Learning outcomes of the CO4512 Information Security Management assignment assessed by this exam:
- Select and use applicable standards and methods for information security and risk management.
- Compare and critically evaluate alternatives for information security management and risk assessment.
- Critically discuss the benefits and pitfalls of compliance with respect to security.
Section A – Answer ALL Questions
The first step towards the implementation of an ISMS (Information Security Management System) in an organisation is to define its boundaries, i.e., to define the ISMS scope.
A) Explain the main differences between the in-scope and out-of-scope areas. Use examples related to the XYZVISA scenario in Appendix A in your explanation.
B) Explain the advantages and drawbacks of a narrow ISMS scope, based on the scenario in Appendix A.
C) Provide and justify six (6) in-scope and four (4) out-of-scope elements from the scenario in Appendix A.
Section B – Answer any TWO Questions
One of the most important steps during asset-oriented risk assessment is identifying the assets in an organisation. List and justify five (5) primary and ten (10) secondary assets from the scenario in Appendix A.
Security risk assessment methods can be asset-oriented, threat-oriented or vulnerability-oriented.
A) Apply the asset-oriented risk assessment approach to the XYZVISA scenario described in Appendix A. Identify two (2) threats, two (2) vulnerabilities and two (2) risks derived from your chosen methodology.
B) For each risk identified in A) above, estimate its likelihood and impact using a scale of Low, Medium and High. Justify each estimation.
C) Draw a 3×3 risk matrix to illustrate the severity of each risk.
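Parts A to C above form one procedure: build an asset-oriented risk register, rate each risk's likelihood and impact on a Low/Medium/High scale, and place the risks on a 3×3 matrix. The Python script below is an added example for this question; it is not part of the exam paper and not code from XYZVISA. The `Risk` fields, the three sample register entries (constructed from the scenario's components, not findings about any real system) and the severity rule (levels scored 1..3, product bucketed as Low ≤ 2, Medium 3..4, High ≥ 6) are all assumptions made for illustration; ISO 27005 does not mandate any particular scoring.

```python
"""Asset-oriented risk register and 3x3 risk matrix for the XYZVISA scenario.

Added example for this exam question; not part of the exam paper or of any
XYZVISA system. The three risk entries are constructed illustrations built
from the scenario's components, and the severity rule (Low/Medium/High scored
1..3, product bucketed as Low <= 2, Medium 3..4, High >= 6) is an assumption
chosen for this example, not a rule mandated by ISO 27005.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
SCORE = {level: n for n, level in enumerate(LEVELS, start=1)}  # Low=1 .. High=3


@dataclass(frozen=True)
class Risk:
    """One row of an asset-oriented risk register (assumed column set)."""
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def severity(likelihood: str, impact: str) -> str:
    """Qualitative severity from likelihood x impact using the assumed bucketing."""
    for value in (likelihood, impact):
        if value not in SCORE:
            raise ValueError(f"level must be one of {LEVELS}, got {value!r}")
    product = SCORE[likelihood] * SCORE[impact]  # one of 1, 2, 3, 4, 6, 9
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def rank(risks: list[Risk]) -> list[Risk]:
    """Order risks by descending likelihood x impact score, i.e. treatment priority."""
    return sorted(risks, key=lambda r: SCORE[r.likelihood] * SCORE[r.impact],
                  reverse=True)


def matrix(risks: list[Risk]) -> dict[tuple[str, str], list[str]]:
    """Place each risk id in its (likelihood, impact) cell of the 3x3 grid."""
    cells: dict[tuple[str, str], list[str]] = {
        (lk, im): [] for lk in LEVELS for im in LEVELS}
    for r in risks:
        severity(r.likelihood, r.impact)  # rejects levels outside the scale
        cells[(r.likelihood, r.impact)].append(r.rid)
    return cells


def render(risks: list[Risk]) -> str:
    """Draw the matrix as text: rows are likelihood (High on top), columns are impact."""
    cells = matrix(risks)
    width = 14
    lines = ["Likelihood \\ Impact".ljust(20)
             + "".join(im.center(width) for im in LEVELS)]
    for lk in reversed(LEVELS):
        row = lk.ljust(20)
        for im in LEVELS:
            ids = ",".join(cells[(lk, im)]) or "-"
            row += f"{ids} [{severity(lk, im)[0]}]".center(width)  # [L]/[M]/[H]
        lines.append(row)
    return "\n".join(lines)


# Constructed sample register (illustrative assumptions, not findings).
SAMPLE_RISKS = [
    Risk("R1", "Staff PCs", "Malware infection via e-mail attachment",
         "Windows XP SP2 is unsupported and receives no security patches",
         likelihood="High", impact="High"),
    Risk("R2", "Applicant database", "Unauthorised access to applicant data",
         "Outdated phpMyAdmin 3.5.x administration interface",
         likelihood="Medium", impact="High"),
    Risk("R3", "Mail server", "Loss of stored e-mail through hardware failure",
         "No stated redundancy or backup for the Apache James Server 2.3.2 mail store",
         likelihood="Low", impact="Medium"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.rid}: {severity(r.likelihood, r.impact):6}  {r.asset} / {r.threat}")
    print()
    print(render(SAMPLE_RISKS))
```

Running the script prints the register ordered by severity and then the grid with each risk id in its cell; in a real assessment the register would also carry owner, treatment option and residual-risk columns, which are omitted here.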
A) Discuss the five (5) generic phases of risk assessment defined by the ISO 27005 standard.
B) Consider the XYZVISA scenario in Appendix A. Describe two (2) example activities performed in each of the five (5) generic phases of risk assessment. Your examples have to be related to the XYZVISA scenario.
Appendix A – The XYZVISA scenario (note: the network and system parameters are fictitious).
XYZVISA is a visa application office responsible for managing visa applications and issuance; its current IT infrastructure is depicted in Figure 1.
The IT infrastructure comprises:
- Staff PCs running Windows XP SP2. Staff use their PCs to check application documents and log in to their staff accounts to create the decision documents.
- An authentication server running the Kerberos 5 authentication protocol, which authenticates staff and applicants who want to log in to their accounts.
- A machine running a SQL server administered through phpMyAdmin 3.5.x, which stores all applicants' personal information and application documents;
- A machine running Microsoft SQL Server 2000 SP4, which stores all decision documents and visas ready to be issued;
- A machine running the Apache James Server 2.3.2 mail server, which stores all emails and attached files;
- A machine running an IIS web server 1 hosting the XYZVISA website, on which people can browse application information, apply online and check their application status/decision;
- For enhanced security, a D-Link DIR-878 firewall with firmware 1.12A1 is installed to monitor and filter traffic/activity.
After several attack incidents, the VISA office realised that a risk assessment is required and that its IT infrastructure must be improved with security controls.