Unit 5 & 32: Security & Information

Security Management

Authorised Assignment Brief 1

Student Name/ ID
Number

Unit Number and Unit 5: Security

Title
Unit 32: Information Security Management

Academic Year

Unit Tutor

Assignment Title Planning an ISMS and Security Policies Security for an

Organisation

Issue Date

Submission Date

Submission Format

The assignment submission is in the form of the following.

A formal 10-minute presentation (10–20 slides as a guide with supporting speaker
notes) to communicate an evaluation of your investigation to a non-technical audience,
highlighting key information regarding the range of IT security risks that organisations face
and the IT security solutions for them. The presentation will also include an assessment of
the current organisational security procedures and an evaluation of both the physical and
virtual security countermeasures presented.
A briefing paper to communicate an evaluation of your investigation to a non-technical
audience, highlighting key information regarding the basic principles of information security
management. The paper will also include an assessment of the current organisational ISMS
and analysis of the elements required to establish and maintain an ISMS.
The recommended word limit is 2,000–2,500 words, although you will not be penalised for
exceeding the total word limit.
A process review to assess the existing risk assessment procedures in an organisation and
review and summarise standard risk management approaches that could be applied. The
review will show how implementing IT security should work in conjunction with an
organisation’s policy.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
94 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
 The recommended word limit is 1,000–1,500 words, although you will not be penalised for
exceeding the total word limit.
You are required to make use of headings, paragraphs and subsections as appropriate, and
all work must be supported with research and referenced using the Harvard referencing
system.
A written report to review the security incident and recommend and justify a suitable ISMS
and security policy for the organisation. The ISMS and the policy should include all
stakeholders so that an audit trail can be identified. The report will evaluate the suitability of
the ISMS and the security tools selected to meet the needs of the business.
The recommended word limit is 2,000–3,000 words, although you will not be penalised for
exceeding the total word limit.
You are required to make use of headings, paragraphs and subsections as appropriate, and
all work must be supported with research and referenced using the Harvard referencing
system.

Unit Learning Outcomes

Unit 5
LO1 Assess risks to IT security
LO2 Describe IT security solutions
LO3 Review mechanisms to control organisational IT security
LO4 Manage organisational security.
Unit 32
LO1 Explore the basic principles of information security management
LO2 Critically assess how an organisation can implement and maintain an Information
Security Management System (ISMS)
LO3 Appraise an ISMS and describe any weaknesses it may contain
LO4 Examine the strengths and weaknesses of implementing ISMS standards.

Transferable skills and competencies developed

Computing-related cognitive skills

● Demonstrate knowledge and understanding of essential facts, concepts, principles and
theories relating to computing and computer applications
● Recognise and analyse criteria and specifications appropriate to specific problems, and
plan strategies for their solutions
● Critical evaluation and testing: analyse the extent to which a computer-based system
meets the criteria defined for its current use and future development

Effective assignment design for the Higher Nationals in Computing/Computing for England:
Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
95
● Methods and tools: deploy appropriate theory, practices and tools for the design,
implementation and evaluation of computer-based systems.
Computing-related practical skills
● The ability to evaluate systems in terms of quality attributes and possible trade-offs
presented within the given problem
● The ability to critically evaluate and analyse complex problems, including those with
incomplete information, and devise appropriate solutions, within the constraints of a
budget
● The ability to specify, design and construct reliable, secure and usable computer-based
systems
● The ability to recognise any risks and safety aspects that may be involved in the
deployment of computing systems within a given context.
Generic skills for employability
● Intellectual skills: critical thinking; making a case; numeracy and literacy
● Contextual awareness, e.g. the ability to understand and meet the needs of individuals,
business, and the community, and to understand how workplaces and organisations are
governed
● Interaction: reflection and communication.

