COMP9721 Assessment 3, S1-2018


COMP9721- Enterprise Information Security
Assessment 3 - Completion of Contingency Plan: Implementation, Guideline
& Timeline Proposal
Semester 1, 2018
Details:
Title: Assessment 3 – Completion of Contingency Plan: Implementation, Guideline
& Timeline Proposal
Due Date: 5.00 PM (GMT+8) Friday, 8th June 2018
Value: 40% of the final mark for the topic
Length: Maximum of 6000 words (excluding cover page and references)

Note: This Assessment 3 is not the same as for COMP3721 (undergraduate topic) – there
is an additional research component on compliance to regulation and standards, as noted
in the task section below.

Purpose of this assignment:
The purpose of this assignment is to support the following Learning Outcomes (LO) for this
topic:
LO1: Understand the purpose and context of a range of typical business information
systems.
LO2: Understand the importance of securing the information of an organisation.
LO3: Recognise the security issues associated with the integration of various information
systems within an enterprise.
LO4: Understand the principles of computer security.
LO5: Analyse security risks and prepare information and computer security plans.
LO6: Prepare and present consultant's reports on aspects of computer security.
LO7: Critically analyse publications in the area of computer security.

The assessments in this topic follow on from one another (formative) across the three assessments.
This means that you will need to use the preceding assessment to complete the following one. For
instance, you will need the outcome from Assessment 1 to be able to complete Assessment 2, and
the outcome from Assessment 2 to complete Assessment 3.

Case Study:
Megacorp, a subsidiary of Generico Inc., have hired you to undertake a full risk assessment of
their current security posture as they prepare to move to operating on a multinational scale.
Megacorp currently processes and stores financial and client data in-house, with cloud
services for operational usage and productivity.
Staff work on Windows desktops, with an ad hoc patching cycle. There is also a backup system
for the legacy in-house Windows servers, although the details of how this is configured are
unknown as the System Administrator responsible for this process has recently left the
company and did not leave any documentation on this. Megacorp use an old storage room as
their server room, as the legacy software sometimes requires easy physical access to the
servers running them for maintenance. The office is open-plan, and staff are encouraged to
get up and move around during the day. The cloud system is used mainly for document
collection, although there is not a mandated service specified by the company.
Given the quality of your preceding documents, the company has asked that you provide
a recommendation of timelines, implementation recommendations and ongoing maintenance
guidelines, in reference to your analysis. Given the period of current rapid expansion,
management wants only a report for the most critical risks identified in the analysis.
Task:
Based upon your risk assessment and risk register from Assessment 2, you must complete the
contingency plans to expand on Assessment 2.
A report for the CEO, CIO and CISO, providing an outline of steps required for implementing
controls, along with a rough timeline and maintenance aspects. This report should cover:
- Deployment and implementation guidelines for specific risk controls
- Maintenance guidelines on each presented control
- Timelines for each aspect
- Summary of your preceding content and documentation
In addition, you must research and identify the regulations, legislation and international
standards that should/could be used in the contingency planning measures from Assessment
2.

Report Requirements:

