Given: The student is given a scenario where an organization’s sensitive data are leaked due to a breach, and information about its currently implemented security defense systems/measures is provided. The student is also given a list containing the organization’s full asset inventory, including all descriptions and monetary values.
XYZ Company Background:
XYZ Corporation is a small-to-medium-sized technology company specializing in software development and IT solutions. The company employs approximately 200 employees and handles sensitive data from clients in various industries, including financial institutions and healthcare providers. XYZ Corporation takes data security seriously and has implemented several security defense systems and measures to protect its assets.
Current Security Defense Systems/Measures:
Firewall and Intrusion Detection System: XYZ Corporation has deployed a robust firewall and intrusion detection system to monitor network traffic and prevent unauthorized access to its internal systems. The system is designed to identify and block suspicious activities.
Access Control and Authentication: The company enforces strong access control policies, requiring employees to use unique usernames and passwords to access their systems. Additionally, two-factor authentication (2FA) is implemented for accessing critical systems and databases.
Encryption: XYZ Corporation uses encryption techniques to safeguard sensitive data both at rest and during transit. All data stored on servers and databases are encrypted, and secure communication protocols (such as SSL/TLS) are utilized for data transmission.
Regular Software Updates and Patches: The company has a strict policy of regularly updating software and applying security patches to mitigate vulnerabilities. This includes operating systems, applications, and third-party software.
Employee Training and Awareness: XYZ Corporation conducts regular security awareness training programs for employees to educate them about data protection best practices, such as recognizing phishing attempts and the importance of strong passwords.
Company Assets and Inventory:
Servers and Networking Equipment:
Dell PowerEdge R740 Server (x3) – $10,000 each
Cisco Catalyst 3850 Switch (x2) – $5,000 each
Juniper SRX340 Firewall – $8,000
Databases and Storage Systems:
Oracle Database Server – $20,000
NetApp FAS2650 Storage System – $15,000
Workstations and Laptops:
HP EliteBook 840 G7 (x50) – $1,500 each
Dell OptiPlex 7070 Desktop (x25) – $1,200 each
Software Licenses:
Microsoft Office 365 Enterprise License – $12,000
Adobe Creative Cloud License – $6,000
Client Data:
Financial Institution Client Data (confidential) – Value not specified
Healthcare Provider Client Data (protected health information) – Value not specified
Note: The values provided are hypothetical and may not represent actual prices in the market.
Description of Data Breach Incident:
Despite the implemented security defense systems and measures, XYZ Corporation recently experienced a data breach incident. The breach occurred when a malicious attacker exploited a vulnerability in an outdated software component that had not been patched promptly. The attacker gained unauthorized access to the company’s internal network and managed to extract sensitive client data, including financial institution client data and protected health information from healthcare providers. The exact value of the stolen data is yet to be determined, but it poses a significant risk to both the affected clients and XYZ Corporation’s reputation.
Upon discovering the breach, XYZ Corporation took immediate action to contain the incident, engage with a cybersecurity forensic firm to investigate the extent of the breach, and notify the affected clients. The company is now working diligently to strengthen its security measures, update all software components, and enhance employee training programs to prevent future breaches and protect its assets and sensitive data.
Required: The student will
Assess the current security measures and strategies implemented at this company.
Perform a full analysis of the possible types of breaches that might take place on those assets (minimum of three breaches) and use risk analysis and assessment statistical techniques to report the security posture of the organization.
Identify and rank company XYZ’s assets, threats, and vulnerabilities using a tool (like Excel) that shows all calculations and decision-making logic. Record any assumptions made.
Conduct a detailed Cost Benefit Analysis (CBA) for a chosen control based on prior risk analysis, justify assumptions, and provide a concise conclusion and recommendation regarding the control’s purchase.
NB. Make sure to use proper and concise security terminology in your report, as covered in the various sessions.
Deliverables: The assignment deliverables are as follows:
A Full PDF report to document your findings for the following (Template):
Part A: Countermeasures: A comprehensive assessment/critique of the 5 listed current security measures adopted by the XYZ company. The description shall include how these measures operate to protect data, which assets they are meant to protect, whether they are effective, and what other potential security threats the current defenses impose on the XYZ company.
Part B: Attacks: Provide a full description of a minimum of 3 attacks (web based, network based, and software based) that can be launched against the company XYZ based on the current security posture as analyzed in Part A. For each identified attack, provide sufficient information about the attack type, the vulnerability or vulnerabilities that might lead to that attack, the asset or assets that might be compromised, the security components that might be compromised, and your suggestion to mitigate that attack.
Part C: Risk Analysis: Perform the following tasks with respect to risk analysis of the company XYZ assets: prioritize assets; identify and prioritize threats and vulnerabilities for each asset; calculate risk for each vulnerability; and state which vulnerability you would address first and why. The risk analysis process shall be done using a tool, which can be a full Excel spreadsheet showing all calculations and interpretations. Document any assumptions made during your analysis.
Note: Check useful resources for some useful tools that might shed light on what we expect you to submit in this part of the assignment.
Part D: Cost Benefit Analysis (CBA): You are required to carry out a comprehensive Cost-Benefit Analysis (CBA) for a control measure that you have identified as a potential solution to risks outlined in your earlier risk analysis (Part C). Your analysis should lead to a well-reasoned conclusion on whether the control should be implemented. The CBA process shall be done using a tool, which can be a full Excel spreadsheet showing all calculations and interpretations. Document any assumptions made during your analysis. Justify each assumption’s relevance and reasonableness. Summarize the results of your CBA and present a clear recommendation on whether or not to purchase the control.
Reflection:
Each student must write a bulleted list reflecting on their individual contribution to the fulfillment of this assignment’s requirements as a team member. Please use the first-person pronoun “I” in your reflection.
References: Cite all used references using APA style.
Submission instructions
Submit the PDF file as the primary resource (Template)
Submit the Excel sheet as a secondary resource.
Students must use their own words to document the report, refrain from copying and pasting from web resources or using AI tools, and properly cite any references used.
Useful Resources
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/it-asset-valuation-risk-assessment-and-control-implementation-model
Academic Integrity Disclaimer
I hereby confirm that the work submitted for the assignment is entirely my own. I affirm that I have not used any artificial intelligence (AI) tools or any other unauthorized means to generate answers or complete any part of this assignment. The work presented reflects my own ideas, research, and understanding of the subject matter. I understand the importance of academic integrity and the consequences of submitting work that is not my own. I acknowledge that any violation of academic honesty policies may result in disciplinary action, including but not limited to, a failing grade for the assignment or the entire course.
By submitting this assignment, I declare that I have complied with the academic integrity standards set forth by CIS/ZU. I am aware of the ethical implications of using external assistance and have adhered to the principles of honesty and integrity throughout the completion of this assignment.