Task Description You are hired by Advanced Medicos Limited (AML), a healthcare product sell company, as a cyber security consultant to help in security management and to address the contemporary and...

Task Description You are hired by Advanced Medicos Limited (AML), a healthcare product sell company, as a cyber security consultant to help in security management and to address the contemporary and emerging risks from the cyber threats the company is f
Task Description You are hired by Advanced Medicos Limited (AML), a healthcare product sell company, as a cyber security consultant to help in security management and to address the contemporary and emerging risks from the cyber threats the company is facing. AML is providing a platform for Australian customers to sell their product online. The vision of the company is to be among the top 5 nation-wide. The board from the advice by Chief Information Officer (CIO) and Chief Information Security Officer (CISO) has concluded that they should get to point that the key services such as web portal should be able to recover from major incidents in less than 20 minutes while other services can be up and running in less than 1 hour. In case of a disaster, they should be able to have the Web portal and payroll system fully functional in less than 2 days.
The company is a new company which is growing rapidly. While the company uses its database server to store the information of its customers’ private data, credit card info, etc. it has a poor designed network with a low level of security. As the company is responsible for the privacy and the security of customer personal info, credit card details, the security of payment transactions, etc. they have decided to improve their information security. Therefore, they have hired you to do the following task:
Vulnerability assessment and Business Impact Analysis (BIA) exercise:
1. Perform vulnerability assessment and testing to assess a fictional business information system.
2. Perform BIA in the given scenario.
3. Communicate the results to the management.
Existing IT infrastructure of AML:
- Office 365 Emails Hosting
- 2 Web server providing web services and payment options
- A physical database server storing customer information
- DHCP and DNS servers
- Servers located in a server room accessible by all staff
- There is no virtual/cloud storage
- The backup files are stored on a single computer connected to the internal network
- Two 24-port Cisco Catalyst switches (1Gbps ports)
- Switches are access layer switches - ADSL router - 40 PCs with outdated antivirus
- The operating systems used in the company are Windows 2012 server and Windows 10
- Windows Firewalls are on
- No security configuration on routers and switches
- Telnet connection is used by IT people to remotely check the configuration of the network devices. Therefore, there is no encryption in remote access.
- Two wireless access points
- Wireless security is WPA
- 10 Voice over IP phones
- Servers located in a server room accessible by all staff - There is no virtual/cloud storage
- The backup files are stored on a single computer connected to the internal network
- There are 40 staff including three IT people (IT staff are responsible to look after internet connection, network devices, Wi-Fi, Voice over IP service, LAN, computers, servers, hardware and software, and video conference facilities).
- All staff and equipment are on a single floor.
- The roles and responsibilities of people who are responsible for information security management are not clear and they are not documented. All IT staff help in information security management.
For this assignment, you need to write a report to the CEO of the company and answer a number of questions. You should also identify assets, perform risk assessment, and propose solutions to mitigate risks.
This assignment has several group questions. Therefore, you should make groups of two members in each. In each question, there are three roles, and each team member should choose one role and answer its question.
i. Analyse the output information that you receive from a well-known scanner, Nmap. For this question, you are strongly encouraged to watch a recording that has been posted guiding you in this task. You should add a screenshot of the scan results in your submission.
ii. Critically discuss how Wireshark software can be used in penetration testing to capture information about the company’s traffic. For this question, you can install Wireshark on your own laptop/pc (https:
www.wireshark.org/download.html). Open a
owser in your computer and capture TCP and HTTP traffic. Explain what types of information you have obtained from Wireshark. You should add a screenshot of the output.
iii. Explain which security measures (including hardware and software) you intend to implement in AML company to mitigate existing risks (a firewall and an IDS are examples of security measures). For this question, you should submit a logical topology of your proposed network design. The design should show how the security measures are connected to the company’s network. In your network design, the servers should be publicly available to external users. Therefore, the servers’ zone should be separate from the internal network and computers.
iv. Reflection for the task not more 300 words

Security Policy Development& Risk Management
Contents
31.
Task 1: Security Policy Development and Risk Management
31.1.
