COM3065: Critically Evaluate a Data Governance Implementation Plan Created for a Specified Business: Advanced Security Techniques Assignment, TU, Singapore

University: Teesside University (TU)
Subject: COM3065: Advanced Security Techniques

Personal & Transferable Skills
1. Critically evaluate a data governance implementation plan created for a specified business need and reflect on any potential changes and improvements (PT2)
2. Communicate effectively and professionally in order to present arguments clearly (PT3)
3. Demonstrate a comprehensive and detailed knowledge of the goals and principles of Data Governance and what it means to work ethically and professionally in accordance with these goals and principles. (PT6)


Research, Knowledge & Cognitive Skills
4. Demonstrate an understanding of the legal frameworks and international standards underpinning information governance. (RKC1)
5. Design an appropriately researched data governance implementation plan appropriate for a specified business need that includes business continuity and disaster recovery planning. (RKC4)
6. Be able to advise on, and evaluate, the ethical and social issues arising from security measures used by the business. (RKC6)
7. Demonstrate a complex understanding of the breadth and depth of the physical and environmental security issues for a given scenario and demonstrate a critical awareness of current problems and issues informed by research findings and professional practice. (RKC2)

Professional Skills

8. Provide professional advice and guidance on legal and regulatory compliance. (PS3)
9. Plan, analyse and evaluate a risk management framework and recommend appropriate operations security measures. (PS1)

Case Study

Fresh Air is a national independent air conditioning system manufacturer and installer. They have over forty years of experience in manufacturing, sales and installation for trade customers around the world. They manufacture and supply for large-scale projects, such as new University campus buildings.

Fresh Air pride themselves on being an environmentally friendly company, sourcing their power from ethical green suppliers, and incorporating sustainable solutions where possible in their new installations. They send an experienced engineer to work with architects during the planning and design phases of a new build and ensure regular visits to a developing building before they start their own installation. This ensures they are aware of any changes potentially affecting their product. Materials they use are ethically sourced and recyclable where possible but this does increase the cost of products by around 20% when compared to competitors.

They undertake regular careful market analysis, identifying exciting future trends and making sure they keep abreast of competitor developments. Being the first to provide market-leading service and products helps to offset the additional costs relating to ethical and environmental choices. It’s one of the unique selling points for the company and attracts businesses who are keen to have the latest technology installed in their new build. Ultimately, their installations can save companies around 30% in their heating and cooling bills over a long-term period (5 years or more).

Fresh Air employs over 100 staff in a variety of roles, including management, market research, sales, design, manufacturing, testing, installation, IT services and customer aftercare. They would like to undertake a full review of IT services from a security and compliance perspective and introduce a unified desktop solution for all staff, with a supporting helpdesk. The helpdesk will offer walk-in, telephone, email and chat support.

Finances

Fresh Air asks trade customers to pay a 20% deposit when an order is placed. Once manufacturing of bespoke parts is due to begin (usually within one month) the customer is billed a further 30%. This covers the cost of administration and early manufacturing. The final invoice is sent electronically to customers within 24 hours of installation and testing, with a request to pay the full balance within one week. This is tracked via a sales-based system which currently has no login requirement and is installed on just two computers in the main office.

AST ICA1

From the module guide “Component 1 (30%): A critical review of the current status of security techniques assessing learning outcomes 1,2,3,8. Criteria:

Understanding of current security threats.

Appreciation of appropriate countermeasures.

Consideration of legal, ethical and professional issues.

  • LO1 Demonstrate a comprehensive and detailed understanding of information and network security principles.
  • LO2 Demonstrate an understanding of the tools and skills employed by the network attackers.
  • LO3 Confidently describe appropriate methods of protecting networks and systems that are legal, ethical and professional.
  • LO8 Communicate findings from investigative tasks clearly, fluently and effectively in a professional manner.”

