Assessment 2 Information

Your Task

Demonstrate your understanding of key cyber security concepts aligned with learning outcomes LO2, LO3, and LO4. You will configure a firewall and develop an access control policy document that complies with relevant laws, regulations, and ethical guidelines.

Additionally, this task requires you to leverage open-source cyber security and generative AI tools, simulating industry practice.

Assessment Description

This assessment is designed to simulate industry practices for securing and managing networks. You will apply your knowledge and skills to configure firewalls, define access control policies, and evaluate the legal and ethical considerations of your decisions.

Your final deliverable includes two documents:

1)  Your report (.docx), which includes:

a.  Your access control model justification

b.  Your Access Control Policy

c.  Your legal and compliance justification

2)  Your pfsense Configuration (.xml)

Case Study

Kaplan Financial, a mid-sized Australian company, is experiencing rapid growth, which has introduced critical  network  security  challenges.  Recent  incidents,  including  unauthorised  access,  phishing attempts, and malware infections, have posed significant threats to the company’s operations and the security of sensitive data.

The company is pursuing ISO 27001 certification, reflecting its commitment to implementing best practices for information security management. Additionally, as an Australian organisation, Kaplan Financial  must  comply  with  relevant  legislation,  including  the  Privacy  Act  1988  (Cth)  and  the Cybersecurity Act 2018, which mandate stringent measures for safeguarding sensitive information and protecting critical systems against cyber threats.

To address these challenges, you are brought in as a consultant tasked with configuring the network firewall and designing robust access controls for the internal IT team. Your solution must secure the network and prevent future attacks as well as align with the company’s certification requirements and legislative obligations.

Kaplan Financial has several departments with distinct responsibilities:

• Executive Leadership: Oversees the company’s overall strategy and drive organisational performance.

• Client Services: Provides personalised investment advice, manages client portfolios, and ensures financial strategies align with customers’ goals.

• Human   Resources: Manages   employee   records,   recruitment,   performance,   and   HR operations.

• IT Department: Maintains the IT infrastructure, manages the network, support employees’ technological needs, and ensures security across all systems.

• Administration: Involved   in  day-to-day  administrative  functions  and  ensures  smooth operations across departments.

Kaplan Financial’s network infrastructure includes the following components:

•    Each of the fifty (50) employees have company-provided laptops connected via Wi-Fi. Flexible work arrangements allow employees to work both on-site and remotely.

•   The company has internal servers hosting critical applications:

o Customer Relationship Management (CRM): A comprehensive system for managing client   portfolios,   automating   communications,   tracking   client   engagement,   and generating profitability report.

o Human Resources Management software: A platform to manage employee records, track performance, and automate HR processes.

o Security Information and Event Management (SIEM): A tool to monitor, detect, and respond to security threats across the network.

o Corporate Performance Management (CPM) System: A platform that provides high- level insights, analytics, and tools to monitor overall company performance against strategic goals.

Assessment Instructions

1. Understand the Case Study

Review the context of Kaplan Financial, its security challenges, and compliance obligations. Consider how the organisational structure influences security design.

2. Select an Access Control Model

Choose the most appropriate access control model. Justify your choice considering security concerns and departmental responsibilities. This should form the first part of your report and should be approximately 250 words long.

3. Document Your Access Control Policy

Use a generative AI tool (e.g., ChatGPT, Gemini) to draft a formal access control policy. Your policy should be approximately 1000 words long and should cover:

a.  Measures to prevent unauthorized access.

b.  Secure access for both on-site and remote workers.

c.  Implementation of access control principles (e.g. least privilege, need-to-know).

d.  Access control impact on each of the critical applications.

e.  How the policy affects firewall configuration.

f.   Other details found in a typical access control policy.

Refine your generative AI outputs to create a formal Access Control Policy. Submit your policy  as  the  second  part  of  your  report.  Include  screenshots  of  your  generative  AI interaction in the appendices.

4. Justify Legal and Compliance Obligations

Justify your access control policy by explaining how it aligns with Kaplan Financial’s legal obligations, referencing relevant regulations. Your justification should be approximately 250 words long and should be submitted as the third part of your report.

5. Configure the Network Firewall

Configure the network firewall using pfSense according to your access control policy.

Save the configuration as an XML file for submission.