
CO4512 - Information Security Management

MSc in IT Security
University of Central Lancashire

Assignment: Risk Assessment Report

Module Leader: Dr. Ahmed Abubahia

Available from: March 02, 2020


Submission due date: 24/04/2020, 11:59pm.
Submission deadline is extended to: 29/04/2020, 11:59pm.
Weighting: 50% of the module.
Word limit: 2000 words.

1 Learning Outcomes

This assignment addresses the following learning outcomes from the module syllabus: (i) LO1 – Select and use applicable standards and methods for information security and risk management. (ii) LO3 – Conduct and properly document a risk assessment based on a given scenario. (iii) LO4 – Find and evaluate appropriate published information to remain up-to-date about threats, vulnerabilities and patches.

2 Assignment Description

This assignment requires you to plan, conduct and document a risk assessment based on the scenario described in Section 3. You should carefully read the marking scheme (refer to Section 5) to have a clear perception of the expected content of the risk assessment report you have to deliver and how it will be evaluated.
The scenario is described in broad terms; therefore, you may need to make assumptions and set a scope for the risk assessment, and all of this has to be documented in the report. Additionally, any use of published information has to be properly referenced with an in-text citation and a corresponding item in the references list, using the Harvard style (see footnote 1) consistently.

3 Scenario Description

UCLanRE is a new Real Estate agency in Preston, and its current IT infrastructure is depicted in Figure 1. The IT infrastructure comprises:
(i) Office personal computers (PCs) running Windows XP for employees; (ii) A machine running SQL server, which stores all information about customers and properties; (iii) A machine running a mail server, which stores all emails and attached files; (iv) A machine running an IIS web server hosting the website of UCLanRE, on which users can browse properties, register themselves and contact the employees; (v) All the servers and office PCs are connected to a network switch so that they can communicate with each other. The router serves as a gateway between the internal network and the internet. (vi) Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft.
After some attack incidents and financial loss, the agency realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.

Figure 1: The IT infrastructure of UCLanRE.

1 https://libweb.anglia.ac.uk/referencing/files/Harvard_referencing_201718.pdf

3.1 Your task

In this assignment you have to:

1. Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.
2. Write a detailed risk assessment report (see Section 4 for the required structure).

3.2 Flexibility of the software/hardware/firmware parameters

As you can see, no specific hardware or software details are given in Figure 1. To avoid everyone working on exactly the same network (and hence copying from each other), before doing the risk assessment you have to specify the system parameters and the system boundaries, including the operating systems, hardware, software/applications and firmware in use. Ideally, each of you will work with a different set of system parameters/scope that you have chosen or specified.
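The risk evaluation step that the task above asks for (the "Boston grid calculations" named in the marking scheme), as an added Python example that is not part of the assignment brief: it scores a constructed risk register for the Figure 1 assets on a likelihood x impact grid and ranks the entries for treatment. The 1..5 scales, the Low/Medium/High band thresholds and the risk-appetite cut-off are assumptions; the register entries and their scores are illustrative, not findings.

```python
from dataclasses import dataclass

# Boston grid (likelihood x impact) as used in an ISO 27005-style risk
# evaluation. Assumed: both scales run 1 (lowest) to 5 (highest) and the
# product falls into one of three bands (thresholds are an assumption).
BANDS = ((1, 5, "Low"), (6, 12, "Medium"), (13, 25, "High"))


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1..5
    impact: int      # 1..5

    def score(self) -> int:
        """Grid cell value; rejects out-of-scale inputs instead of scoring them."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact

    def band(self) -> str:
        s = self.score()
        return next(name for lo, hi, name in BANDS if lo <= s <= hi)


def evaluate(register, appetite=6):
    """Rank risks highest-first; flag those above the accepted appetite
    (assumed: any score above 6 needs a treatment decision)."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), r.band(), r.score() > appetite)
            for r in ranked]


# Constructed sample register for the UCLanRE scenario; values are illustrative.
SAMPLE = [
    Risk("Office PCs (Windows XP)", "Malware infection via email attachment", 4, 4),
    Risk("SQL server", "Unauthorised access to customer records", 3, 5),
    Risk("Mail server", "Loss of stored emails and attachments", 2, 4),
    Risk("IIS web server", "Website defacement or compromise", 3, 3),
    Risk("Router/switch", "Misconfiguration exposing the internal network", 2, 3),
]

if __name__ == "__main__":
    for asset, threat, score, band, treat in evaluate(SAMPLE):
        action = "TREAT" if treat else "accept"
        print(f"{score:>2} {band:<6} {action:<6} {asset}: {threat}")
```

The ranked table is the input to the treatment decisions and to the management summary the report structure in Section 4 asks for.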

4 Report Structure

To meet the requirements your report must have a professional look. In order to help you in this regard the following structure is provided as a guideline. The report must contain the following main sections; however, you are allowed to add subsections as you find reasonable.

Introduction

Here you will specify the risk assessment method that you use and discuss the advantages of this risk assessment method. Finally, highlight the particular tasks that you will perform during the risk assessment on the given system.

Risk Assessment

This section contains the main part (result) of the report, namely the whole risk assessment process made on the system in Figure 1, together with your chosen system parameters. The section can include several sub-sections:

Summary and Recommendations

In this section you summarize the main findings and write a non-technical recommendation (executive summary) for the management/director board, summarizing why they should invest in security and follow the ISO 27001 standards.
Word limit for the report: 2000 words (flexible), excluding the entire bibliography list.
You should use Microsoft Word to complete this assignment. If you use a word processor other than Microsoft Word then you should check to ensure that the document layout is the same as in Microsoft Word. Microsoft Word is available on the University network. Set up your Word document with the following: (i) Margin sizes of 2.54 centimetres (ii) Font of Calibri (iii) Font size of 11 (iv) Line spacing of 1.15

5 Evaluation Criteria

This assignment has only one deliverable, which will be marked according to students' ability to: (i) Plan a risk assessment. (ii) Conduct a risk assessment. (iii) Documentation.

6 Submission

The risk assessment report should be submitted as a .docx to the appropriate assignment submission slot on eLearn (see footnote 2) by the due date. All references and in-text citations in the report should follow the Harvard style of referencing.

7 Penalties for Late Submission

Except where an extension of the hand-in and/or discussion deadline dates has been approved (based on extenuating circumstances forms), lateness penalties will be applied in accordance with University policy as shown in Table 1. Late work must be submitted to eLearn in the required assignment slot.

Table 1: Penalties for late submission

(Working) Days Late    Penalty
Up to 5                Maximum mark 50%
More than 5            0%

8 Extenuating Circumstances

If you believe that there are circumstances that justify an extension of the hand-in deadline for assignment work, you are required to use the Extenuating Circumstances forms (available online based on the EC request procedure via myUCLan). Extensions (to a maximum of 10 working days) are granted when there are serious and exceptional factors outside your control. Everyday occurrences such as colds and hay fever do not normally qualify for extensions. Where possible, requests for extensions should be made before the hand-in date.
The school considers extenuating circumstances to be conditions that significantly impact on your work. Typically these will cover more than one module. Requests for consideration of extenuating circumstances in respect of assignment work submission should be made using the extenuating circumstances envelope. You are advised to speak to your Course Leader/pastoral tutors prior to completing these envelopes. Whilst extenuating circumstances are being considered, you are advised to inform relevant staff members and continue with the assignment. Extenuating circumstances should be submitted via MyUCLan.

9 Feedback

Feedback will be given to the class within 15 working days of the assignment final submission, i.e., 15 working days counting from the due date. This may take the format of generic feedback (within 15 working days) followed by individual written feedback, or individual feedback using the feedback sheet.
Individual written feedback will be tied to the Learning Outcomes listed in this assignment brief, together with any additional helpful feedback such as areas of strength and/or areas for improvement.

2 http://portal.uclan.ac.uk

10 Plagiarism

The University operates an electronic plagiarism detection service (Turnitin) where your work will be automatically uploaded, stored and cross-referenced against other material. You should be aware that the software searches the World Wide Web, extensive databases of reference material and work submitted by members of the same class to identify duplication.
To avoid accusations of plagiarism, give an in-text citation and provide bibliographic details of any source used in the references list. Remember that you can reuse ideas from different sources but not literal text.
Plagiarism is not acceptable and you will face consequences when it is detected by Turnitin. For detailed information on the procedures relating to plagiarism, please see the current version of the University Academic Regulations.

11 Reassessment and Revision

Reassessment in written examinations and coursework is at the discretion of the Course Assessment Board and is dealt with strictly in accordance with University policy and procedures. Revision classes for referrals will take place during 'reassessment revision, appeals and guidance week' as marked on the academic calendar.
The mark for the reassessed module is subject to a maximum of 50%.
For more information and further guidance regarding Sections 7-11, please refer to the Assessment Handbook (see footnote 3) and Student Handbook (see footnote 4).

3 https://www.uclan.ac.uk/study_here/assets/assessment_handbook_1920.pdf
4 https://www.uclan.ac.uk/study_here/assets/university_student_handbook_1819.pdf

12 MARKING SCHEME

To be awarded a failing grade (0, 10, 25, 30, 35, 40, 42, 45) your work will not have met the required standard.
The following (non-exhaustive) list contains examples that may cause your work to fail (several of the following points together would lead to a fail).
• Very badly structured, no paragraphs/sections/subsections, or badly structured, very few (and long) paragraphs/sections/subsections.
• Very badly written/cannot understand/many typos and grammatical issues.
• No or very limited in-text citation, or not Harvard style at all.
• Unsatisfactory Risk Assessment Plan (incorrect/missing assets, asset categories, scope, legal issues).
• Unsatisfactory Risk Assessment (incorrect/missing threats, vulnerabilities, impacts).
• Unsatisfactory Risk Evaluation (incorrect/missing Boston grid calculations).
• Unsatisfactory Management Report and Technical Report (very badly written, incorrect use of technical terms).

To be awarded a pass mark (50, 52, 55, 58) your work will be of a competent standard.
• Acceptable structure, some paragraphs/sections/subsections but still missing some sections/subsections/paragraphs.
• Acceptable sentences/may contain some typos and grammatical issues/understandable writing skill.
• Acceptable number and style of in-text citations, but several may be inappropriate.
• Satisfactory Risk Assessment Plan (acceptable level of Plan, but may contain incorrect/missing assets or asset categories or scope, or legal issues).
• Satisfactory Risk Assessment (acceptable level of Assessment, but may contain incorrect/missing threats, or vulnerabilities, or impacts).
• Satisfactory Risk Evaluation (acceptable level of Evaluation, but may contain incorrect/missing Boston grid calculations).
• Satisfactory Management Report and Technical Report (acceptable writing skill, but may contain some incorrect use of technical terms).
Your report structure and writing style (compact/focused) as well as the number of incorrect or inappropriate risk plan/assessment elements will be used to determine whether you receive a low (50 or 52), mid (55) or high (58) pass grade.

To be awarded a merit grade (62, 65, 68) your work will be of a very good standard.
• Good structure, some paragraphs/sections/subsections but still missing a small number of sections/subsections/paragraphs.
• Good sentences/may contain few typos and grammatical issues/good writing skill.
• Good number and style of in-text citations, but few of them may be inappropriate.
• Good Risk Assessment Plan (good level of Plan, but may contain few incorrect/missing assets or asset categories or scope, or legal issues).
• Good Risk Assessment (good level of Assessment, but may contain few incorrect/missing threats, or vulnerabilities, or impacts).
• Good Risk Evaluation (good level of Evaluation, but may contain few incorrect/missing Boston grid calculations).
• Good Management Report and Technical Report (good writing skill, but may contain few incorrect uses of technical terms).
Your report structure and writing style (professional/compact/focused) as well as the number of incorrect or inappropriate risk plan/assessment elements will be used to determine whether you receive a low (62), mid (65) or high (68) merit grade.

To be awarded a distinction grade (74, 80, 87, 94, 100) your work will be of an excellent standard.
• Outstanding/Excellent structure, some paragraphs/sections/subsections.
• Outstanding/Excellent sentences/may contain very few/no typos and grammatical issues/very good writing skill.
• Outstanding/Excellent number and style of in-text citations, only very few or none of them are inappropriate.
• Outstanding/Excellent Risk Assessment Plan (very good level of Plan, with only very few or no incorrect/missing assets, asset categories, scope, and legal issues).
• Outstanding/Excellent Risk Assessment (very good level of Assessment, with only very few or no incorrect/missing threats, vulnerabilities, and impacts).
• Outstanding/Excellent Risk Evaluation (very good level of Evaluation, with only very few or no incorrect/missing Boston grid calculations).
• Outstanding/Excellent Management Report and Technical Report (very good writing skill, with only very few or no incorrect uses of technical terms).
Your report structure and writing style (professional/compact/focused) will be used to determine whether you receive a low (74), mid (80), high (87), very high (94) or exceptional distinction (100).
