_{Project CoverSheet–CSF4003Project[25%]}

CourseName	CSF4003	FacultyName	Dr. Fadi Abu-Amara
ProjectTitle	Project	DueDate	9th December 2019
Section		DateSubmitted
StudentName	1. 2. 3. 4.	StudentID	1. 2. 3. 4.
ThisassessmentassessesthefollowingLearningoutcomes:

Declaration – Group

 No part of this assignment has been copied from another source (not from another group, students, an internet source, or a book)

 When another person’s words are used, this is shown in the text with “…” and referenced.

 No part of this assignment has been written by anyone other than the members of the group named below.

 We have a copy of this assignment that we can produce if the first copy is lost or damaged.

_{Names and Signatures:}

_{Name 1………………………………………… Signature ……………………………}

_{Name 2………………………………………… Signature ……………………………}

_{Name 3………………………………………… Signature ……………………………}

_{Name 4………………………………………… Signature ……………………………}

_{N.B. The marker may choose not to mark this assignment if the above declaration is not signed.}

 If the declaration is found to be false, appropriate actions will be taken.

 Plagiarism is copying and handing someone’s work as your own. Any student found guilty of this type of cheating will be dismissed from the college.

_{Received By……………………………………………… Date ……………………………}

1. Introduction

A group of students is required to analyze the Company ABCD and deliver a comprehensive report on Information Security Risk Assessment. Students should consider the following points. Please read the project specification document carefully.

1. Operations
2. Datacenter
3. Network infrastructure
4. Normal Operations
5. Physical Security Issues
6. Logical Security Issues
7. Business Process
8. Employees

After analysis of the company, each group is required to provide a report on Information Security Risk Assessment, which should include Systems Identification and Safeguard Determination phase. The project requires at least five weeks of continuous work. Students should work on the project in their own free time; however, one hour of class time per week should be allocated to discuss the project with teams.

During the discussion, team members should be present. The team members who will be responsible for communication and project progress and choosing a team leader.

Students can use different templates available on the internet to seek help in designing the project requirements. Students should list all the used references.

NOTE: Project submission and presentation will be at the beginning of Week 16.

Any project submitted late will be penalized by a 5% reduction per late day.

Group Marks: 12.5% (Project Report including all the design details)

Individual Marks: 12.5% (Presentation with questions)

The Project Covers the Following Course Learning Outcomes

CLO 2- Analyze the risk management lifecycle, assessment and techniques.

CLO 3- Apply qualitative and quantitative techniques to formulate risk exposure factor.

CLO 4- Apply various risk evaluation and mitigation strategies.

CLO 5- Develop a security architecture to determine patterns and baselines of traffic, services and controls.

1. ACADEMIC HONESTY DECLARATION

This assignment is entirely my work except where I have duly acknowledged other sources in the text and listed those sources at the end of the assignment. I have not previously submitted this work to the HCT. Further, I understand that I will be orally examined on my understanding and contribution.

I understand that I must not attempt to gain marks dishonestly during an assessed task, as this is considered cheating. Helping another student gain marks during an assessed task is also considered cheating. THE PENALTY FOR CHEATING AT HCT IS SEVERE AND INCLUDES PERMANENT DISMISSAL FROM THE COLLEGE.

I have read the above information and understand my responsibilities regarding academic honesty during this assignment.

SIGNED: ________________________________ DATE: ___________________

SIGNED: ________________________________ DATE: ___________________

SIGNED: ________________________________ DATE: ___________________

SIGNED: ________________________________ DATE: ___________________

1. Project Requirements

Below are the project requirements where each group is supposed to fulfill.

1. Introduction to the Case

Introduce the case study, its purpose, and its outcome.

1. The Company

Provide an overview of the company; describe the business activities, core business function, and thorough analysis of the data center diagram.

