Explain the criteria that will be used to evaluate risk


Assignment: Cybersecurity Planning and Compliance - Risk Assessment Report

This assessment is to be done individually. You may make reasonable assumptions regarding the assessment scenario as long as they are documented and justified. An appropriate length for the report is 3000 words (+/-10%), all inclusive.

Scenario

You have recently been hired as a consultant to undertake a security risk assessment for an aged care organisation, with operations at a single location in Adelaide. They offer residential aged care, retirement living and in-home services. There are ~120 aged-care residents, ~30 retirement living residents and ~300 clients receiving in-home services.

Currently, the processes supporting in-home services are all paper-based and the company would like to digitise and automate these processes where possible. Carers have expressed frustration with not being able to access client data when providing services in clients' homes. They have also raised concerns that taking notes manually on site and then transcribing these once returning to the office is error-prone and time-consuming. Management are concerned about the confidentiality of sensitive client data and about the lack of accuracy and completeness of reports written at the end of the day or even the following day. The company would like to implement a remote access solution to improve client care and productivity while ensuring usability by the carers and privacy of client data.

A decision has been made to introduce a solution that effectively addresses security and usability requirements through the provisioning of partially managed, corporate-approved devices. Carers will be able to purchase their preferred device from a corporate-approved shortlist. The shared use of these personal devices is permitted so that the carers don't have to carry two devices on their rounds. A moderate level of risk management controls will be applied, including a separation of organisational and client data from the personal data of the carer.

Your task is to undertake a security risk assessment for the introduction of this initiative and to prepare a report for the board. The board members are generally risk averse and their level of computer literacy is quite low. Details regarding the structure and guidelines for the report are provided below.

Structure of Report

Structure your report in the following numbered sections:

1. Executive Summary

2. Introduction / Context Establishment

3. Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation

4. Risk Treatment / Recommendations

5. Evaluation

6. References

Report Organisation and Presentation

This report is aimed at two major stakeholder audiences, the board/executives and other relevant cybersecurity personnel. As such, you will need to strike a careful balance to ensure that the content of each section is customised appropriately. The executives (technical laypersons) will expect a focus on business interests in order to make appropriate decisions and the technical staff will require sufficient technical detail to guide their implementation of cybersecurity controls.

Marks will be allocated for the general organisation and flow of the report, including use of appropriate headings and sub-headings, effective use of bullet points, tables etc. Grammar, spelling, writing style and correct referencing are also important.

Executive Summary

Highlight the purpose and focus of the report and why it is important for the intended audience. Provide a very brief overview of what is included in the report and then focus on the recommendations.

Introduction / Context Establishment

Introduce your report, and state its purpose and focus, defining the scope and boundaries of the risk assessment process. Provide support / justification for the importance of the review with reference to business objectives. Document any relevant legal compliance constraints. Explain and justify the criteria that will be used to evaluate risk. Provide an outline of the remainder of the report and the steps undertaken in the process.

Risk Assessment

In this section, you will identify relevant risks, analyse their characteristics and evaluate their potential business impact. Limit your discussion to a subset of the potential risks by focussing on the risks most relevant to the business and only consider threats initiated by malicious adversaries.

Risk Treatment / Recommendations

Provide justified recommendations regarding risk treatment. Recommendations should include both corporately enforced and user-reliant risk management controls. The recommended controls should be explicitly linked to the risks identified in the previous section. Formally document and justify any residual risk remaining after the recommended treatments.

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The response also includes a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. Citations and references should follow APA format. The reference page is not included in the required page length.
