Assessment Brief: BIS3004 IS Security and Risk Management Trimester-1 2024

Assessment Overview

Assessment
Task

Type

Weighting

Due

Length

ULO

Assessment
1: Case Study Write a report to discuss recent types of
information security attacks, protection mechanisms and risk management.

Individual

30%

Week 6

2500 words

ULO-2

ULO-3

ULO-4

equiv. – equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is equivalent to the normally expected time requirement for a written submission containing the specified number of words.

Note for all assessment tasks:

• Students can generate/modify/create text generated by AI. They are then asked to modify the text according to the brief of the assignment.

• During the preparation and writing of an assignment, students use AI tools, but may not include any AI-generated material in their final report.

• AI tools are used by students in researching topics and preparing assignments, but all AI-generated content must be acknowledged in the final report as follows:

Format

I
acknowledge the use of [insert the name of the AI system and link] to
[describe how it was used]. The prompts used were entered on [enter the date
in ddmmyyy:] [list the prompts that were used]

Example

Tools

I acknowledge the use of
ChatGPT https://chat.openai.com to create content to plan and
brainstorm ideas for my assessment. The prompts used were entered on 18 March
2023:

• What are some key challenges in
running an online business?

Assessment 1: Case Studies (Use case analysis, Risk Identification and Assessment)

Due date:

Week 6

Group/individual:

Individual

Word count / Time provided:

2500

Weighting:

30%

Unit Learning Outcomes:

ULO-2, ULO-3, ULO-4

Justification

There is a noticeable increase in the occurrence of data intrusions within the financial and healthcare sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse trend.

In the past 4 years, numerous data breaches have occurred in Australia. Several of them affected many users. Table 1 is a comprehensive compilation of noteworthy instances of data breaches that have transpired in recent years.

Table 1: Major Data Breach Incidents in Australia

Company Name

Date of Impact

Latitude

March 2023

Medibank

December 2022

Optus

September 2022

Eastern Health

March 2021

Northern Territory Government

February 2021

Canva

May 2019

Australian Parliament House

February 2019

Approach Analysis

You are required to choose one of the data breaches from the list above in Table 1 and create a report on it. Your report must include the following information.

1. Detail of the Attack:

This section of your report should include the elements below.

• What was the attack? What vulnerability was exploited?

• Was the vulnerability already known? When did it happen?

• Were there any controls implemented against the vulnerability and yet it was exploited?

2. Analysis and Action:

This section of your report should include the elements below.

• When and how did the target figure out about the attack?

• For how long, the risk was not actioned?

• Did the organisation have a risk assessment policy and procedure?

• Did the organisation maintain a risk register?

• Was the vulnerability included in the risk register?

• How was the risk perceived (critical/non-critical/high/medium/low)?

• What the attacker(s) did, stole, and wanted?

• Did the organisation pay anything because of the attack?

• What action did they adopt to avoid further damage?

3. Risk assessment

a. Risk Identification

b. Risk Analysis

c. Risk Evaluation

Risk Identification and Assessment

In this section, you need to identify risks and conduct an analysis of the selected use case. Regarding the selected scenario, reasonable assumptions can be made if they are adequately documented and supported. To perform risk identification and analysis, you can choose either of the following tools or a combination of them.

• Factors Analysis in Information Risk (FAIR)

• NIST Privacy Risk Assessment Methodology (PRAM)

• NIST CyberSecurity Framework (CSF)

Assessment Description

Assume you have been recruited as a cybersecurity specialist by the client organisation (the use case you chose). You are responsible for conducting a security risk assessment and preparing this report for the board members. In most organisations, board members have minimal levels of computer literacy and risk-related knowledge. Include the following information in your report preparation:

1. Introduction

2. Details of the attack

3. Analysis and action

4. Risk Assessment

a. Risk Identification

b. Risk Analysis

c. Risk Evaluation

5. Conclusion

6. References

Note: Your responses to the above questions must be supported by APA-style citations and references.

Additional Information

When conducting research, you may find the following URLs or research tools useful:

✓ https://ieeexplore.ieee.org/Xplore/home.jsp

✓ https://dl.acm.org/

✓ https://scholar.google.com/

Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30% of the total unit mark.

Marking

Criteria

Not satisfactory

(0-49%) of the criterion mark

Satisfactory

(50-64%) of the criterion mark

Good

(65-74%) of the criterion mark

Very Good

(75-84%) of the criterion mark

Excellent

(85-100%) of the criterion mark

Introduction
(10 marks)

The introduction lacks clarity, and an
engaging hook, and disorganised, lacks originality

The
introduction is generally clear, includes a moderately engaging opener,
presents a wellarticulated statement, about the topic, provides some
pertinent context, is adequately organised, and lacks significant
originality.