1. Risk Determination Phase

Describe each of the following based on the provided Company ABCD scenario. (Refer to Appendices for more details):

1. Identify Assets, asset owners
2. Identify Asset Value
3. Identify threats to Assets and their Likelihood
4. Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats
5. Describe Risks to the Assets based on Points (3, 4, 5)
6. Evaluate Risk based on Point (6)
7. Safeguard Determination Phase

Describe each of the following based on the provided Company ABCD scenario. (Refer to Appendices for more details):

1. Define the recommended Controls and Safeguards based on the 20 critical security controls.
2. Determine the residual likelihood of occurrence if control and safeguard are implemented.
3. Determine residual severity of impact if candidate control and safeguard are implemented.
4. Determine residual risk levels.

1. Project Specifications

Company ABCD is a software company which consists of 350 total staff, employed at the headquarters and other branches across the country. It’s business model relies on electronic transactions with critical customers and suppliers.

Company ABCD uses the Heroku cloud platform to manage transactions and communications between internal and external applications. Company ABCD communicates with approximately 21 internal applications and 300 trading partners. It currently processes approximately 1 million documents per week and estimates that it will process 1.3 million documents per week by the end of 2020.

1. Data Center Diagram

The following figure shows the data center diagram of ABCD Company.

Figure 1: Data Center Diagram of ABCD Company

1. Potential Threats and Security Concerns

Company ABCD wants to make sure that it receives and processes only messages from authenticated sources. It also wants to make sure that it can receive and retrieve documents from outside its corporate network as safe as possible. The security team configured the firewalls to skip deep packet inspection to speed up the internal data transfer. Besides, the firewall can be accessed internally via an HTTP connection to update its configurations.

Furthermore, the anti-spoofing is disabled by default. The Company also wants to make sure that their email system is not hacked or cracked because they heavily rely on email messages from clients to process their transactions. Company ABCD also wants to protect its data regarding its employees, customers, transactions, financial, and other documents related to business.

The Company allowed its employees to save company data on the cloud. Also, the Web Server can be accessed from outside the company using VPN connections. Company ABCD implemented a backup process to secure all critical data of the business. However, to save cost and time, no regular testing is performed.

1. Recent Threats Faced By the Company

The following are the recent incidents faced by the company a few months ago.

1. An employee received a call alerting him to a breach in the company’s internal network; about 500 clients were targeted on the company network. A DOS attack and single targeted sites on servers are reported. The hacker had managed to bypass the company’s entire security protocol, get behind its firewall, and gain access to its master user access information.
2. One of the senior management email accounts was hacked. The security team suspects that via social engineering, malware, key logger, or Trojan, the attackers obtained access to the email.
3. The IT helpdesk team reported that one of the Heroku servers failed to respond in the middle of the day when most of the transactions were processing. A cluster of Heroku servers is running in the datacenter and suppose to take over if one of the servers fails, but it did not happen. A network team member examined the situation and figured out that the problem in the network connection did not force the redundant server to take over. However, it took him a long time to fix the issue, which resulted in many transaction failure and loss of revenue.
4. The security team uses Windows to maintain Unix-based systems. A virus spread in the internal network of the company during the last week of July.
5. An employee noticed some unknown processes active in one server. The employee immediately thought of an internal intrusion. The security team announced an incident and called for a meeting. About 30 employees attended the meeting, which resulted in significant confusion.
6. During an internal audit, it is found that the security team used to manage different devices such as firewalls and intrusion detection systems from a laptop using a wireless connection.
7. The company’s security officer reported that he had spotted a person roaming in the office area. This person does not seem to be an employee or any partner vendor engineer or support. He reported the issue to the management, and the person was just asked to leave the premises without any interrogation. The management is concerned about the physical security of the company. They are concerned about privacy, identity theft, social engineering, and physical theft of any device.

