ICTCYS606
School: Deakin University
Course: 611
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 42
Uploaded by BrigadierAnteaterMaster276
Student Assessment Guide: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law
ICT60220 Advanced Diploma of Information Technology (Cyber Security)
Student Assessment Guide: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law
Version: v21.0 | Developed by: ACBI | Approved by: DoS | Issued: April 2022 | Review: April 2022

Copyright 2022 Australian College of Business Intelligence. All rights reserved.
Version: 22.0. Date Modified: March 2022.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Australian College of Business Intelligence.
Disclaimer: The Australian College of Business Intelligence does not invite reliance upon, nor accept responsibility for, the information it provides. The Australian College of Business Intelligence makes every effort to provide a high-quality service. However, neither the Australian College of Business Intelligence, nor the providers of data, gives any guarantees, undertakings or warranties concerning the accuracy, completeness or up-to-date nature of the information provided. Users should confirm information from another source if it is of sufficient importance for them to do so.
Contents
ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law (page 1)
1. Assessment Information (page 4)
   A. Purpose of the assessment (page 4)
   B. What you are required to do (page 4)
   C. Competencies being assessed (page 4)
   D. Important resources for completing this assessment (page 5)
   E. A note on plagiarism and referencing (page 5)
   F. A note on questions with role plays (page 5)
   G. Instructions for completing this assessment (page 6)
2. Assessment Coversheet (page 7)
   ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law (page 7)
3. Assessment Questions (page 8)
   A. Task A - Demonstrate knowledge of cyber security standards and laws (page 8)
   B. Task B - Research cyber security standards and laws in organization (page 24)
   C. Task C - Analyse the implementation of cyber security standards and laws in organization (page 29)
   D. Task D - Implement and align organization with the standards and laws (page 33)
4. Student Self Checklist (page 42)
   A. Student Self Checklist for Tasks A - D (page 42)
1. Assessment Information

A. Purpose of the assessment
This assessment will develop the skills and knowledge required to understand cyber security laws and standards and their value in compliance.

B. What you are required to do
For this assessment, you are required to complete 4 tasks:
- Task A: Demonstrate knowledge of cyber security standards and laws
- Task B: Research cyber security standards and laws in organization
- Task C: Analyse the implementation of cyber security standards and laws in organization
- Task D: Implement and align organization with the standards and laws
Tasks B, C and D of this assessment require you to use the provided case study information relating to the fictional company UniqueStore.

C. Competencies being assessed
Elements
To achieve competency in this unit you must demonstrate your ability to:
1. Understand cyber security standards and laws
2. Analyse cyber security standards and laws
3. Plan and implement cyber security standards and laws
Performance Evidence
Evidence of the ability to: identify cyber security standards and laws and analyse an organisation's operations and compliance with required laws and standards on at least one occasion.
Knowledge Evidence
To complete the unit requirements safely and effectively, the individual must: conduct a cyber security compliance assessment on at least one occasion.
For further information on the competencies of this unit, please refer to: https://training.gov.au/Training/Details/ICTCYS606

D. Important resources for completing this assessment
To complete this assessment, please refer to the following resources provided on Moodle:
- ICTCYS606 learner guide
- ICTCYS606 Observation checklist
- ICTCYS606 Marking Guide
- ICTCYS606 Case study folder
- Additional student assessment information

E. A note on plagiarism and referencing
Plagiarism is a form of theft where the work, ideas, inventions etc. of other people are presented as your own. When quoting or paraphrasing from a source such as the Internet, the source must be recognised. If you are quoting a source, make sure to acknowledge this by including "quotation marks" around the relevant words/sentences or ideas. Note the source at the point at which it is included within your assessment, such as by using a citation. Then list the full details of the source in a 'references' section at the end of your assessment. All sources used for your assessment should be detailed in a 'references' section. It is advisable to never copy another person's work.

F. A note on questions with role plays
The following questions involve role plays: Task D, Question D2.
For these questions, as outlined below, you will be assessed on your ability to role play being a Cyber Security Specialist. These questions require you to manage meetings and take notes on what is discussed. Your Trainer & Assessor will also observe your meeting for Task D, Question D2 and complete an observation checklist.
Please note: You will also need to attend separate meetings organised by other students whereby you role play being other people. This allows other students in your unit to also role play being the CTO and Operational Manager. You do not need to take notes at meetings during which you are not role playing being the CTO.

G. Instructions for completing this assessment
Answer the questions below using the spaces provided:
- Answer all parts of each question
- Use your own words and give examples wherever possible
- The quality of your answer is more important than how long it is
- Enter your answers in this document
- You may use various sources of information to inform your answers, including the resources provided by ACBI, books, and online sources. You must acknowledge and cite your sources.
Submission via Moodle
Please refer to the "Instructions for Submitting Your Assessment" found within the unit course page on Moodle.
NOTE: Please take care to follow all instructions listed. Assessments uploaded with a draft status on Moodle may not be graded.
2. Assessment Coversheet

3. Assessment Questions

A. Task A - Demonstrate knowledge of cyber security standards and laws
Task A instructions
Answer the questions below to demonstrate your knowledge of ICTCYS606.

A1. Describe the term 'Cybercrime'. Answer in 40-80 words.
Any criminal conduct carried out online or via computers is referred to as cybercrime. While most cybercrimes are committed to make money for the perpetrators, some are committed against computers or other devices to harm or disable them. Others transmit viruses, illicit information, photos, or other items via computers or networks.

A2. Describe a cyber security risk. What risks could commonly be present in an organization from a cybersecurity perspective? Answer in 100-120 words.
A cyber security risk is the possibility that information, data, or information systems lose their confidentiality, integrity, or availability, which could have detrimental effects on a company. Today, cyber risk is one of the hazards with the fastest-growing potential to harm businesses, their data, and their financial performance. Cybercriminals are utilising new and evolving technology to compromise and steal the assets of companies.
Types of cyber risk:
- Phishing
- Malware
- DDoS attack
- Cross-site attack
- Password theft
- Cryptojacking
- Ransomware
A3. What is risk management? What are the key principles of risk management? Answer in 120-150 words.
Risk management: The process of discovering, evaluating, and controlling risks to an organization's resources and profits is known as risk management.
Key principles of risk management:
- Early identification of risks: Measure the risk by determining its source, developing preventative measures, and planning a response in the event that it materialises.
- Risks involved in organization goals and objectives: Make sure your organization's general goals and objectives are aligned with your risk management plan.
- Managing risks within the context: Since each organisation will have a varied level of risk tolerance, context is crucial when analysing project risk. Different causes will have varying effects on organisations and industries.
- Stakeholder involvement: It is crucial to enlist the assistance of project participants as well as internal organisation experts who can advise you on risk management strategies.

A4. What is meant by tolerance of risk in an organization? Answer in 40-80 words.
Risk tolerance: A critical consideration when making risk-based decisions, risk tolerance is a measurement of the amount of risk that an organisation is ready to accept. It can be stated in qualitative or quantitative terms. Organizations must decide what categories and what degrees of risk are acceptable. To maintain uniformity throughout the firm, risk tolerance is set as part of the organisational risk management plan.

A5. What laws in Australia are related to cyber security? Provide a brief description of these laws. Answer in 200-250 words.
- Privacy Act 1988: The Privacy Act 1988 is the main law in Australia that governs the management of personal data about people. This covers both the federal public and private sectors' acquisition, use, storage, and disclosure of personal information.
- Gramm-Leach-Bliley Act of 1999: The Gramm-Leach-Bliley Act created guidelines for financial organisations' use of client information. All businesses that are "significantly engaged" in offering customers financial products and/or services are subject to the law.
- Children's Online Privacy Protection Act of 1998: The Children's Online Privacy Protection Act (COPPA) gives parents choice over how their children's information is shared in order to safeguard children under the age of 13.
- The Telecommunication Act 1979: The Act permitted a corporation to possess up to 4 stations in a single market and removed a limit on national station ownership.
- The Security of Critical Infrastructure Act 2018: The Security of Critical Infrastructure Act 2018 aims to control the intricate and changing national security dangers presented by foreign interference in Australia's critical infrastructure, including sabotage, espionage, and coercion.

A6. Describe ISO standards in relation to cyber security and governance. Answer in 200-250 words.
Each business that uses technology must adopt ISO standards for security, such as ISO 9001 and ISO 27001. It is the responsibility of the security officer to ensure that they are implemented and maintained correctly.
- ISO 27001: A widely recognised standard, ISO 27001 establishes the specifications for an ISMS. The requirements give you guidance on how to create, maintain, and enhance your ISMS. The 2013 revision of the standard, known as ISO/IEC 27001:2013, is regarded as the gold standard for safeguarding stakeholder and consumer confidentiality.
- ISO 22301: The international standard for business continuity management (BCM) is ISO 22301. The International Organization for Standardization's ISO 22301 is a publication that is intended to assist businesses in preventing, preparing for, responding to, and recovering from unanticipated and disruptive incidents. The following are some advantages of the standard: reducing the effects of disasters by taking a proactive approach, maintaining vital operations during emergencies, minimising downtime, hastening recovery times, and displaying resilience to clients.
- ISO 20000: The international ITSM (IT service management) standard is ISO/IEC 20000. It makes it possible for IT departments to make sure that their ITSM procedures are in line with business requirements and global best practices. Your organisation can benefit from ISO 20000 by benchmarking its ITSM, enhancing services, proving that it can satisfy customer needs, and developing a framework for impartial evaluation. It also gives access to important markets because many public sector organisations demand that IT service suppliers show proof of ISO 20000 compliance.

A7. Describe parts 10.7 and 10.8 of the Criminal Code Act 1995 of Australia. Answer in 200-250 words.
Part 10.7 describes the computer offences: unauthorised access, modification or impairment with intent to commit a serious offence. Access to data held in a computer refers to: the data being displayed by the computer or being output in any other way; the data being copied or moved to another location in the computer or to a data storage device. Unauthorised modification of data with intent to impair covers the alteration or removal of the data, an addition to the data, and the prevention of any such communication over an electronic link or network utilised by the computer, i.e. impairing electronic communication to or from a computer.
Part 10.8 covers financial offences. ADI refers to a business that complies with the Banking Act 1959's definition of an ADI. Dealing in personal financial information entails providing or using financial information. Deception is the intentional or reckless use of words or other conduct to deceive. Possession or creation of personal financial information is considered to be obtaining personal financial information. Information about a person that could be used to obtain finances, credit, or other financial benefits is referred to as personal financial information.

A8. Describe PCI DSS and its main features. Answer in 200-250 words.
PCI DSS stands for "Payment Card Industry Data Security Standard". In order to maintain a secure environment, ALL businesses that accept, handle, store, or send credit card information must adhere to this set of security standards. American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International are members of the PCI Security Standards Council, which created it. All companies that store, process, or transmit cardholder information are subject to the standard.
Features of PCI DSS:
- For processing credit card transactions, IS&T offers a secure transmission infrastructure.
- Wherever it is kept, cardholder data is secure.
- Access to cardholder data is constrained to those who have a business need-to-know.
- The most recent anti-virus software safeguards systems.
- Networks are tested and monitored to ensure that security precautions are in place and working properly.

A9. Describe the Essential Eight security model. Answer in 200-250 words.
Essential Eight security model:
- Application control: The programs that can run in your environment and who can run them are controlled by application control.
- Application patching: Application patching makes sure all software services have the latest updates installed, keeping productivity systems safe and functional. The third blog in this series shows how to mature your approach to application patching.
- Microsoft Office macro configuration: Microsoft Office macro settings should be configured based on the origin, trust, and users of the macros. This is the superior approach. The fourth blog in this series explains the way to the most advanced Microsoft Office macro settings.
- User application hardening: By removing unused and unsafe features and settings, user application hardening increases the security of a given application. The series' fifth blog shows how to improve the hardening of your applications.
- Restriction of administrative privileges: Restricting administrative privileges meets the principles of least privilege and zero trust by applying the logic that you should never grant access to anyone who doesn't require it.
- Operating system patching: Operating system patches protect the platforms on which we work. When deciding whether to run Windows, Mac, or Linux, you must also consider the operating systems used by devices other than servers, desktops, and laptops.
- Multi-factor authentication: By combining several simple secondary identification methods, such as apps, SMS codes, or even biometrics, multi-factor authentication increases the level of confidence for access and identity management.
- Backup solutions: Regular data backups protect vital corporate data and intellectual property. In a world full of security dangers, maintaining business continuity requires a strong disaster and recovery plan.

A10. Describe the Privacy Act 1988 and how it affects the cybersecurity requirements for a business. Answer in 200-250 words.
The Privacy Act 1988 is the primary piece of legislation in Australia protecting privacy and data protection. It governs how federal government agencies and companies in the private sector handle personal information. This law supports standards and rules governing privacy and data protection in connection with cybersecurity:
- Personal information may only be collected by entities using legitimate, ethical methods when it is reasonably necessary for those purposes.
- Only individuals with permission may use the personal information.
- Once information is no longer required for a purpose for which it may be legitimately used under the APPs, the organisation must destroy or de-identify it.
- Subject to certain exclusions, individuals have the right to request access to their personal information, and entities are required to accede to these requests.
According to the Privacy Act, the gathering of data through the use of cookies or other tracking technologies may constitute the gathering of personal information if the data collector has knowledge of or access to reasonable means to ascertain the identity of the data subject, or if cookie data is linked to other personal data. The APPs' requirements will correspondingly apply in these situations.

A11. Describe what data governance is. Answer in 100-120 words.
The phrase "data governance" is used at both the macro and micro levels. Protecting important data assets and ensuring that high-quality data is available to the appropriate people at the appropriate time are the shared objectives of data governance and cybersecurity. Proper data handling can have a tremendous impact in a world where privacy laws and big data are becoming more and more important. Data governance is essential to carrying out a security plan. Organizations must first understand who manages the data and where it is located in order to protect sensitive data and adhere to complicated requirements. The danger of a data breach is lower when data is organised properly, and when security problems do happen, it makes forensics easier.

A12. Describe security requirements to protect business processes in an organization. Answer in 200-250 words.
Business owners are required by law to safeguard data and maintain the confidentiality of client information. You need policies that abide by the laws on privacy, spam, and electronic transfers if you want to protect your online clients. Policies may include:
- data privacy for customers
- code of behaviour
- operational procedures.
Security specifications should specify how your company gathers, keeps, and uses data from third parties. Physical security measures might include security guards, alarm systems, bar-coded or biometric door locks, restricted access areas, and security personnel. Limit access to the data to protect it. Authorizations at the username level and password level can reduce access by unauthorised personnel. Securing equipment physically might help to safeguard your business. As a result, some equipment, including computers and printers, may need key locks. Documents ought to be kept in a safe location that is only accessible to authorised staff members. There should be an electronic copy of every document. Authorised personnel should be given photocopies or electronic copies as needed.
A13. Would there be security requirements specific to a process, or would you prefer to implement security governance guidelines that are applied across the organization? Discuss. Answer in 200-250 words.
Information security operations should be governed in accordance with all pertinent requirements, such as governing laws, rules, and corporate policies. A framework for information security governance should be established with the participation of senior managers. Information security tasks must be delegated to and carried out by people who have received the necessary training. They must be made accountable for their actions or lack thereof. To guarantee successful execution of an information security programme, information security priorities should be conveyed to stakeholders at all levels of an organisation. Information security operations must relate to other business management tasks like enterprise architecture, capital planning, and strategic planning. The organisational structure supporting information security should be suitable for the organisation it supports and should change with the organisation. Information security managers should use the tools and data at their disposal to regularly assess how well the security programme they are in charge of is performing. To influence the improvement of security posture and the overall performance of the organisation, monitoring information should be used as an input into management choices about priorities and money allocation.

A14. Describe principles of cyber security to protect an organization from a compliance perspective. Answer in 200-250 words.
The principles of cyber security that a company should adhere to in order to be protected are as follows.
Govern: To "govern" is to recognise and control security concerns. The identity and value of systems, applications, and data are determined and documented, as are the requirements for confidentiality, integrity, and availability of those systems, applications, and data. Security risk management processes are integrated into organisational risk management frameworks. Security risks are identified, documented, managed, and accepted before systems and applications are authorised for use.
Protect: Protecting is implementing security measures to lower security hazards. The following principles apply:
- Reliable providers deliver and support systems and applications.
- Systems and applications are managed in a responsible and secure way.
- Only reputable operating systems, programs, and computer code are allowed to run on systems.
- Data is regulated and inspectable while it is transmitted across separate systems and is encrypted both in transit and at rest.
- Systems, applications, and data repositories are only accessible to verified and trusted employees.
- Personnel receive continual cyber security awareness training, as well as the minimal access to systems, apps, and data repositories needed for their jobs.
Detect: Finding cyber security incidents by spotting and comprehending cyber security events. The following guidelines should be followed:
- Event logs should be gathered and examined promptly to identify cyber security incidents.
- Cyber security incidents should be examined promptly to identify them.
Respond: Responding to cyber security incidents and recovering from them. The following rules must be followed:
- Cyber security incidents must be promptly reported to the appropriate authorities, both internally and internationally.
- They must be contained, eliminated, and recovered from.
business continuity and disaster recovery plans must be implemented as needed.

A15. Describe the CIA (confidentiality, integrity, availability) Triad. Answer in 200-250 words.

Confidentiality - Measures to maintain confidentiality are intended to stop unlawful information dissemination. The confidentiality principle's goals are to maintain the privacy of personal information and to guarantee that only the people who require it to carry out their organisational duties can see and access it.

Integrity - The integrity principle guarantees that data is accurate and trustworthy and is not improperly manipulated, whether intentionally or unintentionally.

Availability - The goal of availability is to make the technological foundation, the applications, and the data accessible when they are required by a business process or by its clients.

A16. What is a cyber security incident? Answer in 200-250 words.

Cyber security incident - Any attempted or actual unauthorised access, use, disclosure, alteration, or destruction of information constitutes a security event. This includes interfering with IT operations and breaking school rules, laws, and regulations. A cyber security incident is defined as one or more acts, events, or circumstances involving any one or more of the following:
- unauthorised access to or modification of computer data
- unauthorised impairment of electronic communications to or from a computer
- unauthorised impairment of the availability, reliability, security, or functionality of computer data, a computer programme, or a computer.
Examples of computer system breaches include:
- Unauthorised use of, access to, or alteration of systems, software, or data
- Equipment storing institutional data is lost or stolen
- A denial-of-service attack is launched
- IT resources are not used as intended
- Compromised user accounts are used

A17. Describe MAPE-K. Answer in 200-250 words.

MAPE-K was created to control how autonomic systems respond. The Monitor step gathers data from the managed resources and looks for circumstances that call for modification. In the Analyze step the data is examined to see whether an adaptation is required to meet the system objectives. If one is required, the Plan step develops a method to reach a new target state that satisfies the objectives. Finally, in the Execute step the planned method is carried out on the managed resources. The Knowledge component is a set of requirements that the MAPE-K loop uses to determine adaptation parameters and tactics. The Monitor, Analyze, Plan, Execute and Knowledge (MAPE-K) model, a commonly used reference model in autonomic computing, is followed by the adaptation loop. A knowledge base built on ontologies provides the information for security adaptation; that knowledge base is the Information Security Measuring Ontology (ISMO). The ISMO is useful both during design and during operation: at the design stage it provides information to the software architect so they can incorporate security adaptation elements into their programme.

A18. What is SIEM and what SIEM tools are you aware of? Describe at least three tools. Answer in 200-250 words.

Security Information and Event Management, or SIEM, is a collection of technologies and
services that provides a comprehensive understanding of an organisation's information security. The most widely used tools are:

ArcSight - ArcSight gathers and examines log data from an enterprise's operating systems, applications, and security technologies. Security staff are informed by the system when a malicious threat is found.

IBM QRadar - QRadar gathers log data from a variety of information system sources within an organisation, including network hardware, operating systems, software, and user activity. It can also gather network flow information and log events from cloud-based applications. Threat intelligence feeds are supported by this SIEM as well.

Splunk SIEM - Both a locally installed copy of the software and a cloud service are options for the Splunk SIEM. Integration of third-party threat intelligence feeds is supported.

A19. What is a security incident response plan? What are the components of the plan? Answer in 200-250 words.

Security incident response plan - An incident response plan is a set of tools and procedures that your security team can use to find, eradicate, and deal with cybersecurity threats.
The typical components of incident response planning are:
- roles and responsibilities in incident response
- processes for each stage of the response
- communication protocols among the incident response team, the rest of the organisation, and external stakeholders
- ways to use lessons learned from prior incidents to strengthen the security posture of the organisation

Six steps of incident response:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

A20. Describe different types of cyber security incidents including security vulnerabilities and malware. Answer in 200-250 words.

Cybercriminals are continuously looking for ways to exploit the weaknesses in your computer security. However, by being aware of some of the most widespread network vulnerabilities and learning how to fix them, you can drastically lower your risk of a data breach or similar incident. Cybersecurity vulnerabilities involved in cybercrimes include:

Network security flaws - These are problems in a network's hardware or software that make it vulnerable to outside intrusion.

Vulnerabilities in the operating system - These are flaws in a particular operating system that criminals could use to damage or take control of an asset the OS is installed on.

Vulnerabilities arising from human error - The human component is frequently the weakest link in cybersecurity frameworks. Simple user errors can reveal private information, open vulnerable entry points for criminals, or crash systems.

Vulnerabilities in the process - Certain process controls can lead to the creation of vulnerabilities. The use of weak passwords is one instance.
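As an added example (not part of the assessment guide or the student's answers) tying together the MAPE-K loop from A17 and the SIEM log collection from A18: a minimal MAPE-K security adaptation loop in Python, where the Monitor parses constructed SIEM-style authentication log lines, the Knowledge component is a hypothetical list of requirements that map a metric bound to an adaptation tactic, and the managed resource is a login service represented as a dict. The log format, requirement names, thresholds and tactics are all assumptions made for illustration.

```python
"""Illustrative MAPE-K security adaptation loop (added example, not from the
assessment guide). Assumed for illustration: the managed resource is a login
service held in a dict; the Monitor consumes SIEM-style log lines; the Knowledge
component is a list of requirements mapping a metric bound to a tactic."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not real data). The last line is deliberately
# malformed to show that the Monitor ignores what it cannot parse.
SAMPLE_LOGS = [
    "2022-05-09T13:30:01 auth OK user=alice src=10.0.0.5",
    "2022-05-09T13:30:07 auth FAIL user=bob src=203.0.113.9",
    "2022-05-09T13:30:09 auth FAIL user=bob src=203.0.113.9",
    "2022-05-09T13:30:12 auth FAIL user=carol src=203.0.113.9",
    "2022-05-09T13:30:15 auth FAIL user=admin src=203.0.113.9",
    "2022-05-09T13:30:20 auth OK user=dave src=10.0.0.7",
    "this line is not an auth event and is ignored",
]
LOG_RE = re.compile(r"^\S+ auth (?P<result>OK|FAIL) user=\S+ src=(?P<src>\S+)$")


@dataclass(frozen=True)
class Requirement:
    """Knowledge entry (hypothetical): an objective expressed as a metric bound,
    plus the tactic the Plan step applies when the bound is exceeded."""
    name: str
    metric: str
    max_value: float
    tactic: str
    params: tuple = ()  # (key, value) pairs handed to the tactic


KNOWLEDGE = [
    Requirement("R1 brute-force resistance", "max_fail_per_src", 3,
                "rate_limit", (("max_per_min", 5),)),
    Requirement("R2 credential confidentiality", "fail_ratio", 0.5,
                "require_mfa"),
]


def monitor(log_lines):
    """Monitor: turn raw log lines into the metrics Analyze reasons about."""
    fails_by_src = Counter()
    total = failed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an auth event: dropped, not counted
        total += 1
        if m.group("result") == "FAIL":
            failed += 1
            fails_by_src[m.group("src")] += 1
    worst = fails_by_src.most_common(1)  # [] when there were no failures
    return {
        "max_fail_per_src": worst[0][1] if worst else 0,
        "worst_src": worst[0][0] if worst else None,
        "fail_ratio": failed / total if total else 0.0,
    }


def analyze(metrics, knowledge):
    """Analyze: list the requirements whose bound the current metrics exceed."""
    return [req for req in knowledge if metrics[req.metric] > req.max_value]


def plan(violations, metrics, resource):
    """Plan: choose actions that move the resource to a state satisfying the
    violated requirements, skipping any adaptation already in effect."""
    actions = []
    for req in violations:
        params = dict(req.params)
        if req.tactic == "rate_limit":
            src = metrics["worst_src"]
            if src not in resource.get("rate_limited", {}):
                actions.append(("rate_limit", {"src": src, **params}))
        elif req.tactic == "require_mfa":
            if not resource.get("mfa_required"):
                actions.append(("require_mfa", params))
    return actions


def execute(actions, resource):
    """Execute: apply the planned actions to the managed resource."""
    for name, params in actions:
        if name == "rate_limit":
            limits = resource.setdefault("rate_limited", {})
            limits[params["src"]] = params["max_per_min"]
        elif name == "require_mfa":
            resource["mfa_required"] = True
    return resource


def mape_k_cycle(log_lines, resource, knowledge=KNOWLEDGE):
    """One pass of the loop; returns what each step produced."""
    metrics = monitor(log_lines)
    violations = analyze(metrics, knowledge)
    actions = plan(violations, metrics, resource)
    execute(actions, resource)
    return {"metrics": metrics, "violated": [v.name for v in violations],
            "actions": actions, "resource": resource}
```

Running the cycle twice over the same logs shows the loop converging: the first pass plans a rate limit and an MFA requirement, the second pass finds the same symptoms but plans nothing because the resource already satisfies the knowledge base.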
B. Task B - Research cyber security standards and laws in the organisation

Task B instructions: For Task B you are to use the case study scenario relating to UniqueStore. You are the cyber security analyst and advisor for the company, responsible for developing strategies and implementing them to protect the information assets of the company. Ensure you have read the "Tasks A, B & C information" in the "ICTCYS606 Case study information" document provided on Moodle. Then answer the questions below.

B1. Review the company policies, industry and Australian government regulations, standards and laws required for an organisation's cyber security operations and summarise your findings. Answer in 300 words.

In order to safeguard Unique Store against online attacks and strengthen its cybersecurity posture, experts have produced collections of best practices known as cybersecurity standards. Unique Store adheres to the standards listed below.

ISO 27001 - A widely regarded standard, ISO 27001 establishes the specifications for an ISMS. Its requirements give Unique Store guidance on how to create, maintain, and enhance its ISMS.

ISO 22301 - This offers a foundation of best practices for putting in place an effective BCM system.

ISO 20000 - An organisation can benefit from ISO 20000 by benchmarking its ITSM, enhancing services, proving that it can satisfy customer needs, and developing a framework for impartial evaluation.

The following laws are among those in effect at Unique Store:
- The Privacy Act
- The Security of Critical Infrastructure Act 2018
- The Crimes Act 1914
- The Telecommunications Act 1979

B2. Perform analysis to align required laws and standards to organisational cyber operations and provide your recommendations. Answer in 300 words.

Unique Store data is safeguarded against both internal and external attacks thanks to cyber security. It can refer to a group of tools, techniques, frameworks, and policies used to protect computers, networks, software, and data from unauthorised access and damage. The following policies were developed by Unique Store in accordance with applicable laws and regulations.

System use guidelines: A system usage policy outlines the regulations for how Unique Store's IT system may be used, such as the requirement that passwords be used across all platforms and, if permitted, rules surrounding private use of the system outside of business hours.

The email use policy includes the following:
- Using personal email accounts for business activities is not permitted.
- Opening attachments in emails from unidentified senders is not permitted.
- It is against the law to access other people's email accounts.
- Email account passwords must never be shared.
- Excessive personal use of business email is not permitted.
- A warning that the business will be monitoring your email.

Internet use guidelines must include the following:
- Only using the Internet for business-related objectives.
- Information regarding the organisation's ability to monitor Internet usage.
- Ensuring that downloads only come from dependable and safe sources.
- Downloading executable files is forbidden because they can contain harmful malware.
B3. Analyse the organisation's existing cyber security compliance strategies and document outcomes according to organisational policies and procedures. This is necessary to develop a baseline for comparison with standards and for further development of compliance. Answer in 500 words.

Budgetary alignment - Aligning the budget is important for the compliance and security teams. When planning the budget across several years, combining the two departments can be beneficial.

Application security - Application security is one of the most crucial security measures to put in place to protect the systems. It uses both software and hardware to counter potential external threats that can appear when developing an application. Application security is the way to go if we intend to use it for our apps.

Business continuity planning - Network architecture planning is a challenging process that must be finished before the organisation's network infrastructure can be planned and developed. For the company to save money and improve business processes, a highly available and high-performance network is required.

Plans for disaster recovery and cyber security - Disaster recovery plans for cyber security are the way to go, say security professionals. This is because it is crucial for businesses to continue operating after a disaster, which is the main goal of disaster recovery plans. These plans also outline the appropriate response approach, which promotes open communication among stakeholders and guarantees a speedy process recovery when attacks do occur.

B4. How much time will it take to determine compliance evaluation requirements and to benchmark the organisational practices against the standards and laws? Prepare a plan for the CTO along with an executive summary, your findings, and recommendations. This plan will be followed in the analysis phase. Answer in 400 words.

The business-damaging nature of cyber-attacks, which are continually evolving and growing more sophisticated and covert, has made the work of the CTO more challenging. In order to provide more effective security governance and security operations (SecOps), a CTO must integrate security into every technological component of their firm.
Introduction - Benchmarking for compliance ensures an ethical organisational culture, produces advantages and results, and promotes ongoing development. A crucial part of compliance evaluation and benchmarking is compliance auditing, monitoring, testing, and value measurement.

Findings - Implement technical controls: Although a cyber-attack presents a little risk, it might be challenging to thwart. Therefore, we have tightened security in a number of ways:
- Setting up and using a firewall.
- Installing and running network monitoring software.
- Encrypting private information.
- Standardising antivirus settings for all endpoints.
- Putting policies, practices, and process controls in place.

Risk assessment - Almost all key cyber security compliance obligations call for a risk and vulnerability assessment. These are essential in identifying the most significant security flaws in the company. At the moment, Unique Store employs a risk officer and does assessments every six months.

Employee cybersecurity training requirement - To effectively combat malicious intent, it is crucial to educate staff about common hazards. A thorough cybersecurity awareness training programme also reduces the likelihood of security threats. The eight required learning courses and workshops for all staff have been implemented by Unique Store.

Security governance - It takes planning and execution to implement an organisation's security defences. Currently, Unique Store is adopting a 360-degree approach that carefully examines and safeguards every organisational asset, including the people and processes. The CTO is in a good position in the executive team to engage senior management in understanding cybersecurity priorities and generating executive buy-in for initiatives for managing cyber risk.

Deploying security-first technologies - The CTO can assist in creating and enforcing a governance framework that thoroughly evaluates the technologies employed in a company and makes sure that they adopt a security-first strategy, in which technologies and procedures that are thought to be intrinsically less safe are phased out.
C. Task C - Analyse the implementation of cyber security standards and laws in the organisation

Task C instructions: For Task C, you are to continue using the case study scenario of UniqueStore. Task C continues on from Task B. NOTE: Ensure you have read the "Tasks B & C information" in the "ICTCYS606 Case study information" document provided on Moodle. Then answer the questions below.

C1. Conduct an organisational compliance assessment according to organisational and legislative requirements; review the documents and policies provided in the case study. Answer in 400 words.

A compliance assessment is a technique for assessing and recording the current status of risk management, supervision, and compliance in a particular compliance area at Unique Store. A compliance audit is a methodical examination of how closely a company adheres to standards that have been established by a governing authority. An auditing team conducts compliance audits to standardise procedures, find organisational gaps, and reduce risks. Unique Store must adhere to the following regulations:
- Eliminating any blind spots and keeping an eye on environmental adjustments: identifying, mapping, and notifying users of topology changes throughout the whole hybrid enterprise, including settings using multiple clouds.
- Continual vulnerability assessment and repair.
- Removing redundant or shadow rules that negatively affect device performance.
- Performing in-the-moment analysis and offering a thorough history of rule and object usage in a policy to make it simple to spot unused rules.
- Outlining specific traffic patterns in a rule and reporting on the information moving across a large address range.
- Using event-driven review and verification to identify which rules should be kept and recertified and which ones should be decommissioned.
C2. Document assessment findings according to organisational policies and procedures. Answer in 500 words.

Organisational policies and procedures offer standards for decision-making and for how work should be done inside an organisation. Increased openness, accountability, uniformity, and stability are the outcomes of having clear, well-written policies and processes. Because data breaches and cyberattacks can be expensive, cybersecurity regulations are crucial. At the same time, employees are frequently the security weak points in a business. Employees fail to encrypt important information, share passwords, open harmful URLs and attachments, and use unauthorised cloud applications. Public businesses or organisations that operate in regulated sectors like healthcare, finance, or insurance need these kinds of rules more than others. If their security protocols are found to be insufficient, these firms run the risk of facing severe penalties.

Unique Store follows the suggested policies and procedures. Recommendations:
- application control
- Microsoft Office macro configuration
- user application hardening
- administrator permission restrictions
- operating system patches
- multi-factor authentication
- regular backups

C3. Identify and document areas of non-compliance and near misses; use a suitable format to present your findings. Answer in 400 words.

Action must be taken in response to non-compliance in order to manage any consequences as well as to control and correct the non-compliance. An organisation must also assess whether root cause elimination is necessary to stop recurrence. When root cause elimination measures are implemented, their efficacy must be evaluated.

All internet-connected systems, for instance, are still susceptible to increasingly skilled, persistent threat actors, such as nation states and well-funded criminal groups, who can evade even strong defences to access
systems and expose businesses to a variety of regulatory investigations and legal action.

Aside from cyber security, there are other non-compliance issues and near misses at Unique Store, including:
- Employees are exposed to an increased risk of accidents in both scenarios: "An employee slips and nearly falls because of a leaking air conditioner spilling onto a pavement." It is crucial to keep track of these close calls so that employees understand the importance of taking precautions at work.
- Unique Store occupies an eight-storey building. Employees who work at heights need to be considerably more aware of the risks they may encounter at work. Serious injuries or even death could follow from a fall from a considerable height.
- Failure to take precautions and evaluate hazards when operating heavy machinery could lead to serious injury or death.

C4. How will you align the organisation's activities to the required standards, to fill the gaps as per your findings? Research and use industry best practices. Answer in 400 words.

A significant factor separating high-performing from low-performing businesses is organisational alignment. Compliance with relevant laws, regulations, and standards is facilitated by an organisation's policies and processes. Many people take financial shortcuts, such as using pre-made policy templates. On some organisations' websites, you can download their policies. Use caution when copying and pasting documents from other companies with this technique. The management and organisation of policies and procedures may differ significantly, making adaptation challenging. There is also the question of whether the other corporation accurately and consistently followed all applicable rules and regulations.

Have a strong compliance and ethics programme in place and develop rules and procedures to prevent and identify illegal behaviour. The question is how organisational actions should be brought into line with the necessary standards. Make sure that each policy statement is clear, understandable, and focused on a particular issue. Throughout the document, use the active voice. Make documents simple to understand for those who must follow them.
Check to see whether the policy conflicts with any other policies. All policies ought to be compared with analogous ones. Explain each of the key terms used in the text. The text ought to be supported by cited authority.
D. Task D - Implement and align the organisation with the standards and laws

Task D instructions: For Task D you are to use the case study scenario for UniqueStore. Ensure you have read the "Task D information" in the "ICTCYS606 Case study information" document provided on Moodle. Then answer the questions below.

D1. Develop and document all compliance requirements and present a report to the CTO. Answer in 500 words.

Compliance requirement - Essential 8 Maturity Model: Planning and executing improvement initiatives is a component of the Essential 8 Maturity Model, as is creating workgroups and a culture of professional excellence, and integrating worker development with process improvement. The elements of the Essential 8 model are as follows:
- application management
- patching of applications
- disabling untrusted Microsoft Office macros
- hardening user applications
- limiting admin rights
- patching operating systems
- using multi-factor authentication
- backing up vital data every day

PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) was created to reassure customers and safeguard their data. These security guidelines for credit card transactions are now mandated for all businesses.

Inventory of authorised and unauthorised devices - Completely eliminating blind spots; discovering, mapping, and alerting on topology changes throughout the hybrid company.
Continuous vulnerability assessment and remediation - Continuous vulnerability assessment and remediation refers to the patching or fixing of cybersecurity flaws found in enterprise assets, networks, and applications. Real-time detection is used to find weak points in systems, scope modifications before they are implemented, and speed up the approval process.

Secure configurations for network devices - Secure configurations for network devices begin with firewall policy and the particular management tools that have been deployed: getting rid of rules and doing real-time analysis.

Boundary defence - Boundary defence involves connecting to every on-premises network device and every private and public cloud instance in order to collect security policies, standardise data, and present everything through a single pane of glass; revealing any rules that permit access similar to a new request, or any requests that duplicate that access; and performing a pre-change impact analysis to analyse the effects of a possible rule change on compliance and security.

D2. Distribute requirements to required personnel in preparation to realign business activities to requirements; prepare a presentation and present it to the stakeholders. (For this activity you will perform a role play, present your recommendations to your class and obtain feedback.) Please attach your presentation with the assessment. Answer in 400 words.

Introduction

Online retailer Unique Store offers a variety of goods in a number of categories, including fashion, home appliances, furniture, and electronics. The store's suppliers are spread around Australia and beyond; however, it is based in Sydney. They have a warehouse in Fairfield, and their corporate headquarters are in the CBD.

They mainly rely on information technology and eBusiness solutions as an online retailer. An Equinix data centre houses their IT infrastructure. Their website and eBusiness are supported by a number of COTS and custom apps. Their back-office software is provided by Microsoft, and their IT hardware is supplied by HP and Cisco. Windows 10, Office 365, Azure, Outlook, and OneDrive are all used by them.

Analysis - Objectives of security compliance:
- Reduce the effect of incidents
- Identify and manage current and potential threats
- Maintain vital operations during times of emergency
- Reduce downtime and speed up recovery

Organisation's risk culture

Risk culture refers to the shared values, beliefs, knowledge, attitudes, and awareness of risk among a group of individuals working towards the same goal. All organisations, including for-profit businesses, government agencies, and nonprofits, must follow this rule.

Regulations and compliance standards for the Essential Eight Maturity Model

ISO 27001 - A widely regarded standard, ISO 27001 establishes the specifications for an ISMS. Its requirements give Unique Store guidance on how to create, maintain, and enhance its ISMS.

ISO 22301 - This offers a foundation of best practices for putting in place an effective BCM system.

ISO 20000 - An organisation can benefit from ISO 20000 by benchmarking its ITSM, enhancing services, proving that it can satisfy customer needs, and developing a framework for impartial evaluation.
PCI DSS - The organisation has implemented the security controls and guidelines listed below to meet the PCI DSS 3.2 criteria.

Several laws are implemented in Unique Store, including:
- the Security of Critical Infrastructure Act
- the Crimes Act 1914
- the Privacy Act

Observed meeting for question D3

THE SCENARIO: You are discussing your findings and recommendations in relation to cyber security compliance requirements for UniqueStore. Participants:
- You, acting as the Cyber Security Specialist
- A CTO of the company, as role played by another student in your unit
- An Operations Manager at UniqueStore, as role played by another student in your unit

NOTE: Your Trainer & Assessor will also observe this meeting and complete an observation checklist.

WHAT YOU NEED TO DO BEFORE YOUR MEETING: Organise a day and time for your meeting, in line with the availability of other students in your unit as well as your Trainer & Assessor. This meeting should take no more than 5 minutes. You are required to manage the meeting. Prior to the meeting ensure you have read the instructions below on what you'll be required to do during the meeting and prepare as necessary.

WHAT YOU NEED TO DO DURING YOUR MEETING: Use the meeting to:
- Describe the objectives of your presentation
- Outline the areas of shortcoming and gaps
- Provide recommendations for future improvement
Ensure you take note of what you discuss during the meeting.
WHAT YOU NEED TO DO AFTER YOUR MEETING: Record notes of what was discussed during your meeting. Answer in 40-80 words.

Meeting notes
Location - Room 4
Date and time - 09-05-2022 1:30 PM
Attendees - Ajay, Sara, Sahil, Ashima
Agenda:
- Discuss objectives of Unique Store
- Discuss organisation culture
- Discuss compliance and regulatory requirements of the Essential Eight model
- Discuss PCI DSS requirements
- Discuss cyber security laws and standards

Action items | Owners | Deadline | Status
Laws and standard requirements | Sara, Sahil | 16-05-2022 | Progressed
Existing cyber security compliance strategies | Ajay, Ashima | 17-05-2022 | Progressed
Conduct compliance assessment | Ajay, Sara, Sahil | 22-05-2022 | Progressed

D3. Develop an evaluation strategy according to organisational policies and procedures to be used in future for compliance analysis, gap findings, solution identification and
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
ICT60220 Advanced Diploma of Information Technology (Cyber Security) Student Assessment Guide: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law implementation of the recommendations Answer in 400 words. The threat that cyberattacks represent to businesses' operations, reputations, and revenue streams is starting to become more widely understood. Your cyber security strategy should be planned out in eight steps, including a security risk assessment, security goals, technology evaluation, security framework selection, security policy review, risk management plan creation, implementation of your security strategy, and security strategy evaluation. The risk evaluation will necessitate cooperation from several parties as well as the proprietor of Unique business. This procedure is necessary to secure organisational management's commitment to allocating funds and putting the right security measures into place. Making sure that the cyber security strategy is in line with the company's business objectives is a crucial part of the plan. The development of a proactive cyber security programme for the entire organisation can start once the business objectives have been identified. A further action is to assess the technology. This is a collection of guidelines, strategies, and tools for evaluating a technology's potential worth and contribution to a particular industry or market. The security framework is the next step, and it offers instructions on the controls required to regularly monitor and assess your organization's security posture. Choose a framework that is workable and compatible with the strategic business objectives of your firm by using the 8 fundamental models that Unique Store adopted. The security policies of Unique Store are reviewed every quarter to address security concerns, adopt cyber security measures, and then make sure these rules are current and address new threats. 
Risk management, an important element of the cyber security plan. An study of potential hazards that might have an influence on the organisation is provided in this strategy. 10 D4. Submit all documents to required personnel as a report and seek and respond to feedback obtained. You will prepare a brief for your class and discuss it in the class to receive feedback and to adjust your strategy accordingly, then finalize your report. Use an appropriate report format. Add your report here along with the brief you have prepared. Student Assessment Guide: ICTCYS606 Version: v21.0 Page 36 of 42 Developed by: ACBI Approved by: DoS Issued: April 2022 Review: April 2022
Answer in 250 words.

Introduction
Online retailer Unique Store offers a variety of products in the following categories: fashion, home appliances, furniture and electronics. The store is based in Sydney, although its suppliers are spread around Australia and beyond. It has a warehouse in Fairfield, and its corporate headquarters are in the CBD. As an online retailer, it relies mainly on information technology and eBusiness solutions. It has its own online store with a shopping cart, online catalogue and customer support features. The company's CEO is Mark Sheldon, the CFO is Timothy Assaf, the CTO is Helen George, and the COO is Hamza Abu Zeid. They answer to the company's proprietors, Mark and Hamza among them, who make up the board of directors. It is our responsibility as the company's cyber security analyst and advisor to create and put into action plans to safeguard its information assets.

Objectives of Unique Store:
- Recognise and combat present and potential dangers.
- Reduce the effect of incidents.
- During times of crisis, continue to run the essential operations.
- Reduce downtime during incidents as much as possible, and accelerate recovery.

Risk Culture - The term "risk culture" refers to the values, beliefs, knowledge, attitudes and awareness of risk that are held by a group of individuals who have a common goal.
Behaviours - When our people's thinking is sound, their actions will follow suit. In Unique Store, effective communication is crucial. Prior to making any decision, it is important to always take risk into account. Everyone is accountable for risk and controls. Be prepared to take ownership and stand up.
Actions - When the proper attitudes and behaviours are in place, we may proceed to creating personalised risk management plans for each employee.
Essential Eight Security Model
Application Control - Application control governs which programs can run in your environment and who can run them.
Application Patching - Application patching makes sure all software services have the latest updates installed, keeping productivity systems safe and functional. The third blog in this series covers maturing your approach to application patching.
Microsoft Office Macro Configuration - Microsoft Office macro settings should be configured based on the origin, trust and users of the macros. This is the superior approach. The fourth blog in this series explains the way to the most advanced Microsoft Office macro settings.
Hardening of User Applications - By removing unused and unsafe features and settings, user application hardening increases the security of a given application. The series' fifth blog covers improving the hardening of your applications.
Administrative Privileges Restrictions - Restricting administrative privileges meets the principles of least privilege and zero trust by applying the logic that you should never grant access to anyone who doesn't require it.
Operating Systems Patching - Operating system patches protect the platforms on which we work. When deciding whether to run Windows, Mac or Linux, you must also consider the operating systems used by devices other than servers, desktops and laptops.
Multi-Factor Authentication - By combining several simple secondary identification methods, such as apps, SMS codes or even biometrics, multi-factor authentication increases the level of confidence for access and identity management.
Backup Solutions - Regular data backups protect vital corporate data and intellectual property. In a world full of security dangers, maintaining business continuity requires a strong disaster recovery plan.

PCI DSS - The five main credit card companies (American Express, Discover Financial Services, JCB, MasterCard and Visa) introduced PCI DSS in 2004. The PCI DSS requirements for Unique Store are listed below.
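The eight controls above are what a compliance assessment (Task C) has to test host by host, recording compliant controls, near misses and areas of non-compliance. The following script is an added example written for this guide, not part of the assessment material or any Unique Store tooling: it takes a small constructed inventory of host evidence and classifies each Essential Eight control per host. The patch-age and backup-age limits, the near-miss margin, the approved-administrator list and the host and account names are all assumptions chosen for illustration; an assessor would set them from the organisation's own policies.

```python
"""Essential Eight gap check over a constructed host inventory.

Added example (not part of the assessment guide or of Unique Store's own
tooling). Each host record holds the evidence an assessor would collect
for the eight controls; the checks classify every control per host as
compliant, a near miss or non-compliant. All thresholds and names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed policy limits (example values, not taken from the guide).
MAX_PATCH_AGE_DAYS = 14       # applications and operating systems
NEAR_MISS_MARGIN_DAYS = 3     # within this many days of the limit counts as a near miss
MAX_BACKUP_AGE_DAYS = 7
APPROVED_ADMINS = {"it.admin", "helen.george"}   # constructed account names

# (host, control, status, detail)
Finding = Tuple[str, str, str, str]


@dataclass
class HostEvidence:
    """Evidence gathered for one host; every field is constructed sample data."""
    name: str
    app_control_enforced: bool
    app_patch_age_days: int
    macro_policy: str          # "blocked", "trusted_only" or "any"
    app_hardened: bool
    admin_accounts: List[str]
    os_patch_age_days: int
    mfa_enforced: bool
    backup_age_days: int
    restore_tested: bool


def age_status(age_days: int, limit_days: int) -> str:
    """Classify a patch or backup age against a limit, flagging near misses."""
    if age_days > limit_days:
        return "non-compliant"
    if age_days > limit_days - NEAR_MISS_MARGIN_DAYS:
        return "near-miss"
    return "compliant"


def evaluate_host(h: HostEvidence) -> List[Finding]:
    """Return one finding per Essential Eight control for a single host."""
    findings: List[Finding] = []

    def add(control: str, status: str, detail: str) -> None:
        findings.append((h.name, control, status, detail))

    add("Application control",
        "compliant" if h.app_control_enforced else "non-compliant",
        "enforced" if h.app_control_enforced else "not enforced")
    add("Patch applications",
        age_status(h.app_patch_age_days, MAX_PATCH_AGE_DAYS),
        f"{h.app_patch_age_days} days since last application patch")
    # Macros allowed from any origin are the gap; blocked or trusted-only passes.
    add("Configure Office macros",
        "compliant" if h.macro_policy in ("blocked", "trusted_only") else "non-compliant",
        f"macro policy: {h.macro_policy}")
    add("User application hardening",
        "compliant" if h.app_hardened else "non-compliant",
        "hardened" if h.app_hardened else "default settings")
    unapproved = sorted(set(h.admin_accounts) - APPROVED_ADMINS)
    add("Restrict administrative privileges",
        "non-compliant" if unapproved else "compliant",
        f"unapproved admins: {', '.join(unapproved) or 'none'}")
    add("Patch operating systems",
        age_status(h.os_patch_age_days, MAX_PATCH_AGE_DAYS),
        f"{h.os_patch_age_days} days since last OS patch")
    add("Multi-factor authentication",
        "compliant" if h.mfa_enforced else "non-compliant",
        "enforced" if h.mfa_enforced else "not enforced")
    # A recent but never-restored backup is a near miss, not a pass.
    if h.backup_age_days > MAX_BACKUP_AGE_DAYS:
        backup = ("non-compliant", f"last backup {h.backup_age_days} days ago")
    elif not h.restore_tested:
        backup = ("near-miss", "backup recent but restore never tested")
    else:
        backup = ("compliant", "recent backup with tested restore")
    add("Regular backups", *backup)
    return findings


def evaluate_fleet(hosts: List[HostEvidence]) -> List[Finding]:
    return [f for h in hosts for f in evaluate_host(h)]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status for the report's executive summary."""
    counts: Dict[str, int] = {}
    for _, _, status, _ in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


def gaps(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(host, control) pairs that need a remediation action."""
    return [(host, ctl) for host, ctl, status, _ in findings if status == "non-compliant"]


# Constructed sample inventory: one clean host, one with several gaps.
SAMPLE_HOSTS = [
    HostEvidence("web-01", True, 5, "blocked", True, ["it.admin"], 3, True, 1, True),
    HostEvidence("hq-pc-07", False, 12, "any", False, ["it.admin", "sara.t"], 20, False, 2, False),
]

if __name__ == "__main__":
    results = evaluate_fleet(SAMPLE_HOSTS)
    for host, control, status, detail in results:
        print(f"{host:10} {control:34} {status:14} {detail}")
    print(summarise(results))
```

The near-miss rule is the part worth copying into a real assessment: a host that is still inside the patch window but only just, or that has a recent backup nobody has ever restored, is not a finding of non-compliance, yet it is exactly the "near miss" the Task C checklist asks you to record so the gap is fixed before it becomes one.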
4. Student Self Checklist

A. Student Self Checklist for Tasks A - D
Candidate name:
Unit of Competency: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law
Instructions: Place a tick in the Yes ("Y") column for each question you have completed all parts for.

Task A - Did you:                                                                   Y
A1. Describe the term 'Cybercrime'.
A2. Describe a cyber security risk. What risks could commonly be present in an organisation from a cybersecurity perspective?
A3. What is risk management? What are the key principles of risk management?
A4. What is meant by tolerance of risk in an organisation?
A5. What laws in Australia are related to cyber security? Provide a brief description of these laws.
A6. Describe ISO standards in relation to cyber security and governance.
A7. Describe parts 10.7 and 10.8 of the Criminal Code Act 1995 of Australia.
A8. Describe PCI DSS and its main features.
A9. Describe the Essential Eight Security model.
A10. Describe the Privacy Act 1988 and how it affects the cybersecurity requirements for a business.
A11. Describe what data governance is.
A12. Describe security requirements to protect business processes in an organisation.
A13. Would there be security requirements specific to a process, or would you prefer to implement security governance guidelines that apply across the organisation? Discuss.
A14. Describe principles of cyber security to protect an organisation from a compliance perspective.
A15. Describe the CIA (confidentiality, integrity, availability) Triad.
A16. What is a cyber security incident?
A17. Describe MAPE-K.
A18. What is SIEM and what SIEM tools are you aware of? Describe at least three tools.
A19. What is a security incident response plan? What are the components of the plan?
A20. Describe different types of cyber security incidents, including security vulnerabilities and malware.

Task B - Did you:                                                                   Y
B1. Review the company policies, industry and Australian government regulations, standards and laws required for organisations' cyber security operations and summarise your findings.
B2. Perform analysis to align required laws and standards to organisational cyber operations, and provide your recommendations.
B3. Analyse the organisation's existing cyber security compliance strategies and document outcomes according to organisational policies and procedures. This is necessary to develop a baseline for comparison with standards and further development for compliance.
B4. How much time will it take to determine compliance evaluation requirements and benchmark the organisational practices against the standards and laws? Prepare a plan for the CTO along with an executive summary, your findings, and recommendations. This plan will be followed in the analysis phase.

Task C - Did you:                                                                   Y
C1. Conduct an organisational compliance assessment according to organisational and legislative requirements; review the documents and policies provided in the case study.
C2. Document assessment findings according to organisational policies and procedures.
C3. Identify and document areas of non-compliance and near misses; use a suitable format to present your findings.
C4. How will you align the organisation's activities to the required standards, to fill the gaps identified in your findings? Research and use industry best practices.

Task D - Did you:                                                                   Y
D1. Develop and document all compliance requirements and present a report to the CTO.
D2. Distribute requirements to required personnel in preparation to realign business activities to requirements; prepare a presentation and present it to the stakeholders.
D3. Develop an evaluation strategy according to organisational policies and procedures to be used in future for compliance analysis, gap findings, solution identification and implementation of the recommendations.
D4. Submit all documents to required personnel and seek and respond to feedback obtained. You will prepare a brief for your class and discuss it in the class to receive feedback and to adjust your strategy accordingly.