BIT361- Security Management and Governance – Case Study - Semester 1, 2022
All questions are to be completed. Complete your answers using this document.
Case study scenario: CoreAx Medicinal (CoreAx), see appendix.
In discussing the questions below, use information from the CoreAx Medicinal Case Study.
Table of Contents
Question 1.
Question 2.
Question 3.
Question 4.
Common Terms and Formulas in Risk Management.
    Definitions
    Formulas
Appendix - Case Study Scenario:
    CoreAx Medicinal
    Your Role - MedEx Security Services (MXSS)
Question 1.
Risk management is focused on developing strategies and controls for known vulnerabilities. Contingency plans are strategies and tactics for dealing with unexpected events: what to do when the risk management processes fail.
A. List and briefly describe the members of the Contingency Planning Management Team (CPMT) for information security. (3 marks)
B. Once the CPMT (and other subordinate teams) have been formed, outline and discuss the seven (7) core steps of the overall Contingency Planning Process (note: it should integrate the BIA, IRP and DRP efforts). (8 marks)
C. Briefly describe the differences between Disaster Recovery and Business Continuity as they would apply to the Head Office at CoreAx Medicinal. Give examples of each to explain your answer. (4 marks)
Question 2.
Formal Information Security (InfoSec) policy development, implementation and compliance are important to medium and large organisations. The Research and Development department and its team members, however, have additional requirements.
A. Write a paragraph explaining the reasons why formal InfoSec policy statements are essential at CoreAx Medicinal for the Research and Development Team. (6 marks)
B. Describe what elements compliance statements should contain in an InfoSec policy document for the Research and Development Team. (5 marks)
C. Give two (2) examples of InfoSec policy documents that would be required at CoreAx Medicinal for the Research and Development Team, and provide justification for your choice. (4 marks)
For parts D and E:
Every staff member of the CoreAx Medicinal Research and Development department and team is provided with a company mobile phone, which is controlled by CoreAx Medicinal's Mobile Devices policy. This policy restricts the use of company devices to company business and requires that all company communications (email, text, social media) and personal communications during work hours be conducted using the company-provided devices. Personal smart devices are not to be used on company-owned networks or equipment, or during work hours.
D. Suggest a detailed program to ensure awareness of and compliance with the InfoSec policy, providing examples. (8 marks)
E. Describe how you could determine the success of your awareness and compliance program. (7 marks)
Question 3.
CoreAx Medicinal needs to determine how to prioritize the security arrangements for several of their assets. In brief discussions with them, you obtain the following information:

Asset | Asset impacts | Threats and vulnerabilities (frequency per year)
ICT Network Services | Some importance to profitability; some impact on public image; some impact on success of organisation | Human error: misconfiguration of network (1.5/yr); Hardware failure: equipment lifetime failure (2/yr)
ChemBuild Software | Little importance to profitability; little impact on public image; little impact on the success of organisation | Incorrect entries (15/yr)
Research and Development Centre | Important to profitability; important to public image; strong impact on the success of organisation | Compromises to intellectual property: copyright infringement (6/yr); patent infringement (0.25/yr)
Pharmaceutical Products Facility Staff | Essential to profitability; no impact on public image; critical for the success of organisation | Development skills shortage: employee leaves (5/yr)
A. Using this information and your general knowledge, complete the following tables. Show all calculations. (16 marks)
B. When you have completed the tables, write a paragraph discussing the relative priorities of the assets and how that will affect security planning for these assets. You should include some discussion of the types of controls that should be considered for the different assets and their vulnerabilities. (6 marks)
Table 1: Asset priority table

Criterion | Success of the organisation impact | Profitability impact | Public image | Priority score (asset impact) P_________ of _______
Criterion weight | 40 | 40 | 20 |
Assets ˅ | | | |

Table 2: TVA table

Assets → | | | |
Threats ˅ | | | |

Table 3: Risk

Asset | Threat | Vulnerability | Likelihood | Impact | Priority
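The weighted factor analysis behind Table 1, as an added example that is not part of the assignment or the course material. The 40/40/20 criterion weights are the ones given in Table 1; the 0..5 rating scale, the Asset class, the function names and the sample assets are assumptions constructed here for illustration, not the ratings of the CoreAx assets.

```python
# Added example (not part of the assignment): weighted factor analysis for an
# asset priority table of the kind in Table 1. Criterion weights 40/40/20 are
# from Table 1; the rating scale and the sample assets are constructed here.
from dataclasses import dataclass

# Criterion weights from Table 1 (must sum to 100).
CRITERION_WEIGHTS = {"success": 40, "profitability": 40, "public_image": 20}

# Assumed mapping of the qualitative ratings used in the case study onto a
# 0..5 scale; a course may prescribe a different scale.
RATING_SCORE = {
    "none": 0, "little": 1, "some": 2, "important": 3, "strong": 4,
    "essential": 5, "critical": 5,
}
MAX_RATING = max(RATING_SCORE.values())


@dataclass(frozen=True)
class Asset:
    name: str
    success: str        # impact on success of the organisation
    profitability: str  # impact on profitability
    public_image: str   # impact on public image


def priority_score(asset: Asset, weights: dict = CRITERION_WEIGHTS) -> float:
    """Weighted priority score out of 100 (higher = protect first)."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    weighted = 0
    for criterion, weight in weights.items():
        rating = getattr(asset, criterion).lower()
        if rating not in RATING_SCORE:
            raise ValueError(f"unknown rating {rating!r} for {asset.name}")
        weighted += weight * RATING_SCORE[rating]
    # Dividing by the top of the rating scale keeps the score in 0..100.
    return round(weighted / MAX_RATING, 2)


def rank_assets(assets) -> list:
    """Return (name, score) pairs, highest priority first."""
    scored = [(a.name, priority_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets (illustrative ratings only).
SAMPLE_ASSETS = [
    Asset("Corporate network", "some", "some", "some"),
    Asset("Customer order portal", "important", "strong", "strong"),
    Asset("Internal wiki", "little", "little", "some"),
    Asset("Manufacturing line controllers", "critical", "essential", "none"),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {name}")
```

The ranking is only as good as the rating scale: two assets rated "essential" and "critical" tie here because both map to the top of the scale, so a real exercise should document the scale it uses next to the table.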
Question 4.
CoreAx Medicinal has identified several possible control measures for the improvement of their information security. Currently the data in Table 1 and Table 2 below has been determined.
For Table 1 we have provided the following:
· Likelihood (you will need to calculate the probability of a vulnerability being exploited), then derive the Annualised Rate of Occurrence (ARO).
· We have calculated the Single Loss Expectancy (SLE) for you individually using SLE = Asset Value (AV) × Exposure Factor (EF).
· Using the included values, you can now complete the Annualised Loss Expectancy (ALE).
A. Complete a Cost Benefit Analysis for the items in the tables below. You may need to add columns or rows. Show all calculations. (16 marks)
B. Discuss, in detail, which of these controls should be implemented, considered or rejected. (12 marks)
Table 1: Risk – Unprotected (before Controls/Safeguards)

Asset | Threat | Vulnerability | Likelihood (calculate) | Annualized Rate of Occurrence (ARO) | Single Loss Expectancy (SLE) | Annualized Loss Expectancy (ALE)
Intellectual Property / Patents | Espionage or trespass | Network intrusion | 30 events per year | | $6,262 |
Workstations | Software attacks | Virus/Malware | 90 events per year | | $434 |
Production Servers | Hacking | Network intrusion | Once every 2 weeks | | $2,849 |
Central HO Server Room | Hardware equipment failure | Power failure | Twice every three years | | $168,714 |
In Table 2 the control measures (safeguards) have been applied; complete the Cost Benefit Analysis. We have provided:
· Likelihood (you will need to calculate the probability of a vulnerability being exploited), then derive the Annualised Rate of Occurrence (ARO).
· The annual cost of each control and the newly calculated Single Loss Expectancy (SLE) after the control was applied.
· Using the included values, you can now conduct the Cost Benefit Analysis.
Table 2: Risk protected (Controls/Safeguards Applied)

Asset | Threat | Vulnerability | Control | Likelihood (calculate) | (ARO) | Annual cost of Control/Safeguard (ACS) | Single Loss Expectancy - Post Controls | (_______) | (_______) | (_______)
Intellectual Property / Patents | Espionage or trespass | Network intrusion | Firewall | Once every 3 months | | $60,000 | $5,306 | | |
Workstations | Software attacks | Virus/Malware | Anti-virus | 65 events per year | | $35,000 | $434 | | |
Production Servers | Hacking | Network intrusion | IDPS | 15 events per year | | $26,000 | $1,674 | | |
Central HO Server Room | Hardware equipment failure | Power failure | Uninterruptible Power Supply | Once every two years | | $48,000 | $14,461 | | |
Common Terms and Formulas in Risk Management.
Definitions

Term | Definition
Annual Cost of the Safeguard (ACS) | Annual cost of the safeguard (control)
Annualised Loss Expectancy (ALE) | A comparative estimate of the losses (SLE) from successful attacks on an asset over one year
ALE (pre-control) | ALE of the risk before the implementation of the control
ALE (post-control) | ALE examined after the control has been in place for a period of time
Annualised Rate of Occurrence (ARO) | Indicates how often you expect a specific type of attack to occur
Asset Value (AV) | Financial value or worth of each information asset
Cost-Benefit Analysis (CBA) | Determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control
Exposure Factor (EF) | The percentage loss that would occur from a given vulnerability being exploited
Likelihood | The probability that a specific vulnerability will be exploited
Single Loss Expectancy (SLE) | The calculated value associated with the most likely loss from a single occurrence of a specific attack

Formulas
ALE = Single Loss Expectancy (SLE) × Annualised Rate of Occurrence (ARO)
SLE = Asset Value (AV) × Exposure Factor (EF)
CBA = ALE (pre-control) − ALE (post-control) − ACS
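The three formulas above carried through in code, as an added example that is not part of the assignment or the course material. The parse_aro, likelihood and cost_benefit functions, the ControlOption class, and every dollar figure and frequency phrase in SAMPLE_OPTIONS are constructed here; the conversion of an ARO into a probability via a Poisson model is one modelling convention and is marked as an assumption in the code. The parser handles frequency phrases of the shapes used in the Question 4 tables ("N events per year", "once every 2 weeks", "twice every three years") and turns them into an annualised rate before the ALE and CBA are computed.

```python
# Added example (not part of the assignment or the course material): the
# risk-management formulas above, worked in code.
#   SLE = AV x EF,  ALE = SLE x ARO,  CBA = ALE(pre) - ALE(post) - ACS
# Frequency phrases of the shapes used in the Question 4 tables are converted
# into an annualised rate of occurrence. The asset names, costs and frequencies
# in SAMPLE_OPTIONS are constructed for illustration, not the case study's.
import math
import re
from dataclasses import dataclass

WORD_NUMBERS = {"once": 1, "one": 1, "twice": 2, "two": 2, "three": 3,
                "four": 4, "five": 5, "six": 6, "seven": 7, "eight": 8,
                "nine": 9, "ten": 10}
# Number of each unit in a year (52 weeks / 365 days are approximations).
PERIODS_PER_YEAR = {"year": 1, "years": 1, "month": 12, "months": 12,
                    "week": 52, "weeks": 52, "day": 365, "days": 365}

def _number(token: str) -> int:
    """'3' -> 3, 'three' -> 3, 'twice' -> 2 (token already lower-case)."""
    if token.isdigit():
        return int(token)
    if token in WORD_NUMBERS:
        return WORD_NUMBERS[token]
    raise ValueError(f"not a number: {token!r}")

def _per_year(unit: str) -> int:
    if unit not in PERIODS_PER_YEAR:
        raise ValueError(f"unknown time unit: {unit!r}")
    return PERIODS_PER_YEAR[unit]

def parse_aro(phrase: str) -> float:
    """ARO from "15 events per year" (15), "once every 2 weeks" (26) or
    "twice every three years" (0.667)."""
    text = " ".join(phrase.lower().split())          # normalise case/spacing
    m = re.fullmatch(r"(\w+) events? per (\w+)", text)
    if m:
        return _number(m.group(1)) * _per_year(m.group(2))
    m = re.fullmatch(r"(\w+) every (?:(\w+) )?(\w+)", text)
    if m:
        span = _number(m.group(2)) if m.group(2) else 1
        return _number(m.group(1)) * _per_year(m.group(3)) / span
    raise ValueError(f"unrecognised frequency phrase: {phrase!r}")

def likelihood(aro: float) -> float:
    """Probability of at least one occurrence in a year. Assumption: events
    arrive as a Poisson process with rate ARO (a course may instead use
    likelihood = min(ARO, 1))."""
    return 1.0 - math.exp(-aro)

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, with EF a fraction between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro

@dataclass(frozen=True)
class ControlOption:
    asset: str
    control: str
    sle_pre: float       # SLE before the control is applied
    frequency_pre: str   # frequency phrase before the control
    sle_post: float      # SLE after the control is applied
    frequency_post: str  # frequency phrase after the control
    acs: float           # annual cost of the safeguard

def cost_benefit(option: ControlOption) -> dict:
    """CBA = ALE(pre) - ALE(post) - ACS; positive means the control saves
    more per year than it costs."""
    ale_pre = annualised_loss_expectancy(option.sle_pre, parse_aro(option.frequency_pre))
    ale_post = annualised_loss_expectancy(option.sle_post, parse_aro(option.frequency_post))
    cba = ale_pre - ale_post - option.acs
    return {"asset": option.asset, "control": option.control,
            "ale_pre": round(ale_pre, 2), "ale_post": round(ale_post, 2),
            "cba": round(cba, 2),
            "decision": "implement" if cba > 0 else "reject"}

# Constructed sample options (illustrative figures only).
SAMPLE_OPTIONS = [
    ControlOption("Lab file server", "Firewall", 5_000, "12 events per year",
                  4_000, "once every 3 months", 20_000),
    ControlOption("Staff laptops", "Anti-virus", 500, "80 events per year",
                  500, "60 events per year", 15_000),
    ControlOption("Server room", "UPS", 150_000, "twice every three years",
                  12_000, "once every two years", 40_000),
]

if __name__ == "__main__":
    for option in SAMPLE_OPTIONS:
        print(cost_benefit(option))
```

A control can lower the SLE, the ARO, or both, and the CBA only rewards the combination: in the constructed data the anti-virus option cuts the event rate but not the per-event loss and so fails to cover its own annual cost, while the UPS option is worth more than its cost because it shrinks the loss per outage far more than it changes how often outages happen.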
Appendix - Case Study Scenario:
CoreAx Medicinal
CoreAx Medicinal Pty Ltd (CoreAx) is a pharmaceutical manufacturing organisation. It is primarily a drug compounding and manufacturing organisation that manufactures chemotherapy and other short shelf-life drugs for use in Victorian and Tasmanian hospitals and cancer treatment facilities. CoreAx has a long history in the development of genomic-based products that use the latest genomic sequencing technology and knowledge of the human genome to provide customised treatment products that lead the way in treatment options within Oncology (cancer) treatment. Recently it has been developing a cutting-edge Genomic Sequencing system.
CoreAx have developed nine (9) treatment centres in Victoria, located within the Epworth Hospital network. The treatment centres have genomic sequencing laboratories attached that require standardised installations. CoreAx are now ready to offer the Genomic Sequencing system to the broader medical industry and envision significant future growth in this area. They will sell their products through their own sales network in Australia, and internationally through an affiliate organisation, Medtronic (under licence). Medtronic has branch offices located across the globe.
The Genomic Sequencing Laboratory equipment they manufacture must be installed and serviced by specialist technicians. CoreAx branch offices provide three major functions for their customers: sales and consultancy; trained service and support professionals; and training staff. Common stock items are kept in stock at branch locations for service requirements, but some products are shipped directly to customers on an as-needed basis due to the customisation required to match different installations. A website and an online portal allow branches and retailers to order equipment and arrange installation dates, times and locations.
A key part of CoreAx is the design and testing of their Genomic Testing products. Care must be taken with products in development that the information is retained within the company and that laws relating to copyright (e.g., software for electronic equipment), patents (physical equipment) and trade secrets are observed, as well as not releasing important commercial information (e.g., product release dates and quantities). Design, development and testing are coordinated through the Head Office at the Burwood Business Centre in the eastern suburbs of Melbourne. The final products are assembled in the manufacturing facility in the Waverly Business Park nearby.
The Head Office in Melbourne has three main divisions: Research; Design and Development; Manufacturing; and Sales and Installation. Support departments include Finance, Payroll and Accounts, ICT, and Human Resources. Support and oversight for branches is largely provided by the relevant areas of the business, however since manufacturing must conform