Information Security Case Study

This assessment utilises a case study approach based on role-playing. You will be asked to impersonate an information security consultant tasked with producing a report for the CEO of SkillPlat, a fictitious training company. You will find the scenario and your tasks below, but a short overview of some key elements is as follows. Nature: organisational cybersecurity report. Structure: your choice, but an Executive Summary (max. 1 page) and References MUST be included. Usage of titled sections (and/or subsections) is highly recommended. Appendices can be used to include information that is not essential to the main body of the report. Please submit your report as a .doc or .pdf file only (no MAC formats).

 

Please note: you are expected to write a professional report, on the model of the work done by consulting companies. This means that your report needs to be written in a professional style: your arguments need to be well-supported, using solid information sources and referencing them as appropriate; your analysis should be logical and you should make reference to different materials to support your points (e.g., materials explored in the classroom; industry reports; statistics; academic and ‘grey literature’ papers, etc.); your arguments should flow well in the report; usage of bullet points and lists should be limited, and so should the usage of tables and figures. Keep in mind that your report is for a CEO: she will expect something easy to read, not too technical, yet solid and convincing! Moreover, she will expect you to validly justify your points (e.g., explaining the ‘why’ behind your arguments). See Blackboard (under Assessment 2) for some resources on consulting reports.

 

Wordcount: Max. 3,500 (including everything except Titles, Sub-Titles, Executive Summary, References and Appendices)

 

The scenario described in the present case is fictitious. It reflects a real-world situation but was adapted for educational purposes. The suggestion for you is not to fight against the scenario but to play along with it: try to immerse yourself in the environment described in the case and embrace the conditions that it presents as much as possible. As you will see, the scenario provides minimal information about the fictitious company and its industry. A good starting point is therefore to immerse yourself in the scenario and reflect on how a company like Skillplat works on a daily basis: who are its typical customers, how do they interact with the company, what online platforms is the company likely to utilise, what cybersecurity implications derive from all of this, etc.

 

The Scenario: SkillPlat was founded as a private company in 1985 and has always been very loyal to its original mission: connecting people with great skills with potential employers, whilst delivering outstanding training, both on the job and in the classroom. The company offers a wide range of customised solutions for the modern workforce and has basically two types of clients: 1) as a business-to-consumer organisation, Skillplat identifies apprenticeship and traineeship opportunities for people who need a job and want to acquire new skills or strengthen their existing ones; it therefore serves young graduates in search of a job but also young people who would like to specialise in a specific industry/role; and 2) as a business-to-business organisation, it offers exceptionally skilled workers to employers in need of human resources. Moreover, Skillplat takes care of all the insurance and contractual arrangements, dramatically reducing the paperwork for both employers and employees. As a training organisation, Skillplat also offers a wide range of traditional and flexible training programs, ranging from IT skills development, to carpentry, to horticulture and farming, etc. In sum, for any possible training need one may have, Skillplat offers a course in that area. Skillplat also delivers customised training programs to external companies for the professional development of their employees.

SkillPlat has a total of around 400 employees and an annual turnover of around $80 million. Since 1985, the company has had a total of around 70,000 customers and helped hundreds of organisations find a skilled workforce. They have delivered thousands of training programs and courses and are today a key provider in Queensland and New South Wales for apprenticeship and traineeship services. Skillplat has one headquarters, located in Queensland, and 5 branches: 2 in Queensland and 3 in New South Wales. The HQ oversees the activity of all Skillplat’s branches and also delivers the company’s services to its local area. Under the HQ’s supervision, the 5 branches are quite independent from an organisational perspective and deliver the company’s services to their local areas. With the exception of the HQ, which is somewhat larger, the 5 branches are of very similar size, in terms of both number of employees and market. To more efficiently deliver their services, Skillplat has signed collaboration agreements with 6 affiliate colleges, one per branch, including the HQ. These colleges act as sub-contractors for Skillplat in the 6 local areas and deliver several training programmes on behalf of Skillplat, according to the following arrangement: students and workers interested in training programmes that Skillplat does not deliver in house first contact Skillplat; based on the students’ and workers’ location, Skillplat then identifies the most appropriate affiliate college; the affiliate college acts as the information collection point and manages all the administrative tasks associated with students’ and workers’ enrolment, including payment of fees, collection of academic records and transcripts, etc.; once enrolment is completed, the students and workers receive their training locally at the identified college; finally, the affiliate college transfers a portion of the collected fees to Skillplat, based on the number of students and workers that came through from Skillplat.
Once the training programme is completed, Skillplat takes care of finding jobs and/or apprenticeship and traineeship opportunities for the students and workers. To make this arrangement work, the affiliate colleges collect and store students and workers’ data and information and share them with Skillplat. The 6 affiliate colleges are Savi College (which works with Skillplat’s HQ), Carles Community College, and Bright Future College (in Queensland); and Rowan College, Carrus College, and Oikia College (in New South Wales). In its expansion strategy, the company is looking to open a branch in Victoria too.

 

Your task: The CEO of Skillplat hired you to write a report on Skillplat’s cybersecurity management. These are the points she would like you to cover in your report:

– Provide an overview of the status quo of the Education & Training industry in terms of cybersecurity: main threats and attractiveness to cyber-criminals; overall situation compared to other industries; degree of exposure to cyber-risks; industry-specific weaknesses; general trend (i.e., has this industry’s exposure to cyber-risks increased or decreased in recent years?); etc. Feel free to focus on Australia or the global scale or a mix of both.

– Reflecting on the size, industry, and organisational structure of Skillplat, what cybersecurity governance structure would you suggest for the company? How big do you think the IT department should be? How many cybersecurity employees should the company have? What roles should they have? Or should Skillplat have other cybersecurity governance arrangements in place? Or a mix of different models? Should it seek accreditation/certification with any international standards? If yes, which ones? If not, what other cybersecurity best practices should the company follow?

– How do you think Skillplat could improve its cybersecurity culture? What programmes do you think it should deliver? What contents? To whom should it deliver them? How often? What delivery formats/modes do you think would work best for Skillplat’s workforce?

 

– Carrus College joined the group of affiliate colleges working with Skillplat only one week ago. No training programme for the young graduates that Skillplat usually serves has been delivered yet through this college. Despite the quality of the training programmes that Carrus delivers, there are rumours that this college has major cybersecurity issues, which could lead to potential data breaches in the future. Under major time pressure, Skillplat’s executives have decided to sign the agreement with Carrus College despite such rumours. Nonetheless, they now need to find ways to protect Skillplat’s reputation, should something go wrong at Carrus College in terms of cybersecurity. What do you think Skillplat could do? What measures do you suggest they put in place to prevent reputational damage in case of a data breach at Carrus College?

 

– Finally, the CEO is considering the opportunity of hiring you in the near future to conduct a more detailed assessment of the status quo of Skillplat’s cybersecurity: what works, what does not work, and what practical recommendations for improvement you would suggest. Now, she would like to know what information you would need to conduct such an assessment: what organisational documents would you want to examine? How would you collect data for your assessment? From where? From whom? What sources of information would you want to access?