1 Part A and B Requirements Dr Ian Storey, Dr Shaahin Madani, 2020 S2 The assignment has two parts, Part A and Part B. Note the assignment due dates on the homepage. You should base the assignment around the business described in the Word file, 2020 S2 TruTrust.pdf. After the groups are finalised, the teaching team will create separate Microsoft Teams work- ing groups for all groups. The MS Teams platform and the assigned group provides all teams with every communication method they require for working on the assignment (e.g. chats, video/voice calls, storing files etc). All working files must be uploaded to your team’s channels (i.e. a Files tab in one of the channels) and worked on from there. Further details about this will be communicated with your when the teams are finalised. Final assignments for marking need to be submitted to TurnItIn via the link on Canvas (only one submission per team please, otherwise you will have 100% plagiarism). Part A For this part of the assignment your team must submit three files, an ALE risk analysis in an Excel spreadsheet, a short Word file as described below, and a responsibility matrix. The files should contain your team name in the title, as below, Part A
ALE.xlsx Part A Documentation.docx Part A Responsibility.docx or .pdf These must be uploaded to TurnItIn via Canvas before the due date/time. The allowed upload file types are: .doc, .docx, .xls, .xlsx. ALE Risk Analysis For Part A of the assignment your team needs to present an ALE risk analysis. You will supply an Excel spreadsheet with at least 12 risks. Ensure the spreadsheet is named appropriately, and separate worksheets should also be named appropriately. You must use Excel calculations in the cells (i.e. use Excel formula). Do not enter calculated values by hand (except those that are not calculated), but make sure that the calculated fields are calculated in the spreadsheet you send to your tutor. This includes data taken from one sheet to another. (Only a maximum of 50% marks will be rewarded if values are inappropri- ately.) Not all risks decisions should be “transfer” or “mitigate”. At least one must be “accept”. Marks will be deleted for an “avoid” decision unless you have discussed it with your tutor. In one of the risks, the control should be some form of policy. 2 Any depreciation of ongoing control costs should be depreciated linearly over five years, as in lectures and tutorials. (This is just for consistency within this course.) Each control in the quantitative analysis should be clearly mapped against a control in Table A.1 in ISO/IEC 27001:2013. Give the code for the control and the brief name of the control. For example, with A.5.1.1, give A.5.1.1, Policies for information security in the sheet. In a separate worksheet from the ALE analysis, include a calculated field for the total cost of your mitigation plan. This should be transferred from the first table, not entered by hand. You can include your consultancy fee in this as well. No more than two worksheets. Accompanying Documentation As well as the Excel file, include a Word file with the following information in dot form. Give your information/answers under the dot points. • Names of the members of your team. • The name of your Excel file. • A cut-down presentable table of your ALE results, including decisions. This should not be your entire spreadsheet, but it should have relevant information that matches your spreadsheet. It should be presentable, as in a readable report to top management. Marks off if this is too busy or simply a copy of your spreadsheet. • The most important risk to consider from your analysis. • The total cost of the mitigation scheme, and how you calculated it. • A brief outline of how you “discovered” the top risk in your analysis. (You can make up a believable “story” of how you discovered the risk.) Just one or two sentences. • Explain why you chose the accept decision for the risk involving this decision. No more than one paragraph. • Nominate a real-world attack (or vulnerability). You do not need to describe the attack for Part A (that comes in Part B). Just give the name of the attack and a web link to the attack: provide a link to a simple, easy-to-understand explanation of the attack. You could also supply a link to a CERT page on the attack. Your tutor might ask you to choose a different attack for Part B, but please have some links to information on the attack. This document should be quite short. It should just cover the above points in outline. Elements of Part A could be reused for Part B. If so, you need to make any changes suggested by your tutor. Part B For Part B, you will submit three files, an Excel spreadsheet, a Word file for the report and a nominated academic article in pdf format. The assignment will not be marked until all these are sent. The files should contain your team name in the title, as below, Part B ALE.xlsx Part B Report.docx 3 Part B Nominated Article.docx or .pdf These should be submitted to TurnItIn on Canvas. ALE Excel Workbook You can submit some of the same risks as presented in the worksheet for Part A if they were satisfactory, but you must resubmit. Report Word