网络安全代写 – Management of Information Security

网络安全代写 – 这是一个网络安全相关的报告代写任务

Management of Information Security

assignment1.

In this assessment task, you will work in a group of at most 4 students. The team will perform risk analysis and management for Metro Healthcare Service given below. The goal of the assignment is to establish an objective measurement of risk that will allow Metro Healthcare Service management to understand business risk to critical information and knowledge assets both qualitatively and quantitatively to make business decisions regarding investments in people, processes, and technology to bring risk to acceptable level.

This task assesses your achievement of these Unit Learning Outcome(s)

• ULO2 Assess security risks, threats and vulnerabilities to the organisation and implement appropriate information security protection mechanisms.
• ULO3 Conduct investigation of security management issues in organisation by analysing requirements, plans and IT security policies.

Deliverables

• A well written report of approximately 2500 words explaining possible risks that Metro healthcare faces. The report must have a 1/2 page executive summary that summarizes your findings and recommendations.
• You must justify your answers, show step by step your work and include all the formulas required to arrive at your answer. An answer without justification, step by step description and formulae will be given zero mark.
• Use Harvard style referencing in your report. Deakin portal http://www.deakin.edu.au/students/studying/study-support/referencing/harvard provides an example of Harvard referencing style. Any other referencing style will be penalised.
• The report submission should be made electronically via CloudDeakin and is due by Monday 20 August 2018 at 5:00PM (AEST). Only one submission per group is needed.
• This assessment is worth: 30% of your overall mark. Student teams will be tested on their ability to analyse the cybersecurity businesses objectives and requirements and propose justified countermeasures to manage security risks.
• Plagiarism declaration sheet – You will NOT need to attach a cover sheet / plagiarism declaration sheet, it will be handled when you upload your assignment to the dropbox.
• Plagiarism is the copying of another person’s ideas or expressions without appropriate acknowledgment and presenting these ideas or forms of expression as your own.^1 Deakin University, as well as the Faculty of Science and Technology and the School of IT view plagia r is m as a serious offence and impose heavy penalties on students found guilty of the offence.

Resources

You will need the following resources to do the assignment.

1. Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/index.html
2. Rating criteria and a scoring system document
3. Google to do research.
4. Lecture slides
5. Documents (when ready will announce) in http://www.deakin.edu.au/individua ls- sites/?request=~jemal/

(^1) Faculty of Science and Technology Plagiarism notice.

Case Study: Metro Healthcare System

Metro healthcare is a Melbourne based private mental healthcare service provider. The vision of Metro healthcare reads To be the premier provider of mental health services in Victoria and the mission of Metro reads To provide our patients with finest healthcare in a safe, secure and individualised environment. Metro has 80 employees that include doctors, nurses, technologists, administrators, etc. The figure below shows a Metro netw ork diagram.

L AN

oracleData
Ser ve r

Email Server
(runs MacAfee)

Rout er Sw itch ID S Internet

Gateway

Firewall

Human Resource Unit Doctors and Nurse
(Psychiatric Unit)

Finance Unit

Information Tech nology Unit

Printer Printer

W eb ser ve r
(runs MacAfee)

Medical labUnit
Printer
Oper a tor

Metro healthcare system

Metro has five business units: the human resource unit, the finance unit, the information technology unit, the medical laboratory unit and the psychiatric unit. The information technology unit is responsible for the management of the information technology infrastructur e such as the hardware, software, and network. Chief Information Security officer and several cybersecurity professionals w ithin the information technology unit are responsible for Metro cybersecurity management. The hospital deploys a complex networked system that seamlessly integrates the hospital Internet and Intranet. All workstations at the psychiatric unit run Microsoft Windows 10 for 32-bit and 64-bit and Microsoft Internet Explorer (IE 11). All workstations at the human resource unit and the finance unit run Microsoft Windows 8 for 32- bit and 64-bit and Microsoft Internet Explorer (IE 11). The workstations at the medical laboratory unit run Microsoft Windows 7 for 32-bit Systems SP1 and Microsoft Internet Explorer (IE 11).

Metro deploys state-of-art cybersecurity controls (firewalls, antivirus products, intrusion detection systems, and mul ti-factor authentication). Last patch update was done in 1st Januar y

2018. databaseserver (Oracle), Apache server (for webserver) and Microsoft Exchange Server (for email) are used. The employees can use Microsoft Outlook and/or Microsoft Exchange Outlook webAccess (OWA) email client. Oracle E-Business Suite (Oracle Human Resources, Oracle General Ledger, etc.) is used for maintaining and processing all information (e.g., patient health records, administrative records, and personnel records). Approximately, there are about 800K patient health records, 2 mi llion administrative records, and 100K personnel records in the database. Telstra Health’s Argus software to securely communicate confidential patient information quickly and reliably, in-line with privacy standards". Argus software is

used to securely exchange patient data with other hospitals, GPs, specialists, primary health networks and allied health providers.

1 Identification and valuation of assets

In this task, you w ill identify, valuate and prioritise at least one information asset for each department. Provide a rationale for selecting the information assets and provide a brief description of how you approached the identification, valuation, and prioritisation of the assets. Use the following template to list the threats, threat agents and the associated attributes.

