CRS180_22334VIC_VU21995-VU21996_AT2of2_LEARNER_V2

School

National Business Institute Inc. *

Course

101

Subject

Computer Science

Date

Jan 9, 2024

Type

docx

Pages

27

Uploaded by MinisterGoldfish177

CRS180 Revision 101 May 2018 Page 1

Assessment Task 2: Risk Assessment Report and Incident Scenario
Student Version

Section A – Program/Course details

Qualification code: 22334VIC
Qualification title: Certificate IV in Cyber Security
Unit code: VU21995 VU21996
Unit title: Manage the security infrastructure for the organisation; Evaluate and test an incident response plan for an enterprise
Department name: Enter CRN number

Section B – Assessment task details

Assessment number: 2 of 2
Semester/Year: 1 & 2/2023
Due date: Ongoing
Duration of assessment: Ongoing
Assessment method Assessment task results Ungraded result Other: Click here to enter text.

Section C – Instructions to students

Task instructions:

- This is a group task. However, if any student wishes to work individually on this Assessment Task, they must obtain prior permission from the Assessor and follow the guidelines provided by them. In such cases, the student may collaborate with a friend, partner or colleague with the approval of the assessor.
- All members of the group will collaborate and contribute to completion of the whole task.
- Each member of the group will submit a copy of the group’s work by uploading the completed task to Brightspace with the attached cover sheet.
- Each member of the group is required to upload a copy of the assessment.

There are four parts for this Assessment task: Part A, Part B, Part C and Part D.

- Part A is Cyber Hygiene Checklist and Risk Assessment
- Part B is Risk Assessment Report
- Part C is Risk Implementation Report
- Part D is Evaluate and test an IRP

Part A: Cyber Hygiene Checklist and Risk Assessment

Part A1: Cyber Hygiene Checklist Template

Background: You are part of a team of security analysts whose job is to evaluate the effectiveness of the security infrastructure of companies working in different industries.

Tasks: You will need to create an electronic file template checklist that is used to assess the security system of organisations.
OFFICIAL Holmesglen: HR_CAIT 29-Jan-2021 L:\CAIT\Teaching\T&L\202110\22334VIC_OnCampus\VU21995_VU21996\MASTER_HR\CRS180_22334VIC_VU21995-VU21996_AT2_Master_v1.docx
The template will address the following:

- Status of software tools and hardware that provide security for the organisation
- Status of the operating systems being used
- Status of policies addressing passwords and administration of profiles

The template checklist will need to contain between 15-20 check points. Refer to the cyber hygiene model templates used in class, as a guide to wording and type of check points which can be included, and also research cyber hygiene checklists on the internet. The marking guide lists all details that must be addressed by the items in the checklist.

The template must include a scoring system where each point included in the cyber hygiene check has a point value of 1. The template will include a scoring summary which indicates the overall cyber hygiene of the organisation for the report. For example, if there are 15 check points and 6 were identified as present, the scoring system will be illustrated as:

(Number of items identified as present / 15 items on checklist) * 10 = Cyber Hygiene Rating

E.g. 6 items identified as present: (6 / 15) * 10 = 4
Cyber Hygiene Rating = 4

CYBER HYGIENE RATING:
0 - 4: their security infrastructure has inadequate protection
5 - 7: remedial action on it is required but not urgent
8 - 10: their security infrastructure is adequate.

Part A2: Risk Assessment

Background: The team has been approached by the “ABC Widget” franchise (refer to scenario in Supporting Documents at the end of this assessment document). ABC Widgets is unsure whether they are following proper Cyber Hygiene principles. Its management has hired your team as security analysts to assess their current security system.
Tasks: Continue working in your current group, and:

- Read the scenario and view the data centre virtual tour to identify ABC Widget’s current physical security infrastructure and related vulnerabilities (Virtual tour of a data centre site)
- Use the template checklist developed in PART A1 to assess ABC Widget security policies and practices that support their infrastructure
- Using the Report template, prepare a summary report on the status of ABC Widget’s digital and physical infrastructure security. Your report will examine and comment on ABC Widget’s existing security policies, including data and storage policies, and cover the impact of these on the level of security hygiene and security risks in regards to:
  o current equipment security
  o current staff operations and habits of employees
  o current electronic and data backup security
  o current physical security
  o current wireless security
  o current online access and purchasing
  o current policies including data storage policies

Part B – Risk Assessment Report
Background

You have been invited to a meeting by the management of ABC Widget to discuss the vulnerabilities of their security infrastructure. ABC Widgets has concerns with respect to a large number of transactions associated with key periods of the year (such as: Easter, EoFY - End of Financial Year, Christmas and sales periods). There are also concerns about their IT infrastructure security and adequate Cyber Hygiene. The team is now required to produce a Risk Assessment Report and present it to ABC Widgets Management (your Trainer/assessor).

