
Coursework COMP1608

This document outlines the coursework requirements for a risk management project. Students must define a scenario for a business unit within an organization, identify key assets, research threats, and perform risk assessment and analysis. A risk treatment plan for a new Information Security Management System must be proposed. Additionally, students must analyze how the introduction of new technology would impact existing risk analysis and treatment strategies. The report should not exceed 6,000 words and will be assessed based on multiple criteria, with emphasis placed on clear and coherent writing that addresses all tasks.

Uploaded by

Muaz Ahmed
Copyright
© All Rights Reserved

COMP1608 (2019/20) Managing IT Security and Risk

Course Leader: Mr Dimitrios Frangiskatos Contribution: 100% of course

• Detailed Specification

This coursework is to be completed individually. Coursework is submitted on the understanding that
it is your own work and that it has not, in whole or in part, been presented elsewhere for
assessment. Where material has been used from other sources it must be properly acknowledged in
accordance with the University's Regulations regarding cheating and plagiarism.

• Deliverables

A report covering the scenario presented next. Please note that this is an open-ended scenario which
allows for various assumptions that can alter the scope and focal point, and as such these
assumptions must be clearly stated. The report should not be more than 6,000 words
(font size 12 points, Calibri).

• Assessment Criteria

The assessment criteria are based upon the marks highlighted in the sections below.

Overview

In this coursework, you will propose a scenario relating to a business unit of an organisation, perform
risk identification and risk analysis, and ultimately present a risk treatment plan for a new
Information Security Management System (ISMS). You will then illustrate the changing nature of IT
security Risk Management by proposing the analysis and treatment strategies that the business unit
would need to implement when adding new technology or functionality to the organisation.

The Scenario

For your scenario, you will have to define the organisation and state your assumptions for the way
they conduct business. This is not expected to be an exhaustive list but it must give a good idea of how
they currently operate. Following that, you have to define a business unit that will be protected by the
ISMS. This business unit must be of a ‘reasonable size’ and be a recognisable entity within the
organisation (for example, a call-centre or technical support help-desk within a university).

Defining this scenario gives you the opportunity to present a business unit that you are either familiar
with, or that you are interested in researching. You are advised, however, not to refer to specific names
or disclose confidential information, and as such your report should be anonymised, and can relate
for example to The University of ABC or ABC Forensics Ltd.

Tasks

You will define briefly the organisation and the business unit’s operations, constraints, the roles of the
personnel, the IT and physical infrastructure, and clearly identify the stakeholders.

[10 marks]

Define the key assets that the ISMS must protect within your proposed business unit and provide some
valuation of the assets.

[10 marks]

Present research relating to threats (select the top five based on your assumptions) and exposures
that have happened to similar companies/organisations, companies that contain elements that have
similarity to your business unit, or are generally relevant to your scenario. This research will help you
justify the risk assessment matrices.

[10 marks]

Based upon your research, and also with reference to what has been studied in this module, draw up
appropriate risk assessment matrices that will allow you to assess the risk relating to the business
unit’s assets.

• Identify the threats and the risk assessment levels they represent and present appropriate risk
treatment strategies

[20 marks]

Your business unit decides to embrace a new technology. This can be the introduction of cloud storage,
remote working or Bring Your Own Device (BYOD) into its operations. Show how this introduction will
impact the existing risk analysis and risk treatment strategy you have proposed above.

• Identify the threats to this new technology and the risk assessment levels they represent
• Identify appropriate risk treatment strategies for this new technology, and identify changes
that may need to be incorporated into the original risk treatment plan.

[30 marks]

Reporting

Please be advised that the reporting part of this coursework carries a higher weight than usual. You
are required to present a professional report with the following headings (at a minimum):

• Executive Summary
• Organisation and Business Unit Operations
• Key Assets
• Threats and Exposures Research
• Risk Assessment and Risk Treatment Strategy
• Introducing New Technology to the Operations
• Conclusion
• References
• Appendix

Present your coursework as a report (that is proofread) of no more than 6,000 words (not including
Appendix). This should be typed and you may use graphics and tables. References should be in the
Harvard referencing system and recent. Marks are awarded for clear, coherent writing that can
present the defined scenario and the risk management steps without unnecessary waffle.

[20 marks]

Please note that the marks allocated for each task are based on the overall contribution of that task
towards the solution of this coursework. As such, the reporting effort for a task with lower marks might
be more laborious than for a task with a higher mark contribution. This also depends on the reporting
style of each student and the usage of tables and diagrams.
