Professional Documents
Culture Documents
MSc in IT Security
University of Central Lancashire
1 Learning Outcomes
This assignment addresses the following learning outcomes from the module syl-
labus: (i) LO1 – Select and use applicable standards and methods for information
security and risk management. (ii) LO3 – Conduct and properly document risk
assessment based on a given scenario. (iii) LO4 – Find and evaluate appropri-
ate published information to remain up-to-date about threats, vulnerabilities and
patches.
2 Assignment Description
This assignment requires you to plan, conduct and document a risk assessment
based on the scenario described in Section 3. You should carefully read the mark-
ing scheme (refer to Section 5) to have a clear perception of what is the expected
content of the risk assessment report you have to deliver and how it will be eval-
uated.
The scenario is described in broad terms, therefore, you may need to make
assumptions and set a scope for the risk assessment; all this has to be documented
in the report. Additionally, any use of published information has to be properly
referenced with in-text citation and a corresponding item in the references list
using the Harvard style1 consistently.
3 Scenario Description
UCLanRE is a new Real Estate agency in Preston, and its current IT infras-
tructure is depicted in Figure 1. The IT infrastructure comprising:
(i) Office personal computers (PCs) running Windows XP for employees; (ii) A
machine running SQL server, which stores all information about customers and
real estates; (iii) A machine running a mail server and stores all emails and at-
tached files. (iv) A machine running an IIS web server hosting the website of
UCLanRE on which users can browse for real estates, register themselves and
contact the employees; (v) All the servers and office PCs are connected to a net-
work switch so that they can communicate with each other. The router serves as a
1 https://libweb.anglia.ac.uk/referencing/files/Harvard_referencing_201718.pdf
1
Figure 1: The IT infrastructure of UCLanRE.
gateway between the internal network and the internet. (vi) Internet Information
Services (IIS, formerly Internet Information Server) is an extensible web server
created by Microsoft.
After some attack incidents and financial loss, the agency realized that it should
carry out a risk assessment and improve its IT infrastructure with security con-
trols.
As you can see, there are no specific hardware and software details given in Figure
1. To avoid working in the entirely same network (and hence copying from each
other), before doing the risk assessment, you have to specify the system parame-
ters and the system boundaries, including the used operating systems, hardware,
software/applications and firmware. Ideally, each of you will work with different
sets of system parameters/scope that you chose or specified.
2
4 Report Structure
To meet the requirements your report must have a professional look. In order to
help you in this regard the following structure is provided as a guideline. The
report must contain the following main sections, however, you are allowed to add
subsections as you find reasonable.
Introduction
Here you will specify the risk assessment method that you use, discuss the
advantages of this risk assessment method. Finally, highlight the certain tasks
that you will perform during the risk assessment on the given system.
Risk Assessment
This section contains the main part (result) of the report, namely, the whole
risk assessment process made on the system in Figure 1, besides your chosen
system parameters. The section can include several sub-sections:
In this section you summarize the main findings and write a non-technical
recommendation (executive summary) for the management/director board, sum-
marizing why they should invest in security and follow the ISO 27001 standards.
Word limit for the report: 2000 words (flexible), excluding the entire bibliog-
raphy list.
You should use Microsoft Word to complete this assignment. If you use a word
processor other than Microsoft Word then you should check to ensure that the
document layout is the same as Microsoft Word. Microsoft Word is available
on the University network. Set up your Word Document with the following:
(i) Margin sizes of 2.54 centimetres (ii) Font of Calibri (iii) Font size of 11 (iv) Line
spacing of 1.15
5 Evaluation Criteria
This assignment has only one deliverable which will be marked according to stu-
dents’ ability to: (i) Plan a risk assessment. (ii) Conduct a risk assessment.
(iii) Documentation.
3
6 Submission
Except where an extension of the hand-in and/or discussion deadline dates have
been approved (based on extenuating circumstances forms), lateness penalties will
be applied in accordance with University policy as shown in Table 1 . Late work
must be submitted to eLearn in the required assignment slot.
