
Details of Assessment

Term and Year:
Time allowed:
Assessment No: 1 of 2
Assessment Weighting: 60%
Assessment Type: Case Study - Report
Due Date:
Room:

Details of Subject
Qualification: ICT40118 Certificate IV in Information Technology
Subject Name: Cyber Security

Details of Unit(s) of competency
Unit Code(s) and Names: ICTICT424 Address Cyber Security Requirements

Details of Student
Student Name:
College Student ID:

Student Declaration: I declare that the work submitted is my own and has not been copied or plagiarised from any person or source. I acknowledge that I understand the requirements to complete the assessment tasks. I am also aware of my right to appeal. The feedback session schedule and reassessment procedure were explained to me.

Student’s Signature: ____________________ Date: _____/_____/_________

Details of Assessor
Assessor’s Name

Assessment Outcome
Assessment Result: Competent / Not Yet Competent
Marks: /60
Feedback to Student
Progressive feedback to students, identifying gaps in competency and comments on positive improvements:
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________

Assessor Declaration: I declare that I have conducted a fair, valid, reliable and flexible assessment with this student.

Student attended the feedback session.
Student did not attend the feedback session.

Assessor’s Signature: ___________________ Date: _____/_____/________

Purpose of the Assessment

The purpose of this assessment is to assess the student in the following learning outcomes, each marked Competent (C) or Not Yet Competent (NYC):

Performance Criteria: ICTICT424

1.1 Identify and document valuable assets to create register of valuable assets
1.2 Perform threat and risk assessment on valuable assets register to identify and document cyber security requirements
1.3 Review current cyber security controls against the cyber security requirements to identify cyber security gaps
2.1 Identify cyber security controls which address cyber security gaps
2.2 Determine specific cyber security controls to address cyber security gaps against the organisation’s risk appetite
2.3 Seek feedback from organisational representative and agree on cyber security controls to implement
2.4 Implement, test and document agreed cyber security controls to address cyber security gaps
2.5 Seek feedback from organisational representative to identify discrepancies between cyber security controls and cyber security requirements
3.1 Determine currency of valuable assets register to identify new valuable assets and changed threats and risks
3.2 Identify, determine, and agree on cyber security controls to address new cyber security gaps
3.3 Implement and document new and modified cyber security controls to address cyber security gaps

Table of Contents
1. Introduction
2. Asset register
3. Threat and risk assessment of current asset
4. Cyber security requirements of current asset
5. Current cyber security controls
6. Identify cyber security gaps
7. New Cyber Security controls to address the gaps
8. Feedback on the Cyber Security controls
9. Sign off Form for Implementation
10. Cyber Security Implementation and Testing
11. New Assets
12. New Asset threat and risk assessment
13. Identify Cyber Security Gaps on new assets
14. Implement and document new cyber security controls to address cyber security gaps
15. Conclusions
16. Reference

1. Introduction

Devon Accounting is a medium-sized accounting firm located in Sydney that offers tools and technologies to prepare a wide range of government forms, including individual, sole trader, partnership, trust and company returns. They also provide a wide range of small business accounting services, including bookkeeping, financial statement preparation, tax planning, and advice.

This report is designed to address common issues at Devon Accounting. The company has a good networking system, but there are still multiple cyber security issues: a lack of available network connections for meeting members, locating virus-infected systems is a very time-consuming process, and the company is unable to secure its data.

To address all these issues, cyber security needs to be implemented in the company to provide security and efficiency. Only cyber security can reduce all these issues in the company.

Cyber security solutions give a business digital protection that ensures its employees are not at risk. Viruses can slow PCs down to a crawl, making work practically impossible. Effective cyber security eliminates this possibility, maximising the business' potential output. If we can show that our business is effectively protected against a wide range of cyber breaches, we can inspire trust in our customers that their personal data will not be compromised [1].

