Write a Technical Report

This gives you the freedom of choosing a standard risk management framework. Ideally you may choose NIST 800-37, ISO 27005 & OCTAVE. The scenario is as follows, you are being asked to complete a comprehensive security assessment of an organization. The organization can be an existing company which you are/were working for, or you may create a made-up scenario. In this case, make sure you clearly introduce essential information about the fictitious company first. Note the scale of the organization is irrelevant, although your choice of organization will affect your choice of a suitable framework. You may use any appropriate framework for the security assessment; obvious choices are NIST 800-37, ISO 27005 & OCTAVE. If the framework is a well-known standard provide key references in your report. TASK DESCRIPTION Identify potential members of the company team required to assess and deliver the solution (Only include job roles, e.g. Network Administrator, Company Director, etc.). Following this, the potential scope to be assessed should be specified (be it functional or geographical, etc.). Through your assessment of the organisation, you are to highlight a small number of key critical assets, including both hardware and software. You should then identify potential threats to these assets. You must then also suggest technologies and architectures that could/should be employed to protect the highlighted assets. Explanations of how they counter them are required and a comparison with other possible solutions will gain extra credit. You are not being asked for the exact details or configuration of the proposed solutions, it is enough to specify the technologies. You can also suggest policies and guidelines for the future implementation within the organization. For the purposes of the coursework, you should understand that you are being asked to assess the security (and dependability) requirements for the organisation and outline preferred solutions. Once your initial report has been submitted, you would head up the team performing a second more detailed exercise starting with the writing of a full Information Policy and the design of a secure architecture, which is NOT within the scope of this report. REPORT STRUCTURE The report should be divided into three sections. Each section will have different audiences, therefore it is important to adjust your writing style accordingly. The first section is to be a single-page executive summary (around 500 words), which is targeted at the firm’s board of directors, CEO, managers and executives (so you should be careful about the use of technical terms and colloquialism/slang). This part of the report should contain the following:  An outline of the key issues  A statement of the recommendations to be adopted In the second section, a more detailed analysis is required. This can take up to 3-5 pages; depending on diagrams and figures (Maximum word limit for this section is 2000 words). This is directed at the technical staff within the firm and/or the technical specialists you will use for the implementation. In this section, you should state the background to the company and project. The key assets should be highlighted along with your reasons for selection. Then identify the proposed architecture of your recommendations (a network diagram may help illustrate your solution, but remember that you don’t need to have done a full detailed design). You should state any assumptions you make about the organization’s requirements. The third section should be a summary(250 – 500 words) of the proposals and recommendations for the technical staff, indicating key tasks that need to be performed and hardware that needs to be purchased (don’t list equipment exhaustively, rather state in what order equipment should procured and deployed). You should complete this within 24 hours and you can select any construction company or a mobile phone operator company...