CIS 2103 Security Project Guide

This document provides guidelines for a group project assessing information security practices in a selected organization. The project is worth 25% of the course grade and consists of two parts: a written report worth 50% and an in-person presentation worth 50%. For the report, groups must choose an organization and analyze its security measures, including technologies, training programs, and policies. The report should cover the organization's business needs, asset classification, risk assessment, and countermeasures. Guidelines detail the required sections and evaluation criteria for students to demonstrate their understanding of information security in the real world.

Uploaded by

d1740246

HIGHER COLLEGES OF TECHNOLOGY

Computer and Information Science

Non-Exam Based Assessment Cover Sheet


CIS 2103 – Principles of Information Security & Privacy
Group Project

Course Name CIS2103 - Principles of Info. Assurance, Security & Privacy

Percentage of Final Grade: 25%

This assessment will assess the following Course learning outcomes:

Question No.    CLO1    CLO2    CLO3    CLO4    CLO5
                X       X       X       X       X

 The entire project/case study/poster is designed and developed by me (and my team members).
 Proper citation has been used when I (and my team members) used other sources.
 No part of this project has been designed, developed or written for me (and my team members) by a third party.
 I have a copy of this project in case the submitted copy is lost or damaged.
 None of the music/graphics/animation/video/images used in this project have violated the Copyright/Patent/Intellectual Property rights of an individual, company or an institution.
 I have the written permission of the people who feature in this project.

Student Signature: Date:


Student Signature: Date:
Student Signature: Date:
Student Signature: Date:

For Examiner’s Use Only


Question No.                   Report    Presentation    Total Marks
Marks Allocated                50        50              100
Marks Obtained (Student 1)
Marks Obtained (Student 2)
Marks Obtained (Student 3)
Marks Obtained (Student 4)


CIS 2103 Group Project Guidelines
An Investigation of the use of Security Principles in a Selected Organization
This document provides the guidelines that students have to follow and the tasks they have to complete while
working on this group project. The instructions provided cover the requirements for both the written report and the
project presentation and oral defense.

201910
CIS 2103 Group Project Guidelines
An Investigation of the use of Security Principles
in a Selected Organization

General Information
This document provides you with the instructions you need to follow to work on the group project that is
assigned to you in the CIS 2103 course this semester. It will guide you through the steps you need to follow
to perform all the tasks in a successful and professional way.

This project is worth 25% of the course grade. The total marks assigned are 100. These 100 marks are
divided into the following parts:

 Project Part 1 – Written Report: 50 marks.
 Project Part 2 – Presentation/Oral Defense: 50 marks.

Project Selection:

Each team has the option to select the company or organization they like. The organization chosen can be
any organization that has implemented the principles of Information Security. Note that the more
information security measures and controls the selected organization implements, the easier it is to find
answers to your questions. Examples of organizations that teams can select include but are not limited to
the following:
• A bank.
• An oil company.
• A university/college.
• A governmental entity.
• A hospital.
• A big insurance company.
• The headquarters of Dubai Police.

Topics Covered

The topics covered in this group project are the following:
 Describing the business needs of a selected organization.
 Describing the business needs for Information Security.
 Identifying and classifying the company’s assets.
 Defining how risk is identified and assessed in a selected company.
 Maintenance and enforcement of information security policy, standards, practices, procedures, and guidelines.
 Describing the different types of policies and explaining how these policies support the information security program.
 Understanding and evaluating different security measures used in an organization.

Details about what to do in each of these areas are provided in the next sections of this document.
Part 1: (Written Report) Instructions:
This part is worth 50% of the project’s grade. In this part, each group of students is required
to choose a company/organization and understand its security requirements based on the
nature of its business. They need to use the collected information about the company to
describe and analyze the security measures this organization is implementing. They need to
report all kinds of measures. This includes the following:

 The technology used to prevent system intrusions.


 The Security, Education, Training, and Awareness (SETA) programs.
 The information security policies.

Members of each group need to use the following to come up with a report:

 Good communication skills: when they communicate with companies/organizations.
 Good research skills: when they search for suitable security-related technology, SETA
programs, and IS policies.
 Good analytical skills: when they study the need for security related to the chosen
company/organization, and find out the most suitable security controls.
 Good writing skills: when they write the required sections in their report.
 Good presentation skills: when students present their project in front of the audience.
The prepared report must demonstrate the students’ understanding of the chosen business and
a comprehensive understanding of the seven different characteristics of the Expanded CIA triad,
the classification of the company’s assets, and the vulnerabilities that exist in the company’s
assets. In addition, students need to demonstrate their understanding of the
countermeasures that companies can use to control the risks. This includes the technology
used, the SETA program used, and the different kinds of security policies that are needed.

General information about the Project


1. What should be included in the report?
Students are required to include the following sections:

A. Section 1: Introduction.
B. Section 2: Overview of the chosen company.
C. Section 3: The Information Systems’ Characteristics (Using the Expanded CIA
triad).
D. Section 4: Classification of the company’s Assets.
E. Section 5: Naming the threats the company/organization is currently facing.
F. Section 6: Recognizing the Vulnerabilities in the company’s assets.
G. Section 7: Calculate the risk values related to all vulnerabilities
H. Section 8: Listing and classifying the countermeasures used or recommended.
This includes the following subsections:
a. The Security-Related Technology implemented/needed.
b. The SETA program implemented/needed
c. The Information Security policies implemented/needed
I. Section 9: Conclusion
J. Section 10: References
2. What should be included in each one of these sections?
The following is a summary of what students need to include in each section:

A. Section 1: Introduction

Students need to write general information about the project. This may include the method of
collecting the information on the company, which might be pure research or a real company. It
can also include an overview of the sections in the report, and a summary of what is covered in each
section.

B. Section 2: Overview of the chosen company

In this section, students need to provide an overview of the company. This may include: What is the
nature of the business? What is the number of employees? How many branches or locations? How
many computers? How many servers? Do they have a data center? If yes, where is it located in the
building? How many locations are needed to be Secure Facilities? How many people are working in
the security team? What are the main roles and titles of the security team?

C. Section 3: Applying the Expanded CIA triad

Members of each team are requested to evaluate how the information systems are used in the
chosen organization. They need to use the Expanded CIA triad, “the widely-used information assurance
model”. The seven characteristics of the Expanded CIA Triad are Confidentiality, Integrity,
Availability, Accuracy, Authenticity, Utility, and Possession.

Students need to provide their recommendation of the characteristics that the information and the
information systems must have. For example, they can write the following in regards to
Confidentiality:

The security specialists in this company must make sure that the information in the
Accounts Receivables database is only accessed by the authorized personnel who are the
accountants. – This feature is what we refer to as Confidentiality

D. Section 4: Classification of the company’s Assets


Another requirement in this assignment is to name and classify the company’s assets. The
classification of these assets must be based on what students have learnt in this course. They need
to provide the required details from the security point of view and prepare their report based on a
table that resembles the following:

E. Section 5: Naming the threats the company is currently facing


In this section, students are requested to list at least six different threat categories that the company
assets are facing on a daily basis. To accomplish this task, students are advised to refer to the 14
threat categories that have been explained earlier in this course. Students might need to conduct
quick research to find out the most common threat categories that affect different
types of businesses nowadays.

F. Section 6: Recognizing the Vulnerabilities in the company’s assets

After listing both the assets and the threats, students are requested to list at least six different
vulnerabilities (weaknesses) that exist in some of the assets in the chosen company.
Note:
If students find it difficult to collect information about the vulnerabilities (which is expected
as companies would not talk about this sensitive issue), then students are allowed to make
some assumptions. These assumptions are supposed to be logical and realistic. If this is the
case for your group, please check with your instructor at this stage before continuing.

G. Section 7: Calculate the risk values related to vulnerabilities

Calculate the risk value of each of these vulnerabilities using the formulas studied in this course.

Note:
You can assume the values you use for each one of the variables (The value of the asset, the
Likelihood, the percentage of the controlled risk, and the percentage of uncertainty)
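As an added example that is not part of the project guide, the following Python script computes Section 7 risk values for a handful of constructed vulnerabilities and ranks them so the riskiest ones can be addressed first in Section 8. It assumes the course formula is the one from Whitman and Mattord’s Principles of Information Security: Risk = (Likelihood × Asset Value) − the percentage of that product mitigated by current controls + the percentage of that product added for uncertainty. The fictional bank, its asset values, likelihoods and percentages are invented for the illustration, and the four variables match the note above (asset value, likelihood, percentage of risk controlled, percentage of uncertainty).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One row of the Section 7 risk worksheet (all sample values are constructed)."""
    asset: str
    asset_value: float      # relative worth of the asset, e.g. a 0-100 weighted score
    description: str
    likelihood: float       # chance the weakness is exploited, 0.0 (never) to 1.0 (certain)
    mitigated: float        # fraction of the risk removed by controls already in place
    uncertainty: float      # fraction added because our knowledge of the asset is incomplete


def risk_value(v: Vulnerability) -> float:
    """Assumed course formula (Whitman & Mattord):
    risk = likelihood * value - mitigated% of that product + uncertainty% of that product.
    Returns the result rounded to two decimals."""
    for name, x in (("likelihood", v.likelihood),
                    ("mitigated", v.mitigated),
                    ("uncertainty", v.uncertainty)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1, got {x}")
    if v.asset_value < 0:
        raise ValueError("asset_value cannot be negative")
    base = v.likelihood * v.asset_value
    return round(base - base * v.mitigated + base * v.uncertainty, 2)


def rank_by_risk(vulns: list) -> list:
    """Highest risk first, which is the order countermeasures should be prioritised in."""
    return sorted(vulns, key=risk_value, reverse=True)


def risk_table(vulns: list) -> list:
    """Plain-text rows suitable for pasting into the report's Section 7 table."""
    rows = [f"{'Asset':<28}{'Vulnerability':<46}{'L':>5}{'Value':>7}{'Ctrl%':>7}{'Unc%':>6}{'Risk':>8}"]
    for v in rank_by_risk(vulns):
        rows.append(f"{v.asset:<28}{v.description:<46}{v.likelihood:>5.2f}{v.asset_value:>7.0f}"
                    f"{v.mitigated * 100:>7.0f}{v.uncertainty * 100:>6.0f}{risk_value(v):>8.2f}")
    return rows


# Constructed worksheet for a fictional bank; nothing here describes a real organization.
SAMPLE_VULNERABILITIES = [
    Vulnerability("Customer account database", 100,
                  "Operating system on the database host is not patched",
                  likelihood=0.5, mitigated=0.5, uncertainty=0.2),
    Vulnerability("Branch wireless access points", 60,
                  "Default administrator password left on the access points",
                  likelihood=0.8, mitigated=0.0, uncertainty=0.1),
    Vulnerability("Employee laptops", 40,
                  "No full-disk encryption on laptops that leave the building",
                  likelihood=0.3, mitigated=0.25, uncertainty=0.1),
    Vulnerability("Backup tapes", 70,
                  "Backup tapes stored in the same room as the servers",
                  likelihood=0.1, mitigated=0.0, uncertainty=0.2),
]


if __name__ == "__main__":
    for line in risk_table(SAMPLE_VULNERABILITIES):
        print(line)
```

The ranking rather than the raw numbers is what the rest of the report consumes: the vulnerability with the highest value is the one the Section 8 technology, SETA and policy controls should target first, and lowering its likelihood or raising the mitigated fraction in the worksheet shows directly how much residual risk a proposed control buys.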

H. Section 8: Classifying the countermeasures used or recommended

Students are requested to list the controls that are being used by the company or suggest some
controls to be used. The used or suggested controls include the following:

1. The technology used to prevent system intrusions


Under the Technology subheading, students are requested to explain 2 different technology
controls that are currently used or proposed by the team.

2. The Security Education, Training, and Awareness (SETA) programs

Under the SETA subheading, students are requested to give an example about each one of the used
measures that are (Education, Training, and Awareness programs). This could be something the
company is currently using, or something the team is proposing.

3. The information security policies

Under the Information security policies subheading, students need to compose a single
comprehensive Issue-Specific Information Security Policy (ISSP) document covering any 3 of the
following 5 issues:
1. Email Security Policy
2. Laptop Security Policy
3. Wireless LAN Security Policy
4. Backup Security Policy
5. Physical Security Policy
Each of these policies must contain all the elements that are listed in the PPT slides.

I. Section 9: Conclusion
Students can use this section to summarize the outcomes of their project and give some details on
how applying these policies will help the company in general.

J. Section 10: References (2 marks)

Students are requested to list the sources they reviewed and used to be able to write their IS
policies.

Part 2: Final Presentation


This part is worth 50% of the project grade. The marks for this part are for individual student
performance. Students are required to present their project and be ready to defend it. Each
group member is expected to demonstrate knowledge of all the sections of the report.
Following are some points you need to take into consideration while working on the second part
of this project:

First: The Final Presentation


 The presentation will start with a general discussion about what you did during working
on your group project.
 A PowerPoint presentation or any other presentation tool can be used to prepare the
slides.
 The presentation slides should include a reference to each one of the required tasks.

Second: The Question & Answer Session (Oral Defense)


 The presentation will be followed by a question/answer session in which each one of
the team members will be asked to answer some questions related to what they did in
the project.
 The question/answer session is an individual mark. The way students answer
questions will be evaluated individually.

Project Progress Guidelines

Within TWO weeks of Handout (17 November 2019) – Show your teacher and get feedback
for your work
A. Section 1: Introduction.
B. Section 2: Overview of the chosen company.
C. Section 3: The Information Systems’ Characteristics (Using the
Expanded CIA triad).
D. Section 4: Classification of the company’s Assets.
E. Section 5: Naming the threats the company/organization is currently facing.
F. Section 6: Recognizing the Vulnerabilities in the company’s assets.

Within THREE weeks of Handout (24 November 2019) – Show your teacher and get
feedback for your work
G. Section 7: Calculate the risk values related to all vulnerabilities
H. Section 8: Listing and classifying the countermeasures used or
recommended. This includes the following subsections:
a. The Security-Related Technology implemented/needed.
b. The SETA program implemented/needed
c. The Information Security policies implemented/needed

Within FOUR weeks of Handout (1 December 2019) – Show your teacher and get feedback
for your work
I. Section 9: Conclusion
J. Section 10: References

Submitting the Group Project (5 December 2019)

Project Interviews/demos/presentation (8 December 2019)


Group Project – Rubric for marking the Report

Task #  Task Description                                                                      Maximum Marks  Marks obtained
1       Section 1: Introduction.                                                              5
2       Section 2: Overview of the chosen company.                                            7
3       Section 3: The Information Systems’ Characteristics (Using the Expanded CIA triad).   8
4       Section 4: Classification of the company’s Assets.                                    10
5       Section 5: Naming the threats the company is currently facing.                        10
6       Section 6: Recognizing the Vulnerabilities in the company’s assets.                   10
7       Section 7: Calculate the risk values related to vulnerabilities                       15
8       Section 8: Listing and classifying the countermeasures used or recommended.           25
        This includes the following subsections:
        a. The Security-Related Technology implemented/needed. (5 marks)
        b. The SETA program implemented/needed (10 marks)
        c. The Information Security policies implemented/needed (10 marks)
9       Section 9: Conclusion                                                                 5
10      Section 10: References                                                                5
        Part 1 Mark – Group Mark (Out of 100)                                                 100
Group Project – Rubric for marking Oral Defense/Demo

Performance levels (applied to each question topic below):
Un-Satisfactory: Unable to demonstrate any knowledge of the topic, or responding inaccurately and inappropriately to questions.
Satisfactory: Demonstrates some knowledge of the topic by responding to some questions and making mistakes in answering other questions.
Good work: Demonstrates good knowledge of the topic by responding accurately and appropriately to almost all questions.
Competent: Demonstrates extensive knowledge of the topic by responding confidently, precisely and appropriately to questions.

Question Topic                                   Un-Satisfactory  Satisfactory  Good work  Competent  Marks Obtained
Expanded CIA Triad                               0                10            15         20
Assets Classification and Categories of threats  0                10            15         20
Vulnerabilities                                  0                10            15         20
Risk Calculation                                 0                10            15         20
Countermeasures (Technology, SETA, and Policies) 0                10            15         20

Part 2 Mark – Individual Mark (Out of 100)
