Sandbox Industry Project

  1. Manage contemporary organisational cyber security challenges
  2. Develop problem-solving skills and learner agency that will serve you in the long-term
  3. Work effectively in a collaborative environment
  4. Get exposed to professional practices with support from industry mentors
  5. Enrich your professional profile with industry-relevant experience


Part B: Assignment Format

  1. This assignment is to be undertaken as a group assignment
  2. Team size: 4-5 students
  3. Team formation method: Self-selection (students in the same tutorial)
  4. There are three industry projects available. Your team will be given the opportunity to select one of the challenges on a first-come first-serve basis


Part C: Marking

  1. This assignment is graded upon 30 marks (i.e., 30% of the course total marks)
  2. The marks will be divided into two parts (Project Plan 5%, Final Project Submission 25%) – details can be found in this outline


Part D: Important Deadlines

  1. Team formation: Week 2 Monday, 22nd February 2021, 12.00PM (AEDT)
  2. Project nomination: Week 3 Monday, 1st March 2021, 12.00PM (AEDT)
  3. Project Plan (5%): Week 4 Monday, 8th March 2021, 12.00PM (AEDT)
  4. Final Project Submission (25%): Week 10 Monday, 19th April 2021, 12.00PM (AEST)


* All due dates are set in Australian Eastern Standard/Daylight Time (AEST/AEDT). If you are located in a different time-zone, you can use a time and date converter.


Last Updated 01 February 2020


Step 1: Overview

Your group project is designed as a Sandbox Industry Project (see LinkedIn page and unsw.to/edusandbox). This means you will have the opportunity to learn contemporary knowledge and industry practices by solving real-life challenges together with your peers and mentors.


You will see that solving real-life problems is an inherently complex and messy process, but such a process also offers plenty of learning opportunities. You will learn about agency, collaboration, resilience, creativity, and being comfortable with changing paths where necessary.

Know that in this course, you will have a safe space to experiment, to fail, and to try again because we value the process as much as the outcome. We designed assessments that reward you for your ongoing engagement, persistence and resilience, in addition to the quality of your deliverables.


In order to succeed in this project, you will need to manage your learning process carefully – including demonstrating agency in performing self-directed learning, conducting research, taking initiative, and more. These tasks are expected to take an average of 12-15 hours per week of your time. Now, to get started, you need to first form a team of 4 or 5 and nominate a project of your choice.


Step 2: Team Formation

When tackling major initiatives, companies rely on teams of individuals to get the job done. These teams are often convened quickly to meet an emerging need and work together virtually and sometimes over long distances. Appointing such a team is frequently the only way to assemble the knowledge and breadth required to pull off many of the complex tasks that businesses face today.


Effective collaboration and teamwork are often cited as one of the key factors for a project’s success.

Today, they are also one of the most sought-after skills companies are looking for. In the Information Technology (IT) industry, which is broad and diverse, learning how to work in a team, to communicate, negotiate and solve problems, is particularly important to ensure effective leveraging of different skill sets for greater outcomes. These skills can be as important as your subject knowledge in enabling you to be an effective professional.

In this course, you will have the opportunity to work in a team of your choice to complete the project. The team formation process is detailed below:

  • You will use the Team Formation link on Moodle (detailed instructions can be found via the link) to form your team before the deadline: Monday, 22nd February 2021, 12.00PM (AEDT) (Note: Students who have not joined a team by the deadline will be randomly allocated to teams).
  • You can only form a team with students from the same tutorial. We will have many group assignment related activities in the tutorials, and your team will get the best support when all of you get to work together in the same tutorial session.


We know that teams that have similar expectations, complementary skill sets, and interest in the same topic(s) are more likely to have a successful and productive collaboration. It is therefore highly recommended that you meet with your potential team members (through a virtual group meeting) before finalising your team and nominating it on Moodle. In the group meeting, discuss your expectations, learning objectives, your strengths and weaknesses, and your preferred project topic(s). Please also make sure to discuss the commitment each of you has to the course: is everyone committed to completing this course in this particular term, or could there be changes in study plans?

(Note: while teams are allowed to nominate their preferred projects, the allocation of projects is on a first-come-first-serve basis (see Step 3 below). It is therefore useful to discuss with your potential team members at least your top 2 project preferences.)

You are also encouraged to explore new working relationships with peers you have not worked with before. We have created a Student Common Room on Teams to assist you. You can recruit team members using the room or introduce yourself and request to join a team. The room will also remain active throughout the term – feel free to use it to interact with your peers and make new friends.

Finally, please make sure that all team members are happy with the team formation before submitting it on Moodle. The team formation nomination cannot be modified after the deadline.


Step 3: Project Nomination

Your finalised team allocation will be announced by Wednesday, 24 February 2021, 5pm (AEDT). You will then have a few days to finalise your project rankings with your team members. By Monday, 1st March 2021, 12PM (AEDT), you will need to submit your project preferences on Moodle. There are three industry projects available:

Project Option 1: Let’s Go Phishing (Industry Partner: KPMG)

Project Option 2: Cyber Security Requires Holistic Management (Industry Partner: Ernst & Young)

Project Option 3: Moving to Cloud? Don’t forget Security (Industry Partner: Salesforce)


Please read the detailed project briefs attached to the end of this document to understand more about each project.


The project nomination process is as follows:

  • A project preference template is available for download here on Moodle. Please complete this template with your team members (zIDs are required) ahead of time (i.e., before the deadline below). You will need to rank all 3 projects.
  • A Moodle submission link will be opened on Monday, 1st March 2021, from 9am (AEDT) to 59am (AEDT) for anyone in your team to submit your preferences. Only one nomination per team is needed.
  • You must use the provided template. Your preferences will not be considered if the template is not used.
  • Allocation of projects is on a first-come first-serve basis. To ensure each project is taken by a sufficient number of teams, you may be allocated the project of your second or third preference, depending on the time you submitted your preferences and the project availability.
  • The final project allocations will be announced by Tuesday, 2nd March 2021, 5PM (AEDT). Please note that from this point onwards, teams are not allowed to change their projects.
  • Note: this nomination process is not compulsory. If your team is happy to take on any of the projects, you do not need to submit a nomination. Any available project will be allocated to you.


Step 4: Getting Started with Your Project! 

Yay! Now you have your team and your project. It is time to get started. First of all, read and study your project brief very carefully. These project briefs were prepared by your industry mentors from KPMG, Salesforce and EY – they contain details about the cyber security problem you are going to solve, its significance and relevance in the industry environment, and the expectations. Unlike textbook case studies, these real project specifications will not have step-by-step guidance or a pre-defined solution. They are just like the projects you will be working on as industry professionals – you will need your learning skills, critical thinking and problem-solving abilities, creativity and proactiveness to do well.

Nevertheless, to further support you in this process, we have provided marking criteria below and clearly defined the minimum requirements. Please read and analyse this information carefully. Note that what we provide is the minimum expectation. You can include any content that you deem relevant for your specific project. We encourage you to think outside the box and design your deliverables creatively to showcase your idea and effort. For example, rather than writing descriptions about your proposed security education program, you can present a mock-up of your program, or role-play some relevant training scenarios and report your findings.

While each project has a different problem/topic, all group projects (30%) will involve the following two-part deliverables:

Part 1 – Project Plan (5%) Deadline: Monday, 8th March 2021, 12.00PM (AEDT)

All teams are required to submit a one-page project plan that provides:

  • Name, zID and a one-liner introduction of each team member.
  • A concise statement of the specific objective of your project (for example, “this project aims to develop an intuitive data collection tool for use by business professionals to self-assess their cyber security maturity”).
  • A plan to execute the project to achieve the objective. Your plan should include, at a minimum: (i) action items and brief descriptions, (ii) timeline, and (iii) individuals who will be leading the execution of each item. You can use any appropriate project management frameworks and tools to illustrate the timeline, for example, a Gantt Chart.
  • If you would like to receive more early feedback, you can include a summary of the research you have performed so far, for example, the existing solutions available in the industry and your proposed ideas. But this is optional.

Submit this project plan as a one-page PDF on Moodle > Assessments > Group Assignment Action Items > Project Plan Submission by the deadline. Only one submission is needed per group.


Marking Criteria for Project Plan (5%)

This Project Plan submission is a formative milestone task. It is designed to encourage your team to begin planning for the project, and also for the teaching team to provide early feedback. You don’t need to submit something “perfect” right away; what counts is that your team makes a sincere attempt and learns as much as possible from the feedback given. You can modify your objective and plan as you progress.


Part 2 – Final Project Submission (25%) Deadline: Monday, 19th April 2021, 12.00PM (AEST)

All teams are required to present their solutions in the form of a comprehensive slide deck (20%). There is no word limit for this slide deck, but the page limit is 25 slides, including the title and end slides, but not the references.

Each team is also required to create a 3-minute video pitch (5%) to summarise the project. Include the URL of this video pitch (a UNSW SharePoint link) in the last page of your slide deck (this page is included within the page limit). Please make sure the video URL is accessible by all UNSW email accounts (refer to Moodle > Assessments > Group Assignment Action Items for more video upload instructions).


(a) Overview: Requirements for the final slide deck (20%):

  • The main objective of this slide deck is to present comprehensive information that can be used as a standalone reading resource (some examples include: this and this). In other words, the slide deck is NOT meant to be a presentation – ALL relevant information should be present in the slides (NOT in the presenter’s notes section). The presentation/pitching of your solution is done through the 3-min video, see below.
  • The slide deck should, minimally, (i) analyse and discuss the problem, (ii) evaluate existing solutions and requirements, and (iii) propose a feasible solution and justify its relevance, practicality, and impact. There is no pre-defined structure for the slide deck; you have the flexibility to structure it in a way that works best for you. Nevertheless, a detailed marking rubric (see page 7) has been provided to assist you in preparing the content.
  • Please make sure to include a valid, accessible UNSW SharePoint video URL in the last page (this slide is included within the page limit)
  • A full list of references must be provided as an Appendix (this is not included within the page limit)
  • Only one single PDF submission per group is required


(b) Overview: Requirements for the 3-min video pitch (5%):

  • The main objective of this video pitch is to provide an engaging summary of your team’s work. The pitch should be targeted to senior cyber security professionals and managers – which means your pitch should be concise, logical, professional and free of unnecessary jargon. You should NOT try to cover every detail of your work, but instead highlight the most interesting and significant parts to attract the attention and interest of your audience
  • You can use the same slide deck your team has prepared in (a) or create a simplified version. Using simpler presentation slides will allow for a more engaging pitch, so creating a separate, brief presentation slide deck is recommended
  • Your video must be under 3 minutes. Any content beyond the 3-minute mark will not be assessed
  • NOT all team members have to present in this pitch. It is up to your team to decide how to make the pitch more engaging and to deliver the content in the most effective way. Team members who are not presenting should still help in the preparation of the pitch (for example, scripting and content design)
  • Do not attach the video with your slide deck. You should upload the video to SharePoint (more instructions on Moodle) and provide a URL in your slide deck
  • Please refer to the Marking Criteria (page 7) for more details


After the course concludes, the Top 10 teams (based on the 30% group assignment marks) will be invited to present their solutions to senior cyber security professionals and managers from KPMG, EY and Salesforce in an exclusive industry event. This presentation is not marked, and attendance is not compulsory (though highly encouraged). More details will be provided later in the term.


We release your group project very early in the term so that you can “begin with the end in mind” – as learners, we learn better when we are motivated to find answers to a problem; when we get to apply every new piece of knowledge we gain to solve the problem progressively; and ultimately, when we get to manage and direct our own learning.  

This also means you won’t have all the answers at the beginning, and that is completely fine – many, if not most problems we face in our life do not come with instructions or guidebooks – but we learn and grow as we piece together the solutions.


Marking Criteria for Final Submission Slide Deck (20%)

Columns: Required Content/Objective | % | Below Expectations (FL) | Meets Expectations (PS – CR) | Outstanding Performance (DN – HD)

Problem Solving (8%)

Required Content/Objective:
  • Apply appropriate and rigorous analysis to understand the problem domain
  • Demonstrate capacity for independent critical enquiry
  • Propose evidence-based solutions that are relevant and practical, and clearly address the problem

Below Expectations (FL):
  • Does not develop a feasible solution and/or limited justifications were provided to illustrate the feasibility of the proposed solution
  • Does not provide a solution that sufficiently addresses the right problem

Meets Expectations (PS – CR):
  • Articulates the central ideas and their significance
  • Provides some justification to demonstrate the relevance and practicality of the solution

Outstanding Performance (DN – HD):
  • Clearly discusses and addresses the problem through the application of rigorous analysis and critical thinking
  • Clearly analyses the solution domain and identifies requirements and/or potential use cases; assumptions are clearly articulated
  • Demonstrates innovative thinking; project outputs show plenty of in-depth analyses that support the solution development process
  • Presents a highly relevant and practical solution; provides strong justifications to demonstrate its feasibility and impact

Business Knowledge (7%)

Required Content/Objective:
  • Analyse the problem and discuss its significance through rigorous research
  • Present recent and relevant knowledge to support arguments and discuss them with accuracy and depth
  • Provide knowledge that is relevant for understanding the practicality and impact of the proposed solution

Below Expectations (FL):
  • Does not demonstrate appropriate application of knowledge to rigorously analyse the problem domain
  • Does not identify knowledge that is relevant to the problem and solution domain, and/or adequately justify the impact of the completed work

Meets Expectations (PS – CR):
  • Applies relevant knowledge and sufficiently discusses the problem and solution
  • Provides some synthesis of knowledge, but some discussions are over-simplified and/or lack examples and evidence

Outstanding Performance (DN – HD):
  • Makes clearly informed and effective selection and application of knowledge that is highly appropriate for the project context
  • Uses relevant examples, frameworks, concepts, and/or case studies from course materials AND additional research to provide insightful content that advances knowledge on the problem and solution domains
  • Makes good references to timely and relevant work, demonstrating extensive research, ability to consolidate information from various sources and informed decision making

Business Communication (3%)

Required Content/Objective:
  • Present relevant content that can effectively address the specific target audience
  • Present content in a clear logical flow, effectively delivering important information
  • Effective consolidation of information from multiple sources

Below Expectations (FL):
  • Does not engage the target audience with a sufficiently professional deliverable
  • Does not present discussions in a logical manner; individual parts are not integrated
  • Content is not presented in a way that is best suited to the target audience

Meets Expectations (PS – CR):
  • Deliverable meets basic business communication requirements but does not demonstrate high quality

Outstanding Performance (DN – HD):
  • Harnesses, manages, and communicates information effectively for the target audience, using plenty of examples and evidence
  • Selection of structures is highly effective and demonstrates clear logical flow; writing demonstrates confident control of correct terminology without jargon
  • All information is presented in an engaging manner, with key messages effectively highlighted with appropriate designs

Teamwork and Leadership (2%)

Required Content/Objective:
  • Collaborate effectively in a team to achieve project outcomes
  • Project outputs are well-integrated and presented as a group effort

Below Expectations (FL):
  • Does not present a group effort (e.g., individual parts were submitted without integration)
  • Does not proactively collaborate, resolve conflicts, and/or seek assistance

Meets Expectations (PS – CR):
  • Presents a collective deliverable, but with some inconsistencies in wording, tone, and/or style
  • Lacks logical sequence in some parts

Outstanding Performance (DN – HD):
  • Presents forward-thinking, innovative ideas that are clearly developed through effective collaboration
  • Manages collaboration effectively (including proactively resolving conflicts, if any) to create outcomes that successfully address the proposed objectives
  • Presents a well-integrated output, with consistent wording, tone, and style across all components and a strong logical flow


Marking Criteria for 3-min Video Pitch (5%)

Columns: Required Content/Objective | % | Below Expectations (FL) | Meets Expectations (PS – CR) | Outstanding Performance (DN – HD)

Business Communication (3%)

Required Content/Objective:
  • Present relevant content that can effectively address the specific target audience
  • Present content in a clear logical flow, effectively delivering important information
  • Effective consolidation of information from multiple sources
  • Engaging and professional

Below Expectations (FL):
  • Does not engage the target audience
  • Does not present arguments in a logical manner; communication is unclear for the audience
  • Delivery is not sufficiently professional (e.g., audio too weak, lack of visual aid, etc.)

Meets Expectations (PS – CR):
  • Engages with the target audience but lacks logical sequence
  • Reasoning and evidence are presented but not well organised
  • Delivery is sufficiently clear but time management (e.g., content felt rushed) and engagement need improvement

Outstanding Performance (DN – HD):
  • High quality presentation with clear logical flow and engaging content
  • Topics discussed are relevant for the target audience; effectively highlights the key findings/ideas of the work
  • Presents well-evidenced arguments with accurate and relevant examples

Business Knowledge (2%)

Required Content/Objective:
  • Analyse the problem and discuss its significance
  • Present recent and relevant knowledge to support arguments and discuss them with accuracy and depth
  • Provide knowledge that is relevant for understanding the practicality and impact of the proposed solution

Below Expectations (FL):
  • Does not provide relevant information to demonstrate an understanding of the problem and solution domains
  • Does not clearly justify the impact of the completed work

Meets Expectations (PS – CR):
  • Sufficiently discusses the problem and solution domains with some relevant examples
  • Demonstrates some synthesis of knowledge, but some parts of the pitch are over-simplified, lack examples and evidence, and/or are inaccurate

Outstanding Performance (DN – HD):
  • Demonstrates a very clear understanding of the problem and solution domains with a thoughtfully designed pitch
  • Makes good references to relevant work, demonstrating extensive research
  • Well structured, clearly well rehearsed, good engagement throughout the entire pitch with full clarity of speech


Sandbox Industry Project 1 – Let’s Go Phishing

Industry Partner: KPMG Australia 


Part (A) Project Background

Social engineering, and specifically phishing, is one of the most prevalent sources of cyber security risk. It is the nut that is hardest to crack and the most frequent cause of cyber security incidents, whether in organisations or homes. In this Project, you will be creating a solution to help organisations improve their phishing resilience.

Phishing resilience is the measure of how resilient an organisation is to phishing attacks. It can be measured in metrics such as how many employees click on a phishing URL or open a phishing attachment. It can also be measured with positive metrics such as how many people report phishing emails vs those who fall victim.
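As an added illustration (not part of the KPMG brief), the metrics in this paragraph computed over a constructed set of simulated-campaign events. The precedence rule that a user who clicked and later reported still counts as a victim, and the exclusion of users with no delivery record, are assumptions of this example, not requirements from the brief.

```python
from collections import defaultdict

# Constructed sample of events from one simulated phishing campaign (not real data).
# Each record is one (user, action): "delivered" (email reached the inbox),
# "clicked" (phishing URL), "opened" (attachment), or "reported" (user flagged it).
# u11 has no "delivered" record (e.g. a forwarded copy) and must not skew the rates.
SAMPLE_EVENTS = [
    {"user": "u01", "action": "delivered"}, {"user": "u01", "action": "reported"},
    {"user": "u02", "action": "delivered"}, {"user": "u02", "action": "clicked"},
    {"user": "u03", "action": "delivered"}, {"user": "u03", "action": "clicked"},
    {"user": "u03", "action": "reported"},
    {"user": "u04", "action": "delivered"}, {"user": "u04", "action": "opened"},
    {"user": "u05", "action": "delivered"},
    {"user": "u06", "action": "delivered"}, {"user": "u06", "action": "reported"},
    {"user": "u07", "action": "delivered"}, {"user": "u07", "action": "reported"},
    {"user": "u08", "action": "delivered"},
    {"user": "u09", "action": "delivered"}, {"user": "u09", "action": "clicked"},
    {"user": "u10", "action": "delivered"},
    {"user": "u11", "action": "reported"},
]

# Actions that count as falling victim to the lure.
VICTIM_ACTIONS = {"clicked", "opened"}


def resilience_metrics(events):
    """Return phishing-resilience metrics for one campaign as fractions of delivered emails.

    Assumed rules (this example's, not the brief's): a user who clicked or opened is a
    victim even if they reported afterwards; a "clean report" is a report from a user
    who did neither; users with no "delivered" record are ignored entirely.
    """
    actions = defaultdict(set)
    for event in events:
        actions[event["user"]].add(event["action"])

    delivered = {u for u, acts in actions.items() if "delivered" in acts}
    if not delivered:
        raise ValueError("no delivered emails; rates are undefined")

    clicked = {u for u in delivered if "clicked" in actions[u]}
    opened = {u for u in delivered if "opened" in actions[u]}
    victims = {u for u in delivered if actions[u] & VICTIM_ACTIONS}
    reporters = {u for u in delivered if "reported" in actions[u]}
    clean_reporters = reporters - victims

    n = len(delivered)
    return {
        "delivered": n,
        "click_rate": len(clicked) / n,
        "attachment_open_rate": len(opened) / n,
        "victim_rate": len(victims) / n,
        "report_rate": len(reporters) / n,
        "clean_report_rate": len(clean_reporters) / n,
        # The positive metric from the brief: people who reported vs. those who fell
        # victim. Above 1 means more reported than fell for it; None if nobody fell victim.
        "reports_per_victim": len(reporters) / len(victims) if victims else None,
    }


if __name__ == "__main__":
    for name, value in resilience_metrics(SAMPLE_EVENTS).items():
        print(f"{name:>22}: {value}")
```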


Resource 1: A conference presentation about Phishing Resilience
Resource 2: A recent discussion about phishing and cyber scams

Phishing, at its core, is more of a human problem than a technology problem. Currently it requires individuals to know the signs and recognise phishing. However, the malicious actors that design phishing emails are getting smarter and more professional. They send hundreds of thousands of emails every day, emulating organisations with the goal of duping a percent of those people into handing over their passwords, credit card details or transferring money to them; or installing malware and falling victim to ransomware.

Some malicious actors – the people who perpetrate these crimes – are professional organisations – with technical support teams who answer victims’ ransomware requests, or salespeople who sell tech support for the phishing software they have developed. Others are nation states with sophisticated software designed to slip past even the best organisational security defences through the people to gain intelligence.

Part (B) Expected Solution

Currently, in organisations, we have solutions such as email filters which can block known email addresses, or identify similar properties in emails such as servers, IP addresses and email text. We also educate employees on the common signs and how to report phishing; and we test our cyber security defences to see what can get through and learn from these test (or real) scenarios.

But in this project, we want you to think outside the box and design a solution to improve organisational phishing resilience that either improves on something available or develops a whole new concept. Your proposed solution could be composed of any of the following components, but isn’t restricted to these – they are just some examples to get you started:

  • New technological solutions, including existing technologies that have not been widely used for improving phishing resilience, or new technologies that are in their early stages of development
  • New ways to perform security education, awareness, and training
  • Security governance mechanisms (including policies, procedures, standards and processes) that can significantly improve phishing resilience
  • Existing concepts, practices, mechanisms, or innovations in other fields that have not been adapted in the cyber security or phishing domains
  • New ways of working that can significantly improve phishing resilience


Sandbox Industry Project 2 – Cyber Security Requires Holistic Management

Industry Partner: Ernst & Young (EY) Australia 


Part (A) Project Background

As businesses embrace digital platforms, appropriate cyber security management becomes more important for the long-term health of the business. In this Project, you will play the role of an information security consultant, assessing the cyber security processes of a fictional company. You will dive deep into how decisions are made regarding the implementation, maintenance, and enforcement of cyber security processes, and the importance of taking a “whole of business” outlook to incorporate perceived risks, company strategy, budget, process optimisation etc. in cyber security management.

Company Background

Koala Counters Pty Ltd (KC) is a new start-up company that specialises in counting koalas and wildlife. Their proprietary new Artificial Intelligence means they can count koalas faster than any other company at much cheaper rates. Their technology makes them very useful to businesses involved in environmental science and conservation, but especially government departments such as the Department of Agriculture and Department of Science & Innovation. KC won multiple small projects with private firms off the back of a successful launch and demonstration of their technology, and they adopted a policy of aggressive, rapid expansion to capitalise on this success and maintain their momentum.

KC now believe they are ready for bigger projects and want to bid for a large government tender with the Australian Government Department of Agriculture. KC has contracted you to perform an independent maturity assessment against the Australian Cyber Security Centre Essential 8 (ACSC E8) Framework. In order to hold and process federal government data, and thus be successful in their bid, they must demonstrate sufficient maturity against each of the ACSC E8 mitigation strategies.

In order to understand KC’s current approach to cyber security, particularly around the ACSC E8 processes, you have interviewed a few key stakeholders from the company. Your meeting notes (4) are attached on the next page.


Part (B) Expected Solution

You are tasked with conducting a maturity assessment of KC using the ACSC E8. Your assessment should:

  1. Accurately assess the current state of cyber security processes in place at KC
  2. Propose a target future state for uplift, including the reasons why you are proposing this target state and the benefit for KC to move to this target state
  3. Provide an actionable roadmap for KC to uplift any mitigation strategies that aren’t meeting the required maturity. Your roadmap should clearly show how the steps you recommend will help KC meet and maintain their target state of maturity

Your maturity assessment should be easily understood by a non-technical audience yet should still be sufficiently technical and detailed to properly guide decision making and implementation.

Meeting #1

A meeting was held with the Head of IT at KC, Anne Breach, and her IT Officer, Greg Hacker. Your notes are as follows:

  • Business has 80 employees plus 20 external contractors.
  • All employees use Windows based workstations except for the marketing department who have about 10 iMac workstations. Contractors use their own devices.
  • Business has 5 Windows based servers on-premise and 10 cloud-based servers in AWS.
  • All on-premise servers are backed up bi-weekly to a dedicated on-premise backup server running CentOS.
  • No restores from backups have ever been performed, and checks are performed monthly to ensure backups are running as expected.
  • The Information Technology team has developed an “IT Policy” and “IT Standards” document to guide their control implementation.
  • Application blacklisting is enforced on all employee workstations and servers using Windows SCCM.
  • Vulnerability scanning is performed monthly on all network connected devices.
  • There is a known backlog of critical vulnerabilities to patch, some of them are up to four weeks overdue.
  • Administrative accounts are limited to users with a documented need. Anyone requesting administrative access to a system must send an email with their Line Manager’s approval to the IT Security team. A list of admin accounts (approximately 30) is tracked in a spreadsheet and reviewed annually.
  • Accounts, both privileged and non-privileged, are often modelled on another user’s access when provisioned.
  • All users, privileged and non-privileged, can access their workstations remotely using Citrix by signing in with their LAN ID and password.
  • Macros are restricted in all Microsoft Office programs and require users to enable them before they can run. This is centrally managed through SCCM and Config Manager.
  • Employee workstations come with Internet Explorer pre-installed and employees are required to only use this browser. Internet Explorer is configured to block flash and adverts by default.


Meeting #2

A meeting was held with Chief Financial Officer, Olivia Penny, and Chief Technology Officer, Tyrell Powers. Your notes are as follows:

  • KC exec team (CEO, CTO and CFO) believe that continued rapid expansion is key to gaining control of the market.
  • KC plans to open offices in 3 cities next quarter to facilitate expansion.
  • KC is reviewing budget across the organisation. IT Development and Sales are slated for the biggest budget increases. Most other teams to remain the same.
  • The CFO believes that an overall security uplift is not feasible in this financial year and may conflict with the expansions.
  • As part of the expansion, the CFO is exploring moving on-premise systems to a cloud provider who should provide all the security KC needs.


Meeting #3

A meeting was held with Head of Audit and Risk, Jason Trailing. Your notes are as follows:

  • Jason believes the CEO, CFO and CTO are too preoccupied with expansion and aren't doing their due diligence. He has mentioned this to the CFO, who said they'll "take it into consideration".
  • He has advocated for budget and resource increases for the audit and risk management teams and is quietly confident he'll get more money when the new budget is released.
  • Jason has been handling a lot of work with compliance audits across the whole business. Typically, results are not what they should be, but he is hopeful he can turn this around.
  • Jason believes that cybersecurity is not limited to IT and KC must have a distinct Cybersecurity Policy.


Meeting #4

A meeting was held with the Chief Executive Officer, Kate Eucalyptus. Your notes are as follows:

  • She knows KC doesn't have a handle on managing its cybersecurity risk, but feels that every time she talks to the security team and the Head of Audit and Risk the sky is falling, which doesn't add up given that KC hasn't had a security breach yet.
  • She knows she needs to set aside budget for security for the new expansion plan but doesn't know how much. She believes that the CFO thinks KC is already spending too much on security as a cost centre, while the Head of Security is asking for a budget twice as big as last year's. The security team has given her proposed projects, but she hasn't seen them prioritised and articulated in a way that conveys the business benefit of doing them. To her, it sounds like security just for the sake of security.
  • She has spoken to her peers at other start-ups but has no tangible way to compare KC's security to theirs.
  • She is ultimately responsible for answering to the Board, which has the capability to fire her if the expansion plans don't go according to plan, and is seeking our guidance, as trusted advisors, on what KC should do.


Sandbox Industry Project 3 – Moving to Cloud? Don’t forget Security

Industry Partner: Salesforce (SFDC Australia Pty Ltd.)


Part (A) Project Background

Organisations have adopted cloud services more rapidly during the pandemic than before, attracted by flexible resources and economies of scale. Cloud has become a critical part of IT, and everything in the digital world is connected to the cloud in some way or another.

Cloud security may come across as complex because of the shared responsibility model; however, it applies the same set of security controls that we have always used in on-premise infrastructure, neatly dividing ownership and responsibility so that some controls sit with the cloud service provider and some with the cloud consumer, depending on the service model.

In this Project, you will be playing the role of a trusted security, enterprise risk and regulatory compliance advisor to the CISO of an organisation that has recently adopted a cloud service. In spite of significant investment in and uplift of phishing resilience, this organisation has recently suffered a data breach from a social engineering attack. The perpetrators were able to obtain employee credentials to a cloud-based email, collaboration and storage platform and, using these credentials, download emails, internal memos, confidential client contact lists, etc. and exfiltrate this sensitive data out of the cloud platform. Your CISO is looking to you to assist him with responding to this incident, including deploying the appropriate security controls to strengthen the security of the new cloud model, but also with winning back the trust of customers, shareholders and business stakeholders.


Part (B) Expected Solution

To successfully complete this Project, you will need to propose a sequence of steps that the organisation needs to take, right from the time they discovered that they had been compromised. Given the focus of this Project on the Technology component of cyber security, your proposal will need to, at a minimum, include details on how to run a security health check and its outcomes (e.g., weighted risk scores), how to deploy appropriate technical controls and their implications, as well as what a shared responsibility matrix for a cloud model should look like. Discuss how you prioritise the steps identified in your proposal, keeping the objective at the centre of your solution and maintaining a big-picture perspective. Make sure to also state any assumptions you have made very clearly.

You can take advantage of the Salesforce developer org platform to create a sandbox organisation instance to experiment with a security health check process and the deployment of security controls. Using the platform to test out the implementations of various security controls is an extremely useful practical exercise to enrich your understanding of the process and therefore will allow you to develop a more feasible plan for the CISO.


Supporting Resources and Links

1. Consultation and Advice

Resources will be provided throughout the term to support you and your team in completing this project. We will also have the industry mentors join us in the lectures in Weeks 3, 4, and 5 to discuss the latest approaches, tools and processes in the industry. It is highly recommended that you attend all of these sessions, as you will have the opportunity to interact with your industry mentors and ask questions.

If you or your team need further assistance on your project, please feel free to book a time with your Project Mentor/LIC – Yenni Tim. You can use the Moodle Scheduler to book a consultation session.


2. Dealing with Group Issues

Conflict is almost inevitable when you work with others. People have different viewpoints and under some circumstances, these differences may escalate to conflict. It is common for groups to experience issues at some point. What matters is how you handle that issue or conflict. This will determine whether it works to the team’s advantage or contributes to its demise.

Understanding and appreciating the various viewpoints involved in a conflict are key factors in its resolution. One of the objectives of this project is to help you build communication and conflict resolution skills. Resources are included on Moodle to support you (see Moodle > Assessments).

It is also strongly recommended that you speak to your LIC if your attempts to resolve any arising conflicts are unsuccessful. The earlier we can work together to resolve the issue, the less disruption this will have on your work.


3. Writing and academic support

Smarthinking is the official online writing support service for UNSW, aimed at providing detailed and personalised evaluation of and feedback on your written work. It is accessible online 24/7 from anywhere and provides both real-time and on-demand support. Click on the link below to access the service. Access Smarthinking


Academic support: If you need additional help with writing, referencing, speaking or presenting, the Business School offers individual consultations, online academic writing and communication modules, communication workshops, and additional online resources. Click on the link below to read more about what is available to you.

Read more about academic support


4. Special Consideration

Special consideration is the process for assessing the impact of short-term events beyond your control (exceptional circumstances), on your performance in a specific assessment task. Always seek advice from your Course Coordinator or tutor first, before applying for any special consideration.

What are circumstances beyond my control?

These are exceptional circumstances or situations that may:

  • Prevent you from completing a course requirement,
  • Keep you from attending an assessment,
  • Stop you from submitting an assessment,
  • Significantly affect your assessment performance.


Available here is a list of circumstances that may be beyond your control. This is only a list of examples, and your exact circumstances may not be listed.

You can find more detail and the application form on the Special Consideration site, or in the UNSW Special Consideration Application and Assessment Information for Students.


5. Late Submissions

If you submit your assessment after the due date, a penalty of 10% of your total marks for that assessment will be incurred per 24 hours of lateness (including weekends and public holidays). For example, if you are late by 26 hours, you will suffer a 20% deduction from the score you obtained for the assessment. It is therefore highly advisable that you allocate sufficient time for your submission, as you may encounter technical issues during a last-minute submission.


Final Note – Please Read

Important Note on File-sharing Websites
There are some file-sharing websites around that specialise in buying and selling academic work to and from university students. Examples of such websites include, but are not limited to, Course Hero and StudyMode.

You should be aware that you would be committing plagiarism if you download a piece of work from these websites and present it as your own either wholly or partially. For more information about Academic Integrity and Plagiarism, please click here.

If you upload your original work to these websites, and another student downloads it and presents it as their own either wholly or partially, you might be found guilty of collusion, even years after graduation.

These file-sharing websites may also accept purchase of course materials, such as copies of lecture slides and tutorial handouts. By law, the copyright on course materials developed by UNSW staff in the course of their employment belongs to UNSW. It constitutes copyright infringement, if not plagiarism, to trade these materials.