CO7602Assignment1 2024-25

Uploaded by Mahnoor Akhtar

Assignment Specification

School of Computer and Engineering Sciences

Module Code: CO7602
Module Title: Business Implications of Cybersecurity
Assessment No: 1 of 2
Weighting: 40%
Title: Individual Report
In-Year Reassessment Offered: No
Generative AI: Not Allowed
Summary: Organisational Security Compliance Assessment
Submission Date: 13/11/2024 at 13:00 (7-day Submission Window Allowed)
Feedback Due: 11/12/2025
Instructions
Task – Organisational Security Compliance Assessment

The case study, Chester Business Ltd (CBL), for this task is on the next page. Study it carefully
before attempting the task.

Relevant definitions:

“A security compliance assessment is a structured evaluation process conducted to ensure
that an organization's information technology systems, processes, and practices adhere to
relevant security standards, regulations, and best practices. The primary goal of such
assessments is to identify and address security vulnerabilities, mitigate risks, and
demonstrate compliance with legal requirements and industry standards.”

“The CBL Security Control Catalog (CSC2) is a mapping of ISO 27002, CIS Controls, and
the NIST Cybersecurity Framework (CSF). The catalog is a set of best practices defined by
CBL to help it strengthen its cybersecurity posture. The catalogue is organised into key
domains for better structuring.”

Chester Business Ltd processes sensitive data for its day-to-day business. There is a decision
to pursue a detailed security project to help strengthen the organisation’s cybersecurity
posture and safeguard it against cyber threats. The new chief information officer (CIO) has
decided that the starting point is to conduct a project security baseline assessment based on
the company’s security control catalogue (CSC2). This is to ascertain the level of adherence
to their own security objectives.

You have been approached as a consultant and are required to assess CBL’s organisational
structure and network architecture for compliance with the CSC2 Controls. CBL’s structure,
business processes, office plan, network dossier/documentation, and CSC2 are provided
below. The assessment criteria for this project are the CSC2 Controls, so your job is to assess
the information (the case study, office plan, and network dossier) that has been provided by
the customer against all the controls (also known as ‘best practices’) and decide, with
justification, whether each control (best practice) has been fully, partially, or not complied with.
If you decide that a control is not applicable for CBL, you must provide detailed justification. This
means that the assessment outcome/status for each of the controls must be one of the
following:

▪ Fully Compliant (FC)
▪ Partially Compliant (PC)
▪ Not Compliant (NC)
▪ Not Applicable (NA)

Your assessment table should look like this example (columns: Control number, Domain, ID & Title, Description, Status, Justification):

Control number: 1
Domain: Governance & Risk Management (G)
ID & Title: G1: Establish an Information Security Policy
Description: Develop, document, and implement an organization-wide security policy that provides high-level security objectives and aligns with regulatory and business requirements.
Status: FC
Justification: Reason/evidence for the FC assessment

Control number: 2
Domain: Governance & Risk Management (G)
ID & Title: G2: Conduct Regular Risk Assessments
Description: Perform periodic risk assessments to identify, analyze, and mitigate potential threats and vulnerabilities to information systems and data.
Status: PC
Justification: Reason/evidence for the PC assessment

Control number: 14
Domain: Protection (P)
ID & Title: P1: Implement Strong Access Controls
Description: Enforce strong access control mechanisms that restrict access to sensitive data and systems based on the principle of least privilege.
Status: NC
Justification: Reason/evidence for the NC assessment

Control number: 35
Domain: Detection (D)
ID & Title: D4: Analyze Network Traffic for Anomalies
Description: Implement network monitoring tools to detect unusual or malicious activities, such as unauthorized access or data exfiltration.
Status: NA
Justification: Reason/evidence for the NA assessment

Activities and requirements:

▪ Carefully study all the provided information about CBL. This will give you a clear
understanding of the case study.
▪ Study the CSC2 to understand how it is organised.
▪ Conduct the assessment using the example in the table above. Note that the quality of the
assessment depends on the strength of your ‘justification’. Analyse the result of the
assessment and present your outcome in meaningful formats/ways that will be helpful
to the organisation. For example, you can identify the areas (Security Domains) where
the organisation is doing well or badly and where they need to focus more, using a
chart/table/graph of your choice to present the security status of the organisation. If
you use a spreadsheet, you must copy the entire assessment table into the report. The
table MUST NOT be an image. Parts of the table will have a high similarity level (in
Turnitin) because of the controls catalogue, and that’s fine.
▪ Present your report using any format of your choice. However, the report must contain
the following deliverables:
o Executive summary: A concise, high-level summary of the key findings, insights,
and recommendations from the assessment. It does not go into technical details.
o Findings: Detailed discussion and presentation of the assessment findings,
including summary of the company’s compliance with each CSC2 Control
Domain.
o Recommendations: Recommendations for remediation and compliance
improvements.
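As an added example (not part of the brief or of CBL's materials), the following Python script takes an assessment table of the shape shown above and produces the per-domain view the activities ask for: it checks that every row has a valid status and a non-empty justification, lists the catalogue controls that have not yet been assessed, and computes a per-domain score. The FC/PC/NC weights (1, 0.5, 0) are an assumption chosen for illustration, and NA rows are excluded from the score. The sample rows reuse the four example rows from the brief plus one constructed placeholder row (P2) whose status is invented purely to exercise the code; it is not a finding about CBL.

```python
"""Aggregate a CSC2 assessment table into per-domain compliance figures.

Added example, not part of the assignment brief. The FC/PC/NC weighting is an
assumption for illustration; NA rows are excluded from the score.
"""
from dataclasses import dataclass

# Domain codes and control counts as listed in the CSC2 catalogue (90 controls).
DOMAINS = {
    "G": ("Governance & Risk Management", 13),
    "P": ("Protection", 18),
    "D": ("Detection", 13),
    "R": ("Response", 11),
    "RV": ("Recovery", 10),
    "T": ("Technical Security", 15),
    "E": ("Emerging Technologies", 10),
}
VALID_STATUS = {"FC", "PC", "NC", "NA"}
# Assumed scoring weights; NA is deliberately not scored.
STATUS_WEIGHT = {"FC": 1.0, "PC": 0.5, "NC": 0.0}


@dataclass
class Assessment:
    number: int          # row number in the assessment table
    control_id: str      # e.g. "G1", "RV3"
    status: str          # one of FC / PC / NC / NA
    justification: str


def catalogue_ids():
    """All 90 control IDs in catalogue order (G1..G13, P1..P18, ...)."""
    return [f"{code}{i}" for code, (_, n) in DOMAINS.items() for i in range(1, n + 1)]


def domain_of(control_id):
    """Return the domain code of a control ID, e.g. 'RV3' -> 'RV'."""
    code = control_id.rstrip("0123456789")
    if code not in DOMAINS:
        raise ValueError(f"unknown domain in control id {control_id!r}")
    return code


def validate(rows):
    """Return a list of problems: bad status, missing justification, duplicates."""
    problems, seen = [], set()
    for r in rows:
        if r.status not in VALID_STATUS:
            problems.append(f"{r.control_id}: invalid status {r.status!r}")
        if not r.justification.strip():
            problems.append(f"{r.control_id}: justification is empty")
        if r.control_id in seen:
            problems.append(f"{r.control_id}: assessed more than once")
        seen.add(r.control_id)
    return problems


def missing_controls(rows):
    """Catalogue controls that the table has not assessed yet."""
    assessed = {r.control_id for r in rows}
    return [cid for cid in catalogue_ids() if cid not in assessed]


def summarise(rows):
    """Per-domain counts of each status plus a 0..1 score (None if nothing scored)."""
    summary = {code: {"FC": 0, "PC": 0, "NC": 0, "NA": 0} for code in DOMAINS}
    for r in rows:
        if r.status not in VALID_STATUS:
            raise ValueError(f"{r.control_id}: invalid status {r.status!r}")
        summary[domain_of(r.control_id)][r.status] += 1
    for counts in summary.values():
        scored = counts["FC"] + counts["PC"] + counts["NC"]
        weighted = sum(STATUS_WEIGHT[s] * counts[s] for s in STATUS_WEIGHT)
        counts["score"] = round(weighted / scored, 3) if scored else None
    return summary


def render(summary):
    """Plain-text table of the summary, one line per domain."""
    lines = [f"{'Domain':<34} {'FC':>3} {'PC':>3} {'NC':>3} {'NA':>3}  Score"]
    for code, (name, _) in DOMAINS.items():
        c = summary[code]
        label = f"{name} ({code})"
        score = "n/a" if c["score"] is None else f"{c['score']:.0%}"
        lines.append(f"{label:<34} {c['FC']:>3} {c['PC']:>3} {c['NC']:>3} {c['NA']:>3}  {score}")
    return "\n".join(lines)


# Constructed sample: the four example rows from the brief plus one placeholder
# row (P2) whose status is invented to exercise the code, not a finding.
SAMPLE_ROWS = [
    Assessment(1, "G1", "FC", "example row from the brief"),
    Assessment(2, "G2", "PC", "example row from the brief"),
    Assessment(14, "P1", "NC", "example row from the brief"),
    Assessment(35, "D4", "NA", "example row from the brief"),
    Assessment(15, "P2", "PC", "constructed placeholder value"),
]

if __name__ == "__main__":
    for p in validate(SAMPLE_ROWS):
        print("problem:", p)
    print(render(summarise(SAMPLE_ROWS)))
    print(f"{len(missing_controls(SAMPLE_ROWS))} of {len(catalogue_ids())} controls still unassessed")
```

The output of `missing_controls` is the checklist to work through before submission, since the brief requires a status for every one of the 90 controls; the per-domain score is only meaningful once a domain has been fully assessed, and the NA count is shown separately so that a domain marked largely not applicable is not mistaken for a well-covered one.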

Note:
▪ It is important that you attend classes, especially the assignment support sessions,
as we will be discussing the assignment in great details.
▪ Knowledge of the referenced security frameworks (ISO27002, CIS Controls, and NIST
CSF) will be helpful.
▪ Do NOT make any assumptions for the assessment. Use only the information you have.

Assessment Criteria
Marks will be affected if the above instructions are not adhered to. The following criteria will
apply:
• Knowledge [30%]: Demonstration of knowledge and understanding of subject matter,
tailoring of discussion to case study, and coverage
• Cognitive skills [30%]: Clarity of discussion, coherency, perception, articulation of
views, thoughtful interpretation etc.
• Practical/professional skills [25%]: Technical understanding and use of materials,
breadth and depth of material, academic writing, formatting and strength of argument.
• Communication [10%]: Presentation, vocabulary and style, spelling and punctuation
• Referencing [5%]: Using literature to support argument. Acknowledging and
accurately presenting sources.

The Chester Business Case Study

Introduction
Chester Business Ltd is a medium-sized IT company that develops software applications for clients.
Their major clients include schools, NHS trusts, and some government departments. They
also collaborate with other IT companies, both locally and internationally, on major IT projects.
The diagram below shows their office plan based in Chester. The company also has other
interests, including bidding for research funds and carrying out research for IT innovations.
They do not have an offsite backup centre. All their assets are located in their facility in
Chester. They also let out their conference room to external organisations for conferences
and meetings. Chester Business Ltd employs 100 staff and all are trained (and retrained) to
recognise social engineering attacks. They are also trained in data classification and the
dangers of transmitting data over insecure networks.

Management Structure
Chester Business is managed by a Board, comprising the Chief Executive and Heads of IT,
Business, Facilities and Research departments. Each department has a number of
employees covering different roles.

IT
The Head of IT manages a team of four IT support staff and 10 software developers. The
support staff provide technical support to all staff of the company. Each member of staff
is allocated a desktop computer with full Internet and email access. The company also
operates an undocumented BYOD (bring your own device) policy that allows employees to
bring their own personal mobile devices into work and use those devices to connect to the
company network and/or the Internet. The support analysts are free to use any external
storage of choice to share and move data. The company runs a Windows Server 2010 R2, a
Linux server (Apache 2.3.49), and a variety of Windows 7 (for legacy applications), Windows
10, and Linux workstations. The software developers are skilled in Microsoft .Net technologies
as well as C++ and Visual Basic and can reuse code snippets lifted from open sources or
programming forums. They can also use any version control software of choice. IT also
maintains a website that runs WordPress 5.9.3. The department maintains an inventory of all
assets. However, the inventory only contains high-level information about the assets. On the
other hand, there is no central inventory of software installed on the organisation's assets.

Business
The Head of Business department oversees the day-to-day running of the company. She is
in charge of contract negotiations and all project managers report to her. She travels a lot on
business trips and, like every other employee, she can access company resources remotely.
The company has a VPN service for secure remote access to the company. However, on odd
occasions, staff have used open-source remote desktop applications to connect remotely.

Facilities
This department manages and maintains the company’s facilities including conference room
bookings. They are responsible for managing physical security as well as overseeing security
guards/staff who are sometimes outsourced. This department enforces very strict security
measures. For example, physical security can only be outsourced to government-approved
and professionally certified security companies, all security staff/guards are DBS checked, the
conference room can only be rented by carefully vetted organisations (however, no further
checks are carried out on individuals attending meetings), everyone on the company’s
premises must wear a visible relevant card, and restricted/sensitive areas are clearly marked
using appropriate signs.

Research
This department oversees the company’s research effort. They work closely with other
researchers both locally and internationally. They are involved in several research
collaborations across different research groups and consortiums. They have no dedicated (or
restrictions on) communication medium within themselves and with their research
collaborators.

Chester Business Office Plan

Network Dossier
Network Overview:
• Network Name: CBL Network
• Network Size: Small Business Network
• Network Purpose: Support daily business operations, file sharing, web hosting,
and data storage.
Infrastructure Components:
1. Windows Server 2012 R2:
• Hostname: WinServer2012R2
• Role: Domain Controller, File Server
• Active Directory Domain: cbl.local
• Services: DHCP, DNS, Active Directory, File Sharing
• Security: Configured with up-to-date antivirus and regular security patch
updates. Access control lists are configured based on user’s need to know.
MFA is required for external/remote access to the server.
2. Linux Apache 2.3.49 Server:
• Hostname: LinuxWebServer
• OS: Linux (Distribution: CentOS)
• Role: Web Server

• Services: Apache 2.3.49 for web hosting


• Security: Regularly updated with security patches, and firewall rules restrict
access to necessary ports.
3. Workstations:
• Operating System: Windows 7 and 10, Linus OS
• Security: Endpoint security software installed, regular OS updates,
and user accounts managed through Windows Active Directory.
• Purpose: Used for various business tasks, including document
processing, email communication, and accessing network resources.
Networking Equipment:
1. Router/Firewall:
• Model: Cisco ASA 5505
• Function: Connects the internal network to the internet, provides firewall
protection, and manages NAT.
• Security: Regularly updated firmware, access controls, and firewall rules.

2. Switch:
• Model: Cisco SG200-24
• Ports: 24 Gigabit Ethernet Ports
• Function: Provides network connectivity for workstations and servers.

Network Security Measures:
• Firewall Rules: Strict firewall rules implemented on the router and server firewall to
control traffic flow.
• Antivirus/Anti-Malware: Endpoint security software installed on all workstations.
• User Authentication: User accounts managed through Windows Active
Directory with strong password policies.
• Regular Backups: Scheduled backups of critical data to ensure data recovery in
case of failures. Backup data stored on the same network.
Additional Notes:
• Regular network maintenance and monitoring are performed to ensure optimal
performance and security.
• The Linux Apache server hosts the company website and is accessible from the
internet via port forwarding on the router.
• Workstations are named and assigned to specific users.
• Network documentation is maintained, including diagrams, configuration files,
and asset inventories.
This network dossier provides an overview of the key components and configurations of the
network, helping to ensure transparency and effective management of the network resources
and security.

CBL Security Control Catalog (CSC2)

Governance & Risk Management (G)

1. G1: Establish an Information Security Policy
Develop, document, and implement an organization-wide security policy that provides high-level
security objectives and aligns with regulatory and business requirements.
2. G2: Conduct Regular Risk Assessments
Perform periodic risk assessments to identify, analyze, and mitigate potential threats and
vulnerabilities to information systems and data.
3. G3: Maintain an Asset Inventory
Maintain a current and comprehensive inventory of hardware, software, and data assets,
ensuring all assets are classified and protected according to their criticality.
4. G4: Classify and Label Information Assets
Develop a classification scheme for data and systems based on sensitivity and value, and
ensure assets are labeled accordingly to enforce appropriate security controls.
5. G5: Develop a Risk Treatment Plan
Based on risk assessment results, create a risk treatment plan to address identified risks by
applying mitigation, transfer, acceptance, or avoidance strategies.
6. G6: Define Roles and Responsibilities
Establish clear security roles and responsibilities within the organization, including
responsibilities for IT, management, and staff.
7. G7: Perform Security Awareness Training
Regularly train employees on security policies, procedures, and the importance of adhering
to security best practices, ensuring they understand how to identify and respond to security
threats.
8. G8: Implement Third-Party Risk Management
Evaluate the security practices of third-party vendors and partners, and ensure they adhere
to your organization’s security requirements through contracts and assessments.
9. G9: Define an Acceptable Use Policy
Establish and communicate an Acceptable Use Policy (AUP) to guide employees on the
proper use of organizational assets, including internet and email usage.
10. G10: Establish Incident Management Processes
Develop an incident management framework to quickly identify, contain, and mitigate
security incidents, ensuring lessons learned are fed back into risk management processes.
11. G11: Develop a Business Continuity Plan
Create and maintain a Business Continuity Plan (BCP) to ensure critical functions can
continue in the event of a disruption or disaster.
12. G12: Conduct Regular Security Audits and Assessments
Regularly audit security processes and controls to ensure their effectiveness, and make
necessary adjustments based on the results.
13. G13: Define Compliance Obligations
Identify and document all applicable legal, regulatory, and contractual requirements related
to information security, ensuring compliance.

Protection (P)
14. P1: Implement Strong Access Controls
Enforce strong access control mechanisms that restrict access to sensitive data and
systems based on the principle of least privilege.
15. P2: Use Multi-factor Authentication (MFA)
Implement multi-factor authentication to verify users' identities before granting access to
critical systems and data.
16. P3: Secure Configuration for Hardware and Software
Establish secure configuration baselines for all systems and applications to reduce
vulnerabilities and maintain security.
17. P4: Patch Management Process
Develop a patch management process to ensure that operating systems, software, and
firmware are updated regularly to mitigate known vulnerabilities.
18. P5: Network Segmentation
Segment networks based on sensitivity, ensuring critical assets are isolated to limit
unauthorized access.
19. P6: Enable Data Encryption at Rest and in Transit
Encrypt sensitive data both at rest and in transit to prevent unauthorized access during
transmission or storage.
20. P7: Implement Secure Software Development Lifecycle (SDLC)
Integrate security throughout the software development lifecycle, ensuring secure coding
practices and regular security testing.
21. P8: Protect Wireless Access Points
Secure wireless networks by using encryption, strong authentication methods, and regular
monitoring to prevent unauthorized access.
22. P9: Use Antivirus and Anti-Malware Solutions
Deploy antivirus and anti-malware tools on all endpoints and regularly update them to
protect against malware infections.
23. P10: Establish a Data Loss Prevention (DLP) Program
Implement DLP tools to monitor and protect sensitive data from unauthorized sharing or
leakage, especially via email and cloud services.
24. P11: Monitor Physical Access Controls
Ensure that physical security measures are in place, such as surveillance cameras and
access controls, to monitor and control entry into sensitive areas.
25. P12: Implement Email and Web Filtering
Use email and web filtering solutions to block phishing attempts, malware, and unwanted
content from entering the network.
26. P13: Control Use of Administrative Privileges
Limit and monitor the use of administrative privileges to reduce the risk of insider threats or
misuse by malicious actors.
27. P14: Implement a Secure Backup Strategy
Ensure that regular backups are performed and that backups are encrypted, securely
stored, and tested for recoverability.
28. P15: Protect Removable Media
Control the use of removable media (e.g., USB drives) through encryption and access
control measures, reducing the risk of data loss or malware.
29. P16: Use Application Whitelisting
Implement application whitelisting to ensure that only authorized software is allowed to run
on critical systems.
30. P17: Deploy Honeypots for Attack Detection
Set up honeypots to lure attackers and detect their activities before they reach sensitive
systems.
31. P18: Establish Change Management Procedures
Implement change management processes to ensure that changes to systems and
applications are reviewed, tested, and approved before being implemented.
Detection (D)

32. D1: Implement Continuous Monitoring
Continuously monitor the organization's systems for security threats, anomalies, and
suspicious activities using automated tools.
33. D2: Centralize Security Logging
Aggregate and centralize security logs from all systems to ensure comprehensive visibility
and support incident response efforts.
34. D3: Perform Regular Vulnerability Scans
Conduct routine vulnerability scans to identify weaknesses in the organization’s systems
and applications, and take timely action to remediate them.
35. D4: Analyze Network Traffic for Anomalies
Implement network monitoring tools to detect unusual or malicious activities, such as
unauthorized access or data exfiltration.
36. D5: Implement Intrusion Detection Systems (IDS)
Use IDS to monitor and detect unauthorized activities, intrusions, or attacks on the network.
37. D6: Establish a Security Information and Event Management (SIEM) System
Implement a SIEM solution to correlate security data from various sources, enabling real-time
detection of security incidents.
38. D7: Use File Integrity Monitoring (FIM)
Monitor file integrity to detect unauthorized changes to critical files, system configurations,
and applications.
39. D8: Monitor User and Entity Behavior Analytics (UEBA)
Use behavioral analytics tools to detect anomalous user behaviors that may indicate insider
threats or compromised accounts.
40. D9: Monitor Network Devices and Endpoints
Continuously monitor network devices and endpoints for signs of compromise,
misconfigurations, or vulnerabilities.
41. D10: Conduct Regular Log Reviews
Regularly review and analyze system, network, and security logs to detect potential security
incidents and anomalies.
42. D11: Perform Threat Hunting Exercises
Proactively search for indicators of compromise (IoCs) and potential security threats in the
network, systems, and applications.
43. D12: Establish Incident Detection Capabilities
Develop the capability to detect incidents early by integrating multiple detection
mechanisms, such as IDS, SIEM, and behavioral analytics.
44. D13: Monitor for Insider Threats
Implement monitoring to detect suspicious activities by internal users that may indicate
insider threats or privilege misuse.

Response (R)

45. R1: Develop and Test Incident Response Plans
Create and periodically test incident response plans to ensure they are effective in
identifying, containing, and eradicating security incidents.
46. R2: Define Communication Channels for Incident Response
Establish clear internal and external communication channels for responding to incidents
and coordinating with stakeholders during an event.
47. R3: Conduct Incident Response Training and Simulations
Provide incident response training to employees and conduct simulations to improve
response readiness and coordination.
48. R4: Establish an Incident Reporting Mechanism
Implement a clear mechanism for employees, partners, and customers to report security
incidents promptly.
49. R5: Perform Incident Analysis and Root Cause Analysis
After every incident, perform a thorough analysis to determine its root cause and take
corrective actions to prevent recurrence.
50. R6: Maintain an Incident Response Team (IRT)
Establish and maintain an IRT responsible for investigating, managing, and resolving
security incidents.
51. R7: Conduct Post-Incident Reviews
Perform reviews after each significant incident to capture lessons learned and update
security policies and procedures accordingly.
52. R8: Define Legal and Regulatory Incident Notification Requirements
Ensure that incident notification requirements are identified and complied with, especially in
cases involving personal data breaches.
53. R9: Establish Chain of Custody for Evidence
Develop a chain of custody process to ensure that evidence collected during incidents is
properly preserved and handled for potential legal actions.
54. R10: Document and Track Incidents
Maintain a log of all reported incidents, their impact, and the actions taken, ensuring
detailed documentation for future reference and analysis.
55. R11: Establish Remediation Plans for Security Incidents
Develop and implement remediation plans to address vulnerabilities and other security
weaknesses identified through incident response activities.

Recovery (RV)

56. RV1: Establish a Disaster Recovery Plan
Develop a Disaster Recovery (DR) plan to restore normal business operations in the event
of a major system disruption or failure.
57. RV2: Perform Regular Backups and Verify Restores
Regularly back up critical systems and data, and periodically verify that backups can be
restored successfully.
58. RV3: Conduct Regular Disaster Recovery Testing
Test disaster recovery procedures regularly to ensure their effectiveness and alignment
with current systems and business priorities.
59. RV4: Establish Data Recovery Procedures
Implement documented data recovery procedures that prioritize the restoration of essential
systems and data within specified timeframes.
60. RV5: Define Roles and Responsibilities for Recovery
Assign clear roles and responsibilities for individuals and teams responsible for disaster
recovery efforts.
61. RV6: Ensure Alternate Communication Channels during Recovery
Set up alternative communication channels to ensure continuity of coordination during
recovery efforts in case primary systems fail.
62. RV7: Update Recovery Procedures Based on Testing
Regularly update disaster recovery procedures based on the results of tests and actual
incidents to improve future resilience.
63. RV8: Conduct Business Impact Analysis (BIA)
Perform a BIA to assess the potential impact of disruptions on critical business functions
and define recovery priorities.
64. RV9: Ensure Redundancy for Critical Systems
Implement redundant systems and failover mechanisms to minimize the impact of system
outages on critical services.
65. RV10: Establish Coordination with External Recovery Partners
Work closely with external vendors, partners, and stakeholders to ensure coordinated
recovery actions in the event of a major disruption.

Technical Security (T)

66. T1: Use Secure Coding Practices
Ensure secure coding practices are followed to prevent vulnerabilities such as buffer
overflows, SQL injection, and cross-site scripting.
67. T2: Apply Configuration Baselines
Define and enforce secure baseline configurations for all systems, applications, and
devices.
68. T3: Implement Endpoint Detection and Response (EDR)
Deploy EDR solutions on all endpoints to detect and respond to advanced threats such as
ransomware and zero-day exploits.
69. T4: Deploy Web Application Firewalls (WAF)
Use WAFs to protect web applications from common exploits, such as injection attacks and
cross-site scripting.
70. T5: Use Secure Network Protocols
Ensure that only secure network protocols (e.g., HTTPS, SSH) are used to protect data in
transit.
71. T6: Regularly Test Application Security
Conduct regular security tests on applications, including vulnerability scans, penetration
tests, and code reviews.
72. T7: Implement Strong Session Management
Enforce secure session management practices, such as automatic session timeouts, to
prevent unauthorized access.
73. T8: Monitor API Security
Implement security controls for APIs, including input validation, authentication, and
encryption, to prevent unauthorized access and data breaches.
74. T9: Perform Static and Dynamic Application Testing (SAST/DAST)
Conduct both static (SAST) and dynamic (DAST) application testing to identify and address
security vulnerabilities during development and production.
75. T10: Securely Configure Databases
Ensure that databases are securely configured, with restricted access, encryption, and
regular patching to prevent unauthorized access.
76. T11: Use Strong Encryption Standards
Adopt strong encryption standards for data at rest and in transit, such as AES-256, to
protect sensitive data.
77. T12: Implement Anti-Spoofing Mechanisms
Use mechanisms like DNSSEC and email authentication protocols (SPF, DKIM, DMARC)
to prevent spoofing attacks.
78. T13: Secure DNS Configurations
Ensure that DNS configurations are secure to prevent hijacking, cache poisoning, and other
DNS-based attacks.
79. T14: Implement Firewall and Router Security Configurations
Ensure firewalls and routers are configured securely, with minimal open ports and services,
and apply access control lists to filter traffic.
80. T15: Use Data Masking Techniques
Apply data masking to obscure sensitive data, such as personally identifiable information
(PII), in non-production environments.

Emerging Technologies (E)

81. E1: Secure Cloud Infrastructure
Implement security controls for cloud environments, including data encryption, access
management, and monitoring, ensuring compliance with best practices.
82. E2: Implement Cloud Access Security Broker (CASB)
Deploy CASB solutions to gain visibility and enforce security policies on data moving to and
from cloud services.
83. E3: Establish Security Controls for IoT Devices
Secure IoT devices by enforcing strong authentication, network segmentation, and
monitoring of communication patterns.
84. E4: Implement Blockchain Security Practices
Apply security practices specific to blockchain technologies, such as securing private keys,
validating transactions, and mitigating potential consensus attacks.
85. E5: Protect AI and Machine Learning Models
Implement security controls to protect AI/ML models from adversarial attacks, ensuring data
integrity and privacy in the training and operation phases.
86. E6: Secure Quantum Computing Initiatives
Begin assessing quantum-resilient encryption algorithms and explore potential impacts of
quantum computing on encryption methods and data security.
87. E7: Manage Edge Computing Security
Implement security controls for edge computing environments, including data encryption,
endpoint protection, and secure communication channels.
88. E8: Secure 5G Networks
Develop and implement security strategies for 5G network architecture, including secure
communications, encryption, and infrastructure management.
89. E9: Implement Privacy by Design in AI
Ensure that privacy is integrated into AI systems from the design stage, emphasizing
transparency, data minimization, and compliance with privacy regulations.
90. E10: Monitor and Secure Blockchain Infrastructure
Regularly monitor blockchain networks for vulnerabilities or potential attacks and ensure
that consensus mechanisms are secure from manipulation.

Additional Information

Learning Outcomes Assessed

• LO1: Demonstrate knowledge of the role of an Information Security Management System in achieving
information security objectives.
• LO2: Master the key aspects of information risk management and business continuity.
• LO5: Demonstrate a critical awareness of key government cybersecurity initiatives.

Assessment Support
Assessment support sessions will be organised.
Submission Window, Exceptional Circumstances, and Assessment Regulations
You are expected to submit work by the submission date specified at the start of the assignment specification.
Some assignments may support a 7-day window in which students can submit work late without penalty and this
will be specified below the submission date at the start of this brief. Any work submitted outside of the submission
date (or submission window where allowed) will be given a mark of zero.
You can find details about what you need to do if you are unable to submit the assessment on time on the Registry
Services Exceptional Circumstances Portal page. Any deferral request must be submitted online within 7-days of
the final submission date (or submission window where allowed). In all cases, evidence will be required to support
the deferral.
You can find out more about University regulations related to assessment on the Registry Services Assessment
Regulations page.

Academic Conduct
The material you submit must be your own work. You must not collude with your peers on your work unless the brief
explicitly allows this (such as in the case of group work). The penalties for breaching the academic conduct policy are
severe. The minimum penalty is usually zero for that piece of work. Further information is available below:
• Academic Conduct
• Excess Word Count Penalties
• Cite Them Right Online guidance

Generative AI
The use of generative AI tools where not permitted will be treated as a breach of the academic conduct policy.
This assignment does not permit the use of any generative AI tools, including but not limited to ChatGPT, Gemini,
Copilot, Midjourney, and others.

Submission Information
This 2000-word report (with 10% flexibility; 5 marks penalty per 1000 words excess, e.g. for a 1000-word
assignment, 5 marks are deducted for 1101-2100 words) should be submitted online via Turnitin on the CO7602
Moodle page. The work should be submitted as a Word or PDF (.pdf) file and should be properly referenced
using the APA referencing system.

Permissible word count excludes the student’s name, title of module and assignment, references to sources,
bibliography, graphs, tables, maps, diagrams, captions and appendices.

The submitted file must be named with your assessment (J number), e.g. J123456.pdf or J123456.docx.
Files submitted in an incorrect format will usually be marked as zero.
Assessment Criteria Postgraduate

Assignment Task (LOs Covered):
• LO1: Demonstrate knowledge of the role of an Information Security Management System in achieving
information security objectives.
• LO2: Master the key aspects of information risk management and business continuity.
• LO5: Demonstrate a critical awareness of key government cybersecurity initiatives.

Fail (<50%):
Fairly basic knowledge, limited consistency of depth and accuracy of detail; not all aspects addressed, some
omissions. Some interpretation or insight; may be largely descriptive, or superficial; over-reliance on narrative.
Some evidence of rationale; minimal attempt to examine strengths and weaknesses of an argument. Adequate
though only partially accurate technical understanding and judgement; adequate level of competence in use of
materials and application of working processes and techniques. Inaccuracies in spelling, punctuation,
presentation and syntax do not usually interfere with meaning. Sources acknowledged; references not always
correctly cited/presented.

Pass (50-59%):
Content generally relevant and accurate, most central issues identified; basic knowledge sound but may be
patchy. Sound explanation; this may be partly descriptive and factual; ideas tend to be stated rather than
developed. Some attempt at critical analysis using theory; may be limited and lack consistency or conviction.
Mostly accurate technical understanding and judgement; satisfactory level of competence in use of materials
and appropriate application of working processes and techniques. Overall competence in spelling, punctuation,
presentation and syntax, although there may be some errors. Sources acknowledged and referencing mostly
accurate.

Merit (60-69%):
Breadth and depth of coverage, accurate and relevant in detail. Well-tailored to case study. Perceptive,
thoughtful interpretation. Consistent development of critical analysis and articulation of views; coherently
presented. Accurate technical understanding and judgement; good level of competence in use of materials and
appropriate application of working processes and techniques. High standard of accuracy in spelling,
punctuation, presentation and syntax. Sources acknowledged and accurately presented.

Distinction (>=70%):
Extensive subject knowledge, thorough coverage of topic, focused use of detail and examples. Excellent
understanding of case study. Excellent perception, critical insight and interpretation. Very good depth and
breadth of critical analysis; sustained, thorough questioning informed by theory. Thorough technical
understanding and judgement; excellent level of competence in use of materials and appropriate application of
working processes and techniques. Near perfect spelling, punctuation, presentation and syntax. All sources
acknowledged and accurately presented.