Question
In this assignment, you will be required to perform an information security analysis that includes a risk assessment and a data classification recommendation for a small dance club. The assignment will rely on concepts covered from week 1 through to last week. The deliverable is a 2000 (maximum 2500) word report summarizing the information assets and the threats to that information.
Background
All-Stars Dance (ASD) is a small dance club operated by six staff and currently has a member base of approximately 200 dancers.
All-Stars Dance operates from a dance studio with a small office located on the second floor of a three-storey building. ASD shares the building's common lift to the second floor. The dance club operates during the day and in the evenings between 6 pm and 10 pm. Currently, anyone can access the second floor via the lift 24 hours a day; however, the studio locks its entry door when it closes for the day, restricting access to the studio to opening hours only.
The dance club has two networked desktop computers on-site, one printer, and is connected to the internet via a modem-router supplied to them by their ISP. New member applications and other information such as policy, procedures, and member information are stored both digitally (on computers or website) and on-site in locked cabinets. The computers currently do not have authentication enabled.
The dance club has just launched a new web portal that provides its members the ability to apply and pay for:
- dance club membership
- entry to dance competitions
- dance tests. Dancers generally apply for a test when they have reached a certain level, in preparation for the next level, i.e., beginner, intermediate, advanced.
To become a member of the dance club, dancers are required to visit the website and apply for membership or renew their existing membership. Once a dancer enters the system for the first time, i.e., pays for their first membership, they are provided with a username and password for the website in order to enter competitions and register for dance tests.
The web portal is an open-source content management system (Joomla CMS). The CMS handles memberships, competition events, and member information such as dance levels (beginner to advanced) and personal information (age, gender, address).
Club membership runs from January 1 through to December 31 each year regardless of the application date. The CMS allows members to purchase a membership, read member-only news and register for events or dance tests online; thus, the CMS is responsible for most of the member data processing.
Member payments are processed using a third-party merchant gateway, Secure Pay, and deposited directly into the club's nominated bank account. Once a member has paid for membership, the system adds the member to a mailing list and updates the permissions on the user account, which authorizes access to member resources on the CMS.
The dance club also receives emails from parents and other members, either via the website contact page or directly via email. The emails are accessed using Microsoft Outlook on the computers located in the office.
Enquiries submitted through the website are stored on the CMS and emailed to the staff admin email account, which is accessed on the desktop computers in the office.
Dance club staff have access to administer the CMS remotely using portable devices, or on-site using the computers in the office. Staff change frequently and currently there are no controls in place to restrict system privileges either on the desktop office computers or the CMS. When a staff member is granted access by the system admin, they have full administrative rights to the desktop computers and the CMS.
The owner of the dance club acts as the system administrator for the CMS and desktop computers but has very little technical knowledge and lacks an understanding of information security practices. The owner knows only how to create new user accounts with full system access.
There are six primary functions staff need to perform for the club and its members:
- Update member information via the CMS when necessary
- Answer emails
- Update the latest news on the CMS
- Add events to the CMS so members can register online
- Add testing sessions to the CMS each month
- Perform bank reconciliations, i.e., match the income from the CMS to the bank statements. Staff can see all the transactions from the events and membership applications running within the CMS.
Assessment Task
All-Stars Dance would like an information security assessment of the threats facing its information system and a recommendation on how to protect its information assets.
Action Steps
- Introduction: introduce your report and what it will cover.
- Identify and categorize information assets. This includes both digital and physical assets. Minimum of 15 assets (max 25). Assets should be categorized and spread across the system component categories.
- Prioritize the information assets using weighted factor analysis. Consider the critical impact factors and their associated weightings. The critical impact factors should be documented and discussed. For example, why these particular factors were chosen and their weightings.
- Identify potential threats and vulnerabilities to the information assets. Given the number of possible threats, a threat category may suffice, e.g., for the CMS you may simply use the threat category software attacks rather than listing every software attack that may occur. One or two threat categories will suffice; however, the threat categories chosen must be realistic.
- Create a risk rating for each asset. You may use the simple method (likelihood x impact)
- Recommend an appropriate classification scheme. You do not need to classify assets; just write a paragraph on what classification schema you would recommend for this business and why. Use references where appropriate.
- Include with your risk assessment table a control strategy, i.e., mitigate, defend, and accept for each vulnerability/asset.
- Recommend security controls where necessary, e.g., access control, physical security. Think of the McCumber cube here; you might want to include Policy, Education, and Technology. When recommending a technology, be specific, e.g., Access Control; for Policy and Education, you may simply state policy or education.
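The weighted factor analysis, the likelihood x impact risk rating and the control strategy column from the action steps above, worked through in code. This is an added example, not part of the assignment brief or a model answer: the critical impact factors, their weightings, the sample assets, their scores, likelihoods and impacts, and the rating thresholds that choose mitigate, defend or accept are all constructed assumptions for illustration, and a report author must choose and justify their own.

```python
"""Weighted factor analysis and likelihood x impact risk rating.

Added example for the All-Stars Dance case study; it is not part of the
assignment brief. Factors, weights, assets, scores, likelihoods, impacts and
the control-strategy thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Critical impact factors and their weightings (assumed). The weights sum to
# 100 so that the highest possible weighted score for an asset is 100.
FACTORS = {
    "revenue": 40,         # loss of membership, event and test income
    "member_privacy": 35,  # exposure of members' personal information
    "operations": 25,      # ability to run the club day to day
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # system component category (people, data, software, ...)
    scores: dict           # factor name -> impact score in the range 0.0..1.0
    threat: str            # realistic threat category for this asset
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)


# Constructed sample assets drawn from the case study narrative (assumed values).
ASSETS = [
    Asset("Joomla CMS web portal", "software",
          {"revenue": 1.0, "member_privacy": 0.8, "operations": 0.9},
          "software attacks", likelihood=4, impact=5),
    Asset("Member personal information in the CMS", "data",
          {"revenue": 0.6, "member_privacy": 1.0, "operations": 0.5},
          "software attacks", likelihood=4, impact=5),
    Asset("Owner acting as system administrator", "people",
          {"revenue": 0.7, "member_privacy": 0.5, "operations": 1.0},
          "human error", likelihood=4, impact=4),
    Asset("ISP modem-router", "networking",
          {"revenue": 0.5, "member_privacy": 0.4, "operations": 0.8},
          "network attacks", likelihood=1, impact=4),
    Asset("Office desktop computers", "hardware",
          {"revenue": 0.3, "member_privacy": 0.7, "operations": 0.6},
          "unauthorised physical access", likelihood=3, impact=3),
    Asset("Paper applications in locked cabinets", "data",
          {"revenue": 0.2, "member_privacy": 0.8, "operations": 0.2},
          "theft", likelihood=2, impact=3),
]


def validate(factors, asset):
    """Reject weightings that do not sum to 100, scores outside 0..1 and
    likelihood or impact values outside 1..5."""
    if sum(factors.values()) != 100:
        raise ValueError("factor weights must sum to 100")
    for name in factors:
        score = asset.scores.get(name)
        if score is None or not 0.0 <= score <= 1.0:
            raise ValueError(f"{asset.name}: bad score for factor {name!r}")
    if not (1 <= asset.likelihood <= 5 and 1 <= asset.impact <= 5):
        raise ValueError(f"{asset.name}: likelihood and impact must be 1..5")


def weighted_score(asset, factors):
    """Weighted factor analysis: sum of (weight x score) over all factors."""
    validate(factors, asset)
    total = sum(weight * asset.scores[name] for name, weight in factors.items())
    return round(total, 2)


def risk_rating(asset):
    """The simple method from the brief: likelihood x impact (range 1..25)."""
    return asset.likelihood * asset.impact


def control_strategy(rating):
    """Map a risk rating to a control strategy; the thresholds are assumptions."""
    if rating >= 12:
        return "mitigate"   # reduce impact: priority controls plus response planning
    if rating >= 6:
        return "defend"     # safeguards that stop the threat being realised
    return "accept"         # document and monitor; controls would cost more than the risk


def risk_register(assets, factors):
    """Build the risk assessment table, highest weighted score (priority) first."""
    rows = []
    for asset in assets:
        rating = risk_rating(asset)
        rows.append({
            "asset": asset.name,
            "category": asset.category,
            "weighted_score": weighted_score(asset, factors),
            "threat": asset.threat,
            "risk_rating": rating,
            "strategy": control_strategy(rating),
        })
    return sorted(rows, key=lambda row: row["weighted_score"], reverse=True)


if __name__ == "__main__":
    for row in risk_register(ASSETS, FACTORS):
        print(f"{row['asset']:<42} {row['category']:<11} "
              f"{row['weighted_score']:>6.1f} {row['risk_rating']:>3}  {row['strategy']}")
```

Running the block prints the prioritised table; with the assumed values the CMS ranks first (weighted score 90.5, rating 20, mitigate) and the paper records last (41.0, rating 6, defend). Changing a weight without rebalancing the others is caught by `validate`, which is the check a marker will look for when the report says the weights "sum to 100".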
Report Requirements
Cover / Title page:
Create your own cover page that includes a title, the assignment title, student names, and student ID numbers.
Table of Contents:
This must accurately reflect the content of your report and must be generated automatically in Microsoft Word with page numbers.
Introduction:
Introduce the report, define its scope, and state any assumptions. Use in-text references where appropriate. The introduction should introduce the case study and discuss what the report will cover.
Main report content
- The report must address the task as defined above.
- The report must contain your definition of the problem.
- You must include a risk assessment (inclusive of weighted factor analysis).
- Threats, vulnerabilities, control strategy, and recommended controls must be identified.
- Data classification schema recommended.
References
A list of end-text references formatted using APA 6th or 7th formatting style.
Mendeley is a good tool for managing references. Your references should ideally comprise books, journal articles, and conference papers.
Format
- This report should be no more than 2500 words (excluding title page, table of contents, references, and diagrams) and labeled as your student id_ lastname_firstname.docx in a single
- Your assignment must be word-processed. The text must be 12pt Times New Roman.