
ASSESSMENT TASKS

BSBXCS404 - Contribute to cyber security risk management

This study source was downloaded by 100000836533786 from CourseHero.com on 12-13-2021 22:36:32 GMT -06:00

https://www.coursehero.com/file/120380398/BSBXCS404-Attempt1pdf/
Assessment 1 - Knowledge Assessment (Written Tasks)

1.1 Answer the following questions:

a) Identify the data protection legislation applicable in your state.


In NSW, the Privacy and Personal Information Protection Act 1998 protects privacy rights by making
sure that personal information is properly collected, stored, used or released by NSW public
sector agencies via the Information Protection Principles (IPPs). It gives individuals the right to see
and ask for changes to be made to their personal or health information. It also allows them to make a
complaint to the NSW Privacy Commissioner if they believe a NSW public sector agency has
misused their personal information or breached one of the IPPs.

b) When must an organization or agency notify affected individuals and the Office of the
Australian Information Commissioner (OAIC) according to Notifiable Data Breach
legislation and Privacy Act 1988? Answer using 20-40 words.
A data breach happens when personal information is accessed or disclosed without
authorisation or is lost. Under the Privacy Act 1988, organisations must notify affected individuals
and the OAIC when a data breach involving personal information is likely to result in serious harm,
immediately after detection.

c) Identify five (5) examples of serious harm under the Notifiable Data Breaches scheme?
• a device with a customer’s personal information is lost or stolen
• a database with personal information is hacked/leaked
• a database of an organisation’s employee details is leaked
• sensitive government information is leaked
• a health record of an individual, or held by a medical service provider, is breached
• financial details of an individual or a finance organisation are hacked

d) What are the seven (7) principles of the General Data Protection Regulation (GDPR)?
Principle (a) – lawfulness, fairness and transparency
Principle (b) – purpose limitation
Principle (c) – data minimization
Principle (d) – accuracy
Principle (e) – storage limitation
Principle (f) – integrity and confidentiality
Accountability principle

1.2 Answer the following questions:
a) What is the purpose of attending regular organizational training in cybersecurity risk
management strategies? Answer using 30-60 words.
• Confident staff - By holding official Security Awareness Training, the team can feel confident
using the technology they need to. They'll know what to do and what not to do to help protect
the business.
• Better culture - Being informed creates a better workplace culture. By establishing data security
as a priority, employees can help keep each other accountable for best practices and support
each other in safe technology use.
• Save money - Combining a confident team with a data security-conducive culture will save your
company money.
• Save time - One of the hidden costs of data breaches is the time lost trying to fix them and recover.
Similar to the cost saved, one can also save time by implementing training on security awareness.
• Better security - The biggest benefit of holding a training session on security awareness is better
security.

b) What is the purpose of a regular cybersecurity threat assessment? Answer using 30-60
words.
Regular cybersecurity threat assessments assist the network in many ways:
1. They keep the network more secure.
2. They help prevent hidden or pre-planned network breaches, malware or spyware attacks.

c) Explain what a cybersecurity incident response plan is using 30-60 words.


An incident response plan is a documented, written plan with 6 distinct phases that helps IT
professionals and staff recognise and deal with a cybersecurity incident such as a data breach or
cyber-attack. Properly creating and managing an incident response plan involves regular updates
and training. The incident response phases are:

1. Preparation - Employees are trained and regular drills are held.
2. Identification - When it happened, how it was discovered, areas affected, scope of work, has the
source been discovered?
3. Containment - Delete the affected portion if possible or isolate the problem/affected portion,
disconnect the unaffected network, and update software or apply patches.
4. Eradication - Eradicate the malware using expert help.
5. Recovery - The process of restoring and returning affected systems and devices to the
business environment.
6. Lessons Learned - Prepare a detailed incident report for future reference.

d) Why should escalation routes to senior levels be clear, efficient and effective? Answer
using 30-60 words.
At the time of a cyberspace breach, the line of command to senior staff or experts needs to be very
clear. It helps in:
1. Identifying, isolating and eradicating the breach faster
2. Minimising the breach/loss of stakeholder and customer data

1.3 Answer the following questions:

a) What are the two (2) types of risk management methodologies for assessing, analyzing
and reviewing cybersecurity risks?
There are two main types of risk assessment methodologies: quantitative and qualitative.
A qualitative risk assessment is less about numbers and more about what would actually
happen, day-to-day, if one of the risks on your list were to occur. A qualitative security
risk assessment methodology is performed by talking to members of different
departments or units and asking them questions about how their operations would be
impacted by an attack or a breach, specifically, how a team’s productivity would
be affected if they couldn’t access specific platforms, applications, or data. These
interviews will show an assessor which systems and platforms are mission-critical for
specific teams, and which aren’t.