TASK – Risk Assessment Report

Create a Risk Assessment report for ABC Widgets using the report template provided in the Supporting documents section at the end of this document. The team must use the report structure provided below in the report template located in the Supporting documents section at the end of this document.

The team’s report must investigate and discuss the points a. – i. below in relation to the scenario document provided for ABC Widget in the Supporting documents section at the end of this document. To build the report the team can use information gathered in the Cyber Hygiene and Risk Assessment Report (Assessment task 1) plus information gathered from research conducted into risk policies and security frameworks (i.e. ISO 27001, NIST Framework):

a. The risk assessment methodology used by the team will be indicated in the report, along with how ABC Widget’s policies are guided by ISO 27001 &/or NIST Frameworks.
b. The risk assessment will investigate ABC Widget’s security system tools and categorise identified risks.
c. The risk assessment will investigate the human operations and categorise identified risks by matching the risk plans to risk categories.
d. The risk assessment will recommend appropriate resources to be used to minimise each risk category.
e. The risk assessment will be used to identify risks on the ABC Widget’s Premises.
f. The risk assessment report will document how the team will implement steps to protect against three common cyber security attack methods.
g. The risk assessment report will document tools that can be used by the organisation to protect data, and will explain how the tools will achieve successful data protection for the organisation.
h. The risk assessment report will outline maintenance procedures to be used by ABC Widget to address and minimise identified risks.
i. Make sure you reference any resources, documentation or tools you have identified and referred to in the report in the References section.

PART C – Risk Implementation

This assessment requires the learner to answer a range of questions related to ABC Widgets.

- You are required to correctly answer all questions to a satisfactory level for each question of this assessment task to be given a satisfactory result by the assessor. If this is not achieved on the first attempt, then an opportunity to resubmit is allowed.
- You may use the internet for research purposes; however, your answers must be in your own words.
- Once you have completed all the questions, the assessment must be uploaded and submitted along with the signed assessment coversheet via Brightspace.
So far, for ABC Widgets, you have done the following:

- Created a Cyber Hygiene checklist and Risk Assessment/summary using a scoring system. (Assessment Task 2 Part A)
- Created a Risk Assessment report based on your assessment of ABC Widgets. (Assessment Task 2 Part B)

It is now time to implement your system controls in order to manage risk of ABC Widgets. Using:

1. The information you gathered from the risk category audit you performed and
2. The security vulnerabilities you identified,

your task now is to do the following for ABC Widgets:

a. Implement appropriate security system controls for managing the risk
b. Monitor security infrastructure tools and procedures
c. Implement data and report storage in line with organisation policies

Key tasks

1. To ‘implement’ your system controls, fill out the report matrix below, providing brief written notes and screen shots where appropriate in the blank sections below, explaining, in point form, how your implementation will be carried out in ABC Widgets current environment.

You will need to ‘implement’ your changes in a virtual environment - either of the following:

a. Windows Server
b. Linux Server
c. Windows 10 PC
d. Mac OS

PART D – Evaluate and test an IRP

Using the Incident Response Plan (IRP) that you have developed, you are now required to simulate an attack scenario to test the effectiveness of your IRP.

- Each team will get to participate in the Red and Blue team activities.
- The team will host a meeting for an imaginary cyber incident against a defined organization.
- The audio of the meeting is to be recorded for review.
- Each member of the group is required to upload a copy of Assessment task 2.

RED TEAM

The Red Team may choose their own attack mechanism against the web servers of ABC Company.
You may consider attack vectors such as denial of service, virus introduction, data exfiltration or others.

Activities:

1. Discuss attack vectors, and launch mechanisms involved
2. Execute the attack
3. Evaluate effectiveness of attack, and note lessons learned

BLUE TEAM

The Blue Team must follow their Incident Response Plan, including completing all necessary forms such as a communications log, chain of custody, threat severity assessment, incident recovery checklist, etc. This will show how the Blue Team has responded and recorded relevant events.

