Student Guide & Problem Statement

Emergency service (fire service)
Problem Statement & Student Guide
Version 4: 7th January 2016
Scenario description
Turing Hill Fire and Rescue Service (THFRS) is responsible for the Turing Hill Metropolitan
County, a large urban conurbation in the North of England. It has always sought to exploit
technology, both to improve efficiency and to improve safety for its officers.
Information about commercial properties which can be used to establish safety and fire
risks (Site Specific Risk Information) is collected from a variety of sources, including
surveys by fire officers, fire measures in place, construction and CAD drawings of
premises. This information is critical to establish the risks should a fire occur at the
premises, and is held at the THFRS Data Centre. It is clearly vital that such information is
not out of date.
Each fire appliance carries a Mobile Data Terminal (MDT) which provides (offline) access
to the key risk information and standard operating procedures for the fire type. The MDT
is synchronised with the THFRS Data Centre while the appliance is in its base fire station.
Senior officers take charge of larger incidents, and there is a requirement for them to
have access to this risk critical information at the scene of incidents together with access
to standard operating procedures. This information was carried in paper form in an
officer’s car. This manual system made it difficult to ensure information was current and
the volume of material carried also posed difficulties for rapid access.
A new system is to be introduced, where senior officers have mobile devices, connected
by a 4G mobile phone network to provide real-time access to data held on THFRS network
via Microsoft SharePoint. This enables officers to be fully informed of necessary
information whilst they are managing the incident and ensures information is up-to-date.
After consultation with business users, the mobile device selected was the Apple iPad,
though this was not the preference of the ICT department.
Learning Outcomes
On successful completion of the scenario, students will be able to:
1. Articulate the major security risks and legal compliance issues for a Fire and Rescue
2. Identify and justify technical controls for securing remote access and data
3. Explain the key features of ISO27001 and risk assessment
4. Explain key features and requirements for an Information Security culture and
suggest activities for developing it.
5. Identify and outline key policies required and HR processes.
Your Task – Stage 1
You are the newly appointed Chief Information Risk Owner for THFRS and you are
concerned about the additional risks that will occur when using this mobile platform. Your
discussions with your new colleagues and your boss give you a fair amount of confidence
that security is taken seriously and the back-end controls seem appropriate.
However, before addressing the risks associated with the new system, you decide that it
would be sensible to ensure the organisation is fully compliant with the UK Government’s
Security policy framework (Cabinet Office, 2014).
1. Identify a list of the checks that you need to make for an initial audit.
You have some limited experience of ISO27001 in a previous role, and whilst you are not
(at this stage) considering certification against the standard, you would like to know how
well THFRS’ Information Security Management System (ISMS) aligns with ISO27001
2. What are the checks you would make to ensure that there is overall alignment?
 A Report and presentation addressing all of the above points.
Your Task - Stage 2
Having been satisfied that THFRS’ ISMS adheres to current good practice, you turn your
attention to the new risks associated with using iPads to access potentially sensitive data
in real time over a 4G network. Furthermore, you discover that, to gain maximum
benefit, the mobile devices are also used for usual day-to-day business functions including
email and calendar and that users will also be allowed to use the devices for their
personal use!
You therefore create a working party to perform a risk assessment for this system.
Your terms of reference are:
1. To identify the threats, vulnerabilities and associated risks with utilising iPads in
this way.
2. To propose a set of controls that are cost-effective in mitigating the risks within
acceptable limits for THFRS.
3. To identify any potential commercial products that could meet these
 A Report and presentation addressing all of the above points.
Reflection on Learning
It is also important that at the end of the scenario you should reflect on your learning and
team working and identify what worked well, what didn’t and actions for future
The Consulting Process
One of the benefits of Problem-based Learning is that you learn professional skills as well
as technical knowledge. The process we ask you to follow to explore and provide
solutions to the problem also mirror those used in consultancy.
In order to assist you with the process, the following table shows the activities we would
expect you to complete in your PBL team. You should read this carefully and make sure
you are familiar with both the generic activities (in column 2) and the specific ones in
column 3.
Steps 1 & 2 will be conducted in the first PBL tutorial.
Step 3 a) and b) comprises your individual research, and summarizing your learning.
Step 3 c) takes place as a sharing and teaching session at the next tutorial. This process of
sharing and teaching others is extremely beneficial to your own learning.
Step 4, 5 consist of team work and whilst they are logically distinct, they may take place at
the same meeting as stage 3c) depending on the schedule of meetings.