Vocational scenario

You have been employed as a Junior Network Security Specialist for Phaeton Security
Solutions Limited (PSS). PSS provides network security solutions for a range of clients from
multiple industry sectors. The services offered by PSS include the following.
● Providing a security audit of an organisation’s network in the context of its business
requirements
● Reviewing and recommending improvements to an organisation’s network security
● Implementing network security solutions
● Plans and designs Information Security Management Systems (ISMS) for organisations.
PSS usually has large, multinational corporations as their clients, but the CEO has received
an unusual request from a new client and has decided that this would be an ideal project for
you to handle by yourself.
The client is the Dowding Federation, an Academy chain consisting of three sixth-form
colleges (SFC). The Dowding Federation has a Chief Executive Officer and manages an
educational budget of UKP £16.4 million.
One of the colleges that is part of this chain is Wargrave College, a large SFC with 2000
students that specialises in computer science, maths and engineering.
Wargrave College has 65 members of staff, both teaching and non-teaching, and has an
operating budget of UKP £5.3 million.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
96 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
 All staff data, both personal and for payroll, are kept on dedicated Human Resource (HR)
servers located within the Network Server Room.
All student data is kept on the college Student Information System (SIS), which contains data
such as:
● contact details for students and parents
● medical history and other sensitive information
● assessment data from homework and examinations, as well as historical GCSE data
● attendance data – Present/Not Present/Authorised Absent for all lessons while at college
● any Special Educational Needs (SEN) data.
All college files are located on a shared public access fileserver. This contains all educational
resources created by teachers, as well as areas for students to upload and download
coursework assignments and homework.
Students logging in to any computer on the college network had Read Access to the
fileserver; teachers had Read/Write access.
The college maintained their own email exchange server, holding all staff and student
emails as well as historical emails from all previous years.
The email server, fileserver, backup NAS drive and Network Domain Server were located in a
non-secured room in the IT Technicians’ office. This room was never locked in case staff or
students needed IT support.
The college had a Virtual Learning Platform (VLP), that provided a web interface to the
fileserver and provided a way for students to access course materials.
The college computers ran older versions of Windows 8.1, as it was determined to be too
expensive to migrate to the current version of the software.
To save money, a freeware VPN had been set up to allow teachers to access college
materials from home using college laptops installed with a VPN client software. It was still
possible for staff members to access the fileserver directly using Remote Desktop.
Because the college was deemed to be at a low risk, most of the security countermeasures
had been designed to minimise a threat from malicious damage from students:
● all IT labs were locked and could not be opened without a swipe card
● college policy was that no student could be in an IT lab unsupervised
● virus scanners had been configured to automatically scan any USB drive plugged into a
device
● all optical drives had been removed from each college computer.
An Acceptable Use Policy was created for students (see Appendix 1). Staff were not
considered to be a security threat, so no staff policies were created.
Similarly, the college had a simple firewall, however this was configured just to block
attempts at network intrusion from known malicious blacksite IP addresses.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
97
Because the Federation CEO had deemed the college to be a low-priority threat, data
backups involved a single 8TB Network Attached Storage (NAS) Drive, where data was
backed up each week.
Security procedures were not strictly followed as it was thought there was no requirement
because the college was a ‘soft target’.
The ISMS implemented lacked a clear framework and failed to continuously measure
effectively if the security controls performed as expected.
Just prior to the pandemic in March 2020, Wargrave College suffered a massive security
breach.
A ransomware virus was downloaded and deployed onto all the college servers, resulting in
a complete and total loss of:
● all personal student and staff data
● all data on the backup NAS drive
● all coursework and teaching resource data on the public fileserver and VLP
● all current and historical attendance data
● all financial data on the HR servers, meaning college staff and contractors could not be
paid
● all current and historical email data.
The college did not have the finances to pay the ransom and so a completely new IT system
was purchased. All data was lost.
As part of a review after the incident, it was determined that a teacher working from home
at the weekend, in trying to find extra teaching materials, inadvertently downloaded a virus
containing a malicious payload onto their staff laptop from a compromised website. The
teacher was not using the VPN.
The ransomware was activated only when the laptop was connected to the college network
on the following Monday. The ransomware virus then deployed and copied itself onto all
network devices from the target location, encrypting all data on all servers, resulting in a
total, catastrophic loss of all data.
In the aftermath of the incident, the client wants you to review the risk assessment
procedures that were in place and provide a new risk assessment procedure that is ISO
compliant.
They also want you to clearly demonstrate how any new security will still allow Wargrave
College to carry out its normal operations, with a greater emphasis on lessons being
delivered remotely.
To make sure that something like this does not happen again, the client also wants you to
design a suitable security policy, identifying key stakeholders, justifying your plan and the IT
tools selected. The new plan needs to cover a wide range of potential IT threats.
You have been given the current IT Use Policy from Wargrave College, as well as their
current Risk Assessment plan. These documents are given to you in Appendices 1 and 2.
Make sure you study them before attempting this assignment.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
98 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
 As part of your work for PSS, your CEO wants you to put together a presentation on IT
security threats and countermeasures. You will present this to the CEO and four senior
Security Specialists, so that you can demonstrate you have the breadth of knowledge
required to begin to work with larger clients on your own.

