Information Security Management
Information Security Management Assignments
Group Assignment (50%)
Deadline: Thursday 5th December 2013
This task is to be carried out in groups of 3 students (ideally).
The task is to carry out an information security risk assessment for an organization and develop an
Information Security Strategy for that organization. This should include, at least:
•
a prioritized list of the risks identified,
•
a definition of the control objectives that need to be met in order to secure the organization,
•
a list of specific controls that should be put in place, and any relevant guidance on how the
controls should be implemented, along with clear rationales, in terms of costs and benefits,
for the choices that have been made,
•
an outline of the information security policies that should be established,
•
an audit strategy for the controls that have been proposed,
•
a suitable incident response plan.
You should make use of whatever accepted industry or international standards you feel are
appropriate in carrying out this task, but either COBIT 5 or ISO27000 series standards, or a
combination of both are recommended.
If you feel that additional areas need to be addressed in the strategy, then please add them, with a
brief explanation of why.
In selecting an organization to focus on, you may choose a specific organization with which one or
more of your group are familiar, or you may use the University of Salford as an example
organization. In the case where you choose an organization that not all of the group members are
familiar with, you should clearly define the roles that each member of the group will take in the
assignment work, bearing in mind the prior knowledge that each member has.
Individual Assignment (50%)
Deadline: Friday 17th January 2014
This assignment is carried out as an individual.
The task builds on the group assignment, so may be though of as an individual component of the
same assignment. You are asked to:
•
make a critical analysis of the implications of the strategy you have put in place from an
ethical and a legal point of view, identifying key areas where ethical and legal questions
need to be addressed and an analysis of the issues involved, making reference to relevant
laws, regulations and ethical guidelines in order to back up any arguments you make;
•
write a critical analysis of the barriers to implementation of the strategy, and opportunities
for creating a culture of security in the organization;
•
write a reflective report on the process that was employed in the group part of the
assignment, summarizing your own role in the work, indicating areas where you feel you
and the group could have improved on what was done, and reflecting on the lessons you
have learned from the process.
It is recognized that there may not be a “correct” answer in many cases, but marks will be awarded
for demonstrating a clear understanding of the relevant arguments.
