Assignment – Case Study for 7905ICT (30%)
This case study will be around “The Good Guys” company, which provides both offline services in stores and online shopping services. In order to improve customers’ online shopping experience, a proprietary app will be developed for its online service which includes all online shopping functionalities, together with a linked analysis tool in the company’s back end. The analysis tool can analyze the popularity of each product/brand for the purpose of storage management, market prediction etc. The analysis tool can also analyze all customers’ shopping behavior and their favorite products for marketing and advertisement purposes.
These three topics will be introduced in workshops 4.1, 4.2 and 5.1 (during weeks 9-11), and an analysis report shall be generated based on your workshop learning. This instruction document highlights the content you need to cover (in red) and also provides a template or a detailed description for each task. After week 11, a complete report shall be submitted through the assignment submission point in Assessment 2.
1. Title (followed by your name, student ID and your course code)
2. Executive Summary (A brief introduction on what will be covered in this report)
3.1 Case description (Introduce what “The Good Guys” is and all relevant services it provides)
Security Operations (Choose 2 tasks from 3 listed topics to include in your report)
Part 1: Privacy Impact Analysis and Compliance Check
Part 2: Design an Acceptable Use Policy
Part 3: Risk Management and Governance
4. Conclusion and Reflection (Conclude and reflect what you have done/learnt in this report)
Case Study – Part 1: Privacy Impact Analysis and Compliance Check
A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. The steps involved in a proper PIA include:
Plan the PIA
Describe the project
Identify and consult with stakeholders
Map information flows
Privacy impact analysis and compliance check
Privacy management — addressing risks
Step 10. Respond and review.
You may use the following table as a template to undertake your compliance check. The first row of the table is already filled in as an example analysis of APP 1. Note: all 13 APP principles shall be kept in the table.
Include the complete form with your complete privacy impact analysis and compliance check for your Case Study-Part 1 in your assignment report.
Step 6: Privacy Analysis and Compliance Check
open and transparent management of personal information (APP 1);
anonymity and pseudonymity (APP 2);
collection of solicited personal information (APP 3);
dealing with unsolicited personal information (APP 4);
notification of the collection of personal information (APP 5);
use or disclosure of personal information (APP 6);
direct marketing (APP 7);
cross-border disclosure of personal information (APP 8);
adoption, use or disclosure of government related identifiers (APP 9);
quality of personal information (APP 10);
security of personal information (APP 11);
access to personal information (APP 12); and
correction of personal information (APP 13).
The following table summarises the key requirements of each relevant privacy principle. You may use this table to undertake the Privacy Impact Analysis and Compliance Check following 13 APPs.
Implemented information handling practices
(This can be a relevant comment or an identified risk.) The policy includes an email address and a postal address for lodging a complaint. No telephone number is given for inquiring about the handling status of a complaint or for quickly reporting a data breach.
APP 2 — Anonymity and pseudonymity. Anonymity means that an individual dealing with an APP entity cannot be identified and the entity does not collect personal information or identifiers. A pseudonym is a name, term or descriptor that is different to an individual’s actual name. Where applicable, an APP entity must ensure that individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity. An APP entity is not required to provide those options where: the entity is required or authorised by law or a court or tribunal order to deal with identified individuals; or it is impracticable for the entity to deal with individuals who have not identified themselves.
APP 3 — Collection of solicited personal information. An APP entity solicits personal information if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information. For personal information (other than sensitive information), an APP entity that is an agency may only collect this information where it is reasonably necessary for, or directly related to, the agency’s functions or activities; an APP entity that is an organisation may only collect this information where it is reasonably necessary for the organisation’s functions or activities. Personal information must only be collected by lawful and fair means.
APP 4 — Dealing with unsolicited personal information. An APP entity that receives unsolicited personal information must decide whether or not it could have collected the information under APP 3, and: if the entity could not have collected the personal information and the information is not contained in a Commonwealth record, the entity must destroy or de-identify the information as soon as practicable, if it is lawful and reasonable to do so; or if the entity could have collected the personal information under APP 3, or the information is contained in a Commonwealth record, or the entity is not required to destroy or de-identify the information because it would be unlawful or unreasonable to do so, the entity may keep the information but must deal with it in accordance with APPs 5–13.
APP 6 — Use or disclosure of personal information. An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. The exceptions include where: the individual has consented to a secondary use or disclosure; the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose; the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; a permitted general situation exists in relation to the secondary use or disclosure; the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure; the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.
APP 7 — Direct marketing. An organisation must not use or disclose personal information for the purpose of direct marketing unless an exception applies, such as where the individual has consented. Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and comply with that request. An organisation must provide its source for an individual’s personal information, if requested to do so by the individual.
APP 8 — Cross-border disclosure of personal information. Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information, unless an exception applies, such as the individual having given informed consent. An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (see s 16C of the Privacy Act).
APP 9 — Adoption, use or disclosure of government related identifiers. An identifier is a number, letter or symbol, or a combination of any or all those things, that is used to identify the individual or to verify the identity of the individual. A government related identifier is an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract. Where an identifier, including a government related identifier, is personal information, it must be handled in accordance with the APPs. An organisation must not adopt a government related identifier of an individual as its own identifier of the individual, unless an exception applies. An organisation must not use or disclose a government related identifier of an individual, unless an exception applies.
APP 10 — Quality of personal information. An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. An APP entity must take reasonable steps to ensure that the personal information it uses and discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
APP 11 — Security of personal information. An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where: the personal information is part of a Commonwealth record; or the APP entity is required by law or a court/tribunal order to retain the personal information.
APP 12 — Access to personal information. APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request. APP 12 also sets out other requirements in relation to giving access, including how access is to be given and when access can be refused. There are separate grounds on which agencies and organisations may refuse to give access. APP 12 operates alongside and does not replace other informal or legal procedures by which an individual can be provided with access to information, including, for agencies, the Freedom of Information Act 1982 (FOI Act), which provides a right of access to information held by agencies.
APP 13 — Correction of personal information. APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. This requirement applies where: the APP entity is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held; or the individual requests the entity to correct the personal information.
Case Study – Part 2: Design an Acceptable Use Policy (AUP)
What is an AUP?
Many companies have extended their business into cyberspace and found it hard to survive without quickly adapting to the complicated cyber environment. This virtual cyber space brings profits and convenience, but also various risks. An AUP mitigates those risks by establishing rules for how employees shall use the company’s computer systems and access the network, as well as how they shall protect the company’s intellectual property, clients’ data/information and their own devices etc.
What sets an AUP apart from other user agreements – like the common end-user license agreement (EULA) that most people quickly skim before hitting “I accept” – is that it applies to a much larger system. While a EULA is for a single piece of software, an AUP applies to entire networks, websites, and how a person is expected to comport themselves while using your business’s resources. While a EULA focuses on the client (end user), an AUP is for employees.
Why do we need an AUP?
An AUP is not just a set of rules for how your employees can use the company’s technological resources, but also an educational document that teaches proper information security practices to your employees. It is also a semi-legal document that can have repercussions for any employee breaking the guidelines.
What should be covered in the AUP for your case?
In order to give businesses flexibility, BYOD (Bring Your Own Device) and WFH (Work From Home) have become acceptable working models nowadays. So the AUP you develop should cover not only IT equipment/facilities and clients’ data property, but also the use of email, the Internet, social media, personal devices and home network security.
The AUP should apply to all employees in “The Good Guys” and to third-party contractors, including all sales staff in offline stores, online stores, shopping data/market analysts, online platform developers/administrators, storage managers, contracted delivery service providers, third-party product contractors etc.
AUP template 1-Acme (please find the file in workshop 4.2 of Learning@GU course site)
Based on the given template, write an AUP for “The Good Guys” which shall include the regulations for BYOD and WFH scenarios. Include this AUP for your Case study-Part 2 in your assignment report.
Case Study – Part 3: Risk Management and Governance
Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level. Major categories of risks include:
Physical damage: Fire, water, vandalism, power loss, and natural disasters
Human interaction: Accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction: Failure of systems and peripheral devices
Inside and outside attacks: Hacking, cracking and attacking
Misuse of data: Sharing trade secrets, fraud, espionage, and theft
Loss of data: Intentional or unintentional loss of information to unauthorized receivers
Application error: Computation errors, input errors, and buffer overflows
Identify all important assets in your case.
Choose 5 assets from:
A proprietary web app with an interface providing all the critical functions of other online retailing systems – GoodGuysApp.
Servers storing all product information and staff account information: SR_prod, SR_staff
A server keeping all customers’ credential information, purchase history and credit card information: SR_Cust
Offline store facilities (PoS machines etc.) and products
Market analysis software
database/servers maintaining the business and contracted 3rd party
Prioritize the assets, list your 5 most critical assets and apply quantitative risk analysis to these 5 assets. The rows in blue are where you should suggest the type of security control and the cost involved in applying that security control, and then calculate the ALE after applying that security control. So you need to:
Undertake a quantitative risk analysis, estimate Asset Value (AV), Exposure Factor (EF), Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO) and Annual Loss Expectancy (ALE) for all these assets.
Before working on the security controls (in the blue-colored rows), prioritize all these risks and state which risk needs the most urgent attention, i.e. where a security control should be applied first.
Fill in blue-colored rows with your suggested security controls and estimate annual cost of each suggested security control.
Review your existing/suggested security controls, their costs and values that control can bring to your company. Check if your suggested security control should be applied or not using the equation “Value of control to the company = ALE before implementing control – ALE after implementing control – Annual cost of control”.
Identify which ISO/IEC standard can help to improve the security level for your case. List all ISO/IEC standards you can refer to for your case.
Template table for the first asset (the blue rows are where you enter the suggested control and its annual cost):
Asset | Threat / Type of control (in blue rows) | Annual Cost of security control (in blue rows)
Proprietary software (GoodGuys online shopping app) | Disclosure by malicious hacker |
(blue row) | Anti-Virus Software and updates |
| Malfunction (system bugs) |
| Natural disaster (earthquake, flood, fire) |
Include the following contents for your Case Study-Part 3 in assignment report:
Full table of above quantitative risk analysis
After risk prioritization, what is the top risk in your list to be fixed most urgently?
Security control justification. For each proposed security control, a cost analysis needs to be done before deciding whether it should be deployed. In your report, use the 1st asset and 1st risk as an example, i.e. the one in the following table: analyse the ALE before applying a security control and after applying the control, and the cost of that security control, and then decide whether it is worthwhile to spend money on the anti-virus software and its updates. Include the steps involved in your analysis and the decision you made in your report.
Asset Index | Asset | Threat / Type of control (in blue rows) | Annual Cost of security control (in blue rows) | AV | EF | SLE | ARO | ALE
1 | Proprietary software (GoodGuys online shopping app) | Disclosure by malicious hacker | | 30000 | 0.2 | 6000 | 20 | 120000
(blue row) | | Anti-Virus Software and updates | 3000 | 30000 | 0.2 | 6000 | 1 | 6000
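The ALE arithmetic and the value-of-control equation from the steps above, carried through the example table, as an added Python example that is not part of the assignment brief. The first asset's row uses the table's numbers (AV 30000, EF 0.2, ARO 20; anti-virus control costing 3000 and reducing ARO to 1); the two extra rows use constructed values, assumed only to show prioritisation by ALE.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the quantitative risk analysis table (one asset/threat pair)."""
    asset: str
    threat: str
    av: float   # Asset Value (AV), in dollars
    ef: float   # Exposure Factor (EF): fraction of AV lost per incident, 0..1
    aro: float  # Annual Rate of Occurrence (ARO): expected incidents per year

    def __post_init__(self) -> None:
        # Reject estimates that cannot be right before they distort the ranking.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.ef}")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return round(self.av * self.ef, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return round(self.sle() * self.aro, 2)


@dataclass
class Control:
    """A suggested security control (a 'blue row') and the residual EF/ARO it leaves."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def control_value(risk: Risk, control: Control) -> float:
    """Value of control = ALE before control - ALE after control - annual cost (positive: deploy)."""
    residual = Risk(risk.asset, risk.threat, risk.av, control.ef_after, control.aro_after)
    return round(risk.ale() - residual.ale() - control.annual_cost, 2)


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Rank risks by ALE, highest first: the top entry needs the most urgent control."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Row 1 of the assignment's example table: GoodGuysApp, "Disclosure by malicious hacker".
HACK_RISK = Risk("GoodGuysApp", "Disclosure by malicious hacker", av=30000, ef=0.2, aro=20)
AV_CONTROL = Control("Anti-Virus Software and updates", annual_cost=3000, ef_after=0.2, aro_after=1)
# Two more rows with constructed values (not from the assignment), only to show prioritisation.
SAMPLE_RISKS = [
    Risk("GoodGuysApp", "Natural disaster (earthquake, flood, fire)", av=30000, ef=1.0, aro=0.1),
    Risk("SR_Cust", "Disclosure by malicious hacker", av=200000, ef=0.5, aro=0.5),
    HACK_RISK,
]
```

Calling `control_value(HACK_RISK, AV_CONTROL)` gives 120000 − 6000 − 3000 = 111000, so the anti-virus control is worth deploying, and `prioritise(SAMPLE_RISKS)` puts the 120000 ALE row first.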
List all relevant ISO/IEC standards you can refer to for your case.