(Working) Days Late Penalty
Up to 5 Maximum mark 50%
More than 5 0%
8 Extenuating Circumstances
If you believe that there are circumstances that justify an extension of the hand-in
deadline for assignment work, you are required to use the Extenuating Circum-
stances forms (available online based on the EC request procedure via myU-
CLAN.) Extensions (to a maximum of 10 working days) are granted when there
are serious and exceptional factors outside your control. Everyday occurrences
such as colds and hay fever do not normally qualify for extensions. Where possi-
ble, requests for extensions should be made before the hand-in date.
The school considers extenuating circumstances to be conditions that signifi-
cantly impact on your work. Typically these will cover more than one module.
Requests for consideration of extenuating circumstances in respect of assignment
work submission, should be made using the extenuating circumstances envelope.
You are advised to speak to your Course Leader/pastoral tutors prior to com-
pleting these envelopes. Whilst extenuating circumstances are being considered,
you are advised to inform relevant staff members, and continue with the assign-
ment. Extenuating circumstances should be submitted via MyUCLan.
9 Feedback
Feedback will be given to the class within 15 working days of the assignment final
submission, i.e., 15 working days counting from the due date. This may take
2 http://portal.uclan.ac.uk
4
the format of a generic feedback (within 15 working days) followed by individual
written feedback, or individual feedback using the feedback sheet.
Individual written feedback will be tied to the Learning Outcomes listed in this
assignment brief, together with any additional helpful feedback such as areas of
strength and/or areas for improvement.
10 Plagiarism
12 MARKING SCHEME
To be awarded a failing grade (0, 10, 25, 30, 35, 40, 42, 45) your
work will not have met the required standard.
3 https://www.uclan.ac.uk/study_here/assets/assessment_handbook_1920.pdf
4 https://www.uclan.ac.uk/study_here/assets/university_student_handbook_1819.pdf
5
The following (non-exhaustive) list contains examples that may cause your work
to fail (several of the following points together would lead to a fail).
• Very badly structured, no paragraphs/sections/subsections, or badly struc-
tured, very few (and long) paragraphs/sections/subsections.
• Very badly written/cannot understand/many typos and grammatical issues
• No or very limited in-text citation or not Harvard style at all.
• Unsatisfactory Risk Assessment Plan (incorrect/missing assets, assets cate-
gory, scope, legal issues)
• Unsatisfactory Risk Assessment (incorrect/missing threats, vulnerabilities,
impacts).
• Unsatisfactory Risk Evaluation (incorrect/missing Boston grid calculations)
• Unsatisfactory Management report and Technical Report (very badly written,
incorrect use of technical terms)
To be awarded a pass mark (50, 52, 55, 58) your work will be of a
competent standard.
• Acceptable structure, some paragraphs sections/subsections but still miss
some sections/subsections/paragraphs.
• Acceptable sentences/may contain some typos and grammatical issues/understandable
writing skill.
• Acceptable number and style of in-text citations, but several may be inap-
propriate.
• Satisfactory Risk Assessment Plan (acceptable level of Plan, but may contain
incorrect/missing assets or assets category or scope, or legal issues)
• Satisfactory Risk Assessment (acceptable level of Assessment, but may con-
tain incorrect/missing threats, or vulnerabilities, or impacts)
• Satisfactory Risk Evaluation (acceptable level of Evaluation, but may contain
incorrect/missing Boston grid calculations)
• Satisfactory Management report and Technical Report (acceptable writing
skill, but may contain some incorrect use of technical terms)
Your report structure and writing style (compact/focused) as well as the num-
ber of incorrect or inappropriate risk plan/assessment elements will be used to
determine whether you receive a low (50) or (52), mid (55) or high (58) pass
grade.
6
To be awarded a merit grade (62, 65, 68) your work will be of a
very good standard.
7
• Outstanding/Excellent Risk Evaluation (very good level of Evaluation, with
only very few or no incorrect/missing Boston grid calculations)
• Outstanding/Excellent Management report and Technical Report (very good
writing skill, with only very few or no incorrect use of technical terms)
Your report structure and writing style (professional/compact/focused) will be
used to determine whether you receive a low (74), mid (80), high (87), very high
(94) or exception distinction (100).