COIT20263 ass2 part 2-Final (2).docx
Central Queensland University
COIT20263
Information Security Management
Term 3, 2023
Assessment 2 Part Two
Tutor: Md Hossain
Prepared by:
Prabin Sharma (12207143)
Prashant Poudel (12213897)
Buland Shrestha (12204230)
Susan Bista (12216002)
Date: 26 January 2024
a) Based on week 8 workshop material/slides, identify two of the access control models that you think are suitable for SyMeCa Software Solutions Pty Ltd (SSS). Your discussion should explain the access control model and provide details of your proposal for SSS (your discussion should be specific to SSS). Justify your choices. (Work on it during Week 8 workshop).
Answer:
An access control model refers to a framework or system that regulates permissions and restrictions
for accessing resources within a computer system or network. It establishes the guidelines and
procedures for granting or declining access to users or entities based on their identity, roles,
attributes, or other relevant factors.
Access control models play a critical role in safeguarding an organization's data and effectively
managing and limiting access to resources. This applies to SyMeCa Software Solutions Pty Ltd
(SSS), a mid-sized software company operating in a dynamic and collaborative work environment
with three branches located across Australia. There are various types of access control models frequently employed in the field of information
security:
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Rule-Based Access Control (RBAC)
After conducting a thorough evaluation of SSS's requirements and ongoing challenges, we have
selected the following access control models as best suited to address its unique
needs.
Attribute-Based Access Control:
Attribute-Based Access Control (ABAC) is a widely recognized model for access control in which
access control policies are defined based on various attributes related to users, resources, and the
environment (Hu et al. 2015). These attributes can include factors such as user roles, location, time
of access, and contextual information. In the context of SSS, ABAC can be effectively utilized to
formulate access policies that are tailored to specific attributes such as data sensitivity, project roles,
and location.
Proposal for SSS:
With SSS's flexible work arrangements and wide range of clients, implementing ABAC can provide
significant advantages in adjusting access control based on user attributes such as location, device,
and involvement in projects. Various projects may necessitate distinct access requirements
depending on the sensitivity of the data and the work context. For example, employees working
remotely may require different access permissions than those based in the office. ABAC enables the
company to establish policies based on contextual attributes, thus bolstering security in a dynamic
work environment.
Justification:
ABAC is a suitable solution for SSS due to its ability to adapt to changing environments. SSS serves a
wide range of clients, including financial institutions and government agencies. ABAC offers a robust
access control mechanism by considering factors like data sensitivity and client security
requirements. It enables SSS to implement a flexible access control approach by defining policies
based on contextual attributes such as location and time. For instance, access to specific resources
can be limited to certain branches or specific hours. ABAC promotes secure collaboration and data
sharing within SSS. By considering attributes like project roles and data classification, ABAC ensures
that only authorized individuals have access to confidential information.
Role-Based Access Control (RBAC):
Role-Based Access Control (RBAC) is a commonly utilized access control model in which access
permissions are allocated according to an individual's designated role within the organization. Each
employee is assigned specific roles, and each role is accompanied by predetermined permissions.
(Ferraiolo et al. 1999).
Proposal for SSS:
In SSS, where different branches specialize in various areas (e.g., app development, financial
software, government contracts), RBAC can be implemented to streamline access control. For
example, employees in the Sydney branch focused on app development might have roles
specific to their expertise, and access permissions would be granted accordingly. RBAC ensures
that employees have the necessary access rights based on their roles, reducing the risk of
unauthorized access to sensitive information.
Justification:
SSS operates in various divisions, each focusing on different areas such as app development,
financial software, and government contracts. Role-Based Access Control (RBAC) can be
implemented to define specific roles for each division, including their corresponding responsibilities.
This approach ensures that employees can access necessary resources and information according to
their roles. RBAC is well-suited for SSS due to its clear structure and easy management, which is in
line with the company's diverse workforce and flexible work patterns. By implementing RBAC, the
company can minimize the risk of unauthorized access by allowing employees access only to
resources relevant to their roles. Furthermore, RBAC reduces the risk of access errors and the need
for manual adjustments by ensuring that individuals are granted access based on their designated
roles.
By adopting Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC), the
organization can establish a comprehensive and effective access control framework to meet their
specific needs. These models will improve security measures, reduce the likelihood of unauthorized
access, and promote secure collaboration and data sharing among team members within the
company.
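To make the two proposals above concrete, the following is an added example (not part of the assignment and not an SSS system) of how the RBAC and ABAC layers described in the two sections could sit together in one authorization check. The roles mirror the branch specialisations named above (app development, financial software, government contracts); everything else is an assumption: the resource kinds, the sensitivity labels, the second branch name "Canberra", the business-hours window, the user names and the project membership list are all constructed for the demonstration. RBAC answers the coarse question "does any of this person's roles permit this action on this kind of resource?"; the ABAC rules then apply the contextual attributes the text mentions (location, managed device, time of day, branch, project membership) to sensitive data, with a default of deny and a reason string suitable for an audit log.

```python
from dataclasses import dataclass
from datetime import time

# RBAC layer: role -> resource kind -> permitted actions.
# Role names follow the branch specialisations in the proposal; the
# resource kinds and the permission sets are constructed for this example.
ROLE_PERMISSIONS = {
    "app_developer": {"app_source": {"read", "write"}},
    "finance_developer": {"finance_source": {"read", "write"}},
    "gov_contract_developer": {"gov_source": {"read", "write"}},
    "security_auditor": {"app_source": {"read"}, "finance_source": {"read"},
                         "gov_source": {"read"}},
}

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # RBAC input
    branch: str               # ABAC attributes follow
    location: str             # "office" or "remote"
    managed_device: bool

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                 # key into ROLE_PERMISSIONS[role]
    sensitivity: str          # "internal" | "confidential" | "restricted"
    owner_branch: str
    project: str

@dataclass(frozen=True)
class Context:
    now: time
    project_members: frozenset   # users assigned to resource.project

def rbac_allows(subject, resource, action):
    """Coarse RBAC check: does any of the subject's roles grant the action?"""
    return any(
        action in ROLE_PERMISSIONS.get(role, {}).get(resource.kind, set())
        for role in subject.roles
    )

# ABAC layer: each rule returns (allowed, reason); every rule must pass.
def rule_project_membership(s, r, ctx):
    if r.sensitivity == "internal" or s.user in ctx.project_members:
        return True, ""
    return False, f"{s.user} is not a member of project {r.project}"

def rule_restricted_needs_office_and_managed_device(s, r, ctx):
    if r.sensitivity != "restricted" or (s.location == "office" and s.managed_device):
        return True, ""
    return False, "restricted data requires office location on a managed device"

def rule_restricted_business_hours(s, r, ctx):
    # Assumed window 08:00-18:00 for restricted data (constructed policy value).
    if r.sensitivity != "restricted" or time(8, 0) <= ctx.now < time(18, 0):
        return True, ""
    return False, f"restricted data not accessible at {ctx.now:%H:%M}"

def rule_restricted_owner_branch(s, r, ctx):
    if r.sensitivity != "restricted" or s.branch == r.owner_branch:
        return True, ""
    return False, f"restricted data of {r.owner_branch} not accessible from {s.branch}"

ABAC_RULES = [rule_project_membership, rule_restricted_needs_office_and_managed_device,
              rule_restricted_business_hours, rule_restricted_owner_branch]

def authorize(subject, resource, action, ctx):
    """RBAC first, then every ABAC rule; default deny with a reason for logging."""
    if not rbac_allows(subject, resource, action):
        return False, f"no role in {sorted(subject.roles)} grants {action} on {resource.kind}"
    for rule in ABAC_RULES:
        ok, reason = rule(subject, resource, ctx)
        if not ok:
            return False, reason
    return True, "allowed"

# Constructed sample data: "Canberra" is an assumed second branch, not from the page.
GOV_REPO = Resource("gov-portal-src", "gov_source", "restricted", "Canberra", "gov-portal")
APP_REPO = Resource("mobile-app-src", "app_source", "internal", "Sydney", "mobile-app")
ALICE = Subject("alice", frozenset({"gov_contract_developer"}), "Canberra", "office", True)
BOB = Subject("bob", frozenset({"app_developer"}), "Sydney", "remote", False)
CARA = Subject("cara", frozenset({"security_auditor"}), "Sydney", "office", True)
DAYTIME = Context(time(10, 30), frozenset({"alice", "cara"}))
NIGHT = Context(time(22, 0), frozenset({"alice", "cara"}))

def run_demo():
    """Decisions for several scenarios; each value is (allowed, reason)."""
    return {
        "alice_gov_day": authorize(ALICE, GOV_REPO, "write", DAYTIME),
        "alice_gov_night": authorize(ALICE, GOV_REPO, "write", NIGHT),
        "bob_gov": authorize(BOB, GOV_REPO, "read", DAYTIME),
        "bob_app_remote": authorize(BOB, APP_REPO, "write", DAYTIME),
        "cara_gov_from_sydney": authorize(CARA, GOV_REPO, "read", DAYTIME),
    }

if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running the module shows the division of labour the text argues for: Bob's request for the government repository fails at the RBAC layer because no role of his covers that resource kind, while Cara, whose auditor role does permit reading it, is still refused by the ABAC branch rule, and Alice is refused outside business hours even though she is the right person in the right place. Bob's remote write to internal app source is allowed, which is the "different permissions for remote staff" case from the proposal expressed as a rule that only bites on sensitive data.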
b) Based on week 9 workshop material/slides recommend some security practices for SSS. Provide a detailed discussion with justification on how your recommended security practices will improve SSS’s security. (Work on it during Week 9 workshop).
Answer:
In the current era of technology, businesses encounter escalating cybersecurity risks and the
necessity to safeguard their confidential data against unauthorized access, data breaches, and other
security incidents. SyMeCa Software Solutions Pty Ltd (SSS), a software company of moderate size
with various branches throughout Australia, shares this concern. Consequently, considering recent
cyber-attacks and security breaches, SSS acknowledges the significance of reviewing and improving
their practices in information security management.
Here are a few examples of well-known security practices that are commonly adopted by large
corporations. Each practice plays a vital role in improving an organization's security stance and
safeguarding its valuable information assets. It is imperative for organizations to evaluate their
unique needs and requirements and adopt a tailored combination of these practices to establish a
robust and efficient security framework.
Benchmarking:
Benchmarking is a strategic management technique that involves analysing an organization's
methods, results, or ways of doing things with those of similar businesses, known leaders in the
field, or rivals. The goal is to find places to improve, learn about the best ways to do things, and
make everything more efficient and effective. When it comes to information security,
benchmarking helps companies compare their security measures to current standards. This
shows them where they might be weak and helps them put in place strong security practices
(Cioacă, Bratu & Ștefănescu 2017). Some of the benefits and improvements because of
benchmarking are listed below:
a. Find Security Gaps:
Benefit: Benchmarking lets SSS check their security measures carefully by comparing them to normal
practices in the industry and finding any holes or weak spots.
Improvements: By seeing these gaps, SSS learns about areas that need instant attention. This proactive
method makes sure that security holes are fixed quickly, which improves overall security.
b. Learn from Best Practices:
Benefit: Benchmarking lets SSS see the best security practices that companies with more experience
have taken.
Improvements: SSS can improve their security by learning about and using these best practices. By learning
from leaders in the field, SSS can put in place effective means and keep up with new threats.
c. Set performance goals:
Benefit: Comparing security data to industry averages through benchmarking helps SSS set
performance goals that are reasonable and doable.
Improvements: SSS can set clear security improvement goals and deadlines. Keeping track of success against
these goals on a regular basis keeps the focus on improvement.
d. Continuous Improvement:
Benefit: Benchmarking helps SSS's security programme have a habit of always getting better.
Improvements: Regular comparisons with benchmarks set up a feedback process that helps people keep
getting better. Keeping a proactive security stance, SSS can change and adapt its security
methods to deal with new threats.
The International Organisation for Standardisation (ISO):
The International Organisation for Standardisation (ISO) is a worldwide group that creates and
distributes international standards to make sure that goods, services, and systems in many fields are
safe, of high quality, and work well. It is important to follow ISO 27001 and ISO 27002 when it comes
to computer security (Tsohou et al. 2010). ISO 27001 lays out the steps for creating, applying,
maintaining, and continually improving an information security management system (ISMS). ISO 27002, on
the other hand, gives advice on how to set up specific security controls within the ISMS. Companies
often seek ISO certification to show that they care about keeping data safe and following standards
that are known around the world. Some of the benefits and improvements that can be gained from
implementing ISO are listed below:
a. Complete Security Framework:
Benefit: ISO standards, like ISO 27001 and ISO 27002, give information security managers a complete
framework that covers all parts of their job.
Improvement: SSS can make sure that all parts of their security programme are properly handled, such as
risk management, access control, and incident response. This creates a complete and strong
information security management system (ISMS).
b. Risk-Based Approach:
Benefit: ISO standards stress a risk-based approach, which means that security steps are in
line with known risks.
Improvements: Based on how bad risks could be, SSS can decide how to spend its time and
money. By focusing on the most important areas, this makes sure that security is focused
and effective.