Task/scenario
Consider a typical UK-based company with a conventional IT infrastructure involving

  • several physical sites;
  • VPN links between the sites;
  • (logical) DMZ for email and (public-facing) web servers; and
  • internal file and database servers.

Some of the servers are cloud-based. The company also makes heavy use of social media (Twitter, LinkedIn, and Facebook) to engage with (potential) customers. You are to research and report on:

  • typical means of reconnaissance or information gathering and attack (i.e., attack vectors) by actors involved in industrial espionage/spying (both from the UK and overseas);
  • a comprehensive attack surface of the scenario;
  • the legal, social, ethical and professional issues associated with one potentially active measure you prefer to mitigate the security concerns in the given scenario.

AST ICA2

From the module guide
“Component 2 (70%): The design, implementation and evaluation of appropriate security measures and investigation of a given scenario. Assesses learning outcomes 4,5,6,7,8,9. Criteria:
1. Demonstration of understanding of the scenario.
2. Identification of security vulnerabilities.
3. Selection and justification for their choice of security measures used in the investigation.
4. Evaluation of the appropriateness of chosen security measures used in the investigation.
5. Critical reflection of self-performance and the development of skills for employment as a computer security professional.

  • LO4 Synthesise and evaluate appropriate data for a given scenario to make informed computer security judgements.
  • LO5 Select and justify appropriate security measures informed by appropriate research to satisfy the stated objectives.
  • LO6 Operate ethically and legally when conducting simulated investigations for a given scenario.
  • LO7 Act autonomously with limited supervision when investigating simulated computer security scenarios.
  • LO8 Communicate findings from investigative tasks clearly, fluently and effectively in a professional manner.
  • LO9 Reflect on the knowledge and skills gained during the module and articulate their effect on future employability as a computer security professional.”

Scenario
ECHRS Ltd is based in Bradford and provides a telephone and web-portal outsourcing service for human resources records and payroll for a range of companies across diverse sectors. A specialist division of ECHRS based in Leicester handles occupational health services via a pool of doctors and nurses on casual zero-hours contracts. Their contact with external clients is normally via the ECHRS staff at Bradford.
The Bradford site has the following IT infrastructure:

  • desktop PCs, mostly Windows 10;
  • a large, customised web server running IIS on Windows Server 2012 R2 with Remote Desktop Services;
  • VoIP telephony server / Fax.

Backups are via tape and stored in a fireproof safe at Bradford.
ECHRS’s web and email are provided via GoDaddy and cPanel configuration.
Occupational health services division staff based at Leicester use remote desktops (served via the Bradford remote desktop services). The workstations themselves are a mixture of very old Windows XP devices all the way up to powerful Windows 10 machines.

All staff have access to email via the GoDaddy service; many are known to access it via personal devices (mobile phones and tablets). Occupational health services doctors and nurses sometimes visit employees of external clients at their home address or workplace. They are known to make notes on their own devices prior to writing reports via the remote desktop services. Some access the remote desktop services from their home PCs.

ECHRS believe that they have suffered an intrusion. This is because a large amount of data has been found by a third party on a web forum accessed via I2P (Invisible Internet Project). The third party has reported this to ECHRS via anonymous email. The data is reported as containing a substantial amount of personal and payroll data for many (but not all) external client companies, which is not compliant with the GDPR.

There are also a small number of detailed occupational health reports on external client employees. You have been brought in as an external security specialist.

Task
1. Explain the consequences of the event, including non-compliance with the GDPR.
2. Explain how you would investigate this intrusion.
3. Make recommendations for immediate actions to limit the compromise. You should make reasonable assumptions about the possible means of intrusion.
4. Identify the other potential means of information leakage (based on the scenario) if there was no intrusion.
5. Make recommendations for future security at ECHRS.
6. Describe, with rationale, the relevance of this ICA to you and your future employment and how you believe it could be improved.

For the first three tasks, be precise about tools and methods. Justify all your suggestions, recommendations and decisions.
