Information security managment – Managing a small business security
Assessed intended learning outcomes
On successful completion of this assessment, you will be able to:
A1 – Critically discuss the nature and purpose of information security related risk management and
business continuity planning in an organization, including the importance of quantifying risks and
assessing the costs and benefits of putting in place risk management measures.
A2 – Explain the purpose and role of information security policies in an organization and their
relationship to auditing.
A3 – Critically discuss the issues and problems arising in and from the introduction and implementation
of information security policies within organizations, strategies for overcoming these, ethical and legal
considerations, and mechanisms for ensuring that policies have been successfully embedded in the
organization.
Assessment Brief 2
A4 – Explain and critically evaluate the relevance of standards legislature, certifications and
accreditations in the area of information security, the standardization process, and the nature and roles
of the various standards organizations.
Word count
Your assessment should not exceed 3000+10% words (i.e. 3300 words) in total. The standard
penalty is applied for exceeding the maximum word count of 3300 words. The number of words
per section is not pre-scribed; you are expected to use your own judgement.
The title, contents page, and very brief introduction are not included in the word count. The
quoted headings, control names, and phrases etc from any of the standards will not count
towards the word count, – put these in italic, and quote when in-sentence.
In-document forward and backward references, as well as external references, are not included
in the word count.
Figures and diagrams are not counted in the word count where brief labels are used in the
diagram/figure. Those with longer embedded descriptions will be counted.
Assessment task details and instructions
Task – A Small Business Security Project
Introduction
You are working for a very small company, El San Networks n’ Stuff (ESNnS), which advertises
itself as providing system, network, and payment solutions, amongst other things. The
company has just set up, and the director has employed you as its sole Information Security
expert who has training across the field of information security and information security
management.
ESNnS, being new, has no formal procedures yet laid out for anything.
ESNnS has just been contracted by a company, Good Farm Shops (GFS), to provide them support
in setting up an integrated electronic payment system for their shops.
About Good Farm Shops (GFS)
GFS is a collection of 3 farm shops spread across a county.
The farm shops sell a variety of products from the local farms and has a rapidly growing
customer base. To date they have only been able to take cash payments from customers, but
now they have plans to become more organised and expand.
To this end they have contracted with ESNnS to develop a solution and have agreed the
following high-level requirements:
Assessment Brief 3
• GFS want to keep track of all purchases electronically for stock taking and to see
demand at any of the shops at any instance.
• GFS want to be able to accept payment by debit/credit card and related smart
payment.
• GFS want to introduce a membership card for customers.
The Understanding
Additionally, the following understanding was gathered and the following notes were made by
ESNnS on the discussion with GFS:
Customers who make payment with a membership card will have all their purchases tracked,
and in return are awarded special deals and discounts for their loyalty. This is tied with the
customer’s private information – their personal identifying information.
The GFS chief manager does not want to keep travelling between shops to take stock of what is
being sold so information on the three shops’ purchases etc. will be integrated together at one
site, for simplicity and security, and so that everything can be monitored from one place. There
is plenty of spare space on one site that is suitable for secured computer systems.
GFS are interested in keeping their systems in-house as much as possible. They are wary of
employing cloud systems for any part of the infrastructure. This should be no worry as GFS are
looking for a fairly minimal solution.
The core database where membership data is stored along with all core purchases etc. can be at
one site.
GFS would prefer not to employ any additional staff to manage the proposed solution, though
GFS staff may have to undergo training in certain areas.
GFS will have no technician / administrator to manage the site, – ESNnS should be able to
remotely administer and maintain the network and systems.
A check has shown that there will be no problem getting suitable reliable internet access at any
of the sites.
On developing a suitable plan and proposed solution, it’s highly likely that GFS will follow up and
ask ESNnS to implement and maintain their system which will be a lucrative deal for ESNnS.
Task:
Your part of developing the solution is to produce a report on the underlying information and
security technologies – systems and networks, – other aspects, and their compliance with
PCIDSS, CIS CSCs best practices, and GDPR. This will then feed back into a larger study, including
costings, that GFS will produce internally to be used to further pursue the business opportunity.
Complete a report that comprises the following parts:
1. Design Outline (20%)
Assessment Brief 4
2. Threat (10%)
3. Compliance with PCI-DSS Requirements (30%)
4. CIS Critical Security Controls (v8) (20%)
5. Compliance with GDPR (10%)
6. Conclusions and Recommendations (10%)
Each part may have subsections, which should be suitably named. Numbering of sections and
subsections is encouraged for better navigation and in-document referencing.
Use forward and backward references within your document where appropriate
to indicate where related matters are covered.
Consider throughout, best practices relating to:
– Intrusion Detection and Prevention, including firewalls
– Access Control and Management
– Security in transit and in storage
– Backups and Business Continuity planning
– Key management and access
Design Outline (20%)
Design and architect a payment system for GFS to cover the 3 sites.
List and detail the technologies and solutions that you would choose.
Present a logical connectivity/network diagram that covers the 3 sites and detail how it would
operate. More than one diagram might be useful to show different aspects without crowding
one diagram.
Threat (10%)
What are the main threats against this solution, including the risk to information? Reference
external sources which indicate the most likely threats against this sort of business.
Compliance with PCI-DSS (30%)
Detail what is required, technically and non-technically (each where there is an appropriate
response) for each of the 12 PCI-DSS requirements. Where useful, use of diagrams and/or
figures is encouraged.
CIS Critical Security Controls (20%)
There are 56 Safeguards (‘Sub-Controls’) for CIS CSC Implementation Group 1 (IG1) which are
known as providing basic cyber hygiene against the most common attacks.
For each CIS Critical Security Control which has a IG1 Safeguard, briefly detail a solution. –
Address at least one IG1 Safeguard per control.
Assessment Brief 5
Notes: Use CIS Controls version 8. Only 15 of the 18 CSCs have an IG1 Safeguard.
Compliance with GDPR (10%)
Identify and detail how the solution will be compliant with GDPR. Reference best-practice.
Conclusions and Recommendations (10%)
This may include main points which are considered of importance, main points for ourselves
(ESNnS), or main points to pass on to GFS. This is your opportunity to use your judgement as an
expert and add further value.
Do not repeat anything stated elsewhere in the report but add new value here.
Use references where useful.