Once the incident has been contained, services restored, and communication strategies enacted, the Blue Team will need to debrief and consider lessons learned and record any improvements to their process that may have been discovered.

Note that the Blue Team’s response must follow the team’s Incident Response Plan, including the following critical steps:

a. Receive (and make record of) the incident alert
b. Complete a chain of custody report for all stages of the incident
c. Complete and follow all relevant documentation and forms
d. Discuss strategies on how to react to the incident.

Section D – Conditions for assessment

Conditions:

- Student to complete and attach Assessment Submission Cover Sheet to the completed Assessment Task.
- Learner to complete and attach Assessment Submission Cover Sheet to the completed Assessment Task.
- Learner must answer all the questions satisfactorily to prove competence in this task.
- If not successful within the enrolment period as per Holmesglen assessment procedure, you will be requested to resubmit within seven days of receiving feedback. You are permitted two resubmissions per assessment task.
- This is a group task and open book assessment. You can research information from the internet, but you must not copy and paste directly from the internet. Answers must be in your own words. Provide a list of references you have sourced in the Reference URL link section.
- You are required to upload all the required evidence to Brightspace.
- It is expected all documents will be completed and submitted electronically, but if this is not possible, contact your teacher prior to the due date to make an alternative method of submission.
- You may appeal an assessment decision according to the Holmesglen Assessment Complaints and Appeals Procedure.
- Should learner require special allowance or adjustment to this task, please decide with the assessor within at least one week of the due date to this assessment.
Equipment/resources students must supply and equipment/resources to be provided by the RTO (the same list is given for both):

- PC computer or laptop with the following minimum specification:
  - Quad-Core CPU, 16GB of RAM, 250GB of Storage, 2 GHz or faster processor
- Access to an internet connection (ADSL or cable connection desirable)
- PC Monitor 24" (dual monitor optional but preferred)
- Headset with microphone & webcam
- Headset/earphone with microphone (webcam optional but preferred)
- Windows 10 - available free from https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ or https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
- Packet Tracer - free to download
- NETLab - free, accessed via web Holmesglen url
- NetAcad - free, Register through Cisco learning academy
- VMware workstation Pro - available free through Holmesglen OnTheHub
- Kali Linux - free to download
- LinkedIn Learning - free access via Holmesglen url
- Microsoft Office Suite - free access through Holmesglen MyHorizon
- WebEx - free to download
- Storage - free via Holmesglen OneDrive, or student can access free storage offered by google drive or dropbox; alternatively, a student can purchase an external SSD hard disk with a minimum of 250GB (prices vary).
- 7Zip or an equivalent compression utility - free to download
- Google Chrome – recommended web browser.

Section E – Marking Sheet - Student Answer Sheet

Unit code: VU21995 VU21996
Unit title: Manage the security infrastructure for the organisation; Evaluate and test an incident response plan for an enterprise
Part B – Risk Assessment Report

Criteria for Part B – Risk Assessment Report (columns: Satisfactory Yes / No; Comment)

The following has been submitted for assessment:

1. Learner has submitted Assessment Risk Report using required Template which defines purpose and scope of risk assessment and risk assessment methodology used.
2. Learner has stated in Assessment Risk Report Risk Model used ISO 27001 or NIST to conduct risk assessment
3. Learner determined risk assessment by using appropriate standards ISO 27001 or NIST
4. Learner conducted audit and reported on existing security technology components for ABC Widgets
5. Learner reported on baseline risks for existing security tools for ABC Widgets
6. Learner categorised risks for existing security tools for ABC Widgets
7. Learner determined risks for human operations with security systems and categorised determined risks
8. Learner audited, evaluated and categorised the organisation’s security policies and risk plans
9. Learner audited ABC Widgets physical security infrastructure
10. Learner determined ABC Widgets physical security infrastructure vulnerabilities
11. Learner determined resources required by ABC Widgets for reported risk categories to minimise risk on business operation
12. Learner documented vulnerability and risk assessment results
13. Learner summarised findings and communicated security infrastructure vulnerabilities and associated risks to management personnel, including system security, human operations, security policies, risk plans and physical infrastructure
14. Learner recommended effective amendments to security policies and risk plans for implementation
Criteria for Part B – Risk Assessment Report, continued (columns: Satisfactory Yes / No; Comment)

