Information Security Strategy Development

Assignment Brief
As part of the formal assessment for the programme you are required to submit an
Information Security Strategy Development assignment. Please refer to your Student
Handbook for full details of the programme assessment scheme and general information on
preparing and submitting assignments.
Learning Outcomes:
After completing the module, you should be able to:
1) Evaluate the basic external and internal threats to electronic assets and
countermeasures to thwart such threats by utilising relevant standards and best
practice guidelines.
2) Analyse the legalities of computer forensics phases and the impact of the legal
requirements on the overall information security policy.
3) Critically assess the boundaries between the different service models (SaaS, PaaS,
IaaS) and operational translations (i.e. cloud computing) and to identify the associated
risks.
4) Critically investigate a company information security strategy to provide consultation
and coaching through reporting and communication.
5) Assess, compare and judge computer media for evidentiary purposes and/or root
cause analysis.
6) Apply relevant standards, best practices and legal requirements for information security
to develop information security policies.
7) Lifelong Learning: Manage employability, utilising the skills of personal development
and planning in different contexts to contribute to society and the workplace.
Your assignment should include: a title page containing your student number, the module
name, the submission deadline and a word count; the appendices if relevant; and a
reference list in Arden University (AU) Harvard format. You should address all the elements
of the assignment task listed below. Please note that tutors will use the assessment criteria
set out below in assessing your work.
Maximum word count: 2,500 words
Please note that exceeding the word count will result in a reduction in grade proportionate to
the number of words used in excess of the permitted limit.
You must not include your name in your submission because Arden University operates
anonymous marking, which means that markers should not be aware of the identity of the
student. However, please do not forget to include your STU number.
This assignment is worth 50% of the total marks for the module.
Using your current or previous workplace1 as the case study, please answer the
following:
1) Critically analyse the different types of software acquisition models and try to relate that
to those systems you are using at your workplace. [LO3]
(10 marks)
2) Do you have a handbook that describes the policies, processes, and procedures in
place? Evaluate the security strategy in that handbook for network activity monitoring,
for instance? What are the issues missing in the handbook? You need to discuss the
legal issues raised by this handbook as many companies consider a handbook as part
of the contract. [LO4]
(20 marks)
3) What is the information security strategic plan in place and how it is implemented?
[LO4, LO6]
(10 marks)
4) Analyse the external and internal threats to information systems in your workplace and
show how your security strategy should protect against those threats. Report your risk
assessment methodology in a flowchart-like figure. You can have a look at Stoneburner
(2002) work to understand how you should relate all the activities together. Please do
not copy the work from (Stoneburner, 2002) as you need to compile your own risk
assessment methodology as part of your security strategy plan. You also need to
discuss how you are going to manage the identified risks. [LO1, LO5]
(20 marks)
5) Critically analyse the access control strategy? If you are to rewrite that part of your
security plan, what would you change? Why? What sort of a strategy you will use here?
proactive or reactive? Justify your answer. [LO4, LO6]
(20 marks)
6) What do you recommend for a proper incident management strategy? How would you
implement it? Hint: Stakeholders and role responsibilities. [LO4, LO6, LO7]
(10 marks)
7) Compile a brief security strategy that suits the business requirements as well as the
security requirements of this workplace. [LO4, LO6, LO7]
(10 marks)