7CCSMSEM
Security Management
Tutorial Weeks 1 & 2
Group of Appreciation of the Natterjack Toad (GANT)
The Group of Appreciation of the Natterjack Toad (GANT) is a conservation group that is keen to promote and preserve the well-being of the Natterjack Toad. It is a UK-registered charity and has a significant number of members world-wide who are all keen to promote the work of GANT. Unfortunately, the toad is an endangered species whose habitat is gradually being destroyed by the development of new areas. For example, it became locally extinct in some areas of Wales because of development work and had to be re-introduced.
All information for the group can be accessed using a web-based application or by contacting the group's honorary secretary, Dr Jane Peabody, for the paper-based records. This information includes the group's member records, its activities, meeting places, natterjack toad habitats, confidential aspects of their work, etc. In the past, members have raised concerns about information assurance, as the website was previously compromised because the server had no significant security controls.
The chairman Ms Rachel Jackson has heard about information security and believes it is the right time to take it more seriously, but she doesn’t know that much about it. This is where you come in. Ms Rachel Jackson has hired your group to learn more about protecting their information.
Question 1. What is Information Security?
Let’s get the ball rolling. You are preparing for a meeting with Ms Rachel Jackson to convince her that information security should be taken seriously by GANT. In preparation for the meeting, your group should agree on the following principles and points:
– What is Information Security?
– What is the focus of Information Security?
– What information assets under the control of GANT may require protection?
It is also important to prepare a brief discussion about confidentiality vs availability of information. Although the two goals pull in opposite directions (restricting who can see information vs making sure it is there when it is needed), you will need to convince Ms Rachel Jackson that acceptable trade-offs between them exist. Please use the information assets that you identified as part of the discussion.
Question 2. What threats and vulnerabilities may GANT face in the future?
The meeting with Ms Rachel Jackson has begun. She clearly understands the principles of Information Security, but she does not yet know how to assess threats, vulnerabilities or risk. To help her understand, identify three threats, and the vulnerabilities they exploit, that GANT's information assurance system needs to manage. Please remember that Ms Rachel Jackson is not tech savvy per se. For example, she will not understand how a SQL injection attack works. Try to use simple English to explain the above three points.
Question 3. What is a Threat Agent? Could you, from the threats you mentioned GANT could face, select one and discuss who the Threat Agent might be?
Question 4. Imagine GANT hired you to conduct a vulnerability assessment, so they could use it for their ongoing internal security risk management process. What would be the rationale you would use to choose the most adequate set of assurance techniques?
Question 5. As a recap, what are the main differences between Threat Assessment and Vulnerability Assessment?