ECU Cyber Security Management CSI6130 Assignment 2
Written Report – Cyber Security Organisation Evaluation
Word Count 1500 Words – A Brief Report
Grade Marks available – 20% of final grade
Report to be written individually
This assignment is an individual assessment for students to consider and report upon the cyber posture and cyber position of a company or organisation. Remember that we are looking at medium to large organisations – so please do not use a small organisation of 1-4 people. This assignment asks you to write a report that uses the early part of the NIST Framework.
Select any large organisation of your choice. It should be well known and visible in terms of its corporate behaviour. Look for an organisation which has an outwardly public-facing view. In your report you should use column “A” of the NIST framework to perform your organisational evaluation.
This framework column (titled IDENTIFY) shows 5 areas of evaluation:
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
Please draft your report according to the guiding steps below. In your written report, choose an organisation and then use open-source methods to evaluate the organisation.
Introduction – Describe the company / Organisation and what it does
In Asset management – decide what the core business is of the organisation. What is it trying to protect? What does it sell / or do?
In Business Environment – decide what kind of environment the organisation engages with – who are the key stakeholders – are there key industry alignments? Do they sell or engage directly with the general public? Who are the competitors? Are they the largest organisation in their part of the industry – or are others much larger? Is it highly competitive or is it dominated by a single market player?
In Governance – what is the structure? Is there a CEO / and a C Suite? Who sits on the board? Do they have a strong cyber presence in their board? Do they conform to any known standards or regulations?
In Risk Assessment – As an outsider – what can you tell about their current Appetite for Risk? Are they moving aggressively? Do they have a large amount of on-line interaction? Do they have payment gateways for products?
In Risk Management Strategy – In your assessment, what are the policies and / or systems that you think they should have in place? Do they include any ISO standards? How often do their staff renew their passwords?
Conclusion – what are your concluding remarks about this company’s cyber posture?
Some hints to get you started:
Do not pick a private company that is secretive about its operations. Remember that you will be using open-source information to make this assessment – so choose a company that is well known and has an operation which can be viewed online through your own internet searches (for example: McDonalds, Seek, CarSales.com, Datacom, Next DC, etc.).
When you get to the sections on risk assessment and risk management strategies, you will need to rely on your own judgement to decide which are the most important risks. (Note: you are not trying to eliminate all risks – pick the 3 or 4 most critical ones.) Cyber security management uses frameworks like NIST – but it also relies on the human judgement of a Cyber Risk Manager to decide what takes the top position in terms of threat.
You might consider things such as payment systems, how easy the logins are, passwords, etc. However, these last two sections (Risk Assessment and Risk Strategy) are up to you. There is no single correct answer – students may have different ideas.
You may also have a look on review forums, social media, etc. and see how their customers judge them. (Think in terms of supply / payment / delivery / access, etc., and don’t get caught up in the issues about faulty products or customer complaints about service. Concentrate on issues about cyber security / accessibility, and use the threat elements described in the unit modules.)
Assessment 2 Written Report Rubric for CSI6130 ECU
| Assessment Criteria | High Distinction (HD) | Distinction (D) | Credit (C) | Pass (P) | Fail (N) |
|---|---|---|---|---|---|
| Introduction & Background of the Organisation (10 Marks) | Outstanding beginning that presents a clear introduction and concise background about the organisation and its general cyber posture. | A very good beginning that presents a quite clear introduction and concise background about the organisation and its general cyber posture. | A standard mid-level beginning that presents a fair introduction and brief background about the organisation and its general cyber posture. | A basic level beginning that presents a brief introduction and brief background about the organisation and its general cyber posture. | A poor beginning that presents a poor introduction and partial background about the organisation and its general cyber posture. |
| Asset Management (20 Marks) | An outstanding evaluation that understands the core business and what it should be trying to protect. | A very good report that understands the core business and what it should be trying to protect. | A standard report that understands the core business and what it should be trying to protect. | A basic report that understands the core business and what it should be trying to protect. | A poor report that fails to understand the core business and what it should be trying to protect. |
| Business Environment (20 Marks) | An outstanding explanation of the business environment that the organisation works in and a clear understanding of the key alignments, stakeholders, and operational differences. | A very good explanation of the business environment that the organisation works in and a strong understanding of the key alignments, stakeholders, and operational differences. | A standard explanation of the business environment that the organisation works in and an average understanding of the key alignments, stakeholders, and operational differences. | A basic level explanation of the business environment that the organisation works in and a poor understanding of the key alignments, stakeholders, and operational differences. | A poor explanation of the business environment that the organisation works in that fails to understand the key alignments, stakeholders, and operational differences. |
| Governance (20 Marks) | An outstanding description of the governance, leadership, and hierarchy of the organisation. | A very good description of the governance, leadership, and hierarchy of the organisation. | A good description of the governance, leadership, and hierarchy of the organisation. | A basic description of the governance, leadership, and hierarchy of the organisation. | A poor description of the governance, leadership, and hierarchy of the organisation. |
| Risk Assessment (20 Marks) | An outstanding explanation of the risk appetite, major threats and vulnerabilities based upon their operations and online interactions. | A very good explanation of the risk appetite, major threats and vulnerabilities based upon their operations and online interactions. | A good explanation of the risk appetite, major threats and vulnerabilities based upon their operations and online interactions. | A basic explanation of the risk appetite, major threats and vulnerabilities based upon their operations and online interactions. | A poor explanation of the risk appetite, major threats and vulnerabilities based upon their operations and online interactions. |
| Risk Management Strategy (20 Marks) | An outstanding evaluation of the necessary policies and standards that are required for this organisation. | A very good evaluation of the necessary policies and standards that are required for this organisation. | A good evaluation of the necessary policies and standards that are required for this organisation. | A basic evaluation of the necessary policies and standards that are required for this organisation. | A poor evaluation of the necessary policies and standards that are required for this organisation. |
| Summary and Conclusions (10 Marks) | An outstanding summation of the key elements of the organisation’s cyber posture. | A very good summation of the key elements of the organisation’s cyber posture. | A good summation of the key elements of the organisation’s cyber posture. | A basic summation of the key elements of the organisation’s cyber posture. | A poor summation of the key elements of the organisation’s cyber posture. |
| Sub Total: 120 marks | | | | | |
| Final Grade: out of 20 marks | | | | | |