This assignment addresses the following learning outcomes from the module syllabus:
(i) LO1 – Select and use applicable standards and methods for information security and risk management.
(ii) LO3 – Conduct and properly document risk assessment based on a given scenario.
(iii) LO4 – Find and evaluate appropriate published information to remain up-to-date about threats, vulnerabilities and patches.
UCLanRE is a new Real Estate agency in Preston, and its current IT infrastructure is depicted in Figure 1. The IT infrastructure comprises:
(i) Office personal computers (PCs) running Windows XP for employees;
(ii) A machine running SQL server, which stores all information about customers and real estates;
(iii) A machine running a mail server, which stores all emails and attached files;
(iv) A machine running an IIS web server hosting the website of UCLanRE, on which users can browse for real estates, register themselves and contact the employees;
(v) All the servers and office PCs are connected to a network switch so that they can communicate with each other. The router serves as a gateway between the internal network and the internet.
After some attack incidents and financial loss, the agency realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.
In this assignment you have to:
1. Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.
2. Write a detailed risk assessment report (see Section 4 for the required structure).
In this section you summarize the main findings and write a non-technical recommendation (executive summary) for the management/director board, summarizing why they should invest in security and follow the ISO 27001 standards.
Word limit for the report: 2000 words (flexible), excluding the entire bibliography list.
You should use Microsoft Word to complete this assignment. If you use a word processor other than Microsoft Word then you should check to ensure that the document layout is the same as Microsoft Word. Microsoft Word is available on the University network. Set up your Word Document with the following:
(i) Margin sizes of 2.54 centimetres
(ii) Font of Calibri
(iii) Font size of 11
(iv) Line spacing of 1.15
Evaluation Criteria
This assignment has only one deliverable, which will be marked according to students’ ability to:
(i) Plan a risk assessment.
(ii) Conduct a risk assessment.
The following (non-exhaustive) list contains examples that may cause your work to fail (several of the following points together would lead to a fail).
• Very badly structured, no paragraphs/sections/subsections, or badly structured, very few (and long) paragraphs/sections/subsections.
• Very badly written, cannot be understood, or many typos and grammatical issues.
• No or very limited in-text citation or not Harvard style at all.
• Unsatisfactory Risk Assessment Plan (incorrect/missing assets, assets category, scope, legal issues).
• Unsatisfactory Risk Assessment (incorrect/missing threats, vulnerabilities, impacts).
• Unsatisfactory Risk Evaluation (incorrect/missing Boston grid calculations).
• Unsatisfactory Management report and Technical Report (very badly written, incorrect use of technical terms).