A quantitative risk assessment, by contrast, is straightforward and numbers-based. To conduct a
quantitative risk assessment, a team uses measurable data points to assess and quantify
risk. This type of assessment is used to answer questions that need to be answered in
numbers, such as "How many records will be exposed if we experience a breach?" or
"How will this risk affect our bottom line?" It enables boards to compare the costs of
security controls with the value of the data that those controls protect.

b) Identify four (4) reasons why developing communication plans are critical risk
management processes.
Developing a communication plan can sometimes be critical, for the following reasons:
1. A communication plan involves assigning responsibilities to different stakeholders,
including suppliers. Reaching the appropriate stakeholder at all times can be difficult.
2. Lack of proper distribution of the communication plan among all the stakeholders may
cause chaos and mismanagement at the time of a breach.
3. Communication management plans are usually complicated, as different problems/
issues are usually dealt with by different stakeholders, so the communication process is
usually lengthy and time consuming.
4. The communication process can be expensive when it comes to critical problems, so
meeting budgetary requirements at the time of fault rectification needs a budget that is
already approved, which can sometimes be critical.

c) What are the eight (8) steps you should consider when developing communication
plans?
1. Demography
2. Organizational structure
3. Network architecture
4. Stakeholder, supplier and vendors involved
5. Budgetary requirement
6. First point of contact when breach/fault occurs
7. A guideline/detailed incident report directory which can help at the time of a breach.
8. A hierarchy/diagram/flowchart clearly showing whom to contact for different types of
incident.

d) Identify five (5) phases included in evaluating the effectiveness of cybersecurity risk
management.
1. Benchmarking the current methodology against best practice in the market.
2. Checking the effectiveness by self-generated drills or simulated breaches.
3. Regular audit of the current risk management strategy by internal/external RM
experts.
4. Updating the RM strategy as per feedback from experts/suppliers/vendors/customers when it is
required.
5. Implementing the updated RM strategy and creating awareness among staff.

e) Explain the term risk-based monitoring in cybersecurity risk management using 30-60
words.
A risk-based approach to cybersecurity means considering risk above all other
factors. Risk-based security teams are more concerned with reducing their
organisation’s real exposure to cyber-attack and data breach than they are about
checking boxes or passing audits.

A risk-based approach to cybersecurity is also proactive rather than reactive. Instead of
focusing on incident response, this approach is likely to invest heavily in testing, threat
intelligence, and prevention.

Finally, this approach is inherently realistic. The goal of a risk-based cybersecurity
program is meaningful risk reduction, not 100% security.

f) Why is maintaining the currency of the risk register important in cybersecurity risk
management? Answer using 30-60 words.
Failing to update the risk register is a pitfall for two reasons. One, the risk register will not
be as effective due to it being out-of-date. Two, the project team will not mature as
quickly in risk management practices if they do not practice regularly.

1.4 Answer the following questions:

a) What are considered suitable procedures in an organization to incorporate industry-specific
knowledge and practices in managing cybersecurity risks? Answer using 30-60 words.
Industry best practices in managing cyber security risks are:
1. Using up-to-date network firewalls and anti-virus software.
2. Arranging cyber security awareness campaigns and making a clear communication plan for
risk situations.
3. Implementing secure login, password protection and authentication both at the office and at
home.

b) Identify five (5) procedures to manage cybersecurity risks.
1. Identify information assets.
2. Locate information assets.
3. Classify information assets.
4. Conduct a threat modelling exercise.
5. Finalize data and start planning.

1.5 Answer the following questions:

a) Why is it important to update technology in an organization? Answer using 30-60
words.
Reasons: a) old technology cannot compete against new threats; b) staff may not
act as quickly in risk incidents if they work in an old technological environment.

b) Identify five (5) guidelines for updating technology in an organization.
1. Investigate technologies that will solve problems for your company.
2. Assemble an implementation team to champion the new technology once you've
chosen it.
3. Implement the technology through a pilot program to work out kinks and gain buy-in.
4. Train your employees to use the new tool.
5. Launch, fine-tuning the tool to fit your needs as you go.

1.6 Answer the following questions:

a) When should business process design principles be applied concerning risk
management? Answer using 30-60 words.
Process design is the act of transforming an organization’s vision, goals, and available resources
into a discernible, measurable means of achieving the organization’s vision. Process design
needs to start at the time of business planning/network planning.

b) What are the three (3) key aspects behind business process design principles?
1. Adding value for the customer.
2. Reduction of risk management delays.
3. Simplicity in business/network process standardization.

c) Identify five (5) business process design principles concerning risk management.
1. Identify and analyze the risk
2. Evaluate the rank of the risk
3. Monitor and review the risk
4. Treat the risk
5. Update business process design with new lessons learnt.

1.7 Answer the following questions:

a) Explain what cybersecurity maturity is using 30-60 words.
Cyber security maturity focuses on specific controls that protect critical assets, infrastructure,
applications, and data by assessing the organization’s defensive posture. Cyber security is mature
when it emphasises operational best practices for each control area, as well as the
organizational effectiveness and maturity of internal policies and procedures.

b) Identify three (3) reporting mechanisms for tracking organizational cybersecurity
maturity.
a. Partial – Requirement is not implemented, is partially progressed or is not
well understood across the entity.
b. Substantial – Requirement is largely implemented but may not be fully
effective or integrated into business practices.
c. Full – Requirement is fully implemented and effective and is integrated, as
applicable, into business practices.

