Question: Scenario: Student Grading System Security

Remarkable University is implementing a new student grading system. The system needs to be developed and implemented to ensure that it is both fit for purpose and secure from identified threats.

The student grading system's core components include:
- a front-end web/application server which is used by students, academics and administrative staff
- a database which holds students' grades

The system will need to be built and managed to ensure that the servers are deployed securely and remain secured against common automated and simple manual attacks. Dedicated, targeted attacks are difficult to protect against; however, simple measures can be taken to protect against most automated attacks.

Identified threats against the system include:
- Grade hacking/modification, e.g. students who may wish to modify their own results or view or modify the results of others
- Privacy concerns, e.g.:
  - internal users such as staff or students who may wish to view or modify results; and
  - external users who may wish to gain access to or modify results or other personal information
- Malicious code such as worms
- Automated scanning and exploit tools
- Targeted exploit attempts
- Phishing attempts

The grading system application needs to remain secured, use appropriate access controls, enforce least privilege, and ensure that information flowing to and from the system is protected. The application needs to be developed in a secure manner and be protected against common attacks, and the database needs to be protected against common automated attacks and use appropriate access controls.

Using the scenario above, complete the questions below:

3. Risk Assessment
This provides a summary and analysis of the risk assessment. Identify risks to key assets (threats, threat sources, vulnerabilities), by thinking about the different security domains (User Authentication and Access Control, Server Security, Software Security) and how breaches in those can affect the confidentiality, integrity, and availability of the key assets. Analyse those risks (likelihood, consequence, resultant risk), and summarise your findings in a risk register.

4. Security Strategies and Actions
This section should outline security strategies and recommended controls, based on estimated cost/benefit analysis. Develop a security implementation plan. Classify the selected treatments as management, operational, and/or technical controls.

5. Residual Risks
By definition, the residual risks are those that remain after all possible (cost-effective) mitigation or treatment of risks. Estimate, describe and rate these residual risks to guide the priorities for ongoing monitoring of risks.

6. Resources
This section should detail the resources (e.g., hardware, software, and human resources) for implementing the recommendations outlined in the earlier section on Strategies and Actions.

7. Maintenance and Training
Outline the recommended maintenance of the security mechanism and training for the relevant personnel.
