1. Explain the principles of information security and the measures to
   secure information.
2. Develop an information security policy to demonstrate security
   awareness.
3. Identify and describe security implications for modern networks
   Weighting:
   Instructions
   20% of the overall mark
   This is an individual project, in which the student will submit a report of
   3000 words +/- 10% excluding appendices. The report should include:
   • Security policies, standards and procedures with recommendations.
   • Define the concepts of and principles of Information security and the
   methods used to secure assets with good practice and
   recommendations
   The Phase-1 report should be uploaded on Moodle via Turnitin by Sunday
   22 Nov 2020 at 11.55pm.
   Late submission will obtain maximum %60, any submissions later than 3
   days from the deadline will obtain 0.
   Learning outcomes assessment:
   1 2 3 4 5
   Step
   1
   2
   3
   4 X X X
   5
   6 X X X
   7
   8
   9 X X X
   Sum_LO’s 3 3 3
   Please read this assignment carefully and the instructions that accompany this document
   Scenario:
   A security policy is the cornerstone of any project for preserving business integrity. It aims at identifying
   the threats that could impact and cause damage and/or harm to a company and solutions to transform
   the organization to ensure that it is more secure. As a result of this scenario you will be required to
   arrive at a solution and complete a report which will include any relevant recommendations to improve
   security aspects within the organization itself. Bahrain PLC is a manufacturer of aerospace parts which is
   located in the kingdom of Bahrain and considers its line of business as highly competitive because there
   are several companies that compete with them for the same government contracts. The company
   recently received warnings from government agencies that foreign intelligence agencies were interested
   in some of the research that the company was and is still conducting.
   A government contract requires Bahrain PLC to conduct a formal process of risk assessment and
   management of its operations. This process includes identifying risks and potential threats to the
   company’s IT infrastructure in which the senior management have identified several areas of concern.
   These areas included the following:
   • Security procedures in relation to the location and building layout of Bahrain PLC’s plant
   • Security controls relating to the release of confidential information to competitors and foreign
   governments
   • Potential threats and risks from potential hackers attempting to break into Bahrain PLC’s
   internal network or public Web site
   • Risk management methods used with regards to
   o Bad organizational operational practices
   o Bad practices/mistakes by users
   Bahrain PLC’s office and manufacturing buildings are located on a small road between a public beach
   and a public park.
   • The first floor of the office building which houses the research department (has a patio area
   which is located next to the beach that Bahrain PLC employees use during their lunch hour and
   during coffee breaks).
   • Administrative offices are located on the second floor. Bahrain PLC manufactures its products in
   this two-story manufacturing building.
   • PLC’s datacenter which is located at the basement and contains the following:
   2 windows server 2003 SP1, 10 windows server 2008 SP1 and 20 server 2012 ,Red hat Enterprise
   Linux 7.7, Cisco Intrusion detection system, ASA firewall. Fiber channel SAN storage,
   • The organization is connected to the Internet with a single Internet provider, through a single
   firewall.
   You have been hired as security specialist to help organization conducting the risk assessment and build
   information security policy.
   • You notice that Employees use Wi-Fi to connect their mobile devices through a legacy Wireless
   access points. In addition, WEP (Wired Equivalent Privacy) is being used for encryption.
   • Many employees reported that they received email asking users to update their information on
   the company’s Web site, after you investing you found a legitimate-looking e-mail but the URLs in
   the e-mail actually point to a false Web site.
   • While taking a tour inside the company, you noticed that the employees in the finance
   department were throwing unused printed papers into the trash without damaging them.
   • During one of your periodic checks to see how well security policy is being observed by the
   employees, you discover an employee has attached his mobile phone to his workstation and enable
   tethering to access interment bypass company firewall.
   • After reviewing the company’s firewalls settings Noticed that there is Hundreds of thousands
   brute-force attempts generated from various IP addresses around the world.
   • An IT staff member told you that a former information security expert was fired for various
   technical reasons and was unhappy when leaving his position
   • Your organization IT system administrator backup data with on-site storage, the backup take
   place at planned intervals manually
   Task 1 (15 Marks)
   Introduction
   Provide professionally formatted Introduction that provides a general overview and objectives of the
   report. Include table of references (minimum 15 and should include books, journals, white papers and
   legitimate verifiable websites).
   Task 2 (5 Marks)
   Identify and categorize the assets to be protected, including their relative value, sensitivity or
   importance to the organization. (Servers, desktops, mobile, storage, network, security, web applications,
   database).
   Task 3 (5 Marks)
   Produce a physical design of customer premises indicating where all assets should be located and
   methods of securing all assets physically from internally and externally threats. Your design should be
   reasoned and justified.
   Task 4 (15 Marks)
   Risk Management
   Discuss different risk scenarios and carry out security risk assessment for the organization using
   appropriate methods. Identify and discuss ISO 2700X standards related to risk management and use its
   methodology to carry out assessment on relevant component. You are required to build risk assessment
   matrix (at least 15 risks)
   Task 5 (15 Marks)
   Produce fully qualitative and quantitative risk analysis for all Risk found at Task 4, including all elements,
   information assets, supporting assets
   Task 6 (15 Marks)
   Research and investigate the widely used Critical Security Controls to reduce risk at your organization.
   You should produce a minimum of 15 controls that vary in their effectiveness and relate to the CIA triad
   as following:

• Controls that mitigate known attacks.
• Controls that address a wide variety of attacks.
• Controls that identify and stop attackers early in the compromise cycle.
  Task 7 (15 Marks)
  Security policies and procedures
  Based on your risk assessment, produce a comprehensive security policy and procedures that are fit for
  purpose. This should be relevant to ISO 27001 standards and must cover the following areas:
  • Physical Security
  • Application
  • information
  • network
  • operations
  • Data security (encryption)
  • Access Control
  • End user Education
  • Disaster recovery
  Produce at least one security procedure for each policy component. You must use appropriate
  templates that are professionally for formatted.
  Task 8 (10 Marks)
  Top managements are planning to Build SOC (Security Operation Center) at PLC,
  Your manager asked you to do research about SOC and provide details report containing
• Explain what SOC are, how it works and how your organization can benefit from SOC.
• Discuss the components of SOC ,explain the tasks carried out by SOC team
• Discuss how you can improve your company security posture to best protect your organization
  after implementing SOC (Security Operation Center).
  Task 9 (5 Marks)
  Conclusion and Recommendations
  Conclude your findings in all tasks and provide recommendations for your organization executives
  regarding the future Information Security best practices
  PLEASE READ ADDITIONAL NOTES BELOW BEFORE SUBMISSION
  Caution:
  You should consider the following key points in your investigation: –
  • Topic should be discussed critically in detail.
  • A word count of 3000 words +/- 10% will be allowed for this report.
  • The introduction and table of contents will not be included in the word count
  • Appendices are required but will not count towards the word count.
  • A reference list should be included as the first appendix (include references in your main body of
  text).

Sample Solution

The post Introduction to Information Security appeared first on homework handlers.