Question $1$

You are a security consultant who is providing advice to the Head of ITS $($Information Technology Services $)$ at ABE$-$S $($a private tertiary education institution$).$ ABE$-$S have started offering online programmes, in addition to their on campus ones, and want to revise their InfoSec programme to ensure it meets their current information security needs and requirements.

As part of your work, you will need to perform an initial assessment of the efficiency of the security controls that ABE$-$S may have already put in place. To prepare for the assessment, you start with creating a checklist of the controls you expect to find. The checklist draws on the classifications provided in Ulven and Wangen$$s article $($cited below$),$ and in particular, on Table $16.$

Ulven, J$.$ B$.,$ & Wangen, G$.(2021).$ A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet, $13(2),39.$

Your task:

Prepare a well$-$researched checklist of the expected security controls. The checklist must meet the requirements below.

Requirements:

$1.$ Identify the most common operational, managerial, and technical controls that you would expect to be in place, for any two of the security incidents: $$Social engineering and targeted attacks$,$Insider attacks$,$DoS$/$DDoS$,$Account hijack$/$compromised user$.$Table $16.$ Vulnerability, threat, asset, and consequence analysis of the top threat events.

$2.$ For each expected control, explain which vulnerability it may help address and how it will mitigate the threat $.$ For the specific vulnerabilities and threats associated with each of the incidents, refer to Table $16($the second and the third column$).$

$3.$ For each selected incident, you are expected to identify the two most expected controls in each group. If you feel it is necessary to add more controls, add a line to the table.

$4.$ It is important to provide a clear explanation of what vulnerability the control is trying to address and how having the control in place may help mitigate the risk posed by the threat.

Question $2$

a$)$ Explain the concept of Information Security Culture. Use two examples to illustrate the concept. Discuss two strategies which can be used to influence the information security culture of an organisation.

b$)$ Provide four examples of how privacy legislation typically protects private information.

c$)$ Security control effectiveness and impact are two categories of information security performance measurements. Give two examples of a measurement from each category.