Enterprise Security Case Study
Case study report
Provide a security architectural design for the Logical and Higher Schooling (LAHS), a NSW department of the Ministry of Education, whose brief it is to provide a range of tertiary courses in the field of applied technology. LAHS is currently implementing new IT systems, something
that also requires a complete overhaul of their IT security. This latter task is your responsibility. LAHS is worried about several security issues:
- Compliance with departmental security policies and privacy legislation,
- Cybersecurity - attacks from external sources, as well as from internal sources (rogue students),
- Confidentiality of student records,
- Protection of LAHS computer systems from inadvertent damage.
LAHS NSW has IT systems in all of their offices:
Head office 1 - central administration of staff and students, central office systems
Regional offices 8 - student records, regional office systems, payroll
Regional campuses 40 - IT teaching laboratories, staff workstations, local office systems (file servers, printers)
Components to deliver:
- High-level security architecture (SABSA contextual and conceptual levels). I suggest that you use reference architectures if you can find these. The purpose of this work product is to show what types of security services you intend to provide, what types of networks and servers are required, for each type of location (head office, regional office, regional campus).
Indicative example only:
You will need to make reasonable assumptions about sizing, capacity, etc. of the various IT systems, and you need to provide a design for best security practice, i.e. cost is less of an issue than having security exposures and weaknesses.
- Detailed (SABSA logical level) security architecture for each type of office (HO, RO, RC). This will include specific details of what security services you will provide at office type, what networking you will provide, what application systems you will be protecting, what tools you will be using.
- Detailed design (SABSA physical level) for HO, 1 RO, 1 Campus. This will include security equipment, networking devices, storage sizing, management tools, operational components for the detailed security architecture.
- Costing estimates (both labour, hardware and software, both for implementation and operation)
- Planning estimates with enough detail to show estimates at the equipment installation level
- Resourcing estimates
For these latter components, you would benefit from using the SABSA Framework for Security Service Management.
Use the SABSA framework as a guide for your work products. Concentrate on the How, Who and Where (Process, People and Location) columns. You will need to describe the existing LAHS IT systems for which you will need to provide security services based on your security architecture. That means you have to do some research about how an organisation like LAHS would be running its IT systems and what they would consist of. TAFE NSW or equivalent departments in other states could be a good starting point...
Deliverable work products:
Included in the set of work products you need to produce are:
- Business requirements and risk assessments on which you will base your designs.
- Use cases - to describe interactions between LAHS users, systems and subsystems.
Indicative example only:
- High-level security architectural diagrams and explanatory notes. See point 1. above under components.
- High-level logical network diagrams - you should have one each for HO, one for an RO, and one for a Campus. These should show what security systems you plan to implement, and where they are located in relation to the network, and to other TAFE IT components.
These should be accompanied by descriptions of the detailed security architectures they depict.
Indicative example only:
- Description of the security services you are planning to provide, why, and where they will be located in relation to the LAHS IT systems and networks.
- Equipment lists describing what equipment you will be implementing to provide these security services.
Due date: Week 11 ,Friday 5 pm
Format: report, suggested length 40-50 pages (incl. diagrams and tables), in a standard report format, in a paper-based format
This work is worth 40% of the final subject mark but will be marked out of 100.
Marks will be awarded for:
- Report format and style - 10
- Thoroughness and reasonableness of your assumptions - 10
- Application of use cases to your assumptions - 10
- Linking of business requirements to your solution - 10
- Consistency between high-level architecture, detailed architectures and detailed designs -10
- The relevance of your architectures and designs to business requirements and use cases - 15
- Delivery of all required work products and completeness of your solution - 20
- Proof of application of security best practice in your solution -15