Information Security 2023
Security evaluation assignment
Introduction
This is an individual assignment and requires students to conduct a security evaluation of their
personal information management situation and report on the results of this evaluation. The main
body of the report is expected to be around 2500 words, but the quality is more important than
length. This review intends to give you exposure to some of the issues that organisations might face
when conducting similar information security reviews, but clearly with much less formality (both in
terms of how the review is conducted and the expectations around the control environment).
As it is not feasible to give you access to a ‘normal’ organisational setting, we will use your personal
situation as a simulation for the organisation. Despite this being similar to an organisational security
review, it is important that you treat the situation ‘as is’ – that is, you should focus on the risks that
are relevant to your situation, not some real or pretend organisation. These risks may not be quite
the same as those that organisations experience, but risks do vary significantly between different
organisations, so this will not undermine the integrity of this exercise.
The security evaluation review for this year will focus on some key issues, including access controls,
operations security (backup and recovery, protection from malware, updates) and cybersecurity
(concerning resilience and protection from cyber-attacks, malware and hacking). There may be some
overlap between these issues.
There will be opportunities for students to informally discuss issues with this assignment and their
review during the classes in the weeks leading up to the submission deadline. Make sure that you
are familiar with what is required of this assignment and take advantage of this opportunity.
Requirements
This assignment is intended to cover the full range of your personal situation with respect to
the information and its management – this will include any technology, insomuch as it relates
to information processing and storage. This includes:
• home computers, laptops and home networks;
• mobile devices that you may have, including smart phones, tablets, smart watches, and
fitness devices;
• other storage media that you use to store relevant information;
• personal information you store online (in the cloud – data storage and email).
For this exercise, you should exclude:
• other home-related devices such as smart TVs, Google/Apple/Amazon smart home devices,
and electronic locks;
• information about you that is stored by others (for example, the information the University
keeps on students is outside of the scope of this review);
• any work-related activity or home businesses (information security issues with these work
related contexts would normally be covered by the workplace and their security evaluation
processes).
The first step in the review is to identify all of the relevant information assets, any associated
technology resources, and what these resources are used for. It is important for your report to
include a description of these assets and their uses so that the reader has a context within which to
situate the investigation and its findings. The nature of these assets and their use will influence the
risk environment, so your overview is important for the reader to make a judgement about the
reliability of the review and its findings.
In conducting such a review, it is common practice to have a normative model against which the situation
is assessed. You should use ISO 27002:2013 as the primary source for constructing a customised
normative model for this review, but this should be supplemented by other sources as appropriate
(and these other sources should be identified and properly referenced). Note that it is important that
the review extends beyond the simple technical aspects of the situation, so the customised model
should account for non-technical aspects as well. [Details on accessing ISO 27002 can be found in the
week 4 tutorial work.]
As noted above, the review for this year should focus on the issues of access controls, operations
security (backup and recovery, protection from malware, updates) and cybersecurity (concerning
resilience and protection from cyber-attacks, malware and hacking). These issues should become
primary headings in your normative model (it is your responsibility to manage the overlap between
these issues), and each of them should contain a number of controls that would then form the basis
of the normative model and subsequent evaluation.
The adaption of ISO 27002 (and other sources) for the normative model needed for the evaluation
should be guided by risk management principles – that means selecting a set of controls that are likely
to be more important in a personal environment and leaving out controls that are not all that relevant.
As a guide for this assignment, it is expected that you would have around 15 to 20 controls in your
customised normative model. These customised controls should have a link back to the sources (such
as ISO 27002 – using the control number from the standard), so the reader knows where this element
was derived from. In some cases, the customised control in your normative model may be a direct
copy of the control from the standard, and in other cases, it may be an adaption from a range of
sources (such as those covered in the week 4 lecture and tutorial work).
To illustrate this process of adaption, Section 5 of ISO 27002 covers issues associated with security
policy. For a personal situation, it would be quite unusual to have formalised written security policies
in place in relation to the issues of concern to this assignment – so the lack of such written policies
would not be a reasonable finding to make in most circumstances. However, it is quite likely you might
have some informal policies in place, such as who you might allow various facilities to be used by,
what security software you use, and how and when you backup your data. This suggests that it could
be helpful to have a general control in your adapted evaluation model relating to security policy, but
it would be reasonable for this to be kept at a high level (and then used during the evaluation to
consider whether your informal policies are adequate for the situation at hand).
After constructing the customised normative model, you should use this to conduct a review of your
own personal information security situation and report on the findings and recommendations. This
is usually done by looking at the real situation and comparing this to the issues in the customised
normative model. Where there is alignment between your situation and various controls in the
normative model, this suggests the security measures are appropriate and these issues become
commendations. Where there is misalignment, the differences require further investigation and can
then become the basis for recommendations for change or improvement.
In conducting the review, you may find it helpful to undertake some tests to verify some of the
findings. As an example, you could physically check backup stores and verify that they keep the most
recent copies of the data, as per the backup arrangements that you think might be in place, and that
this backup data really is retrievable and easily able to be restored. You could also use various
software tools to verify security elements of the technical environment.
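As an added illustration (not part of the assignment brief) of the kind of backup test described above, the following Python script compares a source folder with its backup copy, lists files that are missing from or out of date in the backup, checks how recent the newest backup file is, and performs a trial restore of one file. The folder names, the 7-day freshness threshold and the sample folders it builds are all constructed for the example.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(source: Path, backup: Path, max_age_days: float = 7.0) -> dict:
    """Compare a backup with its source and return evidence usable in the appendix table.

    Result keys: missing (not in backup), changed (source edited since backup),
    fresh (newest backup file within max_age_days), restore_ok (trial restore matched).
    """
    missing, changed = [], []
    for src_file in source.rglob("*"):
        if not src_file.is_file():
            continue
        rel = src_file.relative_to(source)
        bak_file = backup / rel
        if not bak_file.exists():
            missing.append(str(rel))
        elif sha256_of(src_file) != sha256_of(bak_file):
            changed.append(str(rel))  # stale copy: source edited after the last backup
    backup_files = [p for p in backup.rglob("*") if p.is_file()]
    newest = max((p.stat().st_mtime for p in backup_files), default=0.0)
    fresh = (time.time() - newest) <= max_age_days * 86400
    # Trial restore: copy one backed-up file to a scratch directory and confirm it is intact
    restore_ok = False
    if backup_files:
        with tempfile.TemporaryDirectory() as scratch:
            target = Path(scratch) / backup_files[0].name
            shutil.copy2(backup_files[0], target)
            restore_ok = sha256_of(target) == sha256_of(backup_files[0])
    return {"missing": sorted(missing), "changed": sorted(changed),
            "fresh": fresh, "restore_ok": restore_ok}

def demo() -> dict:
    """Constructed sample: one file edited since the backup, one file never backed up."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "Documents", root / "Backup"
    (src / "essays").mkdir(parents=True)
    bak.mkdir()
    (src / "essays" / "assignment.docx").write_text("draft v2")
    (src / "notes.txt").write_text("new file")
    (bak / "essays").mkdir()
    (bak / "essays" / "assignment.docx").write_text("draft v1")
    try:
        return verify_backup(src, bak)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

A non-empty `missing` or `changed` list, or `fresh` being false, is exactly the kind of observation that belongs in the third column of the appendix table, with the recommendation it prompts in the fourth.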
In making the findings and recommendations, you should be guided by the risk environment you are
operating in. For example, you would not make recommendations about implementing a rigorous
backup routine if you have little sensitive information to lose – you should suggest a contingency
approach that matches this risk profile. It is important to recognise that an overly stringent security
environment is likely to be just as problematic as one with insufficient security measures, as in the
longer term, many of these stringent security measures will be ignored or neglected if they are seen
as unnecessary for the risk profile they are meant to be controlling.
And finally, you should reflect on how well this whole process has worked after completing the review.
These reflections would not normally be part of an organisational security evaluation report but can
be seen as bringing some academic rigour to this exercise and may also be part of a high-quality
professional practice where professionals will reflect on activities they have undertaken. The use of
references will improve the quality of your reflections.
Examples of the questions you may consider in your reflections include: Has this review produced
the intended results? Is it likely to uncover the main information security issues and make reasonable
recommendations for change? Is a review of this nature worth the effort? Are there easier ways that
could be used to provide reasonable assurance about information security risks? Has your adaption
of the security model provided adequate coverage of the issues for a personal situation such as the
one you are in? How easy would it be for others (particularly people without a strong IT or security
background) to use these materials to assure themselves that they are not exposing themselves to
unwarranted information security risks?
Required sections for your report
In summary, your report should include the following (these six dot points could be used as the basis
for major headings/sections in your report):
• An overview of your personal situation and the key risk areas that may be present
(information, technology, and what these artefacts are used for; what are the key risks that
might be evident in these uses of information and technology);
• A brief discussion of the customised normative model that you have used for your review. This
section is mainly concerned with how you have constructed this normative model and why
you have included the various controls in the model, noting the various sources you have used.
This section is more about providing a rationale for why various controls have been included
rather than just providing a simple list of the controls;
• A summary of the tasks undertaken to conduct the review. What steps did you follow in
conducting the review? What evidence did you consider in helping you form your views?
What tests did you perform in order to verify the answers to key review questions? Did you
use any automated tools for any of this testing?
• The findings of your review and recommendations for improvement. You should provide a
summary of the good and bad issues that arose from the review. What issues from the
situation came up looking good in the review, and where was there room for improvement?
What things would you realistically change in order to improve the information security
environment? It is important that this section only presents a summary of the key issues
from the review – the details of the evaluation of individual controls should be put in the
appendix (the appendix table, with the fourth column detailing the evaluation of each
individual control). You should not make recommendations that haven’t appeared anywhere
in the appendix table.
• A reflection on the methodology or review approach, following your experience of applying it
to your personal computing situation. This is an important part of the assignment and should
not be neglected. There are details above on what should be covered in this section and a
reasonable length for this section is around 500+ words;
• An appendix with the details of your review. The detailed issues considered (customised
normative model) and the assessment against these issues should be included in an
Appendix in a table format (described below). This material is not part of the main word count
for the assignment. While this appendix is not part of the word count, this will be part of the
assessment for the assignment, and the marker will need access to this material to ascertain
the extent of the nature and quality of the review that you have undertaken.
Without this table, there is little evidence that you have actually conducted an appropriate
security evaluation, and your assignment will be marked accordingly.
Assessment
The assignment is worth 30% of the marks for Information Security. The deadline for submissions of
this assignment is Friday night at the end of week 11 (21 April 2023, 23:59PM).
The main body of the report is expected to be around 2500 words – please include a word count, but
words from any quotations, your bibliography, and the appendix table, should not be included in this
word count. Note that it is not necessary to include an executive summary as this report is sufficiently
brief, but a brief introduction setting out what the report covers would be helpful.
In marking the report, attention will be given to your understanding of information security concepts
and how well you have met the requirements detailed above. The style and technique of your writing
will also be considered.
The section providing a reflection on the methodology and review approach is an important part of
this assignment and will attract around one-quarter of the marks allocated.
All work quoted from other written sources must be appropriately referenced using the UC version
of the Harvard (2021) author-date style (both with in-text references and all sources included in the
bibliography). This style is described in detail (including electronic sources) in referencing guides
available at: http://canberra.libguides.com/referencing
For the appendix only: It is quite likely that the material in this appendix will use headings and other
material taken directly from the ISO 27002 standard. So long as you make it clear which parts have
been taken from the standard and which parts are your own responses, it is not necessary to put the
material from the standard in quotation marks. For example, a sentence in your appendix (as a lead
in or a footnote) could state that ‘the controls in the left-hand column have been derived directly from
the ISO 27002 standard unless otherwise noted’, this then avoids the need for quotation marks and in
text references for each of these controls.
Submission: All assignments should be submitted in electronic format (via the Canvas online
assignment submission process). A cover sheet is not required (submission to the Canvas drop box is
a formal acknowledgement that this is your own work unless otherwise noted), but you should include
your student id, assessment item name and the word count.
There is a draft submission box, Ouriginal (URKUND) – Student Text-matching Checker. Please feel free
to use this before your final submission.
A suggested process for this assignment is:
• identify your information assets, associated technology and uses; think briefly about any
risks that these uses might entail;
• construct your customised normative model, and use this to populate the left-hand column
of your appendix table;
• conduct the security evaluation, using the appendix table as a means of documenting the
elements of this review – this should result in a fully populated appendix table;
• write the main body of the assignment, including the description of the information assets,
the normative model and its construction, the description of the process you undertook, and
key findings and recommendations – these findings and recommendations should connect
directly with elements in your appendix table;
• write the reflections section of the report.
Sample row for appendix
Note that this is a sample row only – the content of the cells in your review table is likely to be
different! Note that the text in the first column has been taken directly from the ISO 27002 standard,
with the control number being a sufficient attribution in this case (there should be a statement on
this elsewhere in the appendix, as noted above).
It is expected that you will have about 15 to 20 rows of this nature in the appendix of your report.
Control | Current situation; evaluations undertaken | Tests | Recommendations
12.3.1: Backup copies of information, software and system images should be taken and tested regularly in accordance with agreed back up policy. | There is an informal policy in place for backing up important user data. Laissez-faire approach adopted to implementing backup policy, but most data is synchronised with cloud storage and backed up reasonably regularly. Current work of significance is backed up frequently after major edits using email and USB drives. Minimal testing of backup arrangements except when outages/losses are experienced. No testing of system image backups due to the logistical difficulties involved. | Backup data stores viewed, with timing and frequency of backups considered. Backup data verified that it could be easily restored. | Formally integrate backup schedule into electronic calendar to ensure more regular compliance with policy. Test backup repositories from time to time to ensure stored data can be recovered.
In some cases, rows like this could be split into multiple rows if you think this is warranted – in this
case, you may have two rows – one that considers the taking of backups and a second one concerned
with the testing of these backups.
The example above is about backup – the first column is a statement of the control (12.3.1 in this
case); the second column is a description of what backup arrangements actually exist in your current
situation, making sure you address issues mentioned in the control. You don’t need to discuss the
risks here.
The third column is about any tests that you do as part of this evaluation. Not all controls (rows in
your table) will need tests. It is also important to distinguish between the testing that you do as a
regular part of your normal operational activities, and the tests that you do for this evaluation. For
example, if you normally test your backups on a regular basis (perhaps to see that they will actually
work, which is something that organisations should be doing fairly regularly), then this is something
that should be noted in the second column. But if you have specifically tested a backup as part of this
evaluation process, then this is something that would be noted in the third column, along with a
description of the test results.
The fourth column is used to note findings and recommendations with respect to that control. If
everything is good, you should note that. I expect this will be the case for some (perhaps many) of
the controls. Where there are differences between what you are doing yourself and what the control
indicates you should be doing, then these are findings, and also the basis for recommendations – that
is, things you can change to bring your practices more in line with the control. Some judgement may
be needed around these recommendations.
All of this does have a risk element to it. For example, things like the Essential Eight recommend daily
backups. From a personal perspective, this might be much more than is needed, except when you are
working on something quite critical (like this assignment) where more frequent backups would be
very helpful due to the amount of work that might be lost if something went wrong. This could mean
that from a risk perspective, personal backup arrangements that were not daily could still be
acceptable, so long as they were ramped up when more critical work was being done.
You don’t need a lot of discussion about this risk context in the appendix table, although the
recommendations you make in the table should take some account of it. Where there are significant
discrepancies between the recommendations you actually make (based on this risk context and what
would be reasonable) and what the control indicates should be happening, then these could have a
brief discussion in the findings section of the report.
Rubric:
Rubric is available here https://uclearn.canberra.edu.au/courses/13447/assignments/104128
References
ISO (2013) ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for
information security controls, International Standards Organisation, Switzerland.