Assignment Overview:
All Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of approximately two hundred dancers.
All Stars Dance operates from a dance studio with a small office located on the second floor of a three-storey building. ASD shares a common lift to the second floor. The dance club operates during the day and in the evenings between 6 pm and 10 pm. Currently, anyone can access the second floor via the lift 24 hours a day; however, the studio locks the entry door when it closes for the day, restricting access to the studio to opening hours only.
The dance club has two networked desktop computers and one printer on site, and is connected to the internet via a modem-router supplied by its ISP. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or websites) and on-site in locked cabinets. The computers currently do not have authentication enabled.
The dance club has just launched a new web portal that provides its members with the ability to apply and pay for:
Dance club membership
Enter dance competitions
Register for testing. Dancers will apply for a test when they have reached a certain level in preparation for the next level, i.e., beginner, intermediate, advanced, and elite.
Make general enquiries
To become a member of the dance club, dancers are required to visit the website and apply for membership or renew their existing membership. Once a dancer enters the system for the first time, i.e., pays for their first membership, they are provided with a username and password for the website to enter competitions and register for dance tests.
The web portal is an open-source Content Management System (Joomla CMS) that is hosted in Australia by a third-party hosting provider. The CMS handles memberships, competition events and member information such as dance levels (beginner to advanced) and personal information (age, gender, address).
Club membership runs from January 1 through to December 31 each year regardless of the application date. The CMS allows members to purchase a membership, read member-only news and register for events or dance tests online; thus, the CMS is responsible for most of the member data processing.
Member payments are processed using a third-party merchant gateway, SecurePay, and deposited directly into the club’s nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates permissions on the user account which authorises access to member resources on the CMS.
The mailing list is stored and processed by Mailchimp; a third-party provider located in the United States. Personal information collected for the mailing list includes full name and email address. No other information is transferred to Mailchimp.
The dance club also receives emails from parents and other members, either via the website contact page or directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office.
Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account, which is accessed on the desktop computers in the office.
Dance club staff have access to administer the CMS remotely using portable devices, or on-site using the computers in the office. Staff change frequently and currently there are no controls in place to restrict system privileges either on the desktop office computers or the CMS. When a staff member is granted access by the system admin, they have full administrative rights to the desktop computers and the CMS.
The owner of the dance club acts as the system administrator for the CMS and desktop computers but has little technical knowledge and lacks an understanding of information security practices. The owner knows only how to create new user accounts with full system access.
There are four primary functions staff need to perform for the club and its members:
Update member information via the CMS when necessary
Answer emails
Update the latest news on the CMS
Add events to the CMS so members can register online
Add testing sessions to the CMS each month
Perform bank reconciliations, i.e., match the income from the CMS to the bank statements. Staff can see all the transactions from the events and membership applications running within the CMS.
Assessment Tasks
All Stars Dance would like an Information Security assessment on the threats facing their information system and a recommendation on how to protect the information assets.
Task 1 – Identify and categorize information assets
You are required to identify both digital and physical assets; a minimum of twenty assets is expected. Assets should be categorised and spread across the system component categories. Prioritise the information assets according to their importance to the business process. The critical importance of each asset should be discussed, for example, why these assets were chosen and how their weightings were assigned.
Task 2 – Identify potential threats, vulnerabilities, and risks to the information assets
Given the number of possible threats, a threat category may suffice, e.g., for the CMS you may simply use the threat category "software attacks" rather than listing every software attack that may occur. One or two threat categories will suffice; however, the threat categories chosen must be realistic.
Task 3 – Identify the security management standards and framework
In this task students are required to discuss the implementation steps for the ISO27001 and NIST (National Institute of Standards and Technology) Cybersecurity frameworks.
Task 4 – Critically discuss the possible countermeasure framework
In this task you are going to critique both ISO27001 and NIST frameworks and explain which framework you would choose with comprehensive justification.
Task 5 – Propose an improved IT (Information Technology) infrastructure
Based on the identified framework, propose an Improved IT infrastructure. You are free to use any drawing tool to illustrate your proposed IT system. I would recommend using draw.io for depicting the infrastructure design. The solution should have the following components:
Network Security Mechanisms
Encryption & Intrusion Detection System
Software Controls
Hardware security
Policies & Physical Controls
Data security policies
Physical & digital storage solutions
Access control
Firewall policies
Email security
Task 6 – Acknowledgement of cost and complexity of implementation and impact on the users
This section should discuss usable security and the additional steps introduced for all the stakeholders. The discussion of the usability of the security measures should cover the following factors:
Psychological Acceptability
Economic Acceptability
Reconfigurability/Scalability/Sustainability/Manageability
Referencing guides
You must reference all the sources of information you have used in your assessments. Please use the IEEE referencing style when referencing your assessments in this unit. Refer to the library’s reference guides for more information.