MIS607 Cyber Security Management

Question:

The Subject Learning Outcomes demonstrated by successful completion of the task below include:

  1. Explore and articulate cyber trends, threats and staying safe in cyberspace, plus protecting personal and company data.
  2. Analyse issues associated with organisational data networks and security to recommend practical solutions towards their resolution.
  3. Evaluate and communicate relevant technical and ethical considerations related to the design, deployment and/or the uses of secure technologies within various organisational contexts.

Task Summary

Reflecting on your initial report (A2), the organisation has decided to continue to employ you for the next phase: risk analysis and development of the mitigation plan.

The organisation has become aware that the Australian Government (AG) has developed strict privacy requirements for business. The company wishes you to produce a brief summary of these based on real-world Australian government requirements (similar to how you used real-world information in A2 for the real-world attack).

These include the Australian Privacy Policies (APPs), especially the requirements on notifiable data breaches. They want you to examine these requirements and advise them on their legal requirements. Also ensure that your threat list includes attacks that lead to customer data breaches. The company wishes to know if the GDPR applies to them.

The word count for this assessment is 2,500 words (±10%), not counting tables or figures. Tables and figures must be captioned (labelled) and referred to by caption. Caution: Items without a caption may be treated as if they are not in the report.

Be careful not to use up word count discussing cybersecurity basics. This is not an exercise in summarising your class notes, and such material will not count towards marks. You can cover theory outside the classes.

Requirements

Assessment 3 (A3) is in many ways a continuation of A2. You will start with the threat list from A2, although feel free to make changes to the threat list if it is not suitable for A3. You may need to include threats related to privacy concerns. Beginning with the threat list:

  • You need to align threats/vulnerabilities, as much as possible, with controls.
  • Perform a risk analysis and determine controls to be employed.
  • Combine the controls into a project of mitigation.
  • Give advice on the need for ongoing cybersecurity, after your main mitigation steps.
  • You must use the risk matrix approach covered in classes. Remember risk = likelihood x consequence.
  • You should show evidence of gathering data on likelihood, and consequence, for each threat identified. You should briefly explain how this was done.
  • At least one of the risks must be so trivial and/or so expensive to control that you decide not to control it (in other words, in this case, accept the risk). This applies to at least one of the risks, but obviously not all.
  • Provide cost estimates for the controls, including policy or training controls. You can make up these values but try to justify at least one of the costs (if possible, use links to justify costs).
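As an added worked example (not part of the assignment brief), the risk-matrix steps above carried through in Python on a constructed threat register: each threat gets a likelihood and a consequence on a 1 to 5 scale, risk = likelihood x consequence is banded on a 5x5 matrix, and each control is either applied or the risk is accepted based on its cost per point of risk removed. The threat names, STRIDE letters, scores, control costs and the cost threshold are all constructed assumptions, not figures from the brief.

```python
"""Added worked example: risk = likelihood x consequence on a 5x5 matrix,
then a treat/accept decision per threat. All values are constructed samples."""
from dataclasses import dataclass

def rating(score):
    """Band a 1..25 risk score into the matrix colours."""
    if score >= 15: return "Extreme"
    if score >= 8: return "High"
    if score >= 4: return "Medium"
    return "Low"

@dataclass
class Threat:
    name: str
    stride: str                # STRIDE category letter
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    consequence: int           # 1 (insignificant) .. 5 (severe)
    control: str
    control_cost: float        # constructed one-off cost, AUD
    residual_likelihood: int   # likelihood after the control is applied
    residual_consequence: int  # consequence after the control is applied

def inherent_risk(t): return t.likelihood * t.consequence
def residual_risk(t): return t.residual_likelihood * t.residual_consequence

def decide(t, max_cost_per_point=5000):
    """Treat High/Extreme risks regardless of cost; otherwise treat only when
    the control is cheap per point of risk removed, else accept the risk."""
    reduction = inherent_risk(t) - residual_risk(t)
    if rating(inherent_risk(t)) in ("High", "Extreme"):
        return "treat"
    if reduction <= 0 or t.control_cost / reduction > max_cost_per_point:
        return "accept"
    return "treat"

THREATS = [  # constructed sample register (name, STRIDE, L, C, control, cost, L', C')
    Threat("Phishing leading to credential theft", "S", 4, 4, "MFA + awareness training", 12000, 2, 3),
    Threat("Customer database exfiltration (notifiable breach)", "I", 3, 5, "Encryption at rest + access review", 40000, 2, 4),
    Threat("Insider tampers with audit logs", "R", 2, 3, "Immutable central log store", 15000, 1, 3),
    Threat("Defacement of marketing microsite", "T", 2, 1, "WAF subscription", 9000, 1, 1),
]

def build_register(threats=THREATS):
    """Return one row per threat, sorted from highest inherent risk down."""
    rows = [{"threat": t.name, "stride": t.stride, "inherent": inherent_risk(t),
             "rating": rating(inherent_risk(t)), "residual": residual_risk(t),
             "decision": decide(t), "cost": t.control_cost} for t in threats]
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)

if __name__ == "__main__":
    for r in build_register():
        print(f'{r["rating"]:7} {r["inherent"]:>2}->{r["residual"]:>2} {r["decision"]:6} ${r["cost"]:>6,.0f} [{r["stride"]}] {r["threat"]}')
```

The register output gives the evidence the brief asks for: the score before and after each control, the cost, and exactly one risk that is accepted because the control costs more per point of risk removed than the threshold.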

A3 requires at least 5 references (but as many as you like above this number) with at least 3 references coming from peer-reviewed sources: conferences or journals. (You can put a star “*” after these in the reference section if you want to highlight which are peer reviewed.)

One of the peer-reviewed articles must be uploaded in pdf format along with the A3 report (this can be done in BB). This pdf will be referred to here as the “nominated article”. (Zero marks for referencing if the nominated article is not itself peer-reviewed.) Of course, the nominated article should be properly referenced and cited, but you need to cite an important direct quote from within the article (with page number), not just a brief sentence from the abstract. The quote should also relate to the main topic of the article, not just a side issue.

The report should consist of the following heading structure.

With subject code and name, assignment title, student’s name, student number, and lecturer’s name. Also include AI declaration.

This should be written after the report and should briefly summarise what you did and what you found. It should be capable of being read by management generally, even those with relatively little IS experience.

Body of the Report
  • Threat list and STRIDE categorisation summary
  • Threat analysis using risk matrix
  • Threats and controls
  • Mitigation scheme
