CI7130 (Network and Information Security) Coursework (Security Assessment Report and Business Continuity Plan)

This coursework allows you to extend your knowledge and understanding of a particular topic presented during the taught component of the module.

SYNOPSIS

For this coursework, you are being asked to write a technical report on a broad security assessment activity, and a plan for business continuity. This will overall comprise of three sections: (a) an executive summary, (b) security assessment of the (preferably fictitious) organisation, and (c) a rudimentary version of a business continuity plan, containing an outline of a security policy for a specific aspect identified in the second part.

You must not use a real organisation without the express and written permission from a senior person within the organisation and this written permission must be appended to the report. If you are using a real organisation, make sure you are not including any confidential information in your coursework report and contact the module leader to arrange additional precaution measures.

It is important that your report is realistic and specific. It should be suitable as an example of a document that could be used for a real organisation (see below for further details on the choice of your organisation). You need to be aware of the differing audiences for the separate sections, as further explained below. Please also create a cover page, which lists your name, student ID number, and description of assessment (CI7130 coursework report or similar).

The first section is to be a single-page executive summary, which is targeted at the organisation’s managers and executives (i.e. non-technical people, so you should be careful about the use of jargon or technical terms). This part of the report should contain an outline of the identified key issues (such as threats or vulnerabilities to critical assets) and a statement of the recommendations (security controls) to be adopted. In order to be specific, you need to give precise information about required quantities, resources and budget.

In the second section, a more detailed analysis is required. This is directed at the technical staff within the organisation and/or the technical specialists you will use for the implementation.

You may use any suitable framework that was discussed in the lectures for the actual security assessment, for example OCTAVE, OCTAVE Allegro, STRIDE or NIST RMF might be appropriate methodologies. You may also combine (elements of) frameworks, if you feel this is suitable. Please clearly indicate which framework(s) you are using, including a justification including some key references to backup your arguments.

In an initial section, you need to identify potential members of the team required to assess and deliver the solution (do not include names, etc., but job roles, e.g. Network Administrator, Company Director, etc.). Following this, the potential scope to be assessed should be specified

(be it functional or geographical, etc.).

As the next step, your security assessment of the organisation, will involve highlighting a small number of key critical assets, and identifying potential threats to these assets, and their vulnerabilities. The exact order and method for doing this will depend on your chosen framework. A least two different categories of assets need to be involved, if you are focusing on information assets, you need to identify appropriate container assets. You should give your reasons for selection of your critical assets.

Your security assessment needs to include a final section suggesting technologies and architectures that can be employed as mitigation techniques, to protect the highlighted assets. This might be a natural part of your chosen security assessment framework(s), or an addition that is required if not provided by the framework. Explanations of how they counter security attacks are required as part of a justification of their suitability.

You are not being asked for the exact details or configuration of the proposed solutions, it is enough to specify the technologies. Then identify the proposed architecture of your recommendations (a network diagram may help illustrate your solution, but remember that you don’t need to have done a full detailed design).

You should indicate key tasks that need to be performed and hardware that needs to be purchased (don’t list equipment exhaustively, rather state in what order equipment should procured and deployed). You should include a broad schedule of tasks, without going into technical details.

The third part describes an initial version of a business continuity plan for the organisation, the target audience of which are the organisation’s managers. You may follow the template structure that was presented in the lecture, or else adopt your own, but it is essential that you include a basic security policy that relates to at least one of the issues identified in the second, security assessment part of your report.

The organisation is essentially of your own choice. It could be fictitious (made up) or a real organisation; you may also use the University. It must not be a real organisation without the express and written permission from a senior person within the organisation. If you are using a real organisation, make sure you are not including any confidential information in your coursework report.You may consult with the coursework setter for preliminary feedback on the suitability of your solution during the coursework briefing session and within the specified time of up to one week after the end of the second teaching week.

REPORT STRUCTURE

Please use font size 11pt Arial throughout the report. Overall, your report should consist of 12 pages, including references. Only key sources should be referenced, such as conference and journal papers or white papers, further documenting your chosen security framework(s).

References should take the following form: full list of authors (i.e. not ‘et al.’), title of paper/book, title of journal (publisher if a book), year of publication, volume number and first and last page numbers. If you are using a Web reference, the full URL must be included along with the date of access. The references should be listed at the end of the report, but assimilated into the text identified by the reference number in square parentheses (this is the Vancouver referencing style).

Please use the following more detailed guidelines concerning the structure of your report:

• Cover Page (1 Page)
• Executive Summary (1 Page)
• Security Assessment Report (6 Pages)
  • Identification of Critical Assets, Threat and Vulnerability Assessment, Risk (5 Pages)
  • Prioritised List of Issues (1 Page)
• Business Continuity Plan (4 Pages)
  • Introduction
  • Description of Continuity Plan
  • Security Policy
• References (1 Page)

ASSESSMENT CRITERIA – MARKING SCHEME

This coursework component contributes to 50% of the overall module grade. The marking scheme of this assignment is based on several criteria with corresponding weights, given as follows:

• Executive Summary (Suitable Title and Author information, introduces organisation and team, summarises security assessment activities and main findings) – 10%
• Security Assessment – 35% (Correct application and use of chosen framework(s), completeness, specific and realistic, correct terminology and/or use of formal worksheets)
• Business Continuity Plan – 25% (Specific and realistic, quality of security policy, relates to security assessment)
• Scope – 20% (Breadth and depth of the report, technical accuracy)
• General Presentation (Use of language, adherence to formatting instructions, professional appearance, appropriate addressing of target audience, quality of diagrams, use of references) – 10%

SUBMISSION INFORMATION

You may consult with the coursework setter for preliminary feedback on the suitability of your solution during the coursework briefing session and within the specified time of up to one week after the end of the second teaching week.

The report needs to be submitted as softcopy only, by uploading to Canvas, using the provided link. The deadline for submission of the completed coursework is Monday, May 02 23:59h.

Once the deadline has passed, a late coursework link will still be available for you in

case you had difficulties with the submission, but you need to e-mail the coursework setter if you have used it and you may experience a penalty. You will receive written feedback, including your mark, 3 working weeks after the submission deadline.

Academic Misconduct (Cheating) The University defines this as any form of attempt by a student to gain an unfair advantage in assessments or to aid another to gain such an advantage. Examples of types of academic misconduct are included in the regulations, and further information and support can be found here. Your work will be scrutinised for academic misconduct, including its originality score based on matches with other sources, using the TurnitIn site.

Get expert help for CI7130 (Network and Information Security) Coursework (Security Assessment Report and Business Continuity Plan) and many more. 24X7 help, plag free solution. Order online now!