
Student Assessment Guide
ICT60220 Advanced Diploma of Information Technology (Cyber Security)

ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law

Student Assessment Guide: ICTCYS606 Version: v21.0 Page 2 of 80

Developed by: ACBI Approved by: DoS Issued: April 2022 Review: April 2022
ICT60220 Advanced Diploma of Information Technology (Cyber Security)

Student Assessment Guide: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law

Copyright 2022 Australian College of Business Intelligence. All rights reserved.

Version: 22.0
Date Modified: March 2022

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Australian College of Business Intelligence.


Disclaimer:

The Australian College of Business Intelligence does not invite reliance upon, nor accept responsibility for, the information it provides. The Australian College of Business Intelligence makes every effort to provide a high-quality service. However, neither the Australian College of Business Intelligence, nor the providers of data, gives any guarantees, undertakings or warranties concerning the accuracy, completeness or up-to-date nature of the information provided. Users should confirm information from another source if it is of sufficient importance for them to do so.


Contents

ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law
1. Assessment Information
   A. Purpose of the assessment
   B. What you are required to do
   C. Competencies being assessed
   D. Important resources for completing this assessment
   E. A note on plagiarism and referencing
   F. A note on questions with role plays
   G. Instructions for completing this assessment
2. Assessment Coversheet
3. Assessment Questions
   A. Task A - Demonstrate knowledge of cyber security standards and laws
   B. Task B - Research cyber security standards and laws in organization
   C. Task C - Analyse the implementation of cyber security standards and laws in organization
   D. Task D - Implement and align organization with the standards and laws
4. Student Self Checklist
   A. Student Self Checklist for Tasks A - D


1. Assessment Information

A. Purpose of the assessment

This assessment will develop the skills and knowledge you need to understand cyber security laws and standards and their value in compliance.

B. What you are required to do

For this assessment, you are required to complete 4 tasks:

• Task A – Demonstrate knowledge of cyber security standards and laws
• Task B – Research cyber security standards and laws in organization
• Task C – Analyse the implementation of cyber security standards and laws in organization
• Task D – Implement and align organization with the standards and laws

Tasks B, C and D of this assessment require you to use the provided case study information relating to the fictional company UniqueStore.

C. Competencies being assessed

Elements

To achieve competency in this unit you must demonstrate your ability to:

1. Understand cyber security standards and laws
2. Analyse cyber security standards and laws
3. Plan and implement cyber security standards and laws

Performance Evidence

Evidence of the ability to:

• identify cyber security standards and laws and analyse an organisation’s operations and compliance to required laws and standards on at least one occasion.


Knowledge Evidence

To complete the unit requirements safely and effectively, the individual must:

• Conduct a cyber security compliance assessment on at least one occasion

For further information on the competencies of this unit, please refer to:

https://training.gov.au/Training/Details/ICTCYS606

D. Important resources for completing this assessment

To complete this assessment, please refer to the following resources provided on Moodle:

• ICTCYS606 learner guide
• ICTCYS606 Observation checklist
• ICTCYS606 Marking Guide
• ICTCYS606 Case study folder
• Additional student assessment information


E. A note on plagiarism and referencing

Plagiarism is a form of theft where the work, ideas, inventions etc. of other people are presented as your own.

When quoting or paraphrasing from a source such as the Internet, the source must be recognised. If you are quoting a source, make sure to acknowledge this by including “quotation marks” around the relevant words/sentences or ideas. Note the source at the point at which it is included within your assessment, such as by using a citation. Then list the full details of the source in a ‘references’ section at the end of your assessment.

All sources used for your assessment should be detailed in a ‘references’ section. It is advisable never to copy another person’s work.

F. A note on questions with role plays

The following question involves a role play:

• Task D, Question D2

For this question, as outlined below, you will be assessed on your ability to role play being a Cyber Security Specialist. The question requires you to manage a meeting and take notes on what is discussed.

Your Trainer & Assessor will also observe your meeting for Task D, Question D2 and complete an observation checklist.

Please note: you will also need to attend separate meetings organised by other students, in which you role play being other people. This allows other students in your unit to also role play being the CTO and Operational Manager. You do not need to take notes at meetings during which you are not role playing being the CTO.

G. Instructions for completing this assessment

Answer the questions below using the spaces provided:

• Answer all parts of each question
• Use your own words and give examples wherever possible
• The quality of your answer is more important than how long it is
• Enter your answers in this document

You may use various sources of information to inform your answers, including the resources provided by ACBI, books, and online sources. You must acknowledge and cite your sources.

Submission via Moodle

Please refer to the “Instructions for Submitting Your Assessment” found within the unit course page on Moodle.

NOTE: Please take care to follow all instructions listed. Assessments uploaded with a draft status on Moodle may not be graded.


2. Assessment Coversheet

Candidate Name:
Student ID:
Contact Number:
Email:
Trainer / Assessor Name:
Qualification: ICT60220 Advanced Diploma of Information Technology (Cyber Security)
Units of Competency: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law

Assessment Tasks:
☐ Task A – Demonstrate knowledge of cyber security standards and laws
☐ Task B – Research cyber security standards and laws in organization
☐ Task C – Analyse the implementation of cyber security standards and laws in organization
☐ Task D – Implement and align organization with the standards and laws

Due Date:                Date Submitted:

Declaration: I have read and understood the following information at the beginning of this assessment guide (please tick):
☐ Assessment information
☐ Submitting assessments
☐ Plagiarism and referencing

I declare this assessment is my own work and where the work is of others, I have fully referenced that material.

Name (please print):
Candidate signature:
Date:

3. Assessment Questions

A. Task A - Demonstrate knowledge of cyber security standards and laws

Task A instructions

Answer the questions below to demonstrate your knowledge of ICTCYS606.


A1. Describe the term ‘Cybercrime’.

Answer in 40-80 words.

Cybercrime is crime committed by means of a computer or a network, where the computer is either the tool or the target of the offence; sending an individual malware is one example. Technology has brought many benefits, but it has also created new ways to commit crimes. Once a computer user commits an offence using the computer, that offence is called cybercrime (Brush, 2021).

A2. Describe a cyber security risk, what risks could commonly be present in an organization from cybersecurity perspective?

Answer in 100-120 words.

A cyber security risk is the likelihood that a threat exploits a weakness in an organisation's systems, combined with the harm that would follow, for example the exposure of confidential information in a cyber-attack. Organisations frequently lose information this way. Some of the most common risks an organisation is exposed to are: phishing, in which an attacker obtains someone's sensitive data by impersonating a trustworthy contact; ransomware, in which malware encrypts or steals the organisation's data and a payment is demanded for its return; hacking, in which attackers gain unauthorised access to a computer and to all the information on it; and insider threat, in which staff leak confidential information, a risk that grows as an organisation employs a larger staff (Faculty, 2016).

A3. What is Risk management? What are key principles of risk management?

Answer in 120-150 words.

Risk management is the process of identifying threats, analysing them, evaluating them and then addressing them across the organisation. The security team must always stay vigilant about the risks that arise from threats, and doing this systematically is what is called risk management. It lets the organisation know how best to deal with emerging threats. Cyber security risk management is an ongoing process, not a one-off exercise, aimed at curbing the effects of cyber threats (HYPERPROOF, 2019).

There are five key principles of cyber security risk management (Gaffey, 2022):

• Risk identification: identifying the possible risks.
• Risk analysis: after identification, analysing the likelihood and possible impact of each risk.
• Risk control: treating the risk so that the organisation is protected from its effects.
• Risk financing: funding the losses from risks that could not be controlled, for example through cyber insurance.
• Claims management: filing and managing a claim to recover the damages when a loss occurs.

A4. What does it mean by tolerance of risk in an organization?

Answer in 40-80 words.

Risk tolerance is the level of uncertainty, or degree of risk, that an organisation is prepared to accept. Risks cause damage to organisations, but small risks may be accepted rather than treated, since it is impossible to operate a risk-free organisation. Risks that are accepted in this way are said to be within the organisation's risk tolerance.

A5. What laws in Australia are related to the cyber security? Provide brief description of these laws.

Answer in 200-250 words.

Just like any country, Australia has a number of laws governing the use of computers. If these laws are violated, the state of Australia imposes punishment. Some of these laws are (Gibson, 2021):

1. Security of Critical Infrastructure Act 2018. This Act commenced on 11 July 2018. It exists to manage the national security risks of espionage, sabotage and coercion posed by foreign involvement in Australia's critical infrastructure. It was introduced in response to the cyber security risks that had increased as technological change made critical infrastructure highly interconnected.

2. Privacy Act 1988. This Act is regarded as the principal piece of Australian legislation protecting how personal information is handled, both by federal government agencies and by the private sector organisations it covers. It protects individuals' personal information from being exposed to the public by the companies that hold it.

3. Telecommunications Act 1997 (Commission, 2020). Note that the cited source describes the United States Telecommunications Act of 1996, which overhauled US telecommunications law after 62 years; the Australian equivalent is the Telecommunications Act 1997. The Australian Act regulates the telecommunications industry and lets providers enter and leave the market freely, so as to promote competition in the Australian telecom industry, and it places obligations on carriers and carriage service providers, including a duty to do their best to prevent their networks and facilities from being used to commit offences.

A6. Describe ISO standards in relation with cyber security and governance.

Answer in 200-250 words.

ISO standards are international standards that organisations adopt to show that they meet an agreed level of practice. For information security, the ISO/IEC 27000 family sets out the standards that organisations and public bodies follow to protect the information they hold, including individuals' confidential information.

ISO/IEC 27001 specifies the requirements for an information security management system (ISMS): the policies, risk assessment, controls and continual improvement through which an organisation manages information security. It is supported by more than a dozen related standards in the ISO/IEC 27000 family, such as ISO/IEC 27002, which gives guidance on the security controls themselves. Using these standards helps organisations manage the security of assets such as intellectual property, financial information and employee details. In practice this means that confidential information about the people who use the organisation's systems, including their login credentials, is not shared with third parties who are not entitled to it, so people can expect their confidential information to be kept safe by any organisation that follows the standards.

From a governance perspective, conformance to ISO/IEC 27001 is voluntary: it is verified by certification audits carried out by accredited certification bodies, not enforced by the state. Governments, regulators and customers do, however, frequently require certification by contract or policy, and a breach of someone's personal information can still attract action under privacy law regardless of certification. The standards apply equally to public and private organisations, and their aim is to protect the information of the people those organisations deal with.

A7. Describe parts 10.7 and 10.8 of the Criminal Code Act 1995 of Australia.

Answer in 200-250 words.

Part 10.7 of the Criminal Code Act 1995 deals with computer offences. It defines access to data held in a computer, modification of that data, and impairment of electronic communication to or from a computer as including any access, modification or impairment caused, directly or indirectly, by the execution of a function of a computer (Office of Legislative Drafting and Publishing, 2019). Such access, modification or impairment is unauthorised if the person is not entitled to cause it. On that basis the Part makes it an offence to cause unauthorised access, modification or impairment with intent to commit a serious offence, to cause unauthorised modification of data knowing it will impair that data, to cause unauthorised impairment of electronic communication, and, in the lesser offences, to access or modify restricted data, to impair data held on a disk or other storage device, or to possess, produce, supply or obtain data (such as malware) with intent to commit a computer offence. In short, information on a computer may only be accessed or changed by a person entitled to do so, which protects it from being leaked or modified by people such as hackers.

Part 10.8 covers financial information offences. Any person who dishonestly obtains or deals in personal financial information, that is, information that can be used to access funds, credit or another financial benefit, without the consent of the person it relates to commits an offence, as does a person who possesses or imports a thing with the intention of doing so. The Part's definition of a person includes a corporation and a person who has died, so financial information about a deceased person may still only be used with proper authority from those concerned. Using another person's financial information for personal financial benefit without authorisation is therefore a cybercrime under this Part.

A8. Describe PCI DSS and its main features.

Answer in 200-250 words.

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements that every company and organisation that accepts, stores, processes or transmits payment card data must meet in order to maintain a secure environment. It applies to companies that handle branded cards from the major card schemes, and it was formed with the intention of reducing credit card fraud and strengthening the controls around cardholder data. Before cardholder data is taken in to be handled, the people in charge should be aware of the governing standard, and that standard is PCI DSS. Its aim is to keep the information processed by these companies secure from modification, theft or tampering by any external party that is not entitled to access it. The main features of PCI DSS are:

i. Access to cardholder data is restricted to a business need-to-know basis, and each user is given a unique ID so that access can be traced to a person.

ii. Wherever cardholder data is stored it must be protected: the primary account number (PAN) must be rendered unreadable (for example by truncation, hashing or strong encryption), at most the first six and last four digits may be displayed, and sensitive authentication data such as the full magnetic stripe, the CVV/CVC and the PIN must never be stored after authorisation. Cardholder data sent over open public networks must also be encrypted.

iii. Systems must be protected with anti-virus software that is kept up to date, and all systems and applications must be kept patched against known vulnerabilities.

iv. Networks must be tested and monitored regularly, with all access to network resources and cardholder data logged, so that attacks on the network can be detected.
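The storage and masking rules in feature ii are the ones most easily checked in code. The following is an added example, not part of the original assessment guide and not code from any PCI DSS tool: a Python scanner that finds Luhn-valid card numbers sitting in the clear in sample log lines and reports the PCI DSS masked form (first six and last four digits). The log lines, the function names and the regular expression are assumptions made for this example; the card numbers are publicly known synthetic test numbers, not real accounts.

```python
"""
Added example (not from the original assessment guide): a checker for the
PCI DSS rules that cardholder data must not be stored in the clear and that
a displayed PAN shows at most the first six and last four digits.

It scans text such as application log lines (the sample below is constructed
for this example), finds candidate card numbers, validates them with the Luhn
checksum used by payment card schemes, and reports each finding together with
a PCI-compliant masked form.  The numbers are synthetic test card numbers.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens, as PANs
# commonly appear when they leak into logs or exports.  The look-arounds
# force the match to cover a whole digit run, not a 13-digit slice of one.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the PCI DSS maximum of first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked: str
    context: str


def scan_for_pans(text: str) -> list[Finding]:
    """Find Luhn-valid card numbers stored in the clear, one Finding each."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), line.strip()))
    return findings


# Constructed sample log.  Line 2 is already masked and must not be flagged;
# line 4 is a 16-digit reference number that fails Luhn and must not be flagged.
SAMPLE_LOG = """\
2022-03-01 10:02:11 INFO  order=1001 pan=4111111111111111 amount=59.90
2022-03-01 10:02:12 INFO  order=1002 pan=411111******1111 amount=12.00
2022-03-01 10:03:40 DEBUG card 5555 5555 5555 4444 exp=12/24 cvv=123
2022-03-01 10:04:02 INFO  order=1003 ref=1234567890123456 amount=5.00
"""

if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: unmasked PAN stored, should read {f.masked}")
```

Line 3 of the sample also shows a CVV written to a debug log; that is sensitive authentication data, which PCI DSS forbids storing at all, so a real scanner would flag the `cvv=` field as well rather than only the PAN.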

A9. Describe the Essential Eight Security model.

Answer in 200-250 words.

No single control or set of rules can stop cybercrime on its own, which is why many organisations have adopted the Essential Eight security model to reduce the rate at which cyber incidents succeed against them. Much of an organisation's exposure comes from the third-party software it runs. Users of such software ought to know where it sits in their environment in order to gauge the threat it exposes them to, and knowing how that software is developed lets them plan defences against the threats that come with using it. Businesses find it hard to fully secure third-party software used in their daily operations, so its security is largely in the hands of the software developers, and a compromised device may, for instance, present disguised web pages. Even though an anti-virus package does not entirely prevent malicious code, for most computer users it remains the most important defence they can freely obtain; the Essential Eight exists because anti-virus alone is not enough. The Essential Eight security model is based on the ACSC's Strategies to Mitigate Cyber Security Incidents, and each strategy is assessed against maturity levels so that an organisation can see how completely it has implemented it. The eight essential mitigation strategies are:

1. Application control
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups

A10. Describe the privacy act 1988 and how it affects the cybersecurity requirements for a business?

Answer in 200-250 words.

The Privacy Act 1988 protects how the personal information of people in Australia is handled. The Act covers the collection of personal information, its use, its storage and its disclosure, in the federal public sector and in the private sector organisations it covers (broadly, those with an annual turnover above $3 million, together with some smaller organisations such as health service providers). It gives a person whose information is held on an organisation's computers assurance that the information will not be exposed or used in a way that damages them. It does this through the Australian Privacy Principles (APPs); APP 11 requires an organisation to take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure, and to destroy or de-identify it once it is no longer needed.

This is what shapes the cyber security requirements of a business. To show that it has taken reasonable steps, a business needs access controls so that only staff with a need can see personal information, encryption of stored and transmitted data, patching, logging and monitoring, staff training, and an incident response plan. Under the Notifiable Data Breaches scheme (in force since February 2018) a business must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals when personal information is lost or accessed without authorisation and serious harm is likely, so it must also be able to detect and assess breaches quickly. A business that fails these obligations faces regulatory action and loss of customer trust, so compliance with the Privacy Act forms part of its security baseline rather than being an obstacle to doing business.

A11. Describe what is data governance?

Answer in 100-120 words.

Data governance is the process of managing the availability, usability, security and integrity of the data in enterprise systems, based on the internal policies and standards that control how data is used. Data governance ensures that data is trustworthy and consistent (Stedman, 2019). Put simply, data governance is how data is handled across the organisation: who owns it, who may access it, how long it is kept and how its quality is maintained. When data is handled carelessly it is easily mismanaged, and attackers may then get the opportunity to tamper with it.

A12. Describe security requirements to protect business processes in an organization.

Answer in 200-250 words.

The main security requirements are confidentiality, integrity and availability, together abbreviated as CIA in information systems security. They are explained below:

1. Confidentiality. The term comes from 'confidential'. Confidential information is information that must not be viewed by anybody except those entitled to access it. Information about an organisation's business processes is confidential and must be protected accordingly, for example with access control and encryption.

2. Integrity. Information about an organisation's processes must not be changed without authority. Integrity in security means that information is never modified by a person who is not authorised to do so, and that any unauthorised change can be detected.

3. Availability. In information security, availability means that information is accessible whenever its owner needs it. For business processes this means that even if the systems storing the information fail, the organisation can still reach its information, which requires backups and redundant systems.

A13. Would there be security requirements specific to a process or you will prefer to implement security governance guidelines that are implemented across the organization? Discuss.

Answer in 200-250 words.

There are many security requirements specific to individual processes that could be implemented process by process. However, it is better to implement the security governance guidelines that the organisation provides across the whole organisation. Organisations are made up of different processes that work in different ways, so a requirement written for one process may not be implemented well in another. Using the requirements set by the organisation makes it easy for every user to cope with the organisation's processes, which makes implementation easier. It also keeps the organisation's workers consistent, rather than each implementing what they individually know while all working for the good of the organisation; this reduces confusion and brings uniformity. Process-specific requirements still have a place, but as additions to the common baseline rather than replacements for it. It is best that every organisation sets out its security requirements and gives them to employees before they are fully committed to working there, which reduces the errors that workers may introduce into the company.

A14. Describe principles of cyber security to protect an organization from a compliance perspective.

Answer in 200-250 words.

There are several principles that are used to protect the organisation from the perspective of compliance. These are:

1. P1. The systems and applications of the organisation are designed, deployed, maintained and decommissioned according to the organisation's values and the CIA (confidentiality, integrity and availability) principles.

2. P2. The systems and applications should be delivered by trusted suppliers.

3. P3. The systems and applications must be configured to reduce their attack surface.

4. P4. The systems and applications must be administered in an accountable and secure manner.

5. P5. Vulnerabilities in the systems and applications must be identified in time.

6. P6. Only trustworthy operating systems, applications and computer code are used.

7. P7. Data is encrypted in transit and at rest between the systems.

8. P8. Information communicated between two different systems must be controllable and inspectable.

9. P9. Data and all applications must be backed up in a system which is secure.

10. P10. Only authorised personnel should be given access to the system.

11. P11. Personnel should be granted the minimum access to information.

A15. Describe the CIA (confidentiality, integrity, availability) Triad.

Answer in 200-250 words.

1. Confidentiality. This term originates from confidential. Confidential information is information that is not to be viewed by anybody except the one who is supposed to have access to that information. Information regarding the business processes of an organisation should be kept with care since it is confidential.

2. Integrity. Information regarding an organisation's processes should not be changed. Integrity in security means that information should never be changed by a person who is not authorised to do so. The same applies here.

3. Availability. The term availability in information security means that information should always be available when the owner needs it. The same applies here: even if the storage facilities holding information about the organisation's processes are not working, the organisation should still be able to access its information.

A16. What is a cyber security incident?

Answer in 200-250 words.

A cybersecurity incident is an event or happening that has an impact on the organisation and hence prompts a need for response or recovery. An incident is like an alert: it indicates that the organisation's system needs immediate attention with regard to security. When an incident happens, it is a warning to the persons responsible for the security of the organisation. This gives the go-ahead to check the functioning of the organisation's systems and hence to repair the system accordingly. Security incidents always happen to systems that have weak security. This helps the people who store information in the system to have an option in case they feel their information is not safe. Information is never safe to store in such systems once they have had security incidents, unless the incidents are resolved.

A17. Describe MAPE-K.

Answer in 200-250 words.

The abbreviation MAPE-K stands for Monitor, then Analyse, then Plan, then Execute, over a shared Knowledge base. It is a feedback loop and is among the most influential reference control models used for self-adaptive and automatically adapting systems. The loop is used where there is communication to and from the system's users, and the system adapts itself to address the cybersecurity element. It takes the shape below.
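As an added example (not the page's diagram and not any product's code), the loop below applies MAPE-K to adaptive request throttling: each phase is one method, and the Knowledge object is the shared state that every phase reads and updates. The per-client limit, the client ids and the traffic are constructed values.

```python
"""MAPE-K feedback loop applied to per-client request throttling.
Added illustration; the clients, limits and traffic below are constructed."""
from collections import Counter


class Knowledge:
    """The shared K: policy, thresholds and history that all four phases use."""

    def __init__(self, limit=20, block_after=3):
        self.limit = limit              # requests per interval allowed per client
        self.block_after = block_after  # breaches before a throttle becomes a block
        self.throttled = set()          # clients currently throttled or blocked
        self.blocked = set()            # clients that are never auto-released
        self.offences = Counter()       # breaches per client, across intervals
        self.history = []               # (interval, client, action) audit trail


class MapeK:
    def __init__(self, knowledge):
        self.k = knowledge

    def monitor(self, raw_requests):
        """Monitor: collect raw sensor data (one client id per request) into counts."""
        return Counter(raw_requests)

    def analyse(self, counts):
        """Analyse: compare the symptoms with the thresholds held in Knowledge."""
        over = {c: n for c, n in counts.items() if n > self.k.limit}
        # A throttled client that is back under the limit may be released,
        # unless the knowledge base says it has been blocked outright.
        recovered = sorted(c for c in self.k.throttled
                           if c not in over and c not in self.k.blocked
                           and counts.get(c, 0) <= self.k.limit)
        return over, recovered

    def plan(self, over, recovered):
        """Plan: choose adaptations; repeat offenders escalate from throttle to block."""
        actions = []
        for client in over:
            self.k.offences[client] += 1
            action = "block" if self.k.offences[client] >= self.k.block_after else "throttle"
            actions.append((client, action))
        for client in recovered:
            actions.append((client, "release"))
        return actions

    def execute(self, actions, interval):
        """Execute: apply the plan through the effector (here: the throttle sets)
        and record every action in the shared Knowledge for later audit."""
        for client, action in actions:
            if action == "release":
                self.k.throttled.discard(client)
            else:
                self.k.throttled.add(client)
                if action == "block":
                    self.k.blocked.add(client)
            self.k.history.append((interval, client, action))
        return actions

    def run_interval(self, interval, raw_requests):
        """One turn of the loop: M -> A -> P -> E, all over the same K."""
        counts = self.monitor(raw_requests)
        over, recovered = self.analyse(counts)
        return self.execute(self.plan(over, recovered), interval)


def simulate():
    """Run four constructed intervals: c1 floods every interval and ends up
    blocked; c2 breaches once, recovers, and is released again."""
    k = Knowledge(limit=3)
    loop = MapeK(k)
    intervals = [
        ["c1"] * 5 + ["c2"],
        ["c1"] * 5 + ["c2"] * 4,
        ["c1"] * 6 + ["c2"],
        ["c1"] + ["c2"],
    ]
    for i, requests in enumerate(intervals, 1):
        loop.run_interval(i, requests)
    return k


if __name__ == "__main__":
    for entry in simulate().history:
        print(entry)
```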


A18. What is SIEM and what SIEM tools are you aware of? Describe at least three tools.

Answer in 200-250 words.

SIEM is security information and event management. SIEM is a combination of SIM (security information system) and SEM (security event system). SIEM offers timely monitoring plus real-time analysis of events, as well as logging and tracking of security data, for better compliance and auditing of processes. SIEM is a security solution used by organisations to detect threats and security vulnerabilities that could attack their systems before they strike and disrupt the business operations of the organisation. SIEM uses artificial intelligence to automate many of the manual processes associated with threat detection and response (IBM, 2019). Some of the SIEM tools are:

1. Log Data Management. The process of collecting data is the first step and the foundation of security information and event management. It covers the collection of real-time data, its analysis and also its correlation, for maximum productivity and efficiency.

2. Network Visibility. SIEM analyses the packets inspected within the network flows by using its analytics engine, which gives added insight into assets, protocols and IP addresses in order to detect malicious files and protect personal information.

3. Threat Intelligence. SIEM is able to combine both open-source and proprietary intelligence feeds into the SIEM solution for the purpose of recognising and combating modern attack and vulnerability signatures.
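The three capabilities just listed, as an added example (not the page's code and not any SIEM vendor's): the pipeline normalises constructed sshd-style log lines (log data management), correlates repeated failed logins per source address (analysis), and matches each source against a constructed threat-intelligence list. The log lines, host names and addresses are constructed; the addresses come from documentation ranges, not real indicators.

```python
"""Minimal SIEM-style pipeline: normalise auth logs, correlate failures,
and match sources against a threat-intelligence list.
Added illustration; all sample data below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines in an sshd-like format (not captured from a real host).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host1 sshd: Failed password for admin from 203.0.113.10 port 5001
2024-03-01T09:00:03 host1 sshd: Failed password for admin from 203.0.113.10 port 5002
2024-03-01T09:00:05 host1 sshd: Failed password for root from 203.0.113.10 port 5003
2024-03-01T09:00:07 host1 sshd: Failed password for admin from 203.0.113.10 port 5004
2024-03-01T09:00:09 host1 sshd: Failed password for admin from 203.0.113.10 port 5005
2024-03-01T09:00:11 host1 sshd: Accepted password for admin from 203.0.113.10 port 5006
2024-03-01T09:05:00 host2 sshd: Failed password for alice from 198.51.100.7 port 6001
2024-03-01T09:30:00 host2 sshd: Accepted publickey for bob from 192.0.2.44 port 7001
"""

# Constructed threat-intelligence feed: indicator -> description (not real IoCs).
THREAT_INTEL = {"192.0.2.44": "constructed feed: known scanner"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


def parse_logs(text):
    """Log data management: turn raw lines into normalised events.
    Lines that do not match the expected format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["user"], m["src"], m["outcome"] == "Accepted"))
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rules run over the normalised events; returns alert dicts."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    flagged = set()               # sources already reported for brute force
    for ev in sorted(events, key=lambda e: e.ts):
        # Threat-intelligence rule: any activity from a listed indicator.
        if ev.src in THREAT_INTEL:
            alerts.append({"rule": "threat_intel_match", "src": ev.src,
                           "host": ev.host, "user": ev.user,
                           "detail": THREAT_INTEL[ev.src]})
        if not ev.success:
            bucket = failures[ev.src]
            bucket.append(ev.ts)
            # Slide the window: forget failures older than `window`.
            while bucket and ev.ts - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and ev.src not in flagged:
                flagged.add(ev.src)
                alerts.append({"rule": "brute_force", "src": ev.src,
                               "host": ev.host, "count": len(bucket)})
        elif ev.src in flagged:
            # A success right after a burst of failures is the stronger signal.
            alerts.append({"rule": "success_after_brute_force", "src": ev.src,
                           "host": ev.host, "user": ev.user})
    return alerts


def run_pipeline(text=SAMPLE_LOGS):
    """Collect, normalise and correlate in one call."""
    return correlate(parse_logs(text))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```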

A19. What is a security incident response plan? What are the components of the plan?

Answer in 200-250 words.

An incident response plan is a set of tools and protocols that a security team should use to identify, eliminate and recover from cybersecurity threats. It is implemented to help the security team respond to threats and to their possible effects. This helps the security team curb the threats and protect the system from being attacked by external threats. These protocols aim to minimise the possible dangers and damages that could result from external threats, such as data loss, loss of customer trust and abuse of resources.

An incident response plan typically consists of the following:

1. The incident response strategy of the organisation and how the strategy supports the objectives of the business.

2. The responsibilities and roles of the organisation's stakeholders included in the incident response.

3. The communication procedures within the organisation's response team, which should be included in the response plan.

4. Lastly, previous incidents should be included in the plan so as to improve the security posture of the organisation.

The response plan forms what is called the incident response cycle. The incident response cycle is represented in the diagram / chart below:


A20. Describe different types of cyber security incidents, including security vulnerabilities and malware.

Answer in 200-250 words.

A cyber security incident is an event, act, omission or other action that can give rise to, or permit, access to an information system, data or a network by a person who is unauthorised. This means that the action or risk is caused by the persons who have access to the system. The authorised person gains access to the system, and his actions give an advantage to the person who is not authorised, who thereby accesses the system; in that process the authorised person is not aware of having given access to one who is not authorised.

Some of the most common cyber security incidents are:

1. Unauthorised attempts to access data and systems. Unauthorised users will always look for ways of getting access to confidential information. This can be prevented by implementing two-factor authentication.

2. Phishing attack. This process is always successful once the responsible person gives his login details to an unauthorised person, who thereby gains access to the information system and the data on the system.

3. Malware attack. Many hackers develop malware with the aim of getting access to the data on victims' computers. The term malware means malicious software. This includes Trojans, worms, adware, ransomware and many more.

4. Security vulnerabilities. Hackers will always look for system vulnerabilities. Vulnerabilities are possible weak spots on the system that can give an unauthorised person access to the system.


B. Task B - Research Cyber security standards and laws in organization

Task B instructions:

For Task B you are to use the case study scenario relating to UniqueStore.

You are the cyber security analyst and advisor for the company, responsible for developing strategies and implementing them to protect the information assets of the company.

Ensure you have read the “Tasks A, B & C information” in the “ICTCYS606 Case study information” document provided on Moodle. Then answer the questions below.

B1. Review the company policies, industry and Australian government regulations, standards and laws required for organisations' cyber security operations and summarise your findings.

Answer in 300 words.

Cybercrime is punishable by law in Australia under both Federal and State legislation. For instance, hacking is considered an offence in the Federal jurisdiction under the Criminal Code Act 1995 (Cth). In Australia, cybercrime is also regulated by the Australian Competition and Consumer Commission (ACCC), which punishes businesses that engage in deceptive and misleading conduct towards customers. Cybercrime policy and legislation are created to shield the public, to prosecute offenders and crimes, and to promote and regulate desirable improvement in the ICT sector of Australia.

Today, the world is widely digitalised across all industrial sectors. Different service providers and organisations often search for means of reducing the risks in their operations that are connected to cybersecurity.

The New South Wales (Australia) cyber security standards harmonisation taskforce was created with the intention of increasing the rate of implementation of cyber security industry standards. The cooperation within the government of New South Wales (Australia) resulted in the creation of standards for Australia and AustCyber, and included the telecommunications, financial services, energy and defence sectors. The collaboration in NSW would lead to the implementation of cyber security standards that would be internationally recognised and that began in Australia. Customers of UniqueStore today do not know how to judge whether the tools they are purchasing are made according to common security practices, whether they are being tested by their manufacturers, or how security-related bugs are handled. Customers of IoT tools also do not know the nature of the information the manufacturer of such devices obtains from them while they use the devices, with whom the manufacturers share the information concerning customers, or whether the IoT systems are regularly tested by third parties that are independent of the connection between the customer and the IoT device. The extent of connectivity offered by the Internet of Things causes safety vulnerabilities as well as security concerns, given that each of the connected things has a possibility of being misused or attacked. For instance, according to some research, power plants, voting machines and cars can easily be hacked if they are connected through the Internet of Things. This research showed ransomware attacks against home thermostats and exposed weaknesses in the implanted heart pacemakers of vulnerable people.

However, the cyber security standards that were set by Australia are very essential in the endeavour of reducing cybercrime.

B2. Perform analysis to align required laws and standards to organisational cyber operations, and provide your recommendations.

Answer in 300 words.

Laws on cyber operations include measures that protect computer systems and information technology, and are intended to force organisations and companies to safeguard their information and systems from cyber attacks such as control system attacks, unauthorised access, denial of service attacks, phishing, Trojan horses, worms and viruses. The measures against cybercrime include login passwords, encryption, prevention systems, intrusion detection systems, anti-virus software and firewalls. Various attempts have been established through collaborative endeavours and regulations between the private sector and the government to enable voluntary proceedings that augment cybersecurity in different organisations. For instance, industry regulators like banking regulators take note of cybersecurity risks and have started to regard cybersecurity as a subject of regulatory examination.

The Australian laws and standards relating to organisational cyber operations are explained below (Agarwal, 2018):

- Australian Privacy Principles (APP): This law controls the collection, holding and disclosure of private data included in records. The APP law applies only if the private or government organisation concerned has an annual turnover of more than AUD 3 million.

- Cybercrime Act: Overall regulation of internet-related crimes and computer crimes is provided by this act, covering for instance child pornography websites, cyberstalking, computer trespass, cyber harassment, computer fraud, theft of data, damaging data, unlawful access, hampering access to mobile devices, and others.

- Spam Act: A scheme for the regulation of electronic messages, especially commercial emails, is established by this act. The Spam Act stops unsolicited and unauthorised electronic messages, with few exceptions. The Australian Communications and Media Authority regulates the Spam Act.

- Telecommunications (Interception and Access) Act: The major aim of the telecommunications act is to safeguard the privacy of all individuals that use telecommunication systems in Australia. The other purpose of the act is to clarify the circumstances in which it is acceptable for access to or interception of communications to occur.

Although there are laws formulated to enforce cybersecurity, the rate of cybercrime continually rises. Computer users should be taught what they can do to avoid falling victim to cybercrime; for instance, the measures below can be taken:

- The user should be careful when installing plug-ins: Extensions and plug-ins may put the device being used at risk. For instance, Chrome previously revealed that some extensions in Chrome browsers had changed ownership or service without the user's knowledge. Chrome later fixed the issue. Users should be cautious when adding extensions or plug-ins to different browsers.

- Installing security plug-ins on users' computers: Although most extensions and plug-ins are safe, it is essential to boost the browser's security by installing plug-ins for the security of one's device. For example, HTTPS is used by Opera, Chrome and Firefox through an extension developed by the Electronic Frontier Foundation to secure communications that occur over computer networks. Most people commonly use the HTTP protocol, but it is not as secure as HTTPS. The ‘S’ in HTTPS represents ‘secure’. HTTPS secures users' browsing experiences by encrypting communication everywhere on the internet.

B3. Analyse the organisation's existing cyber security compliance strategies and document the outcomes according to organisational policies and procedures. This is necessary to develop a baseline for comparison with standards and for further development of compliance.

Answer in 500 words.

Most cybersecurity concerns arise when computer users carelessly click on links sent to them without analysing them properly. The most effective way to avoid clicking on suspicious links is for the user to think about the link and check its contents, especially if the link connects to one's email account, social networking site or bank, or if it involves making online money transactions. Most browsers, for instance Microsoft Edge, Chrome and Firefox, show a change in colour on the left-hand side of the location bar to indicate that the site is legitimate. Therefore, if the user does not see a green background on https, that link should not be clicked on, or should be clicked on only with caution. Through proper analysis of links, a computer user can easily comply with the cybersecurity strategies set by the government.

Organisations today ensure that they comply with organisational procedures and policies against cybercrime by examining the third-party software they use to ensure that it does not contain malware. Securing third-party software that is open source, outsourced or off-the-shelf commercial software is not easy for any company to execute. Today, most businesses depend on third-party applications/software while utilising mobile computing and cloud computing to gain fully from the computing organisation (quick and flexible to market). Businesses find it hard to fully secure the third-party software they use in their daily operations so as to ensure that it does not cause vulnerabilities and security risks that may affect their mobile devices. Therefore, the security of third-party software is in the hands of various software developers. In most cases, different individuals conform to making the development cycles secure. Still, since many third-party libraries are utilised in one application, large amounts of code probably do not receive the level of security checking that is needed. People who use third-party software ought to know how or where the software should be placed, to help them perceive the amount of threat they are exposed to. A proper understanding of the third-party software's secure development lifecycle is essential in addressing the risks. When software users know the software development process, they can quickly formulate security steps against the threats involved in the use of third-party software. Therefore, one can ensure that the third-party software has a mechanism for security updates by using safelists. Safelisting is done by taking back control and selecting only the third-party software appropriate to an individual or organisation.

Suspicious links have existed for a long time and continue to plague people who use mobile devices. Many people have fallen victim by clicking on unknown links in documents, web pages and emails without thinking critically about them, and thus installing dangerous malware on their computers, phones and other mobile devices. Clicking on a link without thinking tells the computer that you accept whatever is contained in that link, regardless of whether it is dangerous, and thus the computer has to execute it. After the link is clicked, the hacker has complete control over the mobile device onto which the malware is installed. Randomly clicking on links puts the user at risk of covert software disabling or damaging the computer, phone or other mobile devices. With emails, one can easily click on undesired links that share personal information without consent or install malware on the device.

B4. How much time will it take to determine the compliance evaluation requirements and to benchmark the organisation's practices against the standards and laws? Prepare a plan for the CTO along with an executive summary, your findings and recommendations. This plan will be followed in the analysis phase.

Answer in 400 words.

Determining the compliance of the organisation's practices with the set standards and laws is done with the help of a legal audit. The audit agenda determines the analysis procedure by assessing the functioning of the company on the basis of legal standards and establishing areas in which adherence ought to be made stricter. Organisations ought to comply with state and federal corporate governance standards as well as the ethical and moral code of conduct, with the intention of sustainability, accountability and transparency. The legal compliance agenda ought to address different parts of the organisation's governance practices. The audit checklist should analyse the registration of the organisation to ensure that its existence is lawful, and thus includes decisions relating to the performance of the organisation, profit distribution, tax remittances, shareholder meetings, investment practices, procurement and the appointment of directors, as all of these can affect the cyber security of the computer devices used in the organisation.

Ensuring that the company's data is very secure is important, given that keeping records of the activities executed in a company ensures continuity. Stored data can be used in determining how to carry out present activities with reference to the past stored information. Organisations that often use mobile devices in their activities ought to ensure that comprehensive, proper and up-to-date data concerning the operations they execute is not corrupted at any point in time. Various organisations utilise information and communication technologies in creating, transferring and storing their digital data. The law against cybercrime requires all entities to ensure that client data stays confidential and private and is only used for the right purposes. The legal compliance agenda (checklist) therefore ought to consider all the needed organisational information and ensure that the cybersecurity measures are followed so that the organisation does not fall victim.

One should also secure the browser by allowing the automatic software updates that may be available. The vendor's website may provide updates for the browser (Rafail, 2017). Therefore, when web pages are disguised, the user should search for updates for that browser on the vendor's website and install them so that the browser functions normally. Most computers have browsers like Apple Safari, Mozilla Firefox or Microsoft Internet Explorer installed. Securing these web browsers is vital because they are used often. If the browser is not secured, computer problems may result in the installation of spyware on one's computer even without one's knowledge. Computers sold today already have software installed on them by retail stores, internet service providers, operating system makers or the manufacturer; thus, the user ought to ensure that the programs on the computer and the software installed interact in the right way. However, sometimes the web page addresses in web browsers are disguised and thus take users to unexpected sites when they are clicked.


C. Task C - Analyse the implementation of cyber security standards and laws in organization

Task C instructions:

For Task C, you are to continue using the case study scenario of UniqueStore. Task C continues on from Task B.

NOTE: Ensure you have read the “Tasks B & C information” in the “ICTCYS606 Case study information” document provided on Moodle. Then answer the questions below.

C1. Conduct an organisational compliance assessment according to organisational and legislative requirements, reviewing the documents and policies provided in the case study.

Answer in 400 words.

A compliance assessment is very important in Unique store as it is utilised in assessing

Student Assessment Guide: ICTCYS606 Version: v21.0 Page 49 of 80

Developed by: ACBI Approved by: DoS Issued: April 2022 Review: April 2022
ICT60220 Advanced Diploma of Information Technology (Cyber Security)

Student Assessment Guide: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law

and identifying gaps in the controls that are prevailing in the business. At Unique store, the

assessment compliance is used in determining the actions that can be taken so that the

operation done can comply with the set standards.

The importance of a compliance assessment is to determine if the employees and the

stakeholders are adhering to the external and internal standards and policies. The managers of

the company get a peace of mind after proving that the business programs and control program

are being followed and efficiently managed.

The compliance assessment for Unique Store will be carried out in the steps below.

1. Planning the assessment.
Planning is essential because it defines the scope the assessment will cover: which systems, processes and business units are included, and which legislative, standards-based and internal requirements they will be assessed against. The assessor also needs to understand the company's goals at this stage so that the assessment is tied to them.

2. Carrying out the compliance review.
Once the targets of the assessment have been agreed, compliance within the organisation is assessed against the requirements identified in the plan. During this step the strengths and weaknesses within each compliance area are identified and recorded. The requirements assessed against are the applicable legislation, the standards the company has adopted, and its own policies, procedures and standards. The following areas at Unique Store will be assessed for compliance:

• Leadership and oversight: senior management is evaluated to determine whether it is aware of, and actively overseeing, the compliance programs in place. Management needs evidence that each program running in the company is effective, not merely assurance that it exists.

• Evaluation of current risks: compliance-related and organisational risks are singled out so that corrective measures can be taken. An obvious example is company data being corrupted by malware delivered to employees through phishing links.

• Reviewing feedback and employee training: records of when employees were last trained in practices that comply with company standards are reviewed, along with what the training covered. Employees must also be able to report any issue that concerns them to management without fear of blame.

3. Evaluating findings and carrying out a gap assessment.
After the review, the company's compliance position is determined by comparing the evidence collected against each requirement. The results are recorded for reference. The gap assessment lists each requirement that is not met, or is only partly met, together with the measures needed to reach the required level of compliance. The recorded results are retained so that future assessments can show whether the gaps have been closed.

4. Reporting the findings to the key stakeholders.
The results, and the gaps in the company's level of compliance, are reported to the key stakeholders so that a plan to correct them can be drafted and executed.

C2. Document assessment findings according to organisational policies and procedures

Answer in 500 words.

Organisational policies are the rules employees follow so that business operations run smoothly. At Unique Store the internet is widely used for making sales and communicating with customers, since most customers are now online. It is therefore important that work carried out on mobile devices complies with company policy so that cyber threats are avoided. Transactions made over the internet must be handled with care to avoid losses from cyber attacks. Employees who regularly use mobile devices at Unique Store are trained to avoid unintentionally installing malware on company computers.


Users of mobile devices at Unique Store take various measures to avoid falling victim to cyber attacks, in particular the unintended installation of malware on their computers. Web browsers are constantly exposed to untrusted dynamic content that can put the user's device at risk, and many websites prompt the user to install add-ons or other components, which increases that risk. Employees at Unique Store are taught the following ways of configuring their web browsers securely:

• Configuring the browser's security and privacy settings: users should review the browser's security and privacy settings and confirm that each option is set the way they intend. For example, they should check that third-party cookies are blocked so that advertisers cannot easily track their online activity across sites.

• Ensuring that antivirus is installed on the computer: with antivirus installed, potentially unwanted programs (PUPs) are far less likely to affect the user's device (Alarm, 2014). A legitimate antivirus product such as ZoneAlarm is important for preventing PUPs from attacking the user's browser. Antivirus software is designed to find, block and take appropriate action against malicious programs that target the browser. However careful a person is when using a mobile device, antivirus should still be installed as a safeguard. Once installed it runs in the background without the user having to start it, blocking malware activity in whichever browser is in use. If the antivirus finds a virus lying dormant in the system, it stops it from running and places it in quarantine.

• Ensuring that the browser is up to date: browser updates are released to correct problems, including security vulnerabilities, in the previous version. Users should therefore keep their browsers updated to the latest, more secure version.

• Signing up for security alerts: users of internet-connected mobile devices at Unique Store should subscribe to security alerts so that they are informed of any security issue affecting their devices. They can choose immediate, daily or weekly alerts whenever news or other information relevant to the security of their devices is published. If the endpoint protection on the computer detects any form of cyber attack, it alerts the user so that corrective action can be taken.

C3. Identify and document areas of non-compliance and near misses; use a suitable format to present your findings.

Answer in 400 words.


The objective of Unique Store is to maximise profit while keeping customers and employees satisfied. The main area of non-compliance at Unique Store, however, is poor performance management, which leaves most employees dissatisfied at work. Performance management is concerned with the performance of individual employees, of activities and of the organisation as a whole. The standards and values it rests on are set and communicated by top management, who specify what is expected of employees, provide coaching and feedback, and compare employees' behaviour and actual performance with what is expected of them. Most businesses today need an effective performance management system to cope with a competitive market (Alexe, 2020). The human resources department works hard to meet the needs of its people, which are constantly changing. Failing to recognise what employees want from their work disengages and demotivates them, which leads to poor team performance.

The performance culture at Unique Store is also weak. The benefits of a strong performance culture are clear, because a unified and well-run performance management process improves the organisation's operations. If the culture of an organisation is properly managed, the result is an organisation that progresses steadily and can endure hard times. Much of the success that organisations achieve comes from a high-performing culture among employees (Obiora, 2020). Culture affects everything that happens in the business, including employee involvement: employees who identify with the company's culture feel connected to the company. Employees at Unique Store are not given a full opportunity to take part in business decisions, even decisions about how company information is disseminated. Different businesses have different working cultures, but a business grows and develops when its culture values, engages and empowers employees. Employers should therefore discuss with employees whether the culture of the workplace matches what they believe is right, and whether it reflects a common purpose and vision, so that unity can be built across the organisation. Organisations that build a culture of appreciation for their workers, and set clear strategies for achieving their goals and objectives, perform better. For Unique Store to achieve its objectives, performance management therefore needs to be done properly.

The poor performance management prevalent at Unique Store today makes employees less productive, and it has a direct security consequence: employees are afraid to report data losses to their managers and supervisors for fear of losing their jobs. Incidents and near misses therefore go unreported and cannot be investigated. This is why Unique Store is not as profitable as it ought to be.
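The four assessment steps in C1, the browser and antivirus checks in C2, and the "suitable format" for non-compliance and near-miss findings asked for in C3 can all be exercised by one small assessment runner. The script below is an added example written for this guide, not code from the unit, the case study or any vendor product: the control identifiers (AV-1, BR-1, IR-1 and so on), the policy section references, the thresholds (7-day signature age, 14-day update window) and the device evidence are all assumptions constructed for the example. It plans the scope by filtering the inventory, reviews every in-scope device against every control, summarises the gaps per control, and renders a findings table in which a near miss is a control that is still met today but is about to lapse.

```python
"""Compliance assessment runner: an added example, not part of the ICTCYS606
guide or any vendor tool. It walks the four C1 steps (plan scope, review
controls against requirements, evaluate gaps, report) over a constructed device
inventory and labels each finding compliant, near miss or non-compliant in the
tabular format C3 asks for. Control ids, policy sections, thresholds and all
evidence values are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable

# Step 1 (plan): thresholds the assessment plan adopts (assumed values).
MAX_SIG_AGE, NEAR_MISS_SIG_AGE = 7, 5            # AV signature age in days
MAX_UPDATE_LAG, NEAR_MISS_UPDATE_LAG = 14, 10    # browser update lag in days

@dataclass(frozen=True)
class Control:
    cid: str                                   # hypothetical control id
    source: str                                # policy/standard it derives from
    requirement: str
    passes: Callable[[dict], bool]             # evidence satisfies the control
    near_miss: Callable[[dict], bool] = lambda e: False   # only checked when passes() is True

@dataclass(frozen=True)
class Finding:
    device: str
    cid: str
    status: str                # "compliant" | "near miss" | "non-compliant"
    requirement: str

CONTROLS = [
    Control("AV-1", "Endpoint policy s.3", "Antivirus installed",
            lambda e: e["av_installed"]),
    Control("AV-2", "Endpoint policy s.3", "AV signatures no older than 7 days",
            lambda e: e["av_installed"] and e["av_sig_age_days"] <= MAX_SIG_AGE,
            lambda e: e["av_installed"] and e["av_sig_age_days"] >= NEAR_MISS_SIG_AGE),
    Control("BR-1", "Endpoint policy s.5", "Browser updates applied within 14 days",
            lambda e: e["update_pending_days"] <= MAX_UPDATE_LAG,
            lambda e: e["update_pending_days"] >= NEAR_MISS_UPDATE_LAG),
    Control("BR-2", "Endpoint policy s.5", "Third-party cookies blocked",
            lambda e: e["third_party_cookies_blocked"]),
    Control("IR-1", "Incident policy s.2", "Every observed incident was reported",
            lambda e: e["incidents_reported"] >= e["incidents_observed"]),
]

# Constructed sample evidence (not real inventory data); DEV-99 is out of scope.
EVIDENCE = [
    {"device": "POS-01", "in_scope": True, "av_installed": True, "av_sig_age_days": 1,
     "update_pending_days": 0, "third_party_cookies_blocked": True,
     "incidents_observed": 2, "incidents_reported": 2},
    {"device": "TAB-07", "in_scope": True, "av_installed": False, "av_sig_age_days": None,
     "update_pending_days": 21, "third_party_cookies_blocked": False,
     "incidents_observed": 1, "incidents_reported": 0},
    {"device": "LAP-03", "in_scope": True, "av_installed": True, "av_sig_age_days": 6,
     "update_pending_days": 12, "third_party_cookies_blocked": True,
     "incidents_observed": 0, "incidents_reported": 0},
    {"device": "DEV-99", "in_scope": False, "av_installed": True, "av_sig_age_days": 0,
     "update_pending_days": 0, "third_party_cookies_blocked": True,
     "incidents_observed": 0, "incidents_reported": 0},
]

def plan_scope(evidence):
    """Step 1: keep only the devices the assessment plan puts in scope."""
    return [e for e in evidence if e["in_scope"]]

def review(controls, evidence):
    """Step 2: test every in-scope device against every control."""
    findings = []
    for e in evidence:
        for c in controls:
            if not c.passes(e):
                status = "non-compliant"
            elif c.near_miss(e):
                status = "near miss"       # met today, but about to lapse
            else:
                status = "compliant"
            findings.append(Finding(e["device"], c.cid, status, c.requirement))
    return findings

def gap_assessment(findings):
    """Step 3: count outcomes per control so remediation can be prioritised."""
    gaps = {}
    for f in findings:
        g = gaps.setdefault(f.cid, {"compliant": 0, "near miss": 0, "non-compliant": 0})
        g[f.status] += 1
    return gaps

def report(findings, gaps):
    """Step 4: fixed-width table of gaps and near misses plus a per-control summary."""
    lines = [f"{'Device':<8}{'Control':<8}{'Status':<15}Requirement"]
    for f in findings:
        if f.status != "compliant":        # compliant rows are kept in the evidence, not the report
            lines.append(f"{f.device:<8}{f.cid:<8}{f.status:<15}{f.requirement}")
    lines.append("")
    for cid, g in gaps.items():
        lines.append(f"{cid}: {g['non-compliant']} non-compliant, "
                     f"{g['near miss']} near miss, {g['compliant']} compliant")
    return "\n".join(lines)

def run_assessment(evidence=EVIDENCE, controls=CONTROLS):
    """Run steps 1-3 and return (findings, gaps); report() renders step 4."""
    findings = review(controls, plan_scope(evidence))
    return findings, gap_assessment(findings)

if __name__ == "__main__":
    found, gap_summary = run_assessment()
    print(report(found, gap_summary))
```

Two design points matter for the C3 question. The near-miss test is only consulted after the pass test succeeds, so "near miss" always means "compliant now, but inside the warning band" rather than a softer form of failure; and the tablet that is missing antivirus fails AV-2 outright (the signature-age test short-circuits on the missing product) instead of raising an error, which is how an assessor would record it. Remediation order falls out of the per-control summary: a control with several non-compliant devices is fixed before one with only near misses.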

C4. How will you align the organisation's activities to the required standards, to fill the gaps identified in your findings? Research and use industry best practices.

Answer in 400 words.

The activities of Unique Store will be organised using the performance management process described below, in order to prevent the weaknesses that lead to cyber attacks and to employee dissatisfaction. Every step is essential, and together the steps form the backbone of performance management at Unique Store. The four steps are:

1. Plan.
Planning the activities to be executed is the first step in closing the gaps in a company. Management and HR organise the activities to be completed, including the objectives to be achieved, the short- and long-term goals, and a full description of each. The goals set should be specific, measurable, attainable, relevant and time-bound (SMART). During planning, employees should be given the chance to put forward ideas about what they think will work best for customers. When employees are involved in deciding the company's activities, they work harder to see the company achieve the objectives that were set. Because management and employees agree on the objectives and goals to be reached in a given period, employees perform better in their respective roles.

2. Do.
The planned activities are executed in this step. The people assigned to each activity are trained in their area so that there is no room for confusion. The activities carried out at this stage should ensure that the planned objectives and goals are being achieved. At Unique Store, employees who perform well will be rewarded, to encourage others to work hard as well. This is the stage where the actual work is done according to the company's requirements.

3. Check.
To ensure that the plan is being followed, managers have to check the performance being achieved. The performance attained at Unique Store will therefore be measured and compared with the performance that was planned. Employees will be involved in determining the progress that has been made.

4. Act.
This is the last step in closing the gaps in performance management. Employees who perform as expected will be rewarded so that other employees are encouraged to work hard as well; it is essential to give employees a reason to work hard towards the company's goals. At this stage the faults in the company's management are analysed, and corrective measures are suggested and implemented to improve performance. Improved performance at Unique Store means satisfied customers and employees who enjoy their work. If the culture of an organisation is properly managed, the result is an organisation that progresses steadily and can endure hard times, and much of the success that organisations achieve comes from a high-performing culture among employees.


D. Task D - Implement and align organization with the standards and laws

Task D instructions:

For Task D you are to use the case study scenario for UniqueStore.

Ensure you have read the "Task D information" in the "ICTCYS606 Case study information" document provided on Moodle. Then answer the questions below.

D1. Develop and document all compliance requirements and present a report to the CTO.

Answer in 500 words.

Activities at Unique Store should be carried out in a way that prevents data breaches. A data breach is a situation in which confidential information is accessed without the knowledge or permission of the system owner. Data breaches include the theft or loss of hard-copy notes, mobile phones, USB drives and computers. Stolen data typically contains confidential or sensitive information such as trade secrets, matters of national security, credit card details and customer data. A data breach can damage the organisation's reputation, cause financial loss to customers, and lead to identity theft. Cyber security, on the other hand, is the use of technology, controls and processes to defend programs, processes, devices, data and networks from malicious attack. Its aim is to reduce the risk of cyber attack and to guard technologies, networks and systems against unauthorised access and exploitation. Given that some sales at Unique Store are made online, the data held on its computers must be protected. That data may include how the store competes in the market, and it must be guarded against corruption and theft.

Employees should follow the company's code of ethical conduct. Ethics are the moral principles used to decide whether an action is right or wrong. In a business that applies ethics, the activities of the business and the people in it reflect fairness, integrity and honesty. Always acting ethically is not easy, and people often face ethical dilemmas when what they want to do conflicts with what is ethically correct. Nevertheless, a leader in a business must make decisions that put the business's objectives ahead of personal interests. Employees who conduct themselves unethically at Unique Store should be subject to disciplinary action.

Organisational performance should be properly managed so that employees work efficiently to achieve the company's objectives. Performance management enables employers to reward workers who have done remarkable work for the organisation. Recognising and encouraging workers is important to the company's success because it improves retention, engagement and performance. Most employees are happier and more motivated when they feel appreciated by their managers. When the employees of a company are aligned with its goals and objectives, their focus on what must be done to attain those objectives increases. Performance management builds a culture of support and trust and creates a good relationship between the organisation and its employees. Employers should therefore analyse their objectives and decide which culture, beliefs and values employees should follow in their work so that those relationships improve. Good relationships between employees and managers at Unique Store will enable the company to attain its objectives.

The company's computers must have antivirus software installed to help prevent cyber attacks. With antivirus installed, potentially unwanted programs (PUPs) are far less likely to affect the user's device, and a legitimate antivirus product such as ZoneAlarm is important for preventing PUPs from attacking the user's browser. Antivirus software is designed to find, block and take appropriate action against malicious programs that target the browser. However careful a person is when using a mobile device, antivirus should still be installed as a safeguard. Once installed it runs in the background without the user having to start it, blocking malware activity in whichever browser is in use. If the antivirus finds a virus lying dormant in the system, it stops it from running and places it in quarantine.

D2. Distribute requirements to required personnel in preparation to realign business activities to requirements; prepare a presentation and present to the stakeholders. (For this activity you will perform a role play, present your recommendations to your class and obtain feedback.) Please attach your presentation with the assessment.

Answer in 400 words.

The activities at Unique Store will be realigned in the following ways so that better compliance with company policy is achieved.

Employees will be grouped into departments to create specialisation, which makes the operation of activities more efficient. At Unique Store the departments are sales, marketing, accounting, security, IT and customer relations. Division of labour does not mean that there is no cooperation between employees. Small companies normally delegate responsibility for operations to a single individual, yet the owner and the employees should work together to improve the day-to-day activities of the business. Whether a business provides services, sells products or manufactures them, every business person needs to monitor and manage what happens behind the scenes. Grouping employees into departments will make it easier for management to supervise the activities carried out.

The operations management function at Unique Store should assign resources to activities, protect the resources needed for each activity, and allow information to be shared between the providers of goods or services and their customers. Operations management is usually described in terms of production and manufacturing and is multidisciplinary. It is responsible for transforming inputs into outputs effectively, since it is delivery-focused. The inputs to retailing at Unique Store include people, technology and production equipment. Operations management also includes monitoring relationships within the company so that the organisation remains sustainable. Processes such as controlling, leading, staffing, organising and planning are all part of operations management, and tasks at Unique Store will be organised with its help.

The way activities are carried out will be changed to suit the constantly changing needs of customers. Changing the way things are done is normally beneficial to the company. Customers' changing needs require the company to vary how it handles different circumstances in order to keep them satisfied. New entrants need effective market operations to minimise the barriers created by exclusive dealing. Expertise in such dealings comes from sound operations management, which sets the strategies for coping with customers' changing needs. Much depends on the behaviour and leadership of the new entrants, as they can establish a flexible system that settles into a new environment without facing structural challenges (PENDLETON, 2012). Adopting new market strategies is necessary to sell in a market with particular demographic and cultural needs, and demographic factors matter greatly for human resources and for the product supply chain. However, when embracing change, the company must ensure that it remains protected from cyber attacks, in particular malware.

Observed question with meeting

D3.

THE SCENARIO:

You are discussing your findings and recommendations in relation to cyber security compliance requirements for UniqueStore.

• You, acting as the Cyber Security Specialist
• A CTO of the company, role played by another student in your unit
• An Operations Manager at UniqueStore, role played by another student in your unit

NOTE: Your Trainer & Assessor will also observe this meeting and complete an observation checklist.

WHAT YOU NEED TO DO BEFORE YOUR MEETING:

Organise a day and time for your meeting, in line with the availability of other students in your unit as well as your Trainer & Assessor. This meeting should take no more than 5 minutes.

You are required to manage the meeting. Prior to the meeting ensure you have read the instructions below on what you'll be required to do during the meeting and prepare as necessary.

WHAT YOU NEED TO DO DURING YOUR MEETING:

Use the meeting to:
• Describe the objectives of your presentation
• Outline the areas of shortcoming and gaps
• Provide recommendations for future improvement

Ensure you take note of what you discuss during the meeting.

WHAT YOU NEED TO DO AFTER YOUR MEETING:

Record notes of what was discussed during your meeting. Answer in 40-80 words.

Meeting notes

The meeting was held to determine Unique Store's position in terms of its security against cyber attacks and the causes of the attacks that have occurred. When the data on a computer becomes corrupted, some employees are reluctant to report it to their immediate supervisors for fear of being blamed or even losing their jobs. If employees felt free to tell management about a problem, it could be resolved quickly. The relationship between employees and management therefore needs to be improved.

D3. Develop an evaluation strategy according to organisational policies and procedures, to be used in future for compliance analysis, gap findings, solution identification and implementation of the recommendations.

Answer in 400 words.

In future, the following measures should be incorporated to improve compliance.

Incidents and near misses that occur during operations at Unique Store should be reported immediately. Every problem in a company has a cause, and to prevent the problem from recurring the cause has to be eliminated as well. A lack of understanding of markets is a major challenge in retailing: when a new customer need appears in a market, the retailer may fail to develop a strategy suited to the regional culture, which in turn limits its ability to develop market segments. Understanding and knowledge of the market are essential when establishing retail stores in a new market. Operations management provides effective information about market trends, drawing on market demographics and on tools that help reach more customers in the target market (Team, 2020). It is therefore important for a retailer to know customers' needs before stocking items.

Continuous improvement is a practice that keeps all workers focused on how to achieve the company's goals. Workers at Unique Store should therefore contribute ideas they believe would improve the efficiency of company operations, avoid unproductive work, help prevent cyber attacks, and analyse current practices to identify where to improve.

Signing up for security alerts: users of internet-connected mobile devices should subscribe to security alerts so that they are informed of any security issue affecting their devices. They can choose immediate, daily or weekly alerts whenever news or other information relevant to the security of their devices is published. Web browsers are constantly exposed to untrusted dynamic content that can put the user's device at risk, and many websites prompt the user to install add-ons or other components, which increases that risk. Users should also keep their browsers up to date: updates are released to correct problems, including security vulnerabilities, in the previous version, so users should update to the latest, more secure version.

D4. Submit all documents to required personnel as a report and seek and respond to feedback obtained. You will prepare a brief for your class and discuss it in the class to receive feedback and to adjust your strategy accordingly, then finalise your report. Use an appropriate report format.

Add your report here along with the brief you have prepared.

Answer in 250 words.

Cybercrime is common across companies today. It is important to prevent data breaches at Unique Store so that the company does not lose valuable data to its competitors. Data breaches are increasingly sophisticated, so the financial sector must continuously update its security systems to avert fraud. The most common causes of data breaches are failure to adopt newer security approaches and third-party risk. Mechanisms that help avert data breaches and cyber attacks include physical protection of the operational area, planned HR exit procedures for departing workers, procedures for remote work, sound information storage practices, appropriate data handling, and periodic risk assessment. Banks and other financial institutions must ensure that data breaches and cyber threats can be contained by restricting third-party access to sensitive customer information, and the same applies to a retailer that holds customer and payment data.

Securing third-party software, whether open source, outsourced or off-the-shelf commercial software, is not easy for any company. Today most businesses depend on third-party applications and software, and make use of mobile and cloud computing, to gain the full benefit of their computing environment (fast and flexible time to market) (Magalhaes, 2014). Businesses find it hard to fully secure the third-party software used in their daily operations and to ensure that it does not introduce vulnerabilities and security risks that affect their mobile devices. The security of third-party software is therefore largely in the hands of the software's developers. In most cases developers do try to make their development cycles secure; still, because many third-party libraries are used in a single application, large amounts of that code probably do not receive the level of security review they need. Organisations that use third-party software should know where it sits in their environment and what it has access to, so that they can judge the amount of threat exposure it creates.


4. Student Self Checklist

A. Student Self Checklist for Tasks A - D

Candidate name:

Unit of Competency: ICTCYS606 Evaluate an organisation's compliance with cyber security standards and law

Instructions:

Place a tick ‘✓’ in the Yes (“Y”) column for each question you have completed all parts for.

Task A

Did you:	Y

A1. Describe the term ‘Cybercrime’.


A2. Describe a cyber security risk. What risks could commonly be present in an organisation from a cyber security perspective?

A3. What is risk management? What are the key principles of risk management?

A4. What is meant by risk tolerance in an organisation?

A5. What laws in Australia relate to cyber security? Provide a brief description of these laws.

A6. Describe ISO standards in relation to cyber security and governance.

A7. Describe Parts 10.7 and 10.8 of the Criminal Code Act 1995 of Australia.

A8. Describe PCI DSS and its main features.

A9. Describe the Essential Eight security model.

A10. Describe the Privacy Act 1988 and how it affects the cyber security requirements of a business.

A11. Describe what data governance is.

A12. Describe the security requirements needed to protect business processes in an organisation.


A13. Would you define security requirements specific to each process, or would you prefer to implement security governance guidelines across the whole organisation? Discuss.

A14. Describe the principles of cyber security that protect an organisation from a compliance perspective.

A15. Describe the CIA (confidentiality, integrity, availability) triad.

A16. What is a cyber security incident?

A17. Describe MAPE-K.

A18. What is SIEM, and what SIEM tools are you aware of? Describe at least three tools.

A19. What is a security incident response plan? What are the components of the plan?

A20. Describe different types of cyber security incidents, including security vulnerabilities and malware.

Task B


Did you:

B1. Review the company policies and the industry and Australian government regulations, standards and laws required for the organisation's cyber security operations, and summarise your findings.

B2. Perform an analysis to align the required laws and standards with organisational cyber operations, and provide your recommendations.

B3. Analyse the organisation's existing cyber security compliance strategies and document the outcomes according to organisational policies and procedures. This is necessary to develop a baseline for comparison with the standards and for further compliance development.

B4. How much time will it take to determine the compliance evaluation requirements and to benchmark organisational practices against the standards and laws? Prepare a plan for the CTO with an executive summary, your findings and your recommendations. This plan will be followed in the analysis phase.

Task C

Did you:


C1. Conduct an organisational compliance assessment according to organisational and legislative requirements, reviewing the documents and policies provided in the case study.

C2. Document the assessment findings according to organisational policies and procedures.

C3. Identify and document areas of non-compliance and near misses, using a suitable format to present your findings.

C4. How will you align the organisation's activities with the required standards to close the gaps identified in your findings? Research and apply industry best practice.

Task D

Did you:

D1. Develop and document all compliance requirements and present a report to the CTO.


D2. Distribute the requirements to the required personnel in preparation for realigning business activities with them; prepare a presentation and deliver it to the stakeholders.

D3. Develop an evaluation strategy, according to organisational policies and procedures, to be used in future for compliance analysis, gap findings, solution identification and implementation of the recommendations.

D4. Submit all documents to the required personnel, and seek and respond to the feedback obtained. Prepare a brief for your class and discuss it in class to receive feedback and adjust your strategy accordingly.


References

Agarwal, H. (2018, January 21). A Glance At Australia's Cyber Security Laws. Appknox. Retrieved from https://www.appknox.com/blog/glance-australias-cyber-security-laws

Alexe, G. (2020, April 9). Managing performance through organizational culture. Retrieved from https://doi.org/10.1080/15700760500484019

Brush, K. (2021). What is cybercrime? TechTarget. Retrieved from https://www.techtarget.com/searchsecurity/definition/cybercrime

Faculty, I. I. (2016). Top five cyber risks, 6.

Federal Communications Commission. (2020). Telecommunications Act of 1996. Retrieved from https://www.fcc.gov/general/telecommunications-act-1996

Gaffey, A. D. (2022). 5 basic principles of risk management. Sedgwick. Retrieved from https://www.sedgwick.com/blog/2015/09/10/5-basic-principles-of-risk-management

Gibson, P. (2021). Cybersecurity Laws and Regulations: Australia. ICLG.com. Retrieved from https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia

Hyperproof. (2019). Cybersecurity Risk Management: Frameworks, Plans, & Best Practices. Retrieved from https://hyperproof.io/resource/cybersecurity-risk-management-process/

IBM. (2019). What is SIEM? Retrieved from https://www.ibm.com/topics/siem

Kintone Team. (2020, February 25). What is Operations Management? Retrieved from https://blog.kintone.com/business-with-heart/what-is-operations-management

Magalhaes, R. M. (2014, September 12). Third-Party Software is a Security Threat (Part 1). TechGenix. Retrieved from https://techgenix.com/third-party-software-security-threat-part1/

Obiora, C. (2020). Organizational culture and employee performance in selected higher institutions in Edo State, Nigeria. International Journal of Innovative Social Sciences & Humanities Research, 20–32.

Office of Legislative Drafting and Publishing, Attorney-General's Department. (2019). Criminal Code Act 1995 (Act No. 12 of 1995 as amended), 667.

Pendleton, D. (2012). Leadership: All You Need to Know.

Rafail, W. D. (2017). Securing Your Web Browser. CISA. Retrieved from https://www.cisa.gov/uscert/publications/securing-your-web-browser

Stedman, C. (2019). What is data governance and why does it matter? TechTarget. Retrieved from https://www.techtarget.com/searchdatamanagement/definition/data-governance

ZoneAlarm. (2014, May 8). 6 Ways to Secure Your Web Browser. Retrieved from https://blog.zonealarm.com/2014/05/6-ways-to-secure-web-browser/
