SEC7000 Information Security Assessment Brief SEM 1 | CMU

Assessment Brief

The student will submit a WRIT1 assignment of 4000 words, which covers three chapters.

Chapter 1 (2000 words)

Imagine you've been appointed as a security and privacy consultant for a major corporation. This company is on the verge of developing and rolling out surveillance technologies (CCTV, Face Recognition) and contact tracing applications (a centralized system managing all collected data) for the UK government to address the spread of viruses. 

Your task is to create a comprehensive report outlining the strategies the company should adopt to integrate Data Protection by Design and Default principles and security standards (ISO, NIST, COBIT, etc.) into the project. 
Please consider the following factors as you prepare your recommendations for the project.

• Data Protection by Design and Default: Provide insights on how the company can ensure that data protection measures are integrated seamlessly into the design and default settings of the surveillance and contact tracing applications.
• Compliance with Regulations: Address how the project aligns with relevant data protection regulations and guidelines, particularly those applicable in the context of the UK government such as UK GDPR.
• User Privacy: Discuss approaches to safeguarding user privacy, emphasizing the importance of minimizing data collection, implementing robust consent mechanisms, and ensuring transparency.
• Security Measures: Outline security measures that should be implemented to protect the collected data from unauthorized access, breaches, and other potential threats.
• Data Retention and Deletion Policies: Propose policies for the retention and deletion of data to ensure compliance with data protection principles and regulations.
• Ethical Considerations: Consider the ethical implications of deploying surveillance and contact tracing technologies and suggest ways to mitigate potential risks and concerns. 

By addressing these key aspects, your report will provide a comprehensive guide for the company to implement robust Data Protection by Design and Default in the development and deployment of surveillance and contact tracing applications for the UK government. 

Section 1.1.Data Protection by Design and Default (500 words) 
Section 1.2. Mapping best practices of (ISO27001, Cyber Essentials, NIST, and COBIT) with GDPR. (1000 words) 
Section 1.3. The mechanisms for implementing security and Incident Response and Reporting. (500 words)

Chapter 2: (1800 words) 

Compose a report on a recent information security incident or breach that occurred post-May 2024. The report should encompass a brief overview of the attack, the impact on the organization, specifics regarding the vulnerability exploited in the attack (such as CVE details), the manifestation of the attack (e.g., illustrated scenarios), the tools employed by the attackers, and potential preventive measures that could have mitigated the threat or addressed the vulnerability. Additionally, incorporate considerations for Risk Management/Risk Assessment, referencing the provided template for the attack. Use the sample references as a guide for sourcing relevant information. 

Section 2.1.Description of the attack, exposed vulnerability, and loss to the organization. (600 words)

Section 2.2.Critical evaluate the attack, tools used by the attackers and recommended preventive mechanisms. (600 words) 

Section 2.3. Implement the Risk Management / Risk Assessment, Evaluate the impact, likelihood, and risk level associated with the incident, and propose risk mitigation strategies using the risk assessment template. (600 words) 

Chapter 3: (200 words)

Write a reflective report on your practical development of the practical activities via: 

• The 8 Cisco Cyber Essential labs: Security awareness (Cisco Cyber security essentials training). Students must complete 8 Chapters of the training (both theoretical and practical aspects). And
• Immersive labs

Learning Outcomes

• [LO1] Assess fundamental characteristics of information security in the context of emerging technologies.
• [LO2] Critically evaluate and apply risk identification, estimation, evaluation and management methods.
• [LO3]. Synthesize a business continuity plan.
• [LO4] Critically evaluate security best practices, laws, and regulations for information privacy and security.
• [LO5] Reflect on the adequacy of current regulations and laws for emerging cyber security threats.

Assessment Criteria

• [AC1] Building a deeper understanding of the basic and effective discussion of theoretical components of learning outcome research. Meets the requirements in chapters 1 and 2 of the assessment. [LO1, LO3]
• [AC2] Successful discussion of theoretical components of learning outcome research. Meets the requirements in chapter 1 of the assessment. [LO1, LO4]
• [AC3] Successful discussion and technical approaches used to meet learning outcomes. Meets the requirements in chapters 1 and 2 of the assessment. [LO2, LO3, LO4]
• [AC4] Successful discussion of theoretical components of learning outcome research. Meets the requirements in chapters 1 and 3 of the assessment. [LO2, LO4, LO5]
• [AC5] Meets the requirements of Chapter 1 for the GDPR and Laws. [LO4, LO5]