CIS3005-N Information Governance Portfolio

TEESSIDE UNIVERSITY AND MANAGEMENT DEVELOPMENT INSTITUTE OF SINGAPORE
Course:                Bachelor of Science (Hons) Cybersecurity and Networks
                       (BNSE3 2005A, BNSE3 1904A, BNSE2 1801A)
Module Code and Title: CIS3005-N Information Governance

Information Governance Portfolio

This assessment constitutes 100% of the overall module mark and is assessed individually. It covers all the module learning outcomes as detailed below:

Personal & Transferable Skills

  1. Critically evaluate a data governance implementation plan created for a specified business need and reflect on any potential changes and improvements (PT2)
  2. Communicate effectively and professionally in order to present arguments clearly (PT3)
  3. Demonstrate a comprehensive and detailed knowledge of the goals and principles of Data Governance and what it means to work ethically and professionally in accordance with these goals and principles. (PT6)

Research, Knowledge & Cognitive Skills

  1. Demonstrate an understanding of the legal frameworks and international standards underpinning information governance. (RKC1)
  2. Design an appropriately researched data governance implementation plan appropriate for a specified business need that includes business continuity and disaster recovery planning. (RKC4)
  3. Be able to advise on, and evaluate, the ethical and social issues arising from security measures used by business. (RKC6)
  4. Demonstrate a complex understanding of the breadth and depth of the physical and environmental security issues for a given scenario and demonstrate a critical awareness of current problems and issues informed by research findings and professional practice. (RKC2)

Professional Skills

  1. Provide professional advice and guidance on legal and regulatory compliance. (PS3)
  2. Plan, analyse and evaluate a risk management framework and recommend appropriate operations security measures. (PS1)

Case Study

Fresh Air is a national independent air conditioning system manufacturer and installer. They have over forty years of experience in manufacturing, sales and installation for trade customers around the world. They manufacture and supply for large-scale projects, such as new University campus buildings.

Fresh Air pride themselves on being an environmentally friendly company, sourcing their power from ethical green suppliers, and incorporating sustainable solutions where possible in their new installations. They send an experienced engineer to work with architects during the planning and design phases of a new build, and ensure regular visits to a developing building before they start their own installation. This ensures they are aware of any changes potentially affecting their product. Materials they use are ethically sourced and recyclable where possible but this does increase the cost of products by around 20% when compared to competitors.

They undertake regular careful market analysis, identifying exciting future trends and making sure they keep abreast of competitor developments. Being the first to provide market leading service and products helps to offset the additional costs relating to ethical and environmental choices. It’s one of the unique selling points for the company and attracts businesses who are keen to have the latest technology installed in their new build. Ultimately, their installations can save companies around 30% in their heating and cooling bills over a long-term period (5 years or more).

Fresh Air employ over 100 staff in a variety of roles, including management, market research, sales, design, manufacturing, testing, installation, IT services and customer aftercare. They would like to undertake a full review of IT services from a security and compliance perspective and introduce a unified desktop solution for all staff, with a supporting helpdesk. The helpdesk will offer walk in, telephone, email and chat support.

Finances

Fresh Air ask trade customers to pay a 20% deposit when an order is placed. Once manufacturing of bespoke parts is due to begin (usually within one month) the customer is billed a further 30%. This covers the cost of administration and early manufacturing. The final invoice is sent electronically to customers within 24 hours of installation and testing, with a request to pay the full balance within one week. This is tracked via a sales-based system which currently has no login requirement and is installed on just two computers in the main office.

Management & Staffing

Fresh Air developed the following jobs with responsibility for a variety of new systems:

