
Information Security 2021
Security evaluation assignment
This is an individual assignment and requires students to conduct a security evaluation of their personal
information management situation and report on the results of this evaluation. The main body of the report is
expected to be around 2500 words, but quality is more important than length. The intention of this review is
to give you exposure to some of the issues that organisations might face when conducting similar information
security reviews.
As it is not feasible to give you access to a ‘normal’ organisational setting, we will use your personal
situation as a simulation for the organisation. Despite this being similar to an organisational security review, it
is important that you treat the situation ‘as is’ – that is, you should focus on the risks that are relevant to your
situation, not some pretend organisation. These risks may not be quite the same as those that organisations
experience, but risks do vary significantly between differing organisations, so this will not undermine the
integrity of this exercise.
The security evaluation review for this year will focus on some key issues, including access controls,
operations security (backup and recovery, protection from malware, updates) and contingency planning
(concerning availability, incident management and continuity).
4/26/2021 64483 – Information Security 2021 – Security evaluation assignment – Introduction (page 3/7)
This assignment is intended to cover the full range of your personal situation with respect to information and
its management – this will include any technology, insomuch as it relates to information processing and
storage. This includes:
• home computers, laptops and home networks;
• mobile devices that you may have including smart phones, tablets, smart watches, and fitness devices;
• other storage media that you use to store relevant information;
• personal information you store online (in the cloud – data storage and email).
For this exercise, you can exclude:
• other home-related devices such as smart TVs, Google/Apple/Amazon smart home devices, and electronic
• information about you that is stored by others (for example, the information the University keeps on
students is outside of the scope of this review);
• you should also avoid including any work-related activity or home businesses in this review.
The first step in the review is to identify all of the relevant information assets, any associated technology
resources, and what these resources are used for. It is important for your report to include a description of
these assets and their uses so that the reader has a context within which to situate the investigation and its
findings. The nature of these assets and their use will influence the risk environment, so your overview is
important for the reader to make a judgement about the reliability of the review and its findings.
In conducting such a review it is common practice to have a normative model against which the situation is
assessed. You should use AS 27002:2015 as the primary source for constructing a customised normative
model for this review, but this should be supplemented by other sources as appropriate (and these should be
fully referenced). Note that it is important that the review extends beyond the simple technical aspects of the
situation, so the customised model should account for non-technical aspects as well. [Details on accessing AS
27002 can be found in the week 4 tutorial work.]
As noted above, the review for this year should focus on the issues of access controls, operations security
(backup and recovery, protection from malware, updates) and contingency planning (concerning availability,
incident management and continuity). These issues should become primary headings in your normative
model, and each of them should contain a number of controls that would then form the basis of the normative
model and subsequent evaluation.
The adaption of AS 27002 and other sources for the normative model to evaluate your circumstances should
be guided by risk management principles – that means selecting a set of controls that are likely to be more
important in a personal environment and leaving out controls that are not all that relevant. As a guide for this
assignment, it is expected that you would have around 20 controls in your customised normative model.
These controls should have a link back to the relevant control from your sources (such as AS 27002), so the
reader knows where this element was derived from.
To illustrate this process of adaption, Section 5 of AS 27002 covers issues associated with security policy. For
a personal situation, it would be quite unusual to have formalised written security policies in place in relation
to the issues of concern to this assignment – so the lack of such written policies would not be a reasonable
finding to make in most circumstances. However, it is quite likely you might have some informal policies in
place, such as who you might let use various facilities, what security software you use, and how and when
you backup your data. This suggests that it could be helpful to have a general control in your adapted
evaluation model relating to security policy, but kept at a high level and used to consider whether your
informal policies are adequate for the situation at hand.
After constructing the customised normative model, you should use this to conduct a review of your own
personal information security situation and report on the findings and recommendations. This is usually done
by looking at the real situation and comparing this to the issues in the customised normative model. Where
there is alignment between your situation and various controls in the normative model, this suggests the
security measures are appropriate and these issues become commendations. Where there is misalignment, the
differences require further investigation and can then become the basis for recommendations for change or
In conducting the review, you may find it helpful to undertake some tests to verify some of the findings. As
an example, you could physically check backup stores and verify that they keep the most recent copies of the
data, as per the backup arrangements that you think might be in place, and that this backup data really is
retrievable. You could also use various software tools to verify security elements of the technical
In making the findings and recommendations, you should be guided by the risk environment you are
operating in. For example, you would not make recommendations about implementing a rigorous backup
routine if you had little sensitive information to lose – you should suggest a contingency approach that
matches this risk profile. It is important to recognise that an overly stringent security environment is likely to
be just as problematic as one with insufficient security measures, as in the longer term, many of these
stringent security measures will be ignored or neglected if they are seen as being unnecessary for the risk
profile they are meant to be controlling.
You should reflect on how well this whole process has worked after completing the review. Examples of the
questions you may consider include: Is it likely to uncover the main information security issues and make
reasonable recommendations for change? Is a review of this nature worth the effort? Are there easier ways
that could be used to provide reasonable assurance about information security risks? Has your adaption of the
security model provided an adequate coverage of the issues for a personal situation such as the one you are
in? How easy would it be for others (particularly people without a strong IT or security background) to use
these materials to assure themselves that they are not exposing themselves to unwarranted information
security risks?
In summary, your report should include the following:
• an overview of your personal situation and the key risk areas that may be present (information, technology,
and uses);
• a brief discussion of the customised normative model that you have used for your review. This section is
mainly concerned with how you have constructed this normative model and why you have included the
various controls in the model, noting the various sources you have used;
• a summary of the tasks undertaken to conduct the review. What steps did you follow in conducting the
review? What evidence did you consider in helping you form your views? What tests did you perform in
order to verify the answers to key review questions? Did you use any automated tools for any of this testing?
• the findings of your review and recommendations for improvement. You should provide a summary of the
good and bad issues that arose from the review. What issues from the situation came up looking good in the
review, and where was there room for improvement? What things would you realistically change in order to
improve the information security environment? It is important that this section only presents a summary of
the key issues from the review – the details of the evaluation of individual controls should be put in the
• a reflection on the methodology or review approach, following your experience of applying it to your
personal computing situation. This is an important part of the assignment and should not be neglected. There
are details above on what should be covered in this section and a reasonable length for this section is around
500+ words;
• an appendix with the details of your review. The detailed questions and issues considered (customised
normative model) and the assessment against these issues should be included in an appendix in a table format
(described below). This material is not part of the main word count for the assignment. While this appendix is
not part of the word count, this will be part of the assessment for the assignment and the marker will need
access to this material to ascertain the extent of the review that you have undertaken. Without this table, there
is little evidence that you have actually conducted an appropriate security evaluation and your assignment
will be marked accordingly.
The assignment is worth 30% of the marks for Information Security. The deadline for submissions of this
assignment is Sunday at the end of week 11 (25 April 2021).
The main body of the report is expected to be around 2500 words – please include a word count, but words
from any quotations, your bibliography, and the appendix with the review details, should not be included in
this word count. Note that it is not necessary to include an executive summary as this report is sufficiently
In marking the report, attention will be given to your understanding of information security concepts and how
well you have met the requirements detailed above. Style and technique of your writing will also be
The section providing a reflection on the methodology and review approach is an important part of this
assignment and will attract around one quarter of the marks allocated.
All work quoted from other written sources must be appropriately referenced using the UC version of the
Harvard author-date style (both with in-text references and all sources included in the bibliography). This
style is described in detail (including electronic sources) in referencing guides available at:
For the appendix only: It is quite likely that the material in this appendix will use headings and other material
taken directly from the AS 27002 standard. So long as you make it clear which parts have been taken from
the standard and which parts are your own responses, it is not necessary to put the material from the standard
in quotation marks. For example, a sentence in your appendix (as a lead in, or a footnote) could state that ‘the
controls in the left hand column have been derived directly from the AS27002 standard unless otherwise
noted’, thus avoiding the need for quotation marks and in-text references for these controls.
Submission: All assignments should be submitted in electronic format (via the Canvas online assignment
submission process). A coversheet is not required, but you should include your student id, assessment item
name and the word count.
Sample row for appendix
Note that this is a sample row only – the content of the cells in your review table is likely to be different! As
an example, this row could easily be split into two rows, one that considers the taking of backups and a
second one concerned with the testing of these backups. Note also that the text in the first column has been
taken directly from the AS 27002 standard, with the control number being a sufficient attribution in this case
(there should be a statement on this elsewhere in the appendix as noted above).
It is expected that you will have about 20 rows of this nature in the appendix of your report.
Control:
12.3.1: Back-up copies of information, software and system images should be taken and tested regularly in
accordance with agreed backup policy.
Comments about evaluations undertaken:
There is an informal policy in place for backing up important user
Laissez-faire approach adopted to implementing back-up policy, but most data is synchronised with cloud
storage and backed up reasonably regularly.
Current work of significance is emailed from work email to home email account after major edits.
Minimal testing of back-up arrangements except when outages/losses are experienced.
Tests:
Back-up data stores viewed, with timing and frequency of backups considered.
Recommendations:
Formally integrate back-up schedule into electronic calendar to ensure more regular compliance with policy.
Test back-up repositories from time to time to ensure stored data can be recovered.
A suggested process for this assignment is:
• identify your information assets, associated technology and uses;
• construct your customised normative model, and use this to populate the left-hand column of your appendix
• conduct the security evaluation, using the appendix table as a means of documenting the elements of this
• write the main body of the assignment, including the description of the information assets, the normative
model and its construction, the description of the process you undertook, and key findings and
recommendations – these findings and recommendations should connect directly with elements in the right-hand column of your table;
• write the reflections section of the report.
There will be opportunities for students to informally discuss issues with this assignment and their review
during the classes in the weeks leading up to the submission deadline. Make sure that you are familiar with
what is required of this assignment and take advantage of this opportunity. A discussion forum will be set up
with any substantive questions from students and the associated answers. It is also reasonable to use this
discussion forum to post questions about the assignment, as other students are also likely to be interested in
similar questions.
Chapter 7 and Appendix A from Whitman and Mattord (2011) provide some information on conducting an
information security assessment, although you should note that this is aimed more at organisationally based
situations. The normative model in Chapter 7 of Whitman and Mattord is based on the NIST SP 800-53A
publication, so while this could be a useful guide in developing your normative model, care should be
exercised as the intention with this assignment is to use AS 27002 as the primary source for this model. The
normative model in Appendix A is loosely based on the ISO 27000 series of standards so this could be used
as a guide as to how the ISO 27002 model could be customised for a particular situation. Note that this is
based on an older version of the standard and you will still need to undertake your own adaption of the
current version of AS 27002. Whitman and Mattord make a comment about the need for such an adaption in
the box on p 88.
NIST 2013, Special Publications SP 800 series, viewed 18 February, 2013,
Standards Australia 2015, AS ISO/IEC 27002:2015 Information technology – Security techniques – Code of
practice for information security controls, Standards Australia International, Sydney.
Whitman, ME & Mattord, HJ 2011, Roadmap to Information Security: For IT and InfoSec Managers