2. Asset Register

The devices and software platforms connected to our network are as follows:
• PCs and laptops: HP 24-F0130A 23, HP Pavilion 590-P0082A, Lenovo Idea Centre 510S-02, Inspiron Small Desktop, Vostro Small Desktop, Lenovo Idea Centre 510, Lenovo ThinkPad E590, iMac.
• Operating system: Windows 7, Windows 7 Pro, Windows 10, Windows 10 Pro, macOS Catalina.
• MS Office: Office 365, Office 2013, Google Docs.
• Antivirus: AVG, Norton, Avast, Scan Guard.
• Infrastructure Devices: server01 (Dell) model: PowerEdge T100 II, server02 (HP) model: ML350 Gen10.
• UPS: APC SMC1000I SMART-UPS C 1000VA LCD 230V.
• Switches: S3900-48T4S, Stackable Managed Switch with 4 10 GB SFP+ Uplinks, 8-Port Gigabit PoE+ Managed Switch, 24-Port Gigabit PoE+ Managed Switch.
• Router: AC1200 Wireless Dual Band Gigabit Router with speed 5GHz: Up to 867Mbps, 2.4GHz: Up to 300Mbps.
• Printer, scanner, copier: Multifunctional Printer (Fuji Xerox DocuPrint CM405 df), with 512MB/1024MB memory.
• Backup drive: Synology DiskStation 5-Bay 3.5" Diskless 2xGbE NAS, Black, DS1019+ with 4 GB DDR3L Non-ECC SO-DIMM x 2 memory.
• Wireless Access Point: AC1200 Wireless Dual Band Gigabit Ceiling Mount Access Point with interface Gigabit Ethernet (RJ-45) Port *1 (Support IEEE802.3at PoE), Console Port *1 and speed 5GHz: Up to 867Mbps, 2.4GHz: Up to 300Mbps.
• Smartphone: Samsung Galaxy Note 9, CPU Speed: 2.7GHz, 1.7GHz, CPU Type: Octa-Core with OS Android 8.1 (Oreo), upgradable to Android 9.0 (Pie); One UI.
• Microsoft Surface Tablet: Surface Pro (model), with processor Intel® Core™ 7th-generation m3, i5 or i7 with 4GB, 8GB or 16GB RAM and software Windows 10 Pro (i5, i7), Windows 10 Home (m3), Office 30-day trial.
• Firewall: Cisco RV220W Network Security Firewall Data Sheet (model).
• Telephone System: Yealink SIP-T41S (model).

3. Threat and Risk Assessment of current asset

Risk management is closely related to asset management and identification. In fact, there is some overlap in that some cybersecurity risks, such as unsecured routers or workstations, can often be found during the asset identification process.

An important component of risk management is running a risk assessment. The risks listed at the end of this section were found in the system after the risk assessment. The following techniques were used to carry out the risk assessment:
• Risk assessment questionnaire (Security Self-Assessment Guide for Information Technology Systems)
• Assessment tools (NMAP, NESSUS, APPSCAN)
• Vulnerability sources (SANS Top 20, OWASP Top 10, NIST I-CAT vulnerability database, Microsoft Security Advisories)
• Documentation review
• Interviews
• Site visit

The risks that were found at Devon Accounting are as follows:

| Asset | Threat | Impact | Weakness | Action (Mitigation) |
| --- | --- | --- | --- | --- |
| Server | Hacking | High | Lack of strong password policy enforcement | Get credentials and enforce password policy |
| Backup drive | Data removal | High | Backup not tested | Run backup tests every x months |
| Data | Information leakage | High | Human errors | Training and consequences of illegal actions in policy |
| Hardware devices | Failure/ theft | High | Easy breakable locks | Implement physical security and CCTV cameras, Alarm systems |
| Malicious code | Viruses | High | Virus definition list not updated | Update to latest Anti-Virus. Update virus definition. Update Firewall. Security policy |
| Remote access | Remote OS authentication is enabled but not monitored. | High | Remote access is not currently monitored. | Remote Access monitoring software / Disable access when not in use |
| Login encryption setting not properly configured | No login encryption | High | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive data | Require encryption of passwords but have not been enforced. Physical security should be in place that would limit the ability to sniff the network to exploit this vulnerability. |

4. Cyber Security Requirements of current asset

The cyber security requirements of the current assets are as follows:

• Password authentication is required to avoid the spreading of passwords.
• Access privileges for systems should be limited and implemented properly.
• Secure Wi-Fi connections by making all connections in the company private; only the administrative department should have access to their security and privacy settings.
• There should be restrictions on software installation for employees.
• Regular antivirus updates are required.
• Social media should be banned during working hours as it would badly affect network speed and efficiency.
• Only authorized email should be allowed on systems.
• There should be a proper and up-to-date backup system for all information and data.
• No remote access should be given to employees.
• All assets (hardware devices/ platforms) need to be on updated versions, and proper scanning with official anti-virus software is required. If old operating systems are running on assets, they should be updated to the latest one as soon as possible. Each system should have the latest Microsoft Office version. The model of each system should also be upgraded.

