Information Security and Information Security PG – IT Computer Science Assignment Help

Assignment Task

Task 

Information Security and Information Security PG

Instructions for students

1. Please make a submission to the canvas drop box for this assignment with your answers to these questions.
2. All submissions should be made as a simple Microsoft Word formatted document. If you do not have Word installed on your computer, you should use the Office 365 account provided by the University, where you will be able to use a version of Microsoft Word.
3. This paper comprises 4 questions with a total of 100 marks and is worth 40% of the marks for the unit. Attempt all questions and all of the parts.
4. Answer all questions in your Word document using the relevant question number.
5. Please do NOT include a copy of the question in your answers. Please start each question on a new page and write the question number at the top of the page. There is no need to start a new page for the individual parts of each question.
6. Please keep answers brief and to the point. Point form answers are permissible, but you should ensure that sufficient detail is provided to make your points clear.
7. Acknowledging the work of others is important in all academic work and you should ensure you reference the work of others in an appropriate manner. The UC version of Harvard author-date (2021) is the preferred system.
8. Please do not submit a copy of this assignment to a draft assignment submission box from another unit. A 10 mark penalty will be imposed in these cases.

Question 1 
The following scenario relates to Question 1 (a), (b) and (c) below.
A large organisation, similar to the University of Canberra, is in the process of implementing a new human resource management (HRM)* system that includes aspects of workflow. An example of the workflow includes facilitating the on-line submission of leave forms and the subsequent approval (or not) of the leave applications by supervisors. It will also allow staff to have on-line access to relevant personnel and payroll records where appropriate (for example, checking payslips and leave balances, submitting performance assessment reports, etc.). The system would also facilitate activity normally undertaken by senior managers.

* for those unfamiliar with HR/HRM systems, these are the systems that organisations use to manage their staffing. This may include: payroll (making sure staff are paid the right amount at the right time); the recording of leave and leave balances (holidays, sick leave, and long service leave etc.); and a repository for performance management data. They are frequently connected with finance systems and sometimes include other details, but the list mentioned here is sufficient for this exercise.

Part (a) 
As part of the implementation of this system, relevant security policies need to be reviewed, redeveloped, replaced or modified. Assume that the organisation already has a general information security policy in place along with a range of issue specific security policies, but no current system specific security policy for a HRM system.
Outline the major issues you would expect to see covered in a system specific security policy for the HRM system. Discuss this in broad terms, mostly using the headings and brief statements covering the issues that you would expect to find in the system specific policy (you are not expected to provide the detailed clauses of the policy). Do NOT include things that you would normally find in the general University information security policy or issue specific policies.

Part (b)
A system-specific information security policy for the HRM system may include access control lists, or ACLs. This question will require you to create some of the details you might find in the ACLs for the HRM system. For the purposes of this question, the ACLs will be kept relatively simple.
The general classes of users that should be used for this question are:

1. staff (these are all staff not included in one of the other categories, but staff in the other categories would have this staff level access in addition to that proposed for their specific category);
2. supervisors;
3. HR department admin staff;
4. IT systems administration staff;
5. senior management.

The IT data resources should include:
1 – staff personal details (names, address, phone numbers, date of birth, sex, etc.);
2 – payslip records (current and previous payslips);
3 – leave records (including balances and planned leave);
4 – leave applications (yet to be approved);
5 – performance assessments.

Note that the system is likely to use more specific user groups (particularly for admin and IT roles), and it is likely to include other data, but these dimensions have been kept simple for this exercise. Draw up an access control matrix (in the form of a table) for this situation. The table should have the various classes of users in the rows, and the IT resources of the system in the columns. The cells within the matrix should note the appropriate level of access for the relevant user to the data resource. The access permissions can include: read; update; delete; or other particular privileges or restrictions.

For the purposes of this exercise you should assume that someone with limited knowledge of HR systems will then implement this system and associated access security using the data provided in your table. As such, avoid omitting data because you think it might seem obvious.
You do not need to provide a rationale for any of the access privileges in your answer to this part – just populate the table in such a way that it describes the relevant privileges.

