CYBR7003
Assessment 2
Organisational cyber security report
Assignment Overview
Assessment Weight: 30%
Individual or Group work: Individual
Due Date: Monday, 13th October 2025 at 3PM
Word Count: 3,500 (excluding title page, TOC, references and appendices)
Format: PDF or DOCX
Version: 4th Aug 2025
Task Overview and Instructions:
Assessment 2 is designed around the real-world processes and practices of cyber security governance, policy,
ethics, and law. The second part of the semester focuses on the most compelling organisational issues
characterising the management of information and cyber security in modern organisations, public, private,
and not-for-profit.
You will be asked to impersonate an information security consultant tasked with producing a report for the
CEO of CareBridge – a fictitious training company. Key elements of your report are as follows:
Nature: Organisational cybersecurity report.
Structure: Executive Report – Title page, Executive Summary (1 page), TOC, Titled sections (and
subsections), Conclusion (1-2 pages), References and Appendices (if required – information that is not
essential to the main body of the report).
Please Note: you are expected to write a professional report, on the model of the work done
by consulting companies. This means that your report needs to be written in a professional
style: your arguments need to be well-supported, using solid information sources and
referencing them as appropriate; your analysis should be logical and you should reference
different materials to support your points (e.g., materials explored in the classroom; industry
reports; statistics; academic and ‘grey literature’ papers, etc.); your arguments should flow
well in the report; usage of bullet points and lists should be limited and so should be the usage
of tables and figures. Remember that your audience is the CEO, who expects a clear,
accessible, and well-reasoned report that avoids unnecessary technical detail. Moreover, they
will expect you to validly justify your points (e.g., explaining the ‘why’ for your arguments).
See on Blackboard (under Assessment 2) for some resources on consulting reports.
Topics: See guiding questions provided in the scenario (‘Your task’).
Referencing style: APA formatting and references (7th Ed.)
See https://guides.library.uq.edu.au/referencing/apa7 for guidance
Usage of Generative AI: Short version – Don’t. Long version: Please don’t.
Consider ChatGPT like an academic power tool: used without due thought and consideration,
it can take your academic fingers off.
The Scenario:
CareBridge Health Alliance (CBHA) is a mid-sized, not-for-profit community health network operating across
three states: Queensland, New South Wales, and Tasmania. Founded in 1997, CBHA delivers a broad portfolio
of integrated care services that span mental health support, disability assistance, aged care coordination,
chronic illness management, community outreach, and telehealth therapy. With 1,200 full-time employees
and over 2,000 contractors and part-time staff, it serves more than 45,000 clients annually through a mix of
in-person, in-home, and digital services.
In the past five years, CBHA has embarked on a comprehensive digital transformation strategy. At the heart
of this shift is a commitment to personalising care pathways, improving operational agility, and enabling
data-driven service planning. To support this, CBHA has invested heavily in a hybrid-cloud infrastructure, with most
clinical and administrative systems now accessible remotely. Staff and care workers operate across locations
using mobile devices and cloud-based apps to document services, track client outcomes, and coordinate with
multidisciplinary teams.
A major initiative currently underway is the phased implementation of an AI-enabled Case Coordination and
Client Insights Platform (C3IP). This platform uses natural language processing to extract insights from
unstructured clinical notes, predictive analytics to identify potential escalation risks in mental health and
disability care cases, and machine learning models to recommend optimal referral pathways based on prior
outcomes. Once fully deployed, C3IP will also allow regional managers to allocate resources dynamically
based on predicted caseloads and service demand. Early pilots are being conducted in two branches, with
full rollout expected by mid-2026.
In parallel, CBHA maintains strategic data-sharing partnerships with a range of allied organisations. These
include ten affiliated service providers (including disability housing, counselling centres, and Indigenous
health cooperatives), two public universities, and three state-funded specialist research units. These partners
participate in coordinated care models, joint client planning, and research projects intended to improve
health equity and service delivery models across marginalised populations.
To facilitate collaboration, partners are granted access to certain CareBridge systems via federated identity
management, and client information is frequently exchanged in real time using secure APIs. In some
arrangements, partners also contribute their own datasets to integrated research environments, which
combine de-identified client data from multiple sources to support longitudinal health studies and policy
evaluation. For example, an ongoing research project with the University of Southern Cross is analysing
multi-year outcomes of youth transitioning from child mental health services to adult care pathways.
CBHA’s governance model reflects its commitment to regional autonomy and community responsiveness. Its
11 local branches operate semi-independently but within a standardised operational framework. Each
branch manages its own relationships with local health networks and service contractors, while reporting to
the central headquarters in Brisbane. Strategic oversight is provided by the Governance & Strategy
Committee, which includes executives from across functions, as well as two independent board members
with experience in public health and digital innovation.
Internally, CBHA’s cybersecurity and IT functions are overseen by the CIO, who reports to the COO. The
cybersecurity function is composed of five in-house professionals: a GRC officer, a cybersecurity policy
analyst, a third-party risk specialist, and two security operations staff. All SOC (Security Operations Centre)
services are provided via a managed service provider with 24/7 monitoring. The IT and security teams
collaborate on the implementation of new digital systems, including C3IP and data integration tools used in
research partnerships.
CBHA continues to expand both its digital capabilities and its network of collaborators. A new project
launching later this year will involve real-time data exchange between CBHA, a regional hospital network,
and the National Disability Insurance Scheme (NDIS) digital gateway. This initiative aims to streamline funding
assessments, reduce administrative burden on carers, and improve outcome tracking. At the same time,
CBHA is exploring options to contribute data to the Australian National Health Data Collaborative (NHDC),
with the goal of supporting evidence-based policy development in community mental health.