ReportRequirements

1. MS Word report with 1000 words.

2. Font: Times New Roman, size 12.

3. APA referencing with in-text references and a “references” page.

4. Max of four students per team.

5. Signed cover sheet

1. Report Assessment Criteria

Student Name: _____________________________ ID No.: ______________________

Student Name: _____________________________ ID No.: ______________________

Student Name: _____________________________ ID No.: ______________________

Student Name: _____________________________ ID No.: ______________________

1.	Presentation	5	4	3	2	1	0
	Cover page information
	Appearance, format, English proofreading
	Presentation Total Marks	/7
2.	Introduction to Case	5	4	3	2	1	0
Brief Introduction/purpose of the case
Outcome of the case
	System Documentation Phase Total Marks	/10
3	The Company	5	4	3	2	1	0
	Overview of the company setup, business activities, core function
	Analysis of data center diagram
	The Company Total Marks	/10
3.	Risk Determination Phase	10	8	6	4	2	0
Identify Assets
Identify Asset Value
Identify threats to Assets and Likelihood.
Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats.
Describe Risks to the Assets based on Point (3, 4, 5)
Evaluate Risk based on Point (6)
	Risk Determination Phase Total marks	/45

4.	Safeguard Determination Phase	10	8	6	4	2	0
Define controls and safeguards
Determine the residual likelihood of occurrence if control and safeguard are implemented
Determine residual severity of impact if candidate control and safeguard are implemented
Determine residual risk levels
Safeguard Determination Phase Total Marks	/25
	Total Project Report Marks	/97

Comments:

Instructor’s Signature: ______________________ DATE: ___________

1. Presentation Rubric

	Poor (1)	Good (3)	Exemplary (5)	Score
Explanationof Ideas&Information (Project)	does not present information, arguments, ideas, or findings, concisely, and logically; argument lacks supporting evidence; the audience cannot follow the line of reasoning selects information, develops ideas and uses a style inappropriate to the purpose, task, and audience (maybe too much or too little information, or the wrong approach) does not address alternative or opposing perspectives	presents information, findings, arguments and supporting evidence in a way that is not always clear, concise, and logical; the line of reasoning is sometimes hard to follow attempts to select information, develop ideas and use a style appropriate to the purpose, task, and audience but does not fully succeed attempts to address alternative or opposing perspectives, but not clearly or completely	presents information, findings, arguments, and supporting evidence, concisely, and logically; the audience can easily follow the line of reasoning selects information, develops ideas and uses a style appropriate to the purpose, task, and audience clearly and completely addresses alternative or opposing perspectives	/5
Organization (Includes all the sections)	does not meet requirements for what should be included in the presentation does not have an introduction and/or conclusion uses time poorly; the whole presentation, or a part of it, is too short or too long	meets most requirements for what should be included in the presentation has an introduction and conclusion, but they are not clear or interesting generally times presentation well, but may spend too much or too little time on a topic, a/v aid, or idea	meets all requirements for what should be included in the presentation has a clear and interesting introduction and conclusion organizes time well; no part of the presentation is too short or too long	/5
	BelowStandard (1)	ApproachingStandard (3)	AtStandard (5)	Score
PresentationAids	does not use audio/visual aids or media attempts to use one or a few audio/visual aids or media, but they do not add to or may distract from the presentation	uses audio/visual aids or media, but they may sometimes distract from or not add to the presentation sometimes has trouble bringing audio/ visual aids or media smoothly into the presentation	uses well-produced audio/visual aids or media to enhance understanding of findings, reasoning, and evidence, and to add interest smoothly brings audio/visual aids or media into the presentation	/5
ResponsetoQuestions (The Company)	does not address audience questions (goes off-topic or misunderstands without seeking clarification)	answers audience questions, but not always clearly or completely	answers audience questions clearly and completely seeks clarification, admits “I don’t know” or explains how the answer might be found when unable to answer a question	/5
ResponsetoQuestions (Risk Determination Phase)	does not address audience questions (goes off-topic or misunderstands without seeking clarification)	answers audience questions, but not always clearly or completely	answers audience questions clearly and completely seeks clarification, admits “I don’t know” or explains how the answer might be found when unable to answer a question	/5
ResponsetoQuestions (Safeguard Determination Phase)	does not address audience questions (goes off-topic or misunderstands without seeking clarification)	answers audience questions, but not always clearly or completely	answers audience questions clearly and completely seeks clarification, admits “I don’t know” or explains how the answer might be found when unable to answer a question	/5
ParticipationinTeamPresentations	Not all team members participate; only one or two speak	All team members participate, but not equally	All team members participate for about the same length of time All team members can answer questions about the topic as a whole, not just their part of it	/5
			Total	/35