5. Current Cyber Security Controls

Security controls need to be analysed before they are implemented. Some example analysis steps are:

| Security control | Description |
| --- | --- |
| Analysis of an I&C System Architecture | For the cyber security of system connections between the ICS and external systems, several NIST documents, including NIST SP 800-82 and NIST SP 800-53, describe the measures to be applied. |
| Security Modelling of Target Systems | Security modelling is an approach that clarifies the boundaries, uses, network types, and data communications of target systems for an effective security requirements analysis. |
| Security Level Assignments | Security level assignments are needed to apply a defence-in-depth strategy to the cyber security architecture of I&C systems to effectively protect CDAs from cyber attacks. |
| Analysis of the Elements of Attack Vectors | This analysis identifies CDAs that can be infected by malware from outside the system, or at which malicious activities can occur. It then assesses how the infection or the activities become possible. |
| Assessment of known Vulnerabilities and Penetration Tests | Based on the analysis of attack vectors, a vulnerability analysis and penetration tests are performed to identify the malicious activities that can compromise the target system. |

These are some ways in which security controls can be analysed [2].

6. Identify Cyber Security Gaps

A cybersecurity gap analysis has strong potential for helping companies of any size with their vulnerability management. The cyber security gaps identified are as follows:
• Unknown threats
• Hacking
• Lack of monitoring
• Failure of equipment
• Open to fraud
• Device’s security
• Third party
• Internet of things
• Malicious software
• No encryption
• People risks

7. New Cyber Security controls to address the gaps

Cyber security gaps can be addressed by physical controls, management controls or operational security controls. These controls are described below [3]:

| Controls | Description |
| --- | --- |
| Management controls | It can be done through proper guidance, rules and implementation procedures. |
| Physical controls | It is the security of information and hardware devices that can be controlled by authentications, regular scanning, encryption and restricted access to system. |
| Operational controls | It includes controlling access, authentication and secure network topologies. |

8. Feedback on the Cyber Security controls

| Assets Identified | Threats and Risk | Current Cyber Security controls | Security Gaps | New Cyber Security controls | Feedback from supervisor on new controls |
| --- | --- | --- | --- | --- | --- |
| Server | Hacking | User authentication/ Locked door | Open to fraud | Check credential policies, proper monitoring | |
| Back up drive | Data deletion | Current Backup solution | No encryption | Run backup restore tests on regular basis | |
| Data | Software leaks information which is sensitive | Policy for software development, training, advice on choosing software | Lack of monitoring | Training and consequences of illegal actions in policy/ Anomalous behaviour must be flagged | |
| Hardware devices | Equipment Failure or theft | Only locked doors | Device’s security | Implement physical security and CCTV cameras, Alarm systems | |
| Malicious Code | Viruses or worms may be introduced to the system | Anti-virus | Third party | Update to latest Anti-Virus. Update virus definition. Update Firewall. Security policy | |
| Remote Access | Remote OS authentication is enabled but not monitored. | None | Lack of monitoring | Remote Access monitoring software | |
| Login encryption setting not configured. | No login encryption | None | No encryption | Require encryption of passwords. Physical security should be in place that would limit the ability to sniff the network to exploit this vulnerability. | |

9. Sign off Form for Implementation

Document Sign Off

This document has been approved as the Final Report for the Risk Assessment of Devon
Accounting and accurately reflects the current understanding of the project.

Prepared by:

Student name here


Date
Student (institute name)

Approved by:

Supervisor name
Date
Designation (supervisor post)
Institute name

10. Cyber Security Implementation and Testing

Implementing cybersecurity controls can be a time-consuming and sometimes expensive process. For example, technical safeguards like encrypting data may require application architecture changes; network segmentation could require the acquisition of new networking infrastructure. Other procedural changes may not have a hard cost associated with the implementation, but the changes could require significant resources and time to implement.

