- Explain the principles of information security and the measures to secure information.
- Develop an information security policy to demonstrate security awareness.
- Identify and describe security implications for modern networks
Weighting:
20% of the overall mark
Instructions
This is an individual project, in which the student will submit a report of
3000 words +/- 10% excluding appendices. The report should include:
• Security policies, standards and procedures with recommendations.
• Define the concepts and principles of information security and the
methods used to secure assets, with good practice and
recommendations
The Phase-1 report should be uploaded on Moodle via Turnitin by Sunday
22 Nov 2020 at 11.55pm.
Late submissions will obtain a maximum of 60%; any submission later than 3
days from the deadline will obtain 0.
Learning outcomes assessment:
1 2 3 4 5
Step
1
2
3
4 X X X
5
6 X X X
7
8
9 X X X
Sum_LO’s 3 3 3
Please read this assignment carefully and the instructions that accompany this document
Scenario:
A security policy is the cornerstone of any project for preserving business integrity. It aims at identifying
the threats that could impact and cause damage and/or harm to a company and solutions to transform
the organization to ensure that it is more secure. As a result of this scenario you will be required to
arrive at a solution and complete a report which will include any relevant recommendations to improve
security aspects within the organization itself. Bahrain PLC is a manufacturer of aerospace parts which is
located in the Kingdom of Bahrain and considers its line of business as highly competitive because there
are several companies that compete with them for the same government contracts. The company
recently received warnings from government agencies that foreign intelligence agencies were interested
in some of the research that the company was and is still conducting.
A government contract requires Bahrain PLC to conduct a formal process of risk assessment and
management of its operations. This process includes identifying risks and potential threats to the
company’s IT infrastructure in which the senior management have identified several areas of concern.
These areas included the following:
• Security procedures in relation to the location and building layout of Bahrain PLC’s plant
• Security controls relating to the release of confidential information to competitors and foreign
governments
• Potential threats and risks from potential hackers attempting to break into Bahrain PLC’s
internal network or public Web site
• Risk management methods used with regard to
o Bad organizational operational practices
o Bad practices/mistakes by users
Bahrain PLC’s office and manufacturing buildings are located on a small road between a public beach
and a public park.
• The first floor of the office building, which houses the research department, has a patio area
located next to the beach that Bahrain PLC employees use during their lunch hour and
during coffee breaks.
• Administrative offices are located on the second floor. Bahrain PLC manufactures its products in
this two-story manufacturing building.
• PLC’s datacenter is located in the basement and contains the following:
2 Windows Server 2003 SP1, 10 Windows Server 2008 SP1 and 20 Windows Server 2012 servers, Red Hat Enterprise
Linux 7.7, a Cisco intrusion detection system, an ASA firewall and Fibre Channel SAN storage.
• The organization is connected to the Internet with a single Internet provider, through a single
firewall.
You have been hired as a security specialist to help the organization conduct the risk assessment and build
an information security policy.
• You notice that employees use Wi-Fi to connect their mobile devices through legacy wireless
access points. In addition, WEP (Wired Equivalent Privacy) is being used for encryption.
• Many employees reported that they received an e-mail asking users to update their information on
the company’s Web site. After investigating, you found a legitimate-looking e-mail, but the URLs in
the e-mail actually point to a false Web site.
• While taking a tour inside the company, you noticed that the employees in the finance
department were throwing unused printed papers into the trash without damaging them.
• During one of your periodic checks to see how well the security policy is being observed by the
employees, you discover that an employee has attached his mobile phone to his workstation and enabled
tethering to access the Internet, bypassing the company firewall.
• After reviewing the company’s firewall settings, you noticed that there are hundreds of thousands of
brute-force attempts generated from various IP addresses around the world.
• An IT staff member told you that a former information security expert was fired for various
technical reasons and was unhappy when leaving his position.
• Your organization’s IT system administrator backs up data to on-site storage; the backups take
place manually at planned intervals.
Task 1 (15 Marks)
Introduction
Provide a professionally formatted introduction that gives a general overview and the objectives of the
report. Include a table of references (minimum 15, and it should include books, journals, white papers and
legitimate verifiable websites).
Task 2 (5 Marks)
Identify and categorize the assets to be protected, including their relative value, sensitivity or
importance to the organization. (Servers, desktops, mobile, storage, network, security, web applications,
database).
Task 3 (5 Marks)
Produce a physical design of customer premises indicating where all assets should be located and
methods of securing all assets physically from internal and external threats. Your design should be
reasoned and justified.
Task 4 (15 Marks)
Risk Management
Discuss different risk scenarios and carry out security risk assessment for the organization using
appropriate methods. Identify and discuss ISO 2700X standards related to risk management and use its
methodology to carry out an assessment on the relevant components. You are required to build a risk assessment
matrix (at least 15 risks).
Task 5 (15 Marks)
Produce a full qualitative and quantitative risk analysis for all risks found in Task 4, including all elements,
information assets, supporting assets.
Task 6 (15 Marks)
Research and investigate the widely used Critical Security Controls to reduce risk at your organization.
You should produce a minimum of 15 controls that vary in their effectiveness and relate to the CIA triad
as follows:
- Controls that mitigate known attacks.
- Controls that address a wide variety of attacks.
- Controls that identify and stop attackers early in the compromise cycle.
Task 7 (15 Marks)
Security policies and procedures
Based on your risk assessment, produce a comprehensive security policy and procedures that are fit for
purpose. This should be relevant to ISO 27001 standards and must cover the following areas:
• Physical Security
• Application
• Information
• Network
• Operations
• Data security (encryption)
• Access Control
• End user Education
• Disaster recovery
Produce at least one security procedure for each policy component. You must use appropriate
templates that are professionally formatted.
Task 8 (10 Marks)
Top management is planning to build a SOC (Security Operation Center) at PLC.
Your manager asked you to research SOCs and provide a detailed report containing the following:
- Explain what a SOC is, how it works and how your organization can benefit from a SOC.
- Discuss the components of a SOC and explain the tasks carried out by the SOC team.
- Discuss how you can improve your company's security posture to best protect your organization
after implementing a SOC (Security Operation Center).
Task 9 (5 Marks)
Conclusion and Recommendations
Conclude your findings in all tasks and provide recommendations for your organization's executives
regarding future information security best practices.
PLEASE READ ADDITIONAL NOTES BELOW BEFORE SUBMISSION
Caution:
You should consider the following key points in your investigation:
• Topic should be discussed critically in detail.
• A word count of 3000 words +/- 10% will be allowed for this report.
• The introduction and table of contents will not be included in the word count
• Appendices are required but will not count towards the word count.
• A reference list should be included as the first appendix (include references in your main body of
text).