ICTNWK511 Manage Network Security

ICT50118Diploma of Information Technology
ICTNWK511 Manage System Security
ICTNWK513 Manage System Security

1. Assessment Plan

Assessments for this unit have been developed by taking into account assessment guidelines as provided in the training package and evidence requirements stipulated in this unit of competency. Assessment is an ongoing process of gathering evidence to determine what each student/learner knows, understands and can do in order to inform teaching and support learning of the intended curriculum.

The purposes of this assessment are;

• To collect evidences that demonstrate competency in the performance criteria of the unit and satisfy skill, knowledge and employability skills requirements
• To provide feedback to the learners/trainees indicating the areas of improvement and professional development
• To measure the effectiveness of the delivery plan and evaluate the learning outcomes The required assessment criteria are provided in each assessment task for learner’s information.

Assessment Method

Assessment in this unit is based on assessment and evidence guidelines provided in the unit of competency and the training package. The evidence is generated through summative assessment tasks. However, the role of Formative Tasks is crucial in developing the required skills and knowledge in completing the summative tasks. Formative tasks enable the trainers to evaluate their own delivery and adjust their facilitation based on the outcomes from these tasks. The role of formative assessments is to improve learning and adapt to student needs. 

These tasks and activities usually take place throughout the unit and planned in accordance with the summative assessment plan/schedule. The formative tasks are generally referred to as “Portfolio” tasks. Portfolio is a collection of all the formative tasks completed during the learning sessions. The portfolio can be used by students as an evidence of participation or example of work completed as part of their learning. 

Formative tasks are not assessed. 

For summative tasks, the following assessment methods are available to collect the aforementioned evidence to demonstrate satisfactory performance in this unit;

• Written Assessment Tasks
• Practical/Analytical Tasks
• Test/Examinations
• Projects
• Observation
• Integrated Assessment

The WrittenAssessment Tasks and Tests have been developed to address various parts of Performance Criteria as well as Required Knowledge.

The Practical Tasks are developed to demonstrate competence in Required Skills. These assessment tasks and activities are mostly designed as in-class assessments, enabling the trainers to observe the work being undertaken and completed (i.e. demonstration of a specific/required skill). Practical tasks may also include use of online learning tools, equipment, activities, or use of software. Instructions for practical tasks are generally provided within the task description. However, trainers/assessor may set certain conditions for conducting and observing these tasks. 

The Project (Individual or Group based) addresses various aspects of competency standard including Performance Criteria, Required Skills and Employability Skills. The role of the project in assessment strategy is to measure student/trainee competence as a form of Summative Assessment. It demonstrates the efficacy of instructions and learning in the prescribed delivery period by assessing the overall performance of the students/trainees for the purpose of grading/final results.

The Test/Exam is generally designed to test the Required Knowledge component of the unit of competency. It may also be used to reinforce learning and test specific aspects of other part of competency where knowledge of certain processes/procedures is required. A knowledge test may be verbal or written as specified in the task description. Examinations are conducted under set conditions.

Observation forms part of in-class activities, participation in designated group processes, presentation and provides an option where specific skills need to be demonstrated to the assessor.

Some of the assessments in this course may be used as Integrated Assessments; i.e. to use evidence created in one unit/task to determine competency in another unit/task. The concept behind the design of the integrated assessment is to limit repetitive tasks that test the same or similar competency elements in different units of competency.

Assessment can be both a formative and summative process. Formative assessment is used to provide feedback to students and teachers to promote further learning. Summative assessment contributes to the judgement of student learning for competency/award purposes. 

Assessment Tasks and Schedule

These assessment tasks/activities have been described in detail in the following section. Note: Assessments tasks in this unit are sequential and progressive. Ensure that the tasks are completed in the above order, and documentation/information maintained in each task.

Assessment Tasks

Assessment Task 1:

Description:

A threat refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage to the network (techopedia, 2014).

This assessment task is a role-play exercise to simulate a real-life environment. For the purpose of this task, your trainer/assessor will play the role of the manager or supervisor.

Consider the following scenario; Business Profile:

ABX is a Legal and Accounting firm with approximately 200 local and international clients ranging from large businesses with complex financial and legal needs to individuals with a modest financial holding. In line with business and statutory requirements there is a formal set of organisational procedures for keeping data secure, confidential and safe.

At company’s head office, there’s a cafeteria and conference room on the ground floor, Legal on the second floor and Accounting on the first floor. There is an open plan work environment, with at least two closed offices on each floor for senior management. There is a workstation in the reception area and in each closed office, and four workstations in the conference room. Individual workstations are scattered around the open plan office to meet business needs. Since the last system upgrade, the company has set up remote access for some of the employees to allow them to work from home and access the files relevant to their job functions.

