Unit code | CMP71001 |
Assignment 2 | Cybersecurity report for an SME |
Due Date | February 05, 2020 |
Learning Outcomes | 3, 4, 6 |
Graduate Attributes | 3, 4 & 5 |
Weight | 30% of overall unit assessment |
Suggestion |
Contents
Details
Task
Task Information
Report Requirements
Assignment Submission
Late submission
Marking key
Details:
Value: 30% of the final mark for the unit
Length: Maximum of 4000 words excluding title, contents and reference pages
Kala Design (KD) is a small to medium enterprise (SME) printing and graphics design company operating in Brisbane, Gold Coast and Sydney. They also have a web presence for e-commerce (e.g. online orders and payment) and a customer relationship management (CRM) system with information about products and services purchased (e.g. customer details, customer purchase history and payment details, problem reports, work details, etc.). They also have a marketing system that allows for digital marketing using e-mail, social media, and any other modern marketing techniques.
KD currently employs 30 people – none of whom have any cybersecurity expertise. There are plans to expand the number of employees to at least 80. The boss’s 19-year-old niece and nephew were responsible for all computer and network administration related matters for the past two years. An asset register exists but, unfortunately, is far from adequate.
KD has recently won a financially rewarding two-year contract, making them responsible for printing government documents. They are progressively scaling up their online presence as a result and have just published a new prototype catalogue online using Weebly. In recent months, employees have noticed computers progressively operating slower and random malware-inspired popups being displayed.
In addition to the asset registry, the following is an overview of notes you have from a meeting, with the owner, of the current situation within KD:
- The Operating System (OS) software environment consists of a mix of Windows 7/10 laptops, some smart-devices, three design-specific machines running macOS High Sierra 10.13.0, and two machines running Linux (Debian). Some laptops have been purchased specifically for KD and others are brought in/taken home each day by the employees (BYOD).
- None of the PCs or laptops contain any additional security software outside the default Windows and Mac offering.
- Patch/update levels across laptops are unknown, with each workstation encompassing varying desktop configurations. The last time any known updates were applied was May, 2019.
- Internet access is via ADSL using D-Link DSL-2740B wireless routers.
- A QNap TS-412 NAS is used to back up workstation data (at each employee’s discretion) using WinSCP. The username/password for the NAS admin account is kala/kala123.
- A Windows 2000 Server was previously operational in the organisation but a power surge, caused during a severe weather event, resulted in hardware no longer functioning.
- Each employee receives on average 40-80 spam messages each day.
- In January 2020, two workstations succumbed to a ransomware attack and KD paid the ransom.
- There are currently no policies or rules guiding employees on how to best utilise resources and conform to ideal cybersecurity conscious behaviours.
- Employees can access each other’s computers and email accounts.
- Data is emailed/stored without using any cryptographic techniques.
- Last week an employee found a USB flash drive in the car park and plugged it into their computer. Since then, the employee has claimed that the computer appears to have “a mind of its own”.
Task (read carefully!)
You have been hired to advise on the cybersecurity issues and develop a range of recommendations to ensure KD can fulfil current and future contractual obligations. The employees are comfortable, and reluctant to change their current cybersecurity behaviour. Many of the employees believe that the company is functioning correctly and does not need a new cybersecurity operational model. KD’s manager is committed to addressing the cybersecurity issues and culture of the workplace and has allocated a sum of $250,000 to achieve the goal.
The manager has requested that you compile a succinct report addressing the top eight (8) cybersecurity related issues only. In producing your solution, and using what you have learned to date, you must address the following requirements:
- Why is the chosen cybersecurity issue being included within the “top 8”?
- An explanation/demonstration of the potential consequences of the identified issue (think cybersecurity risk identification and assessment here!). At a minimum, you must address the inadequate asset register.
- A detailed explanation/demonstration of how you propose to address the issues (think cybersecurity risk controls here!)
- Why is your chosen control/solution better than alternative approaches?
- A detailed breakdown of the cost/benefit in addressing the selected issue.
- Develop a preliminary Cybersecurity Contingency Plan (CP) for KD that addresses the four key elements of a CP.
Task Information (read carefully!)
- The report should be communicated in a manner that would be applicable for someone with little or minimal computer technical literacy. For example, if you were discussing the remedy of a ‘network security’ issue, a simple network diagram (using Microsoft Visio for example) can be very useful. Diagrams/graphics are not counted as part of the word count.
- You must address the inadequate asset register as part of your report. You may make assumptions where required but be sure to state what assumptions you are making. You can include your updated asset registry in an appendix (it will not be counted as part of the word limit).
- Not all solutions/controls need to be of a technical nature. Think outside the box about what needs to be rectified within this growing organisation. You must discuss, compare and reference appropriate models and frameworks in coming to your decisions.
- Marks are not awarded for selecting the correct “top 8”. Rather, marks are awarded for adequately justifying why the “top 8” were selected.
- You must make use of adequate in-text references throughout your entire report.
- Be creative in how you choose to communicate your findings. The report does not have to be a large collection of paraphrased text. Diagrams are a much more effective way of communicating an idea or concept. Tables and charts are an effective way to draw comparisons or contrast different ideas. However, all supporting material must be adequately referenced and acknowledged.
Report Requirements
Title page | Unit code and title, assignment title, your name and student number, campus, and your tutor’s name. |
Table of contents | This must accurately reflect the content of your report and should be generated automatically in Microsoft Word with page numbers. |
Introduction | A succinct overview of the report. How did you formulate your solutions? What approach did you use to undertake your research into the subject matter? What issues are being addressed in the report? |
Main content | This section should be divided into components that address each issue independently. Each component should clearly address the report requirements as depicted in the task outline. |
Summary | The section should briefly draw together the main points raised in the report. You should not introduce or discuss any new information. |
Reference list | A list of references formatted according to the SCU requirements using the APA format. Using the Endnote software will make this process very easy. |
Appendix | Include an updated asset registry as part of cyber risk management processes and any other items you consider necessary. |
Assignment Submission
The submission must be a single document (e.g. Word, PDF), submitted through Blackboard via the submission portals, including the Turnitin portal.
Late submission
If you submit your assignment after the due date, then you will be penalised in accordance with the standard SCU regulations of 5% of the maximum mark, for every work-day that your assignment is late. If your assignment is submitted more than 6 days late, then you will be awarded a mark of 0 for the assignment.
Marking key
Criteria | Level of Achievement |
 | Not met | Attempt made | Good attempt | Almost perfect | Perfect |
Title page, contents page, introduction and conclusion meet the report requirements? | 0 | 0.25 | 0.5 | 0.75 | 1 |
Selected ‘issues’ are adequately justified to demonstrate their inclusion in the “top 8”? | 0 | 1.5 | 3 | 4.5 | 6 |
Solutions/strategies to address selected issues are technically correct/appropriate. | 0 | 2 | 4 | 6 | 8 |
Proposed solutions/strategies have been compared/contrasted to alternatives. | 0 | 1 | 2 | 3 | 4 |
Financial costs of addressing issue have been assessed and correctly documented? | 0 | 1 | 2 | 3 | 4 |
A CP has been sufficiently researched and developed. | 0 | 1 | 2 | 3 | 4 |
In-text references have been used correctly and align to an appropriately formatted reference list. | 0 | 0.75 | 1.5 | 2.25 | 3 |