
Assignment – Case Study for 7905ICT (30%)
This case study is built around “The Good Guys”, a company that provides both offline services in stores and online shopping services. To improve customers’ online shopping experience, a proprietary app will be developed for its online service. The app includes all online shopping functionality and is linked to an analysis tool in the company’s back end. The analysis tool can analyse the popularity of each product/brand for storage management, market prediction and similar purposes. It can also analyse all customers’ shopping behaviour and their favourite products for marketing and advertising purposes.
There are three tasks to be learnt in this case study. The first task is to analyse the privacy policy of “The Good Guys” and check whether the policy complies with the APPs. The second task aims to improve cyber security awareness for all employees and third-party contractors of “The Good Guys”. The third task is to undertake a risk analysis for the company and propose appropriate security controls. You need to choose two of the three tasks to complete and include in your final report submission.
These three topics will be introduced in workshops 4.1, 4.2 and 5.1 (during weeks 9-11), and an analysis report shall be produced based on your workshop learning. This instruction document highlights the content you need to cover (in red) and also provides a template or a detailed description for each task. After week 11, a complete report shall be submitted through the assignment submission point in Assessment 2.
Report Format:
1. Title (followed by your name, student ID and your course code)
2. Executive Summary (A brief introduction on what will be covered in this report)
3.1 Case description (Introduce what “The Good Guys” is and all relevant services it provides)
Security Operations (Choose 2 tasks from 3 listed topics to include in your report)
Part 1: Privacy Impact Analysis and Compliance Check 
Part 2: Design an Acceptable Use Policy
Part 3: Risk Management and Governance
4. Conclusion and Reflection (Conclude and reflect what you have done/learnt in this report)
5. Reference
Case Study – Part 1: Privacy Impact Analysis and Compliance Check
A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. The steps involved in a proper PIA are:
Step 1. Threshold assessment
Step 2. Plan the PIA
Step 3. Describe the project
Step 4. Identify and consult with stakeholders
Step 5. Map information flows
Step 6. Privacy impact analysis and compliance check
Step 7. Privacy management — addressing risks
Step 8. Recommendations
Step 9. Report
Step 10. Respond and review
Instead of going through all the steps in this workshop, you only need to undertake one of the critical steps, “Privacy impact analysis and compliance check”, to examine the privacy policy status of the given case against what the APPs regulate. The privacy policy you shall analyse is the privacy policy of “The Good Guys”, which can be found at https://www.thegoodguys.com.au/privacy-policy .
You may use the following table as a template for your compliance check. The first row of the table has been filled in as an example of the analysis of APP 1. Note: all 13 APP principles shall be kept in the table.
Include the complete form with your complete privacy impact analysis and compliance check for your Case Study-Part 1 in your assignment report.
Step 6: Privacy Analysis and Compliance Check
This PIA assesses “The Good Guys” services/applications against the objects of the Australian Privacy Principles (APPs). Not all APPs in the following list are necessarily relevant to their services/applications; where one is not, you may put N/A in the corresponding row. There may not always be a risk, or you may not be able to get details from the privacy policy (e.g. how they protect personal information); in that case you may leave a comment in the third column such as “No details about how they protect personal information are given in the policy. Personal information shall be transmitted over a secure communication channel such as a VPN”. A quick overview of what the 13 APPs regulate is given as follows:
open and transparent management of personal information (APP 1);
anonymity and pseudonymity (APP 2);
collection of solicited personal information (APP 3);
dealing with unsolicited personal information (APP 4);
notification of the collection of personal information (APP 5);
use or disclosure of personal information (APP 6);
direct marketing (APP 7);
cross-border disclosure of personal information (APP 8);
adoption, use or disclosure of government related identifiers (APP 9);
quality of personal information (APP 10);
security of personal information (APP 11);
access to personal information (APP 12); and
correction of personal information (APP 13).
The following table summarises the key requirements of each relevant privacy principle. You may use this table to undertake the Privacy Impact Analysis and Compliance Check against the 13 APPs.
Table columns: Privacy Principles | Implemented information handling practices | Identified risks/Comments
Privacy principle: APP 1 – Open and transparent management of personal information. An APP entity must take reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs and any binding registered APP code and is able to deal with related inquiries and complaints. An APP entity must have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information. An APP entity must take reasonable steps to make its APP Privacy Policy available free of charge and in an appropriate form (usually on its website). An APP entity must, upon request, take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the particular form requested.
Implemented information handling practices: The Good Guys’ Privacy Policy is publicly and freely available on their website. The policy claims they have followed the APPs when dealing with the personal information they collect. It describes the processes for dealing with inquiries and complaints from individuals about the entity’s compliance with the APPs.
Identified risks/Comments (this can be a relevant comment or an identified risk): The policy includes an email address and a postal address for lodging a complaint. No telephone number is given for inquiring about the handling status or for quickly reporting a data breach.
APP 2 — Anonymity and pseudonymity. Anonymity means that an individual dealing with an APP entity cannot be identified and the entity does not collect personal information or identifiers. A pseudonym is a name, term or descriptor that is different to an individual’s actual name. Where applicable, an APP entity must ensure that individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity. An APP entity is not required to provide those options where: the entity is required or authorised by law or a court or tribunal order to deal with identified individuals; or it is impracticable for the entity to deal with individuals who have not identified themselves.

APP 3 — Collection of solicited personal information. An APP entity solicits personal information if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information. For personal information (other than sensitive information), an APP entity that is: an agency, may only collect this information where it is reasonably necessary for, or directly related to, the agency’s functions or activities; an organisation, may only collect this information where it is reasonably necessary for the organisation’s functions or activities. Personal information must only be collected by lawful and fair means.

APP 4 — Dealing with unsolicited personal information. An APP entity that receives unsolicited personal information must decide whether or not it could have collected the information under APP 3, and: if the entity could not have collected the personal information and the information is not contained in a Commonwealth record, the entity must destroy or de-identify the information as soon as practicable, if it is lawful and reasonable to do so; or if the entity could have collected the personal information under APP 3, or the information is contained in a Commonwealth record, or the entity is not required to destroy or de-identify the information because it would be unlawful or unreasonable to do so, the entity may keep the information but must deal with it in accordance with APPs 5–13.

APP 5 — Notification of the collection of personal information. An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. The matters include: the APP entity’s identity and contact details; the fact and circumstances of collection; whether the collection is required or authorised by law; the purposes of collection; the consequences if personal information is not collected; the entity’s usual disclosures of personal information of the kind collected by the entity; information about the entity’s APP Privacy Policy; and whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located.

APP 6 — Use or disclosure of personal information. An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. The exceptions include where: the individual has consented to a secondary use or disclosure; the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose; the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; a permitted general situation exists in relation to the secondary use or disclosure; the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure; the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.

APP 7 — Direct marketing. An organisation must not use or disclose personal information for the purpose of direct marketing unless an exception applies, such as where the individual has consented. Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always: allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and comply with that request. An organisation must provide its source for an individual’s personal information, if requested to do so by the individual.

APP 8 — Cross-border disclosure of personal information. Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information, unless an exception applies, such as where the individual has given informed consent. An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (see s 16C of the Privacy Act).

APP 9 — Adoption, use or disclosure of government related identifiers. An identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual. A government related identifier is an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract. Where an identifier, including a government related identifier, is personal information, it must be handled in accordance with the APPs. An organisation must not adopt a government related identifier of an individual as its own identifier of the individual, unless an exception applies. An organisation must not use or disclose a government related identifier of an individual, unless an exception applies.

APP 10 — Quality of personal information. An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. An APP entity must take reasonable steps to ensure that the personal information it uses and discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

APP 11 — Security of personal information. An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where: the personal information is part of a Commonwealth record; or the APP entity is required by law or a court/tribunal order to retain the personal information.

APP 12 — Access to personal information. APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request. APP 12 also sets out other requirements in relation to giving access, including how access is to be given and when access can be refused. There are separate grounds on which agencies and organisations may refuse to give access. APP 12 operates alongside, and does not replace, other informal or legal procedures by which an individual can be provided with access to information, including, for agencies, the Freedom of Information Act 1982 (FOI Act), which provides a right of access to information held by agencies.

APP 13 — Correction of personal information. APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. This requirement applies where: the APP entity is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held; or the individual requests the entity to correct the personal information.

Case Study – Part 2: Design an Acceptable Use Policy (AUP):
What is an AUP?
Many companies have extended their business into cyberspace and found it hard to survive without quickly adapting to the complicated cyber environment. This virtual cyberspace brings profits and convenience, but also various risks. An AUP mitigates those risks by establishing rules for how employees shall use the company’s computer systems and access the network, as well as how they shall protect the company’s intellectual property, clients’ data/information and their own devices.
What sets an AUP apart from other user agreements, like the common end-user license agreement (EULA) that most people quickly skim before hitting “I accept”, is that it applies to a much larger system. While a EULA is for a single piece of software, an AUP applies to entire networks and websites, and to how a person is expected to comport themselves while using your business’s resources. While a EULA focuses on the client (end user), an AUP is for employees.
Why do we need an AUP?
An AUP is not just a set of rules for how your employees can use the company’s technological resources, but also an educational document that teaches proper information security practices to your employees. It is also a semi-legal document that can have repercussions for any employee who breaks the guidelines.
What should be covered in the AUP for your case?
To give businesses flexibility, BYOD (Bring Your Own Device) and WFH (Work From Home) have become accepted working models nowadays. So the AUP you develop should cover not only the IT equipment/facilities and clients’ data property, but also the use of email, the Internet, social media and personal devices, and home network security.
The AUP should apply to all employees of “The Good Guys” and to third-party contractors, which include all sales staff in offline stores, online stores, shopping data/market analysts, online platform developers/administrators, storage managers, contracted delivery service providers, third-party product contractors, etc.
Reference:
AUP template 1-Acme (please find the file in workshop 4.2 of Learning@GU course site)
Based on the given template, write an AUP for “The Good Guys” which shall include the regulations for BYOD and WFH scenarios. Include this AUP for your Case study-Part 2 in your assignment report.
Case Study – Part 3: Risk Management and Governance
Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level. The major categories of risk include:
Physical damage: Fire, water, vandalism, power loss, and natural disasters
Human interaction: Accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction: Failure of systems and peripheral devices
Inside and outside attacks: Hacking, cracking and attacking
Misuse of data: Sharing trade secrets, fraud, espionage, and theft
Loss of data: Intentional or unintentional loss of information to unauthorized receivers
Application error: Computation errors, input errors, and buffer overflows
TASKS:
Identify all important assets in your case.
Choose 5 assets from:
A proprietary web app whose interface provides all the critical functions of other online retailing systems – GoodGuysApp.
Servers storing all product information and staff account information: SR_prod, SR_staff
A server keeping all customers’ credential information, purchase history and credit card information: SR_Cust
Customer database
Product database
Offline store facilities (PoS machines etc.) and products
Market analysis software
Databases/servers maintaining the business and contracted third parties
……
Prioritise the assets, list your 5 most critical assets and apply quantitative risk analysis to these 5 assets. In the rows coloured blue you should suggest the type of security control and the cost involved in applying that security control, and then calculate the ALE after applying that security control. So you need to:
Undertake a quantitative risk analysis: estimate the Asset Value (AV), Exposure Factor (EF), Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO) and Annual Loss Expectancy (ALE) for all of these assets, where SLE = AV × EF and ALE = SLE × ARO.
Before working on the security controls (the blue-coloured rows), prioritise all of these risks and state which risk needs the most urgent attention, i.e. should be the first to receive a security control.
Fill in the blue-coloured rows with your suggested security controls and estimate the annual cost of each suggested security control.
Review your existing/suggested security controls, their costs and the value each control can bring to your company. Check whether your suggested security control should be applied using the equation “Value of control to the company = ALE before implementing control – ALE after implementing control – Annual cost of control”.
Identify which ISO/IEC standard can help to improve the security level for your case. List all ISO/IEC standards you can refer to for your case.
Asset Index | Asset | Threat / Type of control (in blue rows) | Annual Cost of security control (in blue rows) | AV | EF | SLE | ARO | ALE
----------- | ----- | ---------------------------------------- | ---------------------------------------------- | -- | -- | --- | --- | ---
1 | Proprietary software (GoodGuys online shopping app) | Disclosure by malicious hacker | | 30000 | 0.2 | 6000 | 20 | 120000
  | | Anti-Virus Software and updates [blue row: control] | 3000 | 30000 | 0.2 | 6000 | 1 | 6000
  | | Malfunction (system bugs) | | 30000 | | | |
  | | Employee disclosure | | 30000 | | | |
2 | SR_Prod | Natural disaster (earthquake, flood, fire) | | | | | |
  | | DoS attacks | | | | | |
  | | Malware infection | | | | | |
3 | | | | | | | |
4 | | | | | | | |
5 | | | | | | | |

Include the following contents for your Case Study-Part 3 in assignment report:
Full table of above quantitative risk analysis
After risk prioritization, what is the top risk in your list to be fixed most urgently?
Security control justification. For each proposed security control, a cost analysis needs to be done before deciding whether it should be deployed. In your report, use the 1st asset and 1st risk as an example, i.e. the one in the following table: analyse the ALE before applying a security control and after applying the control, together with the cost of this security control, and then decide whether it is worthwhile to spend money on the anti-virus software and its updates. Include the steps involved in your analysis and the decision you made in your report.
Asset Index | Asset | Threat / Type of control (in blue rows) | Annual Cost of security control (in blue rows) | AV | EF | SLE | ARO | ALE
----------- | ----- | ---------------------------------------- | ---------------------------------------------- | -- | -- | --- | --- | ---
1 | Proprietary software | Disclosure by malicious hacker | | 30000 | 0.2 | 6000 | 20 | 120000
  | | Anti-Virus Software and updates [blue row: control] | 3000 | 30000 | 0.2 | 6000 | 1 | 6000
List all relevant ISO/IEC standards you can refer to for your case.
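The calculation the brief asks for on the 1st asset/1st risk can be carried out in a few lines of code. The following is an added worked example written for this page, not part of the course brief or any template from Learning@GU. It applies the brief’s relationships SLE = AV × EF, ALE = SLE × ARO and “Value of control = ALE before – ALE after – Annual cost of control” to the sample row (AV 30000, EF 0.2, ARO 20, anti-virus cost 3000, ARO 1 after the control), and also ranks a small risk register by ALE so the “most urgent risk” step is shown; every row other than the brief’s sample row uses constructed placeholder figures.

```python
# Added worked example (not part of the course brief): quantitative risk
# analysis for the GoodGuysApp row of the case-study table, plus a ranking of
# several constructed asset/threat rows by ALE. All numbers except the brief's
# sample row (AV 30000, EF 0.2, ARO 20, control cost 3000, ARO 1 after control)
# are constructed placeholders for illustration only.
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss expected from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected from this threat per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """The brief's equation: value of control = ALE before - ALE after - annual cost."""
    return ale_before - ale_after - annual_cost


@dataclass
class RiskRow:
    """One asset/threat row of the quantitative risk analysis table."""
    asset: str
    threat: str
    av: float
    ef: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.av, self.ef)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


def prioritise(rows):
    """Rank risks by ALE, highest first; the top entry is the most urgent to control."""
    return sorted(rows, key=lambda r: r.ale, reverse=True)


def evaluate_control(row: RiskRow, aro_after: float, annual_cost: float, ef_after=None):
    """Recompute the ALE with the control in place and decide whether it pays for itself.

    A control may reduce the ARO (fewer incidents), the EF (smaller loss per
    incident), or both; the brief's anti-virus example reduces only the ARO.
    """
    ef_after = row.ef if ef_after is None else ef_after
    ale_after = annual_loss_expectancy(single_loss_expectancy(row.av, ef_after), aro_after)
    value = control_value(row.ale, ale_after, annual_cost)
    return {
        "ale_before": row.ale,
        "ale_after": ale_after,
        "annual_cost": annual_cost,
        "value": value,
        "worthwhile": value > 0,  # a positive value means the control saves more than it costs
    }


# The brief's sample row.
GOODGUYS_APP_DISCLOSURE = RiskRow("GoodGuysApp", "Disclosure by malicious hacker", 30000, 0.2, 20)

# Constructed rows (placeholder values) so the ranking has something to order.
SAMPLE_REGISTER = [
    GOODGUYS_APP_DISCLOSURE,
    RiskRow("SR_Cust", "Malware infection", 500000, 0.5, 0.1),
    RiskRow("SR_Prod", "Natural disaster (earthquake, flood, fire)", 200000, 0.8, 0.05),
    RiskRow("PoS machines", "DoS attacks", 40000, 0.1, 2),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.asset:14} {r.threat:45} SLE={r.sle:>10,.0f} ALE={r.ale:>10,.0f}")
    # Anti-virus software and updates: ARO drops from 20 to 1 at an annual cost of 3000.
    print(evaluate_control(GOODGUYS_APP_DISCLOSURE, aro_after=1, annual_cost=3000))
```

For the brief’s sample row this gives an ALE of 120000 before the control and 6000 after it; subtracting the 3000 annual cost leaves a control value of 111000, so the anti-virus software and its updates are worth deploying. Note that a control with a negative value (one that costs more per year than the ALE reduction it buys) should be rejected or replaced with a cheaper control, which is the decision the blue rows of the table are meant to record.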
