CSI2102- Information Security
Assignment 2 – Risk Management and Data Classification
Title: Information Security Assignment 2 Due Date:
Value: 30% of the final mark for the unit
Length: Minimum of 1500 words, maximum 2000 (excluding cover page and references)
For this assignment students are required to perform a risk analysis and data classification for a small dance club. The dance club is operated by six staff and has approximately 200 members. The dance club (All Stars Dance) has just implemented an online web portal for its members, and has requested a risk assessment and data classification for the data it stores and collects, to ensure personal information is secure.
To become a member of the dance club, members are required to visit the website and apply for membership or renew their existing membership. The web portal is an open source content management system (Joomla CMS) that is hosted in Australia by a hosting provider. The portal allows members to purchase membership, read member-only news and register for events or dance tests. Club membership runs from January 1 through to December 31 each year regardless of the application date.
Member payments are processed using a merchant gateway, SecurePay, and deposited directly into the association's nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates the permissions on the user account, which authorises access to member resources.
Similarly, when memberships expire on December 31, members are removed from the mailing list and permissions are restricted until membership renewal. The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. Personal information collected for the mailing list includes full name and email address. No other information is collected for the mailing list.
Personal information collected, processed and stored for membership includes:
- Dance club member number
- Date of birth
- Test levels (system admins only)
- Guardian / Parent full name
The dance club also receives emails from parents and other members from the website contact page.
The web portal does not store payment information. This information is transferred to the payment gateway for processing at the time of registration. Dance club members can log in via the web portal and manage their personal information, such as phone number and address details.
Dance club staff have access to administer the system remotely using portable devices of their choosing. Staff change frequently and there are no access controls in place. Currently, when a staff member is granted access by the system admin, they have full administrative rights to the portal; this includes memberships, events and web content.
There are five primary functions staff need to perform for members:
- The secretary requires full access to the membership database to update, approve and manage
- The secretary is responsible for sending out all member communications, i.e., emails via the mailing list, upcoming
- The events manager needs access to the events system to manage dance club events such as competitions and
- Test convener is responsible for the dance test events system but does not need access to all events, i.e. dance
- Two staff members are assigned the task of updating dance club news each
All Stars Dance would like an Information Security professional to conduct a risk assessment and produce a suitable data classification schema.
To do this you will need to determine the information assets and create a classification scheme for the information currently held. Using this classification, you can then report on the vulnerabilities and countermeasures that should be in place.
Step 1: Categorise and identify the information assets
Step 2: Classify the information assets. This will involve the creation of a classification schema.
Step 3: Prioritise the information assets. This will involve a weighted factor analysis.
Step 4: Analyse the threats and vulnerabilities for each asset to determine the likelihood and impact scale
Step 5: Create a risk rating for each asset (likelihood x impact)
Step 6: Recommend countermeasures for each threat / vulnerability
Note: the order of the above steps is not important
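As an added worked example (not part of the assignment brief; every asset, weight, score, threat and countermeasure below is constructed as an assumption from the scenario, not data supplied by the club), the following Python carries Steps 2 to 6 through on a handful of assets: a three-tier classification schema, a weighted factor analysis that prioritises the assets, and a likelihood x impact risk register that pairs each rated threat with a countermeasure.

```python
"""Weighted factor analysis and likelihood x impact risk rating.

Added example, not part of the assignment brief. Assets, weights, scores,
threats and countermeasures are constructed for illustration from the
scenario (Joomla portal, Mailchimp list, membership database, shared admin
access) and are assumptions, not data supplied by the club.
"""
from dataclasses import dataclass

# Step 2: classification schema (assumption), most sensitive tier first.
CLASSIFICATION_TIERS = ("Restricted", "Internal", "Public")

# Step 3: weighted factor criteria (assumption). Each asset is scored 1 (low)
# to 5 (high) per criterion; the weights sum to 1.0.
CRITERIA_WEIGHTS = {
    "impact_on_members": 0.4,     # harm to members if the asset is exposed or lost
    "impact_on_operations": 0.3,  # disruption to the club's functions
    "legal_obligation": 0.3,      # personal information, including that of minors
}
SCALE = range(1, 6)


@dataclass
class Asset:
    name: str
    classification: str
    scores: dict  # criterion name -> score on SCALE

    def weighted_score(self) -> float:
        """Step 3: sum of weight * score over all criteria, rounded to 2 dp."""
        if self.classification not in CLASSIFICATION_TIERS:
            raise ValueError(f"{self.name}: unknown classification {self.classification!r}")
        if set(self.scores) != set(CRITERIA_WEIGHTS):
            raise ValueError(f"{self.name}: scores must cover every criterion")
        if any(s not in SCALE for s in self.scores.values()):
            raise ValueError(f"{self.name}: scores must be in 1..5")
        return round(sum(CRITERIA_WEIGHTS[c] * s for c, s in self.scores.items()), 2)


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    countermeasure: str  # Step 6


def risk_rating(likelihood: int, impact: int) -> int:
    """Step 5: risk = likelihood x impact on the 1..5 scales (range 1..25)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def risk_band(rating: int) -> str:
    """Map a 1..25 rating to a band (thresholds are an assumption)."""
    if rating >= 15:
        return "High"
    if rating >= 8:
        return "Medium"
    return "Low"


def prioritise(assets):
    """Step 3: order assets by weighted score, highest first."""
    return sorted(assets, key=lambda a: a.weighted_score(), reverse=True)


def risk_register(assets, threats):
    """Steps 4-6: rate each threat and order the register, highest risk first."""
    known = {a.name for a in assets}
    rows = []
    for t in threats:
        if t.asset not in known:
            raise ValueError(f"threat refers to unknown asset {t.asset!r}")
        rating = risk_rating(t.likelihood, t.impact)
        rows.append({"asset": t.asset, "threat": t.description, "rating": rating,
                     "band": risk_band(rating), "countermeasure": t.countermeasure})
    return sorted(rows, key=lambda r: r["rating"], reverse=True)


# Constructed sample data (assumption), drawn from the scenario in the brief.
SAMPLE_ASSETS = [
    Asset("Staff admin accounts", "Restricted",
          {"impact_on_members": 5, "impact_on_operations": 5, "legal_obligation": 3}),
    Asset("Member date of birth", "Restricted",
          {"impact_on_members": 5, "impact_on_operations": 2, "legal_obligation": 5}),
    Asset("Guardian / parent full name", "Restricted",
          {"impact_on_members": 4, "impact_on_operations": 2, "legal_obligation": 5}),
    Asset("Mailing list (name and email)", "Internal",
          {"impact_on_members": 3, "impact_on_operations": 3, "legal_obligation": 3}),
    Asset("Public news articles", "Public",
          {"impact_on_members": 1, "impact_on_operations": 2, "legal_obligation": 1}),
]

SAMPLE_THREATS = [
    Threat("Staff admin accounts",
           "Departed staff member retains full administrative rights (frequent turnover, no access controls)",
           likelihood=4, impact=5,
           countermeasure="Per-person accounts limited to each function's needs; revoke access on exit"),
    Threat("Member date of birth",
           "Member records exposed through a lost or compromised staff portable device",
           likelihood=3, impact=4,
           countermeasure="Device encryption and a second factor on portal admin logins"),
    Threat("Mailing list (name and email)",
           "Breach at the third-party mailing provider discloses names and email addresses",
           likelihood=2, impact=3,
           countermeasure="Keep the list to name and email only; remove expired members promptly"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ASSETS):
        print(f"{a.weighted_score():4.2f}  {a.classification:10}  {a.name}")
    for r in risk_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{r['rating']:2d} {r['band']:6}  {r['asset']}: {r['threat']}")
```

Because Step 5 multiplies two 1..5 scales, the register orders threats on a 1..25 range and the band thresholds decide which rows the countermeasure recommendations should address first; the validation in `weighted_score` and `risk_rating` catches a score typed outside the scale before it silently skews the ranking.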
You should consider the types of information that need protecting and the risks associated with them, i.e., staff members, dance club members, policies or any other media types, etc.
Your assignment should contain:
- Information assets (no less than 20)
- Classification schema appropriate for the scenario and applied to information assets
- Weighted factor analysis
- Threats to information assets