15. Learner recommended effective controls to manage risk to be implemented
16. Learner recommended for implementation effective tools and resources to be used to control and manage risk
17. Learner reviewed Cyber security policy and recommended amendments for implementation
18. Learner recommended a cyber-security awareness strategy to be promoted for implementation and adoption
19. Learner recommended and developed a cyber security training plan to be implemented
20. Learner documented a best practice cyber hygiene plan for ABC Widgets to implement
21. Learner communicated and contributed as a member of a team

Part C – Risk Implementation Report

Criteria for Part C – Risk Implementation Report (columns: Satisfactory Yes / No; Comment)

The following has been submitted for assessment:

1. Learner has developed policies and procedures to cover user access of the system (Q1)
2. Learner has identified if training is required in the use of system related policies and procedures is conducted (Q2)
3. Learner has created an alert notification to regularly monitor high-risk categories (Q3.1)
4. Learner has created an alert notification of system breakdowns which have been categorised and recorded (Q3.2)
5. Learner has developed security recovery plan (Q4)
6. Learner has developed security plan and procedures to include in management system (Q5)
7. Learner implemented system controls to reduce risks in human interaction with the system (Q4)
8. Learner reviewed and monitored controls that manage risks (Q9.a and Q9.b)
9. Learner reviewed risk analysis process based on security benchmarks from vendors (Q5)
10. Learner reviewed data and report storage policies for the organisation (Q6)
Criteria for Part C – Risk Implementation Report, continued (columns: Satisfactory Yes / No; Comment)

11. Learner stored incident reporting documentation according to the organisation’s policies (Q7)
12. Learner obtained and recorded relevant security clearances required by the security practitioner (Q8)
13. Learner interpreted and followed documented material and procedures (Q1 – Q4)
14. Learner used a laptop or a workstation (Q9.b)
15. Learner installed and demonstrated application software packages (Q9.b)
16. Learner identified and implemented cyber hygiene process (Q9)
17. Learner followed best practices in cyber hygiene processes (Q9)
18. Learner has knowledge of maintenance procedures (Q3, Q4, Q5, Q9)
19. Learner has knowledge of malware scanners (Q9.b)
20. Learner has knowledge of virus scanners (Q9.b)
21. Learner has knowledge of diagnostic tools, e.g. (Q9.b)
    - MS Baseline Security Analyser (or equivalent)
    - MS Security Compliance Manager (or equivalent)

Implement appropriate security system controls for managing the risk

Report matrix columns: Current ABC Widgets system/process (if it does not exist, note this); Your improved system (screenshot where applicable); The improved score based on the changes made by your implementation.

1. Describe existing policies and procedures to cover user access of the system; if none exist, implement your recommendations.
   Current ABC Widgets system/process:
   - No strong password policies exist for intermediary devices
   - Poor physical security existing on network infrastructure
   Your improved system:
   - Learner should insert some recommendations in point form here.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High
2. If required, conduct training in the use of system related policies and procedures.
   Current ABC Widgets system/process:
   - No training programs in place at present
   Your improved system:
   - Learner should insert some recommendations in point form here.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

3. Configure two notifications that alert the ABC Widgets IT team:
   1. System resources running low
   2. System breakdowns
   Current ABC Widgets system/process:
   - No existing notifications in place for any system alerts
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

4. Configure a daily backup to the local server.
   Current ABC Widgets system/process:
   - No existing daily backup at all in place
   Your improved system:
   - Learner will configure the backup using 1 of the 3 operating systems (Windows Server / Linux / Windows 10 PC)
   - Provide screen shots of backup
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

Monitor security infrastructure tools and procedures

Report matrix columns: Current ABC Widgets system/process (if it does not exist, note this); Your improved system; The improved score based on the changes made by your implementation (use the same scoring system from Assessment 1).

