Report and Presentation Requirements
Dr Ian Storey, 2018

Fact Finding

Fact finding is a major component of the analysis in this assignment. Describe the techniques used, and give a small number of examples with associated data (no less than 3). For example, provide pivotal statements made by management in the report.

Quantitative Analysis

You will provide a quantitative analysis backed by a detailed Excel spreadsheet, presented in the form of threat/control pairs, as shown in lectures. You need no less than 10 threats in the spreadsheet. At least one of the threat/control pairs should result in a negative CB. At least two should refer to intangible assets.

It may help you to evaluate an SLE using AV × EF. However, in some cases it can be more natural to estimate the SLE directly. Intangibles, in particular, might be difficult to evaluate using AV and EF.

Any data shown in the report and in the presentation should be appropriate for, and should communicate effectively with, management not familiar with information security terms or risk assessment. Tables must be readable.

If you include the purchase of large control items used in an ongoing way, depreciate them over five years, as in lectures.

Each control in the quantitative analysis should be clearly mapped against a control in Table A.1 in ISO/IEC 27001:2013.

Qualitative Analysis

As well as the quantitative analysis, you are to include a qualitative analysis for at least three threats, derived rigorously from the quantitative analysis with clearly stated boundaries for the qualitative categories. If it is not derived in this way, you will receive 0 marks for this part of the report. The qualitative analysis results should include a risk matrix as discussed in lecture. To have an interesting spread of threats, I would recommend including the highest and lowest ranked threats.
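The quantitative and qualitative steps above, worked through in Python as an added example (this is not part of the brief or the lecture material). SLE = AV × EF and the five-year depreciation of large controls come from the brief; ALE = SLE × ARO and CB = (ALE before - ALE after) - annual control cost are the standard textbook definitions and are assumed here, as are the category boundaries, the Annex A references and every figure, all of which are constructed.

```python
# Added example, not from the assignment brief. SLE = AV x EF and the five-year
# depreciation come from the brief; ALE = SLE x ARO and
# CB = (ALE before - ALE after) - annual control cost are the usual textbook
# definitions and are assumed here. All figures are constructed.
from dataclasses import dataclass
from typing import Optional
DEPRECIATION_YEARS = 5  # large one-off control purchases are spread over 5 years

@dataclass
class ThreatControl:
    threat: str
    iso_control: str             # ISO/IEC 27001:2013 Annex A reference
    aro: float                   # annual rate of occurrence before the control
    aro_after: float             # expected annual rate with the control in place
    capital_cost: float = 0.0    # one-off purchase, depreciated
    annual_cost: float = 0.0     # recurring cost (licences, staff time)
    av: float = 0.0              # asset value, used when sle is not given
    ef: float = 0.0              # exposure factor, fraction of AV lost per event
    sle: Optional[float] = None  # direct estimate, natural for intangibles

    def single_loss(self) -> float:
        return self.sle if self.sle is not None else self.av * self.ef

    def ale(self, aro: float) -> float:
        return self.single_loss() * aro

    def annual_control_cost(self) -> float:
        return self.capital_cost / DEPRECIATION_YEARS + self.annual_cost

    def cost_benefit(self) -> float:
        return (self.ale(self.aro) - self.ale(self.aro_after)
                - self.annual_control_cost())

# Explicit boundaries for the qualitative categories, derived from the quantitative
# figures: likelihood from ARO, impact from SLE. Each tuple is an exclusive upper bound.
LIKELIHOOD_BANDS = [(0.2, "Rare"), (1.0, "Possible"), (float("inf"), "Likely")]
IMPACT_BANDS = [(20_000, "Minor"), (200_000, "Major"), (float("inf"), "Severe")]

def band(value: float, bands) -> str:
    return next(label for upper, label in bands if value < upper)

def risk_matrix_cell(tc: ThreatControl) -> tuple:
    # (likelihood, impact) cell for the threat before the control is applied
    return band(tc.aro, LIKELIHOOD_BANDS), band(tc.single_loss(), IMPACT_BANDS)

REGISTER = [  # constructed threat/control pairs; the second has a negative CB
    ThreatControl("Ransomware on file server", "A.12.3.1", aro=0.5, aro_after=0.1,
                  capital_cost=20_000, annual_cost=3_000, av=150_000, ef=0.6),
    ThreatControl("Reputation loss after breach (intangible)", "A.16.1.1",
                  aro=0.1, aro_after=0.05, annual_cost=4_000, sle=30_000),
]
```

The second pair shows how a control can cost more per year than the annualised loss it removes, which is the negative-CB case the brief asks for.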
Critical Issue

Your presentation and report must include a discussion of a "critical issue" and a discussion of a "recent attack" (see below). The critical issue will be assigned by your tutor, but you are free to make a suggestion. Each team will have a separate critical issue. You can choose from the following, or suggest another.

Accountability (can include cloud issues with this topic)
Ransomware
Backup and Business Continuity
Failure of Policy or Management Commitment
Employee Awareness
Information Security Insurance
Legal Contracts with Cloud Provider
DR
Loss of Customer Details
Social Engineering
Botnets and Trojans
USB attack
Attacks on TLS/SSL
Wi-Fi Insecurities
Phishing Attacks
DoS and dDoS
VPNs
Mobile Devices
Password Storage (for inspiration, see lecture notes and "How NOT to Store Passwords!" - Computerphile)
Physical Security and Water
Theft (Physical)
Identity Theft
Insider attacks
Social Networks
ACL Lists
Security Policy update
Security Policy Documentation
Security Policy Design
Security Policy Dissemination
Biometric Access Control
Bluetooth Attacks
Session Hijacking
Cross-Site Scripting
Rootkit or Bootkit
Logic Bomb
Backdoor
Keylogger
Screen Scraper
Blockchain (discuss this in depth with your tutor before committing to this topic)
Chip and Pin Fraud

The critical issue should feature in your list of threat/control pairs.

Recent Attack

You should propose, research and present (both for the presentation and report) an overall view of a recent real-world attack, preferably related to your critical issue. You should include a CERT reference and a simpler, easy-to-understand reference (an explanatory YouTube link is okay).
The attack should be no more than 15 years old, preferably less than 4 years old. If you cannot find a recent example of an attack featuring your critical issue, then discuss with your tutor. Let your tutor know which real-world attack you are choosing. This attack should be described in the presentation in such a way that other teams can learn from your presentation.

Nominated Reference Articles

Two "nominated" articles must be supplied in PDF form. The articles come from refereed academic sources, either a journal or a conference, and at least one must be from a journal. With all references, RMIT style is required, except that page numbers must be included with the in-text citation of the nominated article, and the cited text should be highlighted in the PDF. The PDFs will not be accepted if these are not done. Provide a copy of the Ulrichs web page to show that the article is scholarly.

Report

The report should be between 2,300 and 3,300 words (excluding appended material and tables).

Any element not labelled and referred to in the report will not be recognised as being in the report. Among other things, this includes figures, tables, references and spreadsheets. Make sure to number appendix elements as, say, Appendix 1, Appendix 2, etc., and refer to them by number from the text. Similarly for figures, tables and spreadsheets, if used. If the Excel file and spreadsheet are not named they will not be counted as part of your assignment. Similarly, references must have citations.

There are academic requirements on referencing and plagiarism which must be adhered to. Incorrect referencing attracts negative marks, possibly zero for the entire assignment. You must use RMIT style.

There is to be a minimum of 9 references overall (including nominated articles, other refereed articles, trade articles, books and lecture notes), with about 12 preferred.
You must reference all the web references you use (be careful to keep track of these as you access them; it is easy to surf and lose track of pages, so at least keep a list of the page URLs so you can go back and reference them properly). All the web references used in the report (and presentation) are required, but no more than 4 web references will be counted in your reference count.

The report does not have to have exactly the same material as the presentation. You can make improvements in the report after the presentation.

You cannot use cloud for this assignment unless it is directly related to your critical issue (for reasons which will be discussed in class).

Format

The report should be in MS Word .doc or .docx format. You must include the following headings, as Word heading styles, in your document. You can have other headings as needed.

Executive Summary
Fact Finding
Critical Issue
Recent Attack
Critique Question
Quantitative Analysis
Qualitative Analysis
Conclusions
References

As soon as possible after your team is formed, nominate one person only from your team who is responsible for uploading to Turnitin and for emailing other deliverables.

The name of the file submitted to Turnitin should be: Report<Team Name>.docx

For example, if your team was named "Defense in Depth" then the Word file should be named ReportDefenseInDepth.docx. Please use only a Word, .doc or .docx, file.

The report Word file is to be submitted via TurnItIn (only one submission per team). The responsibility matrix and the nominated PDF articles are to be submitted by email to your tutor (only one submission per team). The assignment will not be marked until the Word report is submitted to TurnItIn, and the responsibility matrix and the nominated articles have been received. Details of the TurnItIn submission will be conveyed closer to the due date.