Step 6,7: In this Scenario you will not be planning or implementing a solution, so these
steps are not undertaken in this scenario
Step 8 should be completed at the end of the scenario, both individually and as a team, to
identify what you’ve learned and how you can improve your learning and team
performance in future.
Your tutor/ facilitator will discuss it with you.
The CSKE Consulting/ Learning Model
Problem-solving model
organizational history
and context
What PBL normally includes’
Determining the problem
to be resolved
Scenario analysis
Socio-technical organizational analysis.
Clarification of ambiguities
Requirements Analysis: identify key
Simulated consultation with
stakeholders (e.g. through role-play
and/or online interaction).
Reviewing technology/ processes in
What you will be doing at each stage
Identifying/ learning
necessary knowledge
Identifying alternative
Choosing optimal
Planning the
Determining and agreeing evaluation
criteria and process.
Identifying technical possibilities,
considering acceptance issues and
organizational fit.
Facilitator Guidance.
Deciding on best technical,
organizational and social outcomes.
Proposing solution with justification
Individual research & learning to
resolve knowledge gaps.
Individually creating summary of
learning and how it applies to the
Team sharing learning/ teach each
Determining evaluation criteria through
team discussion.
Team identification of options
considering acceptance issues and
organizational fit.
Facilitator Guidance.
Team decision and justification.
Produce Report.
Presentation to tutor in role of main
Team evaluation of performance and
project success.
Individual reflection on personal
learning & development.
Applying planning and scheduling
Proposing plan and deadlines.
Building the solution (if appropriate).
Deploying the solution (if
Formal evaluation methods re project
Personal reflection and evaluation.
Individual research & learning to
resolve knowledge gaps.
Summarising & reflection.
Teams share learning.
Final evaluation
Team review of scenario: identifying key
Identifying learning goals.
Team publish action list & summary in
Identifying learning goals.
Facilitator Guidance.
Individual and team review of scenario
text and video resources.
Team discussion.
Clarification of ambiguities with
There are a number of resources available to you:
Alnatheer, M., Chan, T. & Nelson, K. (2012) Understanding And Measuring Information
Security Culture. Proceedings of the Pacific Asia Conference on Information Systems
A useful review of Security culture factors, followed by development of metrics,
which are probably less useful for this task.
British Standards ISO 27001 Overview: [Last accessed 22-Nov-2015]
A very useful introduction to ISO27001, before looking at the standards
documents themselves.
Cabinet Office (2014) Security policy framework: [Last accessed
The security policy framework describes the standards, best-practice guidelines
and approaches that are required to protect UK government assets (people,
information and infrastructure).
It focuses on the outcomes that are required to achieve a proportionate and riskmanaged approach to security that enables government business to function
effectively, safely and securely.
Home Office (2013) Emergency services mobile communications programme: [Last accessed 22-Nov -15]
The emergency services mobile communications programme will provide a new
communication system for the 3 emergency services and other public safety
users. This system will be called the emergency services network (ESN). In the
document you will find:
o information about the development of ESN
o a timeline for ESN
o information about procurement for ESN
o latest procurement news
o information about supporting programmes
ISACA, 2009. An Introduction to the Business Model for Information Security. Rolling
Meadows: ISACA.
An excellent discussion of how to integrate Information Security into the
Business, essential for this scenario
ISACA, 2013. CISM Review Manual. Rolling Meadows: ISACA.
The CISM review manuals provide detailed, though quite dense discussion of the
knowledge, skills and tasks associated with each of the CISM domains. A
p[particularly useful aspect is the inclusion of test questions (and answers) which
are very thought provoking and good for discussion.
ISO 22301:2012 Societal security -- Business continuity management systems --Requirements
A related standard that clearly is relevant, but more detailed than necessary for
this scenario
ISO/IEC 27001:2013 Information technology — Security techniques — Information security
management systems — Requirements
A surprisingly readable and brief standard that is well-worth reading for this
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for
information security controls
The partner to ISO27001, providing details of the controls, a useful reference
document to help explain the annex in ISO27001.
ISO/IEC 27035:2011 Information technology — Security techniques — Information security
incident management
This standard is being updated, 2011 is the old version. There is increasing
acknowledgement that the question of how to respond to incidents is one of the
most critical, it is not a matter of if you will suffer, but when. Thus, increased
emphasis on incident management is important.
