
IS Security Foundations Case Study

IS SECURITY FOUNDATIONS WORK
The submission word limit is 2000 words. You must comply with the word count guidelines. You may
submit LESS than 2000 words but not more.
You are required to use only Harvard Referencing System in your submission.
Assessment Brief

Section A describes what you have to do as an assignment that satisfies the assessment
requirements of the module. You have to provide answers to a request for information
posed by senior management of a fictional company described in the case study. Their
request consists of a number of questions and your response will go into an advisory report.
- You must provide answers to all the parts specified in Section A.
- The case study can be found in Section B.
- Section C contains an overall marking guide.
Section A: Assignment
The consultancy firm that you work for as an Information Security expert continues to work closely
with the Verdilan group of companies. The consultancy firm has previously advised Verdilan about
raising awareness of IS security, documenting risks and has assisted in the management of a security
incident. The group has received significant financial backing from investors with explicit instructions
from the board to enhance the group’s information security defences.
You will be expected to address Verdilan’s request for information by providing advice on
information security topics, which ultimately will help inform the group’s investment strategy. Your
rationale and discussion must be both understandable to non-technical management and reassuring
to technically minded employees. Through clear, succinct explanations you need to convince all readers of
your document that you, as the IS security expert, have appropriate knowledge and skills. This
includes you being able to cite examples of suitable publications as evidence to support your advice
and recommendations.
The responses you provide must be relevant to the case study. They must not rely overly on
generalities. Examples must be related to the Verdilan Group in the case study and not based on
other situations (although some comparison is acceptable). If you make an assumption about the
case study, then ensure that you explicitly state what the assumption is.
You need to use a minimum of 3–5 references in the report to support analysis, explanations or
proposed solutions. The references may be published standards or research articles.
The title of the assignment is:
Verdilan Group Information Security Advisory Report
The report must be structured in four sections using the following headings:
1. Chief Financial Officer Requests
2. Technology Transformation
3. Database Security
4. References
What you write in each report section must match the requirements for it. Each report section
states the number of marks it attracts.
1 Chief Financial Officer Requests
The Chief Finance Officer (CFO) is not fully convinced about the need for investment in information
security and would prefer to focus on the marketing strategy. The CFO is overwhelmed by the
number of vendor reports about threats and was recently sent a statistical report about different
types of threats.
1.1 In the context of Verdilan’s business role, describe the impact of an information security breach
on the organisation and how a further attack would damage the business to assist in re-focussing
the CFO’s priorities. [10 marks]
1.2 The CFO is interested in deceptive threats but doesn’t fully appreciate the concept and what it
means to her business. You are required to cover three areas to provide advisory assistance: [15 marks]
- Define the cyber threat category of deception.
- Describe the likely consequence of the threat category.
- Describe deceptive attack methods and discuss the different ways they could be achieved in
Verdilan’s environment considering the company’s assets.
1.3 Verdilan want to move away from solely relying on consultancy services for IT security and to
permanently hire an IT security officer. Outline the key IT security responsibilities required of the
role in an enterprise. [5 marks]
2 Technology Transformation
Previous risk assessments by the consultancy firm indicated that Verdilan’s poor management and
operation of on-premise IT assets is one of the greatest risks faced by the company. The case study
demonstrates that Verdilan already consume some cloud services. The company are considering how
to best address this risk.
2.1 Outline the advantages and disadvantages of a technology transformation program that would
see the firm’s IT services being moved entirely to the cloud. [10 marks]
2.2 Identify and describe the key threats to a cloud deployment, considering both existing cloud
services and potential IT services that would migrate from the company’s office. [10 marks]
2.3 Provide advice on good practice cloud security measures that the transformation program would
need to consider. [10 marks]
3 Database Security
The company are concerned about their current lack of understanding of database security.
3.1 Explain how encryption can be used to protect a database architecture. [5 marks]
3.2 Describe ways that a database can be attacked, the consequences for data and propose
countermeasures to secure the asset. [15 marks]
3.3 Outline a security management process that could be followed to improve the security posture
of the organisation’s databases. [10 marks]
4 References [10 marks]
Marks will be awarded for the entire task of formatting, referencing, and use of language including
use of the Harvard Referencing Style.
Section B: Case Study
The Business and its Organisation
This case study describes a 2-year old, medium-sized business in garden work and landscaping, called
Verdilan, which is organised as a small group of companies. The group has 320 permanent staff, with
about 40% employed full-time; at the busiest part of the year another 200 contract staff may be
hired. The business was formed from two existing companies – Felltree and VLI (Verdant Landscape
Innovations) – with different histories and organisational culture. These two companies generate
revenue by selling services to customers. VLI also sells some products. These original companies
(Felltree and VLI) became subsidiaries of a holding company, and a third – Verdilan Services – was
added over time to provide shared services, like IT. The three subsidiaries operate, in effect, as
different divisions of Verdilan and plan to maintain their separate identities and brands until the
whole business becomes more mature.
