Introduction to Information Security

  1. Explain the principles of information security and the measures to
    secure information.
  2. Develop an information security policy to demonstrate security
  3. Identify and describe security implications for modern networks
    20% of the overall mark
    This is an individual project, in which the student will submit a report of
    3000 words +/- 10% excluding appendices. The report should include:
    • Security policies, standards and procedures with recommendations.
    • Define the concepts of and principles of Information security and the
    methods used to secure assets with good practice and
    The Phase-1 report should be uploaded on Moodle via Turnitin by Sunday
    22 Nov 2020 at 11.55pm.
    Late submission will obtain maximum %60, any submissions later than 3
    days from the deadline will obtain 0.
    Learning outcomes assessment:
    1 2 3 4 5
    4 X X X
    6 X X X
    9 X X X
    Sum_LO’s 3 3 3
    Please read this assignment carefully and the instructions that accompany this document
    A security policy is the cornerstone of any project for preserving business integrity. It aims at identifying
    the threats that could impact and cause damage and/or harm to a company and solutions to transform
    the organization to ensure that it is more secure. As a result of this scenario you will be required to
    arrive at a solution and complete a report which will include any relevant recommendations to improve
    security aspects within the organization itself. Bahrain PLC is a manufacturer of aerospace parts which is
    located in the kingdom of Bahrain and considers its line of business as highly competitive because there
    are several companies that compete with them for the same government contracts. The company
    recently received warnings from government agencies that foreign intelligence agencies were interested
    in some of the research that the company was and is still conducting.
    A government contract requires Bahrain PLC to conduct a formal process of risk assessment and
    management of its operations. This process includes identifying risks and potential threats to the
    company’s IT infrastructure in which the senior management have identified several areas of concern.
    These areas included the following:
    • Security procedures in relation to the location and building layout of Bahrain PLC’s plant
    • Security controls relating to the release of confidential information to competitors and foreign
    • Potential threats and risks from potential hackers attempting to break into Bahrain PLC’s
    internal network or public Web site
    • Risk management methods used with regards to
    o Bad organizational operational practices
    o Bad practices/mistakes by users
    Bahrain PLC’s office and manufacturing buildings are located on a small road between a public beach
    and a public park.
    • The first floor of the office building which houses the research department (has a patio area
    which is located next to the beach that Bahrain PLC employees use during their lunch hour and
    during coffee breaks).
    • Administrative offices are located on the second floor. Bahrain PLC manufactures its products in
    this two-story manufacturing building.
    • PLC’s datacenter which is located at the basement and contains the following:
    2 windows server 2003 SP1, 10 windows server 2008 SP1 and 20 server 2012 ,Red hat Enterprise
    Linux 7.7, Cisco Intrusion detection system, ASA firewall. Fiber channel SAN storage,
    • The organization is connected to the Internet with a single Internet provider, through a single
    You have been hired as security specialist to help organization conducting the risk assessment and build
    information security policy.
    • You notice that Employees use Wi-Fi to connect their mobile devices through a legacy Wireless
    access points. In addition, WEP (Wired Equivalent Privacy) is being used for encryption.
    • Many employees reported that they received email asking users to update their information on
    the company’s Web site, after you investing you found a legitimate-looking e-mail but the URLs in
    the e-mail actually point to a false Web site.
    • While taking a tour inside the company, you noticed that the employees in the finance
    department were throwing unused printed papers into the trash without damaging them.
    • During one of your periodic checks to see how well security policy is being observed by the
    employees, you discover an employee has attached his mobile phone to his workstation and enable
    tethering to access interment bypass company firewall.
    • After reviewing the company’s firewalls settings Noticed that there is Hundreds of thousands
    brute-force attempts generated from various IP addresses around the world.
    • An IT staff member told you that a former information security expert was fired for various
    technical reasons and was unhappy when leaving his position
    • Your organization IT system administrator backup data with on-site storage, the backup take
    place at planned intervals manually
    Task 1 (15 Marks)
    Provide professionally formatted Introduction that provides a general overview and objectives of the
    report. Include table of references (minimum 15 and should include books, journals, white papers and
    legitimate verifiable websites).
    Task 2 (5 Marks)
    Identify and categorize the assets to be protected, including their relative value, sensitivity or
    importance to the organization. (Servers, desktops, mobile, storage, network, security, web applications,
    Task 3 (5 Marks)
    Produce a physical design of customer premises indicating where all assets should be located and
    methods of securing all assets physically from internally and externally threats. Your design should be
    reasoned and justified.
    Task 4 (15 Marks)
    Risk Management
    Discuss different risk scenarios and carry out security risk assessment for the organization using
    appropriate methods. Identify and discuss ISO 2700X standards related to risk management and use its
    methodology to carry out assessment on relevant component. You are required to build risk assessment
    matrix (at least 15 risks)
    Task 5 (15 Marks)
    Produce fully qualitative and quantitative risk analysis for all Risk found at Task 4, including all elements,
    information assets, supporting assets
    Task 6 (15 Marks)
    Research and investigate the widely used Critical Security Controls to reduce risk at your organization.
    You should produce a minimum of 15 controls that vary in their effectiveness and relate to the CIA triad
    as following:
  • Controls that mitigate known attacks.
  • Controls that address a wide variety of attacks.
  • Controls that identify and stop attackers early in the compromise cycle.
    Task 7 (15 Marks)
    Security policies and procedures
    Based on your risk assessment, produce a comprehensive security policy and procedures that are fit for
    purpose. This should be relevant to ISO 27001 standards and must cover the following areas:
    • Physical Security
    • Application
    • information
    • network
    • operations
    • Data security (encryption)
    • Access Control
    • End user Education
    • Disaster recovery
    Produce at least one security procedure for each policy component. You must use appropriate
    templates that are professionally for formatted.
    Task 8 (10 Marks)
    Top managements are planning to Build SOC (Security Operation Center) at PLC,
    Your manager asked you to do research about SOC and provide details report containing
  • Explain what SOC are, how it works and how your organization can benefit from SOC.
  • Discuss the components of SOC ,explain the tasks carried out by SOC team
  • Discuss how you can improve your company security posture to best protect your organization
    after implementing SOC (Security Operation Center).
    Task 9 (5 Marks)
    Conclusion and Recommendations
    Conclude your findings in all tasks and provide recommendations for your organization executives
    regarding the future Information Security best practices
    You should consider the following key points in your investigation: –
    • Topic should be discussed critically in detail.
    • A word count of 3000 words +/- 10% will be allowed for this report.
    • The introduction and table of contents will not be included in the word count
    • Appendices are required but will not count towards the word count.
    • A reference list should be included as the first appendix (include references in your main body of

Sample Solution