management
Working in a group of three (3)...
Develop a full security plan for the organisation based on all threat and control
groups, as per Table 15.2 or 15.3 of your text or any international standard
(including the list above), that may compromise the proposed system(s).
Note that the choice of three (for individual), five (for group of two) or all (for group
of three) areas could mean multiple spreadsheets, as each individual site (if there are
multiple sites) needs its own risk analysis and costing. You are expected to address
at least five specific sub-areas (controls), see Table 15.3, in each security management
area in offering a comprehensive solution for the organisation.
Assignments will be marked in accordance with the following marking schedule.

Task                                                  Possible Marks      Your Marks
Organisation Description                                    5
Security Policy                                            15
Current Security Status (see notes below)          # 10 / @ 20 / * 30
Recommendations (see notes below)                  * 10 / @ 20 / # 30
Network and Systems Diagram and Description
  of current and/or new system                             10
Timetable and Responsibility for Implementation             5
Cost Benefit Analyses                                      20
Report Format                                               5
TOTAL                                                     100
# Current Security Status is a minor section, not requiring threat and control
groups or spreadsheet analyses, because of the lack of existing facilities in the
chosen organisation. The Recommendations section is a major part of the report
requiring threat and control groups and spreadsheet analyses.
* Recommendations is a minor section, requiring threat and control groups or
spreadsheet analyses, because of the many existing facilities in the chosen
organisation. The Current Security Status section is a major part of the report
requiring threat and control groups and spreadsheet analyses.
@ Both the Current Security Status and Recommendations (requiring threat and
control groups or spreadsheet analyses) are included in approximately equal
proportions.
Note that the total of the Current Security Status and Recommendations sections is 40
marks, but depending on the relative importance of the two sections this may be
distributed as 10-30, 20-20, or 30-10 respectively.