5. Compare ABC Widgets initial infrastructure with your new recommendations. Develop at least two procedures to be included in the security plan and management system. Give ABC Widgets a new risk rating based on your comparison. Conduct a benchmarking risk analysis of vendor technologies from existing to recommended to them.
   Current ABC Widgets system/process:
   - Initial infrastructure is outdated
   - Poor security features
   - Equipment has old security features attached
   Your improved system:
   - Learner to insert at least two procedures based on recommendations they have identified. These should be presented in point form here.
   - Benchmark and compare the initial implementation of VMware virtual machines performance with your recommendation.
   - Review the security benchmarking improvements.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

Implement data and report storage in line with organisation policies

Report matrix columns: Current ABC Widgets system/process (if it does not exist, note this); Your improved system; The improved score based on the changes made by your implementation (use the same scoring system from Assessment 1).

6. Review the existing security plan data and report storage policies for ABC Widgets. Note any differences between then and after your assessment.
   Current ABC Widgets system/process:
   - Initial storage policies were poor, outdated and insecure.
   - No cloud backup/storage facility
   Your improved system:
   - Learner should insert some recommendations in point form here.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

7. Create a folder titled IRP_Documentation and store an IRP document within the folder.
   Current ABC Widgets system/process:
   - No existing provision for storing IRP documentation in case of a breach/loss of data/corrupt servers
   Your improved system:
   - Provide screen shots of folder created and IRP document in the folder.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

8. Create a new folder named ‘Security Clearances’. Inside this folder create a .docx that indicates a clearance of a second user.
   Current ABC Widgets system/process:
   - No existing provision for storing Staff Security Clearance documentation.
   Your improved system:
   - Provide screen shots of folder created and documents with security clearance.
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

9. Implement the following Cyber hygiene processes to monitor and manage risk:
   a. Set the administrative password to Tafe123$
   b. Install, demonstrate and run an appropriate software that scans for viruses and malware.
   Current ABC Widgets system/process:
   - Poor Cyber Hygiene practices evident from current infrastructure
   Your improved system:
   - A. Set Administrator password (provide a screen shot)
   - B. Install, demonstrate and run an appropriate software that scans for viruses and malware. (Provide a screen shot)
   Improved score:
   - Score improved from 1 – 5 based on recommendations
   - Score improved from Low; Medium; High

Part D – Evaluate and test an IRP

Skills to be observed during this task to the required standard (columns: 1. Date:, 2. Date:, 3. Date:, each marked Satisfactory Yes / No; Comment)

1. All members have taken an active role during the assessment
2. Red Team is seen to be discussing various attack methodologies
3. Red Team launches the attack
4. Red Team monitors situation and responds as necessary, noting down performance for use in lessons learned at the end of the exercise
5. Blue Team collects all relevant incident response evidence using the template forms created in Assessment Task 1
6. Blue Team discusses and evaluates strategy to mitigate the incident
7. Blue Team attempts to implement their solution
8. Blue Team implements their communications strategy (following the document created in Assessment Task 1)
9. Blue Team analyses their response for effectiveness
10. Blue Team discusses and records lessons learned from the incident
11. Red Team evaluates their effectiveness, and discusses improvements in their approach

Assessment Submission Cover Sheet (VET)

By submitting this assessment task and signing the below, I acknowledge and agree that:

1. This completed assessment task is my own work.
2. I understand the serious nature of plagiarism and I am aware of the penalties that exist for breaching this.
3. I have kept a copy of this assessment task.
4. The assessor may provide a copy of this assessment task to another member of the Institute for validation and/or benchmarking purposes.

Student ID:
Student name:
Submission or observation date:
Student signature:

For electronic submissions: By typing your name in the student signature field, you are accepting the above declaration.

Section F – Feedback to Student

Has the student successfully completed this assessment task? Yes / No
Additional Assessor comments (as appropriate):
Resubmission allowed: Yes / No
Resubmission due date:
Assessor name:
Assessor signature:
Date Assessed:
Supporting document

Unit code: VU21995 VU21996
Unit title: Manage the security infrastructure for the organisation; Evaluate and test an incident response plan for an enterprise

ABC Widget Cyber Hygiene Scenario

ABC Widgets is an Australian company that sells children's clothes online and from their six stores in Melbourne.

Equipment and Operation:

- All stores have EFTPOS terminals which accept credit and debit card payments.
- EFTPOS terminals are connected through WiFi using WPA to file servers locally installed in each branch.
- EFTPOS machines are using Windows XP, which has been updated and patched to the latest version.
- EFTPOS machines have paypass contactless payment facility enabled.
- Barcode scanners are used by staff to scan the inventory items to directly input data into the inventory database, which is located on the same file server as the customer data.

