T-1.8.1_v3

Details of Assessment
Term and Year:
Time allowed:
Assessment No: 1 of 2
Assessment Weighting: 50%
Assessment Type: Case Study - Report
Due Date:
Room:

Details of Subject
Qualification: ICT40120 Certificate IV in Information Technology
Subject Name: Cyber Security

Details of Unit(s) of competency
Unit Code(s) and Names:
ICTICT424 Address Cyber Security Requirements
BSBXCS404 Contribute to cyber security risk management

Details of Student
Student Name: Vinicius Bulhoes da Silva
College: Aapoly
Student ID: 202470730

Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.
Student’s Signature: ____________________ Date: _____/_____/_________

Details of Assessor
Assessor’s Name:
Assessment Outcome
Assessment Result: ☐ Competent ☐ Not Yet Competent
Marks: /50
Feedback to Student
Progressive feedback to students, identifying gaps in competency and comments on positive improvements:
______________________________________________________________________________________

Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student.
☐ Student attended the feedback session.
☐ Student did not attend the feedback session.
Assessor’s Signature: ___________________ Date: _____/_____/________

Purpose of the Assessment
The purpose of this assessment is to assess the student in the following learning outcomes. Result: Competent (C) / Not Yet Competent (NYC)

Performance Criteria: ICTICT424 Address Cyber Security Requirements
1.1 Identify and document valuable assets to create register of valuable assets
1.2 Perform threat and risk assessment on valuable assets register to identify and document cyber security requirements
1.3 Review current cyber security controls against the cyber security requirements to identify cyber security gaps
2.1 Identify cyber security controls which address cyber security gaps
2.2 Determine specific cyber security controls to address cyber security gaps against the organisation’s risk appetite
2.3 Seek feedback from organisational representative and agree on cyber security controls to implement
2.4 Implement, test and document agreed cyber security controls to address cyber security gaps
2.5 Seek feedback from organisational representative to identify discrepancies between cyber security controls and cyber security requirements
3.1 Determine currency of valuable assets register to identify new valuable assets and changed threats and risks
3.2 Identify, determine, and agree on cyber security controls to address new cyber security gaps
3.3 Implement and document new and modified cyber security controls to address cyber security gaps

Performance Criteria: BSBXCS404 Contribute to cyber security risk management
1.1 Consult with stakeholders to determine scope of risk management appropriate to organisation and industry
1.2 Review relevant critical cyber risk management strategies appropriate to level of risk
1.3 Assist in developing suitable cyber security response options according to organisational policies and procedures
1.4 Present options for risk management strategies for approval within scope of own role
1.5 Document approved risk management strategies
2.1 Support communication of approved risk management strategies to required personnel
2.2 Contribute to monitoring cyber security risk according to selected risk management strategies
2.3 Assist in determining compliance with implemented cyber risk mitigation strategies
2.4 Address non-compliance within scope of own role and escalate where required according to organisational policies and procedures
2.5 Assist in establishing feedback processes that provide warning of potential new risks according to organisational requirements
3.1 Identify benchmarks to track effectiveness of risk management strategies
3.2 Support evaluation of effectiveness of implemented strategies
3.3 Update risk management strategies with new information as required

Assessment/evidence gathering conditions
Each assessment component is recorded as either Competent (C) or Not Yet Competent (NYC). A student can only achieve competence when all assessment components listed under the “Purpose of the assessment” section are recorded as competent. Your trainer will give you feedback after the completion of each assessment. A student who is assessed as NYC (Not Yet Competent) is eligible for re-assessment.

Resources required for this Assessment
· Computer with relevant software applications and access to internet
· Weekly eLearning notes relevant to the tasks/questions

Instructions for Students
Please read the following instructions carefully
· This assessment must be completed ☒ In class ☒ At home
· The assessment is to be completed according to the instructions given by your assessor.
· Feedback on each task will be provided to enable you to determine how your work could be improved. You will be provided with feedback on your work within two weeks of the assessment due date. All other feedback will be provided by the end of the term.
· Should you not answer the questions correctly, you will be given feedback on the results and your gaps in knowledge.
You will be given another opportunity to demonstrate your knowledge and skills to be deemed competent for this unit of competency.
· If you are not sure about any aspect of this assessment, please ask for clarification from your assessor.
· Please refer to the College re-assessment procedure for more information (Student handbook).

Assessment – Case Study – Report Writing

Case Study Report

Company Description and Network Description

Located in Sydney, Devon Accounting is a medium-sized accounting company that offers tools and technologies to prepare all types of tax returns, including individual, sole trader, partnership, trust and company returns. They also provide a broad range of small business accounting services, including bookkeeping, financial statement preparation, tax planning, and advice.

The company headquarters is located in Sydney in a three-storey building, each floor being approximately 2000 square metres. Business has grown and they have now planned to relocate to a new, bigger office. Their business team has grown to 100 staff. The offices have at least 15 wireless access points. Each office has its own local internet connection. All connections to the internet are protected by firewalls and network intrusion detection systems. All the workstations have virus-scanning software, and a central console is used to push out signature updates. Workstations and servers are generally kept up to date with patches and service packs. The networking staff have employed all the standard security practices one would expect to find at most organisations of this size.

Although network security is well established in this company, there are still several cyber security vulnerabilities that the company faces on a regular basis, mostly from human-machine interactions. For example, a salesperson who frequently holds meetings in a conference room near his office was frustrated by the lack of available network connections for meeting participants.
He decided to pick up an inexpensive wireless access point at his local electronics store and plugged it in. The salesman did not consider that the conference room was next to the parking lot, making the access point available to the public.

Another problem they face is the amount of time it takes for the network administrator to locate infected computers whenever a virus strikes throughout the enterprise. It is always a challenge to quickly identify, locate and disable the switch ports of infected machines. It can take up to 45 minutes per workstation, for a potential total of 75 hours, to locate and identify the infected users. This process usually includes logging into and querying routers and switches, and physically going to the switch to identify the port and trace the wire to the workstation. This process would be even more difficult if the workstation happened to be in a remote location, should the company expand in future. This process is unproductive, costly and time consuming. Additionally, it assumes some knowledge of the network architecture. A new network administrator who did not possess knowledge of the network topology would have a much more difficult time locating the infected workstations.

Another serious issue the company must address is cyber security, in order to protect its information and digital assets from compromise, theft or loss, since Devon Accounting stores commercial assets and personal information on smart phones, computers, hard drives and online. The attack can come from a determined attacker outside, or an insider threat within the business. Devon Accounting could be the victim of hacking because of its online presence.

Devon Accounting has been increasingly using cloud computing for various business processes. Xero is accounting software hosted in the cloud that provides integration between the small business’s accounting software and its accounting advisors. Xero has recently become a popular choice of tool at Devon Accounting.
Office 365 is another tool used by some of the employees at Devon Accounting.

One new management headache created by cloud computing is the fragmentation of where files are stored. There is no consistency in the storage of these files, which are stored on Dropbox, Google Drive, and OneDrive. It is easy to forget where the data is. Backing up all this data from different locations, or moving from one provider to another, is complex and difficult.

The use of mobile devices has increased exponentially, and employees at Devon Accounting have taken up these devices enthusiastically because of their convenience in the workplace. Employees felt they would get more tasks done on time if allowed to choose their own mobile tools, and even their sceptical bosses felt that the use of these consumer mobile devices in the workplace increases employee productivity. This concept of 'Bring Your Own Device' (BYOD), where employees use their personal devices to store business data, opens up new concerns and issues for Devon Accounting. In addition to worries about where exactly the business’s data might be ‘in the cloud’, BYOD means that any small, and easily lost, device can contain vast amounts of relevant business information. Spreadsheets with pricing models, client lists, usernames and access details can easily be stored on a mobile device. Worryingly, the use of personal mobile devices and cloud computing services is not even mentioned in the current IT policy. Mobile devices can be gateways for new viruses, Trojan horses, and other cyber security problems, and currently Devon Accounting is not well equipped to address such problems.

Cyber security planning is important for every organisation. Recently, you have been hired by your company to work as a Cyber Security consultant. Security controls at Devon Accounting were implemented 5 years ago. New systems, services and IT equipment have been added to the network since then.
If any small or large disaster occurs, the company is not prepared to recover after the disaster, the result of which is a high possibility that its business processes and functions would be disrupted for a long period of time. This would also result in different kinds of losses to the company.

Your company requires you to research online the threats present when doing business online, review each of the threats present and contribute to the cyber security risk management at your company. As part of an IT team, rather than concentrating attention and energy on doors, locks, and vaults, you must rely on a set of organisational policies, current technology trends and practices, and user education to protect the organisation from cyber security attacks that can compromise networks, steal data and other sensitive company information, and harm the entity’s reputation. When the volume and intensity of cyber attacks increase, so does the need for cyber security risk management. You will be required to recognise the organisation’s threats and weaknesses, as well as implementing administrative controls and systematic solutions to make sure that your organisation is adequately secured.

Devon Accounting performs its different functions and business processes with the help of different IT equipment and computer systems. You are told that it mainly wants to develop and implement a Cyber Security plan for its IT system. There is different IT equipment in the company networks such as servers, workstations, printers, and so on. There are also web applications which employees use in their daily operation.

Current Security Controls:
A SWOT analysis was used to identify the risks which led to the implementation of the current security controls, and that was developed 5 years ago; since then a lot has changed in the company. The security controls were implemented by the Network Administrator Bill Simmons, whose role was to manage the day-to-day operation of the network.
Maintenance and management of IT security was not Bill’s forte. The company at that time chose not to recruit specialised IT security personnel. The plan was never revisited since and did not include the various changes and updates made to the system processes and networking devices over the years. Furthermore, the current security controls implemented at Devon Accounting only account for Password, System Access and Anti-Virus, which also require looking into. It is very surprising that a business which deals with the financial information of clients does not have any security controls in place for critical security issues such as Wi-Fi access, software installation, software patches, social media, email, cloud computing services and storage, remote access, external devices etc.

With the increase in employee numbers and the relocation, company director Andrew Jacobs is concerned about the IT security of the system in place and the protection of customer data stored on the system and server. With this, and the recent reports on threats to the systems of companies worldwide, the Director, together with the company’s CEO, is more aware of the need to have IT security controls in place. To address all issues the company has appointed you as an IT Security consultant; your primary role is to understand the system and processes of the company.

For this case study, your Facilitator will act as the IT Manager who will provide you with the required information regarding the different IT equipment, operations and business processes of the company. You must consult your IT Manager (your facilitator) regarding the progress of each stage during the IT Security planning process.

The network diagram for the organisation is shown below. This diagram is essential for understanding how the network works and what changes are possible in it.
Your organisational policies and procedures recommend you follow a number of industry standards, legislation, practices and risk management strategies to manage cyber security risks, such as but not limited to the following:
1. Standard ISO 27035
2. National Institute of Standards and Technology (NIST)
3. European Union Agency for Network and Information Security (ENISA)
4. Information Security Forum (ISF)
5. Standards for Information Assurance for Small to Medium Enterprises Consortium (IASME)
6. National Cyber Security Centre - Australia (NCSC)

One of the main recommendations is to follow the ISO/IEC 27001 standard. The ISO 27001 standard specifies five main pillars for managing cyber security risk, as well as seven steps for conducting a risk assessment:
1. Risk identification / Identifying risks
2. Vulnerability reduction / Reduced vulnerability
3. Threat reduction / Lowering of the risk
4. Consequence mitigation / Consequence reduction
5. Enable cyber security outcome / Allow for a successful cyber security outcome

ISO 27001 allows the organisation to specify the risk acceptance requirements and the criteria for conducting information security risk assessments as follows (in Clause 6.1.2):
1. Identify risks associated with the loss of confidentiality, availability and integrity of information within the scope of the information security management system (ISMS) (6.1.2.c.1);
2. Identify the risk owners (6.1.2.c.2);
3. Assess the consequences that may result if an identified risk materialises (6.1.2.d.1);
4. Assess the likelihood of that risk occurring (6.1.2.d.2);
5. Determine the levels of risk (6.1.2.d.3);
6. Compare the results of the analysis against the risk criteria (6.1.2.e.1);
7. Prioritise the risks for treatment (6.1.2.e.2).
You will be required to consider introducing new cyber-defence technologies that go beyond IT protection and concentrate on detecting social engineering and phishing, supply chain management, IoT security, and preserving the network’s “root of trust”.

Memorandum from the Company’s Director (Appendix 1): Please see below the memorandum sent by email from the Company’s Director.

Memorandum – Devon Accounting Sydney Office
To: Staff
From: Director Andre Jacobs
Re: Cyber Security Issues and Requirements

Dear all

As you probably already know, the new Devon Accounting office is being relocated. With this change of location and thinking about the greater security of our current and prospective customers, the company’s steering committee decided to hire an IT cyber security consultant. This hiring aims at the best structure of our security systems so that we can protect the data of customers, employees and all our database. This decision was also made after realizing some issues which needed to be investigated in our system and procedures, such as:
1. Data loss during a recent malware attack on the company’s network, which affected the company economically
2. Some of the operating systems used by staff are old and difficult to get support for (Application and Operating System Patches)
3. Some of the staff are given remote access but no monitoring is done, and no controls are in place (Remote access controls)
4. Staff have been receiving too many spam and malicious emails (Email filter and web content)
5. Network services such as printing and scanning are down frequently due to server issues (Capacity and networking equipment)
6. Several laptops have gone missing from the office (Physical Security)
7. An occurrence of a blackout due to a storm resulted in the whole system going offline, resulting in a productivity loss which was severe for the company (UPS)
8. Staff have been using easy-to-remember passwords, and there have also been instances where a staff member had written the password on a sticky note and placed it on the computer screen. Staff are also not locking their workstations during their lunch break. Serious issues can arise when the staff involved are responsible for processing payments and invoices (Password policies and authentication).
9. The IT department is having difficulties dealing with issues relating to viruses, worms, and malware. Staff are using their personal USB devices in the company’s workstations and accessing external websites which may have contained malicious code (Firewall updates)
10. Some staff also access the company’s network and Intranet via wireless devices. Staff are not happy about the speed being too slow or taking too long for information to download (Wireless security and wireless access points)
11. Employees are using their personal wireless devices to store business data.
12. One new management headache created by cloud computing is the fragmentation of the files stored. There is no consistency in the storage of these files. Files are stored on Dropbox, Google Drive, or OneDrive. Backing up all this data from different locations has become complex and difficult.
13. Critical cyber risk management strategies and response not updated for more than 5 years

Besides these key points, the company’s management is concerned with possible data breaches caused by employees who normally access data from their mobile devices or remotely. For these and other reasons, it is critical that we review our current security policies, prepare a detailed security plan and investigate what actions and measures can be taken. We count on the collaboration of all during this process to assist the IT security consultant to conduct a security analysis and recommendation on the controls to be implemented.

Regards, AJ.
Bill Simmons’ responsibilities (Appendix 2):
Responsibilities included:
· installing and configuring computer networks and systems
· identifying and solving any problems that arise with computer networks and systems
· budgeting for equipment and assembly costs
· assembling new systems
· maintaining existing software and hardware and upgrading any that have become obsolete
· monitoring computer networks and systems to identify how performance can be improved
· working with IT support personnel
· providing network administration and support
· supporting recommended strategies for risk management that reduce cyber security risk
· helping develop effective cyber security response options in line with organisational policies and procedures
· implementing risk management strategies in risk response
· contributing to cyber security risk assessment in compliance with defined risk management techniques
· helping in the assessment of the cyber risk reduction strategies implemented
· addressing non-compliance in accordance with organisational policies, procedures and scope as required
· evaluating and updating the risk management techniques implemented

Current Cyber Security Controls (Appendix 3):
Below are the details of the security controls implemented by Bill Simmons at Devon Accounting 5 years ago.

| Security Control | Description / Issues | Security Control in Place | Update Required |
|---|---|---|---|
| Password | Passwords chosen by staff are weak and not secure, and do not use multi-factor authentication where possible. Passwords are not changed regularly and are shared among other users. | Yes | Yes |
| System Access | Access privileges are not properly implemented | Yes | Yes |
| Secure Wi-Fi & Devices | Employees are able to use company and public wireless networks on the company’s devices. | No | Yes |
| Legitimate Software | Staff are allowed to download and install software of their choice | No | Yes |
| Patches and Anti-Virus | Anti-Virus software is very old | Yes | Yes |
| ‘Clean’ devices | Staff are allowed to use personal USB or external hard drives on the company’s PCs. | No | Yes |
| Social Media | Staff are allowed to access social media sites such as Facebook, YouTube, Twitter, Instagram on the company’s network | No | Yes |
| Email | Staff have been receiving too many spam and junk emails, which is clogging up the network | No | Yes |
| Cloud Computing Services and Storage | The company uses the cloud-based accounting application Xero, and Office 365. Backup for cloud storage has become an issue. | No | Yes |
| Remote Access | Staff are given remote access but no monitoring is done, and no controls are in place | No | Yes |

T-1.8.1_v3 Cyber Security Requirements - Assessment I v.2, Last updated on 20/08/2023 Page 1

Current Asset Register (Appendix 4):

PCs and Laptops

| PC | Qty | Operating system (OS) | Central processing unit (CPU) | Memory | MS Office version | Anti-Virus | Other licensed software | Purchase date | Warranty Exp. | Life (years) | Replacement Yr. |
|---|---|---|---|---|---|---|---|---|---|---|---|
| HP 24-F0130A 23.8-inch All-in-One | 10 | Windows 7 | Core i3 8130U | 8GB | Office 2013 | AVG | OneDrive; Junos Pulse 5; Skype, Text pad, MYOB | Jun-18 | 3 years | 3 | 2021 |
| HP Pavilion 590-P0082A | 10 | Windows 10 | Core i7 8700 | 16GB | Office 365 | Avast | Microsoft Project, Cyberlink Director, VLC Player, Skype, Winzip, MYOB | Aug-18 | 3 years | 3 | 2021 |
| Lenovo IdeaCentre 510S-02 | 10 | Windows 10 | Core i5 | 8GB | Office 2013 | Norton | Microsoft Project, Cyberlink Director, Sticky Note, Skype, Winrar, MYOB | Jan-16 | 3 years | 3 | 2019 |
| Inspiron Small Desktop | 10 | Windows 7 Pro | Intel® Core™ i5 9400 | 8GB | Office 2013 | Norton | Microsoft Visio, Norton, Sticky Note, Skype, Winzip, MYOB | Jan-16 | 3 years | 3 | 2019 |
| Vostro Small Desktop | 15 | Windows 10 | Intel® Core™ i3-9100 | 8GB DDR4 | Office 365 | Avast | 7-Zip, Adobe Reader, Google Chrome, Media Player Classic, MYOB | Jan-16 | 3 years | 3 | 2019 |
| Lenovo IdeaCentre 510 | 15 | Windows 10 | Intel Core i5-8400 | 8GB | Office 365 | Avast | 7-Zip, Adobe Reader, Google Chrome, Media Player Classic, MYOB | June-19 | 2 years | 2 | 2021 |
| Lenovo ThinkPad E590 | 20 | Windows 10 Pro | Intel® Core™ i7 | 16GB | Office 365 | Avast | 7-Zip, Adobe Reader, Google Chrome, Media Player Classic, MYOB | June-19 | 2 years | 2 | 2021 |
| 27-inch iMac with Retina 5K display | 10 | macOS Catalina | 3.0GHz 6-core eighth-generation | 8GB | Google Docs | Scan Guard | Final Cut Pro X, Safari, iTunes, Photo Booth, Siri, iMovie | June-18 | 3 years | 3 | 2021 |

Infrastructure Devices

Server01
Device type: Server
Qty: 2
Owner/Location: On the rack in server room
Brand / Model: Dell PowerEdge T100 II
CPU: Intel(R) Xeon(R) CPU E5-2630 v3
Memory: 32 128GB DDR4 RAM (as recorded in the register)
IP Address: 192.168.1.10 - 192.168.1.11

Server02
Device type: Server
Qty: 2
Owner/Location: On the rack in server room
Brand / Model: HP ML350 Gen10
CPU: Intel Xeon-S 4110 8-Core (2.10GHz 11MB L3 Cache) Kit
Memory: 16GB
IP Address: 192.168.1.12 - 192.168.1.13

UPS
Model: APC SMC1000I SMART-UPS C 1000VA LCD 230V
Qty: 2
Output Power Capacity: 600 Watts / 1000 VA
Max Configurable Power: 600 Watts / 1000 VA
Battery Type: Maintenance-free sealed Lead-Acid battery with suspended electrolyte: leakproof
Typical recharge time: 3 hour(s)
Standard Warranty: 2 years

Switches

| Device type | Model | Qty | Switch Ports | Switching Capacity | MAC Address Table | Forwarding Rate |
|---|---|---|---|---|---|---|
| Switch | S3900-48T4S, Stackable Managed Switch with 4 10Gb SFP+ Uplinks | 2 | 48x 100/1000BASE-T, 4x 10GE SFP+ Ports | 176 Gbps | 16K | 130 Mpps |
| Switch | 8-Port Gigabit PoE+ Managed Switch | 5 | 8 RJ45 Ports & 2 SFP Ports, 2 SFP, 150W | 20 Gbps | 8K | 15 Mpps |
| Switch | 24-Port Gigabit PoE+ Managed Switch | 2 | 24 RJ45 Ports & 4 SFP Ports, 4 SFP, 400W | 56 Gbps | 8K | 42 Mpps |

Router
Model: AC1200 Wireless Dual Band Gigabit Router
Quantity: 1
Interface: 4 x 10/100/1000Mbps LAN Ports, 1 x 10/100/1000Mbps WAN Port, 2 x USB 2.0 Ports
Antenna Type: 2 dual band detachable antennas (RP-SMA)
Wireless Standard: IEEE 802.11ac/n/a 5GHz; IEEE 802.11n/g/b 2.4GHz
Wireless Speed: 5GHz: Up to 867Mbps; 2.4GHz: Up to 300Mbps
Wireless Security: 64/128-bit WEP, WPA / WPA2, WPA-PSK / WPA2-PSK encryption
Wireless Features: Enable/Disable Wireless Radio, WDS Bridge, WMM, Wireless Statistics
Firewall: DoS, SPI Firewall, IP Address Filter / MAC Address Filter / Domain Filter, IP and MAC Address Binding

Printers, Scanner, and Copier
Device Type: Multifunctional Printer
Model: Fuji Xerox DocuPrint CM405 df
Quantity: 5
Memory: 512MB/1024MB
Standard Connectivity: 10/100/1000Base-T Ethernet, USB 2.0, Optional external wireless
Operation (supported operating systems): Microsoft Windows XP (32/64 Bit), Server 2003 (32/64 Bit), Vista (32/64 Bit), Server 2008 (32/64 Bit), Server 2008 R2 (32/64 Bit), Windows 7 (32/64 Bit); Mac OS X 10.3.9, 10.4, 10.5, 10.6; Red Hat Enterprise Linux 5/6 (x86); SUSE Linux Enterprise Desktop 10/11 (x86)
Protocol: IPV4/IPV6, DHCP, BOOTP, RARP, AutoIP, TCP/IP (LPD, Port9100, WSD, HTTP, HTTPS, SMTP, WINS, FTP, Telnet, DNS, DDNS, IPP, SNTP, POP3, SMB, NetBEUI), SNMP, Bonjour® (mDNS)
Security Protocol: IPsec, LDAP, Kerberos, 802.1x (Wired); 64 (40-bit key) / 128 (104-bit key) WEP, WPA-PSK (TKIP, AES), WPA2-PSK (AES)
Wi-Fi Standard: IEEE802.11b/g/n

Backup Drive
Model: Synology DiskStation 5-Bay 3.5" Diskless 2xGbE NAS, Black, DS1019+
Qty: 5
Memory: 4 GB DDR3L Non-ECC SO-DIMM x 2
CPU: Intel Celeron J3455 quad-core 1.5GHz, burst up to 2.3GHz
Networking Protocol: SMB, AFP, NFS, FTP, WebDAV, CalDAV, iSCSI, Telnet, SSH, SNMP, VPN (PPTP, OpenVPN™, L2TP)
Security: Firewall, encrypted shared folder, SMB encryption, FTP over SSL/TLS, SFTP, rsync over SSH, login auto-block, Let's Encrypt support, HTTPS (customizable cipher suite)
External Ports: 2 x USB 3.0 port, 1 x eSATA port
Supported RAID Type: Synology Hybrid RAID (SHR), Basic, JBOD, RAID 0, RAID 1, RAID 5, RAID 6, RAID 10

Wireless Access Point
Model: AC1200 Wireless Dual Band Gigabit Ceiling Mount Access Point
Qty: 15
Interface: Gigabit Ethernet (RJ-45) Port x1 (supports IEEE802.3at PoE), Console Port x1
Antenna Type: Internal Omni; 2.4GHz: 2 x 5dBi; 5GHz: 2 x 6dBi
Wireless Standard: IEEE 802.11ac/n/g/b/a
Wireless Speed: 5GHz: Up to 867Mbps; 2.4GHz: Up to 300Mbps
Wireless Security: Captive Portal, Authentication Access Control, Wireless MAC Address Filtering, Wireless Isolation Between Clients, SSID to VLAN Mapping, Rogue AP Detection, 802.1X Support, 64/128/152-bit WEP / WPA / WPA2-Enterprise, WPA-PSK / WPA2-PSK
Wireless Features: Multiple SSIDs (Up to 16 SSIDs, 8 for each band), Enable/Disable Wireless Radio, Automatic Channel Assignment, Transmit Power Control (adjust transmit power in dBm), QoS (WMM), Airtime Fairness, Beamforming, Band Steering, Load Balance, Rate Limit, Reboot Schedule, Wireless Schedule, Wireless Statistics based on SSID/AP/Client

Smartphones
Model: Samsung Galaxy Note 9
Quantity: 25
Processor: CPU Speed 2.7GHz, 1.7GHz; CPU Type Octa-Core
Memory: Card slot microSD, up to 1 TB (uses shared SIM slot) - dual SIM model only; Internal 128GB 6GB RAM, 512GB 8GB RAM
OS: Android 8.1 (Oreo), upgradable to Android 9.0 (Pie); One UI
Connectivity: WLAN Wi-Fi 802.11 a/b/g/n/ac, dual-band, Wi-Fi Direct, hotspot

Microsoft Surface Tablet
Model: Surface Pro
Quantity: 15
Processor: Intel® Core™ 7th-generation m3, i5 or i7
Memory: 4GB, 8GB or 16GB RAM
Software: Windows 10 Pro (i5, i7); Windows 10 Home (m3); Office 30-day trial
Security: TPM chip for enterprise security; Enterprise-grade protection with Windows Hello face sign-in
Wireless: Wi-Fi: IEEE 802.11 a/b/g/n/ac compatible; Bluetooth Wireless 4.1 technology
Network: 4G LTE Cat 9 modem up to 450Mbps; GPS / GLONASS: Standalone and Assisted GNSS, accuracy up to 3 meters; Nano SIM Tray and Embedded SIM (eSIM); 4G

Firewall
Model: Cisco RV220W Network Security Firewall
Qty: 1
Standards: IEEE 802.11n, 802.11g, 802.11b, 802.3, 802.3u; 802.1X (security authentication); 802.1Q (VLAN); 802.11i (Wi-Fi Protected Access [WPA2] security); 802.11e (wireless quality of service [QoS])
Network Protocols: IPv4 (RFC 791), IPv6 (RFC 2460); Routing Information Protocol (RIP) v1 (RFC 1058), RIP v2 (RFC 1723); Dynamic Host Configuration Protocol (DHCP) server, DHCP relay agent; Static IP; Point-to-Point Protocol over Ethernet (PPPoE); Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP); Spanning Tree Protocol (STP); Dynamic DNS (DDNS) (DynDNS, TZO)
Firewall: Stateful packet inspection (SPI) firewall, firewall rules
Access Control: MAC-based access control, IP/MAC binding, wireless profiles
Certificates: X.509v3 certificates, certificate upload using PEM format
Encryption: Data Encryption Standard (DES), Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) encryption (128, 192, 256-bit)

Telephone System
Model: Yealink SIP-T41S
Qty: 100
Phone Features: 6 VoIP accounts; One-touch speed dial, redial; Call forward, call waiting; Call transfer, call hold; Call return, group listening; 3-way conference call; Dial Plan, XML Browser, Action URL/URI
Interface: USB port (2.0 compliant); Bluetooth earphone through BT40, Wi-Fi through WF40; 2 x RJ45 10/100M Ethernet ports; Power over Ethernet (IEEE 802.3af), Class 2; 1 x USB port (2.0 compliant); 1 x RJ9 (4P4C) handset port; 1 x RJ9 (4P4C) headset port; 1 x RJ12 (6P6C) EHS port
Network and security: SIP v1 (RFC2543), v2 (RFC3261); Call server redundancy supported; NAT traversal: STUN mode; Proxy mode and peer-to-peer SIP link mode; IP assignment: static/DHCP; HTTP/HTTPS web server; QoS: 802.1p/Q tagging (VLAN), Layer 3 ToS DSCP; SRTP for voice; Transport Layer Security (TLS); HTTPS certificate manager

Threat and Risk Assessment of current asset (Appendix 5):

Roles and participants
System Owner: Bill Simmons
Network Administrator: Bill Simmons
Director: Director Andre Jacobs

Techniques Used
Risk assessment questionnaire: The assessment team used a customized version of the self-assessment questionnaire in NIST SP-26 “Security Self-Assessment Guide for Information Technology Systems”. This questionnaire assisted the team in identifying risks.
Assessment Tools: The assessment team used several security testing tools to review system configurations and identify vulnerabilities in the application.
The tools included NMAP, NESSUS, APPSCAN Vulnerability sources The team accessed several vulnerability sources to help identify potential vulnerabilities. The sources consulted included: · SANS Top 20 (www.sans.org/top20) · OWASP Top 10 (www.owasp.org/documentation/topte n.html) · NIST I-CAT vulnerability database (HTTP://icat.nist.gov) · Microsoft Security Advisories (www.microsoft.com/security) Review of documentation The assessment team reviewed system documentation, network diagrams and operational manuals. Interviews Interviews were conducted to validate information. Site visit The team conducted a site visits and reviewed physical access and environmental controls In determining risks associated with the for Devon Accounting, the team utilized the following model for classifying risk: Risk = Threat Likelihood x Magnitude of Impact Impact Definition High The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples: · A severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions · Major damage to organizational assets · Major financial loss · Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. Medium The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. · Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced · Significant damage to organizational assets · Significant financial loss · Significant harm to individuals that does not involve loss of life or serious life-threatening injuries. 
Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples:
· Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
· Minor damage to organizational assets
· Minor financial loss
· Minor harm to individuals.

Industry standards, organisational procedures, and legislative requirements
· The Notifiable Data Breach (NDB) Scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/#:~:text=Under%20the%20Notifiable%20Data%20Breaches,whose%20personal%20information%20is%20involved
· Privacy Act 1988: https://www.oaic.gov.au/privacy/the-privacy-act/

Risk register
Columns: Asset or service; Business value; Threat; Existing controls; Still existing vulnerabilities/weaknesses; Description of impact; Impact; Likelihood; Risk rating; Action items; Reviewed.

Row 1
Asset or service: Server
Business value: High
Threat: Hacking
Existing controls: User authentication / locked door
Still existing vulnerabilities/weaknesses: Lack of strong password policy enforcement
Description of impact: Improper use of system resources
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Check the credential policies (getting credentials and enforcing password policy)
Reviewed: 01/03/2015

Row 2
Asset or service: Back up drive
Business value: Medium
Threat: Accidental data removal / deletion
Existing controls: Current backup solution
Still existing vulnerabilities/weaknesses: Backup/restore not tested
Description of impact: Data availability and integrity
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Run backup restore tests every x months
Reviewed: 01/06/2015

Row 3
Asset or service: Data
Business value: High
Threat: Software leaks information which is sensitive
Existing controls: Policy for software development, training, advice on choosing software
Still existing vulnerabilities/weaknesses: People make errors
Description of impact: If sensitive data leaked, could be bad for reputation and could be illegal
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Training, and consequences of illegal actions in policy
Reviewed: 01/09/2015

Row 4
Asset or service: Switch/Router, Printers, Scanner and Copier, Wireless Access Point, Microsoft Surface Tablet, Firewall, Smart Phones, Telephone Systems
Business value: Medium
Threat: Hardware/equipment failure or theft
Existing controls: Only locked doors
Still existing vulnerabilities/weaknesses: Locks easy to break
Description of impact: Failure or malfunction of hardware may cause denial of service to system users. Additionally, hardware configuration may be altered in an unauthorized manner, leading to inadequate configuration control or other situations that may impact the system.
Impact: High; Likelihood: High; Risk rating: High
Action items: Implement physical security and CCTV cameras, alarm systems
Reviewed: 01/03/2016

Row 5
Asset or service: Malicious Code
Business value: Medium
Threat: Malicious software such as viruses or worms may be introduced to the system
Existing controls: Anti-Virus
Still existing vulnerabilities/weaknesses: Virus definition list not updated
Description of impact: Damage to the data or software
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Update to latest Anti-Virus. Update virus definitions. Update Firewall. Security policy.
Reviewed: 01/16/2016

Row 6
Asset or service: Remote Access
Business value: Medium
Threat: Remote OS authentication is enabled but not monitored
Existing controls: None
Still existing vulnerabilities/weaknesses: Remote access is not currently monitored
Description of impact: Malicious use / computer crime / compromise of confidentiality and integrity of data
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Remote access monitoring software / disable access when not in use
Reviewed: 01/09/2016

Row 7 (asset not stated)
Threat: Login encryption setting is not properly configured
Existing controls: No login encryption
Still existing vulnerabilities/weaknesses: Unencrypted passwords could be compromised, resulting in compromise of confidentiality and integrity of sensitive data
Description of impact: Malicious use / computer crime / compromise of confidentiality and integrity of data
Impact: High; Likelihood: High; Risk rating: Medium
Action items: Encryption of passwords is required but has not been enforced. Physical security should be in place to limit the ability to sniff the network and exploit this vulnerability.
Reviewed: 01/09/2016

Project Overview
Your task is to prepare a comprehensive report for Devon Accounting, which must encompass the following cyber security planning and requirement measures:
· Analysis of cyber security requirements for the business
· Evaluating and implementing cyber security controls
· Improving and maintaining security
· Developing, managing and monitoring cybersecurity risk management strategies
Your supervisor will provide assistance and feedback throughout the various stages of this report.

Report Requirements:
· Microsoft Word
· Single spaced, 11 pt. Arial
· Cover sheet with all the information, signed
· Page number in the footer at the bottom right corner
· Table of contents
· References where applicable

Table of Contents
1. Introduction
2. Asset Register
3. Threat and Risk Assessment of current asset
4. Cyber Security Requirements of current asset
5. Current Cyber Security Controls
6. Identify Cyber Security Gaps
7. New Cyber Security controls to address the gaps
8. Feedback on the Cyber Security controls
9. Sign off Form for Implementation
10. Cyber Security Implementation and Testing
11. New Assets
12. New Asset threat and risk assessment
13. Identify Cyber Security Gaps on new assets
14. Develop critical cyber risk management strategies and response
15. Critical cyber risk compliance
16. Monitor and benchmark critical cyber risk management strategies
17. Implement and document new cyber security controls to address cyber security gaps
18. Evaluate and Update risk management strategies
19. Conclusions
20. Reference

Marking Scale (topic: marks allocated)
1. Introduction: /2
2. Asset Register: /2
3. Threat and Risk Assessment of current asset: /2
4. Cyber Security Requirements of current asset: /2
5. Current Cyber Security Controls: /2
6. Identify Cyber Security Gaps: /3
7. New Cyber Security controls to address the gaps: /3
8. Feedback on the Cyber Security controls: /2
9. Sign off Form for Implementation: /2
10. Cyber Security Implementation and Testing: /3
11. New Assets: /2
12. New Asset threat and risk assessment: /2
13. Identify Cyber Security Gaps on new assets: /3
14. Develop critical cyber risk management strategies and response: /4
15. Critical cyber risk compliance: /3
16. Monitor and benchmark critical cyber risk management strategies: /4
17. Implement and document new cyber security controls to address cyber security gaps: /3
18. Evaluate and Update risk management strategies: /2
19. Conclusions: /2
20. Reference: /2
TOTAL: /50

1. Introduction
Devon Accounting is a mid-sized firm based in Sydney, Australia. They provide a range of tools and technologies for businesses. The company uses a cloud storage system to house all their software and essential tools, which they share with their client companies, and they offer services online. However, they lack a dedicated cybersecurity framework to safeguard their data, leaving them exposed to data breaches and cyber-attacks through weaknesses in their system. Issues with workstations and other elements that are not addressed promptly could also pose risks. The company needs a robust security system along with a thorough threat analysis and mitigation strategy. This report outlines the threats and asset risk management, including the asset register, threat and risk assessments, current asset requirements, cybersecurity controls, existing cybersecurity gaps, proposed new controls to address these gaps, feedback on current cybersecurity measures, additional assets, and strategies for implementation.
It aims to help Devon Accounting enhance their system and secure their data effectively.

2. Asset Register
Understanding the assets is crucial for identifying vulnerabilities and assessing the organisation's network. Below is a comprehensive list of the assets and software within the company for a thorough analysis:
· HP 24-F0130A 23.8-inch All-in-One
· HP Pavilion 590-P0082A
· Lenovo IdeaCentre 510S-02
· Inspiron Small Desktop
· Vostro Small Desktop
· Lenovo IdeaCentre 510
· Lenovo ThinkPad E590
· 27-inch iMac with Retina 5K display
· Servers
· UPS (Uninterruptible Power Supply)
· Switches
· Routers
· Printers
· Backup Drive
· Wireless Access Point
· Smartphones
· Microsoft Surface Tablet
· Firewall
· Telephone system

3. Threat and Risk Assessment of current asset
Risk management is closely linked with asset management and identification. Routers and workstations, for instance, could be unsecured and identified as potential threats during the analysis process. The risk assessment was conducted by system owner Bill Simmons and Director Andre Jacobs. Below are the details of the company's risk assessment:
· Risk Assessment Questionnaire: They customized their risk assessment questionnaire to assist the team in identifying potential risks.
· Assessment Tools: Multiple security tools, such as NMAP, NESSUS, and APPSCAN, were used to detect vulnerabilities and assess system configurations.
· Vulnerability Sources: Various sources were consulted to identify vulnerabilities, including:
  · SANS Top 20 (www.sans.org/top20)
  · OWASP Top 10 (www.owasp.org/documentation/topten.html)
  · NIST I-CAT Vulnerability Database (HTTP://icat.nist.gov)
  · Microsoft Security Advisories (www.microsoft.com/security)
· Documentation Review: System diagrams, operational manuals, and other documentation were reviewed for guidelines and assessment purposes.
· Interviews: Information was validated through discussions and interviews conducted within the company.
· Site Visit: The team performed physical visits to assess environmental controls.
· Risk Classification: Risks were classified and prioritized using the formula Risk = Threat Likelihood x Magnitude of Impact.

4. Cyber Security Requirements of current asset
Based on the asset list, the following practices can be adopted to mitigate cybersecurity risks in the organisation:

Designate a Cybersecurity Leader
Appoint a dedicated individual responsible for overseeing cybersecurity. This person will manage security policies, ensure compliance with best practices, and coordinate responses to potential threats.

Inventory Organizational Data, Assets, and Processes
Maintain a comprehensive inventory of all organizational data, assets, and processes. This includes cataloging hardware (e.g., servers, workstations, routers), software (e.g., backup drives, operating systems), and operational processes to ensure all components are accounted for and protected.

Perform Regular Risk Assessments
Conduct periodic risk assessments to identify and evaluate potential vulnerabilities within the organization's systems and processes. This helps in understanding emerging threats and implementing necessary changes to mitigate risks.

Implement Risk-Reducing Controls
Apply security controls to minimize identified risks. This could include deploying firewalls, implementing encryption, setting up access controls, and ensuring regular software updates and patch management.

Incorporate Cybersecurity into Operational Processes
Integrate cybersecurity measures into the organization's daily operations. This includes embedding security practices into workflows, training staff on security awareness, and regularly reviewing and updating security policies and procedures to adapt to new threats.
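The risk model used in Section 3 and Appendix 5 (Risk = Threat Likelihood x Magnitude of Impact, each on a Low/Medium/High scale) is stated as a formula but not as a scoring table. The following is an added example, not part of the Devon Accounting report or its appendices: it turns the formula into a full 3x3 rating matrix and runs it over the Appendix 5 register rows, reporting any row whose recorded rating differs from the one the model yields, which is the consistency check an assessor would want before signing the register off. The numeric weights, the product thresholds, the RegisterRow structure and the function names are assumptions made for this example.

```python
"""Qualitative risk rating check for a threat and risk register.

Added example, not part of the Devon Accounting report. It applies the model
stated in Section 3 and Appendix 5, Risk = Threat Likelihood x Magnitude of
Impact, to the register rows recorded there and lists any row whose recorded
rating differs from what the model gives. The Low/Medium/High scale is the
page's own; the numeric weights and product thresholds below are assumptions,
because the report states the formula but not a scoring table.
"""
from dataclasses import dataclass

# Assumed numeric weights for the page's three qualitative levels.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
LEVELS = ("Low", "Medium", "High")


def rate(likelihood: str, impact: str) -> str:
    """Rating for likelihood x impact; raises KeyError on an unknown level.

    Assumed thresholds on the product (1..9): 1-2 Low, 3-4 Medium, 6-9 High.
    """
    score = LEVEL[likelihood] * LEVEL[impact]
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def risk_matrix() -> dict:
    """Full 3x3 lookup keyed (likelihood, impact), for inclusion in an appendix."""
    return {(lk, im): rate(lk, im) for lk in LEVELS for im in LEVELS}


@dataclass(frozen=True)
class RegisterRow:
    asset: str
    threat: str
    impact: str
    likelihood: str
    recorded_rating: str   # the rating written in the register
    action: str
    reviewed: str          # review date exactly as recorded on the page


# Register rows transcribed from Appendix 5 (text abbreviated, values unchanged).
REGISTER = [
    RegisterRow("Server", "Hacking", "High", "High", "Medium",
                "Check the credential policies", "01/03/2015"),
    RegisterRow("Back up drive", "Accidental data removal / deletion",
                "High", "High", "Medium", "Run backup restore tests", "01/06/2015"),
    RegisterRow("Data", "Software leaks sensitive information",
                "High", "High", "Medium", "Training and policy", "01/09/2015"),
    RegisterRow("Switch/Router, printers, WAP, tablets, firewall, phones",
                "Hardware failure or theft", "High", "High", "High",
                "Physical security, CCTV, alarm systems", "01/03/2016"),
    RegisterRow("Malicious Code", "Viruses or worms introduced",
                "High", "High", "Medium", "Update anti-virus and firewall", "01/16/2016"),
    RegisterRow("Remote Access", "Remote authentication not monitored",
                "High", "High", "Medium", "Monitor or disable remote access", "01/09/2016"),
    RegisterRow("Login encryption", "Unencrypted passwords",
                "High", "High", "Medium", "Enforce password encryption", "01/09/2016"),
]


def check_register(rows) -> list:
    """Return (asset, recorded, computed) for rows the model rates differently."""
    findings = []
    for row in rows:
        computed = rate(row.likelihood, row.impact)
        if computed != row.recorded_rating:
            findings.append((row.asset, row.recorded_rating, computed))
    return findings


def count_by_rating(rows) -> dict:
    """Number of rows per model-computed rating, highest first."""
    counts = {lvl: 0 for lvl in reversed(LEVELS)}
    for row in rows:
        counts[rate(row.likelihood, row.impact)] += 1
    return counts


if __name__ == "__main__":
    for (lk, im), r in sorted(risk_matrix().items()):
        print(f"likelihood={lk:<6} impact={im:<6} -> {r}")
    for asset, recorded, computed in check_register(REGISTER):
        print(f"{asset}: recorded {recorded}, model gives {computed}")
    print(count_by_rating(REGISTER))
```

With the assumed thresholds, every Appendix 5 row scored High impact and High likelihood, so the check lists each row recorded as Medium; whether those rows should be re-rated or the register's scoring rule documented differently is a decision for the system owner, and writing the rule down as a table, as `risk_matrix()` does, is what makes that decision reviewable.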
5. Current Cyber Security Controls
Based on the threat and risk assessment of current assets, the cybersecurity requirements for those assets have been identified. This section outlines the security controls that need to be implemented to address these requirements. Some recommended examples include:
· Secure Wi-Fi and Other Devices: Ensure that all Wi-Fi networks and connected devices are secured using strong encryption protocols (e.g., WPA3) and robust authentication methods to prevent unauthorized access.
· Clean Devices: Implement regular cleaning protocols for devices to remove unnecessary files, malware, and potential vulnerabilities. This includes running anti-virus scans and ensuring that devices are free from malicious software.
· Social Media Restrictions: Establish policies to limit the use of social media on company devices to reduce the risk of phishing attacks and data leaks. Educate employees about the risks associated with social media use.
· Cloud Computing Services and Storage: Use secure cloud services with strong encryption and access controls for storing and managing organizational data. Ensure that cloud providers comply with industry standards and regulations.
· Passwords: Enforce strong password policies, including complexity requirements and regular updates. Implement multi-factor authentication (MFA) to enhance security for accessing sensitive systems and data.
· Email: Deploy email security measures such as spam filters, phishing protection, and encryption to safeguard against email-based threats. Educate employees about recognizing and handling suspicious emails.
· Patches and Anti-Viruses: Ensure that all systems and software are regularly updated with the latest patches to fix vulnerabilities. Install and maintain up-to-date anti-virus and anti-malware software to detect and mitigate threats.
· System Access Control and Privileges: Implement strict access control measures to ensure that only authorized personnel have access to specific systems and data. Regularly review and update user privileges based on their roles.
· Legitimate Software: Verify that all software used within the organization is licensed and obtained from legitimate sources. Avoid using unauthorized or pirated software that could introduce security risks.
· Remote Access of Workstations and Other Devices: Secure remote access by using VPNs and strong authentication mechanisms. Ensure that remote connections are monitored and managed to prevent unauthorised access and data breaches.

6. Identify Cyber Security Gaps
The following gaps have been identified in the company's procedures:
· Lack of an IT Specialist: The company does not employ an IT specialist responsible for managing IT operations and security. This absence hampers the ability to effectively oversee and address IT-related issues and vulnerabilities.
· Outdated Systems: The system has not been updated or maintained since its initial implementation. This neglect increases the risk of security vulnerabilities and performance issues due to outdated software and hardware.
· Inadequate Passwords and Security Measures: The company's passwords, system access controls, and anti-virus solutions are outdated and need to be updated to enhance their effectiveness and security.
· Absence of Security Controls: There are no established security controls in place for critical areas such as:
  · Wi-Fi Access: Lack of secure Wi-Fi protocols and access management.
  · Software Patches: No regular updates or patch management for software vulnerabilities.
  · Software Installation: Unregulated installation of software could introduce risks.
  · Email Security: No measures to protect against email-based threats.
  · Social Media Use: No restrictions or guidelines for social media use that might impact security.
  · Cloud Computing: Insufficient controls for cloud storage and computing services.
  · Remote Access: Lack of secure practices for remote access to systems and devices.
  · External Devices: No protocols for managing and securing external devices connected to the network.
Addressing these gaps is crucial for improving the company's overall cybersecurity posture and ensuring better protection of its assets and data.

7. New Cyber Security controls to address the gaps
The following gaps should be addressed immediately to enhance the company's cyber security measures:
· Hire an IT Specialist: The company should recruit an IT specialist responsible for managing software configurations and ensuring that all systems are regularly updated with the latest security patches and settings.
· Update Workstation Passwords: All workstations within the company should be updated with new, strong passwords to improve security and prevent unauthorized access.
· Improve Device Security: Conduct thorough checks on all devices to identify and address potential vulnerabilities and risks. This includes applying necessary improvements to mitigate any identified threats.
· Update Anti-Virus Software: Review and update existing anti-virus solutions, or consider replacing them with the latest anti-virus tools designed to protect against modern threats and attacks.
· Secure Network Infrastructure: Ensure that Wi-Fi devices, routers, and switches are properly secured. Maintain and update firewalls to align with current devices and settings to safeguard against potential network breaches.

8. Feedback on the Cyber Security controls
Columns: Feedback from Supervisor; Current Assets; Threats and Risks Identified; Cybersecurity Gaps; New Cybersecurity Controls; Update.

Feedback from Supervisor: Update of PC and Laptops Feedback
Current Assets: PCs and Laptops
Threats and Risks Identified: Weak passwords, outdated anti-viruses
Cybersecurity Gaps: No strong password policies, outdated anti-viruses
New Cybersecurity Controls: Implement strong password policies, update anti-virus software
Update: New password policies and anti-virus updates

Feedback from Supervisor: Current Situation
Current Assets: Old passwords, outdated anti-viruses
Threats and Risks Identified: Susceptibility to modern cyber attacks
Cybersecurity Gaps: Lack of robust security measures
New Cybersecurity Controls: Enhance with advanced security tools and regular updates
Update: Immediate update required for enhanced security

Feedback from Supervisor: Data Breach
Current Assets: Firewalls and Servers
Threats and Risks Identified: Potential for system vulnerabilities and data breaches
Cybersecurity Gaps: Lack of updated firewalls and server protections
New Cybersecurity Controls: Update firewalls and apply patches to servers
Update: Ensure regular firewall updates and server security checks

Feedback from Supervisor: Data Integrity and Confidentiality
Current Assets: Network Routers
Threats and Risks Identified: Unauthorized access and vulnerabilities
Cybersecurity Gaps: Weak access controls and outdated security
New Cybersecurity Controls: Implement strict network access controls and updates
Update: Reconfigure routers with enhanced security settings

Feedback from Supervisor: Unauthorized Access
Current Assets: Printers
Threats and Risks Identified: Illegal access and misuse
Cybersecurity Gaps: Unrestricted printer access
New Cybersecurity Controls: Restrict printer access and implement secure authentication
Update: Update printer security settings to limit unauthorized use

Feedback from Supervisor: Backup and Storage Security
Current Assets: Backup Drives
Threats and Risks Identified: Unauthorized access and data breaches
Cybersecurity Gaps: Inadequate access controls and outdated backups
New Cybersecurity Controls: Enhance backup security with encryption and access controls
Update: Update backup protocols and access permissions

Feedback from Supervisor: Wireless Network Security
Current Assets: Wireless Access Points
Threats and Risks Identified: Unauthorized access and outdated security
Cybersecurity Gaps: Outdated security settings and access controls
New Cybersecurity Controls: Update wireless security settings and restrict unauthorized access
Update: Implement the latest security protocols and regular updates

Feedback from Supervisor: Smartphones
Current Assets: Smartphones
Threats and Risks Identified: Data breaches and unauthorized use
Cybersecurity Gaps: Lack of controls on device access
New Cybersecurity Controls: Restrict access and enforce strong authentication and security policies
Update: Update security measures and policies for mobile devices

Feedback from Supervisor: Calls and Messaging
Current Assets: Telephone Systems
Threats and Risks Identified: Call hacking and unsecured messaging
Cybersecurity Gaps: Lack of encryption and secure messaging
New Cybersecurity Controls: Implement encryption for calls and messages
Update: Update settings for enhanced communication security

In this table:
· Feedback from Supervisor: Feedback should be incorporated to address specific cybersecurity issues and validate the new controls.
· Current Assets: List of assets such as firewalls, servers, network routers, printers, backup drives, wireless access points, smartphones, and telephone systems.
· Threats and Risks Identified: The specific threats and risks associated with each asset, such as unauthorized access, data breaches, and outdated security settings.
· Cybersecurity Gaps: Existing gaps in the cybersecurity measures that need addressing.
· New Cybersecurity Controls: Proposed controls to address the identified gaps, such as updating firewalls, restricting access, and implementing encryption.
· Update Details: Specific actions required to update and enhance the security of each asset.
This structured approach helps in systematically addressing cybersecurity issues and improving overall data protection.

9. Sign off Form for Implementation
Sign-Off Form for Implementation
Project Name:
Date:
Prepared By:
Position:
Supervisor Name:
Supervisor Position:
Feedback Provided:
Supervisor Signature:
Date:
Additional Comments:
Prepared By Signature:
Date:

10. Cyber Security Implementation and Testing
The implementation plan includes the following steps:
1. Incident Management and Disaster Recovery Plan: It is vital to have an Incident Management and Disaster Recovery Plan to mitigate risks from any incident or natural disaster, including pandemics like COVID-19. A robust strategy ensures the restoration of data and IT systems by identifying common scenarios and detailing the required actions and responsible individuals (Walkowski, 2019).
2. Inventory and Manage Third Parties: Identify vendors, distributors, and other third parties with access to your organisation's data or systems and prioritize them based on the sensitivity of the data. Evaluate high-risk third parties to ensure they have appropriate security measures, or implement the necessary controls. Maintain an up-to-date list of third-party vendors and regularly monitor their activities.
3. Security Controls Implementation: Address potential threats by implementing security measures tailored to the identified risks. These measures help mitigate or eliminate potential dangers. Adopt both technical controls (e.g., encryption, intrusion detection software, antivirus, firewalls) and non-technical controls (e.g., policies, procedures, physical security, social engineering defenses). For example, establish a Security Policy that encompasses sub-policies such as a backup policy, password policy, and access control policy (Magalhaes, 2020).

11. New Assets
The following new assets should be identified as valuable assets:
· PCs or Laptops
· Firewalls
· Routers

12. New Asset threat and risk assessment
Here are the threats and risks associated with the new assets:
· PCs or Laptops: Vulnerable to cyber attacks and data breaches.
· Firewalls: Risk of network breaches and inadequate network monitoring.
· Routers: Risk of unauthorised access to the network and company systems.

13. Identify Cyber Security Gaps on new assets
Here are the gaps identified in the new assets of the company:
· Inconsistency in Cybersecurity Enforcement: Uneven implementation and application of security policies across different assets.
· Insufficient User Awareness Training: Inadequate training programs to educate users on the latest cybersecurity practices and threats.
· Trailing in the Application of New Cybersecurity Technologies: Delays in adopting and integrating advanced cybersecurity technologies and tools.
· Lack of Vulnerability Reporting: Absence of a formal process for identifying and reporting vulnerabilities in new assets.
· Inflexibility in Adaptation After a Breach: Difficulty in swiftly adapting and modifying security measures following a security breach.
· Stagnation in the Application of Key Prevention Techniques: Failure to regularly update and apply essential prevention strategies and techniques.
· Slower Threat Detection and Response: Reduced effectiveness in identifying and responding to emerging threats in a timely manner (MechDyne, 2020).

14. Develop critical cyber risk management strategies and response
· What risks have you identified and assessed?
  · Ransomware Attacks: Risk of data being encrypted and held for ransom.
  · Data Breaches: Risk of unauthorized access to and exposure of sensitive information.
  · Malware Infections: Risk of malicious software compromising systems and data.
  · Insufficient System Updates: Risk of vulnerabilities due to outdated software and firmware.
· What is required to secure the network perimeter?
  · Firewalls: Deploy to control and monitor incoming and outgoing network traffic based on security rules.
  · Intrusion Prevention Systems (IPS): Implement to detect and prevent identified threats and suspicious activities.
  · Email Security Software: Use to protect against phishing attempts and malicious email attachments.
  · Antivirus and Anti-malware Software: Install to detect, prevent, and remove malicious software.
  · System Updates: Regular updates are crucial for patching vulnerabilities and enhancing security features.
· What access privileges are assigned to protect data and information?
  · Role-based Access Control (RBAC): Users are assigned access rights based on their roles and job functions.
  · Least Privilege Principle: Users are granted the minimum level of access necessary to perform their duties.
  · Periodic Access Reviews: Regularly review and adjust access privileges to ensure they remain appropriate.
· What are the possible consequences of not implementing risk assessment strategies?
  · Increased Vulnerability: Greater risk of exploitation due to unaddressed weaknesses.
  · Financial Losses: Potential for significant financial damage from data breaches or system outages.
  · Reputational Damage: Loss of customer trust and market reputation.
  · Regulatory Penalties: Potential fines and legal consequences for non-compliance with data protection regulations.
· What vulnerabilities have you identified and what is their likelihood of occurrence?
  · Old Software: High likelihood of exploitation due to known vulnerabilities in outdated applications.
  · Weak Passwords: Moderate likelihood, as weak passwords are frequently targeted by attackers.
  · Lack of Encryption: Moderate likelihood, with unencrypted data being vulnerable to theft and interception.

Risk Management Strategy (Documentation)
Columns: Threats and Risks; Vulnerabilities; Assets; Solutions; Consequences.

Threats and Risks: Ransomware
Vulnerabilities: Old software, weak passwords, lack of encryption
Assets: Laptops, computers, data
Solutions: Implement data backup, update antivirus software, enforce strong passwords, use encryption
Consequences: Data breaches, financial losses, reputational damage

Threats and Risks: Data Breaches
Vulnerabilities: Weak access controls, outdated software
Assets: Sensitive information
Solutions: Enforce role-based access control, update software, implement robust access controls
Consequences: Unauthorised access, financial and reputation damage

Threats and Risks: Malware Infections
Vulnerabilities: Inadequate antivirus protection, outdated software
Assets: Computers, network
Solutions: Install and update antivirus and anti-malware software, conduct regular system updates
Consequences: System compromise, data loss, operational disruptions

Threats and Risks: Insufficient System Updates
Vulnerabilities: Outdated software, unpatched vulnerabilities
Assets: All systems
Solutions: Regularly update all systems and applications
Consequences: Increased risk of exploitation, security breaches

15. Critical cyber risk compliance
· There are no non-compliance risks in cyber-attacks that are unmanageable or can be overlooked.
All the risks identified in this case study can be mitigated through strategies. However, new risks that may arise during implementation include: · Phishing Attacks · Machine Learning and AI Attacks · IoT Attacks Inadequate Patch Management 16. Monitor and benchmark critical cyber risk management strategies During times like these, benchmarking becomes essential. To make well-informed decisions, the organization needs it. The approach taken will depend on the company's resources and goals. The type of benchmarking used will vary based on the purpose of the gap analysis, such as improving the security posture or meeting regulatory requirements. Usually, a gap analysis against a specific security standard is necessary to achieve or maintain certification. Comparing an organization's current security program to industry standards or security protocols is beneficial. If a security standard is not currently in place, this might be the first step in the process (Evans, 2016). Benchmarking might also involve examining other companies' actions or adopting industry best practices, but that's not the only option. It is also valuable to tap into the experiences and expertise of others within the same industry. Smaller firms, particularly those with limited resources, can greatly benefit from crowdsourcing knowledge and expertise. Learning from other firms facing similar challenges can provide valuable insights. Ultimately, the goal is to align the security program with widely accepted best practices and standards. 17. Implement and document new cyber security controls to address cyber security gaps To protect the network and data from cyber attacks, a set of cyber security policies is essential. Organizations use cyber security controls to identify and manage network data risks. Although new threats and vulnerabilities will continually emerge, having controls in place reduces the overall risk of exposure (Cyber, 2012). 
The following security controls can be implemented in the company:
· Continuous Monitoring
· Enable Vendor Access
· Attack Surface Analytics

18. Evaluate and Update risk management strategies

A risk management strategy provides a structured approach to identifying, assessing, and managing risks. It includes a process for regularly updating and revising evaluations based on new information or actions taken. This strategy can be applied by even the smallest groups or projects, or integrated into a more complex approach for large, international organizations.

Risk assessment involves identifying and evaluating potential dangers. To protect the organization, its personnel, and its assets, understanding the areas of uncertainty is crucial, and this is achieved through risk analysis. The process varies in detail and method depending on the organization. Often the Management Committee does not conduct the risk assessment directly, where staff or volunteers are more closely involved in the organization's operations (McGlasson, 2013).

In this company, we have scheduled a committee meeting with the Director and team to plan and review the current strategies. The company has provided a document listing devices and assets with descriptions. We then identified potential risks and their mitigation strategies, documenting these along with a timeline. The action plan commenced following an inspection of devices and an analysis of company assets. After six months, the committee will reconvene to review reports, identify gaps, and update strategies with the latest technologies.

19. Conclusions

The report details the risk assessments, identification, and mitigation plans for the threats and vulnerabilities of Devon Accounting. The company is a mid-sized firm located in Sydney, Australia. Its assets and technologies have numerous gaps and have not been updated or maintained since initial implementation. Employees use a cloud system, which has led to a Bring Your Own Device (BYOD) approach within the organization.
The servers, laptops, and computers are equipped with outdated antivirus software that has not been updated for over three years. There is no IT specialist to review security gaps and manage the system, and there is no system in place to monitor the devices and technology implementations. This report provides effective solutions for the identified risks and outlines implementation strategies.

20. Reference

· Cyber, S. (2012, June 1). Top 10 Cybersecurity Risks for Businesses. Secure CyberDefense. Retrieved from https://securecyberdefense.com/top-10-cybersecurity-risks-for-businesses/
· Evans, M. (2016, November 8). Roadmap to Implementing a Successful Information Security Program. BARR Advisory. Retrieved from https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/
· Magalhaes, M. (2020, March 6). Security Gap Analysis: Four-Step Guide to Identify and Address Vulnerabilities. TechGenix. Retrieved from https://techgenix.com/security-gap-analysis/
· McGlasson, L. (2013). New Guidelines: Top 20 Cybersecurity Controls. BankInfoSecurity. Retrieved from https://www.bankinfosecurity.com/new-guidelines-top-20-cybersecurity-controls-a-1228
· Mechdyne. (2020, April 22). 7 Cybersecurity Gaps That Expose Businesses to Threats (And One Way to Address Them). Mechdyne IT Services. Retrieved from https://www.mechdyne.com/it-services/7-cybersecurity-gaps-and-1-way-to-fix-them/
· Walkowski, D. (2019, August 22). What Are Security Controls? F5 Labs. Retrieved from https://www.f5.com/labs/articles/education/what-are-security-controls#:~:text=Control%20Types&text=Some%20common%20examples%20are%20authentication

Cyber Security Requirements - Assessment I v.2, Last updated on 20/08/2023