Must Contain:
Cover/Title Page: This must contain the topic code and title, assignment title, your name
and student identification, due date.
Executive Summary
Table of Contents: This must accurately reflect the content of your report and must be
generated automatically in Microsoft Word with page numbers.
Introduction: A brief outline of what the document includes, how it is structured and
what you based your decisions in the report on.
Main content: You should structure this under appropriate headings.
References: A list of end-text references formatted according to the Flinders APA
Referencing XXXXXXXXXXPDF 95KB) requirements. It is recommended that
Endnote is used to manage references. Your references should comprise
books, journal articles, and conference papers.
Format: This report should be no more than 6,000 words (excluding references
and diagrams) and labelled as <studentlastname_studentfirstname>.docx and should be in a single file.
Your assignments must be word-processed and the diagrams be
developed using graphics software (most word-processors provide this
facility). The text must be no smaller than 12pt and font Times New
Roman.
Marking Rubric:
40% Total = 40 marks
Assessment criteria | Maximum marks for this element | Student mark
Previous Content
- All Critical Risks identified are present: 2
- Appropriate Diagrams/Tables: 2
- Summarised correctly: 2
Maintenance Guidelines
- Relevant to each asset: 2
- Timeline is appropriate for the asset: 2
- Included relevant responsibilities / roles / outcomes: 4
- Links to implementation guidelines: 4
Implementations
- Detailed Outcomes: 1
- Justifications are adequate & realistic: 2
- Appropriate to the asset: 1
- In-line with the risk-analysis and Business Impact Analysis: 2
- Timeline for implementations are realistic and achievable: 2
- Applicable solutions proposed: 2
Regulations/Legislation
- Regulation identified are applicable: 1
- Justification of regulations: 4
Standards
- Standards identified are applicable: 1
- Justification of standards: 4
Report
- Layout & Readability: 0.5
- Language Usage: 0.5
- Content Covered: 0.5
- Referencing: 0.5
Total mark: 40 (Maximum)
http://www.flinders.edu.au/slc_files/Documents/Blue%20Guides/APA%20Referencing%20%282017%29.pdf
Late submission:
As stated in the official Statement of Assessments Methods (S XXXXXXXXXXfor this topic, an
assessment submitted after the fixed or extended time for submission shall incur a penalty to
be calculated as 5% of the total mark for the assessment for each day, (or part thereof) up to
5 business days (Monday-Friday) it is late. After 5 days the assessment will be awarded a zero
(0) mark.
Academic Misconduct (Including Plagiarism):
Flinders University regards academic misconduct of any form as unacceptable. Academic
misconduct, which includes but is not limited to, plagiarism; unauthorised collaboration;
cheating in examinations; theft of other students’ work; collusion; inadequate and incorrect
referencing; will be dealt with in accordance with the Flinders Policy on Academic Integrity
Policy.
http://www.flinders.edu.au/academicintegrity/
http://www.flinders.edu.au/academicintegrity/student.cfm
Turnitin:
Turnitin is expected to be used for all assignments across the University. More information and links
to Turnitin can be found on FLO. It is recommended that you submit a draft of your work via the
Turnitin draft mechanism, to check it for errors in advance. Leave sufficient time for this process,
which can be up to 24 hours.
Extensions:
If you require an extension for submission, you may request one, on an individual basis through the
automated extension request tool located on FLO. This is in the ‘General’ section on the FLO topic
page.

COMP9721 Assessment 1, S1-2018


COMP9721- Enterprise Information Security
Assessment 1 – Case Study Analysis and Risk Register
Semester 1, 2018

Details:
Title: Assessment 1- Case Study Analysis and Risk Register
Due Date: 5.00 PM (GMT+8) Friday, 30th March 2018
Value: 30% of the final mark for the topic
Length: Maximum of 2000 words (excluding cover page)

Purpose of this assignment:
The purpose of this assignment is to support the following Learning Outcomes (LO) for this
topic:
LO1: Understand the purpose and context of a range of typical business information systems
LO2: Understand the importance of securing the information of an organisation
LO3: Recognise the security issues associated with the integration of various information
systems within an enterprise
LO4: Understand the principles of computer security
LO5: Analyse security risks and prepare information and computer security plans
LO6: Prepare and present consultant's reports on aspects of computer security

The assessments in this topic follow on from one another (formative) across the three assessments.
This means that you will need to use the preceding assessment to complete the following one. For
instance, you will need the outcome from Assessment 1 to be able to complete Assessment 2, and
the outcome from Assessment 2 to complete Assessment 3.

Case Study:
Before the design of new security solutions can begin, the security analyst must first
understand the current state of the organization and its relationship to security. Megacorp, a
subsidiary of Generico Inc., have hired you to undertake a full risk assessment of their current
security posture as they prepare to move to operating on a multinational scale. Megacorp
currently processes and stores financial and client data in-house, with cloud services for
operational usage and productivity.
Staff work on Windows desktops, with an ad hoc patching cycle. There is also a backup system
for the legacy in-house Windows servers, although the details of how this is configured are
unknown as the System Administrator responsible for this process has recently left the
company and did not leave any documentation on this. Megacorp use an old storage room as
their server room, as the legacy software sometimes requires easy physical access to the
servers running them for maintenance. The office is open-plan, and staff are encouraged to
get up and move around during the day. The cloud system is used mainly for document
collection, although there is not a mandated service specified by the company.
Task:
This assessment is designed to demonstrate your knowledge and analysis of a specific security
context. Using the case study provided, create a risk register for the threat environment for
Megacorp as they move towards an international operation. This
Answered Same Day May 09, 2020 COMP9721 Flinders University