Electronic Security Concerns:

- The IT Administrator has some concerns, but he has been told that although the data is part of the same database, they're two different tables.
- Users/Employees are sharing their login details with each other, and the password policy does not enforce strong passwords and periodic password renewal.
- Each file server is using FTP to handle and serve the customer data.
- Aging equipment with limited security features

Current Equipment

- ABC Widgets PL are currently running their virtualisation platform with VMWare vSphere Client 5.5. This platform houses all required services for ABC.
- ABC Widgets are also using a Cisco 1941 series router with IOS licensing of 12.1 version with no security package.
- Their switch infrastructure also requires potential upgrades. They are currently using two Cisco Catalyst 2960 with Cisco IOS Release 12.2 with no security pack.

Physical Security:

- There is a security guard at each store who does random inspections of people coming in and leaving the store.
- Stores are kept locked after hours.

Wireless Network:

- There are wireless access points in different areas of each store to allow the EFTPOS machines to connect to the financial institution's network for authorizations.
- An employee has raised some concerns that the wireless networks are available from the car park to anyone with a WiFi enabled device.
- The IT Administrator thinks that since the wireless network is protected by WPA and MAC-address filtering is enabled, they are reasonably safe.

Data Backup Procedure:

- Once a fortnight, the IT Administrator goes to each branch to back up file servers data on a portable hard drive and keeps it in a locked cupboard in his office.

Online Access and Purchase:

- ABC Widgets website also accepts credit card payments and there is a process to accept the credit card payments over the phone, if required.
- ABC Widgets have a rough total of 2000 transactions being done on a particular day.

ABC Widgets have hired you as a security analyst to provide a complete risk assessment of their systems, both in each branch and their website. You're also asked to investigate the use of RFID technology that ABC Widgets would like to use to decrease the theft and loss of items.

ABC Widgets has concerns with respect to the large number of transactions associated with key periods of the year (such as Easter, EoFY - End of Financial Year, Christmas, etc.). There are also concerns about their IT infrastructure safety and adequate Cyber Hygiene.

Elements to be addressed: social engineering, shoulder surfing, WiFi security, physical security, EFTPOS security, phishing, file server security, backup security, staff security awareness training, website security (such as SQLi and XSS)

ABC WIDGETS
Cyber Hygiene and Risk Assessment
Certificate IV in Cyber Security
VU21995 – MANAGE THE SECURITY INFRASTRUCTURE FOR AN ORGANISATION

TEAM NAME:
Student 1
Student 2
Student 3
Student 4
Student 5

Document Control
Title:
Version:
Date Issued:
Status:
Document owner:
Creator name:
Creator organisation name:
Subject category:

Document Revision History
Version    Date    Author    Summary of Changes
1.0
1.1
2

Table of Contents
1.0 Introduction
1.1 Overview of Cyber Hygiene Checks and Risk Assessments
1.2 Purpose for Conducting these Checks and Assessments
1.3 Scope of Check and Assessment
1.4 Document Review
2.0 Cyber Hygiene Checklist
2.1 Cyber Hygiene Table
2.2 Cyber Hygiene Company Score
2.3 Cyber Hygiene Score Calculation
2.4 Cyber Hygiene Score Assessment
2.5 Summary Evaluation of Score
3.0 Risk Assessment
3.1 Risk Assessment of Equipment
3.2 Risk Assessment of Staff Operations
3.3 Risk Assessment of Phishing Campaigns
3.4 Risk Assessment of Electronic Security
3.5 Risk Assessment of Physical Security
3.6 Risk Assessment of Wireless Network
3.7 Risk Assessment of Data Backup
3.8 Risk Assessment of Online Access and Purchasing
4.0 References

1.0 Introduction
1.1 Overview of Cyber Hygiene Checks and Risk Assessments
1.2 Purpose for Conducting these Checks and Assessments
1.3 Scope of Check and Assessment
1.4 Document Review

2.0 Cyber Hygiene Checklist
2.1 Cyber Hygiene Table
2.2 Cyber Hygiene Company Score
2.3 Cyber Hygiene Score Calculation
2.4 Cyber Hygiene Score Assessment
2.5 Summary Evaluation of Score

