personally identifiable information

Student Name:    Student Number:
Unit Code/s & Name/s: BSBXCS303 Securely manage personally identifiable information and workplace information
Cluster Name (if applicable): NA
Assessment Name: Portfolio    Assessment Task No.: 1 of 1
Assessment Due Date: Week 8
Assessor Name: Ashley Ball
Student Declaration: I declare that this assessment is my own work. Any ideas and comments made by other people have been acknowledged as references. I understand that if this statement is found to be false, it will be regarded as misconduct and will be subject to disciplinary action as outlined in the TAFE Queensland Student Rules. I understand that by emailing or submitting this assessment electronically, I agree to this Declaration in lieu of a written signature.
Student Signature:    Date:

Instructions to Student

Section 1 – General Instructions:

You are required to complete Questions 1 – 7 below (starting Page 4 of this document) and answer them in sentence structure where stated. This is an individual assessment. All answers must be in your own words unless it is specifically required to be copied from legislation, policy or procedure. It is also acceptable to copy definitions of any relevant protocols used in your answers.

Section 2 – General Instructions:

You are required to complete Parts 1 – 8 below (starting Page 3 of this document). There will be a variety of practical tasks that require screenshots, explanations, completing templates, checklists and filling out tables. This is an individual assessment. All answers must be in your own words and screenshots must have your name and student number shown within the screenshot. Example: Have a text document open with your name and student number to verify it is your work.

Section 1 – Information / Materials provided by Student:

–       Access to a computer with:

o   Internet access

o   Web browser

o   Microsoft Office

–       Access to relevant industry standards, organisational procedures and legislation

Section 2 – Materials to be supplied by Student:

Access to a computer with:

–       Internet access

–       Web browser

–       Microsoft Office

–       VirtualBox Virtual Machine Software

–       Windows 10 Virtual Machines

–       HashCalc, 7-Zip and/or Eraser Software

Work, Health and Safety:

A work health and safety check of the assessment environment is to be conducted prior to the assessment and any hazards addressed appropriately.

Section 1 – Assessment Criteria:

To achieve a satisfactory result, your assessor will be looking for your ability to demonstrate the following key skills/tasks/knowledge to an acceptable industry standard:

–  Review the Privacy Act 1988 and how it relates to the handling of Personally Identifiable Information (PII)

–  Identifying relevant International legislation when operating a company within Australia that conducts international business

–  Reviewing Industry standards such as ISO 27001

–  Reviewing the use of Cloud storage and its benefits and risks

–  Understanding the risks of sending sensitive information over insecure mediums

–  Understanding what software can be used to perform secure data storage and retrieval

–  Deletion of secure data

Section 2 – Assessment Criteria:

To achieve a satisfactory result, your assessor will be looking for your ability to demonstrate the following key skills/tasks/knowledge to an acceptable industry standard:

–   Classify and label sensitive data according to Anytown Marketing policies

–   Encrypt device hard drives

–   Implement access controls to sensitive information

–   Confirm data integrity by comparing hash values before and after transfer

–   Back up sensitive data on-site and off-site

–   Complete a Privacy Impact Statement

–   Complete a Data Protection Compliance Checklist for GDPR

Number of Attempts:

You will receive up to two (2) attempts at this assessment task. Should your 1st attempt be unsatisfactory (U), your teacher will provide feedback and discuss the relevant sections / questions with you and will arrange a due date for the submission of your 2nd attempt. If your 2nd submission is unsatisfactory (U), or you fail to submit a 2nd attempt, you will receive an overall unsatisfactory result for this assessment task. Only one re-assessment attempt may be granted for each assessment task.

For more information, refer to the Student Rules.

Submission details: Insert your details on page 1 and sign the Student Declaration. Include this form with your submission.

Due Date: Week 8

Submission Details: You are required to complete the tasks in this document in the space provided under each and save the document as BSBXCS303_AT1_<Your Name>

You are also required to complete the following documents and submit them with your completed Portfolio.

