BSBXCS402 Assessment 2 - Project (Portfolio)

School: Canberra Institute of Technology
Course: 402
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 10
Uploaded by CoachWolverine3943
Assessment 2 – Project (Portfolio)

Student Name:
CIT Number:
Competency Title, Code and Banner Code: BSBXCS402 Promote workplace cyber security awareness and best practices
CRN:
Assessment Type: In the workplace / Simulated environment / Other
Assessment Name: Assessment 2 – Project (Portfolio)
Assessment Date:
Assessor Name:

Student Statement: This assessment is my own work. Any ideas and comments made by other people have been acknowledged. I understand that by emailing or submitting this assessment electronically, I agree to this statement.

PRIVACY DISCLAIMER: CIT is collecting your personal information for assessment purposes. The information will only be used in accordance with the CIT Privacy Policy.

© Canberra Institute of Technology Page 1 of 10 Date created: 21/09/2021 CRICOS No. 00001K | RTO Code 0101 Date updated: 4/12/2023
Assessment Task Instructions for Students

Assessment Task:
In your role as a cybersecurity officer, you will be required to develop cyber security awareness in your organisation. You will develop one set of policies and procedures for a work area that promote cyber security awareness and practices (Activity 1). You will also support effective cyber security practices in the work area by arranging training or updates to be provided to colleagues that support practice or awareness in relation to two different cyber security matters, and review cyber security awareness in your organisation (Activities 2 and 3).

The assessment covers the following topics:

Develop cyber security awareness in the work area
- Establish the current level of awareness in the work area relating to cyber security
- Create and maintain a cyber security awareness program that reflects organisation-wide best practice
- Contribute to developing cyber security policies and procedures, and communicate them to required personnel

Support effective cyber security practices in the work area
- Review cyber security practices according to organisational policies and procedures
- Arrange training and information updates as required, and maintain related records
- Present insights from review and training to required personnel, and potential related impacts on the workplace

Review cyber security awareness in the work area
- Review latest cyber security threats and trends impacting organisations
- Document outcomes of the review and suggested improvements for consideration by required personnel
- Communicate review outcomes and cyber security improvement requirements according to organisational policies and procedures

Assessment range and conditions:
- Assessment is untimed and is conducted as an open book assessment (this means you can refer to your textbook)
- The student will take on the nominated role to complete all the required activities
- The training organisation will assign a supervisor to the student
- The training organisation will provide the resources required to complete the assessment task
- The student must use the templates provided to document their responses
- The student must follow the word limits specified in the templates

Materials provided:
- Workplace personnel/stakeholders to participate in the assessment activities
  o Please refer to the roles and responsibilities section for more information
  o This should be organised by the training organisation either via LMS, telephone conferences, video conferencing or anything of a similar nature
- Information and data sources relating to cyber security
- Documents detailing workplace health and safety (WHS) standards, environmental guidelines and organisational requirements, as applicable to the educational and training institute

Materials you may need:
- A device with an active internet connection
- Internet browser
- Access to eLearn
- Industry-specific technologies currently used in industry: you must research and identify the technologies related to the education industry
- Recording hardware/software for podcasting, e.g. microphone, headphones and speakers

Information for students:
You may have two (2) attempts for this assessment. If your first attempt is not successful, your teacher will discuss your results with you and will arrange a second attempt. If your second attempt is not successful, you will be required to re-enrol in this unit. Only one re-assessment attempt will be granted for each assessment item.

Scenario
You have recently joined an organisation as a cybersecurity officer. The organisation has experienced a number of cyber threats recently, including but not limited to:
- A ransomware attack
- A number of phishing activities
- Data leakage on a number of occasions
- Website hacking (two times in the last month)
The organisation currently does not have the expertise, knowledge or skills to look into cyber security threats; it will require your services to make sure the organisation is secure and safe from cyber threats.

Activity 1: Develop a cyber security policy
You are required to develop cyber security awareness in the work area by developing one set of policies and procedures for a work area that promote cyber security awareness and practices. For this activity, the organisation's policy is that policy reviews must include an assessment of a variety of existing staff's knowledge of issues. Your teacher may tell you more about the organisation, and the organisation may be different for different class members.

To complete this assessment task, you must first establish what the current level of awareness of cyber security is in this simulated work area.