The Felltree subsidiary is a service business that clears land of unwanted or problem trees, shrubs,
hedges, and other planting. Felltree started 4 years before and originally worked only in domestic
settings, but since becoming part of Verdilan it has been successfully expanding into large-scale
projects and ongoing programmes of work, clearing land for construction companies, maintaining
campuses for universities and hospitals, and working for local councils to maintain parks and other
public spaces. Whereas for domestic projects, Felltree is the main contractor for a client, for
commercial projects or maintenance programmes it is often a sub-contractor. When a client requires
new planting after it has cleared a site, Felltree often needs to sub-contract to a horticulture or
landscaping company to re-plant the site, and often uses its sister company VLI.
For over twenty years the VLI subsidiary developed a thriving business in large-scale landscaping
using ethically managed plants and organic fertilisers and treatments, several of which it developed
itself. Because of the success of the organic products, for the past two years VLI has been
increasingly focusing its R&D on organic products for other landscapers to use as well as itself. Now,
the services VLI provides to its customers are often consultancy services, rather than all being about
sourcing plants and planting them. It frequently acts as a specialist subcontractor to Felltree, when
Felltree’s contract with its customer involves new planting.
Verdilan Services is an internal division of the group that does not interact directly with customers,
except for drawing up service contracts and issuing invoices to customers of the other subsidiaries. It
was formed in the past year to (a) provide common administrative and IT services to Felltree and VLI,
and (b) reduce costs in the group overall by developing common policies and processes and
employing expertise that both subsidiaries can share.
There is one management team for the whole group. It consists of five directors: the three founders
(two who created Felltree, and one who created VLI), a new MD (managing director) and a new CFO
(chief finance officer). There is no director who is a specialist in IT, and none of the directors have
any real expertise in IT, so the CFO takes on the IT leadership role for the group.
Use of IT in Different Divisions
The CFO is ultimately responsible for the IT services provided to the group. As with the creation of
service contracts and invoicing, her aim is to streamline the IT used internally and to safeguard the
business’s assets. There is considerable IT diversity in the business, and she believes that this will
need to be reduced to some extent. Two IT helpdesk technicians support the entire IT needs of the
group. They report directly into the CFO.
VLI, the older of the divisions, has used internal computers since it was founded, but no particular
principles or policies were used in the purchase and use of computers, which were relatively
expensive when VLI started. Hence, purchases, and subsequent integration was done in a haphazard
way. Most computers are office-based desktop computers, mostly Windows computers running a
variety of versions of the operating system dating as far back as Windows XP, but some are Macs,
and several are scientific workstations (generic PCs, typically running Linux). VLI’s email service was
originally provided via an internal server, and although all members of staff in the group now use an
external Exchange server via whatever client mail application they prefer (on their desktop
computers, laptops, tablets and phones) the old mail server still works and some people use it
almost as a private server.
Many of the senior staff in VLI would not describe themselves as ‘tech savvy’. They do not think about
IS security. A quarter of the staff members are scientists who use Unix and Linux systems and are
used to managing their systems without the interference of others. They will write scripts in a variety
of scripting languages and use C, C++ and Java for programming.
When Felltree started, it mostly used web services to run its business, and the processes and
systems for the business are still mostly web-based. Since most of the Felltree team members are
often out of the office, working on sites or visiting clients, they are more comfortable with tablet
computers, smartphones and laptops, almost always connected by wi-fi when it is available or by 3G
or 4G mobile phone services. The Felltree team uses WhatsApp, Skype IM and text messages as
much as email, and each member of staff uses their own favourite apps. The entire team uses
Trello for project management. The only people in Felltree to use desktop computers are the graphic
designers and website developers. They use iMacs. The website developers code with HTML, CSS,
PHP, JavaScript and JQuery.
Although all the members of Felltree have Verdilan email accounts on Exchange, the name “Felltree”
is still seen as a strong brand and most of the original team, including directors, use a “Felltree”
email id, with email services provided by the hosting service that runs the company’s website.
Felltree staff are generally younger than their colleagues and are very ‘tech savvy’. They are used to
finding out what works for them and then as a group will discuss (probably using external social
network technology) and agree to use a tool like Trello, but they are less inclined to follow rules for
the sake of following rules.
