Question-04 [40 Marks]
Scenario:
Overview - In this assignment you will be required to perform a basic risk assessment and apply concepts covered in weeks 1 through 9. The deliverable is a report (maximum 2,500 words) detailing information security recommendations for a small dance club.
Background - The dance club (All Stars Dance) is a small Australian dance studio operated by six staff with approximately 200 members. All Stars Dance operates from an office / dance room on the second floor of a three-storey building that shares a common lift for access. All Stars Dance operates during the day and also offers evening sessions between 6pm and 10pm. Currently anyone can access the second floor via the lift. The dance club has two networked desktop computers on site and one printer, and is connected to the internet. New member applications and other information such as policies, procedures and member information are stored both digitally (on the computers or the web portal) and on site in locked cabinets. The computers currently do not have authentication enabled. The dance club has just implemented an online web portal for its members and has requested a risk assessment and data classification for the data it stores and collects, to ensure personal information is secure.
To become a member of the dance club, applicants are required to visit the website and apply for membership or renew an existing membership. The web portal is an open source content management system (Joomla CMS) hosted in Australia by a third-party hosting provider. The portal handles memberships, events and member information such as dance level (novice, advanced, adult) and personal information (age, gender, address). The portal allows members to purchase membership, read member-only news and register for events or dance tests online, so the portal is responsible for most of the data processing. Club membership runs from January 1 through December 31 each year regardless of the application date.
Member payments are processed using a third-party merchant gateway, Secure Pay, and deposited directly into the association's nominated bank account, so payment information is not handled directly by the dance club. Once a member has paid for membership, the system adds the member to a mailing list and updates the permissions on the user account, which authorises access to member resources on the website / portal. The mailing list is stored and processed by Mailchimp, a third-party provider located in the United States. The personal information collected for the mailing list is full name and email address; no other information is collected for the mailing list.
The dance club also receives emails from parents and other members, sent from the website contact page or directly by email, which are read on the computers in the office. Dance club staff can administer the system remotely using portable devices or on site using the office computers. Staff change frequently and there are no access controls in place: when a staff member is granted access by the system administrator they receive full administrative rights to the portal, including memberships, events and web content.
There are four primary functions staff need to perform for members:
1. Update member information via the web portal
2. Answer emails
3. Update news items on the portal
4. Add events to the portal so members can register online
All Stars Dance would like an information security assessment and a recommendation on what would be required to secure its information system(s). Your first task in this assignment is to identify the information assets (both digital and physical). Things to consider:
- The web portal and its CMS
- Installed software for memberships
- Member information
- Physical assets on site
- ISO compliance
Answer the questions below in accordance with the scenario above:
- Identify and categorize information assets. This includes both digital and physical assets. Minimum of 10 assets. [5 Marks]
- Prioritize information assets using a weighted factor analysis. [10 Marks]
- Identify threats and vulnerabilities to the information assets. Given the number of possible threats, one or two threat categories may suffice. [5 Marks]
- Create / define an appropriate classification schema. Apply the classification levels defined in the schema to the information assets. [5 Marks]
- Create a risk rating for each asset. You may use the simple method (likelihood * impact). [10 Marks]
- Include with your risk assessment table one of the five control strategies, e.g., defend, transfer, mitigate, accept or terminate. [5 Marks]
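The weighted factor analysis, the likelihood * impact risk rating and the control-strategy column above are mechanical once the inputs are chosen, and it helps to see them computed together. The Python below is an added worked example for this page, not part of the assignment or any marking guide. Only the ten asset names are drawn from the scenario; the three criteria and their weights, every score, likelihood and impact value, the three-level classification schema and the risk bands are assumptions chosen to illustrate the method, and a real report would justify its own.

```python
"""Weighted factor analysis (WFA) and likelihood x impact risk rating for the
All Stars Dance scenario. Added example for this page, not part of the
assignment. Asset names come from the scenario; criteria weights, scores,
likelihoods, impacts, classification levels and strategies are assumptions."""
from dataclasses import dataclass

# WFA criteria and weights (assumed). Weights must sum to 1.0.
CRITERIA = {"member_privacy": 0.4, "club_operations": 0.3, "public_image": 0.3}
# The five control strategies the assignment refers to.
STRATEGIES = ("defend", "transfer", "mitigate", "accept", "terminate")
# Assumed three-level classification schema, least to most sensitive.
CLASSIFICATIONS = ("Public", "Internal", "Confidential")


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "digital" or "physical"
    classification: str
    scores: dict         # criterion -> 0.1..1.0 (assumed values)
    likelihood: int      # 1..5 (assumed)
    impact: int          # 1..5 (assumed)
    strategy: str        # one of STRATEGIES


def weighted_score(scores, weights=CRITERIA):
    """WFA value of one asset: sum over criteria of score x weight."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"no score for {sorted(missing)}")
    for crit, s in scores.items():
        if not 0.1 <= s <= 1.0:
            raise ValueError(f"score for {crit} must be within 0.1..1.0")
    return round(sum(scores[c] * w for c, w in weights.items()), 3)


def rank_assets(assets, weights=CRITERIA):
    """Assets ordered from most to least valuable by WFA score."""
    return sorted(assets, key=lambda a: weighted_score(a.scores, weights),
                  reverse=True)


def risk_rating(likelihood, impact):
    """The simple method named in the question: likelihood x impact, 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are integers 1..5")
    return likelihood * impact


def risk_level(rating):
    """Assumed banding of the 1..25 rating into four levels."""
    return ("Low" if rating <= 4 else "Medium" if rating <= 9
            else "High" if rating <= 16 else "Critical")


def risk_register(assets):
    """One row per asset, highest risk first; validates schema and strategy."""
    rows = []
    for a in assets:
        if a.classification not in CLASSIFICATIONS:
            raise ValueError(f"{a.name}: unknown classification {a.classification}")
        if a.strategy not in STRATEGIES:
            raise ValueError(f"{a.name}: unknown control strategy {a.strategy}")
        rating = risk_rating(a.likelihood, a.impact)
        rows.append({"asset": a.name, "kind": a.kind,
                     "classification": a.classification,
                     "value": weighted_score(a.scores), "rating": rating,
                     "level": risk_level(rating), "strategy": a.strategy})
    return sorted(rows, key=lambda r: r["rating"], reverse=True)


def _a(name, kind, cls, privacy, ops, image, lik, imp, strategy):
    scores = {"member_privacy": privacy, "club_operations": ops,
              "public_image": image}
    return Asset(name, kind, cls, scores, lik, imp, strategy)


# Ten assets from the scenario; every number is an assumed illustration.
ASSETS = [
    _a("Member personal information held in the portal", "digital",
       "Confidential", 1.0, 0.8, 0.9, 4, 5, "defend"),
    _a("Joomla CMS web portal (third-party hosted)", "digital",
       "Internal", 0.8, 1.0, 0.8, 4, 4, "mitigate"),
    _a("Portal administrator accounts", "digital",
       "Confidential", 0.9, 0.9, 0.8, 5, 5, "defend"),
    _a("Mailchimp mailing list (name, email)", "digital",
       "Confidential", 0.6, 0.3, 0.5, 2, 3, "transfer"),
    _a("Secure Pay payment gateway integration", "digital",
       "Internal", 0.3, 0.7, 0.6, 2, 4, "transfer"),
    _a("Member and parent emails in office mailboxes", "digital",
       "Confidential", 0.8, 0.4, 0.6, 4, 3, "defend"),
    _a("Two office desktop computers (no authentication)", "physical",
       "Internal", 0.7, 0.7, 0.4, 5, 4, "defend"),
    _a("Office printer", "physical", "Internal", 0.2, 0.3, 0.1, 2, 1, "accept"),
    _a("Paper applications and records in locked cabinets", "physical",
       "Confidential", 0.8, 0.3, 0.5, 2, 4, "defend"),
    _a("Policies and procedures (digital and paper)", "digital",
       "Internal", 0.2, 0.5, 0.3, 2, 2, "accept"),
]

if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(f"{weighted_score(a.scores):.2f}  {a.name}")
    for r in risk_register(ASSETS):
        print(f"{r['rating']:>2} {r['level']:<8} {r['strategy']:<8} {r['asset']}")
```

Two design points carry over to the written report: the WFA weights are validated to sum to 1.0 so that asset values stay comparable, and each register row is checked against the declared classification schema and the five strategies, which catches the common mistake of assigning a level or strategy that the schema never defined.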