Management 1: Information Security Report - Federation University
Added on 2022/11/14
AI Summary
This report analyzes the information security landscape at Federation University (FedUni), focusing on vulnerabilities and potential threats. The report highlights critical areas of concern, including data security, internet usage, and security for both students and staff. The analysis reveals that a significant portion of students are vulnerable to data security breaches, emphasizing the need for immediate policy amendments and awareness programs. The report also examines the risks associated with internet usage and the security of student and staff access points, such as key cards. Recommendations are provided to enhance FedUni's information security policy, improve its credibility, and protect its reputation against potential financial and social damages. The report underscores the importance of a comprehensive approach to information security to safeguard sensitive data and maintain the integrity of the university's digital infrastructure. The report suggests measures to strengthen the security of data, internet usage, and student and staff security. The report provides detailed insights and recommendations for improving the university's overall security posture.

Management 1
Dealing with Information Security
By (Name)
Name of the Course
Title of the Instructor
Institutional Affiliation
Executive summary
Federation University (FedUni) is an Australian-based public university that is affiliated with the
Regional University Network (RUN). Its information security policy applies to the university’s
students, staff members and the wider university community, such as the Ballarat Technology Park.
Members of the park include International Business Machines (IBM), the Global Innovation Centre, the
Country Fire Authority, Ambulance Victoria, etc. Based on the joint research and survey conducted by
the institution, there is a gap in its existing information security policy. This vulnerability would
result in significant social and financial damage through breaches of student and staff privacy and
theft of confidential administrative documents, among others (Abduljabbar and Basendwh 2016).
These threats and vulnerabilities will compromise the university’s credibility, reputation and
security capabilities. Strategies and recommendations are presented for several areas of interest in
the information security policy: data security, internet usage, student security and staff security.
The recommendations on data security require urgent attention from the university: 55% of the
student population is vulnerable to threats under data security. The relevant authorities must act
before irreversible damage is incurred.
Introduction
Federation University and its stakeholders invest heavily in its digital services and infrastructure.
This is evident from the institution’s website, free internet connectivity, the online courses the
university offers and the Ballarat Technology Park. International Business Machines (IBM) has plans
to set up a $10 million structure on the park. However, these advancements in technology present new
loopholes and vulnerabilities for the institution (Aljawarneh and Yassein 2016). The threats come
from both internal and external factors. A foolproof information security plan and policy would
therefore be able to mitigate the existing threats and cater for any vulnerability that may surface
in the future. The areas of interest are data security, internet usage, student security and staff
security (Birk et al. 2016). The emphasis is on data security, as a failure there would result in
greater financial and social damage than in the other areas.
Data Security
Data security can be classified into two major areas, namely data confidentiality and communications
security. As a necessity, Federation University has a website where both students and staff log in
to their respective portals. They are required to provide personal details such as their emails and
passwords, which are meant to enhance the security of their information. These portals contain the
personal details of the users, such as the user ID, address, and emergency and personal contacts. A
hacker acting as a threat agent may decide to carry out an attack through social engineering
techniques such as phishing or pharming. In the case of phishing, the attacker disguises themselves
as a trusted source: the attacker creates a copy of the institution’s original website and hosts it
on the internet. The host name and address of the fraudulent website will be very similar to those
of the original website. The majority of students and staff members will not be aware of the
existence of this fraudulent website and will simply log in using their usernames and passwords.
This information will be collected by the attacker and used for malicious purposes. In the case of
pharming, once you click on the correct website, it will automatically redirect you to the
fraudulent website (Ismail and Ali 2016).
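The similarity between the fraudulent host name and the original one is something a mail gateway or web proxy can check mechanically. The Python code below is an added example, not part of the original report; the portal host name `portal.university.example`, the confusable-character map and the sample URLs are constructed assumptions.

```python
"""Flag host names that imitate a protected login portal (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: placeholder host name; the report does not give the real portal address.
LEGIT_HOSTS = {"portal.university.example"}

# Small illustrative map of characters commonly swapped in look-alike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def skeleton(host: str) -> str:
    """Reduce a host name to a comparison form that ignores common visual tricks."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    host = host.translate(CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason) for the host part of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in LEGIT_HOSTS:
        return "legitimate", "exact match with allow-list"
    for legit in LEGIT_HOSTS:
        if skeleton(host) == skeleton(legit):
            return "lookalike", f"confusable characters imitate {legit}"
        if host.startswith(legit + "."):
            return "lookalike", f"{legit} used as a subdomain of another domain"
        if edit_distance(skeleton(host), skeleton(legit)) <= max_distance:
            return "lookalike", f"within {max_distance} edits of {legit}"
    return "unrelated", "no resemblance to a protected host"


# Constructed sample URLs, e.g. as extracted from mail or proxy logs.
SAMPLE_URLS = [
    "https://portal.university.example/login",                      # the real portal
    "https://porta1.university.example/login",                      # digit 1 for letter l
    "https://portal.unlversity.example/login",                      # one letter changed
    "https://port\u0430l.university.example/login",                 # Cyrillic a (U+0430)
    "https://portal.university.example.account-verify.test/login",  # real name as a prefix
    "https://www.search.example/",                                  # unrelated site
]


def scan(urls):
    """Return (url, reason) for every URL whose host imitates a protected host."""
    flagged = []
    for url in urls:
        verdict, reason = classify(url)
        if verdict == "lookalike":
            flagged.append((url, reason))
    return flagged


if __name__ == "__main__":
    for url, reason in scan(SAMPLE_URLS):
        print(f"BLOCK {url}: {reason}")
```

An exact allow-list match is checked first, so the legitimate portal is never flagged by its own similarity to itself.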
Most of the time, the attackers are disgruntled students or staff members. This is because carrying
out such attacks requires substantial information about the institution. Penetration testing in this
particular area was carried out with the Centre for Informatics and Applied Optimisation (CIAO),
which is a research centre in the institution. The results were astonishing: over 55% of the students
logged into the fraudulent website. The university should formulate an awareness program to enlighten
the students on the existence of fraudulent websites. This could be through internal conferences or
seminars (Sommestad, Karlzén and Hallberg 2015).
This created the need to amend the information security policy on data security. The policy
would be based on the assumption that the attacker is either a student or a staff member.
Development of a convincing fraudulent website would require the attacker to have access to an
unlimited source of information. Therefore, staff members who have been granted access to
crucial information should practice integrity (Iglesias 2016). Failure to do so will result in the
staff member being denied access and may or may not result in the termination of his/her employment
contract. Legal steps will also be taken against the staff member (Yaokumah, Brown and Dawson 2016).
When a student is involved, either directly or indirectly, in the development of the fraudulent
website, he/she will also be liable for punishment. They may or may not keep their status as students
of the institution. They will also be required to write a report to the Dean of Students and will be
suspended for one thousand academic days (Trabelsi and McCoey 2016).
So why is data security the centre of interest? The documents obtained through such attacks,
whether leaked, shared or sold, could severely dent the reputation of the institution (Madadi and
Piroozi 2016). This is significant considering that Federation University is an affiliate of the
Regional University Network (RUN). In 2017, the university was ranked in the top 20% of Australian
universities, with an 83% satisfaction rating from former undergraduate students. These rankings
would also drop significantly. Institutions such as International Business Machines would also pull
out of the institution if their information were compromised (Mingers 2013).
Internet usage and acceptability
In its quest to improve the quality of learning resources, the university provides free internet
connectivity to both students and staff members. This, however, leaves the university in
a very vulnerable state. Attacks involving Metasploit rely on exploiting information of the people
who are connected to the same network infrastructure, such as a router. A student may decide to carry
out a Denial of Service (DoS) attack. He/she will be able to lock other users out of the internet
connection. Personal information such as pictures, contacts, videos, documents and messages can be
collected using Metasploit. If a professor has an examination or future assignment on his/her
laptop and is connected to the same network as an undisciplined student, the student can
access the professor’s laptop and steal the information. This can be sent or sold to other students. This
would in turn reduce the credibility of the examinations given in the institution (Mouratidis and Giorgini
2017). This information was collected and compiled with the Centre for Multimedia Computing,
Communications, and Artificial Intelligence Research (MCCAIR), which is a research centre in
Federation University. The results showed that 85% of the students’ and staff’s mobile devices are
totally secure. This would mean that only 15% of the students and staff members are liable to such
attacks (Lim et al. 2015). This therefore reduces the urgency to address this area of interest. The
university should also encourage the students to protect their mobile devices with strong and reliable
software such as Kaspersky Anti-Virus (Garba et al. 2015).
The policy would cover students caught conducting a Denial of Service attack or a Metasploit
attack. A student caught performing a Denial of Service attack would be required to write a report to
the Dean of Students and would be suspended from using the university internet for the entire academic
year. Students involved in a Metasploit attack would be required to write a report to the Dean of
Students and a letter of apology to the affected person. The student would also be required to return
or destroy all the information collected, whether in digital or physical copy or both. The student
would further be suspended from school for the entire academic year. Students should therefore uphold
decorum when using the institution’s internet facilities (Yasar and Kontostathis 2016).
Student and staff security
Most of the information facilities and infrastructure are shared among the students and the staff
members. These include the institution’s website, internet connectivity, printing services, computers
in the research labs, which have been integrated, and finally the Ballarat Technology Park. The
research identifying the consequential vulnerabilities in student and staff security was conducted
with the Centre for eResearch and Digital Innovation (CeRDI), which is a research centre in
Federation University. The results showed that the institution gives each student a user ID which is
supposed to grant them access to almost all of these facilities. The user ID is used on the website
to log into the student portal, and it is also used for the printing services, internet connectivity
and registering with the Ballarat Technology Park. The user ID is printed on the student’s key card. The key
card is meant to give students security clearance at the school gate and hostels, or access to
restricted areas such as the server rooms for staff members. Around 30% of the students replace their
key cards yearly. The university has a student population of 14,107. The 30% translates to around
4,232 students misplacing their key cards. Based on the questionnaires issued, 65% claim that their
key card was misplaced during the long holiday, while 30% believe that their key cards were stolen.
The remaining 5% is miscellaneous. Further observations and conclusions were made based on the data
that had been gathered. The results showed that over the past two years, 20% of the student
population reported a breach of their personal information contained on the school website. About 88%
of this can be attributed to the disappearance of the students’ key cards. Whether the key cards were
stolen by fellow students or outsiders, this still poses a huge threat to the institution’s security
capabilities. The university should also consider coming up with other innovative ideas and separate
all the exclusive security features from the key card. This can be done by the use of biometrics such
as fingerprint scanners at the school gate, hostels or the Ballarat Technology Park. The user ID
should also not be included on the key card.
The policy would touch on the responsibility of students and teachers when handling the institution’s
property; that is, the key card. A hefty price should be set for the replacement of the key card.
Students are supposed to write a report to the Dean of Students as soon as they realise they have
misplaced their key cards. Any student found with a key card that does not belong to him/her
will write a report to the Dean of Students. If evidence is found linking a student to the use of a
key card that does not belong to him/her, the student will be suspended for the entire academic year.
Staff members who are found to have shared their key card or passwords will write a report to their
supervising officer. Their employment contract may or may not be terminated. This depends on the
scale and subsequent consequences of that misdemeanour.
Conclusion
Federation University should amend its information security policy in the mentioned
areas of interest. The emphasis is on data security, where 55% of the student population is
vulnerable to the threat. However, with the implementation of these strategies and policies, the
credibility, reputation and security capabilities of the institution will be upheld.
References
Abduljabbar, M. and Basendwh, M. (2016). Complications of hyaluronic acid fillers and their
managements. Journal of Dermatology & Dermatologic Surgery, 20(2), pp.100-106.
Aljawarneh, S. and Yassein, M. (2016). A conceptual security framework for cloud computing issues.
International Journal of Intelligent Information Technologies (IJIIT), 12(2), pp.12-24.
Birk, T., McGrady, A., MacArthur, R. and Khuder, S. (2016). The effects of massage therapy alone and
in combination with other complementary therapies on immune system measures and quality of life in
human immunodeficiency virus. The Journal of Alternative and Complementary Medicine, 6(5),
pp.405-414.
Garba, A., Armarego, J., Murray, D. and Kenworthy, W. (2015). Review of the information security and
privacy challenges in Bring Your Own Device (BYOD) environments. Journal of Information Privacy
and Security, 11(1), pp.38-54.
Iglesias, M. (2016). The language tourism market system: conceptualising language tourism.
International Journal of Scientific Management and Tourism, 2(1), pp.25-40.
Ismail, R. and Ali, M. (2016). Workplace Incivility a Hurdle in TQM Practices Implementation in
Higher Education Institutes of Balochistan. Journal of Education and Practice, 7(16), pp.60-72.
Lim, J., Maynard, S., Ahmad, A. and Chang, S. (2015). Information security culture: Towards an
instrument for assessing security management practices. International Journal of Cyber Warfare and
Terrorism (IJCWT), 5(2), pp.31-52.
Madadi, A. and Piroozi, E. (2016). Estimation of soil erosion and sediment yield in Lay Chay basin.
Scientific Journals Management System, 16(42), pp.177-195.
Mingers, J. (2013). The paucity of multimethod research: a review of the information systems literature.
Information Systems Journal, 13(3), pp.233-249.
Mouratidis, H. and Giorgini, P. (2017). Secure tropos: a security-oriented extension of the tropos
methodology. International Journal of Software Engineering and Knowledge Engineering, 17(02),
pp.285-309.
Sommestad, T., Karlzén, H. and Hallberg, J. (2015). A meta-analysis of studies on protection motivation
theory and information security behaviour. International Journal of Information Security and Privacy
(IJISP), 9(1), pp.26-46.
Trabelsi, Z. and McCoey, M. (2016). Ethical hacking in Information Security curricula. International
Journal of Information and Communication Technology Education (IJICTE), 12(1), pp.1-10.
Yaokumah, W., Brown, S. and Dawson, A. (2016). Towards modelling the impact of security policy on
compliance. Journal of Information Technology Research (JITR), 9(2), pp.1-16.
Yasar, H. and Kontostathis, K. (2016). Where to Integrate Security Practices on DevOps Platform.
International Journal of Secure Software Engineering (IJSSE), 7(4), pp.39-50.