7COM1066 assignment task
Assignment Task:
Scenario: On Monday 3 June 2024, Synnovis – a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospital NHS Trust and SYNLAB - was the victim of a ransomware cyberattack, resulting in interruptions to many of their services. The criminals behind the attack published data files on June 20. Synnovis confirmed on 24 June 2024, through an initial analysis, that the data published was stolen from some of their systems.
The investigation is still under way. Latest updates can be found at their Cyber Attack Information Centre.
The following statement is from the Synnovis CEO to their stakeholders on 19th Sept 2024: "I am pleased to report that we successfully transferred the final cohort of GP services back to Synnovis this week, meaning that all GPs have access to our full repertoire of medical diagnostic services once again. At the same time, our programme to restore remaining IT systems continues apace. The majority of hospital services are now operating as they were before the cyberattack, although some of our processes are still being conducted manually while we rebuild digital interfaces to reconnect our laboratories with service users. The restoration of Blood Transfusion services remains on track to be completed by Autumn and we expect to be in a position to confirm dates soon."
Synnovis also provided the following update on what it has done since the attack:
"Unfortunately, this is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect. We take cybersecurity very seriously at Synnovis and have invested heavily in ensuring our IT arrangements are as safe as they possibly can be, and will continue to do so. We continuously invest in the security of our IT systems and processes as well as the awareness of employees to protect its infrastructure and data.
We have taken several steps to further secure our infrastructure and implement operational mitigations for partners. These have included but are not limited to:
· Working with a taskforce of IT experts from Synnovis and the NHS, together with third-party advisers
· Standing up new data centre infrastructure
· Resetting all service platform passwords and expiring MFA tokens
The incident has been reported to law enforcement and the Information Commissioner. Our teams are working with leading cybersecurity experts, including the National Cyber Security Centre (NCSC) and the Cyber Operations Team, and we will continue to provide updates as further information is made available."
Assume that you have been appointed as the new CISO, and after a careful study of the existing policies, your team has identified the need for a new Protection of Records Policy to protect Synnovis records from loss, destruction, falsification, unauthorised access and unauthorised release, ensuring compliance with legal, statutory, regulatory and contractual requirements, as well as community and societal expectations related to the protection and availability of records.
Your task is to research and draft a Protection of Records Policy along the lines of the ISO27000 family for Synnovis. You are advised to create a clear set of policy statements with controls and examples. You may wish to refer to ISO 27002 5.1 Policies for Information Security and 5.33 Protection of records to ensure that the policy aligns with requirements for ISO compliance.
You should take into consideration any confidentiality, integrity, and availability (CIA) issues of the information assets of Synnovis and assess all relevant risks, taking into account Synnovis’s overall organisational strategy and objectives. This can be facilitated or supported through an information security specific risk assessment. This should result in the determination of the controls necessary to ensure that the residual risk to the organisation meets its risk acceptance criteria.
You should also research the General Data Protection Regulation (GDPR) and any other relevant legal, statutory, regulatory and contractual requirements that Synnovis and its interested parties (government, public, media, partners, service providers, etc.) have to comply with, as well as their sociocultural environment.
A brief, relevant description of the Synnovis context will help set up a personalised case study scenario for the assessment. You may also research publicly available information on the principles, objectives and organisational requirements of Synnovis and make assumptions for the "life cycle of information" it may have to support its operations. You may also need to identify information classification, storage and handling procedures, access controls and data retention schedules. Where relevant you may make assumptions or use fictitious data (but indicate that).
Submission Requirements:
The final report is expected to have the following structure:
· Cover Page
o Module code
o Module title
o ID number (the submission MUST be anonymous)
o Month and year, e.g. November 2024
· Context Establishment - Research into the organisation, its environment and threat landscape goes here. You may also include a list of assumptions here (maximum 2 pages/1000 words)
· Risk assessment - You do not have to write anything in this section of the word document. Produce an asset based risk register using the template given in Appendix 2 - The results of the risk assessment should help prioritise implementing controls for managing information security risks including appropriate policy statements necessary to protect against residual risks.
