
Assessment Task 2: Review cyber security policy


Course code and title: 22603VIC Certificate IV in Cyber Security

Unit code and title: VU23213 Utilise basic network concepts and protocols required in cyber security

Due date: DD/MM/YYYY or week number

Resources required:
Learner to provide:
 Access to computer and internet
Provided:
 Learner resource
 MP Tech cyber security policy

Decision making rules: To achieve an overall satisfactory result for this assessment task:
 All questions must be answered satisfactorily.

Learner instructions
In this written task you will review the organisation’s security policy and identify current
procedures and areas for continual improvement to protect the business from cyber threats.
For this task you will:
 Complete it individually.
 Write answers to all questions.
 Complete it in your own time and submit it by the due date.
 Have time to read and review the assessment task in class.
 Submit your assessment via Moodle.

If you have any questions about the task or concerns about your ability to
complete the task, please discuss this with your assessor.
Safety:
 You must follow all safety requirements set for the assessment
environment to ensure the safety of yourself and others.
 If you feel unsafe for any reason, stop participating in the assessment
and inform your assessor.
 The assessor will stop the assessment immediately if the safety of any
person or property is at risk.
 If an assessment is stopped, alternative arrangements for assessment
can be discussed with the assessor.
Scenario
You are a cyber security technician at MP Tech and are required to review the organisation’s
security policy. You will need to source the MP Tech cyber security policy from the VU23213 Moodle
site, read the document and answer all of the questions.

1. a. Does the policy include provisions for visitors’ access and external technical
      personnel access? Yes or No
   b. Do you consider this access information needed in the policy? Why?
   c. List 4 associated risks to the business

ANSWER

a. NO

b. Yes, it is important to include provisions for visitors' access and external technical
personnel access in the policy. Visitors and external technical personnel may pose
potential security risks if their access is not properly managed and controlled.
Including specific guidelines for these scenarios helps ensure that security measures
are in place, reducing the risk of unauthorized access and potential security breaches.

c.
Unauthorized Access: Without clear policies for visitors and external technical
personnel, there is an increased risk of unauthorized individuals gaining access to
sensitive areas or information, potentially leading to security breaches.

Data Breach: Lack of controls for external technical personnel could result in
unauthorized access to sensitive data, leading to data breaches and potential legal
and reputational consequences for the business.

Physical Security Concerns: Visitors' access without proper guidance may pose
physical security risks, such as tailgating or entry to restricted areas, compromising
the overall security posture of the business.

Disruption of Operations: If external technical personnel are not properly managed,
there is a risk of disruptions to business operations, including the potential for
introducing vulnerabilities or misconfigurations that could impact the stability and
functionality of systems.
ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY
2. Review the current policy's stance on social media usage.
   List 2 suggestions to improve this section.

ANSWER

1. The policy could provide more specific guidelines on acceptable social media use. For
example, it could specify what constitutes professional and responsible use, outline
potential risks associated with social media activities, and provide examples of
prohibited actions.

2. To enhance cybersecurity, the policy could include a section on best practices for
securing personal and organizational information on social media platforms. This
might include recommendations on privacy settings, two-factor authentication, and
guidelines for recognizing and avoiding social engineering threats on social media.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

3. List the people in the organisation with access to official-sensitive data and how they
   are authorised.

ANSWER

The policy does not explicitly specify the individuals or roles within the organization that have
access to official-sensitive data and how their authorization is granted.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

4. Are the current measures secure for electronic data and the printed data? Answer in
   1-2 sentences for each response.
   List 1 strategy or procedure to improve the security of the data.

ANSWER

Electronic data: Implementing a multifactor authentication (MFA) system for accessing
sensitive electronic data can significantly enhance security. MFA adds an extra layer of
protection by requiring users to provide multiple forms of identification before
gaining access, reducing the risk of unauthorized entry.

Printed documents: For printed documents, introducing a secure printing and release system
can enhance security. This ensures that sensitive documents are only printed when
the authorized user is physically present to collect them, preventing unauthorized
access to printed materials left unattended in shared printing areas.

Improvement: Introducing regular security training and awareness programs for employees
can contribute to an overall improvement in data security. Educating personnel on
best practices, recognizing social engineering tactics, and reinforcing the
importance of data protection can help create a security-aware culture within the
organization.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

5. Review the Privacy Impact Assessment section. How could this section be improved?
ANSWER

 Provide a brief overview of the Privacy Impact Assessment process, outlining the key steps
involved.
 Specify how frequently PIAs should be conducted.
 Offer specific examples of risks that the PIA is designed to address. This could include
potential breaches of confidentiality, unauthorized access, or unintended data uses.
Providing concrete examples helps employees understand the importance of the PIA
process.
 Include contact information for individuals or departments that employees can reach out
to if they have questions or concerns about the PIA process.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

6. Review the Bring your Own Device section.
   List 4 potential risks of using external devices and the consequences to the business.

ANSWER

RISK: Virus/malware
CONSEQUENCE: Personal devices may not have the same level of security features as
company-provided devices, leading to an increased risk of malware, data breaches, and
unauthorized access.

RISK: Data breach/leak
CONSEQUENCE: Employees may unintentionally expose sensitive company data if proper
measures, such as encryption and secure data handling, are not enforced on personal
devices.

RISK: Compliance issues
CONSEQUENCE: The use of personal devices may pose challenges in adhering to regulatory
compliance standards, potentially resulting in legal consequences and reputational
damage for MP Tech.

RISK: Compatibility
CONSEQUENCE: Compatibility issues between personal devices and company systems may
arise, impacting productivity and hindering seamless collaboration within the
organization.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

7. List 3 resources or strategies that could be implemented by the organisation to
   increase the workforce’s awareness of industry cyber security.

ANSWER

a. Implementing regular training programs and workshops on cybersecurity best
practices can significantly increase the workforce's awareness. These sessions can
cover topics such as recognizing phishing attempts, creating strong passwords,
understanding social engineering tactics, and adhering to security policies.

b. Conducting simulated phishing exercises provides a hands-on experience for
employees to recognize and respond to phishing attacks.

c. Regularly communicate cybersecurity updates, tips, and relevant information through
various channels within the organization. This can include email newsletters, internal
forums, posters, and intranet announcements.

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY

8. Assume that a recent network check report has identified a significant increase in the
   number of ARP attacks detected. Although the current detection tool works, more is
   needed in the long term.

   What are 2 reasons you can use to justify and convince management about
   the need to update the current security systems and tools?

   Answer in 2-3 sentences per reason.


ANSWER

a. Outdated security systems may lack the necessary features and capabilities to
effectively counter newer, more sophisticated attack methods.

b. Newer tools often incorporate machine learning algorithms and provide more
accurate and proactive identification of malicious activities. This will not only
strengthen our ability to thwart ARP attacks but also enhance the overall security
posture of the network.
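The answer above argues for better detection tooling, so it helps to see what the current, rule-based detection a "network check report" relies on actually looks like. The following is an added example, not part of the assessment document or of MP Tech's policy or tools: a small Python detector that reads a log of observed ARP replies and flags the classic symptoms of ARP cache poisoning (one IP advertised by more than one MAC, a MAC that contradicts a trusted IP-to-MAC inventory, and bursts of repeated replies for one IP). The log format, the sample lines and the `known` inventory are all constructed for the example.

```python
"""
Added example: rule-based ARP spoofing detection over a reply log.
Not the assessment's or MP Tech's code; log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one ARP reply per line:
# "<ISO timestamp> <opcode> <sender IP> <sender MAC>"
# 192.0.2.1 (the gateway in this scenario) is first answered by its real MAC,
# then repeatedly by a second MAC, which is the poisoning pattern we want to flag.
SAMPLE_LOG = """\
2024-05-01T09:00:01 reply 192.0.2.1 aa:bb:cc:00:00:01
2024-05-01T09:00:05 reply 192.0.2.20 aa:bb:cc:00:00:20
2024-05-01T09:00:09 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:10 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:11 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:12 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:13 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:14 reply 192.0.2.1 de:ad:be:ef:00:99
2024-05-01T09:00:30 reply 192.0.2.21 aa:bb:cc:00:00:21
"""

# Constructed trusted inventory (ip -> mac); a defender would maintain this
# from DHCP leases or an asset register.
KNOWN_HOSTS = {"192.0.2.1": "aa:bb:cc:00:00:01"}


def parse_arp_log(text):
    """Parse log text into (timestamp, opcode, ip, mac) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, op, ip, mac = parts
        try:
            records.append((datetime.fromisoformat(ts), op.lower(), ip, mac.lower()))
        except ValueError:
            continue  # bad timestamp: ignore the line rather than crash the report
    return records


def detect_arp_anomalies(records, known=None, window_s=10, burst_threshold=5):
    """
    Return a list of alert strings, one per distinct finding:
      conflict  - one IP advertised with more than one MAC (cache poisoning symptom)
      mismatch  - an IP advertised with a MAC other than the trusted inventory entry
      burst     - one MAC sends >= burst_threshold replies for one IP inside window_s
                  seconds (repeated unsolicited replies keep a poisoned entry fresh)
    """
    alerts = []
    macs_for_ip = defaultdict(set)
    times = defaultdict(list)  # (ip, mac) -> list of timestamps
    reported_mismatch = set()
    for ts, op, ip, mac in records:
        if op != "reply":
            continue
        macs_for_ip[ip].add(mac)
        times[(ip, mac)].append(ts)
        if known and ip in known and known[ip] != mac and (ip, mac) not in reported_mismatch:
            reported_mismatch.add((ip, mac))
            alerts.append(f"mismatch: {ip} claimed by {mac}, inventory says {known[ip]}")
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            alerts.append(f"conflict: {ip} seen with MACs {sorted(macs)}")
    for (ip, mac), stamps in times.items():
        stamps.sort()
        # Sliding window: any burst_threshold consecutive replies within window_s seconds
        for i in range(len(stamps) - burst_threshold + 1):
            if (stamps[i + burst_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts.append(f"burst: {mac} sent {burst_threshold}+ replies for {ip} within {window_s}s")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_log(SAMPLE_LOG), known=KNOWN_HOSTS):
        print(alert)
```

Run as-is, the script reports one mismatch, one conflict and one burst for the sample log. The limits of this rule set are exactly the point of the answer's second reason: it cannot tell a legitimate failover (a gateway moving to a new MAC) from an attack, and it only sees what the log captured, which is why a report that is already counting many ARP attacks is an argument for tooling with better baselining rather than more thresholds.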

ASSESSOR ONLY: ☐ SATISFACTORY ☐ NOT SATISFACTORY


Assessment Task Summary: Task 2 – Review cyber security policy

TRAINER/ASSESSOR TO COMPLETE THE FOLLOWING:


THE LEARNER:                                         YES   NO

1. Satisfactorily answered all questions

FEEDBACK
Assessor must include constructive feedback such as what was done well, where improvement is
needed and specific suggestions about how to achieve improvement.

OVERALL TASK RESULT: ☐ SATISFACTORY ☐ NOT SATISFACTORY

Resubmission required (if not satisfactory) Due date:

DATE ASSESSMENT RETURNED

TRAINER/ASSESSOR NAME

TRAINER/ASSESSOR SIGNATURE

LEARNER DECLARATION: READ AND SIGN BELOW

I, ____________________________ have been advised of the outcome of this assessment task.


PRINT NAME

LEARNER SIGNATURE DATE
