Information Security (or Information Security PG) 11759 (or 6682)

Faculty of Science and Technology
Semester 1, 2023
Sample Final Assignment
This is a Sample Final Assignment for Information Security. It provides an indication of what the final assignment in the unit might look like.
Unit Name: Information Security (or Information Security PG)
Unit Number: 11759 (or 6682)
Time allowed: 48 hours
Permitted materials: Open book
Marks on this paper: 100
Marks for assessment: 40
Instructions for students
1. Please make a submission to the canvas drop box for this assignment with your answers to these questions.
2. All submissions should be made as a simple Microsoft Word formatted document. If you do not have Word installed on your computer, you should use the Office 365 account provided by the University, where you will be able to use a version of Microsoft Word.
3. This paper comprises 4 questions with a total of 100 marks and is worth 40% of the marks for the unit. Attempt all questions and all of the parts.
4. Answer all questions in your Word document using the relevant question number. Please do NOT include a copy of the question in your answers. Please start each question on a new page and write the question number at the top of the page.
There is no need to start a new page for the individual parts of each question.
5. Please keep answers brief and to the point. Point form answers are permissible, but you should ensure that sufficient detail is provided to make your points clear.
6. Acknowledging the work of others is important in all academic work and you should ensure you reference the work of others in an appropriate manner. The UC version of Harvard author-date is the preferred system.
Please note that these questions are sample questions only - different questions will be asked in the final take-home assignment, although they may be similar in nature to these questions.
Question 1 [30 marks]
A large organisation, similar to the University of Canberra, is in the process of implementing a new student records system (SRS).
Part (a) (10 marks)
As part of the implementation of this system, the University’s password policy needs to be reviewed. Outline the major issues you would expect to see covered in such a security policy. Discuss this in broad terms, mostly using the headings you would expect to find in the policy (you are not expected to provide the detailed clauses of the policies).
Part (b) (10 marks)
[Tute exercise from week 4 concerning the creation of an ACL table:]
One of the things that might be included in a system-specific information security policy for student records is sometimes referred to as access control lists, or ACLs. In this exercise, we will create some of the details you might find in the ACLs for UC’s student records. For the purposes of this question, the ACLs will be kept relatively simple.
The classes of users that could be used would include: students; lecturers; course convenors; admin staff; IT staff; senior management. The IT data resources could include: personal details of students; students’ current enrolment; students’ historical records; unreleased results for current units; course and unit details.
Note that the system is likely to use more specific user groups (particularly for admin and IT roles), and it is likely to include other data, but these dimensions have been kept simple for this exercise.
Draw up an access control matrix (in the form of a table) for this situation. The table should have the various classes of users in the rows, and the IT resources of the system in the columns.
The cells within the matrix should note the appropriate level of access for the relevant user to the data resource. The access permissions can include: read; update; delete; or other particular privileges or restrictions.
For the purposes of this exercise you should assume that someone with limited knowledge of student record systems will then implement this system and associated access security using the data provided in your table. As such, avoid omitting data because you think it might seem obvious.
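The following is an added example, not part of the exam paper, showing how the access control matrix described in Part (b) can be held and checked in code: user classes in the rows, resources in the columns, and a default-deny lookup. The user classes and resources are the ones named in the exercise; the permission assignments in the cells are illustrative assumptions, not a model answer, and three rows are deliberately left incomplete so that the "nothing omitted" check the exercise asks for has something to report.

```python
# Added example (not part of the exam paper): an access control matrix for the
# hypothetical SRS, stored as a dict of dicts with a default-deny lookup.
# The user classes and resources are the ones named in the exercise; the
# permission assignments below are illustrative assumptions, not a model answer.

USER_CLASSES = [
    "students", "lecturers", "course convenors",
    "admin staff", "IT staff", "senior management",
]
RESOURCES = [
    "personal details", "current enrolment", "historical records",
    "unreleased results", "course and unit details",
]

# Each cell is the set of permitted actions. An empty set is an explicit
# "no access"; a cell that is absent altogether has not been decided yet.
MATRIX = {
    "students": {
        "personal details": {"read", "update"},      # assumption: own record only
        "current enrolment": {"read"},
        "historical records": {"read"},
        "unreleased results": set(),                 # explicitly denied
        "course and unit details": {"read"},
    },
    "lecturers": {
        "personal details": set(),
        "current enrolment": {"read"},               # assumption: own units only
        "historical records": set(),
        "unreleased results": {"read", "update"},
        "course and unit details": {"read"},
    },
    "course convenors": {
        "personal details": set(),
        "current enrolment": {"read"},
        "historical records": {"read"},
        "unreleased results": {"read", "update", "release"},
        "course and unit details": {"read", "update"},
    },
    # admin staff, IT staff and senior management are deliberately left
    # incomplete here so that missing_cells() has something to report.
    "admin staff": {
        "personal details": {"read", "update"},
    },
}


def permissions(user_class, resource):
    """Return the permitted actions for a user class on a resource (default deny)."""
    if user_class not in USER_CLASSES or resource not in RESOURCES:
        raise ValueError(f"unknown user class or resource: {user_class!r}, {resource!r}")
    return frozenset(MATRIX.get(user_class, {}).get(resource, set()))


def is_allowed(user_class, resource, action):
    """Authorisation check: true only if the action is listed in the cell."""
    return action in permissions(user_class, resource)


def missing_cells():
    """Cells with no explicit decision. The exercise asks that nothing be left
    out because it seems obvious, so this is the check to run before handing
    the table over for implementation."""
    return [
        (u, r) for u in USER_CLASSES for r in RESOURCES
        if r not in MATRIX.get(u, {})
    ]


def render_table():
    """Render the matrix as a plain-text table, users in rows, resources in columns."""
    width = max(len(r) for r in RESOURCES) + 2
    header = "user class".ljust(20) + "".join(r.ljust(width) for r in RESOURCES)
    lines = [header]
    for u in USER_CLASSES:
        row = u.ljust(20)
        for r in RESOURCES:
            cell = MATRIX.get(u, {}).get(r)
            text = "UNDECIDED" if cell is None else (", ".join(sorted(cell)) or "none")
            row += text.ljust(width)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
    print("\nundecided cells:", missing_cells())
    print("student may read unreleased results?",
          is_allowed("students", "unreleased results", "read"))
```

The design point is that an absent cell and an empty cell mean different things: an absent cell is a decision nobody has made yet and is what the person implementing the system would otherwise guess at, while an empty cell is a recorded decision to deny. Both are denied at run time, but only the former is reported by the completeness check.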
Part (c) (10 marks)
In your answer to part (b), you should have described the access privileges for all of the classes of users. This question requires you to justify the levels of access that you have given to the groups comprising lecturers and course convenors.
Question 2 [20 marks]
Part (a) (10 marks)
Using the example of a student records system (SRS) from question 1, explain the concept of risk assessments in relation to the information assets of an organisation. It is important that you give examples specific to the SRS in your answer.
Your discussion should include:
• what they are, and the reasons why risk assessments are normally undertaken;
• how often they should be performed, and who should get the results of the exercise;
• an explanation of the differences between informal and detailed approaches;
• the situations where quantitative approaches would be suitable and where qualitative approaches may be more appropriate;
• the situations where a baseline approach may be appropriate (include a brief description of what a baseline approach is).
Part (b) (10 marks)
A question on a quantitative risk assessment and calculation of a ROSI, similar to that done in the week 5/6 tutorial.
Note that you will not be required to remember the detailed ROSI formula for this question.
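As an added worked example (not part of the exam paper), the calculation in Part (b) carried through for one SRS scenario: single loss expectancy (SLE) from asset value and exposure factor, annualised loss expectancy (ALE) from SLE and annualised rate of occurrence (ARO), and the return on security investment (ROSI) of a proposed control as (ALE reduction minus control cost) divided by control cost. The scenario name, every dollar figure and every frequency below are constructed for illustration only.

```python
# Added example (not part of the exam paper): a quantitative risk assessment for
# one SRS threat scenario and the return on security investment (ROSI) of a
# proposed control. Every figure below is constructed for illustration.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of value lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle, aro):
    """ALE = SLE x annualised rate of occurrence (expected incidents per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def rosi(ale_before, ale_after, annual_control_cost):
    """ROSI = (ALE reduction - control cost) / control cost.

    Positive means the control saves more than it costs per year; 1.0 means the
    control returns its own cost again on top of paying for itself."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def assess(scenario):
    """Carry a scenario through SLE -> ALE -> ROSI and return every intermediate."""
    sle = single_loss_expectancy(scenario["asset_value"], scenario["exposure_factor"])
    ale_before = annualised_loss_expectancy(sle, scenario["aro"])
    # The control may lower the rate of incidents, the damage per incident, or both.
    sle_after = single_loss_expectancy(
        scenario["asset_value"],
        scenario.get("exposure_factor_after", scenario["exposure_factor"]),
    )
    ale_after = annualised_loss_expectancy(sle_after, scenario.get("aro_after", scenario["aro"]))
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_risk_reduction": ale_before - ale_after,
        "rosi": rosi(ale_before, ale_after, scenario["control_cost"]),
    }


# Constructed scenario: disclosure of the student personal-details database.
SRS_BREACH = {
    "asset_value": 2_000_000,   # constructed: replacement, notification and reputational cost
    "exposure_factor": 0.25,    # constructed: a quarter of that value is lost per breach
    "aro": 0.10,                # constructed: one breach expected every ten years
    "aro_after": 0.02,          # constructed: with encryption at rest plus access monitoring
    "control_cost": 20_000,     # constructed: annual cost of the control
}

if __name__ == "__main__":
    for name, value in assess(SRS_BREACH).items():
        print(f"{name:>22}: {value:,.2f}")
```

With the constructed figures the SLE is 500,000, the ALE before the control is 50,000 and after it 10,000, so the control cuts expected annual loss by 40,000 at a cost of 20,000, giving a ROSI of 1.0. Changing the control cost in the scenario shows the point a qualitative write-up can hide: the same control becomes a net loss as soon as its annual cost exceeds the ALE reduction.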
Question 3 [20 marks]
Part (a) (10 marks)
Your information security section within the university (as per Q1) conducts a series of rolling security evaluations of its general IT environment and specific core application systems. You have been allocated the task of conducting the evaluation of the SRS.
An activity early in this process is the construction of a suitable normative model for the evaluation.
Using one or more of the information security frameworks discussed during the semester, identify 5 controls that would be important elements of the normative model. You should recognise that the general IT environment would have been covered by other security evaluations as part of the rolling program, so that issues from this environment would not be relevant to the review that is specific to the SRS unless they require some specific additional attention with the SRS.
You should provide a brief rationale for the selection of the controls for the normative model. It is also possible that some controls selected may also be covered by some other security evaluation of the IT environment as part of the rolling program – in these cases, you should justify why this should receive specific attention in this review.
Part (b) (10 marks)
During the week 7 class, an article was considered that provided a taxonomy of Information Systems Security (ISS) development methods (Siponen 2005). In the article, Siponen classified published ISS development methods into four generations of approaches and recommended the development and adoption of fifth generation ISS development approaches that could be easily integrated into regular information systems development processes.
What problems are likely to arise from the use of first generation approaches? What specific benefits could come about for an organisation if it were to adopt a more modern approach, such as one classified as fourth or fifth generation?
Reference
Siponen, MT 2005, 'Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods', Information and Organization, vol. 15, no. 4, pp. 339-75.
Question 4 [30 - 40 marks]
This question may include a number of smaller information security related questions, or parts. Each of these parts will be similar to some of the tute questions that have been asked during the semester. You will not need to remember the detail of the articles discussed during the tutorials, but you should have a general familiarity with them. Also keep in mind that this is open book, and that you will have access to any of this material if needed.