ICT30120_BSBXCS303_LHO_PrivacyImpactStatement_Template

ICT30120_BSBXCS303_LHO_DataProtectionChecklist

Once completed, upload the document to the Assessment Task 1 within the BSBXCS303 Unit on Connect. TAFE Queensland Learning Management System: Connect URL: https://connect.tafeqld.edu.au/d2l/login

·                Username: 9-digit student number

·                Password: to reset your password, go to https://passwordreset.tafeqld.edu.au/default.aspx

Instructions to Assessor

Specifications of assessment: There are 8 parts, including 1 template and 1 checklist as listed below, that must all be completed correctly to achieve a satisfactory result for this assessment.

 

Equipment or material requirements:

Documents:

–       ICT30120_BSBXCS303_LHO_AnytownMarketingPolicies

–       ICT30120_BSBXCS303_LHO_StaffInformation

–       ICT30120_BSBXCS303_LHO_PrivacyImpactAssessment_Template

–       ICT30120_BSBXCS303_LHO_DataProtectionChecklist

–       ICT30120_BSBXCS303_LHO_StoredFileDescription

 

–       Access to a computer with:

o   Internet access

o   Web browser

o   Microsoft Office

o   Virtual Machine Software

o   Windows 10 Virtual Machines

o   HashCalc Software

 

Details of location: TAFE will provide a simulated work environment in the classroom; however, it is possible to complete these tasks at home using a computer with internet access and the correct software.

Time restrictions: This is a Portfolio assessment designed to take place over 12 weeks.

Level of assistance permitted: Teachers and/or Tutors should be available in class, and accessible by email for students working from home. Staff cannot directly provide students answers but can guide them to complete tasks individually.

Work Health and Safety: A work health and safety check of the assessment environment is to be conducted prior to the assessment and any hazards addressed appropriately.

Interactions with team members: This is an individual assessment and all assessment submissions should be completed individually, though some consultation is allowed between the cohort.

Contingencies if conditions cannot be met: Students will be able to resubmit their work a second time after feedback has been provided if they are not successful on the first attempt. Reasonable adjustments will also be made for students as and when appropriate, after consultation with the Accessibility and Counselling team. – You must see your teacher prior to assessment regarding this.

 

Note to Student: An overview of all Assessment Tasks relevant to this unit is located in the Unit Study Guide.

Section 1

Part 1

Review the following Privacy Policy Guidelines under the Privacy Act 1988 regarding Personally Identifiable Information (PII) and answer the questions below.

 

1a) Which section/s of the Privacy Act 1988 contains APP requirements for PII data protection?

Provide a short description (~50 words) and website address link in answer:

Des.

 

 

 

 

 

 

 

 

 
URL  

 

1b) What are the maximum penalties for not following the Notifiable Data Breach laws?

Des.

 

 

 

 

 

 

 

 

 

 

Part 2

The small business you work for wants to do business in Europe. Which European data protection standard would they need to adhere to?

Provide a short description (~50 words) and website address link in answer:

Des.

 

 

 

 

 

 

 

 

 
URL  

 

Part 3

According to ISO 27001 Annex 8.3.2, how should media that contains sensitive information be destroyed? Provide a short description (~50 words):

Des.

 

 

 

 

 

 

 

 

 

 

Part 4

Compare the following cloud providers, 1) Microsoft Azure, and 2) Amazon Web Services (AWS). Provide a short description (~50 words each) of how they both provide distributed storage solutions.

Azure:

 

 

 

 

 

 

 

 

 
AWS:

 

 

 

Part 5

What are 3 general benefits and risks of using cloud storage? Provide a short description for each (~50 words in total):

Benefit Name Description
1.  
2.  
3.  

 

Risk Name Description
1.  
2.  
3.  

 

Part 6

What are 3 risks of sending/receiving sensitive information by non-secured means such as email? Provide a short description for each (~50 words in total):

Risk Name Description
1.  
2.  
3.  

 

Part 7

Complete the table below. This requires you to find THREE (3) pieces of software that securely send and retrieve data to a variety of storage locations, and to list the secure protocol each one uses and a general description of its use. Provide a short description (~50 words) for each:

 

Name Description Protocol(s)
1.    
2.    
3.    

 

 

Section 2

Scenario: You are employed by Anytown Marketing as an IT consultant to assist in implementing their data security and privacy handling policies and procedures.

See “ICT30120_BSBXCS303_LHO_AnytownMarketingPolicies”. This implementation project is to be completed with the required documentation submitted to the authorising manager.