  • IT Services Manager – looking after IT services, which include:
    • Purchase and licensing of proprietary software for the workshop floor.
    • Working with a third-party provider on hardware and software provision (the contract for this is outsourced).
    • Managing the company website for customer orders and deposits, technical detail and progress of build, booking system for installation inspection (aftersales & customer service).
    • Implementing an email solution (could be outsourced – the choice is left to the IT Services Manager).
    • Implementing a desktop solution for all staff (managed in-house). This will include a helpdesk system using the ITIL framework to ensure IT related issues are fully documented and tracked using a ticketing system.
    • Implementing a sign in/sign out system which can show when staff are on the premises. This will be linked to a fire evacuation system to ensure in the case of a fire incident all staff are safely out of the building.
    • Implementing an annual leave/sickness system for staff.
    • Implementing a staff training system for IT related services and systems.
    • Responsible for 2 full-time technical staff.
  • Sales Manager – looking after sales and marketing:
    • Responsible for 3 full time sales staff, who will receive 1.5% commission on every system they sell. This commission is paid within 48 hours of the final installation.
    • Responsible for managing a budget around sales marketing information, which will be set at £80,000 per annum.
    • Supplies information to be displayed on the website and social media platforms.
    • Identifies new customers.
    • Tracks payment status for each development.
    • Responsible for chasing late payment.
  • Installation Manager – working with customers and other tradesmen to track progress of developments and adjust to any build changes:
    • Conducts the initial survey of work using a work-supplied iPad device.
    • Responsible for 12 installation-approved staff.
    • Manages an installation calendar to ensure no quiet days or clashes.
    • Tracks development of new projects to plan for the best time to start manufacturing and installation.
    • Keeps and updates technical documentation relating to each build.
    • Works with architects and other tradesmen to design and specify a suitable system for installation.
    • Arranges on-site training for their staff.
    • Responsible for full testing and sign-off for every installation.
  • General Manager – has overall responsibility for the running of the company:
    • Manages everyone else and ensures department managers meet their own targets.
    • Conducts staff performance reviews (department managers).
    • Looks after overall budgeting.
    • Responsible for ensuring full compliance (including for health and safety).
    • Implements general policies and processes (e.g. disciplinary).
    • Works with department managers to set annual targets and adjust business aims.

Physical Structure

Fresh Air is split across three buildings on a main site at the top of a rural hill. The site is exposed to extreme weather events such as lightning and wind but is at very low risk of flooding. It is able to generate its own electricity via the use of wind turbines. However, the turbines will not operate at wind speeds under 6mph or over 50mph. During periods of steady moderate winds Fresh Air is able to generate income by feeding power back into the national grid. It uses 6 backup diesel generators during power cuts/extreme wind to enable it to continue to operate due to the critical nature of its operations. Secure backup servers are located 50 miles away, at a lower level site which is sheltered from wind but at higher risk of flooding.

Upgrades and Maintenance

Fresh Air manufacturing is in operation 12 hours a day, every weekday. Offices are open 8am-5pm Monday to Friday, with occasional Saturday working if there are some critical deadlines approaching.

Day to day operations

In order to maintain a secure environment, IT services will deploy a unified desktop solution which uses cloud computing to store everyday data. Proprietary collaborative software is developed in-house to control workshop machinery for production. Fresh Air will have one IT support team and can offer in-house support for all IT services. All new staff undertake comprehensive training over a four-week probation period, and existing staff must undertake annual refresher training, including information security and compliance.

Assessment Requirements

Your task is to put together the following items (in total around 4000 words):

  1. A risk assessment analysis relating to IT services and data security and your recommendations for risk mitigation to ensure business continuity. [25 marks]
    • Guide: 1200 words
    • To include identified risk name, description, likelihood and severity, overall risk score, specific mitigation with justification linked to business continuity
    • All risks should be clearly related to this scenario
  2. A summary of ethical, social, legal and regulatory compliance issues relating to this case study, to include clear information on all applicable laws and industry best practice (such as ISO27K). The summary should demonstrate an understanding of the differences between ethical and legal considerations. It should include a clear list of controls you plan to implement with justification for each. [35 marks]
    • Guide: 2000 words
    • To include a comprehensive list of all pertinent legislation and ethical and social issues with clear controls identified and justified
    • To include clear links between issues identified, suggested controls and associated legislation/standards
    • To include an indication of consequences to the organisation in the event of non-compliance
  3. An A4 electronic poster showing the steps to be taken for Disaster Recovery. It should indicate responsibilities and have a clear start and end. This process is to be followed by your IT team in the event of an IT related disaster. [20 marks]
    • Guide: 200 words (mostly design but some explanatory text could be present)
    • Should be relevant to the target audience
    • Should be generic enough to be followed in the event of any IT related disaster
    • Use formal process flow notation
  4. A reflection on the portfolio you have produced: its strengths and weaknesses and your own learning based on your degree route. [10 marks]
    • Guide: 600 words
    • The reflection needs to be honest and identify areas for improvement within the portfolio, with justifications
    • You can reflect on every aspect of the portfolio you have produced, including presentation, your recommendations, content, references, time management etc.
    • It should link to your prior learning, and future career choice
  5. The entire portfolio needs to be professionally presented. [10 marks]
    • References should be included in appropriate places
    • It should be free from major spelling/grammatical issues and in a publishable state
    • It should include page numbers, a table of contents, sensible headings, list of references and appendices (if appropriate).
    • The structure should be easy to follow and logical
    • Any assumptions should be listed throughout

