FlySafe is a Scottish company which has been operating for the last three years in the private aviation sector where it provides a Software: Information Security Management Coursework, MUL, UK
University | Middlesex University London (MUL) |
Subject | Information Security Management |
Background to the Case Study Company
FlySafe is a Scottish company which has been operating for the last three years in the private aviation sector, where it provides a Software-as-a-Service (SaaS) Flight Management System (FMS) for world-wide operators, corporate flight departments of larger corporations, brokers and fixed-base operators to manage flights on behalf of their clients. The FMS helps organisations manage their flight operations by providing a web-based application where they can sign in to perform a variety of functions such as:
Organisations cannot create accounts on the SaaS platform themselves; a member of FlySafe’s sales team onboards them to the platform. FlySafe currently has two public-facing websites:
• FMS web application: hosted on Amazon Web Services.
• The company’s website: hosted on Digital Ocean.
FlySafe currently consists of the CEO (Director), the CTO (Chief Technology Officer), who also works as a software developer, one other software developer and two sales/marketing staff (one of whom is head of sales/marketing).
All decisions are made by the CEO, who communicates them to the CTO and the head of sales/marketing, who in turn talk to their team members.
Before the COVID pandemic, FlySafe maintained an office used by the CEO and CTO, while other members of staff worked from their respective locations (scattered across the UK). The pandemic pushed the company to fully remote work, and this will remain the case for the foreseeable future.
Staff communicate via email (Gmail), WhatsApp and Zoom. Collaboration is done using Confluence (by Atlassian) and the Google Docs suite of applications. TeamsID Business Password Manager is used to store the passwords for all software the company has a subscription for. The sales/marketing team uses Mailchimp for emailing clients and Calendly to schedule meetings with them. The software developers use Trello to manage their software projects and GitHub for source code version control.
FlySafe does not issue work computers to staff. Instead, all staff are expected to use their own devices (BYOD). This means that staff are currently using a combination of Windows 10 (CEO and sales/marketing), macOS and Linux (tech team).
Last summer, FlySafe recruited a student (intern) from our MSc course for a three-month placement. The intern was tasked with conducting a risk assessment, which was documented in a risk register (RiskRegister.xlsx) available on Moodle. It includes the following:
- An inventory of the company’s assets (see the Assets sheet)
- A vulnerability scan on the FMS and the company’s website, using Qualys Web Application Scanner (see the Qualys Scan sheet)
- An analysis of risks and suggested treatments (see Risks sheet).
The aim of this coursework is to produce a report documenting your answers to the following four tasks. Your discussion should be explained and justified using evidence from the literature.
Task 1 – Risk Assessment
The aim of this task is to critically appraise the risk assessment conducted by the student.
a. Assets:
i. What sources of information would the student have used to identify the company’s assets?
ii. How much do you agree with the “value” assigned by the student to each asset?
b. Vulnerabilities:
i. For the web application (asset A1) and the company’s website (asset A2), discuss whether the student’s conversion of the CVSS scores provided by the Qualys scanner into vulnerability values is adequate.
ii. What sources of information would the student have used to complete the vulnerability descriptions and values for the remaining assets (A3 to A19)?
iii. Choose ONE vulnerability associated with any of the assets A3 to A19 (excluding A4), and explain/justify whether you agree with the value that the student assigned to that vulnerability.
c. Threats, Likelihood and Impact:
i. What sources of information would the student have used to identify threats, likelihood and impact?
ii. Would the student have used different sources for different assets? Justify using examples.
iii. What factors would (should) the student have used when estimating the likelihood?
iv. Choose ONE threat in the register and explain/justify whether you agree with the value assigned to its likelihood.
d. Risks:
i. Discuss whether, in your opinion, the student has consistently applied specific criteria in deciding a value for the “Treatment Option” (Column X of the Risks sheet), i.e. whether each risk should be mitigated, avoided, accepted or transferred. Illustrate your answer using examples from the risk register.
ii. Discuss the advantages and disadvantages of using integer values to calculate risk. Illustrate with examples from the risk register.
Task 2 –Security Controls & Security Program
The aim of this task is to appraise the student’s choice of security controls. While conducting the risk assessment, the student opted to use the ISO 27001 Annex A security controls as the basis for the “Treatment Plan” (Columns U and Y of the Risks sheet). These security controls are listed in a separate sheet within the risk register for ease of reference.
a. Discuss the student’s choice of ISO 27001. Is ISO 27001 relevant and appropriate for the company?
b. Propose an alternative framework and critically compare it to ISO 27001. The comparison must be relevant to this case study rather than purely theoretical.
c. Analyse and discuss the mix of security control types (preventive, detective, corrective, recovery, deterrent or compensating) suggested in the “Treatment Plan” (Column Y) for asset A17 (Software Developers). As part of documenting your answer, copy and complete the table (You may also find it useful to produce visual charts to help you with your analysis).
d. Assuming the student was offered a permanent role within the company (Web Developer and Information Security Officer), produce a security program, in the form of a one-year plan, that outlines the student’s key tasks and deliverables. Briefly explain/justify your program.
Note: Part of your plan should be to consider the implementation/prioritisation of the proposed risk “Treatment Plan” to move from the current position to the projected “Residual Risk” position. For example, explain how to prioritise risks with the same/similar values within the program.
Task 3 – Cryptography
The aim of this task is to appraise the company’s practices in the use of crypto as a key security control.
a. In the risk register, the student identified “Insufficient Encryption” as a vulnerability for asset A4 (customer details). Assuming this relates to the encryption of data in transit, explain the reasoning that led the student to create this entry in the register.
b. Apart from the setting-up of a “Policy on the Use of Cryptographic Controls” recommended by the student in the “Treatment Plan”, what else should the student recommend?
c. While reading an article on the “Panama Papers” breach, the student learnt that the hacktivist who leaked the documents leveraged an SSL cryptographic flaw known as the DROWN attack. Briefly explain (i) how this attack works and (ii) what the company needs to do to protect against it.
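A check a practitioner would want before answering (c)(ii). DROWN (CVE-2016-0800) is a cross-protocol attack: a server that still accepts SSLv2 handshakes, in particular with the 40-bit export cipher kinds, can be used as a Bleichenbacher padding oracle to decrypt TLS sessions that used RSA key exchange with the same RSA key, even when those sessions were made to a different, properly configured server. The question for FlySafe is therefore not “does the FMS use TLS 1.2” but “does any service sharing the certificate or RSA key still answer an SSLv2 CLIENT-HELLO”. The Java program below is an example written for this page (it is not part of the coursework or FlySafe’s code): it sends a raw SSLv2 CLIENT-HELLO as defined in the SSL 2.0 (Hickman) draft and reports whether a SERVER-HELLO comes back and which cipher kinds it offers. Modern OpenSSL builds cannot speak SSLv2 at all, which is why the handshake is hand-built rather than using javax.net.ssl. The default target localhost:443 is a placeholder; pass the host and port you are authorised to test as arguments.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

public class Sslv2Probe {
    // SSLv2 CIPHER-KIND values (3 bytes each). The two *_EXPORT40_* kinds are the
    // 40-bit ciphers the general DROWN attack needs the server to accept.
    static final byte[][] CIPHER_KINDS = {
        {0x01, 0x00, (byte) 0x80}, // SSL_CK_RC4_128_WITH_MD5
        {0x02, 0x00, (byte) 0x80}, // SSL_CK_RC4_128_EXPORT40_WITH_MD5
        {0x03, 0x00, (byte) 0x80}, // SSL_CK_RC2_128_CBC_WITH_MD5
        {0x04, 0x00, (byte) 0x80}, // SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
        {0x05, 0x00, (byte) 0x80}, // SSL_CK_IDEA_128_CBC_WITH_MD5
        {0x06, 0x00, 0x40},        // SSL_CK_DES_64_CBC_WITH_MD5
        {0x07, 0x00, (byte) 0xC0}, // SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    };

    // CLIENT-HELLO: 2-byte record header (high bit set, 15-bit length), then
    // MSG-CLIENT-HELLO (0x01), version 0x0002, three 16-bit lengths, the cipher
    // kinds, an empty session id and the challenge.
    static byte[] buildClientHello(byte[] challenge) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        int specsLen = CIPHER_KINDS.length * 3;
        body.write(0x01);
        body.write(0x00); body.write(0x02);
        body.write(specsLen >> 8); body.write(specsLen & 0xff);
        body.write(0x00); body.write(0x00);                 // SESSION-ID-LENGTH = 0
        body.write(challenge.length >> 8); body.write(challenge.length & 0xff);
        for (byte[] kind : CIPHER_KINDS) body.write(kind, 0, 3);
        body.write(challenge, 0, challenge.length);
        byte[] b = body.toByteArray();
        byte[] record = new byte[b.length + 2];
        record[0] = (byte) (0x80 | (b.length >> 8));
        record[1] = (byte) (b.length & 0xff);
        System.arraycopy(b, 0, record, 2, b.length);
        return record;
    }

    // Returns the cipher kinds (hex) offered in an SSLv2 SERVER-HELLO, or null if the
    // reply is anything else (TLS alert, HTTP junk, nothing): the server does not speak SSLv2.
    static List<String> parseServerHello(byte[] d) {
        if (d.length < 3) return null;
        int hdr = (d[0] & 0x80) != 0 ? 2 : 3;                   // 3-byte header carries a padding byte
        if (d.length < hdr + 11 || d[hdr] != 0x04) return null; // MSG-SERVER-HELLO
        // d[hdr+1] SESSION-ID-HIT, d[hdr+2] CERTIFICATE-TYPE, d[hdr+3..4] SERVER-VERSION
        int certLen  = ((d[hdr + 5] & 0xff) << 8) | (d[hdr + 6] & 0xff);
        int specsLen = ((d[hdr + 7] & 0xff) << 8) | (d[hdr + 8] & 0xff);
        int specsOff = hdr + 11 + certLen;                      // CONNECTION-ID-LENGTH at hdr+9..10
        if (specsLen % 3 != 0 || specsOff + specsLen > d.length) return null;
        List<String> kinds = new ArrayList<>();
        for (int i = specsOff; i < specsOff + specsLen; i += 3)
            kinds.add(String.format("%02x%02x%02x", d[i], d[i + 1], d[i + 2]));
        return kinds;
    }

    // Open a TCP connection, send the CLIENT-HELLO and read whatever the server replies.
    static List<String> probe(String host, int port, int timeoutMs) throws IOException {
        byte[] challenge = new byte[16];
        new SecureRandom().nextBytes(challenge);
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            s.setSoTimeout(timeoutMs);
            OutputStream out = s.getOutputStream();
            out.write(buildClientHello(challenge));
            out.flush();
            InputStream in = s.getInputStream();
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            try {
                int n;
                while (buf.size() < 65536 && (n = in.read(chunk)) > 0) buf.write(chunk, 0, n);
            } catch (SocketTimeoutException e) {
                // server went quiet; parse whatever arrived
            }
            return parseServerHello(buf.toByteArray());
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "localhost";  // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        List<String> kinds = probe(host, port, 5000);
        if (kinds == null) {
            System.out.println(host + ":" + port + " did not answer the SSLv2 CLIENT-HELLO");
        } else {
            boolean export40 = kinds.contains("020080") || kinds.contains("040080");
            System.out.println(host + ":" + port + " SPEAKS SSLv2, cipher kinds " + kinds
                + (export40 ? " (40-bit export kinds accepted: general DROWN applies)" : ""));
        }
    }
}
```

Compile and run with `javac Sslv2Probe.java && java Sslv2Probe <host> <port>`. Any SERVER-HELLO at all is a failing result: the fix is to disable SSLv2 on every service that shares the RSA key (on a self-managed nginx on the Digital Ocean droplet that is `ssl_protocols TLSv1.2 TLSv1.3;`; on a managed load balancer it is the TLS policy setting), keep OpenSSL patched, and avoid reusing one certificate or key across the FMS, the company website and any mail server, so that one forgotten legacy listener cannot expose the others.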
d. While having a chat with one of the software developers (Mike), the student learnt that Mike uses Java 8 in some of his backend coding. The conversation led into a discussion about how to generate pseudo-random data for cryptographic use. Specifically, Mike always makes sure that he explicitly seeds the generator using the setSeed method (of the SecureRandom class) before generating a random value (using a next* method), instead of relying on self-seeding (i.e. using the OS implementation’s defaults). Discuss whether Mike is adopting a secure coding practice. Explain/justify your answer, including bad/good examples of code.
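As an added illustration for this question (example code written for this page, not taken from FlySafe’s code base or from the coursework), the Java 8 program below shows why Mike’s habit is dangerous on the JDK’s SHA1PRNG provider: a setSeed() call made before the first output replaces the self-seeded state, so every key the generator produces is a deterministic function of the seed, and seeds developers typically reach for (clock, PID, a constant) have far too little entropy. The self-seeded variant, and the variant that adds application entropy only after the first output, are the safe patterns. The seed value 1234L and the 16-byte key size are placeholders.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedingDemo {

    // BAD (Mike's pattern): explicit setSeed() before the first output on SHA1PRNG.
    // For that provider a seed supplied before any nextBytes()/next*() call is the
    // SOLE source of randomness, so the "random" key is a pure function of the seed.
    // The same holds wherever new SecureRandom() resolves to SHA1PRNG.
    static byte[] badSessionKey(long seed) throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(seed);                // replaces, does not supplement, the state
        byte[] key = new byte[16];
        sr.nextBytes(key);
        return key;
    }

    // GOOD: do not seed at all. The provider seeds itself from the platform
    // entropy source (NativePRNG reads /dev/urandom on Linux/macOS) on the first
    // request for output.
    static byte[] goodSessionKey() {
        SecureRandom sr = new SecureRandom();
        byte[] key = new byte[16];
        sr.nextBytes(key);               // self-seeding happens here
        return key;
    }

    // ALSO FINE: extra application entropy mixed in AFTER self-seeding. Once output
    // has been produced, setSeed() supplements the existing state on every JDK
    // provider, so it can only add entropy, never reduce it.
    static byte[] supplementedSessionKey(byte[] extraEntropy) {
        SecureRandom sr = new SecureRandom();
        sr.nextBytes(new byte[1]);       // force self-seeding first
        sr.setSeed(extraEntropy);        // now a supplement, not a replacement
        byte[] key = new byte[16];
        sr.nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] a = badSessionKey(1234L);
        byte[] b = badSessionKey(1234L);
        System.out.println("SHA1PRNG seeded twice with 1234, identical keys: " + Arrays.equals(a, b));
        byte[] c = goodSessionKey();
        byte[] d = goodSessionKey();
        System.out.println("self-seeded twice, identical keys: " + Arrays.equals(c, d));
    }
}
```

Run with `javac SeedingDemo.java && java SeedingDemo`: the first comparison demonstrates that an attacker who can guess the seed can regenerate the key, the second that the self-seeded generator does not repeat. The practical advice for Mike is to construct SecureRandom without seeding it (or use SecureRandom.getInstanceStrong() for long-lived keys), never to pass the clock or a constant to setSeed(), and, if he wants to contribute entropy, to do so only after the generator has produced output.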
Task 4 – Recommendations
Propose a set of recommendations to the company that summarise the issues identified in Tasks 1, 2 and 3 above. These recommendations should be included as part of your report’s executive summary.