Note: you are required to set up a Virtual Machine for this section. We recommend using VirtualBox with the latest Windows 10 ISO.

All visual evidence (screenshots) must include your student details such as Student Name and Student Number (ID). To achieve this, you can use a screenshot tool (for Windows, WIN + SHIFT + S) and overlay text, or simply have a text file open as you take the screenshot.

For example:

Part 1

You are required to classify ALL (12) of the Anytown Marketing firm’s files into their data classification types and new storage locations. Use the “ICT30120_BSBXCS303_LHO_StoredFileDescription” documents for the file names, types, and description of data within.

Note, Label Colours do not need to be completed practically, meaning, students do not need to provide visual evidence (screenshots). Label Colours must be included in the table below.

 

Unofficial Files Location (Website/File Server/ Secure File Server) Label Colour (None/Yellow/Red)
1.    
2.    
Official Files Location (Website/File Server/ Secure File Server) Label Colour (None/Yellow/Red)
1.    
2.    
3.    
4.    
5.    
Official: Sensitive Files Location (Website/File Server/ Secure File Server) Label Colour (None/Yellow/Red)
1.    
2.    
3.    
4.    
5.    

 

Part 2

You are required to provide a short explanation (~50 words) on how encryption protects sensitive data.

You must then also demonstrate encrypting data and provide screenshots as evidence. You can do this using one of two methods:

  • add a Virtual Hard Drive to your Virtual Machine and encrypt it using BitLocker or,
  • encrypt a single folder with files using a third-party encryption tool such as 7-Zip.

WARNING! Do not encrypt your personal computer’s Hard Drive, you must use a Virtual Machine.

Explanation

 

 

 

 

 

 

 

 
Screenshot(s)

 

 

 

Part 3

You are required to give a brief explanation (~50 words) for the best practices for sharing sensitive data within the workplace.

You then must demonstrate the following and provide screenshots as evidence of completion:

  • Set up a User Group within the Windows 10 Workstation via your Virtual Machine for the Marketing Department. If this feature is not built into your edition of Windows, see Local User and Group Management.
  • Label the folder according to the Anytown Marketing policies document and share the folder so only they have access to the folder and the sensitive data within.
  • Once the folder has been shared, encrypt the folder and all files within.
Explanation

 

 

 

 

 

 

 

 
Screenshot(s)

 

 

 

Part 4

You must perform a hash calculation on the “ICT30120_BSBXCS303_LHO_StaffInformation” document using a hashing algorithm, for example SHA512. Then transfer the file into the encrypted shared folder you created in Part 3 and run the hash calculation again to ensure data integrity after the transfer.

In your Windows 10 Virtual Machine, use one of the two following methods:

Be sure to include visual evidence of the file’s hash before the transfer and after the transfer is complete; multiple screenshots will be required.

Screenshot(s)

 

 

 

 

 

 

 

 

 

 

 

Part 5

You are required to explain an attack that would compromise the integrity of sensitive data.

You then must demonstrate setting up file change audits via your Windows 10 Virtual Machine. This is to keep track of changes made to the sensitive data file used in Part 4 to report if attacks have occurred. Provide screenshots as evidence of completion:

Explanation

 

 

 

 

 

 

 

 
Screenshot(s)

 

 

 

Part 6

You are required to explain how you can keep the data integrity intact and secure during transport and at the off-site location.

You then must demonstrate and provide screenshots for backing up the encrypted folder created in Part 3 according to organisational procedures “ICT30120_BSBXCS303_LHO_AnytownMarketingPolicies”. This is required to be backed up to removable storage for transport and storage off-site.

In your Windows 10 Virtual Machine, add a Virtual Hard Drive, then use one of the two following methods to back up data:

  • Backup and Restore (Windows 7) or,
  • a third-party tool such as FreeFileSync.
Explanation

 

 

 

 

 

 

 

 
Screenshot(s)

 

 

 

Part 7

You are required to complete a Privacy Impact Assessment “ICT30120_BSBXCS303_LHO_PrivacyImpactAssessment_Template”. See the PIA template to be completed and submitted with this document.

 

Part 8

You are required to complete the Data Protection & Compliance Checklist to ensure GDPR compliance “ICT30120_BSBXCS303_LHO_DataProtectionChecklist”. The checklist is to be submitted with this document.