Task:

You have been given the task to;

Identify and categorise potential network threats during each of the following likely attack stages (typical network attack pattern);

1. Footprint
2. Penetration
3. Elevation of privilege
4. Exploit
5. Cover-up

Using the STRIDE model, identify and categorise threats using the above network as an example to;

1. Define the scope of the threats (e.g. the hardware/software that will be evaluated)
2. Analyse system vulnerabilities and predict the threats
3. Identify and define likely types and sources of threats
4. Categorise the threat under each of the six STRIDE categories

Alternatively, a similar network diagram (resembling the given business profile) can be used for this task.

Consult with your trainer/assessor (manager role-play) to confirm the network to be used. 

Write your evaluation/analysis in a well-structured word document with appropriate headings and subheadings. 

This task is expected to be completed within one session and must be done during a designated assessment session in the class. Your communication, analytical, and technical skills will be observed and assessed.

Assessment Criteria

The following assessment criteria will be used for marking this assessment task. Ensure that you have addressed all of the criteria in your work;

• The document is appropriately structured and presented as a formal document
• Appropriate headings and sub-headings are used to structure the contents
• The content flow covers all the required elements of the analysis and contains a logical sequence of the topics
• Appropriate consultation is maintained within the team and with the manager/supervisor (role-play) throughout
• Maintained effective communication within the team and resumed responsibility for own tasks
• Demonstrated analytical skills in analysing network topology and predicting potential threat
• Modelling of potential threat demonstrates the required technical knowledge and skills relevant to the task
• Developed the threat model based on likely/typical attack stages (Footprint, penetration, elevation of privilege, exploit, cover-up
• Used the STRIDE model to categorise threats
• Document demonstrates a structured approach to identifying and categorising threats

Submission Guidelines

▪ Word processed threat modelling document 

Note: Keep a copy of all your work/documents as you may need them in the subsequent tasks.

Students should upload the assessment tasks on the MEGA Student Portal in the respective unit.

Assessment Task 2:

Description:

A network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment (NIST, 2014).

In this assessment task, you will be required to “write” a Network Security Policy resembling a real-life policy based on the fundamental CIA Triad approach of;

1. Confidentiality and privacy of company’s information and data
2. Integrity and protection of company’s information
3. Availability/access of company’s information

You will use the organisation profile used in Assessment Task1, Part A for the required context and relevance (or any other organisational context if a different network/organisation was chosen in the previous task). There is no fixed format for the policy document. However, it is expected that you will include the typical policy components of;

• Purpose
• Scope
• Definitions
• Audience
• Relevant laws/standards
• Policy
• Responsibility

You may use these as possible heading for your policy document. The policy should be neatly drafted and presented as a formal document. 

Assessment Criteria

The following assessment criteria will be used for marking this assessment task. Ensure that you have addressed all of the criteria in your work;

• The policy documents are developed within the given purpose and context
• The policy document is appropriately structured and presented as a formal document
• Appropriate headings and sub-headings are used to structure the contents
• The content flow covers all the required sections and contains a logical sequence of the information
• Target audience and policy scope are identified and described
• Reference to the relevant laws/regulations (information, privacy, disclosure, access etc.) and standards are made within the policy documents
• The policy contents follow the CIA Triad approach to address all the required areas (i.e. Confidentiality, Integrity, and Access)
• The policy contents demonstrate understanding of organisational and security requirements
• Overall, the contents, language, and presentation resemble a real-life approach to writing a formal policy document

Submission Guidelines

▪ Word processed policy document 

Note: Keep a copy of all your work/documents as you may need them in the subsequent tasks.

Students should upload the assessment tasks on the MEGA Student Portal in the respective unit.

Assessment Task 3:

Description:

A risk analysis is a document process showing an organisation's vulnerabilities and the estimated cost of recovery in the event of damage. A "risk" is the expectation that a threat may succeed and the potential damage that can occur. The risk management plan summarises defensive measures and associated costs based on the amount of risk the organization is willing to accept (PC Mag, Encyclopaedia, 2014).

For the purpose of this task, you will need to use a sample, lab-based, network to assess the security risk from both internal (someone having internal access of the network) and external (visible to public through the internet) perspectives. 

You will use the same business profile and security context used in Assessment Tasks 1, Part A&B. Your plan will be developed around the following main content areas;

1. Purpose and context (organisational, risk assessment)
2. System assets (e.g. data, business and personal information, hardware, records, IP etc.) and perceived values (tangible and intangible)
3. Potential threats and vulnerabilities
4. Security Risk Assessment (Likelihood Vs. Consequences)
5. Risk Mitigation Strategies
6. Monitoring and review

The system security risk assessment should be based on perceived external and internal threats. As the Risk Assessment is the key component of the plan, based your security risk assessment on the following vulnerabilities, assuming that the following incidents have previously occurred at different occasions;

• System compromise
• Unauthorised data access
• Unauthorised information disclosure
• Loss of data
• Denial of service (DoS)

Prepare a structured Risk Management Plan covering the above areas. The plan should be word-processed and written as a formal document. You may use the in-lab network set up to test firewall and router filtering configurations, authentication mechanisms, e-mail and DNS server configurations, network-layer Web server exploits, database server configurations, SNMP, and FTP settings to develop the required security context for this task.

