
NSI TAFE

Unit: ITNET202A
Assessment Type: Report
Assessment Number: 2
Type: Case Study
Weighting: 30%
Due Date/Time: Week 11
via Moodle Turnitin

A. Task:
You are to provide a security architectural design for a new, internet-based bank that you are
setting up, having been granted a banking license
legislation recently passed by the Federal Government.

The requirements for this design are described below.

Because you are dealing with a bank, several security concerns at various levels need to be
addressed in your architecture:

1. Compliance with federal and state legislation,

2. Public confidence in your enterprise by providing confidentiality, availability, and integrity
of customer data,

3. Privacy of customer data,

4. Interoperation with other financial institutions, both nationally and internationally,

5. Compliance with international standards,

6. Security of all bank assets,

7. Current trends in customer engagement via the internet

Your design needs to deal with enterprise architectural issues relating to application security,
platform/OS security, network security, and storage security.

The decision has been made to run the IT operations in a Cloud environment.

B. Components you need to deliver:


1. High-level security architecture (SABSA contextual and conceptual levels). I suggest that you
use reference architectures if you can find these. The purpose of this work product is to show
what types of security services you intend to provide, what types of cloud services you will be
using (private, public, hybrid, SaaS, PaaS, IaaS), what types of systems and networking you
will need for the bank. Consider head and branch office systems and networks, ATM and
EFTPOS systems and networks, international links.

You will need to make reasonable assumptions about sizing, capacity, etc. of the various IT
components, and you need to provide a design for best security practice, i.e. cost is less of
an issue than having security exposures and weaknesses.

Banking Application Architecture example only:

2. Detailed (SABSA logical level) security architecture. This will include specific details of what
security services you will provide, what networking you will provide, what application systems
you will be protecting, what tools you will be using.

Indicative example only:

3. Detailed design (SABSA physical level) of your main processing site(s), irrespective of the
use of the Cloud. This will include location, security equipment, networking devices, storage
sizing, management tools, operational components for the detailed security architecture.

4. Costing estimates (labor, hardware, and software, for both implementation and
operation)

5. Planning estimates with enough detail to show estimates at the equipment installation level

6. Resourcing estimates

For these latter components, you would benefit from using the SABSA Framework for Security
Service Management.

C. Approach:
Use the SABSA framework as a guide for your work products. Concentrate on the How, Who
and Where (Process, People, and Location) columns. You will have to do some research about
how an organization like a bank would be running its IT systems and what they would consist of.

D. Deliverable work products:
Included in the set of work products you need to produce are:

1. Business requirements and risk assessments on which you will base your designs.

2. Use cases -
systems, and subsystems, with special emphasis on security interactions.

3. High-level security architectural diagrams and explanatory notes. See point 1. above
under components.

4. High-level logical network diagrams - These should show what security systems you
plan to implement, where they are located in relation to the network, and other IT components. These
should be accompanied by descriptions of the detailed security architectures they depict.

Indicative example only:

5. Description of the security services you are planning to provide, why, and where they will
be located in relation to the IT systems and networks.

6. Equipment lists describing what equipment you will implement to provide these
security services.

E. Submission:
Due date: (Week 11) 15th May 11:55 pm

Format: report, suggested length 20-25 pages (incl. diagrams and tables), in a standard report
format, in a paper-based format.

F. Assessment:
This work is worth 30% of the final subject mark but will be marked out of 100. Marks
will be awarded for:

a. Report format and style - 10

b. Thoroughness and reasonableness of your assumptions - 10

c. Application of use cases to your assumptions - 10

d. Linking of business requirements to your solution - 10

e. Consistency between high-level architecture, detailed architectures, and detailed designs - 10

f. Relevance of your architectures and designs to business requirements and use cases - 15

g. Delivery of all required work products and completeness of your solution - 20

h. Proof of application of security best practice in your solution - 15