Access Control (AC) Policy
41.2. Types of Access Controls for AML
XXXXXXXXXXRole-based Access Control (RBAC)
XXXXXXXXXXMandatory Access Control (MAC)
XXXXXXXXXXDiscretionary Access Control (DAC)
51.3 Threat Control
XXXXXXXXXXSQL Injections attacks
XXXXXXXXXXRansomware attacks
XXXXXXXXXXTrojan Virus Attacks
XXXXXXXXXXPhishing
XXXXXXXXXXInformation Theft
51.4. Data Security Solution
XXXXXXXXXXData in Use
XXXXXXXXXXData in Motion
XXXXXXXXXXData at Rest
61.5. Authentication
71.6. Single Sign-On Service
XXXXXXXXXXSecurity Assertions Markup Language (SAML) 2.0 protocol
71.7. Incident Response Vs. Disaster Recovery
XXXXXXXXXXResponsibilities- IRT / DRT
81.8. AML Incident Response Plan
XXXXXXXXXXPreparation
XXXXXXXXXXIdentification
XXXXXXXXXXContainment
XXXXXXXXXXEradication
XXXXXXXXXXRecovery
XXXXXXXXXXLessons learned
101.9. Disasters & Recovery Phases
XXXXXXXXXXFive Disasters
XXXXXXXXXXNetwork Collapse
XXXXXXXXXXIncompatible Software Issue
XXXXXXXXXXInadequate Staff Training
XXXXXXXXXXEquipment Malfunction
XXXXXXXXXXVoIP Resource Issue
XXXXXXXXXXDisaster Recovery Phases
XXXXXXXXXXActivation Phase
XXXXXXXXXXExecution Phase
XXXXXXXXXXReconstitution Phase
XXXXXXXXXXMTD |RTO | RPO | Disaster Recovery |Business Continuity
132.
Task 2: Security Policies
132.1.
Backup Policy
132.2.
Computer Use Policy
14References
1. Task 1: Security Policy Development and Risk Management
1.1. Access Control (AC) Policy
The access control policy established the AML Enterprise Access Control for risk management of account management, access monitoring and enforcement, segregation of duties. This policy outlines best practices that the organization should implement for hardware and software security. The standards that will constitute AML policy are mentioned below. The organization is bound to this policy and shall be compliant to the standards documented.
AC-1: Access Control Procedures- AML business system shall adhere to formal documentation that explains the responsibilities, roles, commitment from management, compliance and entities coordination
AC-2: Account Management: AML business Systems should identify authorized users within the organization and specify the privileges. Access should be granted on the basis of valid authorization and associated business functions in coordination with the intention of system use. Accounts should be reviewed periodically.
AC-3: Separation of Duties: Separate duties should be assigned to individuals to avoid malicious activities and collusion. Duties should be documented.
AC-4: System Use Notification: AML business systems should consistently follow the standards, regulations and policies. A notification message for system approval should be displayed prior to granting access to the system.
AC-5: Concu
ent Session Control: AML systems should enforce a limit on the number of concu
ent sessions to 10.
AC-6: Session Lock: A session lock of 120Minutes should be initiated by AML systems over information asset. Lock should be retained until user is identified and authenticated before reestablishing the access.
AC-7: Wireless Access: Usage restrictions and guidelines on implementation of wireless access should be established, unauthorized wireless access to the AML Database should be monitored and wireless access should be authorized before establishing database connection.
AC-8: Publicly accessible Content: AML system should designate individuals to post publicly accessible content on AML’s system. The individuals should be trained to review and avoid posting non-public information.
1.2. Types of Access Controls for AML
AML Company should consider the access control as the paramount feature to ensure system security.
1.2.1. Role-based Access Control (RBAC)
This AC authorizes control over objects and is further established by grouping users according to their roles and responsibilities. They could be reassigned to other roles if required later without affecting the infrastructure of the AC. Being a healthcare company, the main functions of RBAC would include storing and exchanging healthcare product records, management of data using smart devices. This AC shall control overall costs and tremendous incentives n efficiency based on roles ensuring that the right person gets access to right information at the right time. It will enable disclosure of minimum necessary information needed to achieve an intended purpose.
1.2.2. Mandatory Access Control (MAC)
This AC allows personnel to access the system resources only if they possess clearance of substantially high level. The product or customer information which falls under highly sensitive category are placed under MAC. The sensitivity labels over the type of information and resources helps the designated and authorized personnel to access relevant information according to their scope and profile in order to accomplish their tasks. Mandatory along with role based AC would work the best for AML company under given scenario.
1.2.3. Discretionary Access Control (DAC)
DAC allows an individual to access any object or program within the system, granting the individual complete control over the resources. It can be helpful for internal working of the employees on the resources where least restriction is required for daily operations at AML. But this should also follow the AC policy as it comes with great responsibility expected from the authorized personnel to ensure that the system is not left vulnerable and the system security level settings and permissions are used responsibly.
1.3 Threat Control
1.3.1. SQL Injections attacks
This attack can be controlled by using stored procedures and prepared statements within AML database. Principle of least privilege (PoLP) should be implemented on each account to ensure that each individual has access to minimum relevant information and resources while accomplishing the task specific to his role.
1.3.2. Ransomware