COM 510 – Management of Information Security

Security Assessment Assignment Guidelines

Project Description

The objective of this assignment is to apply what you have learned in this course to carry out a simple exercise of doing

an assessment of the cybersecurity measures put in place in a fictitious business organization. Since this is a paper-based

exercise, you can assume the organization to be any business entity such as such as – a college bookstore that accepts

online textbook purchases, a pharmacy store that maintains a database of customer prescriptions, an auto-insurance

agency that maintains customer data, a car rental business, a travel agency that handles flight and hotel reservations for

clients, etc.

You can imagine yourself being hired as an Info Security consultant to perform a security audit of the fictitious

company's IT infrastructure. Assume that some rudimentary security measures are currently in place, but there is much

room for improvement. For your project report describe your assessment of the security measures currently in place

and recommend any needed improvements to ensure better IT security in the organization.

For the project, you can do a security assessment on either a single IT system or the entire IT infrastructure of an

organization, whichever you think is feasible and manageable.

You may use any NIST Special Publications (e.g. SP800-171, SP1800), or any other national framework as a guide to assist

in your report.

Deliverables: A project report describing your security assessment, as a single Word document

Submit your project to the Security Assessment Dropbox. Due date: End of Week 8 (no later than 11:59 PM Sunday, July 3rd).

You can use the following general guidelines for your project report:

Your project report just needs to be a general assessment of the cybersecurity posture of a business entity. It should be

6-8 pages long (not including the cover page), 12 point character size, 1.15 line spacing, and have 1” margins on all sides.

Your report should include a description of the organization, nature of its business, analysis of the results, and

recommendations for improvement in the form of an action plan.

The project report should broadly cover the following areas:

1) Description of the organization – core operational area, corporation mission & vision, role of information

security in the organization.

2) An assessment of the organization’s documented security policies (Assume that you have been provided access

to its EISP and ISSPs documents outlining its various policies. You can look at some sample EISPs and IISPs on the

internet for ideas of what would be appropriate for the organization)

3) The management controls that are currently in place to secure their IT systems

4) The operational controls that are currently in place to secure their IT systems, and

5) The technical controls that are currently in place to secure their IT systems

6) Results of security assessment – strengths of existing security posture and identification of weakness that need

to be addressed. Include a prioritized list of vulnerabilities that need attention.

7) Recommendations for improvement and an action plan detailing steps for implementing them.

Remember, the main purpose of this project is only to give you an idea of how such assessments are carried out in

practice.