Posthumus, S., & Von Solms, R. (2004). A framework for the governance of information
security. Computers & Security, 23(8), pp. 638-646. [Online]. Available from: [Accessed on
Whilst this is not a new article, it is a good discussion of Information Security
Sonnenreich,W. Albanese,J. and Stout,B. (2006) Return on Security Investment (ROSI) – A
Practical Quantitative Model, Journal of Research and Practice in Information Technology,
38, 1,
A paper that is well-written and useful reading for ROSI in this scenario.
Stuntz,J. (2014) A Review of Return on Investment for Cybersecurity , McDonough School
of Business
Provides a good overview of ROSI. Not as detailed as Sonnereich
Von Solms, R., Thomson, K. L., & Maninjwa, M. (2011). Information security governance
control through comprehensive policy architectures. In Information Security South Africa
(ISSA), (pp. 1-6). IEEE. [Online]. Available from:, [Accessed on
A short (6-page) conference paper that gives a useful overview of InfoSec
governance and argues for a “more complete information security policy
architecture that will facilitate complete control, and therefore compliance, to
ensure sound Information Security Governance.”
Assessment Grading Criteria
Learning Outcome
(graded on)
Pass (40-49%)
Most appropriate threats,
vulnerabilities and reasoned
risk levels assigned.
LO1. Articulate the major security
risks and legal compliance
issues for a Fire and Rescue
LO2. Identify and justify technical
controls for securing remote
access and data governance. Team Report
LO3. Explain the key features of
ISO27001 and risk
LO4. Explain key features and
requirements for an
Information Security culture
and suggest activities for
developing it.
LO5. Identify and outline key
policies required and HR
Appropriate risk treatment
measures for major risks.
Key features of ISO27001 &
Security Policy Framework
Security culture and standards
discussed briefly.
Some risks relating to legal
regulations explicitly identified.
Reports are structured with
appropriate headings.
Acceptable spelling and
Mostly relevant content.
Some good quality references
Presentation is As pass and presentation
consistent with, emphasises key points and has
balanced content.
Working With Others:
Participate constructively in team
by Taking responsibility, Showing
sensitivity and provide supportive
feedback to others, Meeting
VLE postings,
timeliness of
work produced.
Usually communicates quickly
with others if problems
attending or meeting
commitments, On time for most
meetings, Completes most work
allocated. NB Students can be
excluded from teams for not
meeting these requirements.
Sound Pass (50-59%)
Almost all threats and risks
identified correctly and in suitable
format, and prioritised
Addresses all major risks, with
appropriate controls. Links are
made between risks/threats and
solutions, including culture.
Most risks relating to legal
regulations explicitly identified.
Very Good Pass (60-69%)
Consistent treatment of
assets/threats/risks, correct id & in
suitable format.
As sound pass and clearly linked to
most requirements. Benefits of
solution identified.
Systematic and complete
treatment of legal regulations.
Key features of ISO27k, & Security
Policy framework explained.
ISO27k, & Security Policy
framework integrated into the
Alternatives are discussed, but may
be briefly.
Alternatives are discussed
highlighting key issues.
Report structured with appropriate
Written in clear consistent and
appropriate (business) style of
Generally appropriate level of
detail, but inconsistent.
Good quality references provided
with correct syntax. Range may be
As sound pass and presentation
clearly links features/ benefits of
solution with client needs and
An appropriate range of good
quality references provided with
correct syntax.
Excellent (70-100%)
Comprehensive list of threats, risks,
and impact clearly related and in
suitable format, evaluated and
prioritised appropriately.
Report is detailed, addresses all major
risks, appropriate controls, including
culture, clearly linked to most
requirements and critical evaluation
of alternate solutions provided.
Systematic and complete treatment
of legal regulations.
ISO27k, & Security Policy framework
integrated into the report
Key points of ROSI explicitly discussed
Alternatives are discussed critically
highlighting key issues
complete/consistent solution.
Clear, concise and complete with
appropriate level of detail throughout
almost all report.
Presentation is persuasive,
balanced, thorough and clearly
links features/benefits of solution
to client needs/problems
Presentation is consistent with, and
relates to report.
Considered reliable by team mates.
Almost always communicates quickly As Sound pass and on time for
with others & renegotiates if
almost all meetings, Completes all
problems attending or meeting
work as agreed.
commitments, Shares work with
others in timely way.
As Very good pass and shows
initiative / leadership in some areas
of work.