CO4512 Information Security Management
Question:
Learning outcomes assessed by this exam:
  1. Select and use applicable standards and methods for information security and risk management.
  2. Compare and critically evaluate alternatives for information security management and risk assessment.
  3. Critically discuss the benefits and pitfalls of compliance with respect to security.
Section A – Answer ALL Questions
Question 1

The first step towards the implementation of an ISMS (Information Security Management System) in an organisation is to define its boundaries, i.e., to define the ISMS scope.

A) Explain the main differences between the in-scope and out-of-scope areas. Use examples related to the XYZVISA scenario in Appendix A in your explanation. (8 marks)
 
B) Explain the drawbacks and advantages of a narrow ISMS scope, based on the scenario in Appendix A. (12 marks)
 
C) Provide and justify six (6) in-scope and four (4) out-of-scope elements from the scenario in Appendix A. (20 marks) (Total: 40 marks)
Section B – Answer any TWO Questions
Question 2

One of the most important steps during asset-oriented risk assessment is identifying the assets in an organisation. List and justify five (5) primary and ten (10) secondary assets from the scenario in Appendix A. (Total: 30 marks)

Question 3

Security risk assessment methods can be asset-oriented, threat-oriented or vulnerability-oriented.

A) Apply the asset-oriented risk assessment approach to the XYZVISA scenario described in Appendix A.

Identify two (2) threats, two (2) vulnerabilities and two (2) risks derived from your chosen methodology.  (10 marks)

B) For each risk identified in A) above, estimate its likelihood and impact using a scale of Low, Medium and High. Justify each estimation. (14 marks)
 
C) Draw a 3x3 risk matrix to illustrate the severity of each risk. (6 marks) (Total: 30 marks)
Question 4
A) Discuss the five (5) generic phases of risk assessment defined by the ISO 27005 standard. (10 marks)
 
B) Consider the XYZVISA scenario in Appendix A. Describe two (2) example activities performed in each of the five (5) generic phases of risk assessment above. Your examples must relate to the XYZVISA scenario. (20 marks) (Total: 30 marks)

The XYZVISA scenario (note: the network and system parameters are fictitious).

XYZVISA is a visa application office responsible for managing visa applications and issuance; its current IT infrastructure is depicted in Figure 1.

Figure 1. The IT infrastructure of XYZVISA

The IT infrastructure comprises:
  • Staff PCs running Windows XP SP2. Staff use their PCs to check application documents and log in to their staff accounts to create the decision documents.
  • An authentication server running the Kerberos 5 authentication protocol, which authenticates staff and applicants who want to log in to their accounts.
  • A machine running an SQL database server with phpMyAdmin 3.5.x, which stores all applicants' personal information and application documents.
  • A machine running Microsoft SQL Server 2000 SP4, which stores all decision documents and visas ready to be issued.
  • A machine running the Apache James Server 2.3.2 mail server, which stores all emails and attached files.
  • A machine running an IIS web server hosting the XYZVISA website, on which people can browse application information, apply online and check their application status/decision.
  • For enhanced security, a D-Link DIR-878 firewall with firmware 1.12A1 is installed to monitor and filter traffic/activity.
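Questions 3B and 3C ask for Low/Medium/High estimates and a 3x3 risk matrix. The following Python is an added worked example, not part of the exam paper or of any model answer: it builds a small asset-oriented risk register for the scenario and draws the matrix. The assets named in the register come from the infrastructure list above; the threats, vulnerabilities, likelihood/impact ratings and the severity mapping (ordinal product of the two levels, bucketed into Low/Medium/High) are constructed assumptions for illustration only and are not a claimed assessment of the real products.

```python
"""Asset-oriented risk register and 3x3 risk matrix for the XYZVISA scenario.

Added worked example (not part of the exam paper). Asset names follow the
scenario; threats, vulnerabilities and ratings are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # ordinal qualitative scale


def rate_severity(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a severity level.

    Assumed convention: score = (likelihood rank) * (impact rank) with ranks 1..3;
    scores 1-2 -> Low, 3-4 -> Medium, 6-9 -> High. Other mappings are possible.
    """
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str          # asset from the scenario
    threat: str         # constructed
    vulnerability: str  # constructed
    likelihood: str
    impact: str

    @property
    def severity(self) -> str:
        return rate_severity(self.likelihood, self.impact)


# Constructed register: illustrative entries, not findings about the real products.
REGISTER = [
    Risk("R1", "Staff PCs (Windows XP SP2)",
         "Malware delivered through a malicious application attachment",
         "Workstation operating system no longer receiving security updates",
         "High", "High"),
    Risk("R2", "Decision-document database (Microsoft SQL Server 2000 SP4)",
         "Unauthorised disclosure of decision documents",
         "Unsupported database version with no vendor patches",
         "Medium", "High"),
    Risk("R3", "Mail server (Apache James Server 2.3.2)",
         "Loss of stored emails and attachments",
         "No backup arrangement is described in the scenario",
         "Low", "Medium"),
]


def risk_matrix(register):
    """Map each (likelihood, impact) cell to the IDs of the risks that fall in it."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.rid)
    return cells


def render_matrix(register) -> str:
    """Draw the 3x3 matrix as text: rows = likelihood (High on top), columns = impact."""
    cells = risk_matrix(register)
    width = 16
    lines = ["Likelihood \\ Impact".ljust(22) + "".join(l.ljust(width) for l in LEVELS)]
    for lik in reversed(LEVELS):
        row = lik.ljust(22)
        for imp in LEVELS:
            ids = ",".join(cells.get((lik, imp), [])) or "-"
            row += f"{rate_severity(lik, imp)}:{ids}".ljust(width)
        lines.append(row)
    return "\n".join(lines)


def treatment_order(register):
    """Order risks for treatment: highest severity first, then impact, then likelihood."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    return sorted(register,
                  key=lambda r: (rank[r.severity], rank[r.impact], rank[r.likelihood]),
                  reverse=True)


if __name__ == "__main__":
    print(render_matrix(REGISTER))
    for r in treatment_order(REGISTER):
        print(f"{r.rid} {r.severity:<6} {r.asset}")
```

The severity bucketing is symmetric (Low/High and High/Low both land in Medium), so a different exam marking scheme that treats impact as dominant would need a different mapping in `rate_severity`; everything else in the register stays the same.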