Hand in Requirements

Please upload your portfolio as one document to Blackboard by the deadline, in .pdf format.

Marking Criteria

Each part is graded against the criteria below (Part / Criteria / Marks).

Item 1 – Risk Assessment (Marks: 25%)
  70%+:   Excellent work to an extremely high professional standard which covers all conceivable risks. Descriptions are highly detailed and include excellent appropriate information. May exceed expectations at this level.
  60-69%: Very good work to a professional standard which covers a wide range of risks. Descriptions are detailed and include very good appropriate information.
  50-59%: Good work to a reasonable professional standard which covers a range of conceivable risks. Descriptions are reasonable and include appropriate information.
  40-49%: An attempt has been made to identify appropriate risks but there are some missing and/or they are not appropriate. Descriptions are included but are not always appropriate or lack detail.
  <40%:   A poor attempt which does not meet the module learning outcomes. It may have missing information or has missed the point.

Item 2 – Controls (Marks: 35%)
  70%+:   Excellent summary to an extremely high professional standard. Includes excellent detail. It could be implemented in industry. May exceed expectations at this level.
  60-69%: Very good summary to a professional standard. Includes good detail. Could be implemented in industry with some minor adjustments.
  50-59%: Good summary to a reasonable professional standard. Includes reasonable detail. It could be implemented in industry with more work.
  40-49%: An attempt has been made to write a summary. Details have been included but are not clear or have no meaning in this context. The document is somewhat vague and needs quite a lot more work.
  <40%:   A poor attempt which does not meet the module learning outcomes. It may have missing information or has missed the point entirely.

Item 3 – Disaster Recovery Poster (Marks: 20%)
  70%+:   An excellent informative poster which includes an excellent process flow diagram with references. The steps are logical, realistic and accurate.
  60-69%: A very good poster which includes a very good process flow diagram and references. The steps are accurate and logical.
  50-59%: A good poster with a reasonable process flow diagram (may have missing points) and references. There may be some minor errors present but it’s mostly accurate and logical.
  40-49%: A poster has been submitted but it lacks detail and the process flow diagram may be too simple or incorrect, or missing. Referencing is present but could be improved. Steps could be more accurate and logical.
  <40%:   A poor attempt which does not meet the module learning outcomes. It may have missing information or has missed the point entirely.

Item 4 – Reflection (Marks: 10%)
  70%+:   An excellent reflection which identifies strengths and areas for improvement with detailed reasoning. Professional layout and could be published. It clearly links the current module learning to prior learning and experiences and considers future learning and/or career choices in detail. Incorporates references and/or best practice examples.
  60-69%: A very good reflection which identifies a number of strengths and areas for improvement with some reasoning. Layout is good enough to publish with minor amendments. It links learning experiences well and includes references.
  50-59%: A good reflection with a selection of points raised. It could be more reflective and make use of references. There is some linking of learning experiences. There may be some minor errors present. Reasonable layout but needs more work.
  40-49%: A reflection has been written but it lacks detail and does not provide justifications. No linking of learning experiences included. Layout could be improved, and it needs more work.
  <40%:   A poor attempt which does not meet the module learning outcomes. It may have missing information or has missed the point entirely.

Professional Presentation (Marks: 10%)
  70%+:   Presentation is excellent all round and makes use of industry-appropriate language. All items could be implemented in industry.
  60-69%: Presentation is very good and could be implemented in industry with minor amendments.
  50-59%: Presentation is acceptable but may lack some of the requirements listed in the specification.
  40-49%: Presentation could be improved based on the requirements listed in the specification.
  <40%:   A poor attempt which does not meet the module learning outcomes. It may have missing information or has missed the point entirely.