Assignment activity and guidance

Activity 1
Produce a formal presentation (with supporting notes) on a review of the range of IT
security threats that are faced by an organisation like Wargrave College, describe and
evaluate the range of countermeasures, both physical and virtual.
Your presentation should include a section on security risks, including:
● a discussion of the different types of security risks to an organisation like Wargrave
College
● an assessment of the organisational security procedures presented in the given scenario
(Appendix 1 – Unit 5 - Current Security Policy for Wargrave College)
● an analysis, with reasons, of the benefits of implementing network monitoring systems.
Your presentation should go on to discuss a range of security countermeasures for the
identified risks, including the following.
● A discussion of the potential security impact of incorrect configuration of:
o firewall policies
o third party VPN clients and servers.
● A discussion, using a specific example from either your research or the Wargrave College
scenario, of how implementing each of the following can improve network security:
o a De-Militarized Zone (DMZ)
o a Static IP
o Network Address Translation (NAT).
● A proposal for a method to assess and treat IT security risks
● An evaluation of the range of countermeasures that can be employed to make sure that
an organisation’s integrity is not compromised. Organisational Integrity could be either
Data Security or Operational Continuance. Make sure you include both physical and
virtual security countermeasures.
You should support any points you make in the presentation with well-chosen examples
from any research you have carried out on related sectors or security scenarios.
Activity 2
Produce a briefing paper that reviews the principles and the benefits of an ISMS used in an
organisation like Wargrave College, and analyse the process of implementing such a system.
Your paper should include a section on an ISMS framework, including the following.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
99
● An examination of the key principles of an ISMS and its relevance to the successful
operation in Wargrave College
● An analysis of the benefits that an effective ISMS can have on Wargrave College
● An assessment and critical analysis of the elements and processes required for
Wargrave College to establish and maintain a more robust ISMS, ensuring that the key
principles are met
● A justification of the steps required for Wargrave College in order to implement an ISMS.
You should support any points you make in the presentation with well-chosen examples
from any research you have carried out on related sectors or ISMS scenarios.
Activity 3
Produce a process review document that assesses the current mechanisms and legislation
for data security within an organisation. Your review should include the following.
● A review of the current risk assessment procedures in Wargrave College. (Appendix 2 –
Unit 5 – Risk Assessment)
● An explanation of data protection processes and regulations, applied to Wargrave
College
● A summary of an appropriate risk-management strategy or applied ISO standard and its
application to IT security at Wargrave College
● An analysis of the possible impact on security at Wargrave College, following the results
of an IT security audit
● A recommendation, with supported reasons, on how the IT security at Wargrave College
can be aligned with its organisational policy. You should detail explicitly the security
impact if there is a misalignment.
You should support any points you make in the report with well-chosen examples from any
research you have carried out on related sectors or ISMS scenarios.
Activity 4
Present a written report to appraise an ISMS for Wargrave College and design a suitable
security policy, based on the supplied evidence and operational requirements. Your report
should include the following.
● A plan of the design of an ISMS for Wargrave College, including an implementation map,
taking into consideration functional and non-functional requirements of the digital
systems
● A suitable security policy, including the main components of a disaster recovery plan for
the college
● Identification and discussion of the stakeholders and their roles in implementing a
security audit
● Justification, with reasons, for the designed security plan, including the selected physical,
virtual and policy elements