Solution

Amit answered on May 24 2020
117 Votes
Executive summary
A guide to contingency planning provides an exhaustive list of recommendations, operations and considerations for Information Technology (IT) contingency planning. Contingency planning is defined as the plan of action to recover IT operations after a system disruption or emergency. The plan of action or interim measures may include moving IT systems and services to another location, restoring IT functions by using other tools and equipment or restoring IT functions by using manual methods.
IT systems can be affected by various interruptions. They vary from mild, such as a short-time power-break, disk failure, etc., to severe, such as destruction of equipment, fire outbreak in equipment, etc. They may also occur from sources like natural disasters and terrorist attacks. There are many disruptions which can be avoided, minimized or eliminated with the help of different technical solutions or operations management. They are covered under the risk management step of the organization. However, it is nearly not feasible to eliminate all risks. Sometimes, a critical resource for IT system functioning is out of the control of the organization (electric power, etc.), and hence the organization will not be able to ensure its 24x7 availability. It can be inferred that contingency planning, execution and end user testing are important for risk mitigation and service availability.
Table of Contents
Executive summary
Introduction
Adherence to International Standards
Overview of BCP phases
Roles and Responsibilities
Summary of Preceding Plan
Business Contingency Planning for Server Systems in Megacorp
Business Contingency Planning for Networking Systems in Megacorp
Business Contingency Planning for Information System in Megacorp
Maintenance
Testing, Exercise and Training
Summary of Terms and Definitions used in the Document
References
Introduction
This document presents the contingency plan for Megacorp. It will act as a central repository for all required information, procedures, processes and tasks that are essential to provide a restoring facility to Megacorp. It will also facilitate the decision-making capacity of the management and it shall provide a timely response to any interruption or extended interruption in the normal business operations. This is very important when the cause of disruption is one which requires immediate restoration of services and cannot be handled by using normal daily processes. The personnel and financial resources indicated in the document represent the commitment of the management towards the response, resumption and restoration services. Hence, it becomes necessary that information and plans should be maintained in a state that they remain viable and maintain a state to ensure the accuracy of contents of the document.