Asset Sensitivity
Name Type Unit Value (Worth) C I A

Note that an asset may have more than one sensitivity attributes. Choose the best option and justify your choice of the security attributes for the asset. The name, type and unit of the asset should be obtained directly from the case study. The value (worth) of the asset need to be computed. You can do some research to find how sensitive the information asset and then use the Factors for Estimating Sensitivity Value table to assign the appropriate values to C (confidentiality), I (integrity) and A (availability). You must justify and support your choice of the values for the confidentiality, integrity, motive, and availability.

2 Threat and Vulnerability Analysis

In this task, you w ill gather and analyse information about potential threats, the threat agents involved, and vulnerabilities to Metro healthcare information assets you identified in the previous section. Note that the threats and vulnerabilities do not need to be exhaustive, but must be consistent with those considered relevant to Metro healthcare and must provide a reasonably complete context for critical risk analysis.

2.1 Identifying Threats and Threat Agents

For each information asset you identified in previous section, identify the most probable threats and threat agents to Metro healthcare business objectives or mission and vision. You must identify a different cybersecurity threat and a different threat agent for each information asset. Also, as different threat agents can target Metro healthcare, it is important to identify threa t agents that are more likely to pose cybersecurity risks to Metro healthcare assets. You will need to provide convincing rationale for selecting the threats and threat agents for the information assets. Use the following template to list the threats, threat agents and the associated attributes.

Asset
Na me

Threat Attributes
Thre at
Type

Thre at Age nt
Siz e Skill Motive O pportunitie s

For determining threat agent attributes, you will need to do some online research. For example, you can derive information on motivation by using intelligence know ledge of the threat agent. Similarly, for information on opportunity, you can look at and analysing information such as the access to information that a threat agent has, the change in technology and the availability of technology to the threat agent, the vulnerabilities of the target, the profile of the target and the perception that the public has of the target. Once you have gathered the information yo u need, you can use the Factors for Estimating threadLikelihood rating table to assign the

appropriate values to size, skill, motive, and opportunityof the threat agents. You must justify and support your choice of the values for the size, skill, motive, and opportunity.

2.2 Identifying Vulne ra bilit ie s

In this task, you will identify one or more vulnerabilities that can be directly exploited by the threat agents previously identified. Note that an asset may have more than one vulnerabilities. There are many non-zero-day vulnerabilities in Metro healthcare as presented in the case study. To identify and understand these vulnerabilities, you will need to research and find online resources that maintain up-to-date non-zero-day vulnerabilities along with various attributes.

Threat Vulnerability Vulnerability Attributes
Type Agent Name Discoverability Exploitability Exposure Detectability

Use the above template to list the vulnerabilities and the associated attributes. For each vulnerability you identified, discuss the level of exposure, discoverability, e xploitability and detectability of the vulnerability by the threat agents. Exposure refers to how well the threat agents know about the vulnerability. Discoverability is the ease with which the threat agents can discover the vulnerability. Exploitability refers to the ease with which the vulnerability can be exploited, and detectability refers to how likely is an exploit to be detected. Use the Factors for Estimating Vulnerability Likelihood rating table to assign the appropriate values to exposure, discoverability, exploitability and detectability. You must justify and support your choice of the values for the exposure, discoverability, exploitability and detectability.

3 Quantitative Risk Analysis

3.1 Estimating Threat Likelihood

Estimate the likelihood of each vulnerability to be uncovered and exploited by a threat agent. Use the following template for reporting the likelihood.

Threat
Name

Vulnerability
Name

Likelihood Magnitude
Threat Vulnerability Total

The likelihood of a threat refers to the average values of the threat agent factors (skill, motive, opportunity and size). The likelihood of a vulnerability refers to the average values of the vulnerability factors (exposure, discoverability, exploitability and, detectability). The total likelihood refers to the average of the threat and vulnerability likelihood values. The total likelihood value is used to determine the magnitude of the threat likelihood from the severity rating table. The magnitude of threat likelihood refers to the levels of probability (e.g., low, medium, or high) of a threat to be successful.

3.2 Estima ting Vulne ra bility Impact

In this step, you estimate the adverse impact of a successful exploit on Metro healthcare. Us e the following template for reporting the impact.

Threat
Name

Vulnerability
Name

Impact
Sensitivity Value Mission Value Total Magnitude^

Use the overall likelihood and the severity rating table to determine the magnitude (high, medium or low) of the likelihood. You must justify and show step by step your w ork and include all the formulas required to arrive at your answer.

3.3 Estima ting Ove ra ll R isk Se ve rity a nd M itig a tio n Strategy

In this step, the likelihood estimate and the impact estimate are used together to calculate the overall severity level for the risk to the asset. You will need to prioritise the risks based on their risk level. Use the follow ing template to report the results.

Asset Risk
Na me Type Like lihood Impa c t Severity level Priority le ve l

You must justify and show step by step your w ork and include all the formulas required to arrive at your answer.

4 Risk Treatment Strategy

The team will propose a protection strategy (i.e., security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level) to mitigate each of the identified risk. Use the following template.

Asset Risk
Na me Type Severity level Mitigation CBA Re sidual risk

The team must justify the choice of the security solutions proposed using cost benefit analysis (CBA) to justify w hich controls are w orth implementing, and discuss how the proposed controls will reduce the risks.