Effective assignment design for the Higher Nationals in Computing/Computing for England:
100 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
 ● An appraisal of and justification for the planned ISMS design, against the new IT security
landscape in Wargrave College, auditing the different stages of the process followed
● An analysis of the relationship between ISO and international ISMS standards and the
establishment of an effective ISMS for Wargrave College
● An evaluation of the suitability of the tools used in the security policy designed for
Wargrave College in terms of how it meets their needs
● A critical examination of the advantages and disadvantages of the planned ISMS for the
college, against key and international standards.
You should support any points you make in the report with well-chosen examples from any
research you have carried out on related sectors or projects, as well as the existing scenario
and any associated documentation.

Recommended resources
Please note that the resources listed are examples for you to use as a starting point in your
research – the list is not definitive.

Recommended resources can be found under the following Authorised Assignment Brief:
Unit 5: Security.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
101
Learning Outcomes and Assessment Criteria (Unit 5)

Pass Merit Distinction

LO1 Assess risks to IT security

P1 Discuss types of security M1 Analyse the benefits of LO1 & LO2
risks to organisations. implementing network D1 Evaluate a range of physical
monitoring systems with and virtual security measures
P2 Assess organisational
supporting reasons. that can be employed to ensure
security procedures.
the integrity of organisational IT
LO2 Describe IT security solutions
security.
P3 Discuss the potential M2 Propose a method to
impact to IT security of assess and treat IT security
incorrect configuration of risks.
firewall policies and third-
party VPNs.
P4 Discuss using an
example for each, how
implementing a DMZ, static
IP and NAT in a network
can improve Network
Security.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
102 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
 Pass Merit Distinction
LO3 Review mechanisms to control organisational IT
security
P5 Review risk assessment M3 Summarise an D2 Recommend how IT security
procedures in an appropriate risk- can be aligned with an
organisation. management approach or organisational policy, detailing
ISO standard and its the security impact of any
P6 Explain data protection
application in IT security. misalignment.
processes and regulations
as applicable to an M4 Analyse possible
organisation. impacts to organisational
security resulting from an
IT security audit.
LO4 Manage organisational security.
P7 Design a suitable M5 Justify the security plan D3 Evaluate the suitability of the
security policy for an developed giving reasons tools used in the organisational
organisation, including the for the elements selected. policy to meet business needs.
main components of an
organisational disaster
recovery plan.
P8 Discuss the roles of
stakeholders in the
organisation in
implementing security
audits.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022
103
Learning Outcomes and Assessment Criteria (Unit 32)

Pass Merit Distinction

LO1 Explore the basic principles of information security
management
P1 Examine the key M1 Analyse the benefits LO1 & LO2
principles of an ISMS and an effective ISMS can D1 Critically analyse what is
its relevance to the have on an organisation. required to establish and
successful operation of an maintain an ISMS for a selected
organisation. organisation, ensuring that the
LO2 Critically assess how an organisation can key principles are met.
implement and maintain an Information Security
Management System (ISMS)
P2 Assess the elements M2 Justify the steps
and processes required to required for
establish and maintain an implementing an ISMS for
ISMS. a selected organisation.
LO3 Appraise an ISMS and describe any weaknesses it
may contain
P3 Plan the design of an M3 Justify the planned LO3 & LO4
ISMS for a selected ISMS design for a selected D2 Critically examine the
organisation, including an organisation by following advantages and disadvantages
implementation map. the stages of audit. of the planned ISMS against the
P4 Appraise the planned key ISO and international
ISMS designed, against the standards.
organisational
requirements.
LO4 Examine the strengths and weaknesses of
implementing ISMS standards.
P5 Recognise the purpose M4 Analyse the
of the key ISO and relationship between ISO
international ISMS standards and
standards. establishing an effective
ISMS within an
organisation.

Effective assignment design for the Higher Nationals in Computing/Computing for England:
104 Authorised Assignment Briefs – Issue 1 – August 2022 © Pearson Education Limited 2022