Introduction
This assignment will involve students undertaking research into an information security topic and reporting the outcomes in a briefing paper and annotated bibliography. Students will also need to provide a brief ‘presentation’ to the tutorial group on the more interesting aspects of their topic using a Canvas discussion forum. A range of topics are listed below – you will be randomly allocated to one of the topics using your student id number. The focus of the topics for 2021 will be recent media reporting of information security issues, incidents, and breaches.
This is an individual assignment.
Requirements
The assignment is worth 30% of the marks for Information Security. The briefing paper component will be worth 20% and the presentation and associated discussion will be worth 10%.
The deadline for briefing paper submissions is Sunday at the end of week 6 (21 March 2021).
Canvas based discussion forums (one for each tutorial) will be established around the due date for the briefing paper and will then be closed for further activity by the Sunday of week 9 (11 April 2021).
A range of information security issues, incidents, and breaches are regularly reported in the media. Links to some of these reports have been provided for this assignment and are listed below in connection with 10 different topics. You will be randomly allocated to one of these topics based on your student id number. If you make a submission on a different topic to the one allocated, your mark will be reduced by 50%.
You will need to write a briefing paper to a hypothetical manager on the topic to which you have been allocated. The media reports are a catalyst for the briefing you are providing and a range of issues that should be addressed in the briefing paper are noted below.
In marking the report, attention will be given to your understanding of information security concepts and how well you have met the requirements detailed in this document. Style and technique of your writing will also be considered. Writing this as a briefing to a relevant manager (as distinct from a general report) will also be part of the assessment.
Issues to be addressed
You should use the linked article as a starting point for your briefing of managers in a relevant organisation. You can assume that senior management in your organisation saw the article and wants to know more about the issues raised. This means that you will need to find other literature dealing with the issues connected with the topic and article. The nature of this literature is described below in the section on the ‘Report’.
The different incidents may have different aspects at play and perhaps not all of the questions raised in this section are relevant to every incident – so use judgement as to what should be reported on given the particular circumstances. Note that this should not be an excuse for leaving out major elements of your report.
You should assume you are within an organisation where the issues raised by the topic are relevant.
Different organisational circumstances may well have differing realisations of the risks, so where this is relevant, note the assumptions you are making. For example, security organisations like Department of Defence versus operational government agencies (ATO, Services Australia etc) versus commercial organisations. If the choice is not obvious, you should assume you are in a mid-size government agency that processes sensitive personal information, but only has minimal levels of highly classified sensitive information.
Report on major issues with the incident and other incidents like this one. What were the major control weaknesses? Are these common? To what extent did human or technical issues (or both) play a role?
What should be done to reduce the risks of such incidents – reduction of risk will usually involve a consideration of both the likelihood and impact side of things.
Also consider issues around prevention, detection and overall resilience.
Consider the overall cost of controls. Are these mitigation measures likely to be cost effective? What sort of residual risks would be reasonable to retain given the cost picture?
Report
Managers and executives frequently rely on their support staff to research particular subjects and present concise summaries of the relevant issues in the form of briefing papers. With this assignment, you should prepare a briefing paper as if you were a middle level manager in an organisation advising an executive level manager about the topic of concern. You should do this by providing a good overview of the key issues associated with the topic (as noted above) along with pointers to additional reading that could be helpful if the reader wanted to explore the issues further. To help the senior manager, this additional reading should be sign-posted with comments on why an article is relevant to some part of the issues covered by the briefing paper, and why this article is a good choice to consider that aspect of the topic.
It is important that you keep your briefing paper concise and to the point as you should assume that your executive manager will not have time to read a lengthy document. While three pages may be seen as a long document in the business context, the briefing paper produced here can be a little longer than this, but penalties will be imposed on submissions that are too long. The upper limit in this case is 1500 words for the main body of the paper. The bibliography and its annotations are not considered to be part of the 1500 word limit.
Given that this report is sufficiently brief, it is not necessary to include an executive summary or table of contents, but it is reasonable to include headings throughout the report. You should provide a brief introduction that outlines the nature of the report.
The pointers to additional reading on the topic should take the form of an annotated bibliography. This means that you should write a paragraph on selected entries in the bibliography focussing on the relevance of the reference to the topic and the quality of the information in the reference (why it is relevant and why this article is a good choice to read). It is expected that there will be a minimum of six entries with annotations in the bibliography. At least two of these annotated entries need to be peer reviewed academic articles. As the currency of source material is relevant to managers, it is also important that at least two of these annotated references are dated from 2019 or later. You should avoid the temptation of using material directly from any article abstract as the main basis for your annotations in the bibliography, as typically this won’t address the key issues of relevance and quality and is likely to cause referencing problems.
The bibliography and the annotations will form an important part of the marking of this assignment, with 40% of the marks allocated for this component. If you don’t include appropriate annotations, your maximum mark will be 14/20. You will also lose marks if you do not have at least two academic articles and two recent articles (2019 or later) annotated in your bibliography.
Requirements
In order to maximise the ease of marking, the submission should:
- use an 11pt font as a minimum;
- have line spacing of at least 1.5 lines; and
- have margins of at least 25mm.
Topic
Third party software and embedded code
Recent reports about the SolarWinds hack highlight a risk from using third party software (purchased or leased software, cloud based SaaS etc). This situation has impacted many large organisations with strong security practices.
https://www.canberratimes.com.au/story/7062715/solarwinds-hack-sets-experts-scrambling/?cs=14232
https://www.abc.net.au/news/science/2020-12-23/hack-russia-nsw-health-rio-tinto-serco-solarwinds-cybersecurity/13009348