Information Security PG Assignment Sample
Instructions for students
1. Please make a submission to the canvas drop box for this assignment with your answers to these questions.
2. All submissions should be made as a simple Microsoft Word formatted document. If you do not have Word installed on your computer, you should use the Office 365 account provided by the University, where you will be able to use a version of Microsoft Word.
3. This paper comprises 4 questions with a total of 100 marks and is worth 40% of the marks for the unit. Attempt all questions and all of the parts.
4. Answer all questions in your Word document using the relevant question number. Please do NOT include a copy of the question in your answers. Please start each question on a new page and write the question number at the top of the page. There is no need to start a new page for the individual parts of each question.
5. Please keep answers brief and to the point. Point form answers are permissible, but you should ensure that sufficient detail is provided to make your points clear.
6. Acknowledging the work of others is important in all academic work and you should ensure you reference the work of others in an appropriate manner. The UC version of Harvard author-date (2021) is the preferred system.
Question 1 [40 marks]
The following scenario relates to Question 1 (a), (b) and (c) below.
A large organisation, similar to the University of Canberra, is in the process of implementing a new human resource management (HRM)* system that includes aspects of workflow. An example of the workflow includes facilitating the on-line submission of leave forms and the subsequent approval (or not) of the leave applications by supervisors. It will also allow staff to have on-line access to relevant personnel and payroll records where appropriate (for example, checking payslips and leave balances, submitting performance assessment reports, etc.). The system would also facilitate activity normally undertaken by senior managers.
* for those unfamiliar with HR/HRM systems, these are the systems that organisations use to manage their staffing. This may include: payroll (making sure staff are paid the right amount at the right time); the recording of leave and leave balances (holidays, sick leave, and long service leave etc.); and a repository for performance management data. They are frequently connected with finance systems and sometimes include other details, but the list mentioned here is sufficient for this exercise.
Part (a)
As part of the implementation of this system, relevant security policies need to be reviewed, redeveloped, replaced or modified. Assume that the organisation already has a general information security policy in place along with a range of issue specific security policies, but no current system specific security policy for a HRM system. Outline the major issues you would expect to see covered in a system specific security policy for the HRM system. Discuss this in broad terms, mostly using the headings and brief statements covering the issues that you would expect to find in the system specific policy (you are not expected to provide the detailed clauses of the policy). Do NOT include things that you would normally find in the general University information security policy or issue specific policies.
Part (b)
A system-specific information security policy for the HRM system may include access control lists, or ACLs. This question will require you to create some of the details you might find in the ACLs for the HRM system. For the purposes of this question, the ACLs will be kept relatively simple.
The general classes of users that should be used for this question are:
1 – staff (these are all staff not included in one of the other categories, but staff in the other categories would have this staff level access in addition to that proposed for their specific category);
2 – supervisors;
3 – HR department admin staff;
4 – IT systems administration staff;
5 – senior management.
The IT data resources should include:
1 – staff personal details (names, address, phone numbers, date of birth, sex, etc.);
2 – payslip records (current and previous payslips);
3 – leave records (including balances and planned leave);
4 – leave applications (yet to be approved);
5 – performance assessments.
Note that the system is likely to use more specific user groups (particularly for admin and IT roles), and it is likely to include other data, but these dimensions have been kept simple for this exercise.
Draw up an access control matrix (in the form of a table) for this situation. The table should have the various classes of users in the rows, and the IT resources of the system in the columns. The cells within the matrix should note the appropriate level of access for the relevant user to the data resource. The access permissions can include: read; update; delete; or other particular privileges or restrictions. For the purposes of this exercise you should assume that someone with limited knowledge of HR systems will then implement this system and associated access security using the data provided in your table. As such, avoid omitting data because you think it might seem obvious. You do not need to provide a rationale for any of the access privileges in your answer to this part – just populate the table in such a way that it describes the relevant privileges.
Part (c)
In your answer to part (b), you should have described the access privileges for all of the classes of users. Provide a rationale that justifies the level of access that you have given to the following two classes of users of the HRM system:
• IT systems administration staff
• senior management
Question 2 [25 marks]
Part (a)
One of the challenges with ICT security is ‘selling’ the notion of investing in ICT security. One approach is to use a traditional return on investment approach with an emphasis on information security issues. This is referred to as a Return on Security Investment (ROSI) and ROSI calculations can be presented to management to justify security investments. The ROSI elements discussed during the semester included the following formula components: Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annual Loss Expectancy (ALE) which is calculated: ALE = ARO * SLE; Modified Annual Loss Expectancy (MALE) (this is the ALE after the implementation of the proposed security controls). The ROSI takes account of the ALE, the MALE and the cost of the proposed controls. Consider the following scenario involving the help desk staff responsible for providing support to the HRM system from question 1: The help desk staff reset hundreds of passwords annually for various reasons. On average the help desk staff reset 10 passwords annually without properly verifying the staff member’s identity and provide access to the wrong person. The damage from reputational harm and privacy breaches is estimated to cost $16,000 per incident. By implementing a verification software package with a licence cost of $8,000 per annum, the loss expectancy would be reduced by 75%. Calculate the ROSI for this scenario. Given this scenario, discuss the limitations with using a ROSI calculation in this manner. You should provide 5 issues that highlight limitations with the application of a ROSI used as a primary means to justify this control.
Part (b)
Your information security section within the university (as per Q1) conducts a series of rolling security evaluations of its general IT environment and specific core application systems. You have been allocated the task of conducting the evaluation of the baseline controls in the general IT environment. An activity early in this process is the construction of a suitable normative model for the evaluation. Using the ISO 27002 information security framework discussed during the semester, identify 7 controls that would be important elements of the normative model. It is quite likely that there will be many more than 5 controls relevant to this baseline security situation, but you should try to select 7 of the more important controls. You should provide a brief rationale for the selection of the controls for the normative model.
Question 3
Part (a)
Information security should be balanced against the business goals of the organisation. What symptoms might be exhibited by an organisation in which information security considerations have been overdone?
Part (b)
Can trained individuals serve as a "human firewall" to mitigate the risks associated with human error in information security, or do you believe that humans are inherently the weakest link in such scenarios? Please provide an explanation, supported by relevant examples and justifications.
Question 4
Insider threats describe security threats to an organisation coming from people working inside the organisation. As the CISO (Chief Information Security Officer) of an organisation, you are aware that insider threats are an increasing exposure for all organisations. For each of these insider threats listed below:
a) identify controls that could reduce the risk the threat occurring (prevention);
b) identify controls that would assist with the detection of these threats, should they occur.
The solutions can use some technology, but the human factor is also important in addressing these issues. The solutions shouldn’t prevent the normal work of the organisation from occurring. Answer by listing the number of the threat and associated control type (1a,1b, 2a, 2b) and your answer. You should briefly describe two controls for each of the parts (hence, 8 controls in total).
Insider Threats
1. An IT systems administrator uses their privileged access to insert some additional (ghost) staff members on the payroll system and then collects the pay of these ghost staff members;
2. A member of a University student administration area with access privileges to update grades in the student records system has been taking bribes from students to modify their grades for important units. Note that the normal workflow involves grade modifications being recommended by academics in charge of the relevant unit, the grade changes being approved by various processes, then entered into the student records system by a staff member in the student administration area.
Solution
Introduction
This paper covers the basics of information security and evaluates the main risks an organisation such as a university faces. It emphasises preventive action and adequate controls to reduce the impact of threats, and treats frameworks such as ISO/IEC 27002 as central to protecting an organisation's data. It closes with insider threats and the controls that prevent and detect malicious activity by insiders.
Q1
Part (a)
The HRM system has its own set of security risks and requirements that the general and issue-specific policies do not address, so a system-specific security policy is needed as part of the rollout. Its purpose is to make staff aware of their responsibilities for keeping the HRM system secure and to set clear standards and procedures for managing and protecting the data held in it. The main issues such a policy should cover are listed below:
The system-specific policy should be reviewed and updated regularly to confirm that it still adequately secures the HRM system and the information it holds.
Part (b)
Based on the user classes and IT data resources given in the question, one set of access permissions for the HRM system is set out in the matrix below. Rows are user classes and columns are data resources; each cell lists the permitted actions and the records they apply to: "own" means the user's own records, "reports" the records of the user's direct reports, and "all" every staff member's records. Anything not listed in a cell is denied. The matrix is deliberately simple; a production system would split the admin and IT roles further, and the permissions should be reviewed regularly against the organisation's needs and the threats it faces.
Access Control Matrix
| User class | 1. Staff personal details | 2. Payslip records | 3. Leave records | 4. Leave applications | 5. Performance assessments |
|---|---|---|---|---|---|
| 1. Staff | read (own) | read (own) | read (own) | create, read (own) | read (own) |
| 2. Supervisors (plus staff access) | read, update (reports) | read (reports) | read, update (reports) | read, approve/reject (reports) | read, update (reports) |
| 3. HR department admin staff (plus staff access) | read, update, delete (all) | read, update (all); no delete | read, update, delete (all) | read, update, delete (all) | read, update, delete (all) |
| 4. IT systems administration staff (plus staff access) | read, update, delete (all) | read, update, delete (all) | read, update, delete (all) | read, update, delete (all) | read, update, delete (all) |
| 5. Senior management (plus staff access) | read (all) | read (all) | read (all) | read (all); approve/reject (reports) | read (all) |
Conditions
• Staff may read their own personal details, payslips, leave records and performance assessments, submit leave applications and read the applications they have submitted. They have no access to other staff members' records.
• Supervisors, in addition to staff access, may read and update the personal details, leave records and performance assessments of their direct reports, read their direct reports' payslips, and read and approve or reject their direct reports' leave applications.
• HR department admin staff may read, update and delete all resources for all staff, except payslip records, which they may read and update but not delete.
• IT systems administration staff have full read, update and delete access to all resources for all staff.
• Senior management may read all resources for all staff and may approve or reject leave applications from their own direct reports.
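The matrix above is mostly made of scoped cells ("own", "reports"), which means an implementer cannot enforce it from role names alone: the check needs the relationship between the requester and the owner of the record. The following Python, added here as an illustration and not part of the original assignment or solution, encodes the matrix as data and applies it with that scoping. The staff IDs, the reporting lines in the directory, and the `check` helper are constructed for the example.

```python
"""Access control matrix for the HRM system (Part (b)) with relationship scoping.

Added example, not from the original assignment. Scopes: "own" = the requester's
own record, "reports" = a direct report's record, "all" = any staff member.
Every user also holds the "staff" row, as the question requires.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

RESOURCES = ("personal_details", "payslips", "leave_records",
             "leave_applications", "performance_assessments")
FULL = {"read": "all", "update": "all", "delete": "all"}

MATRIX = {
    "staff": {
        "personal_details": {"read": "own"},
        "payslips": {"read": "own"},
        "leave_records": {"read": "own"},
        "leave_applications": {"read": "own", "create": "own"},
        "performance_assessments": {"read": "own"},
    },
    "supervisor": {
        "personal_details": {"read": "reports", "update": "reports"},
        "payslips": {"read": "reports"},
        "leave_records": {"read": "reports", "update": "reports"},
        "leave_applications": {"read": "reports", "approve": "reports"},
        "performance_assessments": {"read": "reports", "update": "reports"},
    },
    "hr_admin": {
        "personal_details": dict(FULL),
        "payslips": {"read": "all", "update": "all"},   # no delete on payslips
        "leave_records": dict(FULL),
        "leave_applications": dict(FULL),
        "performance_assessments": dict(FULL),
    },
    "it_admin": {r: dict(FULL) for r in RESOURCES},
    "senior_management": {
        "personal_details": {"read": "all"},
        "payslips": {"read": "all"},
        "leave_records": {"read": "all"},
        "leave_applications": {"read": "all", "approve": "reports"},
        "performance_assessments": {"read": "all"},
    },
}


@dataclass(frozen=True)
class User:
    uid: str
    roles: FrozenSet[str]        # roles held in addition to the implicit "staff" row
    manager: Optional[str]       # uid of the direct supervisor, None at the top


# Constructed staff directory: who reports to whom decides the "reports" scope.
DIRECTORY: Dict[str, User] = {
    "u100": User("u100", frozenset(), "u200"),                      # staff, team A
    "u101": User("u101", frozenset(), "u201"),                      # staff, team B
    "u200": User("u200", frozenset({"supervisor"}), "u300"),        # supervises u100
    "u201": User("u201", frozenset({"supervisor"}), "u300"),        # supervises u101
    "u300": User("u300", frozenset({"senior_management"}), None),  # supervises u200, u201
    "u400": User("u400", frozenset({"hr_admin"}), "u300"),
    "u500": User("u500", frozenset({"it_admin"}), "u300"),
}


def _scope_satisfied(scope: str, requester: User, owner: str, directory: Dict[str, User]) -> bool:
    if scope == "all":
        return True
    if scope == "own":
        return requester.uid == owner
    if scope == "reports":
        return directory[owner].manager == requester.uid
    raise ValueError(f"unknown scope {scope!r}")


def is_permitted(requester: User, action: str, resource: str, owner: str,
                 directory: Dict[str, User]) -> bool:
    """True if any of the requester's rows grants `action` on `owner`'s `resource`."""
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    for role in requester.roles | {"staff"}:
        scope = MATRIX[role].get(resource, {}).get(action)
        if scope is not None and _scope_satisfied(scope, requester, owner, directory):
            return True
    return False   # default deny: anything not in the matrix is refused


def check(requester_id: str, action: str, resource: str, owner_id: str,
          directory: Dict[str, User] = DIRECTORY) -> bool:
    return is_permitted(directory[requester_id], action, resource, owner_id, directory)


if __name__ == "__main__":
    for args in (("u100", "read", "payslips", "u100"), ("u100", "read", "payslips", "u101"),
                 ("u200", "approve", "leave_applications", "u100"),
                 ("u200", "approve", "leave_applications", "u101"),
                 ("u400", "delete", "payslips", "u100"), ("u300", "read", "payslips", "u101")):
        print(args, "->", "permit" if check(*args) else "deny")
```

The point the code makes is that two requests with the same role and the same action get different answers depending on the reporting line, so the matrix must be paired with an authoritative source of "who reports to whom" (here the directory) that the requester cannot edit.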
Part (c)
IT systems administration staff are given full (read, update, delete) access to all five data resources because they install, patch, back up, restore and troubleshoot the system, and those tasks can require touching any table in it. Two qualifications should accompany that grant, otherwise it is simply the largest standing privilege in the system. First, it is a platform privilege, not a business one: IT administrators should not need to view or alter an individual's payslip, leave or assessment in the normal course of their work, and the policy should say so. Second, because the same people control the system, every use of administrative access to HR data should be logged to a system the administrators cannot alter and reviewed by HR or the security team, with day-to-day work done from a less privileged account and full access reserved for maintenance windows and approved incidents (Alsmadi and Al-Ameed, 2020).
Senior management are given read access across all staff records because they make staffing, budget and organisational decisions using payroll, leave and performance data, and because they are accountable for how the HRM system is used. Their write access is limited to approving leave applications from their own direct reports, which mirrors a supervisor's access at their level. Seniority does not justify update or delete rights over the underlying records: senior managers do not maintain personal details or payroll, and a mistaken or malicious change made from a senior account would be harder to challenge. Even their read access should be confined to the information a given manager's role requires, and they should be made aware of their responsibilities when handling personal data.
Q2
Part (a)
Using the figures given in the question:
- SLE = $16,000 (the estimated reputational and privacy-breach damage per incident)
- ARO = 10 (password resets a year handed to the wrong person)
- ALE = ARO * SLE = 10 * $16,000 = $160,000
- MALE = the ALE after the control; a 75% reduction leaves 25% of the ALE: $160,000 * 0.25 = $40,000
- Cost of the proposed control = $8,000 per year (licence)
ROSI = (ALE - MALE - Cost of proposed control) / Cost of the proposed control
ROSI = ($160,000 - $40,000 - $8,000) / $8,000 = $112,000 / $8,000 = 14
A ROSI of 14 (1,400%) means the control is expected to avoid $120,000 of annual loss for an $8,000 outlay, a net benefit of $14 for every dollar spent after the package has paid for itself. On these inputs the investment is easily justified.
Using a ROSI figure of this kind as the primary justification for the control has several limitations, however.
1. The result is only as good as its inputs. The ARO (10 mis-verified resets a year), the SLE ($16,000) and the 75% effectiveness claim are all estimates, and the ALE multiplies two of them together. Small changes in any of them move the ROSI substantially, so a control that looks compelling on estimated inputs may not be on measured ones.
2. Harm that is hard to price is forced into a single dollar figure. Reputational damage, loss of staff trust and the regulatory consequences of exposing personal data are real, but the $16,000 figure is at best a rough proxy for them; the calculation gives it false precision and ignores any consequence that was not priced at all.
3. The calculation assumes the control works as claimed. The 75% reduction is an expectation, not a measurement; it does not account for the package being misconfigured, bypassed by help-desk staff under time pressure, or defeated by attackers who adapt their pretexts to it.
4. It is a static, single-period view. Threats, incident rates and the organisation's exposure change over time, so a ROSI computed today says nothing about how the control performs as the threat environment or the HRM system itself changes.
5. It ignores opportunity cost and alternatives. The $8,000 could fund other controls (for example, a stronger verification procedure and training for help-desk staff might cut the same losses at lower cost), and ROSI compares one control with doing nothing rather than with the other options available.
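The first limitation above (sensitivity to the inputs) is easy to show numerically. The Python below is an added example, not part of the original assignment or solution: it carries the question's figures through the ALE, MALE and ROSI formulas and then adds two things the text does not compute, the break-even points at which the control merely pays for itself and a sweep over the claimed effectiveness. The function names and the candidate reduction values are assumptions for the illustration.

```python
"""ROSI for the help-desk password-reset scenario, with a sensitivity check.

Added example, not from the original assignment. Inputs are the question's:
ARO = 10 incidents/year, SLE = $16,000, control cost $8,000/year, claimed 75%
loss reduction. The break-even and sweep functions are additions.
"""


def ale(aro: float, sle: float) -> float:
    """Annual Loss Expectancy = Annual Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def male(ale_value: float, reduction: float) -> float:
    """Modified ALE after the control: the share of the ALE the control does not remove."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return ale_value * (1.0 - reduction)


def rosi(ale_value: float, male_value: float, control_cost: float) -> float:
    """ROSI = (ALE - MALE - cost) / cost: net benefit per dollar spent on the control."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_value - male_value - control_cost) / control_cost


def break_even_reduction(ale_value: float, control_cost: float) -> float:
    """Smallest loss reduction at which ROSI = 0 (the control just pays for itself)."""
    return control_cost / ale_value


def break_even_aro(sle: float, reduction: float, control_cost: float) -> float:
    """Smallest incident rate at which the control pays for itself at the claimed reduction."""
    return control_cost / (sle * reduction)


def sensitivity(aro: float, sle: float, control_cost: float, reductions):
    """ROSI for each candidate effectiveness figure, as (reduction, rosi) pairs."""
    a = ale(aro, sle)
    return [(r, rosi(a, male(a, r), control_cost)) for r in reductions]


# Figures from the question.
SCENARIO = {"aro": 10, "sle": 16_000, "control_cost": 8_000, "reduction": 0.75}


def scenario_rosi() -> float:
    a = ale(SCENARIO["aro"], SCENARIO["sle"])
    return rosi(a, male(a, SCENARIO["reduction"]), SCENARIO["control_cost"])


if __name__ == "__main__":
    a = ale(SCENARIO["aro"], SCENARIO["sle"])
    print(f"ALE  = ${a:,.0f}")
    print(f"MALE = ${male(a, SCENARIO['reduction']):,.0f}")
    print(f"ROSI = {scenario_rosi():.2f} ({scenario_rosi():.0%})")
    print(f"break-even reduction at ARO=10: {break_even_reduction(a, SCENARIO['control_cost']):.0%}")
    print(f"break-even ARO at 75% reduction: "
          f"{break_even_aro(SCENARIO['sle'], 0.75, SCENARIO['control_cost']):.2f} incidents/year")
    for r, v in sensitivity(10, 16_000, 8_000, [0.05, 0.25, 0.50, 0.75, 0.90]):
        print(f"  claimed reduction {r:>4.0%} -> ROSI {v:6.2f}")
```

The sweep shows why the input estimates matter more than the headline figure: with an ALE of $160,000 the package breaks even at only a 5% reduction, and at the claimed 75% it breaks even at fewer than one incident a year. The decision therefore turns on whether 10 incidents and $16,000 each are credible numbers, not on whether the ROSI is 14 or 12.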
Part (b)
ISO/IEC 27002 is a code of practice for information security controls: it gives guidance on selecting and implementing controls and is not itself certifiable (that is the role of ISO/IEC 27001). The 2013 edition cited here groups 114 controls into 14 control clauses (clauses 5 to 18); the 2022 revision reorganises them into four themes, but the clause references below follow the 2013 edition. The question asks for seven controls that should form part of the normative model for evaluating the baseline security of the university's general IT environment.
Figure 1 ISO/IEC 27002
(Source: ISO27001, 2022)
1. Information Security Policies (ISO/IEC 27002:2013 clause 5.1): a management-approved set of information security policies that is published, communicated to staff and relevant external parties, and reviewed at planned intervals. The policy set defines the scope, objectives and principles of the security programme and demonstrates management commitment; for a baseline evaluation it is also the reference against which every other control is judged (ISO, 2013).
2. Access Control (clause 9): business requirements for access control, user registration and de-registration, management of privileged access rights and periodic review of access (9.1, 9.2), and system and application access control including secure log-on and password management (9.4). Access control combines technical, administrative and physical measures so that only authorised users reach sensitive data and systems, and it is the control most directly responsible for confidentiality and integrity in systems such as the HRM system.
3. Information Classification and Handling (clause 8.2): classification of information by its sensitivity and criticality, labelling, and handling procedures matched to the classification, so that protection against unauthorised access, disclosure, alteration or destruction is proportionate to the information's value (Dang, Tran and Nguyen, 2021). Personnel and payroll data are an obvious example of information needing a high classification in the university context.
4. Network Security Management (clause 13.1): network controls, security of network services and segregation of networks. Firewalls, intrusion detection and prevention systems, and segmentation between general, administrative and research networks protect the university's infrastructure from both external and internal threats.
5. Information Security Incident Management (clause 16.1): responsibilities and procedures for detecting, reporting, assessing and responding to security events and incidents, collecting evidence, and learning from incidents. This control ensures that incidents are handled promptly and consistently from discovery to resolution and that the root causes are addressed to avoid recurrence.
6. Information Security Awareness, Education and Training (clause 7.2.2): all employees and, where relevant, contractors receive awareness training and regular updates on the policies and procedures that apply to their job. In a university the audience also includes students and casual staff; this is the control that addresses the human errors behind most incidents and builds a security culture on campus.
7. Information Security Aspects of Business Continuity Management (clause 17), with information backup (clause 12.3.1): planning, implementing and testing the continuity of information security, redundancy of processing facilities, and regular backups that are tested for recoverability. Backup and recovery procedures, emergency response and disaster recovery plans keep the university operating through a natural disaster or other disruption (Chen et al., 2019).
These controls were chosen for the normative model because they are the foundations on which the remaining controls rest and so give the evaluation the most value. The information security policies set the direction; access control, information classification and handling, and network security management are the principal protections for information assets; security awareness and training establish a security culture across the institution; incident management ensures that security events are handled in a timely and consistent way; and business continuity management ensures the university can keep operating whatever happens. Taken together, the ISO/IEC 27002 controls provide a complete catalogue from which a normative model for assessing the baseline safeguards in a university's IT environment can be built.
Q3
Part (a)
An organisation that has overdone information security shows it in a number of ways. Typical symptoms are:
1. Excessive controls: Overzealous information security measures might cause an organization to implement unnecessary restrictions that slow down normal operations. For instance, if a company has set up too many data access restrictions, its staff may be hampered in their work. Employees may become dissatisfied as a result, which in turn reduces their output.
2. Inflexibility: Organisational rigidity and slowness to react to change have been linked to an excessive focus on information security. It may be difficult for a company to make adjustments to its IT infrastructure if it has adopted too many security measures. It may be hampered in its capacity to adapt to shifting market circumstances and take advantage of emerging business possibilities (Du et al., 2019).
3. High Costs: Extremely expensive prices may result from an excessive focus on information security. For an organization to retain its security posture after implementing several security measures, it may need significant investments in hardware, software, and personnel training. This may result in high operating expenses, which may reduce the company's capacity to turn a profit.
4. Lack of innovation: An excessive focus on information security risks stifling innovation. A company that is too concerned with safety may be reluctant to adopt useful innovations in technology or management. Because of this, the company may be hampered in its efforts to innovate and expand.
5. Low morale: An overabundance of information security measures may reduce morale in the workplace. An excessive emphasis on security may create an atmosphere of suspicion and surveillance, which makes it hard to recruit and retain the best employees and lowers job satisfaction (Maruping, Agarwal and D'Arcy, 2020).
An organization's operations may suffer if too much emphasis is placed on information security. To ensure that security measures are suitable and effective without impeding business activities, it is crucial to strike a balance between information security concerns and the demands of the company.
Part (b)
The term "human firewall" refers to the idea that educated and prepared people may provide an extra barrier of defense against cyberattacks. However, the cybersecurity industry is still split on the question of whether or not specially trained persons can effectively function as a human firewall. This answer will analyze both of these claims and provide supporting evidence and explanations. Although human error poses a significant threat to information security, some have found success using a human firewall to protect against it. The concept is that a group of knowledgeable people may serve as a "human firewall," blocking off unwanted intrusions. Individuals may play an important role in a complete cybersecurity plan with the proper education and guidance.
Phishing assaults are a good illustration of the usefulness of the human firewall strategy. Attackers often employ phishing emails and other forms of communication to deceive victims into divulging sensitive information or installing malware. Successful phishing attempts may be greatly reduced if employees are taught to spot and report questionable emails. The percentage of successful phishing assaults was found to be reduced by 64 percent in companies that gave regular security awareness training to their staff, according to research done by the Aberdeen Group.
Additionally, the possibility of human mistakes in information security may be mitigated by having a well-educated staff. The chance of data breaches and other security events may be reduced if organizations educate their employees on how to safeguard confidential information and assets. Training on topics such as safe data handling and transmission, passwords and multi-factor authentication, and the identification and reporting of possible security problems are all part of this. However, many believe the human firewall method is insufficient since people are always going to be the weakest link in information security. The argument rests on the notion that even the most well-trained persons may be deceived or influenced by skilful adversaries due to their fallibility as human beings (Peltier-Rivest and Sharman, 2020). This is the case when cybercriminals use elaborate social engineering techniques to deceive their targets into divulging confidential information or installing malicious software.
The "CEO fraud" scam is an example of this kind of assault in which criminals pose as high-ranking executives to deceive unsuspecting staff into sending money. Here, the adversary employs a variety of social engineering techniques and uses information readily accessible to the public to generate an authentic-sounding narrative. In the face of time constraints or if the attacker has done their research and has access to extensive knowledge about the target organization, even highly trained personnel may be vulnerable to such assaults. Ultimately, it's clear that skilled people are an asset to any cybersecurity plan, but they can't take the place of other, more technological safeguards. Factors like training quality and frequency, attacker sophistication, and an organization's overall security posture will all influence how well the human firewall strategy works. Therefore, the human firewall strategy should be viewed as part of a larger, multi-layered security strategy that also includes technical controls like firewalls, intrusion detection systems, and access controls, along with incident response policies and procedures and continuous security monitoring.
Q4
Insider threats are harder to control than external ones because the insider already holds legitimate access. The controls below therefore combine limits on what any one person can do alone (prevention) with independent records and reconciliations that reveal misuse after the fact (detection), while leaving the normal work of the organisation intact. Each insider threat is different, so each set of controls has to be evaluated, revised and updated as the systems and the people around them change.
Insider Threats Control Measures
Threat 1:
1a. Least privilege and separation of duties: The administrator's privileged access should be to the platform (operating system, database, application configuration), not to the payroll business function. Least privilege restricts each account to what its holder needs to do their job, so administrative accounts should not hold the application role that creates payees. Separation of duties then ensures that adding a person to the payroll is an HR admin transaction that requires an active HR master record and a second person's approval before the first payment is released. Even if an administrator's account is compromised or misused, it cannot on its own create a payee and direct pay to a bank account (Moyer, Collins and Terando, 2019).
1b. Privileged activity monitoring and payroll reconciliation: Administrative actions (privileged log-ons, direct database changes, payee records created outside the HR workflow) should be logged to a system the administrators cannot modify and reviewed by someone outside IT; access outside regular hours or to systems the administrator does not normally use are the patterns to look for (Taheri, Jafarian and Mousavi, 2019). Independently, finance or HR should reconcile each pay run against the HR master record and headcount. Payees with no active HR record, bank account numbers shared between payees, and payees who never take leave are classic indicators of ghost employees, and the reconciliation must not be performed by the IT staff who administer the system.
Threat 2:
2a. Role-based access control with workflow enforcement: Role-based access control (RBAC) limits grade updates to the student administration role, so staff cannot change grades for systems or functions outside their responsibilities. In this scenario, however, the insider already holds that role, so the system must also enforce the approval workflow: a grade change should be accepted only when it is linked to a change request that the unit's academic has recommended and the approval process has signed off, and the person entering the change must be different from the people who recommended and approved it. Separation of duties in this form means no single person can carry a grade from recommendation to the student record.
2b. Anomaly detection on the grade-change audit trail: Every grade change should be written to an audit log that the operator cannot edit, and that log should be compared against the approval records; a change with no matching approved request is the primary red flag. Beyond that, each operator's normal behaviour provides a baseline, and spikes in volume, changes concentrated in a few high-stakes units, changes made outside working hours, or repeated changes to the same students' records should be flagged for review. Statistical or machine-learning anomaly detection can learn these baselines automatically, but the approval-matching check is deterministic and should run regardless.
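The two detective controls (1b and 2b) are reconciliation checks, so they can be written as a short script that runs over exported records. The Python below is an added example, not part of the original assignment or solution. It applies 1b to a constructed payroll extract and HR master list (payees with no active HR record, bank accounts shared between payees) and 2b to a constructed grade-change audit trail (changes without an approved request, changes outside working hours, operators exceeding a daily change count). All record fields, identifiers, the working-hours window and the daily limit are assumptions for the illustration; a real deployment would take these from the payroll, HR and student records exports.

```python
"""Detective controls for the two insider threats in Question 4.

Added example, not from the original assignment. Sample data is constructed.
  1b  ghost employees: reconcile payroll against the HR master record
  2b  grade tampering: correlate grade-change audit events with approvals
"""
from collections import Counter, defaultdict
from datetime import datetime

# --- constructed sample data --------------------------------------------------
HR_MASTER = {"S001": "active", "S002": "active", "S003": "terminated"}   # staff_id -> status
PAYROLL = [                                                              # one row per payee
    {"staff_id": "S001", "name": "A. Staff",  "bank": "062-000 1111"},
    {"staff_id": "S002", "name": "B. Staff",  "bank": "062-000 2222"},
    {"staff_id": "S003", "name": "C. Former", "bank": "062-000 3333"},  # terminated, still paid
    {"staff_id": "S999", "name": "G. Host",   "bank": "062-000 2222"},  # no HR record, shares B's account
]
GRADE_APPROVALS = {                      # request_id -> (student, unit, approved?)
    "R-1": ("U1001", "INFS7001", True),
    "R-2": ("U1002", "INFS7001", False),
}
GRADE_AUDIT = [                          # audit trail written by the student records system
    {"ts": "2023-05-01T09:10:00", "operator": "adm1", "student": "U1001", "unit": "INFS7001", "request": "R-1"},
    {"ts": "2023-05-01T09:12:00", "operator": "adm1", "student": "U1002", "unit": "INFS7001", "request": "R-2"},
    {"ts": "2023-05-01T23:40:00", "operator": "adm2", "student": "U1003", "unit": "INFS7002", "request": None},
    {"ts": "2023-05-01T23:41:00", "operator": "adm2", "student": "U1004", "unit": "INFS7002", "request": None},
    {"ts": "2023-05-01T23:42:00", "operator": "adm2", "student": "U1005", "unit": "INFS7002", "request": None},
]


def ghost_employee_findings(payroll, hr_master):
    """1b: payees with no active HR record, and bank accounts shared by more than one payee."""
    findings = []
    for row in payroll:
        status = hr_master.get(row["staff_id"])
        if status != "active":
            findings.append((row["staff_id"], f"paid but HR status is {status or 'missing'}"))
    by_bank = defaultdict(list)
    for row in payroll:
        by_bank[row["bank"]].append(row["staff_id"])
    for bank, ids in by_bank.items():
        if len(ids) > 1:
            findings.append((",".join(sorted(ids)), f"bank account {bank} shared"))
    return sorted(findings)


def grade_change_findings(audit, approvals, per_operator_limit=2, work_hours=(8, 18)):
    """2b: grade changes with no approved matching request, changes outside working
    hours, and operators exceeding `per_operator_limit` changes in one day."""
    findings = []
    per_operator_day = Counter()
    for ev in audit:
        req = approvals.get(ev["request"]) if ev["request"] else None
        if req is None:
            findings.append((ev["student"], ev["unit"], "change without any request"))
        elif not req[2] or (req[0], req[1]) != (ev["student"], ev["unit"]):
            findings.append((ev["student"], ev["unit"], "request not approved or does not match"))
        ts = datetime.fromisoformat(ev["ts"])
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append((ev["student"], ev["unit"], "changed outside working hours"))
        per_operator_day[(ev["operator"], ts.date())] += 1
    for (operator, day), n in per_operator_day.items():
        if n > per_operator_limit:
            findings.append((operator, str(day), f"{n} grade changes in one day"))
    return sorted(findings)


if __name__ == "__main__":
    for f in ghost_employee_findings(PAYROLL, HR_MASTER):
        print("1b:", *f)
    for f in grade_change_findings(GRADE_AUDIT, GRADE_APPROVALS):
        print("2b:", *f)
```

Both checks depend on data the insider does not control: the HR master record is maintained by HR, not the IT administrator, and the approval records come from the academics and approvers, not the student administration operator. If the insider could edit those sources, or the audit log itself, the reconciliation would be blind, which is why 1b and 2b both insist on logs and reference data held outside the insider's reach.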
It takes a mix of technological and human controls to prevent and identify insider threats. Many measures, like access control, user activity monitoring, role-based access control, and anomaly detection, may be put in place to monitor for and identify insider threats. However, these safeguards must be put in place in a manner that does not disrupt regular operations. For instance, the level of invasiveness of user activity monitoring shouldn't be such that workers feel continually watched. By fostering a culture of security awareness and encouraging workers to report suspicious conduct, effective communication, training, and awareness campaigns may also aid in lowering the risk of insider threats (Wirth, Maret and Klein, 2019).
Conclusion
Monitoring and evaluating information security systems regularly is essential for providing sufficient safeguards for an organization's data. Risks may and should be reduced if organizations adopt preventative measures including establishing strong security controls and encouraging a security-conscious culture. The paper highlights and discusses many outside and internal dangers that businesses confront. An organization's security posture may be strengthened and the consequences of any breaches lessened by adopting the suggested controls and methods.
References
Alsmadi, M. and Al-Ameed, S. 2020. Factors influencing information security management effectiveness: A systematic review. Journal of Information Security and Applications, 50, pp. 1-24. doi: 10.1016/j.jisa.2019.102409
Dang, Q. V., Tran, T. T. H. and Nguyen, N. D. 2021. Enhancing the information security of mobile learning systems in education: A case study in Vietnam. Education and Information Technologies, 26(5), pp. 6475-6495. doi: 10.1007/s10639-021-10605-6
ISO/IEC. 2013. ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls. Geneva: International Organization for Standardization.
ISO27001. 2022. ISO/IEC 27002 controls catalogue. [online] Available at: https://www.iso27001security.com/html/27002.html [Accessed 9 May 2023].
Jajodia, S., Swarup, V., Wang, C. and Wang, X. 2019. Insider threat detection and prevention: Challenges and open problems. IEEE Security and Privacy, 17(1), pp. 8-16. doi: 10.1109/MSP.2018.2873509
Jin, J., Zhang, M., Chen, X. and Wang, Y. 2019. A novel approach for security assessment of cloud-based learning systems. Security and Communication Networks, 2019, pp. 1-12. doi: 10.1155/2019/8463246
Li, X., Huang, D., Li, H. and Du, X. 2019. A user-centered model for designing information security training systems. Journal of Computer Information Systems, 59(2), pp. 142-152. doi: 10.1080/08874417.2018.1469347
Maruping, L. M., Agarwal, R. and D'Arcy, J. 2020. A multi-level perspective on information security awareness and behavior: Recommendations for advancing theory and practice. Journal of the Association for Information Systems, 21(5), pp. 1039-1070. doi: 10.17705/1jais.00586
Moyer, S. B., Collins, S. J. and Terando, W. J. 2019. Insider threat: A review of insider threat mitigation strategies. Journal of Cybersecurity, 5(1), pp. 1-11. doi: 10.1093/cybsec/tyy021
Pasic, A. and Bjerknes, G. 2019. Identifying and mitigating insider threats using behavioral analysis. Proceedings of the 11th International Conference on Human System Interaction (HSI), pp. 554-560. doi: 10.1109/HSI.2018.8431192
Peltier-Rivest, D. and Sharman, R. 2020. Rethinking cybersecurity awareness programs: A human factors engineering perspective. International Journal of Human-Computer Interaction, 36(5), pp. 427-439. doi: 10.1080/10447318.2019.1661999
Taheri, H., Jafarian, A. and Mousavi, S. H. 2019. Designing a framework for reducing the risk of insider threats in IT organizations. Computers and Security, 82, pp. 1-16. doi: 10.1016/j.cose.2018.11.006
Upadhyaya, S. and Govil, M. C. 2020. A comprehensive study on insider threats in the cyber world. Journal of Ambient Intelligence and Humanized Computing, 11(10), pp. 4431-4444. doi: 10.1007/s12652-020-01941-4
Wirth, T., Maret, M. and Klein, M. 2019. Towards an approach for the management of insider threats: A structured literature review. Proceedings of the 52nd Hawaii International Conference on System Sciences (HICSS), pp. 6241-6250. doi: 10.24251/hicss.2019.750
Yang, H., Huang, K. and Liu, H. 2019. An empirical study of IT security management for university. IEEE Access, 7, pp. 6341-6352. doi: 10.1109/ACCESS.2018.2883723
Zhu, S., Li, S., Hu, Y., Li, X. and Li, X. 2018. Research on the evaluation index system of university information security management. Journal of Physics: Conference Series, 1069, pp. 1-17. doi: 10.1088/1742-6596/1069/1/012017