Information Security Management
Background to the Case Study Company
FlySafe is a Scottish company which has been operating for the last three years in the private aviation sector where it provides a Software-as-a-Service (SaaS) Flight Management System (FMS) for world-wide operators, corporate flight departments of larger corporations, brokers and fixed-based operators to manage flights on behalf of their clients. The FMS helps organisations manage their flight operations by providing a web-based application where they can sign in to perform a variety of functions such as:
Organisations are not able to create accounts on the SaaS platform directly as this is done by someone from FlySafe’s sales team who onboards them to the platform. FlySafe has currently two front-facing websites:
• FMS web application: hosted on Amazon Web Services.
• The company’s website: hosted on Digital Ocean.
Currently, FlySafe is comprised of the CEO (Director), the CTO (Chief Technology Officer) who also doubles as a software developer, one other software developer and two sales/marketing staff (one of whom is head of
All decisions are made by the CEO who relates to the CTO and head of sales/marketing, before they then talk to their team members.
Before the COVID pandemic, FlySafe maintained an office used by the CEO and CTO while other members of staff worked from their respective locations (scattered across the UK).
However, the pandemic pushed the company to full remote work and this will remain the case for the foreseeable future.
Staff communicate via email (Gmail), WhatsApp and Zoom. Collaboration is done using Confluence (by Atlassian) and the Google doc suite of applications. TeamsID Business Password Manager is used to store the passwords for all software the company has a subscription for. The sales/marketing team uses Mail Chimp for emailing clients and Calendly to schedule meetings with them. The software developers use Trello to manage their software projects and GitHub for source code version control.
FlySafe does not issue work computers to staff. Instead, all staff are expected to use their own devices. This means that staff are now using a combination of Windows 10 (for CEO and sales/marketing), macOS and Linux operating systems (for the tech team).
Last summer, FlySafe recruited a student (intern) from our MSc course for a 3-month placement. The intern was tasked with conducting a risk assessment, which was documented in a risk register (RiskRegister.xlsx) available on Moodle. It includes the following:
- An inventory of the company’s assets (see the Assets sheet)
- A vulnerability scan on the FMS and the company’s website, using Qualys Web Application Scanner (see the Qualys Scan sheet)
- An analysis of risks and suggested treatments (see Risks sheet).
The aim of this coursework is to produce a report, documenting your answers to the following 4 tasks. Your discussion should be explained and justified using evidence from the literature.
Task 1 – Risk Assessment
The aim of this task is to critically appraise the risk assessment conducted by the student.
i. What sources of information would the student have used to identify the company’s assets?
ii. How much do you agree with the “value” assigned by the student to each asset?
i. For the web application (asset A1) and the company’s website (asset A2), discuss whether the student’s conversion of CVSS scores (as provided by the Qualys scanner) into vulnerability values is adequate.
ii. What sources of information would the student have used to complete the vulnerability descriptions and values for the remaining assets (A3 to A19)?
iii. Choose ONE vulnerability associated with any of the assets A3 to A19 (excluding A4), and explain/justify whether you agree with the value that the student assigned to that vulnerability.
c. Threats, Likelihood and Impact:
i. What sources of information would the student have used to identify threats, likelihood and impact?
ii. Would the student have used different sources for different assets? Justify using examples.
iii. What factors would (should) the student have used when estimating the likelihood?
iv. Choose ONE threat in the register and explain/justify whether you agree with the value assigned to its likelihood.
i. Discuss whether, in your opinion, the student has consistently used specific criteria in deciding a value for the “Treatment Option” (Column X of the Risks sheet), i.e., whether risks should be mitigated, avoided, accepted, or transferred. Illustrate your answer using examples from the risk register.
ii. Discuss the advantages and disadvantages of using integer values to calculate risk. Illustrate with examples from the risk register.
Task 2 – Security Controls & Security Program
The aim of this task is to appraise the student’s choice of security controls. While conducting the risk assessment, the student opted for using the ISO 27001 Annex A security controls as a basis for the “Treatment Plan” (Columns U and Y of the Risks sheet). These security controls are listed in a separate sheet within the risk register for ease of reference.
a. Discuss the student’s choice of ISO 27001. Is ISO 27001 relevant and appropriate for the company?
b. Propose an alternative framework and critically compare it to ISO 27001. The comparison must be relevant to this case study instead of being just theoretical.
c. Analyse and discuss the mix of security control types (preventive, detective, corrective, recovery, deterrent or compensating) suggested in the “Treatment Plan” (Column Y) for asset A17 (Software Developers). As part of documenting your answer, copy and complete the table (You may also find it useful to produce visual charts to help you with your analysis).
d. Assuming the student was offered a permanent role within the company (Web Developer and Information Security Officer), produce a security program, in the form of a one-year plan, that outlines the student’s key tasks and deliverables. Briefly explain/justify your program.
Note: Part of your plan should be to consider the implementation/prioritisation of the proposed risk “Treatment Plan” to move from the current position to the projected “Residual Risk” position. For example, explain how to prioritise risks with the same/similar values within the program.
Task 3 – Cryptography
The aim of this task is to appraise the company’s practices in the use of crypto as a key security control.
a. In the risk register, the student identified “Insufficient Encryption” as a vulnerability for asset A4 (customer details). Assuming this related to the encryption of data in transit, explain the reason that led the student to create this entry in the register.
b. Apart from the setting-up of a “Policy on the Use of Cryptographic Controls” recommended by the student in the “Treatment Plan”, what else should the student recommend?
c. While reading an article on the “Panama Papers” breach, the student learnt that the hacktivist who leaked the documents leveraged an SSL cryptographic flaw, known as the DROWN attack. Briefly explain (i) how this attack works and (ii) what the company needs to do to protect against it.
d. While having a chat with one of the software developers (Mike), the student learnt that Mike uses Java 8 in some of his backend coding. The conversation led into a discussion about how to generate pseudo-random data for cryptographic use. Specifically, Mike always makes sure that he explicitly seeds the generator using the setSeed method (of the SecureRandom class) before generating a random value (using a next* method) instead of relying on self-seeding (i.e., using the OS implementation’s defaults). Discuss whether Mike is adopting a secure coding practice. Explain/justify your answer, including bad/good examples of code.
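As an added illustration (not code from the coursework, the risk register or FlySafe's code base), the Java 8 snippet below contrasts Mike's habit of seeding before the first next* call with self-seeding; the class and method names (SeedingDemo, badKey, goodKey) and the seed value are chosen here for the example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: explicit seeding versus self-seeding of SecureRandom.
public class SeedingDemo {

    // BAD: for the SHA1PRNG algorithm, a seed supplied before the first
    // next*() call is the ONLY seed the generator ever uses, so a constant,
    // timestamp or otherwise guessable seed makes every "random" key
    // reproducible by anyone who can guess that seed.
    static byte[] badKey(long seed) throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(seed);            // developer seed replaces OS seeding
        byte[] key = new byte[32];
        rng.nextBytes(key);
        return key;
    }

    // GOOD: let the platform self-seed from the OS entropy source
    // (/dev/urandom on Linux/macOS, the Windows CSP on Windows) on first use.
    // If setSeed() is ever called on such a generator it only supplements
    // the existing seed; it does not replace it.
    static byte[] goodKey() {
        SecureRandom rng = new SecureRandom();   // self-seeded on first next*()
        byte[] key = new byte[32];
        rng.nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Two generators given the same fixed seed yield identical keys,
        // which is exactly the predictability a cryptographic key must avoid.
        boolean badRepeats = Arrays.equals(badKey(42L), badKey(42L));
        // Two self-seeded generators yield independent keys.
        boolean goodRepeats = Arrays.equals(goodKey(), goodKey());
        System.out.println("explicitly seeded keys identical: " + badRepeats);
        System.out.println("self-seeded keys identical: " + goodRepeats);
    }
}
```

Running the class on a Java 8 JDK demonstrates the point the question is after: the explicitly seeded generator is deterministic, whereas the self-seeded one draws its seed from the operating system.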
Task 4 – Recommendations
Propose a set of recommendations to the company to summarise the issues identified in tasks 1, 2 and 3 above. These recommendations should be included as part of your report’s executive summary.