INFORMATION SYSTEMS IN A HOSTED DATA CENTRE FACILITY

  100% Pass and No Plagiarism Guaranteed

INFORMATION SYSTEMS IN A HOSTED DATA CENTRE FACILITY

Information Security Management

Description:

SALT (Smart And Living Technologies) is a medium sized Software Development company in South Australia which was established in 2004. It is present in two premises, both of which have their offices. Additionally, they have hosted their information systems in a hosted data centre facility with a service provider. That is the only instance of their IT infrastructure. SALT is providing software solutions and consulting services to clients all over the world, who fall under small to medium sized businesses. The departmental heads are mostly the people who were there since first day of the business, except the CISO that is a new role introduced recently. This explains why heads of department in SALT have a good knowledge about their business processes but did not make much effort towards formal documentation.

Alex Smith is the CEO of SALT. He started the company in partnership with a friend Brett. Brett is an investor in the company but has a dormant role as far as the business operations are concerned. Mr. Smith is an engineer but he has no modern technical understanding of IT security issues. Alex has had no problems with IT Security until very recently when the Company’s network was subject to a series of attacks. In the period of 3 days, the company’s website was defaced, a serious virus infected the company e-mail and large quantities of data were corrupted.

Alex’s IT security risk management concerns are wide ranging. He needs to determine whether the same hackers are likely to hack the company again. He believes the recent attacks suggest the hackers were interested in either proprietary theft of sensitive information for personal and/ or financial gain or, to disrupt the reputation of the company. There is also an evidence of a previous disgruntled employee planning for revenge against the company.

Smith is worried about cyberterrorism and is concerned about becoming a victim of e-crime. After discussing with the Executive committee, he appoints you as a Chief Information Security Officer (CISO). As a first step, you will review the current threats analyse the impacts, and create necessary management plans. The CEO has shared a recent audit report to start with and the shocking results are listed below:

Internal Audit Report:

1. General:

o Improper operating procedures used by employees. 
o Lack of security awareness and general security laziness. o Nil acceptance of security responsibility. 
o In-adequate standard operating procedures. o Unattended machines.
o Failure to take care of media. o Printing sensitive material.
o Failure to turn off computers at the end of the working day.
o Failure to backup information.

2. Hardware problems:

o Failure to adequately secure the hardware (eg laptops unsecured). 
o Effects from the physical environment causing damage.

3. Software concerns:

o Some application software is of inferior quality and untested in the field and therefore not able to be trusted in the office environment. 
o Nil audit logs.
o Lack of adequate access control.
o Lack of secure identification and authentication techniques.
o Limited antivirus software.
o Lack of restrictions to specific files when certain applications are operating.
o Lack of security awareness and general security laziness.

Task:

1. Based on the above information, please propose the organisation structure of Information Security team, which is suitable to work for you. Justify your proposal so that you can secure approval from Mr. Alex. (Remember you are the CISO.)

a. Deliverables:

i. Organisation Chart

ii. Justification for each role

iii. Job description of each role

2. Please propose Information Security processes and procedures which you will like your team to define. You only need to name those processes and procedures, explain only one process and one procedure in detail. Examples of such security processes is Information

Security Incident Management and Information Security Risk Management. An example of such a procedure is SOP for TVA (Threats and Vulnerability Assessment).

3. Based on the findings of the Audit report, discuss the major risks and threats the company is currently facing in the current scenario as of September 2016. Your discussion can be categorised under the broad categories of people, process and technology. Please also prepare your Risk Register for SALT (only cover Information Security Risks). The template will be: {Risk ID, Risk description, Risk Probability, Risk Impact, Proposed Mitigation, Risk Ownership, Risk Triggers}.

a. Notes:

i. Recall that Risk Register is a deliverable of Information Security Risk Management. So it means that you have to plan risk management, and identify, assess*, mitigate, assign owners and triggers to those risks). *Decide your strategy for assessment: qualitative or quantitative.

ii. Based on the internal audit report, please identify vulnerabilities of SALT from Information Security perspective.

iii. Based on the evaluation of the above threats, prepare a Business Impact Analysis (BIA). It will become an input to your risk assessment and risk response planning.

iv. You may base your proposal on any (one or more) standards which were discussed in the class.

b. Deliverables:

i. Lists of risks, threats and vulnerabilities

ii. Assessment (qualified and/or quantified) of the risks identified and the BIA

iii. Risk register

4. Provide a suitable Information Security policy for SALT. Your policy document should include the major sections of the proposed policy document. Also, please highlight in your policy where you have mitigated the threats that you identified as response to the questions below.

a. Note: You may base your proposal on any (one or more) standards which were discussed in the class.

b. Deliverable:

i. Information Security Policy document

ii. Highlight the sections as mentioned

5. Finally, illustrate the legal and ethical issues in case data related to one of the South Australian public sector clients of SALT are lost or damaged. Also identify the risks that may arise due to these issues. Provide details of how the broad categories of Federal and South Australian criminal legislation can be used to prosecute hackers and computer criminals in South Australia.

a. Deliverable:

i. List of legal and ethical issues

ii. Elaboration of those issues

iii. Add your risks arising due to legal and ethical issues to the Risk Register but put a different identifier to those risks in the Risk Register so that those can be clearly identified.

6. Advise how your organization can be forensically ready for possible actions against intruders to company network.

a. Deliverable:

i. Forensic readiness document

Formatting instructions:

Submit 1file (Word) for each group

Use either Times New Roman 12 font or Arial 10 font

Use 1.5 line spacing.

Use one line of spacing between paragraphs.

Use normal margins (2.54cm)

References:

1. Include minimum 8 academic references

2. Harvard Referencing UniSA guide must be used for reference formatting.

3. Reference sources may include journal articles, conference papers, or a chapter from a book.

4. Provide full bibliographic details of items selected.

References are required in alphabetic order by surname (family name) and according to an accepted system of listing reference details, including online source details.

Plagiarism

Any plagiarism (intentional or unintentional) will be reported to the Academic Integrity Officer, so please ensure you are confident with correct citation of references both in the body of the assignment and in the reference list. It is not sufficient to just add the reference list without citations in the body of the paper. This is considered as plagiarism and will be reported for necessary actions. You must acknowledge all material used from other author(s) in-text at the time you use it and all the way through the paper, as well as including the correct reference in the reference list. Please refer to the reference guide on the Learning Connection web site of the University of South Australia and/or contact your course coordinator if you are not sure about Harvard referencing citation methods. Strict Harvard means that you need to follow correct formatting for commas, italics etc. If you are using EndNotes software or similar, please ensure that you check your reference list as it doesn’t necessarily follow the strict Harvard UniSA style.

It is your responsibility to ensure that you keep a back-up copy of your assignment for contingency purposes. Using a hard drive as the back-up is not recommended.