Based on the case study supplied,write a report that includes;

a) An Information Security Risk Assessment for the organisation (Wolftech). A good answer will identify threats, vulnerabilities, and impacts. It will include priorities and risk treatment options. (35).

b) Discuss whether you think that the organisation will be able to successfully implement an information security policy. Identify any potential obstacles to success. (10)

c) You have been asked by the Chief Executive to consider whether seeking

Certification for ISO 27001 would be a good idea for the company. What is

your response? (10)

d) Discuss what the organisation needs to have in place in order to try to

Maintain operation following a major incident. (15)

You should aim to write no more than 3500 words (excluding appendices).

In your answers you are expected to demonstrate knowledge of appropriate topics discussed in the module, justify your answers and demonstrate further reading (please provide a list of references and / or bibliography). Any work that you submit must be your own interpretation written in your own words (cutting and pasting from the internet will result in an automatic fail).

Opportunity will be provided during / after the Lectures and workshops to ask individual or collective questions about this assessment. These are the times when tutors are available to answer questions relating to this module. You are encouraged to ask questions. Tutors cannot provide answers to the assessment questions asked above, but it is important that you are clear on what you are being asked to do. So please ask questions at an early stage. It is recommended that you begin work on this assessment as soon as you can in order to clarify anything that you are unsure of. Waiting until the final week to say that there is something that you do not understand will mean that you will struggle to produce a good answer.

Case Study

Wolftech is based in the Energy sector and currently employees 85 people who deal with businesses that are located in the UK, Central Europe and China. They have offices in each location, but the management team and main office are located in Wolverhampton. The company is part of a group that includes power plants in developing countries that are considered by some to be harmful to the environment.

Office staff have a range of PCs with different specifications and a number of staff and managers use laptops and mobile devices. Most of the company’s computers are now running Microsoft Windows 7 operating system and Microsoft Office 2010 Professional edition, however some computers are running Windows XP. Many senior staff use a variety of mobile devices (phones, iPads) to access mail, contacts and other work related files. When asked, the MD of the company was not aware of any addition security systems or software being used with mobile devices and believes that staff use both their own and company issued devices. The company servers are located in the basement of the Wolverhampton office. Backups are taken via removable hard disks which are locked in the system administrator’s desk. There does not appear to be any plans to respond to a loss of the servers.

The company uses Microsoft exchange server and operates Outlook for e-mail. Standard applications recently introduced include Microsoft CRM (for Customer Relationship and Contact Management) and Microsoft Share Point for collaborative working and document handling. Outlook Web Access is employed for remote web access to e-mail and public folders. Some staff use their webmail accounts to forward emails to when they are working from home or overseas. Back office systems may use bespoke front end and web-based applications linked to the company Oracle 11g database housed on a database server. The company website is hosted by an external hosting company. There is an integrated sales and purchase system. Accounting is linked with these systems but the main application is Sage 50 Accounts Professional together with the Sage 50 Forecasting package.

The company has a small IT Support team based at the Wolverhampton offices. Outside of the main office, support is provided via a help-line and remote access. A third party company is used for dealing with some of the more difficult problems. The Board do not consider that the company has experienced any cyber-security issues. The company does not currently have an information security policy, any issues would be the responsibility of IT Support.

The MD says that the systems administrator is very able to deal with any security issues; when passwords have been forgotten, he has been able to get into the affected accounts and he will not allow anyone else know the administrator passwords. He also told us that the administrator had been able to reduce the costs of some of the equipment by sourcing less expensive versions from China.

The MD stated that he never had password problems as his PA is able to remind him if he forgets a password. When asked whether the company used encryption he did not seem to understand the question but said that he would talk to the system administrator about this.