Since the creation of Verdilan services, there has been a more systematic approach to IT across the
group and common information systems are beginning to take over in all the subsidiaries, but the
CFO often does not have the time or staff to consult others on new policies and supervise the
implementation of the planned changes. All staff in Verdilan Services use Windows 10 laptops and
smartphones of their choice that integrate using Microsoft Office 365. One change that Verdilan
Services would like to see, is the entire group standardising on the use of cloud email and
collaboration tools like Office 365, Dropbox, Box, or Google Docs, but it is concerned about security
and has not decided which to use. The CFO would also like to procure a VOIP service, but this is not a
high priority as most staff and customers use mobile phones. The company does not supply or
corporately manage mobile phones; it does supply, but does not manage, iPads with cellular
connectivity, because of their use on customer sites, especially by Felltree.
Overall Use of IT/IS
IT is an integral part of the business, but is used in different ways in different divisions and not all
users would recognise the information systems they use. Information systems are used for at least
the following across the three divisions/subsidiaries (nobody is quite sure what is used where):
1. producing, disseminating and managing marketing content (e.g. via the Web and social media);
2. customer relationship management (CRM) database, both for existing clients and for prospective
clients;
3. email, instant messaging of various types, VOIP and video-conferencing, e.g. via Skype;
4. financial management, e.g. for modelling and forecasting, budgeting, procurement, invoicing and
payments, paying taxes (including PAYE), employee national insurance, and insurances; (Databases
are utilised for this).
5. governance and administration, including management support, contracting;
6. human resource management, specifically for staff, sub-contractors, and casual workers;
7. sales management, including recording sales opportunities, prioritising, pre-sales support, and
after-sales care, exhibitions and local sponsored events;
8. operations, e.g. assessing proposed projects, scheduling, planning, resource allocation, hiring and
maintenance of mechanical and electric resources.
The Suppliers
There are several IT suppliers that the company management has chosen to provide services within
the group, as in the following list. Other suppliers of ad-hoc purchases by the different divisions are
not included.
- GreenCRM – suppliers of the CRM system used by the group; GreenCRM supplies tens of
thousands of companies across the world;
- KeepConnected – a provider to all the group of Microsoft email and calendar services via an
external Exchange server;
- Microsoft – provides Office 365;
- PayUS – an online payroll and expenses service used by the group, except VLI, which is still
partially using its own systems developed 10 years ago; PayUS is a UK-only service with
hundreds of SME clients.
Network Facilities
All processing devices – computers, tablets, phones, the server and printers – are connected to a
LAN and then to the Internet, by either Ethernet cables (the desktop computers) or Wi-Fi (all
portable devices). The network operates throughout and between two adjacent buildings, one being
a large warehouse. The premises are located in a rural business park with little 4G phone coverage. A
number of switches are used in the cabled network.
IT Problems and Concerns
A number of concerns have been expressed by Verdilan’s management, its advisors, and by staff.
These problems, or potential problems, have been articulated in response to incidents that have
occurred over the past 4–5 years and affected either part of the business or individuals, often
before the current company structure existed, and mostly in VLI. The problems include:
- a concern about theft of a product design in VLI when a competitor product appeared that
resembled an early design created by VLI;
- the IT administrators are responsible for approving requests for permission changes on file
servers using discretionary access control (DAC);
- the loss of a number of laptops and iPads containing customer information and commercial
data;
- the old VLI server that is still used as a shared file store and to run some printer services;
crucially it contains information on much of the companies
- an attempt by an outsider to impersonate the MD by email and approve an emergency
payment of a lost invoice;
- a DoS attack experienced by the suppliers of Verdilan’s email and calendar services that
affected Verdilan for two days one summer, their peak business period.
Uncertainties and Assumptions
The relatively new Verdilan Services division is trying to document the group’s IT and IS assets, but
progress is slow. Staff often bring their own devices to work and use them for some special reason,
e.g. a project manager will bring a home laptop to work after spending much time working at home
on a difficult scheduling problem. In VLI there are an unknown number of discarded Linux-capable
computers that are sometimes used to create a temporary grid facility to run computationally
demanding software. In dealing with the Verdilan Group at this stage of its development, many
assumptions will need to be made.
Disclaimer: the business described is fictitious and no companies with the names Verdilan or Felltree
are known to exist. Furthermore, the names GreenCRM, KeepConnected and PayUS are made up for
this assessment. Any similarity with real companies or their businesses is wholly accidental.
Section C: Assessment Marking Guide (Student Version)
The assignment is marked out of 100. The following table shows the mark allocation and the
approach required.
Appendix A – General Grading Criteria