Where is it? A Simon. So I've added some more instructions. So let's briefly go through what the first steps are. Read through the instructions. Here you need to write about attacks on SIT. So there's some ethics thing that we've mentioned at the start of the course, but basically don't do any attacks. Just think about them. Design them. And I think there are many simple things that you can think about that you can perform an attack on SIT. So read through that. Don't capture other traffic. Don't try and guess other people's passwords. Just if you want to test something, use your virtual network. You can use that to test some attacks. You have your groups, three tasks. First one is categorizing information systems. So we'll talk a bit about each. And I'll go through an example of there are many standards or guidelines for how to analyze the security of a system, to look at the risks involved, to classify the features of different systems. And one organization that creates many popular standards or guidelines is called NIST, the National Institute of Standards and Technology in the US. And they have many documents that talk about ways to make your organization secure. Secure information systems. So you'll see many references to NIST documents. FIPS, some federal standard in the US, FIPS 199, SP, some special publication with many different numbers they have. So what your task in the assignment is to first think about SIT and think about the information systems. What's an information system? Think about as a student, the different computer systems that are available in SIT and that to use and store some information about students, about faculty, about other things. I'll give you some examples in a moment. Think about those information systems in SIT and then categorize what their requirements are in terms of CIA. Your first exam question. Confidentiality, what's I? Integrity, A, availability. Okay. 
So the general requirements, we will be confidentiality, integrity, availability. Then the next task will be to go through and look at the SIT information assets in SIT and think about the risks from a security perspective. And there's some methods for doing risk analysis for security systems, and that's what SP 800-30 describes a methodology for doing risk analysis. Very complex and long. And then think about some controls to reduce the risks. So we talk about we use mechanisms to implement some security controls to reduce those risks. So attacks are unlikely to occur. We can't always remove all risks. We try to reduce them. And there's another document that lists many different controls that are available. I've tried to summarize the way to categorize information systems to do a security risk analysis and some of the controls. So of these large documents, which are hundreds of pages long, I've tried to summarize the procedure into this overview which you have in front of you. To make it a little bit easier, let's open up the one you have in front of you. This summary of the procedure that you can go through. And I've taken a lot from those documents as well as from the textbook. It's what this is. It's a summary from those. I'll not go through all of it. You need to read it. For the first task, classify the different information systems in SIT. And this is what I want you to do in the next week and submit something in the next week. It's very easy. The idea is that we think of an information system like the grading system in SIT. Let's say there's some system for maintaining the grades for all students. We think about the different types of information in that system. Okay, the list of student names and IDs, the grades, the courses, so the information, and then we think about with respect to CIA, Confidentiality, Integrity, and Availability. If that information is compromised in some way, what impact would that have on the organization? 
And so what's the potential impact on an organization or individuals if some security breach occurs? With respect to each of these. And we will classify them as either low, moderate, or high. That is, if we have some information and someone, it's supposed to be confidential, but someone gets access to it, what impact does that have on SIT? Or on the student. That's what you need to think about. And then give some classification. Is it low impact, a moderate impact, or a high impact? And give some description here, very broad descriptions. The other documents give some more detailed examples. And then we categorize the security for each information type. And let's go straight to an example, which is here. I've done an example. Let's say we have any the student, some system called a student management system, which contains two types of information, at least two types. Grades and student contact information, like your address, your phone number, and so on. So we say there are two information types, the grades and the contact info. Let's treat them separately. And for each of those types of information, we look at the potential impact if that information is breached somehow. With respect to confidentiality, integrity, and availability. So with respect to grades, let's say there's a database that stores all of your grades. What happens if someone gets access to that? Breaches the confidentiality of those grades. What's the impact if someone from outside of SIT can see your grades? So from the perspective of confidentiality, you consider the impact. In this example, I say, well it's a moderate impact. It doesn't mean SIT has to shut down. It means that someone has seen the grades of the students. Not too bad, but not nice because that information should be confidential because it's private information to you. You don't want it to be published on the web that you've got Fs in all of your courses. It can be embarrassing. So you give it some impact, low, moderate, or high. 
There's no one correct answer. I want you to think about the impact. That's if confidentiality is breached. Someone reads the values. What about the integrity of the grades? What if someone can access the database and change the grades? Impact high. If someone can access and change all the grades from Fs to A, then that's a very bad situation for SIT and the individuals in SIT. So integrity is very important. So the impact is high in that case. What about the availability of this information? We have a database such that students can access it and see their grades. What if someone does a denial of service attack and means for a week that those grades are not available to the students to access? Inconvenient? Yes. Doesn't mean SIT needs to shut down? Well, probably not. Making the grades available to people to read. In many cases it's not so important. We usually only need them at the end of the semester or when you create a transcript, for example. So maybe the impact there is low if the availability is breached. So this is the security categorization of the grades information. Then do it for other information types like contact information. All right, it should be confidential. But again, if someone finds your phone number, privacy not so good. Does it mean SIT is going to fail? Well, probably not. Integrity, what if someone accesses and changes your phone number? Well, maybe not cause any problems. So classification of low. Availability, maybe low. It doesn't matter so much if it's unavailable for some limited time. So think about the information types and then give some classification of the impact. And again, there's no one answer. People may have different answers and it's okay. That's of the information types. Then we consider the entire information system. The grading system or the student management system includes both the grades and the contact info. So of the student system, we give an overall impact. 
And the way to calculate it is that we look at confidentiality for each of the information types in the system and we take the highest value. So with confidentiality of grades, moderate impact, contact info, moderate, therefore for the system, moderate. Integrity for grades, high, contact info, low. For the system, high. It's the maximum of the values of the information. Saying that for this system, we need to make the integral. If the integrity is compromised for this system, there may be a high impact because it may be the grade information. So we take the highest of these really. And low and low of course produces low here. So that's easy. Once you've given some categories for each information type, you can determine the categories for the information system which contains that information. That's your first task in the assignment. And you can read in the assignment instructions. I give a template. Nothing special, but just so you can produce it in some format. So just an example. Sorry, let's zoom in. Almost done. So this is what you'll submit for task one. For your group, your group number, your names. I just need your first name so I know who's in the group. Then think about all the information systems with respect to SIT. Give them some name. The grading system. As an example, you may give it a different name. Give it a description. What do you mean by this system? What is it? And what types of information are in this system? Grades of students. Student ID numbers. So list the information types in the system. And then for another system in SIT, maybe the payroll system. So there are staff, faculty members that get paid. That's another information system. Separate from grades. There's no connection really there. But it's another information that's important to the operation of the organization. What information is in there? Okay. Staff contact info. Staff bank account. Staff salaries. That would be an accounting or payroll system. And then do that for others. 
Websites. Servers. Different, maybe a library. So different. Think of all the information that SIT maintains about you and about employees. And list them. Then of all the information types that have multiple, categorize using this approach for the information type. Maybe describe it. And just give this equation that says confidentiality, integrity, availability, and choose an impact. Easy. Low, moderate, high. It's the process of thinking about it that's important in this task. Do it for all the information types. And once you've done that, you determine the categorization for the different information systems which is just combined from the information types. You take the maximum for each of the information types and you get the impact here. Task one done if you can do that. I want you to submit by next Thursday your initial draft of this. Okay? So it will not be graded, but I'll give feedback on it if you submit. So if you don't submit, you won't get... Well, there will be no feedback on what you've done. But if you submit online, then I'll give some feedback to the class and maybe individually saying, yeah, this is on the right track or this is wrong. Okay? So just to force you to start doing something. And then we'll talk about task two and task three in more detail. They will follow on. Systems, I don't know. How many are there in SIT? Approximately more than three, less than 20, I guess. I would think so. I think you can easily think of more than three. I've given you two examples. Sometimes you can break them into more specific information systems. You can think of others, I'm sure. So you don't have to get them all. Okay? There's no complete set of information systems. So someone may have seven and someone else may have 10. And there may be some overlap, but there may be some distinct ones there as well. That's okay. But just try and think about different ones. 
It's a good exercise because it forces you to think about, well, what does SIT store about you in terms of information? And where do they store it and how important is that information? So think about it from a student's perspective, but also try and think you're an employee at SIT, a staff member, a faculty member. What information do you think that needs to be stored about them? Any other questions? No, this is just a thinking exercise. You don't need to really know much more than you already know about SIT because I think you can guess that with employees, there's some payroll or accounting system. Okay? With students, there are other information systems. Think about websites, servers, things that users access to find out about SIT, things that are needed to manage the organization. So it's just a thinking exercise. You don't need any software to do this. Any other questions? Okay. That will get you started. Again, read through the rest of the tasks, but once we get some feedback on task one, then I'll explain further about task two and then task three. We can do it in stages. The next task two is about risk analysis. So again, read through this overview, the one you've got the hard copy of. It looks complex at the start, but you find it's not so hard. There's a lot of information in these tables copied from the other source documents. Browse through them. You don't need to remember them all. It just gives examples. And then we'll explain how to use that.
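The high-water mark rule from the lecture (rate each information type Low/Moderate/High for C, I and A, then take the maximum per objective for the system) as a small added example, not part of the lecture material; the student management system with its grades and contact-info values is the worked example from the talk, and the `SC system = {(C, x), (I, y), (A, z)}` output format is the notation FIPS 199 uses.

```python
"""FIPS 199-style security categorization of an information system.

Each information type is rated Low / Moderate / High for confidentiality,
integrity and availability. The system's category for each objective is the
highest rating among its information types (the "high-water mark").
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")          # ordered least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        """Impact level for one objective, validated against LEVELS."""
        level = getattr(self, objective).lower()
        if level not in LEVELS:
            raise ValueError(f"{self.name}: bad level {level!r} for {objective}")
        return level


def categorize_system(info_types) -> dict:
    """{objective: level} for a system: max over its information types."""
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    return {obj: max((t.impact(obj) for t in info_types), key=LEVELS.index)
            for obj in OBJECTIVES}


def overall_impact(category: dict) -> str:
    """Single highest level across C, I and A for the whole system."""
    return max(category.values(), key=LEVELS.index)


def format_sc(system_name: str, category: dict) -> str:
    """Render in FIPS 199 notation: SC name = {(C, x), (I, y), (A, z)}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in category.items())
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: the lecture's student management system example.
STUDENT_MANAGEMENT_SYSTEM = [
    InformationType("grades", "moderate", "high", "low"),
    InformationType("contact info", "moderate", "low", "low"),
]

if __name__ == "__main__":
    cat = categorize_system(STUDENT_MANAGEMENT_SYSTEM)
    print(format_sc("student management system", cat))
    print("overall:", overall_impact(cat))
```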