Scope
This document covers all information related to information systems used, managed or operated by the organization or contractor or agency or any other organization on behalf of agency. The mentioned procedures are applicable to all users, contractors and employees of the organization.
Objectives
There are various types of systems being used in the organization which can be classified as information systems, servers and networking systems. Information systems provide critical functionality to the organization such as email and internet access, whereas the Servers and Networking systems provide the fundamental structure to support the aforementioned information systems. They allow customers and the organization to perform their respective tasks. As mentioned above, some of the risks can be mitigated but not all of them. Hence, it is essential for the organization to develop a contingency plan and also disaster recovery plans. They will ensure that the organization will have uninterrupted operations and regular services to the customers.
The key motive of the contingency planning is to protect two types of assets of the organization: data and personnel. All sections of contingency plan should provide ways to protect and safeguard the personnel and procedures to restore data in case of disaster. The primary focus of the plan is creating policies and processes to protect information system in case a contingency occurs and ensures that assets keep functioning. This covers the operational capability to identify and analyze (Sonfield, 1984) the critical applications, data recovery from alternate backup locations and data restore to pre-disaster state. Along with the above-mentioned objectives, other objectives of plan are as follows:
· Identification of resources to be used during contingency to execute the plan.
· Minimizing the number of decisions to be taken during contingency.
· Identification of actions to be executed by pre-allocated teams.
· Identification of critical data associated with customers that needs to be recovered at the time of contingency.
· Establishing testing and maintenance processes to be used for this plan and also training procedure for contingency teams.
Critical success factors
Following are critical factors and issues which should be applied to the contingency plan of the organization for its successful implementation:
· Commitment of budget for disaster recovery.
· 100% availability of senior management for disaster recovery and contingency planning.
· Establishing and execution of required Memorandums of Agreements, Service Level Agreements and Memorandums of Understanding (MOUs).
· Changes in the current scheduling procedures for transportation of backup data files to the offshore or alternate storage facility.
Adherence to International Standards
For the Business Contingency Plan to be effective, it needs to adhere to international standards. The BCP adheres to the following standards:
· Federal Information Security Management Act of 2002
· National Institute of Standards and Technology, commonly known as NIST, Special Publication 800-34 R v1, Contingency Planning Guide for Information Technology Systems, published in May 2010.
· NIST SP 800-53, R v4, Security and Privacy controls for Information Technology and Systems and Organizations, published in April 2013.
· NIST SP 800-84, Guide to Test, Exercise and Training Programs for IT Plans and Capabilities, published in September 2006.
· Australian Standard or AS: 3745-2010 (Standards Australia, 2010b)
Overview of BCP phases
The BCP or Business Contingency Plan has been designed to recover the data of the organization using a 3-phased approach. This approach ensures that all the data recovery actions are executed in a methodical sequence. This will increase the effectiveness of the recovery effort and reduce the system down-time during contingency. Following are three phases of BCP:
· Activation and Notification phase - This phase comes into execution once a disruption occurs which goes beyond the RTO established for the information system. After the activation of the BCP, all the users of the system are notified that an outage has occurred and a detailed assessment of the outage will be carried out. The information collected from the outage assessment is sent to the owners of the system. This information is used to modify the recovery procedures for the specific outage that occurred.
· Recovery phase - This phase provides details of the recovery procedure followed for the recovery of the system. Procedures are written in a way which suits the demands of a skilled technician who can then execute this plan to recover the system with immediate effect and without having any prior information of the system. This phase contains the procedures used for communication of the status of recovery to the system users and owners.
· Reconstitution phase - This phase includes the definitions of actions used to test and validate system functionality. It performs two major activities: validation of successful system recovery and deactivation of the plan. During the validation phase, the system is tested prior to returning to the pre-disruption state. These validation procedures may conduct regression testing, concurrent processing or/and validation of data. Once the data is completely restored and the system is brought back to the normal working state, the system is declared as recovered and fully functional by system users and owners. The deactivation part includes sending notification to users about the system being operational. The reconstitution phase also includes the documentation of recovery steps, finalization of log activities, framing lessons learnt during the updating of plans and preparing resources for any future recovery event.
Roles and Responsibilities
There are various resources and teams involved in the execution and recovery of the system. The following teams have been framed and developed for contingency times which may affect the IT system. The contingency plan establishes various teams which are assigned with the contingency planning of the recovering functions. The team is assigned with the responsibility of system recovery of the affected computer environment and all its associated applications. Team members include staff who are involved in day-to-day operations and maintenance of the system. The team leader leads the team. The following table describes the roles and responsibilities of the members of the team.
Role: Director, Facility Leadership (Departmental Head)
Responsibility:
· All the responsibility of the development, implementation and maintenance of the contingency plan.
· Ensures that the Contingency Plan has been developed with the help of managers who are associated with the business processes of the system.
· Provides information regarding the duration of system down to the contingency plan coordinator based on outage assessment.
· Declares the activation of the contingency plan.
· Determines whether the intermediate processing should be activated to maintain the current business operations or the operations should be halted till the system is recovered.
· In case of escalation, high management is to be consulted.
· Responsible for testing, maintenance and sending the IS contingency plan to delegates and other personnel.
· Approves all changes in the contingency plan.
Role: Administrator
Responsibility:
· Manages and monitors the activities of the recovery team until the system recovery is completed.
· Ensures that all recovery activities have been performed consistently as per the service level agreements.
· Provides timely statuses to the Contingency plan director.
· Creates an After-Action Report once operations are resumed.
· Assists the contingency plan director in testing, implementing and distributing the Contingency plan.
Role: Recovery Team
Responsibility:
· Determines the expected downtime of the system i.e. duration between failover and alternate site.
· Prioritizes the resource recovery sequence.
· Conducts all activities of system recovery and resumption activities.
· Retrieves backups.
· System configuration.
· Ensures that voice and data communication are working, activates the phones and pagers.
· Provides IP numbers and information network routing.
· Includes validation testing teams.
Role: Alternate Contingency Planning Coordinator
Responsibility:
· Same responsibilities as that of the contingency coordinator.
· Becomes active in absence of the contingency planning coordinator.
Summary of Preceding Plan
System Acronym | System Name | Description
Server and Mainframes
· Web Server: Hosting of company’s website
· SharePoint Server: Intranet SharePoint website
· Database Server: Hosting of website’s database and internal database
· Exchange Server: Hosting of Microsoft Exchange server for emails
· File Server: File hosting server
· General Purpose Server: General purpose server for IT admin to control other systems, manage deployments and for security
Networking Infrastructure
· WAN and LAN Components: LAN and WAN Access for the company
· Firewall and IDS: Software and hardware-based security for protection
Information System
· Email: Enterprise emailing service based on MS Exchange
· Payroll: Payroll and employee attendance system
· Invoice Management: Invoice management system for the business
· Communication Management: Provides enterprise chat and VOIP services
· Document Management: Helps manage company’s document
· Corporate Intranet Services: Helps host corporate intranet website using SharePoint server
Business Contingency Planning for Server Systems in Megacorp
Activation
The activation of CP procedures as well as the notification phase defines the actions that take place once a Server systems disruption is imminent or detected. This detection may be observed by an employee working on the Server or the application hosted by the server, or it may be reported by a group of users, Server administrators or perhaps by the error-detection and fault-prevention system in place. Irrespective of these, as soon as an anomaly is detected on the server, the decision is taken by the leadership teams and then passed on to the recovery team so that the recovery team can conduct measures to recover the system functions.
Activation Criteria and Process
· A type of outage that would indicate that the Servers (Namely File Server, Database Server, Web Server etc.) would be down for more than the RTO i.e., 12-24 hours.
· The director would determine whether the system would be able to be recovered on the primary site.
· Additionally, the director would determine if the Server’s CP procedures requires consulting with the appropriate department’s leadership. This includes the following:
· The database administrators.
· The web-server...