ICTCYS608 Student Assessment Guide

School: Deakin University
Course: 606
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 32
Uploaded by: BrigadierAnteaterMaster276

Student Assessment Guide: ICTCYS608 Perform cyber security risk assessments
ICT60220 Advanced Diploma of Information Technology (Cyber Security)
Student Assessment Guide: ICTCYS608 Perform cyber security risk assessments
Version: v21.0 | Page 2 of 32 | Developed by: ACBI | Approved by: DoS | Issued: September 2021 | Review: September 2021

Copyright 2021 Australian College of Business Intelligence. All rights reserved.
Version: 21.0
Date Modified: September 2021

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Australian College of Business Intelligence.

Disclaimer: The Australian College of Business Intelligence does not invite reliance upon, nor accept responsibility for, the information it provides. The Australian College of Business Intelligence makes every effort to provide a high-quality service. However, neither the Australian College of Business Intelligence, nor the providers of data, gives any guarantees, undertakings or warranties concerning the accuracy, completeness or up-to-date nature of the information provided. Users should confirm information from another source if it is of sufficient importance for them to do so.
Contents

1. Assessment Information (p. 4)
   A. Purpose of assessment (p. 4)
   B. What you are required to do (p. 4)
   C. Competencies being assessed (p. 4)
   D. Important resources for completing this assessment (p. 5)
   E. A note on plagiarism and referencing (p. 5)
   F. A note on questions with role plays (p. 6)
   G. Instructions for completing this assessment (p. 6)
2. Assessment Coversheet (p. 7)
3. Assessment Questions (p. 8)
   A. Task A - Demonstrate knowledge of cyber security risk assessments (p. 8)
   B. Task B – Prepare to perform risk assessment (p. 12)
   C. Task C – Perform risk assessment (p. 16)
   D. Task D – Finalise risk assessment (p. 18)
4. Student Self Checklist (p. 21)
   A. Student Self Checklist for Tasks A - D (p. 21)
1. Assessment Information

A. Purpose of assessment
This assessment will develop the skills and knowledge you require to conduct a risk assessment and analysis in a business environment.

B. What you are required to do
For this assessment, you are required to complete 4 tasks:
- Task A – Demonstrate knowledge of cyber security risk assessments
- Task B – Prepare to perform risk assessment
- Task C – Perform risk assessment
- Task D – Finalise risk assessment
All tasks of this assessment require you to use the provided case study information relating to the fictional company EzyMart.

C. Competencies being assessed

Elements
To achieve competency in this unit you must demonstrate your ability to:
1. Prepare to perform risk assessment
2. Perform risk assessment
3. Finalise risk assessment

Performance Evidence
Evidence of the ability to:
- Conduct a cyber security risk assessment on at least one occasion

Knowledge Evidence
To complete the unit requirements safely and effectively, you must demonstrate knowledge of:
- Risk assessment methodologies and processes required in cyber security
- Methodologies of identifying and measuring risk culture and risk appetite in the cyber environment
- Sources of legislative requirements required in cyber security
- Organisational procedures applicable to conducting a cyber security risk assessment, including:
  o Documenting risk assessment processes and findings
  o Establishing requirements and features of cyber security risk assessment processes
For further information on the competencies of this unit, please refer to: https://training.gov.au/Training/Details/ICTCYS608

D. Important resources for completing this assessment
To complete this assessment, please refer to the following resources provided on Moodle:
- ICTCYS608 Perform cyber security risk assessments learner guide
- ICTCYS608 Marking Guide
- ICTCYS608 Case study folder
- Additional student assessment information

E. A note on plagiarism and referencing
Plagiarism is a form of theft where the work, ideas, inventions etc. of other people are presented as your own. When quoting or paraphrasing from a source such as the Internet, the source must be recognised. If you are quoting a source, make sure to acknowledge this by including “quotation marks” around the relevant words/sentences or ideas. Note the source at the point at which it is included within your assessment, such as by using a citation. Then list the full details of the source in a ‘references’ section at the end of your assessment. All sources used for your assessment should be detailed in a ‘references’ section. It is advisable to never copy another person’s work.
F. A note on questions with role plays
Task B, Question B5 and Task D, Question D3 involve role plays. These questions require you to role play being the cyber security manager at EzyMart, lead meetings and take notes on what is discussed.
Please note: You will also need to attend separate meetings organised by other students whereby you role play being other people. This allows other students in your unit to also role play being the cyber security manager at EzyMart.

G. Instructions for completing this assessment
Answer the questions below using the spaces provided:
- Answer all parts of each question
- Use your own words and give examples wherever possible
- The quality of your answer is more important than how long it is
- Enter your answers in this document
You may use various sources of information to inform your answers, including your resources provided by ACBI, books, and online sources. You must acknowledge and cite your sources.

Submission via Moodle
Please refer to the “Instructions for Submitting Your Assessment” found within the unit course page on Moodle.
NOTE: Please take care to follow all instructions listed. Assessments uploaded with a draft status on Moodle may not be graded.

2. Assessment Coversheet

Candidate Name: Ajay Yadav
Student ID: Acbi20210532
Contact Number: 0451129915
Email: ajyadmac@gmail.com
Trainer / Assessor Name: Naveed Khan
Qualification: ICT60220 Advanced Diploma of Information Technology (Cyber Security)
Units of Competency: ICTCYS608 Perform cyber security risk assessments
Assessment Tasks:
  A. Demonstrate knowledge of cyber security risk assessments
  B. Prepare to perform risk assessment
  C. Perform risk assessment
  D. Finalise risk assessment
Due Date:
Date Submitted:

Declaration: I have read and understood the following information at the beginning of this assessment guide (please tick):
- Assessment information
- Submitting assessments
- Plagiarism and referencing
I declare this assessment is my own work and where the work is of others, I have fully referenced that material.
Name (please print): Ajay Yadav
Candidate signature:
Date:
3. Assessment Questions

A. Task A - Demonstrate knowledge of cyber security risk assessments

Task A instructions
Answer the questions below to demonstrate your knowledge of cyber security risk assessments.

A1. Describe the elements of a cyber security risk assessment. Answer in 100-200 words.

A cyber security risk assessment is a process that helps organizations identify, analyse, and prioritize the security risks they face. It involves the following elements:
- Identify the assets, threats, and vulnerabilities that could affect the organization’s operations, data, systems, and reputation.
- Analyse the likelihood and impact of each risk scenario, taking into account the existing security controls and mitigation strategies.
- Prioritize the risks based on their severity, urgency, and potential consequences, and assign them to different categories or levels.
- Report the findings and recommendations of the risk assessment, using clear and concise language, and providing supporting evidence and documentation.
- Review and update the risk assessment periodically, or whenever there are significant changes in the organization’s environment, objectives, or resources.

A2. Describe what the ‘risk appetite’ of an organization means. Then explain how the risk management policies of an organization can impact its contingency plans and hence its operations. Answer in 100-200 words.

Risk appetite is the level of risk that an organization is willing to accept in pursuit of its objectives before action is deemed necessary to reduce the risk. Risk appetite reflects the organization’s risk attitude and its willingness to accept risk in specific scenarios, with a governance model in place for risk oversight.

Risk management policies are the guidelines and procedures that an organization follows to identify, assess, avoid, and mitigate risks. They help the organization align its risk appetite with its strategic goals and objectives, and comply with relevant regulations and standards. They affect contingency plans, and hence operations, in the following ways:
- Risk management policies can help the organization prioritize the most critical risks and allocate resources accordingly to develop and implement contingency plans.
- Risk management policies can help the organization define the triggers and thresholds for activating the contingency plans and assign roles and responsibilities for executing them.
- Risk management policies can help the organization monitor and evaluate the effectiveness of the contingency plans and update them as needed to reflect changes in the risk environment.

A3. Explain what a risk register is. Then describe how you would prepare one for an organization. Answer in 150-300 words.

A risk register is a document that is used as a risk management tool to identify, analyse, and prioritize potential risks that could affect the execution of a project or an organization. It helps to record and track the details of each risk, such as its description, category, probability, impact, score, response plan, and owner. A risk register can also be displayed as a table or a scatterplot to visualize the level and distribution of risks.

To prepare a risk register for an organization:
- Gather relevant past documents, such as previous risk registers, project plans, lessons learned, and audit reports, to identify common or recurring risks that the organization may face.
- Gather input from various stakeholders, such as managers, employees, customers, suppliers, and experts, to identify new or emerging risks that the organization may encounter.
- Enter the potential risks into the risk register, using a consistent format and terminology, and assign a unique identifier to each risk.
- Analyse the probability and impact of each risk, using qualitative or quantitative methods, such as scales, ratings, scores, or formulas, and document the assumptions and sources of data used.
- Prioritize the risks based on their risk score, which is the product of probability and impact, and assign them to different categories or levels, such as high, medium, or low.

A4. Explain three pieces of cyber security legislation. Answer in 250-500 words.

Cyber security legislation consists of laws and regulations that aim to protect the security and privacy of data and systems from cyber threats, such as hacking, phishing, malware, and ransomware. Different countries and regions have different cyber security legislation, depending on their legal frameworks, cultural values, and security challenges.
- The Privacy Act 1988 - The Privacy Act includes the Australian Privacy Principles (APPs), which set out the standards and obligations for handling personal information, and the Notifiable Data Breaches (NDB) scheme, which requires organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches that are likely to result in serious harm.
- The Security of Critical Infrastructure Act - This is a law that aims to enhance the security and resilience of Australia’s critical infrastructure, which includes assets and systems in the electricity, gas, water and ports sectors. The Act requires owners and operators of critical infrastructure assets to provide information to the government, comply with risk management obligations, and cooperate with government directions in response to significant incidents.
- The Criminal Code Act 1995 - This is a law that defines and criminalises various cyber offences, such as unauthorised access, modification, or impairment of data and systems, identity theft, phishing, spamming, and cyber terrorism.
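The A3 procedure (a unique identifier per risk, probability and impact rated on a scale, score = probability × impact, banding into high/medium/low, and prioritisation by score) as an added worked example in Python; it is not part of the assessment guide or of EzyMart's case study. The 1-5 scales, the banding thresholds and the sample risks are constructed assumptions, and the validation step flags entries that lack a response plan or an owner, the kind of gap a review of a register looks for.

```python
"""Qualitative risk register built along the steps of the A3 answer.

Added example, not part of the assessment guide or of EzyMart's case study.
Each risk gets a unique identifier, probability and impact are rated on a
scale, score = probability x impact, the score is banded into High / Medium /
Low, and the register is ordered by priority. Entries missing a response plan
or an owner are flagged, since a register without them cannot be actioned.
The 1-5 scales, the banding thresholds and all sample risks are constructed
assumptions.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5                 # assumed 5-point qualitative scale
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 8    # assumed bands over the 1-25 score


@dataclass
class Risk:
    risk_id: str          # unique identifier, as A3 requires
    description: str
    category: str
    probability: int      # 1 = rare ... 5 = almost certain
    impact: int           # 1 = negligible ... 5 = severe
    response_plan: str = ""
    owner: str = ""

    def score(self) -> int:
        """Risk score is the product of probability and impact."""
        return self.probability * self.impact

    def level(self) -> str:
        """Band the score into the three categories named in A3."""
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "High"
        if s >= MEDIUM_THRESHOLD:
            return "Medium"
        return "Low"


def validate(risk: Risk) -> list[str]:
    """Return the defects that would make an entry unusable for
    prioritisation: blank text fields or ratings outside the scale."""
    problems = []
    for name in ("description", "category", "response_plan", "owner"):
        if not getattr(risk, name).strip():
            problems.append(f"{risk.risk_id}: missing {name}")
    for name in ("probability", "impact"):
        value = getattr(risk, name)
        if not SCALE_MIN <= value <= SCALE_MAX:
            problems.append(
                f"{risk.risk_id}: {name}={value} outside {SCALE_MIN}-{SCALE_MAX}")
    return problems


def build_register(risks: list[Risk]) -> list[Risk]:
    """Reject duplicate identifiers and order the register by priority:
    highest score first, ties broken by impact so that severe consequences
    rank above merely likely ones."""
    seen = set()
    for r in risks:
        if r.risk_id in seen:
            raise ValueError(f"duplicate risk identifier: {r.risk_id}")
        seen.add(r.risk_id)
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


def render(register: list[Risk]) -> str:
    """Plain-text table of the register, one row per risk."""
    header = (f"{'ID':<7}{'Category':<13}{'P':>2}{'I':>3}{'Score':>7}  "
              f"{'Level':<8}{'Owner':<15}Description")
    rows = [header, "-" * len(header)]
    for r in register:
        rows.append(f"{r.risk_id:<7}{r.category:<13}{r.probability:>2}{r.impact:>3}"
                    f"{r.score():>7}  {r.level():<8}{r.owner:<15}{r.description}")
    return "\n".join(rows)


# Constructed sample entries for the fictional retailer. The threat types are
# ones the answers elsewhere name (phishing, malware, data breaches, insider
# threats). R-004 is deliberately incomplete to exercise validate().
SAMPLE_RISKS = [
    Risk("R-001", "Phishing of staff leads to compromised accounts", "People",
         4, 4, "Phishing-resistant MFA; awareness training", "IT Manager"),
    Risk("R-002", "Ransomware on warehouse order-management systems", "Technology",
         3, 5, "Offline backups; application control; patching", "IT Manager"),
    Risk("R-003", "Customer data breach via web store vulnerability", "Technology",
         3, 5, "Regular vulnerability scans; secure development", "Security Lead"),
    Risk("R-004", "Insider misuse of supplier pricing data", "People", 2, 3),
    Risk("R-005", "Supplier outage delays deliveries", "Third party",
         4, 2, "Secondary supplier agreements", "Operations"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    print(render(register))
    for r in register:
        for problem in validate(r):
            print("WARNING:", problem)
```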
A5. Explain what is meant by the term ‘risk culture’. Then describe how you would explain it to your CEO to make her understand its importance and consider the risk culture in business strategy. Answer in 100-200 words.

Risk culture is the set of values, beliefs, attitudes, and behaviours that shape how an organization perceives, takes, and manages risk. It influences the decisions and actions of all employees, from the board and senior management to the front-line staff. A strong risk culture is one that supports the organization’s strategy, objectives, and performance, while ensuring compliance with regulations and standards.

Importance of risk culture
- Risk culture affects the quality and effectiveness of risk management, which is essential for the sustainability and resilience of the organization in a volatile and uncertain environment.
- Risk culture influences the alignment and balance between risk and reward, which is critical for the optimization of value creation and protection.
- Risk culture drives the awareness and ownership of risk across the organization, which is vital for the prevention and mitigation of potential losses and crises.
- Risk culture fosters a learning and improvement mindset, which is beneficial for the innovation and adaptation of the organization to changing customer needs and market opportunities.

A6. Describe risk assessment methodologies that are adopted in cyber security practices. Answer in 100-200 words.

Cyber security risk assessment methodologies are the approaches and techniques that are used to identify, analyse, and prioritize the cyber security risks that an organization faces. There are two main types of risk assessment methodologies: qualitative and quantitative.
- Qualitative risk assessment methodologies use scenarios, scales, ratings, and subjective judgments to estimate the likelihood and impact of cyber security risks. They are useful for providing a general overview of the risk landscape, and for comparing and ranking different risks.
- Quantitative risk assessment methodologies use numeric values, formulas, and statistical models to measure and calculate the probability and magnitude of cyber security risks. They are useful for providing a more precise and objective estimation of the risk level, and for supporting cost-benefit analysis and decision making.

A7. Describe how you would gather information about the legislative requirements for cyber security related to the finance industry. Consider both national and international legislative requirements that are applied to the finance industry. Make sure you reference your sources. Answer in 100-200 words.

To gather information about the legislative requirements for cyber security related to the finance industry, follow the steps below.
- Identify the scope and jurisdiction of the financial services of interest.
- Search for the relevant cybersecurity regulations that affect the financial services in the chosen scope and jurisdiction. Some of the common cybersecurity regulations that apply to the finance industry are:
  o PCI DSS: Payment Card Industry Data Security Standard, a set of security standards for protecting cardholder data.
  o SOX: Sarbanes-Oxley Act, a law that requires public companies to maintain adequate internal controls over financial reporting and disclosure.
  o NIST: National Institute of Standards and Technology, a federal agency that develops and publishes voluntary cybersecurity frameworks and guidelines.
  o ISO/IEC 27001: International Organization for Standardization/International Electrotechnical Commission, a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system.

A8. Define what methodologies you can adopt to identify and measure the risk culture and risk appetite of the organization with respect to cyber security. Answer in 100-200 words.

Risk culture and risk appetite are important aspects of cyber security management, as they reflect the attitudes, values, and behaviours of the organization towards cyber risks. To identify and measure the risk culture and risk appetite of the organization with respect to cyber security, some of the methodologies that can be adopted are:
- Workshops, questionnaires, and stakeholder interviews: These are common methods to ascertain the risk tolerance, preferences, and expectations of the organization and its key stakeholders, such as the board, senior management, business units, and employees. These methods can also help to assess the alignment, communication, and awareness of the risk culture and risk appetite across the organization.
- Surveys: These are useful tools to collect quantitative and qualitative data on various indicators of risk culture, such as the tone from the top, the risk awareness and training, the risk reporting and escalation, the risk incentives and rewards, and the risk behaviours and outcomes. Surveys can be conducted periodically or on an ad hoc basis, and can target different levels and functions of the organization.
- Metrics and dashboards: These are effective ways to monitor and measure the risk culture and risk appetite of the organization using various sources of data, such as the control environment, the risk incidents and losses, the risk assessments and audits, the risk compliance and performance, and the risk feedback and reviews.

A9. Explain how you would prepare a cyber security risk assessment process for an organization. Make sure you address the questions below:
- What would be the requirements of the process and what would be its salient features?
- How will you document the process and how will you record your findings?
Answer in 100-200 words.

A cyber security risk assessment is a process of identifying, analyzing, evaluating, and prioritizing the cyber security risks that an organization faces, and implementing appropriate controls and mitigation strategies to reduce them. The requirements and salient features of the process are as follows:
- Requirements: The process requires a clear understanding of the organization’s objectives, assets, operations, environment, and stakeholders. It also requires access to relevant data sources, such as cyber threat intelligence, vulnerability scans, security audits, incident reports, and compliance standards. The process should involve the participation and collaboration of different roles and functions within the organization, such as the board, senior management, business units, IT staff, and security team. The process should be aligned with the organization’s risk appetite, which is the level of risk that the organization is willing to accept or tolerate. The process should be documented, communicated, and reviewed regularly to ensure its effectiveness and relevance.
- Salient features: The process consists of several steps, which can vary depending on the chosen framework or methodology. However, some of the common steps are:
  o Scope definition: This step defines the boundaries and objectives of the risk assessment, such as the scope of the assets, systems, data, processes, and functions that are included, and the criteria and metrics that are used to measure and evaluate the risks.
  o Risk identification: This step identifies and documents the potential cyber threats and vulnerabilities that could affect the organization, such as malware, phishing, denial-of-service, data breaches, insider threats, and so on. This step also considers the sources, actors, motives, and methods of these threats and vulnerabilities, as well as the existing controls and defences that the organization has in place.
  o Risk analysis: This step analyses and estimates the likelihood and impact of each identified risk, based on the probability of occurrence and the severity of consequences. This step also considers the factors that influence the likelihood and impact, such as the exposure, exploitability, and resilience of the organization. This step results in a quantified or qualified risk score for each risk, which reflects the level of risk that the organization faces.
ICT60220 Advanced Diploma of Information Technology (Cyber Security) Student Assessment Guide: ICTCYS608 Perform cyber security risk assessments B. Task B – Prepare to perform risk assessment Task B instructions You work as a cyber security manager for EzyMart. EzyMart is an online store for consumer goods and sells several products in different categories including Fashion, Home Appliances, Furniture, and electronics. The store operates in Melbourne Metro with their suppliers located in Australia and abroad. They have a warehouse located in Melbourne city and their head office is in the city as well. As an online store, they heavily rely of information technology and eBusiness solutions. Read the “ICTCYS608 Case study information” document provided on Moodle, then answer the questions below. B1. Analyse organisations risk culture and document findings according to organisational requirements of the EzyMart. Prepare a report on your findings. Answer in 300-600 words. An organization's risk culture is generally defined as the set of rules that staff members are expected to abide by in order to act in a way that promotes high performance. Behaviour norms, both individual and group, within an organization that determine the group's ability to identify, understand, discuss, and respond to the organization's present and future risks. Those at EZYMart will behave appropriately when their thinking is sound. This will include actions that are common in cultures with high levels of risk, like: Effective and honest communication. As soon as a problem or issue emerges, escalate it. always take risk and controls into account before making decisions and accept responsibility for them. Be prepared to take a stand and declare your own. 
Being honest and accepting responsibility for issues Expressing a desire to become more risk aware and knowledgeable about risk management; demonstrating concern for how their risk management affects others and understanding what happens downstream when something goes wrong. Exhibiting a constructive outlook on risk management. keeping in mind the EzyMart guidelines and practices. It is necessary to record the events leading up to the identification of the intrusion, infection, or system compromise and to report them to the security officer. The report should include specific observations about what transpired, the extent of the damage caused, and the files that were compromised. Student Assessment Guide: ICTCYS608 Version: v21.0 Page 16 of 32 Developed by: ACBI Approved by: DoS Issued: September 2021 Review: September 2021
ICT60220 Advanced Diploma of Information Technology (Cyber Security) Student Assessment Guide: ICTCYS608 Perform cyber security risk assessments B2. Research and document legislative and organisational cyber security risk requirements for EzyMart. Make sure you focus on the Essential Eight Maturity Model and define your strategy. Draft an email to Helen that provides your recommendations. Answer in 100-200 words. Write your answer here HI Helen, In addition to laws, regulations, acts, orders, by-laws, decrees, or other similar ordinances enacted by the jurisdiction in which the Services or a specific portion of the Assignment is performed, I am writing this email to make sure you understand the significance of cybersecurity risk requirements based on pertinent approvals, licenses, certificates, and other directives issued by any government agency. Take workplace health and safety, for instance. requires, to the greatest extent possible, that all employees work in physically and psychologically safe and healthy environments. This means taking precautions to make sure that the job doesn't have a detrimental effect on mental health or make a condition worse. Because they have to follow internal organizational rules and regulations, as well as applicable laws and codes of practice, when performing their duties, employees need to be aware of the legal requirements. The essential eight maturity model and the data presented here are based on the ACSC's experience gathering cyber threat intelligence, handling cyber security incidents, performing penetration tests, and assisting organizations in putting the essential eight into practice. The first step for the company should be to identify a target maturity level that makes sense for their circumstances. Organizations should then progressively apply each maturity level until the goal is achieved. 
Based on the available data, I would advise reviewing and analyzing the current system and data in order to assess and minimize risk using a risk-based approach. Doing so will guarantee that security controls are in place and that the number of impacted systems or users is kept to a minimum. I appreciate your time, and please don't hesitate to get in touch with me if you have any questions. Regards Ajay CyberSecurity Manager EzyMart Student Assessment Guide: ICTCYS608 Version: v21.0 Page 17 of 32 Developed by: ACBI Approved by: DoS Issued: September 2021 Review: September 2021
B3. Analyse EzyMart’s risk register to determine its currency against organisational legislative requirements. NOTE: You can find the risk register in the Case Study Information folder on Moodle. Answer in 200-400 words.

Write your answer here

After reviewing the risk register, we think that the data it contains is rudimentary and needs to be expanded in order to help the business assess and prioritize risk. It should go without saying that the risk register needs to include all relevant data from each risk identification, along with suggestions for mitigating or resolving the risk. In this case the information is present in the document, but it is either missing some important details or is incomplete.

As we previously discussed, the risk register does not include pertinent information such as likelihood, consequences, a better risk description, the person responsible, or recommendations. Instead, it documents and assesses the organization's systems to analyze the risks based on the organizational legislative requirements. Risks need to be evaluated in order to determine the optimal degree of control for each kind of information technology system. Sufficient controls must be implemented in order to preserve data security, confidentiality, integrity, and availability.

We may need to think about establishing a risk tracker for the organization. To track changes to the risk register in a collaborative manner, consider utilizing a cloud-based project management tool. Numerous apps offer helpful features, such as progress dashboards and messaging. The risk register may differ depending on the organization.
Although we previously stated that the actual risk register lacked pertinent information, we must take into account that in certain situations it is preferable not to expand the information too far. Don't get too hung up on the details; the primary purpose of a risk register is to document potential threats. Selecting the fields necessary to alert your team members to potential hazards is a good idea.

B4. Develop and document a risk assessment plan according to the requirements of Level 1 of Essential Eight Maturity Model. Answer in 200-400 words.

Write your answer here

Risk assessment strategy to stop malware from being delivered and executed. Attackers at this
maturity level are primarily concerned with gaining access to, and potentially even controlling, systems by using widely available commodity tradecraft. For instance, adversaries may opportunistically use a publicly available exploit for a security flaw in an unpatched internet-facing service, or they may authenticate to a service by using credentials that have been stolen, reused, brute-forced, or guessed. Generally speaking, adversaries are looking for any victim, not one in particular. Rather than exerting significant effort to gain access to a particular target, they will opportunistically look for common vulnerabilities across a large number of targets. Adversaries will convince users to launch malicious software and breach a system's security by using standard social engineering techniques, such as Microsoft Office macros. If an account with special privileges is breached, an adversary will attempt to exploit it. Depending on their goals, adversaries may also destroy data (including backups).

- Application control: Application control can be used to restrict the execution of unauthorized or dangerous programs to a list of approved programs. Examples of controlled file types include .exe, DLLs, installers, compiled HTML, HTML applications, scripts (such as Windows Script Host, PowerShell, and HTA), and drivers. Application control rulesets ought to be reviewed on a yearly basis, if not more frequently. Allowed and blocked program executions on workstations and servers are centrally logged, protected from unauthorized modification and deletion, monitored for signs of compromise, and acted upon when cyber security events are detected.

- Patch applications: Flash, web browsers, Java, Microsoft Office, and PDF viewers must be kept up to date. Within 48 hours, fix or mitigate any machines that have vulnerabilities.
Install the most recent software version and remove any outdated versions.

- Configure Microsoft Office macro settings: Block macros from the Internet and only permit vetted macros, either in "trusted locations" with restricted write access or digitally signed with a trusted certificate. This is configured in the application settings of Microsoft Office.

- Restrict administrative access: Limit administrator privileges to operating systems and applications based on user responsibilities, in accordance with the principle of least privilege. Regularly reassess whether privileges are still necessary. Do not use privileged accounts for reading email or for web browsing.

B5. THE SCENARIO: Now you have developed your risk assessment plan, you need to present the plan to relevant stakeholders at EzyMart. Set up a meeting with:
At least two relevant stakeholders, as role played by other students in your unit

WHAT YOU NEED TO DO BEFORE YOUR MEETING:
Organise a day and time for your meeting, in line with the availability of other students in your unit as well as your Trainer & Assessor. This meeting should take no more than 10 minutes. You are required to lead the meeting. Prior to the meeting, ensure you have read the instructions below on what you’ll be required to do during the meeting and prepare as necessary.

WHAT YOU NEED TO DO DURING YOUR MEETING:
Use the meeting to:
- Present an overview of your risk assessment plan in a PowerPoint format
- Seek feedback on your risk assessment plan
Ensure you take note of what you discuss during the meeting.

WHAT YOU NEED TO DO AFTER YOUR MEETING:
Record notes of what was discussed during your meeting, including the feedback received. Then explain any adjustments you will make to your risk assessment plan. Answer in 75-150 words.

Meeting notes

Write your answer here

During the meeting we discussed the following topics with the pertinent stakeholders:
- A risk assessment strategy
- The significance of implementing the eight strategies for reducing cyber risk
- The groups that avoid risk by employing this technique
- Implementation and management
- Application control
- Backups

The stakeholders advise that, in order to adhere to the previously stated requirements, we must create a monthly report on cyber security risk in order to assess the effectiveness of risk mitigation
efforts, and potential backup plans to ensure that such risks won't materialize in the future. Stakeholders also advise including the budget and backup plan in the risk assessment, in order to prioritize and assess the risks holistically.
C. Task C – Perform risk assessment

Task C instructions
Task C follows on from Task B. You now need to implement your risk assessment. Ensure you have read the “ICTCYS608 Case study information” document provided on Moodle, then answer the questions below.

C1. You now need to initiate your risk assessment according to the requirements of Level 1 of Essential Eight Maturity Model. Determine the gaps between the EzyMart recommendations and the requirements of the Maturity Model Level 1. Make sure you review the Risk Register and Information Security Policy. Answer in 200-400 words.

Write your answer here

Following the rules and guidelines of the company, information resources, including computer software and support systems, should be securely protected in order to preserve the sensitivity and significance of the information that is processed, stored, or transferred. Unauthorized users should not be able to physically harm or alter internal components of information systems in a way that could influence how well computers or other activities function. Security and environmental controls should be suitable for the degree of risk. An analysis that weighs the risk against the cost of the control should be done when determining whether security and environmental controls are appropriate. It is the users' responsibility to adhere to copyright, patent, and license agreements for intellectual property. Examples of breaches of authorial integrity that may lead to sanctions include plagiarism, invasions of privacy, unauthorized access, misuse of trade secrets, and copyright violations.
Communication infrastructure and equipment should be protected from unauthorized modification and manipulation, in order to guarantee that communications in transit are not altered or received by unintended parties and that communication services are not interrupted. All equipment rooms, wiring closets, and the resources and facilities of third-party service providers can be considered communication facilities.

When the risk register is taken into account, there are certain gaps between EzyMart's position and the Maturity Model Level 1 requirements. Maturity levels are determined by evaluating the specific and overall objectives that apply to each predefined set of process areas. The sections that follow go over each maturity level's unique traits. It is crucial to note that implementing each idea in this order requires a certain level of expertise. As a result, training sessions will be necessary prior to implementation to guarantee that staff members can comply with the risk assessment controls to a
satisfactory degree. To sum up, the requirements are being handled methodically.

C2. Document the process and outcomes of your risk assessment according to Essential Eight Maturity Model. Answer in 200-400 words.

Write your answer here

A basic set of controls that can be implemented, governed by policies and procedures, and that addresses potential points of compromise, pivoting and escalation, and cyber security incident recovery, is a useful tool for organizations that are vulnerable to cyberattacks. The outcomes of a risk assessment grounded in the Essential Eight Maturity Model help the organization create explicit policies that can prevent more significant problems down the road. It goes without saying that the company needs to create a consistent risk assessment in order to protect information, comply with applicable laws, and provide a safe workplace. To help the company identify and analyze possible risks and put the necessary controls in place, it is essential that all employees are well prepared and aware of their roles and responsibilities.

The outcomes of this risk assessment against the Essential Eight Maturity Model, in general, help the organization implement different systems and controls that will result in a secure system. As an illustration, this resulted in the business:
- Using safe system administration procedures.
- Taking charge of managing malware prevention and detection software for ICT systems.
- Monitoring system activity in order to identify any possible security threats.
- Taking charge of email system security measures.
- Checking the security guarantees made by suppliers before integrating security solutions.
- Taking responsibility for the security of communications.
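The B4 plan lists four Maturity Level 1 controls (application control, patching applications within 48 hours, Microsoft Office macro settings, restricted administrative privileges) and C1 asks for the gaps between EzyMart's current state and those requirements. The script below is an added example, not part of the original assessment, EzyMart's documents or the ACSC's own assessment procedure: it turns those four controls into per-host checks over a constructed inventory so the gap list can be produced consistently for every host. The field names, the file-type labels, the sample hosts and the fixed "now" timestamp are all assumptions.

```python
"""Essential Eight ML1 gap check over a constructed host inventory (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# File types the B4 plan says application control should cover (labels are assumptions).
APP_CONTROL_TYPES = {"executable", "dll", "installer", "compiled html",
                     "html application", "script", "driver"}
PATCH_WINDOW = timedelta(hours=48)  # the plan's "within 48 hours"


@dataclass
class Host:
    name: str
    role: str                                   # "workstation" or "server"
    app_control_enforced: bool = False
    app_control_types: Set[str] = field(default_factory=set)
    exec_events_centrally_logged: bool = False
    pending_patches: List[Tuple[str, datetime]] = field(default_factory=list)  # (app, disclosed)
    office_installed: bool = False
    macros_from_internet_blocked: bool = False
    macros_only_vetted: bool = False            # trusted locations or signed only
    privileged_accounts_used_for_mail_or_web: List[str] = field(default_factory=list)


def ml1_gaps(host: Host, now: datetime) -> List[str]:
    """Return one gap string per ML1 requirement the host fails; empty list means compliant."""
    gaps: List[str] = []
    # 1. Application control: enforced, full ruleset coverage, central logging of executions.
    if not host.app_control_enforced:
        gaps.append("application control: not enforced")
    else:
        uncovered = sorted(APP_CONTROL_TYPES - host.app_control_types)
        if uncovered:
            gaps.append("application control: ruleset does not cover " + ", ".join(uncovered))
    if not host.exec_events_centrally_logged:
        gaps.append("application control: allowed/blocked executions not centrally logged")
    # 2. Patch applications: any known vulnerability older than 48 hours is a gap.
    for app, disclosed in host.pending_patches:
        age = now - disclosed
        if age > PATCH_WINDOW:
            hours = int(age.total_seconds() // 3600)
            gaps.append(f"patch applications: {app} unpatched for {hours}h (limit 48h)")
    # 3. Office macro settings: only relevant where Office is installed.
    if host.office_installed:
        if not host.macros_from_internet_blocked:
            gaps.append("macro settings: macros from the Internet not blocked")
        if not host.macros_only_vetted:
            gaps.append("macro settings: unvetted macros allowed (not trusted-location or signed)")
    # 4. Restrict administrative privileges: no email or browsing from privileged accounts.
    for account in host.privileged_accounts_used_for_mail_or_web:
        gaps.append(f"administrative privileges: {account} used for email or web browsing")
    return gaps


def assess_fleet(hosts: List[Host], now: datetime) -> Dict[str, List[str]]:
    return {h.name: ml1_gaps(h, now) for h in hosts}


def compliant_hosts(report: Dict[str, List[str]]) -> List[str]:
    return sorted(name for name, gaps in report.items() if not gaps)


# Constructed sample inventory; none of these hosts or dates come from the case study.
NOW = datetime(2024, 2, 20, 9, 0)
SAMPLE_HOSTS = [
    Host("WS-ACCOUNTS-01", "workstation", app_control_enforced=True,
         app_control_types=set(APP_CONTROL_TYPES), exec_events_centrally_logged=True,
         pending_patches=[("Adobe Reader", NOW - timedelta(hours=72))],
         office_installed=True, macros_from_internet_blocked=True, macros_only_vetted=True),
    Host("WS-STORE-02", "workstation", app_control_enforced=False,
         app_control_types={"executable"}, exec_events_centrally_logged=False,
         office_installed=True, macros_from_internet_blocked=False, macros_only_vetted=False,
         privileged_accounts_used_for_mail_or_web=["store-admin"]),
    Host("SRV-POS-01", "server", app_control_enforced=True,
         app_control_types=set(APP_CONTROL_TYPES), exec_events_centrally_logged=True,
         pending_patches=[("Java", NOW - timedelta(hours=20))]),
]

if __name__ == "__main__":
    for name, gaps in assess_fleet(SAMPLE_HOSTS, NOW).items():
        print(name, "->", "compliant" if not gaps else "")
        for gap in gaps:
            print("   ", gap)
```

Each gap string names the Essential Eight strategy it belongs to, so the output can be pasted straight into the C1 gap table and, later, mapped back onto the risk register entries that the strategy is meant to mitigate.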
C3. Draft an email to Helen that shares the report of the outcomes of your risk assessment. Answer in 100-200 words.

Write your answer here

From: Ajay
To: Helen

Dear Helen,

I'm sending you this email because I want to discuss a few of the risk assessment's findings, which are connected to the following:
- The business uses secure system management practices.
- This organization is in charge of managing malware prevention and detection software for ICT systems.
- The business monitors system activity in order to identify any possible security threats.
- The organization is in charge of email system security measures.
- The company confirms the security guarantees made by the suppliers prior to integrating security solutions.
- Security of communications is under the company's jurisdiction.

It is significant to note that implementing this risk assessment helped to identify and assess pertinent risks, which have been controlled in accordance with company policies and procedures. At this point, it is crucial to create a process to reduce risks.

I appreciate your time, and if you have any questions, don't hesitate to get in touch with me.

Regards
Ajay Yadav
D. Task D – Finalise risk assessment

Task D instructions
Task D follows on from Task C. You now need to finalise your risk assessment for EzyMart. Ensure you have read the “ICTCYS608 Case study information” document provided on Moodle, then answer the questions below.

D1. Analyse and document findings against the risk register. Determine what threats are there in the current policy, recommendations and practices that are not accounted for in the risk register and the recommendations on Essential Eight Maturity Model. You need to identify the threats as, if they are not accounted for, the results could be lethal for business operations of EzyMart. Answer in 200-400 words.

Write your answer here

The Essential Eight mitigation strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, limiting administrator access, patching operating systems, multi-factor authentication, and routine backups. In terms of resources (time, money, and effort), proactively putting the Essential Eight into practice can be more economical than responding to a significant cyber security incident.

The organization's system for analyzing risks based on organizational statutory requirements is documented in the risk register. However, as was previously mentioned, it is missing important details such as likelihood, consequences, a more thorough risk description, the person responsible, and recommendations. To ascertain the ideal degree of control for every kind of information technology system, risks need to be evaluated. To safeguard the availability, confidentiality, integrity, and security of information, sufficient controls must be in place. Businesses that fail to adequately adhere to risk assessments may be subject to fines, jail time, and other legal repercussions.
Employees must possess the knowledge and abilities to apply and manage a good risk register, because the degree of impact varies depending on the issue. This enables the business to take appropriate action to prevent and mitigate risk while abiding by the law and its own policies and procedures.
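B3 and D1 both find the same defect in EzyMart's register: entries lack likelihood, consequences, a usable description, a responsible person and recommendations, so their currency cannot be judged. The script below is an added example, not part of the original assessment or of EzyMart's register, showing how such a currency check can be automated rather than done by eye. The 1-5 scales, the 90-day review period, the field names and the three sample entries are constructed assumptions; a real register would supply its own.

```python
"""Risk register completeness and currency check (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed qualitative scales (assumption; EzyMart's real scales are not in the case study).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The fields B3/D1 say the register is missing; an entry without them cannot be prioritised.
REQUIRED_FIELDS = ("description", "likelihood", "consequence", "owner", "recommendation")
REVIEW_PERIOD = timedelta(days=90)  # assumed review cycle; older entries are not current


@dataclass
class RiskEntry:
    risk_id: str
    description: str = ""
    likelihood: Optional[str] = None
    consequence: Optional[str] = None
    owner: Optional[str] = None
    recommendation: Optional[str] = None
    last_reviewed: Optional[date] = None
    essential_eight: List[str] = field(default_factory=list)  # strategies that mitigate it


def risk_rating(entry: RiskEntry) -> Optional[int]:
    """Likelihood x consequence on the constructed scales, or None if either is unusable."""
    if entry.likelihood not in LIKELIHOOD or entry.consequence not in CONSEQUENCE:
        return None
    return LIKELIHOOD[entry.likelihood] * CONSEQUENCE[entry.consequence]


def rating_band(score: Optional[int]) -> str:
    if score is None:
        return "unrated"
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def check_entry(entry: RiskEntry, today: date) -> List[str]:
    """Findings for one entry: empty fields, values off the scale, stale review, no mitigation."""
    findings: List[str] = []
    for name in REQUIRED_FIELDS:
        value = getattr(entry, name)
        if value is None or not str(value).strip():
            findings.append(f"missing {name}")
    if entry.likelihood is not None and entry.likelihood not in LIKELIHOOD:
        findings.append(f"likelihood '{entry.likelihood}' not on scale")
    if entry.consequence is not None and entry.consequence not in CONSEQUENCE:
        findings.append(f"consequence '{entry.consequence}' not on scale")
    if entry.last_reviewed is None:
        findings.append("never reviewed")
    elif today - entry.last_reviewed > REVIEW_PERIOD:
        findings.append(f"review overdue ({(today - entry.last_reviewed).days} days)")
    if not entry.essential_eight:
        findings.append("not mapped to an Essential Eight strategy")
    return findings


def assess_register(entries: List[RiskEntry], today: date) -> Dict[str, dict]:
    return {e.risk_id: {"rating": rating_band(risk_rating(e)),
                        "findings": check_entry(e, today)} for e in entries}


# Constructed sample register; these entries are not taken from the case study.
TODAY = date(2024, 2, 20)
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Unpatched internet-facing web server", "likely", "major",
              owner="IT Manager", recommendation="Patch or mitigate within 48 hours",
              last_reviewed=TODAY - timedelta(days=30), essential_eight=["patch applications"]),
    RiskEntry("R-02", "Staff open Office documents received by email", None, "moderate",
              last_reviewed=TODAY - timedelta(days=200),
              essential_eight=["configure Microsoft Office macro settings"]),
    RiskEntry("R-03", "", "high", "minor", owner="Operations", recommendation="Review"),
]

if __name__ == "__main__":
    for risk_id, result in assess_register(SAMPLE_REGISTER, TODAY).items():
        print(risk_id, result["rating"], "; ".join(result["findings"]) or "current")
```

An entry that rates "unrated" with no owner is the practical signal the B3 answer describes: the risk is written down but nobody can say how serious it is or who acts on it, so it cannot be prioritised against the Essential Eight strategies.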
D2. Develop and document your recommendations as guidelines and practices to improve operational measures of EzyMart to align operations against risk register requirements. Answer in 200-400 words.

Write your answer here

Here are some suggestions for enhancing business operations in accordance with risk register requirements:

- Each and every risk is important: Never think about business risks in isolation. A risk affects the entire organization, so hazards must be treated as a corporate issue. Examining the macroenvironment connected to hazards will create an integrated picture of management and enhance the organization's risk management capabilities.

- Establish uniform procedures: Create thorough risk assessment, measurement, and mitigation systems that support dynamic activities, to give operations managers better and more insightful information for making decisions.

- Create a framework for standard risk reporting: Setting up controls to be observed, determining threshold limits, and creating an automated real-time alerting system for the concerned authorities would all aid in identifying operational risks before any harm is done. In the event that a risk is identified, develop a backup plan and look into the causes of risks to prevent them in the future.

Given that we recognize the importance of stakeholder communication, how can project managers make sure that stakeholder engagement is high, regular communications occur, and stakeholders are fully informed about the risks associated with their project? By routinely reporting on your project, you can search for recurring issues, report them through interactive connections, and submit them for study.
After that, you can respond to possible threats, set up alerts, and inform important stakeholders or individuals who will need to know later on.

Staff members may need to receive pertinent training in relation to:
• Organizational needs and preferences.
• The needs and preferences of the customer.
• The newest advancements in networking technology.
• Essential hardware and software components.
• Networking services that users' PCs need to have installed in order for them to complete their tasks.
D3. You now need to present your findings. Set up a meeting with:
Helen, as role played by another student in your unit

Use the meeting to:
- Communicate risk assessment findings
- Highlight areas of non-compliance and solutions
- Seek feedback on your findings

After your meeting, record notes of what was discussed. Answer in 100-200 words.

Write your answer here

Share the results of the risk assessment: applying the organization's pertinent policies and strategies will help to identify risks and facilitate clear communication.
- Effective and transparent communication.
- As soon as a problem or issue emerges, escalate it immediately; always take risks and controls into account before making decisions; and accept responsibility for them.
- Being prepared to take charge and assert your authority.
- Being honest and accepting responsibility for issues.
- Showing a desire to become more risk aware and knowledgeable about risk management.
- Being concerned about how their risk management is affecting others, and understanding what happens downstream when something goes wrong.
- Encouraging and educating others in risk and risk management.
- Exhibiting a positive attitude toward risk management.

D4. Prepare a formal report on the outcomes of your risk assessment. Ensure your report includes an executive summary, findings, and recommendations.
Write your report in the space below. Answer in 300-600 words.

Write your answer here

Executive summary

The goal of this study is to ensure that, in terms of cyber security risk assessment, the organization complies with all applicable laws and business requirements. It is imperative to remember that everything starts with effective communication, knowledge, and abilities, in order to build a strong risk manager who enables the company to put plans in place to reduce and eliminate any potential risks to the enterprise.

Findings

When doing a cyber security risk assessment, we need to review the following factors in addition to the requirements and salient features:
- Enhanced familiarity with the organization
- Prevent data breaches
- Steer clear of regulatory issues
- Loss of data
- Prevent application outages
- Considering the policies and procedures of EzyMart

Documentation of the pre-incident events, including what happened, what damage was done, and which files or systems were impacted, is required. These must also be reported to the security officer.

As previously mentioned, the risk register documents and evaluates the organization's risk analysis system in compliance with organizational statutory requirements. However, it is deficient in important information, including likelihood, consequences, a more thorough risk description, the person responsible, and guidance. Risks need to be addressed in order to determine the optimal level of control for each kind of information technology system. Enough controls must be in place to protect information security, confidentiality, integrity, and availability.
A certain degree of experience is required for any kind of implementation or assessment, and it is crucial to make sure that all employees satisfactorily meet business standards and expectations. In order to progress in their roles and responsibilities, employees must possess the necessary knowledge, skills, and abilities. This means that, in order for employees to create appropriate risk registers in accordance with current laws, rules, and procedures, the organization must ensure that they have received the appropriate training. By doing this, the business will be protected from legal penalties.

It is highly recommended that businesses consult external specialists to provide guidance or feedback on the best course of action for enhancing information security and ensuring that customers' data is secure and confidential.
4. Student Self Checklist

A. Student Self Checklist for Tasks A - D

Candidate name: Ajay Yadav
Unit of Competency: ICTCYS608 Perform cyber security risk assessments

Instructions: Place a tick ‘ ’ in the Yes (“Y”) column for each question you have completed all parts for.

Task A – Demonstrate knowledge of cyber security risk assessments
Did you: Y
- A1: Describe the elements of a cyber security risk assessment?
- A2: Describe what the ‘risk appetite’ of an organization means? Then explain how the risk management policies of an organization can impact its contingency plans and hence its operations?
- A3: Explain what a risk register is? Then describe how you would prepare one for an organization?
- A4: Explain three cyber security legislations?
- A5: Explain what is meant by the term ‘risk culture’? Then describe how you would explain it to your CEO to make her understand its importance and consider the risk culture in business strategy?
- A6: Describe risk assessment methodologies that are adopted in cyber security practices?
- A7: Describe how you would gather information about the legislative requirements for cyber security related to the finance industry? Consider both national and international legislative requirements that are applied to the finance industry. Reference the sources used?
- A8: Define what methodologies you can adopt to identify and measure the risk culture and risk appetite of the organization with respect to cyber security?
- A9: Explain how you would prepare a cyber security risk assessment process for an organization, making sure you address the questions below: What would be the requirements of the process and what would be its salient features? How will you document the process and how will you record your findings?

Task B - Prepare to perform risk assessment
Did you: Y
- B1: Analyse the organisation's risk culture and document findings according to the organisational requirements of EzyMart? Prepare a report on your findings?
- B2: Research and document legislative and organisational cyber security risk requirements for EzyMart? Make sure you focus on the Essential Eight Maturity Model and define your strategy? Draft an email to Helen that provides your recommendations?
- B3: Analyse EzyMart’s risk register to determine its currency against organisational legislative requirements?
- B4: Develop and document a risk assessment plan according to the requirements of Level 1 of Essential Eight Maturity Model?
- B5: Set up a meeting with at least two relevant stakeholders, as role played by other students in your unit? Use the meeting to: Present an overview of your risk assessment plan in a PowerPoint format? Seek feedback on your risk assessment plan? After the meeting, record notes of what was discussed, including the feedback received?

Task C - Perform risk assessment
Did you: Y
- C1: Determine the gaps between the EzyMart recommendations and the requirements of the Maturity Model Level 1?
- C2: Document the process and outcomes of your risk assessment according to Essential Eight Maturity Model?
- C3: Draft an email to Helen that shares the report of the outcomes of your risk assessment?

Task D – Finalise risk assessment
Did you: Y
- D1: Analyse and document findings against the risk register? Determine what threats are there in the current policy, recommendations and practices that are not accounted for in the risk register and the recommendations on Essential Eight Maturity Model? Identify the threats?
- D2: Develop and document your recommendations as guidelines and practices to improve operational measures of EzyMart to align operations against risk register requirements?
- D3: Set up a meeting with Helen, as role played by another student in your unit? Use the meeting to: Communicate risk assessment findings? Highlight areas of non-compliance and solutions? Seek feedback on your findings? After your meeting, record notes of what was discussed?
- D4: Prepare a formal report on the outcomes of your risk assessment? Ensure your report includes an executive summary, findings, and recommendations?