1a. Write a set of questions or strategies that you would use to find out what the (non-ICT) workers' current level of awareness is. You will be looking for information including, but not limited to:
- Phishing attacks
- Removable media
- Passwords and authentication
- Physical security
- Mobile device security
- Working remotely
- Public Wi-Fi
- Cloud security

Response:
- I would ask them whether they use public Wi-Fi, especially for bank transfers.
- I would ask them how they use removable media safely.
- Why is mobile device security important?
- I would ask them whether they click on suspicious links that they receive in emails or SMS.
- What are the security measures for remote working?

1b. Participate in a short meeting/discussion with the staff members using the above questions so you can evaluate the threat landscape and identify the risks. (Your teacher/assessor will arrange time for this during a class session. The staff members may be played by your trainer/assessor or other students, all playing different, interdisciplinary roles within the organisation. If the parts are played by students, the meeting will occur in small groups in the absence of other students not participating at any given time. All students will lead one of the discussions. You may be playing the parts of workers in different types of organisations, so the results of these discussions are likely to be different.)

What did you discover about the current levels of cyber security in this workplace? What needs to change?
There is a big need to improve the cybersecurity of this workplace. Employees need to be properly trained and taught, security policies need to be made and kept up to date, and the right industry frameworks need to be put in place.

1c. Based on the information you gathered, develop a set of cybersecurity policies and procedures using this cybersecurity policies and procedures template. A typical cybersecurity policy will include reference to:
- Phishing attacks
- Removable media
- Passwords and authentication
- Physical security
- Mobile device security
- Working remotely
- Public Wi-Fi
- Cloud security
You may choose to address any three of these, or other areas that you have identified after consultation with the staff.

Intent/purpose of this policy:
The policy outlines our basic guidelines and provisions on preserving the security of our data and the organisation's technology and infrastructure.

Scope of the policy (which staff/department does the policy apply to?):
This policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.

Overall principles of this policy:
Protect personal and company devices and secure the data.

Phishing attacks.
Keep emails safe by avoiding opening attachments and clicking on links when the content is not adequately explained, has spelling mistakes or looks suspicious. Report scams and hacking attempts immediately.

Removable media.
Use a password or PIN for your removable devices. Removable media might contain malware, such as viruses, key loggers and other malicious scripts, which can spread very easily and infect the system.

Passwords and authentication.
Use a passphrase instead of a password for your removable devices. Manage passwords properly by storing them in a password management tool and set the password for the tool with at least 8 characters. Change passwords every 2 months. Never exchange credentials or write them down. If they are written down, destroy the note when the work is done. Never leave them unattended. Set up two-step or multi-factor verification using a physical item, such as an OTP on a cellphone, or a fingerprint or facial recognition.

Physical security.
Protect employees, hardware, software, networks and data from physical occurrences that could damage an organisation, agency or institution. Fire, flood, natural calamities, burglary, theft, vandalism and terrorism are covered.

Mobile device security.
At least have a very basic level of security on your mobile device to protect it from unauthorised access. Set the device with a password, fingerprint sensor or facial recognition software that prevents others from gaining access to your content.

Working remotely.
Use only devices approved by your organisation. Use a VPN when necessary. Safeguard your devices with the latest software updates. Connect only to trusted networks or your cellular Wi-Fi connection. ... Create strong passwords.

Public Wi-Fi.
Connecting to a public Wi-Fi is a big NO. Share confidential data over the company network/system and not over public Wi-Fi or a private connection.

Cloud security.
Cloud security is important as it is a shared responsibility model. The Cloud Service Provider is responsible for the security of the cloud and the Consumer is responsible for security in the cloud, encryption of data and authorisation controls. Encryption of data is important during data sharing, as is setting the access control of the data.

Specific procedures to ensure cyber security in this workplace:
Implement all employees following cybersecurity best practices:
- Protect your data
- Avoid pop-ups, unknown e-mails and links
- Use strong password protection and authentication
- Connect to secure Wi-Fi
- Enable firewall protection at work and at home
- Invest in security systems
- Install security software updates and back up your files
- Talk to your IT department
- Employ third-party controls
- Embrace education and training
Auditing, encrypting data, staff training, use of cybersecurity best practices and hiring a specialist (if required).

