Analyse the existing information system
This coursework consists of a group and individual part. The coursework requires a critical analysis of an existing information system threats, relevant risk and performing audit. There are several tasks and you need to produce deliverables by performing the tasks and each task has a corresponding weighting which collectively adds up to 100.
Analyse the existing information system by performing the following sub-tasks:
Inventory of assets: Define the inventory of assets. The asset inventory should include following properties:
The asset inventory shall include following properties
• Asset name
• Short brief,
• Possible owner,
• Acceptable use,
• Sensitivity (restricted, unrestricted),
• Criticality(essential, required, deferrable)
Develop statement of applicability: Develop a statement of applicability based on the existing gap within the information system by following the information security management system standard ISO 27001:2013. Consider only the relevant control objectives. You need to follow the ISO 27001:2013 check list (uploaded in moodle) for the asset inventory.
Statement of Applicability
Task 2: Perform Threat Analysis and Risk Management
Perform threat analysis and risk management by looking at the scenario context and deliverables from task 1. Develop a threat report considering the following properties
• Threat Name
• Threat actor skill level
• Resource and tools
• Access vector
• Indicator of Compromise
Population of the risk register with at least five possible risks. Each risk should linkwith the threat identified by deliverable 3. You need to provide the probability and impact level scales for the risk register. The risk register should include the following attributes
• Risk name
• Asset name
• Risk level
Identify the possible relevant controls to address the identified risks and threats by deliverable 3 and 4. The deliverable should consider risk control strategy (such as avoid, reduce, fallback, share, transfer, accept), control category and relevant references from the existing standards. Security control should consider following attributes
• Risk name
• Risk control strategy:
• Asset Type:
• General controls:
• Application controls:
• Administrative controls:
• Duration: Short /Medium/Long
Task 3: Perform security audit
Develop an audit report based on the scenario and identified risks. Consider at least required control objective which are relevant with the assets and context. You need to follow the ISO 27001:2013 check list (uploaded in moodle) for performing the audit.
The report should include following headings
• Audit Question
• Result: non-conformity/potential non-conformity /conformity
• Action: corrective /preventive action
Task 4: Incident handling
There are several incidents occurred within the scenario. You need to produce one incident report. You can follow any template or make your own template for performing this task.
• Organisation details:
• Incident details :
o Brief summary of the incident (what has happened, where did it happen, when did it happen)
o Sensitivity of Data /Information involved Public/ Internal Use Only/ Restricted/Confidential (Privacy Violation)/Unknown
o System compromised (Provide in detailed if any )
• Incident Analysis
o Causes for the incident (Provide in detailed)
• Lesson learned
Task 6: Individual evaluation
Each member of the group should produce a review based on the assigned tasks within the group. Your review is an individual piece of work 400 words in length and should include the followings:
• A reflective account of what you learned from undertaking each of the deliverables
• How realistic are the proposed risk control actions to mitigate the identified risks?
• How effective is the business continuity plan from your view
• Of the performed tasks, which task is the hardest to perform and why.
• Does the business struggle to control cyber security risks and what is the current trend of risks?