Assessment Brief: BIS3004 IS Security and Risk Management Trimester-1 2024
Assessment Overview
Assessment | Type | Weighting | Due | Length | ULO
Assessment 1 | Individual | 30% | Week 6 | 2500 words | ULO-2, ULO-3, ULO-4
equiv. – equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is equivalent to the normally expected time requirement for a written submission containing the specified number of words.
Note for all assessment tasks:
• Students can generate/modify/create text generated by AI. They are then asked to modify the text according to the brief of the assignment.
• During the preparation and writing of an assignment, students use AI tools, but may not include any AI-generated material in their final report.
• AI tools are used by students in researching topics and preparing assignments, but all AI-generated content must be acknowledged in the final report as follows:
Format | Example
Tools: I acknowledge the use of | What are some key challenges in
Assessment 1: Case Studies (Use case analysis, Risk Identification and Assessment)
Due date: Week 6
Group/individual: Individual
Word count / Time provided: 2500
Weighting: 30%
Unit Learning Outcomes: ULO-2, ULO-3, ULO-4
Justification
There has been a noticeable increase in data breaches within the financial and healthcare sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse trend.
In the past four years, numerous data breaches have occurred in Australia, several of which affected large numbers of users. Table 1 compiles noteworthy data breach incidents from recent years.
Table 1: Major Data Breach Incidents in Australia
Company Name | Date of Impact
Latitude | March 2023
Medibank | December 2022
Optus | September 2022
Eastern Health | March 2021
Northern Territory Government | February 2021
Canva | May 2019
Australian Parliament House | February 2019
Approach Analysis
You are required to choose one of the data breaches from the list above in Table 1 and create a report on it. Your report must include the following information.
1. Details of the Attack:
This section of your report should include the elements below.
• What was the attack? What vulnerability was exploited?
• Was the vulnerability already known? When did the attack happen?
• Were any controls implemented against the vulnerability, and was it exploited despite them?
2. Analysis and Action:
This section of your report should include the elements below.
• When and how did the target find out about the attack?
• For how long was the risk left unactioned?
• Did the organisation have a risk assessment policy and procedure?
• Did the organisation maintain a risk register?
• Was the vulnerability included in the risk register?
• How was the risk rated (critical/non-critical/high/medium/low)?
• What did the attacker(s) do, steal, and want?
• Did the organisation pay anything because of the attack?
• What actions did the organisation take to avoid further damage?
3. Risk assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
Risk Identification and Assessment
In this section, you need to identify risks and conduct an analysis of the selected use case. Regarding the selected scenario, reasonable assumptions can be made if they are adequately documented and supported. To perform risk identification and analysis, you can choose either of the following tools or a combination of them.
• Factor Analysis of Information Risk (FAIR)
• NIST Privacy Risk Assessment Methodology (PRAM)
• NIST Cybersecurity Framework (CSF)
Assessment Description
Assume you have been recruited as a cybersecurity specialist by the client organisation (the use case you chose). You are responsible for conducting a security risk assessment and preparing this report for the board members. In most organisations, board members have minimal levels of computer literacy and risk-related knowledge. Include the following information in your report preparation:
1. Introduction
2. Details of the attack
3. Analysis and action
4. Risk Assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
5. Conclusion
6. References
Note: Your responses to the above questions must be supported by APA-style citations and references.
Additional Information
When conducting research, you may find the following URLs or research tools useful:
✓ https://ieeexplore.ieee.org/Xplore/home.jsp
✓ https://dl.acm.org/
✓ https://scholar.google.com/
Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30% of the total unit mark.
Marking Criteria | Not satisfactory (0-49% of the criterion mark) | Satisfactory (50-64% of the criterion mark) | Good (65-74% of the criterion mark) | Very Good (75-84% of the criterion mark) | Excellent (85-100% of the criterion mark)
Introduction | The introduction lacks clarity, and an | The | The introduction is clear, contains an | The introduction is well | The introduction is exceptionally
Details of the Attack (15) | The report lacks clarity and detail, providing little to no | The | Generally, good discussion about the details of the attacks, including clear identification, a of the attack | Very clear discussion about | In-depth and very clear discussion about the details
Analysis and action (10) | Poor discussion with irrelevant information | A brief discussion about the analysis and action. | Generally, good discussion regarding the analysis | Very clear discussion about | In-depth and very clear discussion about the
Risk Identification (15) | Poor discussion with irrelevant information | A brief discussion about risk identification. Displayed a basic | Generally shows a good grasp of the threat landscape but may | Very clear discussion regarding risk identification. | Using one of the provided tools demonstrates an
Risk Analysis (15) | Poor risk assessment. No assets were mentioned, nor were any threats evaluated. | A brief discussion about risk analysis. Few threats are evaluated. | Some relevant assets were identified, but important ones are missing. Some threats were | Most relevant assets are identified with minor omissions or inaccuracies. Well-documented | A very clear and in-depth risk analysis. Comprehensive identification of all relevant assets,
Risk Evaluation (20) | Poor | A few threats and vulnerabilities are | Most threats are identified, but some important ones are missing. Some vulnerabilities were identified, | Comprehensive threat identification | Thorough identification of potential threats, including emerging ones, and identification and evaluation of
Conclusion (10) | The conclusion is unclear, fails to | The conclusion is somewhat unclear, | The conclusion is generally clear, | The conclusion is clear, effectively | The conclusion is exceptionally clear,
Formatting and referencing (5 marks) | Includes misspelt words, incorrect language, incorrect standards; satisfies minimum page | Few spelling, grammatical, and | Few spelling, grammatical, and | Few spelling, grammatical, and | There are no spelling or grammar