Information Security Evaluation Report

Current Information Security Environment

The coursework assignment for the Information Security Management module involves the production of an information security evaluation report. This coursework is a major piece of work and represents 50% of the overall assessment for this module. This coursework is a piece of groupwork. Groups will consist of a maximum of 4 students unless otherwise agreed with your tutor. If you do not manage to form a group on your own then you will be allocated to one.

The deliverable for this coursework is a written report that evaluates the current level of information security management within an organisation by:

• identifying the organisation’s key physical and information assets;

• highlighting key vulnerabilities and threats relating to information security;

• reviewing the controls in place to protect the organisation’s assets against these vulnerabilities and threats;

• providing output from, and comment on, an information security risk assessment;

• identifying possible control improvements, safeguards and countermeasures to mitigate the identified risks;

• producing outline costs and general advice on ways that the organisation could improve information security.

Section 1: Introduction

Provide an overview of organisation/department and of the project at hand. Organisations and any personnel should be anonymised.

Section 2: Current Information Security Environment

Describe the existing information environment by identifying key physical and information assets and describe the impact on the organisation if their C.I.A was compromised.

Section 3: Information Security Audit This section should include three sub-sections:

a) Provide an overview of how you conducted the audit.

b) For each of the following 7 threat categories, through discussion with your client organisation, clearly identify vulnerabilities associated with the physical and information assets that you have identified in Section 2 above:

• Malware

• Hacking

• Social

• Misuse

• Physical

• Error

• Environment

c) Provide an assessment of the controls the organisation has (or does not have) in place to address the identified threats and vulnerabilities. Controls are a critical aspect of information security because they are the key concepts and patterns we employ to protect information systems. They are also the same things we deploy to mitigate non-system information risks and indeed wider operational risks. However most importantly, from a business perspective, they are the key to determining the costs of securing an organisation.

Section 4: Information Security Risk Assessment Evaluate and identify relative risk for all vulnerabilities (control weaknesses) highlighted in the previous section and provide comment on each risk and on the overall risk assessment.

Section 5: Control Improvements, Safeguards and Countermeasures Undertake some web-based research and identify potential control improvements, safeguards and countermeasures that the company could employ to mitigate or otherwise reduce risk and improve the general state of security within the organisation.

Section 6: Costs and Additional Advice Provide outline costs for implementing the control improvements proposed in the previous section and detail any additional general advice and guidance that you feel may assist your client in improving and maintaining their information security.

Section 7: Appendices Additional research material; useful information on existing technology controls, case studies, industry guidance, etc.;

technical glossary and anything else that you may feel may be relevant or that evidences your research and justifies your proposals Please note that the contents of the appendices are not included in the overall word count for your submission. You can, therefore include as much information as you like in this section without fear of being penalised.

The purpose of the report is clearly stated.

The report addresses the requirements of the coursework.

The standard of English used is adequate for communication with the audience.

The approach taken by the students could lead to a solution for the scenario.

The report contains a discussion of the client’s current information security environment

The report contains details of an information security audit and risk assessment

The report presents potential control improvements, safeguards and countermeasures

The report presents outline costs and some additional general advice.

The students have demonstrated a satisfactory understanding and appreciation of information security management, have undertaken an information security audit and have reported on  the findings of such at a level that could provide real value to the client organisation.

The students have demonstrated a more than satisfactory grasp of the module material, have excelled in the presentation of risk assessment and control improvements and have displayed an admirable understanding and appreciation of the challenges associated with information security management within their client’s organisation.

The students have demonstrated an exceptional grasp of the module material and have undertaken and reported on an information security audit in a manner, and to a level, that would be considered commendable by an information security expert.