Situation
CBHA recently suffered a near-miss incident: a misconfigured API between its case management platform
and a university research partner exposed 1,100 client profiles for over 48 hours. Although no malicious
access was confirmed, the OAIC has been notified, and internal audits revealed several gaps: poor third-party
risk assessments, inconsistent data governance practices across branches, and no board-level cybersecurity
risk reporting mechanism.
At the same time, the new CEO, Leila Tane, appointed in April 2025, wants to professionalise governance and
risk management practices across CBHA. Leila has a background in government digital services and
understands the strategic importance of cybersecurity but wants a clearer picture of how to approach it for
a community-based, human-services organisation like CBHA.
She has hired you—an independent cybersecurity governance consultant—to provide a strategic report on
CBHA’s cyber governance maturity and its path forward.
Your Task
Prepare a professional Cybersecurity Governance & Policy Report for the CEO of CareBridge Health Alliance.
You have been engaged by the Chief Executive Officer of CareBridge Health Alliance to prepare a
comprehensive cybersecurity governance report for the organisation. Ms. Tane is committed to
strengthening the organisation’s approach to information security, particularly in light of recent digital
expansion and the increasingly complex network of CareBridge’s service delivery and data partnerships.
The purpose of your report is to provide strategic advice on how CareBridge can enhance its cybersecurity
governance, policy alignment, and risk management practices. Your recommendations will inform upcoming
executive and board-level decision-making.
Your report should cover the following key elements:
o An overview of cybersecurity governance in the not-for-profit health and community services sector
in Australia. This overview should highlight the common challenges such organisations face—
particularly those that operate across multiple jurisdictions, with diverse partnerships and shared
data arrangements—and outline emerging trends in governance best practice.
o The CEO is seeking detailed recommendations on how CareBridge might establish a consistent and
enforceable cybersecurity policy framework across its branches, affiliated service providers, and
research partners. Given the complexity of data flows and the increasing integration of third-party
systems, your report should address how such a framework might be governed, operationalised, and
monitored in a federated environment.
o Ms. Tane has also asked you to review CareBridge’s current approach to cyber risk management. She
is interested in your recommendations regarding how the organisation might adopt a more structured
and proactive risk management methodology, particularly in the areas of third-party risk, AI-enabled
service delivery, and client data sharing. You are encouraged to refer to existing models or frameworks
to support your recommendations and to reflect on how cyber risk ownership and awareness might
be embedded more broadly across the organisation.
o In light of ongoing discussions among the executive team and the Governance & Strategy Committee,
the board is exploring the option of pursuing ISO 27001 certification. Your report should therefore
provide a clear and impartial analysis of whether ISO 27001 would be a suitable objective for
CareBridge. If you recommend that certification be pursued, please outline the preliminary steps the
organisation would need to undertake. If you believe another framework or approach may be more
appropriate, justify this recommendation and suggest a viable alternative.
o Following a recent incident involving unintended data exposure via a research partner’s system,
CareBridge is reviewing its broader disaster and risk planning capabilities. While the organisation
maintains business continuity plans for physical events, there is currently no integrated response plan
that incorporates cyber events. You are asked to provide a high-level design of a cyber incident
response plan that could be embedded within a more comprehensive disaster risk strategy. This
should include key roles and responsibilities, escalation processes, coordination with external
stakeholders, and internal communication protocols.
Finally, as your report will be presented to the executive team and shared with board members, you are
required to include a succinct, non-technical executive summary. This summary should clearly outline the
organisation’s key cyber governance risks and your most critical recommendations, framed in a manner that
supports informed, strategic decision-making by non-specialist leaders.
Some tips:
o The scenario described in the present case is fictitious. It reflects a real-world situation but was
adapted for educational purposes. The suggestion for you is not to fight against the scenario but play
along with it: try and immerse yourself in the environment described in the case and embrace the
conditions that it presents as much as possible. The scenario provides minimal information about the
fictitious company and its industry. A good starting point is to reflect on how a company like
CareBridge works on a daily basis. You will also need to conduct extensive research on the requested
topics (see ‘Your task’);
o On Blackboard/Assessment/Assessment 2 there are some resources for you to get inspiration on how
to write a report like this one;
o An Executive Summary gives the reader a chance to have a quick snapshot of the contents – it is not
an announcement of the sections of the report. An executive will assess a report upon the summary
and not read the whole document.
Examples of Exec Summaries:
“In this report, we will illustrate three cases of data breaches that occurred to organisations in
CareBridge’s industry to extract learnings, then we will reflect on their cyber-risk management
strategies…” = NOT GOOD!
“In this report, we present the case of Organisation A, which faced a ransomware data breach
from which CareBridge could learn that [….] We also recommend that CareBridge select [option
1] to treat cyber-risk [x] because… ” = GOOD!
o The Conclusion restates the recommendations and actions identified in the report. The executive will
use the Conclusion to identify what areas in the company are to be involved in implementing the
recommendations. NOTE: It is not up to the consultant to name them.
Examples of Conclusions:
“The malware breach was caused by clicking on links in a phishing email which launched a
virus into the intranet. The antivirus software install was out of date and so unable to identify
the attack vectors…” = NOT GOOD!
“To remedy the current data breach the following actions should be implemented
immediately: 1)… 2)… To prevent future breaches the following measures should be
considered: 1)… 2)… ” = GOOD!
o Please follow the usual advice on how to include references to support your arguments.
o This page may be helpful: https://guides.library.uq.edu.au/referencing