Assignment Two is comprised of two parts and your report
should be no more than 5 pages excluding the cover page, table of contents and
Plan, Develop and Manage a Security
Policy (10 marks)
that the Commonwealth Government of Australia is planning to launch ‘My Health
Record’ a secure online summary of an individual’s health information. The
system is available to all Australians, My Health Record is an electronic
summary of an individual’s key health information, drawn from their existing
records and is designed to be integrated into existing local clinical
‘My Health Record’ is driven by the need for the Health Industry to continue a
process of reform to drive efficiencies into the health care system, improve
the quality of patient care, whilst reducing several issues that were apparent
from the lack of important information that is shared about patients e.g.
reducing the rate of hospital admissions due to issues with prescribed medications.
This reform is critical to address the escalating costs of healthcare that
become unsustainable in the medium to long term.
will control what goes into their My Health Record, and who is allowed to
access it. An individual’s My Health Record allows them and their doctors,
hospitals and other healthcare providers to view and share the individual’s
health information to provide the best possible care.
'My Health Record' is used by various staff such as System Administrator,
Doctor, Nurse, Pathologist and Patient. In order to convey and demonstrate the
rules and regulations to the users of this system, Commonwealth Government of
Australia needs a security policy.
are employed as the Security Advisor for the organization. The task that is
handed to you by the Chief Information Officer now is to create, develop and
manage "System Access Security Policy” for atleast any 3 users of the
the following in your security policy:
Plan System Access Security Policy
Develop System Access Security
Manage System Access Security Policy
Conducting a Risk Assessment (10
will be given a list of organisation in week 3 by your lecturer and you can
select any one organisation from them. The organisation uses various IT systems
for its daily operations. Assume that you are appointed as an IT Systems
Auditor for the chosen organisation and you are asked to provide a risk
register must come up for the IT systems in the organisation.
A brief introduction of the
organisation and the IT systems
Identify and explain any major risk
in the IT systems components
Discuss the consequences of the
Inherent risk assessment, that
is the assessed, raw/ untreated risk inherent in a process or activity without
doing anything to reduce the likelihood or consequence
Mitigate the risk
Residual risk assessment, that
is the assessed, risk in a process or activity in terms of likelihood and
consequence after controls are applied to mitigate the risk.
Create a Risk Register based on the
risks identified in the IT systems and prioritise of the risk using a
standardised framework such as the ANSI B11.0.TR3 Risk Assessment Matrix
the fact there is no clear prioritisation framework NOR risk appetite
framework, the risk register is your professional assessment of the likelihood
and consequence of the risks you identify. When preparing your risk register
you should think carefully about the assets the chosen organisation may have
and how these may be compromised from the perspective of Information Security.
This assessment task will assess the following
- be able to justify the goals and various key terms used
in risk management and assess IT risk in business terms.
- be able to apply both quantitative and qualitative risk
management approaches and to compare and contrast the advantages of each
- be able to critically analyse the various approaches
for mitigating security risk, including when to use insurance to transfer
- be able to critically evaluate IT security risks in
terms of vulnerabilities targeted by hackers and the benefits of using
intrusion detection systems, firewalls and vulnerability scanners to