· Protection of Records Policy - Title page of your policy and your developed policy goes here (Maximum 3 pages/1500 words).
o You will use an AI tool (such as ChatGPT) to help you develop the policy; however, you must first obtain prior approval from your tutor regarding the tool you plan to use.
o Additionally, you must provide evidence, along with commentary, explaining the approach and decision-making process you used to guide the AI tool, and any manual writing/amendments you have made in tailoring the policy to the specific context we have defined.
o You will also provide a self-written evaluation of the tool you used based on your experience that includes strengths and weaknesses of using AI for policy writing.
· References
· Appendix 1 - Evidence of any additional work related to formulating the Context Establishment, Risk Assessment, and Protection of Records Policy can go here.
· Appendix 2: Work completed using the Risk Assessment template attached here: ra cw TEMPLATE 24-25_7COM1066 lu 24-09-2024.xlsx
You are expected to use appropriate peer reviewed sources to develop your arguments and use Harvard style referencing.
This is an individual assessment and it is essential that you develop your context, risk assessment and policy based on your own research and analysis. You should also avoid the direct use of publicly available policies and statements from the standards.
You are strongly encouraged to make use of Turnitin prior to submitting your policy.
The report should be prepared as follows:
· The same font should be used throughout. We would prefer you to use 12-point Times, though any reasonable alternative (such as Arial) will be accepted.
· Lines should be single-spaced, with between 1/2 a line and a whole line of extra space after each paragraph.
· Margins: at least 20mm left and right; 25mm top and bottom.
A policy that is written without evidence of appropriate process (context establishment and risk assessment) and/or that did not adhere to the conditions given when using an AI tool will receive zero marks.
Any content that avoids turn-it-in similarity scans (such as images) will not be marked.
You are required to submit the final report as one document via StudyNet in a .doc or .docx format using "student-number-report" as the filename. Submit the risk assessment template (excel worksheet) as a separate file in .xls format using "student-number-Appendix2".
The module leader reserves the right to conduct an oral examination with the student about the subject matter in his/her assessment submission.
Marks Awarded for:

| Assessment Criteria | Mark Available |
|---|---|
| Context Establishment | 15 |
| Risk Assessment | 20 |
| Protection of Records Policy (using an AI tool) | 15 |
| Presentation, design and references (at least 20 authentic references including standards and papers accessed from UH library) | 10 |
| Total | 60 |

Type of Feedback to be given for this assignment:
Formative verbal feedback will be given during the scheduled sessions as per the module delivery plan. Individual summative feedback will be given through Canvas for the final submission. The assignment will be marked according to the above marking scheme; as such, you should address each of the marking components within your assignment.
Every week, review & reflection questions related to the assessment activities will be posted on StudyNet. These questions will help you to reflect on the activities you will be undertaking as part of the assessed work for the module. Self-assess your work as you progress through the module which will help you understand the subject better. Feedback is not just the marks and the commentary at the end of the assessment – it is also the regular advice about your work as you undertake the practical activities. If you fail to undertake the practical activities and you fail to engage with the class and with the instructors, you will disadvantage yourself.
Additional information:
• Regulations governing assessment offences including Plagiarism and Collusion are available from https://www.herts.ac.uk/__data/assets/pdf_file/0007/237625/AS14-Apx3-AcademicMisconduct.pdf (UPR AS14).
• Guidance on avoiding plagiarism can be found here: https://herts.instructure.com/courses/61421/pages/referencing-avoidingplagiarism?module_item_id=779436
• For postgraduate modules:
o a score of 50% or above represents a pass mark.
o late submission of any item of coursework for each day or part thereof (or for hard copy submission only, working day or part thereof) for up to five days after the published deadline, coursework relating to modules at Level 7 submitted late (including deferred coursework, but with the exception of referred coursework), will have the numeric grade reduced by 10 grade points until or unless the numeric grade reaches or is 50. Where the numeric grade awarded for the assessment is less than 50, no lateness penalty will be applied.
© University of Hertfordshire 2024.
This assignment is created by the 7COM1066 MODULE TEAM and is a property of the University of Hertfordshire. Students should not share this assignment specification or the assignment solution with anyone apart from their module tutors.