ISYS326: Information Systems Security

Assignment 2, Semester 2, 2019

(Weighting 35%)

Assignment Description:

In this assignment, you have to choose an Information System or IT system to write a reflective report on security analysis. You can choose a system from the following list or your own. If you select your own topic, it must be based on a peer reviewed journal paper (e.g., published by IEEE, ACM, Springer and Elsevier). The report would be based on two security models: STRIDE and DREAD. First, you need to identify 5 common security threats to your selected system. Then, you should list the security requirements to deal with those threats using STRIDE model. In the second part of your report, you have to analyse the risk of each threat on your system using DREAD model. You also need to measure the overall risk of the system and propose the appropriate security measures to overcome the threats. The assignment is a group assignment and each group may have 2 members at best.

List of IS or IT Systems:

Enterprise Resource Planning
Data Warehousing
Office Automation
Global Information Systems
Library Management Systems
Online Ticket Reservation Systems
Hotel Management System
Banking System
Healthcare System
Supply Chain Management System

Report Structure:

You should use the IEEE conference paper template to write the report like assignment 1. The template can be downloaded from the unit LEO site. The report should not exceed 3000 words in total including bibliography and appendix.

Abstract: An abstract (a short summary of the report) needs to convey a complete synopsis of the paper, but within a word tight limit. Writing an abstract includes brief introduction to the general topic of the work and then explanation of the exact research strategies, including the aims. It should then highlight the outcomes.

Introduction: In the Introduction, you are attempting to inform the reader about the rationale behind the work. The introduction does not have a strict word limit, unlike the abstract, but it should be as concise as possible. It can be a tricky part of the paper to write, so many scientists and researchers prefer to write it last, ensuring that they miss no major points. The introduction gives an overall view of the report but does address a few slightly different issues from the abstract. An introduction should emphasize on background, importance, limitations, and assumptions. You should provide a short overview of the chosen system in this section.

Identify Five Common Security Threats: In this section, you will be identifying five common security threats that might have significant impacts on your system. You have to choose specific security attack on different security services such as attacks on integrity, data confidentiality, availability, authentication, non-repudiation and so on.

Analyse Security Requirements using STRIDE model: Now you need to analyse the security requirements using STRIDE model and also map the requirements with respect to security attacks (known as STRIDE threat classification). An explanation should be provided whether the chosen system can defend the security threats classified by the STRIDE model.

Risk Rating Using DREAD Model: In this section, you have to calculate risk values for each threat. Using DREAD model, you have to quantify the risk factor for each category and then calculate the overall risk value to evaluate the severity of risks on your information or IT system. You also need to describe some mitigation techniques to overcome the risks.

Conclusion: This is really just a more elaborate version of the abstract. In a few lines you should summarize your findings and recommendations. Your abstract will do most of this for you but, as long as you do not get carried away, especially for longer reports, it can help the reader absorb your findings a little more.

References: All papers that are used in the report must be cited in the reference section. Your report should include at least 4 peer reviewed conference and/or journal papers. Please ensure that you reference properly and acknowledge all sources using the Harvard (AGPS) style (check LEO site for guidelines). Don’t use IEEE referencing style.

Marking Scheme: Please check the marking rubric on the next page.

A report template has been uploaded on the LEO site for your reference.

A research report on STRIDE and DREAD model can also be downloaded from the unit LEO site.

Rubric – Assessment 2: Information Systems Security Analysis and Planning (Total marks = 35)

ILO	Criteria			Standards
		Below Expectations	Meets Expectations	Exceeds Expectations
		Level 1 (e.g. F)	Level 2 (e.g. P)	Level 3 (e.g. C)	Level 4 (e.g. D)	Level 5 (e.g. HD)
L5	A report which evaluates the security risk of a system in an organisation using standard risk assessment models. (20 Marks)	No submission or submission containing little or no material relevant to risk assessment.	Some omissions and/or inconsistencies such that an incomplete risk assessment report is submitted.	Minor omissions and/or inconsistencies which might raise some concerns such as incorrect evaluation of a security threat	Sufficient detail such that comprehensive risk assessment and analysis that demonstrates that the student is aware of and understands all obvious relevant issues.	All relevant information provided including risk scores, severity and potential consequences.
L4	A well-structured and understandable report that implements appropriate security measures to minimise the risks. (15Marks)	No submission or material in the submission related to mitigation techniques.	Submitted late and/or much too long or too short and/or illogical structure or inconsistent style. Inappropriate security measures are recommended.	Submitted on time but lacking successful integration of different security measures to overcome the threats	All possible mitigation techniques are discussed, and the right security measures have been selected to minimise the impacts	A clear, concise, wellstructured report identifying all mitigation techniques, implementation costs of those techniques, and justification of selecting the right one

Australia Universities

ACT

Australian Catholic University

Australian National University

Bond University

Central Queensland University

Charles Darwin University

Charles Sturt University

Curtin University of Technology

Deakin University

Edith Cowan University

Flinders University

Griffith University

Holmes Institute

James Cook University

La Trobe University

Macquarie University

Monash University

Murdoch University

Queensland University of Technology

RMIT University

Southern Cross University

Swinburne University of Technology

University of Adelaide

University of Ballarat

University of Canberra

University of Melbourne

University of Newcastle

University of New England

University of New South Wales

University of Notre Dame Australia

University of Queensland

University of South Australia

University of Southern Queensland

University of Sydney

University of Tasmania

University of Technology Sydney

University of the Sunshine Coast

University of Western Australia

University of Wollongong

Victoria University

Western Sydney University

Year 11 - 12 Certification Assignment

Australian Capital Territory Year 12 Certificate

HSC - Higher School Certificate

NTCE - Northern Territory Certificate of Education

QCE - Queensland Certificate of Education

SACE - South Australian Certificate of Education

TCE - Tasmanian Certificate of Education

VCE - Victorian Certificate of Education

WACE - Western Australia Certificate of Education

ISYS326: Information Systems Security

Assignment Description:

List of IS or IT Systems:

Diploma Universities Assignments