3.0 Risk Assessment
3.1 Risk Assessment of Equipment
3.2 Risk Assessment of Staff Operations
3.3 Risk Assessment of Phishing Campaigns
3.4 Risk Assessment of Electronic Security
3.5 Risk Assessment of Physical Security
3.6 Risk Assessment of Wireless Network
3.7 Risk Assessment of Data Backup
3.8 Risk Assessment of Online Access and Purchasing

4.0 References

ABC WIDGETS
Risk Assessment Report
Certificate IV in Cyber Security
VU21995 – MANAGE THE SECURITY INFRASTRUCTURE FOR AN ORGANISATION

TEAM NAME:
Student 1
Student 2
Student 3
Student 4
Student 5

Document Control
Title:
Version:
Date Issued:
Status:
Document owner:
Creator name:
Creator organisation name:
Subject category:

Document Revision History
Version    Date    Author    Summary of Changes
1.0
1.1
2

Table of Contents
Assessor Version
1.1.1. Likelihood
1.1.2. Risk Table Legend
1.1. Technology Components
Peer review of Team
Student Version
Assessment Task 2
ABC Widget Risk Assessment Scenario
Title Page
Executive summary
Table of contents
1.0 Introduction
1.1 Purpose of report
1.2 Scope of risk assessment
2.0 Risk Assessment Approach
2.1 Participants
2.2 Risk Assessment Methodology Used
2.3 Risk Model
3.0 Security Systems and Human Operations Vulnerability Assessment
3.1 Audit of Existing Security Technology Components
3.2 Determined Baseline of Risks for Existing Security Tools
3.3 Categorised Risks for Existing Security Tools
3.4 Determined Risks for Human Operations with Security Systems
3.5 Categorised Risks for Human Operations
3.6 Audit of Organisation’s Risk Plan Documents
3.7 Categorised Risks for Organisation’s Risk Plan Documents
4.0 Physical Vulnerability Assessment
4.1 Audit of Physical Security Infrastructure
4.2 Determined Physical Security Infrastructure Vulnerabilities
5.0 Risk Assessment Results
6.0 Summary of Findings
6.1 Security Systems and Human Operations Vulnerabilities and Associated Risks
6.2 Organisation’s Risk Plan Documentation Vulnerabilities and Associated Risks
6.3 Physical Security Infrastructure Vulnerabilities and Associated Risks
7.0 Recommendations and actions
7.1 Recommendation of Risk Plans to be Implemented
7.2 Recommended Resources Required for Risk Plan Implementation
7.3 Cyber Security Policy
7.4 Cyber Security Awareness Strategy
7.5 Cyber Security Training
7.6 Best Practice Cyber Hygiene
8.0 References
8.1 Team Peer Review
8.2 References
Assessment Submission Cover Sheet (VET)

Title Page
Executive summary
Table of contents

1.0 Introduction
1.1 Purpose of report
1.2 Scope of risk assessment

2.0 Risk Assessment Approach
2.1 Participants
2.2 Risk Assessment Methodology Used
2.3 Risk Model

3.0 Security Systems and Human Operations Vulnerability Assessment
3.1 Audit of Existing Security Technology Components
3.2 Determined Baseline of Risks for Existing Security Tools
3.3 Categorised Risks for Existing Security Tools
3.4 Determined Risks for Human Operations with Security Systems
3.5 Categorised Risks for Human Operations
3.6 Audit of Organisation’s Risk Plan Documents
3.7 Categorised Risks for Organisation’s Risk Plan Documents

4.0 Physical Vulnerability Assessment
4.1 Audit of Physical Security Infrastructure
4.2 Determined Physical Security Infrastructure Vulnerabilities

5.0 Risk Assessment Results

6.0 Summary of Findings
6.1 Security Systems and Human Operations Vulnerabilities and Associated Risks
6.2 Organisation’s Risk Plan Documentation Vulnerabilities and Associated Risks
6.3 Physical Security Infrastructure Vulnerabilities and Associated Risks

7.0 Recommendations and actions
7.1 Recommendation of Risk Plans to be Implemented
7.2 Recommended Resources Required for Risk Plan Implementation
7.3 Cyber Security Policy
7.4 Cyber Security Awareness Strategy
7.5 Cyber Security Training
7.6 Best Practice Cyber Hygiene

8.0 References
8.1 Team Peer Review