Definitions of any terms used in this policy – the policy must be written in a way that non-experts will understand:

Activity 2: Support effective cyber security practices in the work area by arranging training to colleagues that supports practice or awareness in relation to two different cyber security matters. This must include simulated activities.
You are required to arrange training to be provided to colleagues to support practice and awareness in relation to cybersecurity matters. The training will be required to run for 15 to 30 minutes and must include at least two of the following topics:
- Phishing attacks
- Removable media
- Passwords and authentication
- Physical security
- Mobile device security
- Working remotely
- Public Wi-Fi
- Cloud security
The training should occur in front of your trainer/assessor. Use appropriate technology platforms in this training; in most cases, the training involves an MS PowerPoint presentation covering all the topics mentioned above, of at least 10-20 slides. You must also gather feedback from the workplace training to develop the training program for your organisation:

Cybersecurity training and information session
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
How did others evaluate the training provided? (50-100 words)
- The training was relevant to the needs and requirements of the audience
- Materials provided were helpful
- Length of the training was sufficient and complied
- The content was well organised
- Questions were encouraged
- Instructions were clear and understandable
- The training met all expectations
- The topics were covered well in the presentation

Activity 3: Review cybersecurity awareness in your organisation.
Review the cybersecurity threats and trends to ensure your organisation is secure from all cyber threats. Use your organisation's threats review template to communicate the outcomes of this review. If there is no template available, use the template provided below. Either way, all questions must be addressed.

How have you reviewed the latest cybersecurity threats and trends impacting organisations? (Review any three organisations)
In early January 2023, T-Mobile discovered that a malicious actor gained access to their systems in November last year and stole personal information, like names, emails and birthdays, from over 37 million customers.
MailChimp, the email marketing platform, alerted customers that they had suffered a data breach due to a social engineering attack that allowed unauthorised users into an internal customer support tool.
Norton LifeLock sent a notice to their customers in mid-January that over 6,000 of their customer accounts had been breached in recent weeks due to a "stuffing" attack. Stuffing attacks are when previously compromised passwords are used to hack into accounts that use a shared password, another reason why multi-factor authentication is so important.

By reviewing these latest cybersecurity threats, such as compromised passwords and social engineering attacks, data breaches are the ones impacting most organisations.

Latest cybersecurity threats:
- Ransomware
- Phishing
- Malware
- Social engineering attacks
- Internet of Things
- Denial of service
- Insider threat
- Data breach
- Brute force
- Man in the middle
- SQL injection
- etc.

Latest cybersecurity trends:
- Data breaches as the top cyber threat
- The cybersecurity skills gap
- Cloud security issues
- Automation and integration in cybersecurity
- A growing awareness of the importance of cybersecurity
- Mobile devices as a major cybersecurity risk
- Increased impact of politically sponsored cyberattacks
- Risks related to devices
- AI on both sides of the fence
- The lasting phishing threat

Outcomes of the review and suggested improvements for consideration by required personnel (50-100 words)
A successful cyber-attack will cause serious business damage. It can affect your end result as well as the reputation and customer trust of your business. Considering the outcomes of the review, it is suggested to implement training of employees on data security, storage and data breach policies.

You must successfully complete the following skills on the practical observation checklist:

Observation Checklist
During the task the following skills were demonstrated satisfactorily (enter specific details of benchmarks to be used in assessing competence). Each item is marked S* or NYS*.

Activity 1 (policy development)
1. Participation in the meeting and demonstrating skills and knowledge to understand the requirements to complete the assessment task.
2. Developed cyber security awareness in the work area by developing one set of policies and procedures for a work area that promote cyber security awareness and practices.
3. Established the current level of awareness in the work area relating to cybersecurity.
4. Completed the policy and procedure to create and maintain a cybersecurity awareness program that reflects organisation-wide best practice.
5. Contributed to developing cybersecurity policies and procedures, and communicated them to required personnel.

Activity 2 (training)
6. Plan and develop the presentation for the training session.
7. All topics covered in the presentation.
8. The delivery of the presentation meets the evaluation criteria.
9. Review cyber security practices according to organisational policies and procedures.
10. Arrange training and information updates as required, and maintain related records.
11. Present insights from review and training to required personnel, and potential related impacts on the workplace.

Activity 3 (review threats)
12. Review latest cyber security threats and trends impacting organisations.
13. Document outcomes of the review and suggested improvements for consideration by required personnel.
14. Communicate review outcomes and cyber security improvement requirements according to organisational policies and procedures.

*S – Satisfactory, NYS – Not Yet Satisfactory