Part (c) 
In your answer to part (b), you should have described the access privileges for all of the classes of users. Provide a rationale that justifies the level of access that you have given to the following two classes of users of the HRM system:
• IT systems administration staff
• senior management

Question 2
Part (a) 
One of the challenges with ICT security is ‘selling’ the notion of investing in ICT security. One approach is to use a traditional return on investment approach with an emphasis on information security issues. This is referred to as a Return on Security Investment (ROSI) and ROSI calculations can be presented to management to justify security investments. The ROSI elements discussed during the semester included the following formula components: Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annual Loss Expectancy (ALE) which is calculated: ALE = ARO * SLE; Modified Annual Loss Expectancy (MALE) (this is the ALE after the implementation of the proposed security controls). The ROSI takes account of the ALE, the MALE and the cost of the proposed controls. Considering the following scenario involving the help desk staff responsible for providing support to the HRM system from question 1:

The help desk staff reset hundreds of passwords annually for various reasons. On average the help desk staff reset 10 passwords annually without properly verifying the staff member’s identity correctly and provide access to the wrong person. The damages in reputational and privacy breaches is estimated to cost $10,000 per incident. By implementing a verification software package with a licence cost of $5,000 per annum, the loss expectancy would be reduced by 75%.

Calculate the ROSI for this scenario.
Given this scenario, discuss the limitations with using a ROSI calculation in this manner. You should provide 5 issues that highlight limitations with the application of a ROSI used as a primary means to justify this control.

Part (b) 
Your information security section within the university (as per Q1) conducts a series of rolling security evaluations of its general IT environment and specific core application systems. You have been allocated the task of conducting the evaluation of the baseline controls in the general IT environment. An activity early in this process is the construction of a suitable normative model for the evaluation.
Using the ISO 27002 information security framework discussed during the semester, identify 5 controls that would be important elements of the normative model. It is quite likely that there will be many more than 5 controls relevant to this baseline security situation, but you should try to select 5 of the more important controls. You should provide a brief rationale for the selection of the controls for the normative model.

Question 3 
Part (a) 
Information security should be balanced against the business goals of the organisation.
What symptoms might be exhibited by an organisation in which information security considerations have been overdone?

Part (b) 
What role should the top level management of an organisation (usually the CEO and associated executive level management committee) play in relation to the security of the organisation’s information assets?

Part (c) 
During the semester, we discussed the concept of ‘normalisation’ of information security. 
Provide two examples to illustrate how this could work in the context of the scenario in Q1.

Question 4 
Insider threats describe security threats to an organisation coming from people working inside the organisation. As the CISO (Chief Information Security Officer) of an organisation, you are aware that insider threats are an increasing exposure for all organisations. 

For each of these insider threats listed below:
a) identify controls that could reduce the risk the threat occurring (prevention);
b) identify controls that would assist with the detection of these threats, should they occur.

The solutions can use some technology, but the human factor is also important in addressing these issues. The solutions shouldn’t prevent the normal work of the organisation from occurring. Answer by listing the number of the threat and associated control type (1a,1b, 2a, 2b) and your answer. You should briefly describe two controls for each of the parts (hence, 8 controls in total).

Insider Threats
1. An IT systems administrator uses their privileged access to insert some additional (ghost) staff members on the payroll system and then collects the pay of these ghost staff members;
2. A member of a University student administration area with access privileges to update grades in the student records system has been taking bribes from students to modify their grades for important units. Note that the normal workflow involves grade modifications being recommended by academics in charge of the relevant unit, the grade changes being approved by various processes, then entered into the student records system by a staff member in the student administration area.

This IT Computer Science Assignment has been solved by our IT Computer Science Expert at TV Assignment Help. Our Assignment Writing Experts are efficient to provide a fresh solution to this question. We are serving more than 10000+ Students in Australia, UK & US by helping them to score HD in their academics. Our Experts are well trained to follow all marking rubrics & referencing Style. Be it a used or new solution, the quality of the work submitted by our assignment experts remains unhampered. 

You may continue to expect the same or even better quality with the used and new assignment solution files respectively. There’s one thing to be noticed that you could choose one between the two and acquire an HD either way. You could choose a new assignment solution file to get yourself an exclusive, plagiarism (with free Turn tin file), expert quality assignment or order an old solution file that was considered worthy of the highest distinction.