The introduction is clear, contains an
engaging hook, presents a wellarticulated statement, about the topic,
provides relevant context, and is wellorganized.

The introduction is well
written with a clear discussion about the case analysis, Risk

Identification
and

Assessment

The introduction is exceptionally
clear, contains a highly engaging hook, presents a wellarticulated topic,
provides pertinent context, is flawlessly organised, and demonstrates
originality.

Details of the Attack (15)

The report lacks clarity and detail, providing little to no
information about the details of the attack and its various aspects.

The
report provides a basic overview of the details of the attack, covering some
of the necessary details but lacking depth in one or more areas, such as what
vulnerability was exploited.

Generally, good discussion about the details of the attacks , including clear identification, a
thorough explanation

of the attack

Very clear discussion about
the details of the attack. The answer is supported with reference and in-text
citations

In-depth and very clear discussion about the details
of the attack. Accurate answers are supported with reference and in-text
citations

Analysis and action

(10)

Poor discussion with irrelevant information

A brief discussion about the analysis and action.
The analysis provides a basic impact assessment but lacks comprehensive
details.

Generally, good discussion regarding the analysis
and action. The impact assessment is reasonable but may lack some depth

Very clear discussion about
the analysis and action. The answer is supported with references and in-text
citations

In-depth and very clear discussion about the
analysis and action. The report provides a complete strategy of how the
target found out about the attack and the way they dealt with it with
accurate answers supported with references and in-text citations.

Risk
Identification

(15)

Poor discussion with irrelevant information

A brief discussion about risk identification. Displayed a basic
understanding of the threat landscape but it lacks depth. One of the provided
tools was not utilised correctly.

Generally
good discussion about risk identification.

Shows a good grasp of the threat landscape but may
overlook using one of the given tools.

Very clear discussion regarding risk identification.
Properly use one of the given tools. The answer is supported by the reference
and in-text citation

Using one of the provided tools demonstrates an
exceptional understanding of the threat landscape with accurate responses
supported by references and in-text citations.

Risk
Analysis

(15)

Poor risk assessment. No assets were mentioned,

A brief discussion about risk analysis.

Some relevant assets were identified, but

Most relevant assets are
identified with

A very clear and in-depth

nor were any threats evaluated.

Few threats are evaluated.

important ones are missing. Some threats were
assessed but lacked detail or accuracy.

minor omissions or inaccuracies. Welldocumented
threats with minor omissions or inconsistencies. The answer is supported with
reference and in-text citation

Comprehensive

identification of all relevant assets,
including data, systems, and applications. A thorough assessment of potential
threats, their likelihood, and potential impact. The answer is supported with
reference and intext citation

Risk
Evaluation

(20)

Poor
evaluation of risk. There are no identified threats or vulnerabilities.

A
brief discussion about risk evaluation.

Few threats and vulnerabilities are
identified.

Most threats are identified, but some important ones
are missing.

Some vulnerabilities were identified,
but important ones are missing.

Comprehensive threat identification
with minor omissions. Most vulnerabilities were identified and assessed with
minor omissions. The answer is supported with reference and in-text citation

Thorough

identification of potential threats, including emerging and
known threats. Comprehensive

identification and evaluation of
vulnerabilities. The answer is supported with reference and in-text citation

Conclusion

(10)

The conclusion is unclear, fails to
summarize key points, has little to no impact, lacks coherence, and lacks
originality

The conclusion is somewhat unclear,
lacks a thorough summary of key points, has a limited impact, struggles with
coherence, and lacks originality.

The conclusion is generally clear,
summarizes key points adequately, has a moderate impact, maintains
satisfactory coherence, and lacks significant originality.

The conclusion is clear, effectively
summarizes key points, has a positive impact, maintains good coherence, and
shows some originality.

The conclusion is exceptionally clear,
effectively summarizes key points, has a significant impact, maintains
excellent coherence, and demonstrates originality.

Formatting and referencing

(5 marks)

Includes misspelt words, incorrect language, incorrect
punctuation, improper formatting, and reference citation based on applicable

standards; satisfies minimum page
length requirements

Few spelling, grammatical, and
punctuation problems are present. A few formatting or citation problems
according to proper standards; fulfils minimal page requirements.

Few spelling, grammatical, and
punctuation problems are present with a few citation problems

Few spelling, grammatical, and
punctuation problems are present.

There are no spelling or grammar
mistakes. The paper’s format and citation of sources conform to applicable
criteria; the minimum number of pages is met.