Security assessment report and business continuity plan for organization

CI7130 (Network and Information Security)
Coursework (Security Assessment Report and Business Continuity Plan)
This coursework allows you to extend your knowledge and understanding of a particular topic
presented during the taught component of the module.
SYNOPSIS
For this coursework, you are being asked to write a technical report on a broad security assessment
activity of an organisation of your choice, and a plan for business continuity. Overall, this will comprise
three sections: (a) an executive summary, (b) assessment of the security (and dependability)
requirements for the organisation, and (c) a rudimentary version of a business continuity plan,
containing an outline of a security policy for a specific issue or system identified in the first part.

It is important that your report is realistic and specific, in terms of suitability as an example of a
document that could be used for a real organisation. You need to be aware of the differing audiences for
the separate sections, as further explained below.

The first section is to be a single-page executive summary, which is targeted at the organisation’s
managers and executives (i.e. non-technical people, so you should be careful about the use of jargon or
technical terms). This part of the report should contain the following:
• An outline of the identified key issues
• A statement of the recommendations to be adopted

In the second section, a more detailed analysis is required. This is directed at the technical staff within
the organisation and/or the technical specialists you will use for the implementation.
You may use any suitable framework that was discussed in the lectures for the actual security
assessment, for example OCTAVE or OCTAVE-S might be appropriate methodologies. You may also
combine (part of) frameworks, if you feel this is suitable. Please clearly indicate which framework(s) you
are using, with a justification and some key references to back up your arguments.

The first task is to identify potential members of the team required to assess and deliver the solution (do
not include names, etc., but job roles, e.g. Network Administrator, Company Director, etc.). Following
this, the potential scope to be assessed should be specified (be it functional or geographical, etc.).

The second step, your main assessment of the organisation, will involve highlighting a small number of
key critical assets, and identification of potential threats to these assets, and their vulnerabilities. The
exact order and method for doing this will depend on your chosen framework. At least one information
asset and one network-related asset need to be identified. You should give your reasons for selection.

The third task requires you to suggest technologies and architectures that can be employed to protect
the highlighted assets. Explanations of how they counter security attacks are required and a detailed
analysis including a comparison with other possible solutions will gain extra credit. You are not being
asked for the exact details or configuration of the proposed solutions; it is enough to specify the
technologies.

Then identify the proposed architecture of your recommendations (a network diagram may help
illustrate your solution, but remember that you don’t need to have done a full detailed design). You
should state any assumptions you make about the organisation’s requirements. You should indicate key
tasks that need to be performed and hardware that needs to be purchased (don’t list equipment
exhaustively, rather state in what order equipment should be procured and deployed). You should include
a broad schedule of tasks; again, there is no need to be over-specific.

The third part describes an initial version of a business continuity plan for the organisation, the target
audience of which is the organisation’s managers. You may follow the template structure that was
presented in the lecture, or else adopt your own, but it is essential that you include a basic security
policy that relates to at least one of the issues identified in the second, security assessment part of your
report.

The organisation is essentially of your own choice. It could be either your current company or a
company of which you have experience; alternatively you may use the University as your organisation,
or create a fictitious scenario. In this case, make sure you introduce all necessary information about it
first. If you are using a real organisation, make sure you are not including any confidential information in
your coursework report.

You may consult with the coursework setter for preliminary feedback on the suitability of your solution
during the coursework briefing session and within the specified time of up to one week after the end of
the second teaching week.

REPORT STRUCTURE
• Please use font size 11pt Arial throughout the report. Overall, your report should consist of 12
pages, including references. Only key sources should be referenced, such as conference and
journal papers or white papers, further documenting your chosen security framework(s).
References should take the following form: full list of authors (i.e. not ‘et al.’), title of
paper/book, title of journal (publisher if a book), year of publication, volume number and first
and last page numbers. If you are using a Web reference, the full URL must be included along
with the date of access. The references should be listed at the end of the report, but assimilated
into the text; identified by the reference number in square parentheses (this is the Vancouver
referencing style).
Please use the following more detailed guidelines concerning the structure of your report:
• Executive Summary (1 Page)
• Security Assessment Report (6 Pages)
  • Identification of Critical Assets, Threat and Vulnerability Assessment, Risk (5 Pages)
  • Prioritised List of Issues (1 Page)
• Business Continuity Plan (4 Pages)
  • Introduction
  • Description of Continuity Plan
  • Security Policy
• References (1 Page)

ASSESSMENT CRITERIA – MARKING SCHEME
This coursework component contributes 50% to the overall module grade. The marking scheme of
this assignment is based on several criteria with corresponding weights, given as follows:
• Executive Summary – 15% (Suitable Title and Author Information, Introduces Organisation and Team, Summarises Security Assessment Activities and Main Findings)
• Security Assessment – 30% (Correct Use of Chosen Framework(s), Includes Risk Analysis, Specific and Realistic, Use of Formal Worksheets)
• Business Continuity Plan – 25% (Specific and Realistic, Quality of Security Policy)
• Scope – 20% (Breadth and Depth of the Report, Technical Accuracy, Critical Analysis, Addresses Target Audience Appropriately)

SUBMISSION INFORMATION
The report needs to be submitted as softcopy only, by uploading to StudySpace, using the provided
TurnitIn link. The deadline for submission of the completed coursework is Thursday March 29, 23:59pm.
Once the deadline has passed, a late coursework link will still be available for you in case you had
difficulties with the submission, but you need to e-mail the coursework setter if you have used it and
you may incur a penalty. You will receive written feedback, including your mark, 3 working weeks
after the submission deadline.

You must not present the work of another as your own without proper acknowledgement. It is the
failure to acknowledge the source that constitutes plagiarism. Be aware of the University rules on
plagiarism: