Understand the challenges and evaluate the risks in managing the security of an information system
Critically analyse using a threat and risk assessment.
This will be based on a case study, in which you will demonstrate your ability to manage an information system and conduct threat and risk assessment.
CASE STUDY
'Dog World' is a very successful retailer of all things related to dogs - from canine health care products, dog toys & chews through to dog food & supplements to in-house vet advice and dog books/DVDs. They also have a community bulletin board where local businesses can advertise canine services (like dog walking or grooming) and local people can advertise puppies for sale or dogs that need re-homing. Each store has a local paper-based board.

The company operates a national chain of 100 out-of-town retail stores plus its own successful website called www.dogworld.com which operates a full e-commerce facility backed up by a multi-terabyte database. The website supports a national (and often international) dog-lovers community chat forum. The website also runs paid-for adverts from other companies in the dog sector.
Each local store has a manager and between 10 and 15 staff, each with varying degrees of access to the company IT systems. For example, a junior-level sales assistant can only log onto the EPOS (electronic point-of-sale) terminals to make sales (cash or card) and pull up prices and product details. They cannot delete or modify anything nor make refunds. Supervisor-level staff can do all this plus make refunds but nothing else. Only managers can modify product data or prices - perhaps because of a local temporary sales event.
All EPOS systems are linked to the central corporate data centre where the central IT team are responsible for uploading and maintaining all product and pricing data and for developing and maintaining the corporate website.

The chief executive of Dog World has become very concerned recently about two data theft incidents. Firstly, some confidential corporate data has found its way into the public domain (which could be abused by competitors and suppliers) and secondly, several thousand sets of customer records have been hacked - including personal and card payment details.

This latter attack has not been publicized but could obviously seriously damage the company image. The in-house IT staff lack the necessary technical knowledge and skills to get on top of this security problem - much to the annoyance of the chief executive.
So, to prevent this potentially disastrous situation from escalating, the chief executive has contracted you - an information security consultant - to advise him on how to secure the corporate data assets and to highlight and evaluate the different types of threat (internal or external) that the company faces and how to contain or eliminate those risks. You will thus produce a threat & risk assessment, supplemented by recommended solutions and actions.

Specifically, the chief executive has requested that your report covers the following areas:

(a) A brief summary of the 'data architecture' of the company - how/where data is captured, where it is transmitted to/from (and how), where it is stored and how/where it is backed-up and audited. A clearly annotated diagram would greatly help here. (Worth 10%)

(b) A detailed breakdown of all possible 'access points' into that data architecture - both internally by staff at different levels/roles/sites and externally by third parties (customers, competitors, suppliers and malicious attackers). What data can they see and what can they do? (Worth 20%)

(c) A detailed analysis of what risks each 'access point' presents - how could any person (internal or external) exploit that access point for malicious reasons? What damage could they do via that access point? (Worth 20%)

(d) A detailed set of solutions and actions for each identified risk - so as to minimize or ideally eliminate that risk, even if the access point cannot (or perhaps should not) be closed itself. Such solutions and actions could be technical, social, legal, managerial or procedural. (Worth 30%)

(e) A comparison of the company's present and recommended security plan as compared against industry standard IT security frameworks or benchmarks. How well does the company compare now against the best and how will it compare once all your solutions and actions are implemented? (Worth 20%)

See below for the marking scheme and further advice...

The above provides a basic outline of the company. It is expected that you will have to supplement this case study with your own intelligent assumptions and additional research. You must fully document and explain all such assumptions and fully reference any external sources you use via the Harvard referencing system.
Marking scheme

(a) A large, clearly annotated diagram is clearly needed here. It should include all hardware, data communications and servers. This is one aspect where research and intelligent extensions/assumptions come into play. Worth 10%

(b) An 'access point' is defined as any interaction opportunity between the corporate data (including customer personal & card data) and a human user - who could be a member of staff in a local store, a member of staff at central IT or corporate HQ, an external member of the public looking on the website, an attacker probing the website etc. For each you should list all legitimate access rights and all potential or illegitimate actions. A table may be best to display all this work. Worth 20%

(c) The risks could range from accidental data loss or damage to outright hostile and malicious attack - internally or externally. Using the ideas presented in the unit plus your own research, itemize each risk - real or potential - for each type of user and access point. Again, perhaps a tabular layout would help here. Worth 20%

(d) The recommended solutions and actions can come from ideas presented in the unit but for a high mark on this criterion you are strongly advised to conduct your own private research. Every risk should be aligned with a solution or action. Worth 30%

(e) This task firstly demands that you research what IT security frameworks and standards are out there in the real world and then compare the present case study - before and after implementing your recommendations - against these findings. For example, in the unit we discuss a set of guidelines for cloud-based data security. Your job is to find others. Worth 20%