Here is the cyber security implementation plan:

| Risk (asset/ threat) | Risk level | Recommended controls | Priority | Selected controls | Required resources | Responsible person | Start-end date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Hacking | Medium | Check credential policies | 2 | Reviewing and checking credential policy | Write policies, verify authentication, time, training of team | Security Manager | 01/03/2015 to 01/05/2015 |
| Removal of data | Medium | Run backup restore tests | 2 | Running backup tests | Time, backup software, test cases | Admin | 01/06/2015 to 01/10/2015 |
| Hardware devices’ theft | High | Implement physical security and CCTV cameras, Alarm systems | 1 | CCTV recording, special alarms | CCTV cameras, alarm devices, time, wires | Security manager | 01/03/2016 to 01/13/2016 |
| Virus | Medium | Update to latest Anti-Virus. Update virus definition. Update Firewall. Security policy | 2 | Antivirus upgrade, firewall update | Write policies, time, software, training of members | Security manager | 01/16/2016 to 01/20/2016 |
| Remote access | Medium | Remote Access monitoring software | 2 | Monitoring software | Time, training, software | Admin | 01/09/2016 to 01/12/2016 |

11. New Assets

Here are a few new assets that can be added at Devon Accounting:

Anti-virus:

| Name | OS | Memory | CPU | Disk space | Software requirements |
| --- | --- | --- | --- | --- | --- |
| Bitdefender Anti-virus | Windows 7 with Service Pack 1, Windows 8, Windows 8.1, and Windows 10 | 2 GB | Intel CORE 2 Duo (2 GHz) or equivalent processor | 2.5 GB | Internet Explorer version 10 or higher |
| Kaspersky security cloud free | Windows 7 to Windows 10 | 6 GB | 2 GHz Core i3-5005U | 34.1 GB files and 500GB drive | No specific requirement |

PCs and laptops:

| PC | Qty. | OS | CPU | Memory | MS Office version | Anti-virus | Other licenced software | Purchase date | Warranty | Exp. | Replacement year |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| HP Pavilion - 15-cc111tx | 5 | DOS | 8th Gen Intel® Core i7-8550U - 1.8GHz | 8 GB | Office 2016 plus | Bitdefender | Skype, webcam, HP audio boost, MS Visio, VLC player, B&O play | July-2020 | 3 years | 3 years | 2023 |

12. New Asset threat and risk assessment

New asset threats are as follows:

• Regular monitoring
• Updating
• Security

Risk assessment of new assets is as follows:

| Asset | Threat | Impact | Weakness | Action (Mitigation) |
| --- | --- | --- | --- | --- |
| Virus | Virus introduced in system | High | Cracked software, booting process from CDs | Always use professional CDs. Don’t install any software that is not professional and premium. Scan systems regularly. |
| Monitoring | Duplication of data | High | Lack of monitoring | Monitor data on a regular basis; policies should be made for monitoring |

13. Identify Cyber Security Gaps on new assets

The new cyber security gaps on new assets would be:

• Lack of monitoring
• Third party
• Human errors
• Theft
• System’s failures

14. Implement and document new cyber security controls to address cyber security gaps

Cyber security controls to address new cyber security gaps are as follows:
• Determine security levels of assets
• Maintain incident response plan
• Apply anti-virus solutions
• Implement premier defense
• Secure devices and systems

These are some of the ways to control the security gaps raised by the new assets.

15. Conclusions
From the above research and report it is concluded that controlling the risks that arise in a system or company can lead towards success. If we do not control the risks, our system will head towards failure. Risks and security gaps can be controlled by following proper techniques and methods. Proper planning before risk assessment is very important. The whole company should be able to follow the controls given to it by senior management.

16. Reference
[1] Benefits Of Cyber Security For Your Business. (n.d.). Retrieved from nouveau: https://www.nouveau.co.uk/content-hub/benefits-of-cyber-security

[2] E-GU SONG, J.-W. L.-Y.-C.-Y.-K. (2013). An Analysis of Technical Security Control Requirements for Digital I&C Systems in Nuclear Power Plants. Korea Atomic Energy Research Institute, 989-111 Daedeok-daero, Yuseong-gu, Daejeon 305-353, Republic of Korea.

[3] LBMC. (2020, January 10). Three Categories of Security Controls. Retrieved from lbmc.com: https://www.lbmc.com/blog/three-categories-of-security-controls/