Your trainer/assessor will play the role of your manager/supervisor for this task. Ensure that you maintain an effective consultation throughout and seek clarifications when needed. 

Assessment Criteria

The following assessment criteria will be used for marking this assessment task. Ensure that you have addressed all of the criteria in your work;

• The risk management is appropriately structured and presented as a formal document
• Appropriate headings and sub-headings are used to structure the contents
• The content flow covers all the required elements of the analysis and contains a logical sequence of the topics
• Appropriate consultation is maintained within the team and with the manager/supervisor (role-play) throughout
• Organisational and risk management contexts are established based on the given business profile, requirements, and the scope of risk perceived
• Potential business, information, and network assets are identified and described based on the Organisational and risk management contexts
• Tangible and intangible values are determined based on their importance, and business and legal implications
• Potential threats are identified and categorised based on the perceived system vulnerabilities
• Conducted/analysed the given network configurations, and settings to identify and contextualise the potential risk areas
• Acceptable and unacceptable risks are clearly distinguished as per the organisation’s Security Policy
• Consequences of identified risks are considered and assessed against possible likelihood of occurrence
• Risk assessed in conducted using an appropriate and acceptable risk assessment tool/table
• Existing network control mechanisms (based on a sample network or network topology) are evaluated to determine impact on risk occurrence
• High risk areas/items are emphasised and specified to ensure the development of appropriate risk mitigation strategies
• Risk mitigation strategies are developed based on the typical model of elimination, substitution, modification, technical, and administrative measures
• Contingency plans/arrangements for occurrence of risks are developed and incorporated in the plan
• A plan monitoring and review arrangement is included to periodically evaluate effectiveness and performance of the risk management options and strategies
• Overall, the plan demonstrates the ability to evaluate existing systems, and apply technical and analytical skills to develop risk management solutions

Submission Guidelines

▪ Word processed Risk Management Plan

Note: Keep a copy of all your work/documents as you may need them in the subsequent tasks.

Students should upload the assessment tasks on the MEGA Student Portal in the respective unit.

Assessment Task 4:

Description:

This task continues from, and builds on, the previous assessment tasks. Continuing in your role-play and organisational context, in this task, you will be required to develop a Network Security Plan, incorporating various plan components developed in the previous tasks.

A Network Security plan typically translates incorporates business/organisational objectives, and security/risk management strategies into actionable activities outlining specific steps/projects/measures, required resources and suggested timeline. 

From network security perspective, you will also need to include a proposed security design based on the perceived attacker scenarios and threats. Develop a Network Security Plan that covers;

• Introduction and background
• Network security goals and objectives
• Network security policy (Summary of Task1)
• Network Security o Critical system assets (From Task1)
  • Network security risk assessment (Summary of Task2) o Recommended Security Measures
  • Proposed new/improved network topology and diagram o Emergency response procedures
• Phases of security design
• Audit and Compliance

Assume that the company has had the following attack/security incidents at different occasions - assuming them as known incidents and risks;

• System compromise (Botnets and malware attack)
• Unauthorised data access (former disgruntled employees)
• Information disclosure (Employee mistake)
• Loss of data (cyber-attacks)
• Denial of service (DoS)

IN ADDITION, the company wants you to develop additional security measures to include non-PC devices with an IP address such as internet-enabled cameras, and employee badge readers. 

Prepare a structured Network Security Plan covering the above areas. The plan should be word-processed and written as a formal document. 

Assessment Criteria

The following assessment criteria will be used for marking this assessment task. Ensure that you have addressed all of the criteria in your work;

• The risk management is appropriately structured and presented as a formal document
• Appropriate headings and sub-headings are used to structure the contents
• The content flow covers all the required elements of the analysis and contains a logical sequence of the topics
• Appropriate consultation is maintained within the team and with the manager/supervisor (role-play) throughout
• Developed and used the required organisational context and discussed the need for a network security plan
• Summarised and aligned contents from previous assessment tasks as required, including the risk assessment
• Network security goals and objectives are specific, measurable, achievable, realistic, and time-bound
• Considered and outlined possible attacker scenarios and security threats
• Outlined specific security risks based on known breaches and vulnerabilities
• Developed and suggested security countermeasures for the connected network components against perceived vulnerabilities and threats
• Developed and suggested additional security measures for non-pc network components (e.g. internet-enabled cameras, and employee badge readers)
• Developed a suggested network security design incorporating the new security measures
• Defined planning, building, and managing phases to implement the proposed security design
• Proposed solutions are consistent with industry best practice and basic network security principles
• Illustrated the new security solutions through network diagram/topology
• Outlined procedures for responding to security incidents and treating the risks
• The plan identifies key stakeholders and arrangement to obtain ongoing feedback
• Overall demonstrated the ability to evaluate security information and suggest countermeasures through a structured planning approach