File The Word file will be in the form of a business report, but referencing must be done with academic rigor. “Discovery” for 3 Risks You need to select a discovery technique and give a report (make up a “discovery story”) of how you discovered three of the risks in your ALE analysis. The goal here is to visualise the report as being the result of discovery. Only a short paragraph is required. You can include, or slightly expand on, risks from Part A if they were satisfactory. One of the three risks must be discovered using a questionnaire and you need to include an example of one Likert scale question (question only). In the explanation of the response “dis- covery”, you can suppose a particular median response, or mean and standard deviations if numbers were used. Of course, explain what threat this revealed. Qualitative Analysis You need to convert the ALE analysis into a risk matrix as discussed in class. (You can have three separate matrices or include all three in one matrix clearly labelled.) You need to, • convert only the three “discovered” risks, • derive the matrix rigorously from the quantitative analysis, • show unambiguously stated cell (bin) boundaries. You can use your own levels, but they must correctly translate the same threats from quantitative analysis. It is up to you how you divide up the cells, but they need to be clearly stated and properly transformed. Word Count The report should be between 2,500 to 4,000 words (excluding appended material and ta- bles). Nominated Article You need to submit a nominated article in PDF form. The following are required for the nom- inated article, • the article must come from refereed academic source, either a journal or a confer- ence. Provide evidence of the academic quality of the article either using screen- shots from the library site or use Ulrichs to show that the article is both scholarly and peer reviewed. This can be submitted as an appendix to your report. • supply the article in pdf format, 4 • provide a link where the tutor can download the article (if you can access it from the library, the tutor should be able to as well), • the nominated article needs to be read by you and included sensibly inside the report no less than 3 times (and not just a basic citation of the article’s abstract), • page numbers must be included in the citations to the nominated article, even with paraphrased text (to help the tutor), • the relevant sections of the nominated article used in the report need to be high- lighted in the PDF file. References and Nominated Reference Article(s) Your report will need to be properly referenced. You need to reference, • the nominated article • at least 2 other academic references (not web page links) • at least 6 references overall including the reference to the nominated article, any ac- ademic references, white papers, lecture notes, or 2 web page links. You can include as many web references as you like, and please include all links you used. However, no more than 2 web links will be included in your reference count. Be careful to keep track of any reference, including web pages, as you access them. It is easy to surf and lose track of pages. RMIT Harvard style should be used with all references and citations. Incorrect referencing attracts negative marks, possibly zero for the entire assignment. Note that an uncited refer- ence or and unreferenced citation will be heavily penalised. Tutors can ask you to supply evidence of any quoted material: PDFs, screen shots, web links, etc. If you supply more than one article in pdf format, please indicate the name of the nomi- nated article. Report Format You must use the following headings, as Word heading styles, in your document. • Executive Summary Needs to be written very carefully and effectively. If you have not written an executive summary before, you will need to do research to learn how a good executive summary is written. • Fact Finding/Discovery Be sure to clearly explain techniques and give short examples. • Real-World attack • Quantitative Analysis Show a presentable chart, but reference the Excel file. • Qualitative Analysis Accurate conversion of quantitative for 3 threat/control pairs • Conclusions • References 5 Responsibility Matrix for Part B, submitted with Part A Students will need to complete a responsibility matrix (see Word file Responsibility Matrix 2020 S2.docx). Contribution weightings can only be between 100 and 150. The marks for Part B are normalised so the average mark is the mark given in proportion to the weightings. Part A’s mark is the same for each member. Failure to submit the responsibility matrix with Part A will result in that everyone will receive the same mark for Part A and the same mark for Part B. The responsibility matrix must be submitted before the due date for Part A and cannot be submitted after this. Note: any issues with team member contribution should be diagnosed early. If you wish to meet with a tutor before the submission of Part A, a time will be made, and the decision of that meeting will be final. After the submission of Part A, the mark is as per the responsibility matrix, or it is equal for all. 欢迎咨询51作业君
