Case Study Scenario

Cybersoft Solutions

Case Study

ICTICT443 - Work collaboratively in the ICT industry
BSBXCS404 - Contribute to cyber security risk management
ICTCYS404 - Run vulnerability assessments for an organisation
ICTSAS432 - Identify and resolve client ICT problems
ICTSAS442 - Provide first-level remote help desk support
ICTICT451 - Comply with IP, ethics and privacy policies in ICT environment

Company profile:
Cybersoft Solutions is a leading cybersecurity company in Australia. It offers a
variety of services from information security consulting to assessing, testing and
improving the protection of applications and networks for companies operating in
healthcare, manufacturing, banking, retail, telecommunications, and other industries.

APPLICATION SECURITY
Poorly coded and insufficiently protected applications can put a company at risk and
result in data breaches. Cybersoft offers their skills and knowledge in assessing and
testing the security of applications (web, mobile, desktop), as well as finding ways to
help their customers to achieve the effective protection of the corporate data stored
locally or remotely.

NETWORK PROTECTION
By increasing corporate network security, you can reduce the risk of becoming the
victim of privacy spoofing, theft of identities or of the company's proprietary
information, Man-in-the-Middle attacks and DDoS attacks.

New Project, along with the organisation's environment, network, systems and
requirements:

The training organisation has approached your company to perform at least one
vulnerability assessment and to define and run at least one basic penetration test.
You will perform the vulnerability assessment on the organisation's medium-sized
LAN. The network consists of two switches, one router and 10-15 computer
systems. Several confidential applications are installed on these systems.

Case Study Version:23.0 Page 2 of 28

Developed by: ACBI Approved by: DoS Issued: July 2023



You are the penetration tester in your company. The management of the
organisation wants you to perform a vulnerability assessment and to define and run
a basic penetration test. They also want you to assess web-based, network-based
and hardware-based vulnerabilities, adhere to organisational procedures, and
document and report your activities. This includes:

• Prepare to run the vulnerability assessment
• Run the vulnerability assessment and penetration test
• Finalise the vulnerability assessment process

Organisational procedure to perform vulnerability assessment

Take an active role: When a company decides to do a vulnerability assessment,
it should take an active approach to determine the existing status of security. It
is critical to actively assess potential suppliers, participate in the scoping
process, equip security consultants with the tools they need to do their jobs, and
participate in the process to ensure success. When key stakeholders decide to
become participants and students in the process, the knowledge gained from that
collaboration will allow the business to consume the results more effectively,
putting them on a better footing to face the issues of tomorrow, having been
guided through the process by an experienced professional today.

Identify and understand your business processes: Identify and comprehend your
organisation's business processes, paying special attention to those that are
crucial and sensitive in terms of compliance, customer privacy, and competitive
position. IT can't achieve this in a vacuum. Collaboration between IT and
representatives from business units, the finance department, and legal counsel is
required in many firms. Many firms organise security strategy task forces
comprised of officials from each department, who collaborate for several weeks
to assess business processes as well as the information and infrastructure on
which they rely. Those with extensive domain knowledge are the most valuable
resources in this process of discovery. The fundamental goal is to capture "how
it's done" and comprehend the true process.

Pinpoint the applications and data that underlie business processes: Once the
business processes have been identified and ranked in terms of mission
criticality and sensitivity, the next step is to identify the apps and data on which
those mission-critical processes rely. Again, only coordination between IT and
other business stakeholders will allow this to happen. You may discover
applications that are more important than imagined as a result of prolonged
collaborative conversations. Email, for example, may be vital in one department
but eclipsed by in-house instant messaging in another.

Find hidden data sources: When searching for applications and data sources,
keep in mind mobile devices like smartphones and tablets, as well as laptops and
desktop PCs. While some data may be stored in a single location, the vast
majority will exist and interact in a network of devices and information channels.
These devices, as a group, frequently hold the most recent, sensitive data that
your organisation possesses. Work with the business units to determine who is
accessing and sharing corporate applications and data via mobile devices.
Recognise the data flow between these devices and the data centre applications
and storage.

Determine what hardware underlies applications and data: Continue working your
way down the infrastructure levels to find the servers, both virtual and physical,
that power your mission-critical applications. For Web/database applications, you
may need three or more sets of servers — Web servers, application middleware,
and a database — for each application. Identify the data storage devices that
contain the mission-critical and sensitive data that those apps rely on.

Map the network infrastructure that connects the hardware: Understand the
routers and other network devices on which your applications and hardware rely
for quick, secure performance. It is critical to ascertain whether individual subnets
are intended to house sensitive assets such as Windows domain controllers or a
specific business unit such as Development or Human Resources. Understanding
how data moves from point A to point B is vital, as is knowing where a specific
sort of data resides.

Identify which controls are already in place: Document the security controls you
already have in place, such as policies and technical controls like firewalls,
application firewalls, intrusion detection and prevention systems (IPS/IDS), virtual
private networks (VPNs), data loss prevention (DLP), and encryption, to protect
each set of servers and storage devices hosting mission-critical applications and
data. Understand the key capabilities of these safeguards and which
vulnerabilities they most effectively address. This is the heart of the “defence in
depth” strategy and may necessitate some in-depth investigation, such as
scouring websites and reviews and consulting with security company
representatives.

Run vulnerability scans: Only when you've thoroughly understood and mapped out
your application and data flows, as well as the underlying hardware, network
infrastructure, and security controls, should you execute vulnerability scans. The
intellectual activity completed to this stage is what enables security analysts to
analyse the scan results clearly and objectively on the essential parts of the
business.

Apply business and technology context to scanner results: Your scanner may
generate scores for host and other vulnerabilities, as well as severity ratings, but
because results and scores are based on objective metrics, it is critical to
understand your organisation's business and infrastructure environment. Take
into account the following:

• The number and importance of assets touched by the vulnerabilities
If a vulnerability affects many different assets, particularly those involved in
mission-critical processes, this may indicate that you need to address it
immediately and comprehensively. On the other hand, if the scanner finds
multiple vulnerabilities in infrastructures running less critical applications
accessed only by a few users, they may not have to be addressed as
aggressively. Triage should be performed based on the new knowledge acquired
through the assessment process.

• Existing controls
If the vulnerabilities identified by the scan affect infrastructure that already has
multiple layers of protection in place, some of those vulnerabilities may be
addressed already by existing technologies. For example, a vulnerability found on
a server protected by application firewalls, encryption, and other
countermeasures may not be as important to address as the same vulnerability
found in a less-protected infrastructure used in testing and development,
particularly if it makes use of data with stringent compliance requirements. It’s
important to weigh criticality against existing protections to determine which
vulnerability could expose your business to serious risk.

• Available security technologies
Your vulnerability assessment report may recommend scores of software patches
and upgrades to address security holes, but constantly applying patches and
upgrades can drain IT time and resources. There may be other security
technologies that are more efficient and effective. For example, cross-site
scripting vulnerabilities may be more easily and comprehensively addressed
through a strategically placed Web application firewall (WAF) than by constantly
applying patches and upgrades to multiple components. The key is to understand
how the risk profile would change when certain security technologies and
policies are applied.

• Location
Cyber-attacks frequently take advantage of the weakest links in your
infrastructure — and frequently those weak links can be found at branch offices
or among mobile and IoT devices. If your scan reveals many vulnerabilities at a
branch office or another remote infrastructure, this could indicate that further
investigation and protection measures are required. Professional IoT security
assessments, including standard discovery and assessment services and
targeted evaluations of specific devices and platforms, can help you evaluate the
vulnerability of the organisation’s devices and establish an understanding of
associated attack vectors.

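The four factors above (assets touched, existing controls, available technologies, location) can be turned into a repeatable re-ranking of raw scanner output. The following Python is an added example written for this case study; it is not code from Cybersoft, from the training organisation or from any scanner product. The asset names, the findings, the criticality ratings and the weights (a 25% discount for each asset already covered by a relevant control, 10% per additional affected asset, and location multipliers for branch, mobile and IoT) are constructed assumptions chosen to show the mechanics; in practice they would be agreed with the business owners during the assessment.

```python
from dataclasses import dataclass, field

# Constructed example data: asset names, scores and weights are assumptions
# chosen to illustrate the triage factors, not values from any real scan.


@dataclass
class Asset:
    name: str
    criticality: int                      # 1 (low) to 5 (mission-critical), agreed with business owners
    controls: set = field(default_factory=set)   # existing protections, e.g. {"waf", "ids"}
    location: str = "datacentre"          # "datacentre", "branch", "mobile" or "iot"


@dataclass
class Finding:
    title: str
    scanner_severity: float               # 0.0 to 10.0 as reported by the scanner
    affected: list                        # Assets on which the scanner reported it
    mitigated_by: set = field(default_factory=set)  # control types that address this class of issue


# Assumed weights: each factor scales the scanner's objective score up or down.
CONTROL_DISCOUNT = 0.25                   # up to 25% off when a relevant control already covers the asset
BREADTH_STEP = 0.1                        # +10% per additional affected asset, capped at 2x
LOCATION_WEIGHT = {"datacentre": 1.0, "branch": 1.3, "mobile": 1.3, "iot": 1.5}


def contextual_score(f: Finding) -> float:
    """Re-rank a scanner finding using business and infrastructure context."""
    if not f.affected:
        return 0.0
    # Number and importance of assets touched: the most critical asset sets the
    # baseline, and each extra affected asset widens the exposure.
    importance = max(a.criticality for a in f.affected) / 5
    breadth = min(1.0 + BREADTH_STEP * (len(f.affected) - 1), 2.0)
    # Existing controls: assets already covered by a control that addresses
    # this class of vulnerability reduce the urgency, but never to zero.
    covered = sum(1 for a in f.affected if a.controls & f.mitigated_by)
    control_factor = 1.0 - CONTROL_DISCOUNT * (covered / len(f.affected))
    # Location: weak links at branch offices and on mobile/IoT devices weigh more.
    location = max(LOCATION_WEIGHT[a.location] for a in f.affected)
    return round(f.scanner_severity * importance * breadth * control_factor * location, 2)


def triage(findings):
    """Return findings ordered from most to least urgent under the contextual score."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed inventory for a small LAN (hypothetical asset names).
PORTAL = Asset("customer-portal-web", 5, {"waf", "ids"})
PORTAL_TEST = Asset("customer-portal-test", 4)   # test copy loaded with real customer data
BRANCH_PCS = [Asset(f"branch-pc-{i}", 3, set(), "branch") for i in range(1, 5)]
HR_FILES = Asset("hr-file-server", 3, {"encryption", "vpn"})

FINDINGS = [
    Finding("Cross-site scripting in customer portal", 8.0, [PORTAL], {"waf"}),
    Finding("Cross-site scripting in test copy of customer portal", 8.0, [PORTAL_TEST], {"waf"}),
    Finding("Missing security patches on branch office PCs", 6.0, BRANCH_PCS, {"ips"}),
    Finding("Missing security patches on HR file server", 5.0, [HR_FILES], set()),
]

if __name__ == "__main__":
    for f in triage(FINDINGS):
        print(f"{contextual_score(f):5.2f}  (scanner {f.scanner_severity})  {f.title}")
```

With these inputs the two cross-site scripting findings carry the same scanner severity, yet the copy on the unprotected test server (rated 4 because it holds real customer data) outranks the production instance that already sits behind a WAF, and the branch-office patching gap rises above both because it touches several machines at a weak-link location. The weights are the part to argue about with the business, not the scanner number.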
Conduct penetration testing: Once the vulnerability assessment is finished and the
company believes it has remedied enough issues to improve its security posture,
it is vital to have a fresh set of eyes review the environment and challenge
assumptions. Penetration testing is intended to push your security practices to
see if a bad actor can exploit a vulnerability to obtain access to important
information.

Organisational procedure to run a basic penetration test

Information Gathering: The first of the seven stages of penetration testing is
information gathering. The organisation being tested will provide the penetration
tester with general information about in-scope targets.

Reconnaissance: The reconnaissance stage is crucial to thorough security testing
because penetration testers can identify additional information that may have
been overlooked, unknown, or not provided. This step is especially helpful in
internal and/or external network penetration testing; however, we don’t typically
perform this reconnaissance in web application, mobile application, or API
penetration testing.

Discovery and Scanning: The information gathered is used to perform discovery
activities to determine things like ports and services that were available for
targeted hosts, or subdomains available for web applications.

Vulnerability Assessment: A vulnerability assessment is conducted to gain initial
knowledge and identify any potential security weaknesses that could allow an
outside attacker to gain access to the environment or technology being tested. A
vulnerability assessment is never a replacement for a penetration test, though.

Exploitation: After interpreting the results from the vulnerability assessment, our
expert penetration testers will use manual techniques, human intuition, and their
backgrounds to validate, attack, and exploit those vulnerabilities.

Final Analysis and Review: This comprehensive report includes narratives of where
we started the testing, how we found vulnerabilities, and how we exploited them.
It also includes the scope of the security testing, testing methodologies, findings,
and recommendations for corrections. Where applicable, it will also state the
penetration tester’s opinion of whether or not your penetration test adheres to
applicable framework requirements.

Utilise the Testing Results: The last of the seven stages of penetration testing is
so important. The organisation being tested must use the findings from the
security testing to risk-rank vulnerabilities, analyse the potential impact of
vulnerabilities found, determine remediation strategies, and inform
decision-making moving forward.

Intel LazyFP: This is a vulnerability that can be exploited to leak the state of the
FPU (floating-point unit), an arithmetic coprocessor found in recent Intel CPUs.
The FPU is generally used to speed up calculations on floating-point numbers.
Attackers can use this vulnerability to make a local process disclose the contents
of floating-point unit registers belonging to another process.

Organisational policies and other procedures
Privacy and Security Policy
At Cybersoft, we are committed to providing quality products and services to you.
This policy outlines our ongoing obligations to you in respect of how we manage
your personal information. We have adopted the Australian Privacy Principles
(APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The APPs govern
how we collect, use, disclose, store, secure and dispose of your
Passwords
a. Requirements
i. All system-level passwords (Administrator, etc.) must be changed every quarter, at
a minimum.
ii. All user-level passwords (e.g., email, web, desktop computer, etc.) must be
changed at least every six months.
iii. All user-level and system-level passwords must conform to the standards
described below.

b. Standards - All users at Cybersoft should be aware of how to select strong
passwords. Strong passwords have the following characteristics:
i. Contain at least three of the five following character classes:
1. Lower case characters
2. Upper case characters
3. Numbers
4. Punctuation
5. “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc.)
ii. Are between eight and fifteen alphanumeric characters long.
iii. The password is NOT a word found in a dictionary (English or foreign).
iv. The password is not a common usage word such as:
1. Computer terms and names, commands, sites, companies, hardware, software.
Passwords should NEVER be “Password1” or any derivation of it.
2. The words “Cybersoft”, “Sydney”, or any derivation.
3. Names of family, pets, friends, co-workers, etc.
4. Birthdays and other personal information such as addresses and phone numbers.
5. Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
6. Any of the above spelled backwards.
7. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
v. Try to create passwords that can be easily remembered. One way to do this is to
create a password based on a song title, affirmation, or another phrase.
c. Protective Measures
i. Do not share Cybersoft passwords with anyone, including administrative assistants
or secretaries. All passwords are to be treated as sensitive, confidential Cybersoft
information.
ii. Passwords should never be written down or stored online without encryption.
iii. Do not reveal a password in email, chat, or other electronic communication.
iv. Do not speak about a password in front of others.
v. Do not hint at the format of a password (e.g., “my family name”).

vi. Do not reveal a password on questionnaires or security forms.
vii. If someone demands a password, refer them to this document and direct them to
the IT Department.
viii. Always decline the use of the “Remember Password” feature of applications.
d. Passphrases - Access to the Cybersoft Networks via remote access is to be
controlled using either one-time password authentication or a public/private key
system with a strong passphrase.
i. A good passphrase is relatively long and contains a combination of upper and
lowercase letters and numeric and punctuation characters. An example of a good
passphrase: “Joe&Me1RBudz”
ii. All of the rules above that apply to passwords apply to passphrases.
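As an added example, not part of the Cybersoft policy text, the following Python checks a candidate password or passphrase against the rules in section b: the three-of-five character classes (i), the length range (ii), dictionary words (iii), the forbidden terms “Password”, “Cybersoft” and “Sydney” (iv.1, iv.2), patterns such as aaabbb, qwerty, zyxwvuts and 123321 (iv.5), reversals (iv.6) and an attached digit (iv.7). The small word list, the split between “punctuation” and “special” characters, the leetspeak substitutions used to catch derivations, and the treatment of rule ii as a count of all characters are assumptions made here; names, pets and birthdays (iv.3, iv.4) can only be checked when they are supplied for the user, and memorability (v) is left to the person choosing.

```python
import re
import string

# Constructed stand-in for a dictionary (assumption: a real check would load a
# full wordlist such as /usr/share/dict/words plus foreign-language lists).
DICTIONARY_WORDS = {"secret", "welcome", "summer", "dragon", "monkey", "letmein"}

# Terms the policy forbids in any derivation: "Password", "Cybersoft", "Sydney".
FORBIDDEN_TERMS = {"password", "cybersoft", "sydney"}

# Keyboard rows, the alphabet and the digits, used to catch runs such as
# qwerty or zyxwvuts in either direction.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]

# Assumed split of the policy's five classes: a small punctuation set and the
# remaining "special" characters listed in the standard.
PUNCTUATION = set(".,;:!?'\"")
SPECIAL = set("@#$%^&*()_+|~-=\\`{}[]<>/")

# Common substitutions, so that P@ssw0rd still counts as a derivation of Password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def character_classes(pw: str) -> set:
    """Which of the five policy character classes the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def core_word(pw: str) -> str:
    """Lower-case, drop a single leading/trailing digit (rule iv.7) and undo leetspeak."""
    core = re.sub(r"^\d|\d$", "", pw.lower())
    return core.translate(LEET)


def has_pattern(pw: str) -> bool:
    """Rule iv.5: repeated, keyboard-row or sequential patterns (either direction)."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):                # aaabbb
        return True
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):               # qwerty / ytrewq, 1234 / 4321
            if any(run[i:i + 4] in low for i in range(len(run) - 3)):
                return True
    for group in re.findall(r"\d{3,}", low):       # 123 / 321 inside e.g. 123321
        for i in range(len(group) - 2):
            a, b, c = (int(x) for x in group[i:i + 3])
            if b - a == c - b and abs(b - a) == 1:
                return True
    return False


def check_password(pw: str, personal_terms=()) -> list:
    """Return the list of policy rules the password breaks (empty means compliant).

    personal_terms: names, pet names, birthdays etc. known for this user; rules
    iv.3 and iv.4 cannot be checked without them."""
    problems = []
    if not 8 <= len(pw) <= 15:
        problems.append("ii: must be 8 to 15 characters long")
    if len(character_classes(pw)) < 3:
        problems.append("i: needs at least three of the five character classes")
    core = core_word(pw)
    if core in DICTIONARY_WORDS or core[::-1] in DICTIONARY_WORDS:
        problems.append("iii/iv.6/iv.7: is a dictionary word, possibly reversed or with a digit attached")
    for term in FORBIDDEN_TERMS | {t.lower() for t in personal_terms if t}:
        if term in core or term[::-1] in core:
            problems.append(f"iv: contains the term {term!r} (or its reverse)")
    if has_pattern(pw):
        problems.append("iv.5: contains a repeated, keyboard or sequential pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Joe&Me1RBudz", "Password1", "P@ssw0rd", "qwerty123", "1secret", "Cyb3rsoft#"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The policy's own passphrase example, “Joe&Me1RBudz”, passes every automated rule, while “Password1”, “P@ssw0rd” and “Cyb3rsoft#” are all caught as derivations of forbidden terms once the attached digit is stripped and the substitutions undone. Pass the user's known names and dates in personal_terms to cover rules iv.3 and iv.4; a checker like this belongs in the place where passwords are set, and should never log the candidate it rejects.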
Encryption
a. Standards - Proven, standard algorithms should be used as the basis for
encryption technologies. These algorithms represent the actual cipher used for an
approved application. Key lengths must be at least 128 bits. Cybersoft’s key length
requirements will be reviewed annually and upgraded as technology allows.
b. Mobile Device Encryption
i. Scope - All mobile devices containing stored data owned by Cybersoft must use an
approved method of encryption to protect data at rest. Mobile devices are defined to
include laptops, tablets, and smartphones.
ii. Laptops - Laptops must employ full disk encryption with an approved software
encryption package. No Cybersoft data may exist on a laptop in cleartext.
iii. Tablet and smartphones - Any Cybersoft data stored on a smartphone or tablet
must be saved to an encrypted file system using Cybersoft-approved software.
Cybersoft shall also employ remote wipe technology to remotely disable and delete
any data stored on a Cybersoft tablet or smartphone which is reported lost or stolen.
iv. Keys - All keys used for encryption and decryption must meet the complexity
requirements described in Cybersoft’s Password Security policy.
SERVICE PROVIDER CONFIDENTIALITY AGREEMENT FOR EMPLOYEE

It is the policy and practice of Cybersoft Solutions that the confidentiality of all client,
law office business and related matters is carefully guarded and protected in every
possible and reasonable manner at all times.
For that reason, you are being asked in your capacity as an employee or
representative of the “data security department”, a service provider to “Cybersoft
Solutions”, to review and sign this confidentiality form. Your signature below
represents and documents your acknowledgement and agreement to maintain
complete and strict confidentiality regarding any client information and any other
office matters that you may be told or inadvertently or otherwise learn in the course
of your work with “Law Firm.”
Any breach of this confidentiality policy to third parties will result in the immediate
termination of our business relationship. Further, should you breach this
confidentiality policy in any way, you and your company will be jointly and severally
liable for all damages and expenses, including attorney fees, caused to “Cybersoft
Solutions,” its clients or employees.
I, ____________________________________________, am an employee and
authorised representative for “data security department” and
have read, understand and agree to abide by the provisions of the foregoing stated
policy.
Signed this _____ day of _________________, 20___.
_____________________________________
Intellectual Property Policy and Procedure
• The company will protect intellectual property (IP) and conduct business
following applicable IP laws in the Republic of India, as well as its agreements
with other firms.
• The company will vigorously defend its intellectual property.
• The company must maintain an effective IP asset management system,
which includes keeping track of all IP-related assets and agreements.
• The company will not wilfully infringe on a third party's intellectual property in
its goods, services, or components, nor will it divulge or utilise a third party's
trade secrets without the owner's express or implied approval or as
authorised by law.
• All significant transactions and uses involving the exercise of IP rights must
be documented and kept in writing by the company. (This includes, for
example, licencing or rights assignments; manufacturing, replication, or
distribution of patentable, trademarked, or copyrighted objects; and trade
secret disclosure and usage.)
• The Company will compel its employees and contractors to follow the
applicable IP laws, as well as the Company's IP policies and IP-related
clauses in agreements with other firms, through enforceable policies or
agreements with them.
• The company will create and execute a management system to guarantee
that all employees adhere to the company's IP rules.
Personal Information
A copy of the Australian Privacy Principles may be obtained from the website of The
Office of the Australian Information Commissioner at www.aoic.gov.au.
What is Personal Information
Personal Information is information or an opinion that identifies an individual.
Examples of Personal Information we collect include names, addresses, email
addresses, and phone numbers.
This Personal Information is obtained in multiple ways including email, telephone,
correspondence, via our website www.Cybersoft.com.au, from cookies, from other
publicly available sources, and third parties. We don’t guarantee website links or the
policy of authorised third parties. When we collect Personal Information we will,
where appropriate and where possible, explain to you why we are collecting the
information and how we plan to use it.
Need to collect personal information
We collect your Personal Information for various internal functions and service
delivery processes. This may include, but is not limited to:
• Managing business services and products enquiries.
• Providing support correspondence or account invoices.
• Sending out product and service information or updates.
• Sending out information on industry updates relevant to our customers.
• Sending newsletters and targeted marketing content.
Also, for each visitor to our site, we expressly collect the following non-personally
identifiable information, including but not limited to browser type, version and
language, operating system, pages viewed while browsing the Site, page access
times and referring website address. This information is used solely internally to
gauge visitor traffic and trends and to deliver personalised content to you while
you are at our website. From time to time, we may use customer information for
new, unanticipated uses not previously disclosed in our privacy notice. If our
information practices change at some time in the future, we will use for these new
purposes only data collected from the time of the policy change forward, and that
data will be handled according to our updated practices.
Sensitive Information
Sensitive information is defined in the Privacy Act to include information or opinion
about such things as an individual's racial or ethnic origin, political opinions,
membership of a political association, religious or philosophical beliefs, membership
of a trade union or other professional body, criminal record or health information.
Sensitive information will be used by us only:
• For the primary purpose for which it was obtained
• For a secondary purpose that is directly related to the primary purpose
• With your consent; or where required or authorised by law.
Third Parties
Where reasonable and practicable to do so, we will collect your Personal Information
only from you. However, in some circumstances, we may be provided with
information by third parties. In such a case we will take reasonable steps to ensure
that you are made aware of the information provided to us by the third party.
Disclosure of Personal Information

Your Personal Information may be disclosed in several circumstances including the
following:
• Third parties where you consent to the use or disclosure.
• Industry partners of Cybersoft who are involved in the delivery of your services or
products.
• Where required or authorised by law.
Security and Storage of Personal Information
Your Personal Information is stored in a manner that reasonably protects it from
misuse and loss and unauthorised access, modification or disclosure. This is
primarily in Cybersoft’s CRM and account management platform.
When your Personal Information is no longer needed for the purpose for which it
was obtained, we will take reasonable steps to destroy or permanently de-identify
your Personal Information. However, most of the Personal Information is or will be
stored in client files which will be kept by us for a minimum of 7 years.
Access to your Personal Information
You may access the Personal Information we hold about you and update and/or
correct it, subject to certain exceptions. If you wish to access your Personal
Information, please contact us in writing.
Cybersoft will not charge any fee for your access request but may charge an
administrative fee for providing a copy of your Personal Information.
To protect your Personal Information, we may require identification from you before
releasing the requested information.
What are your data protection rights?
Cybersoft would like to make sure you are fully aware of all of your data protection
rights. Every user is entitled to the following:
• The right to access – You have the right to request from Cybersoft copies of
your data. We may charge you a small fee for this service.
• The right to rectification – You have the right to request that Cybersoft correct
any information you believe is inaccurate.
• You also have the right to request that Cybersoft complete the information you
believe is incomplete.
• The right to erasure – You have the right to request that Cybersoft erase your
personal data, under certain conditions.
• The right to restrict processing – You have the right to request that Cybersoft
restrict the processing of your personal data, under certain conditions.
• The right to object to processing – You have the right to object to Cybersoft’s
processing of your personal data, under certain conditions.
Legislative requirements
“Personal Data”
Personal information is an equivalent phrase used in the Privacy Act. This is defined
as information or an opinion on an identified individual, or a reasonably identifiable
individual, as specified in section 6 of the Privacy Act:
• whether or not the information or viewpoint is correct;
• Whether or not the information or viewpoint has been recorded in a
tangible form.
“Processing”
The Privacy Act governs ‘dealing with' personal information in terms of ‘use' and
‘disclosure,' rather than ‘processing' (See Part 3 of the APPs). Even though neither
word is specified under the Privacy Act, the OAIC claims that:
• The processing or carrying out of action concerning information within its
effective control is referred to as ‘use.'
• ‘To disclose' implies making information available to those outside the
entity and relinquishing control over later handling of that information.
“Controller”
The Privacy Act does not mention "controllers," but it does encompass APP
companies' data-processing operations. Agencies and organisations are examples
of APP entities. The following are some of the agencies:
• ministers or departments of the government;
• bodies created with a public purpose in mind;

• the Governor-General or a Minister establishes bodies;
• a person who is appointed to a position by an act or the Governor-
General;
• a federal court of appeals; or
• the Australian Federal Police Service (AFPS).
“Processor”
Although the term "processor" is not mentioned in the Privacy Act, the APPs
automatically apply to APP organisations that store personal information. According
to the OAIC, this is wide enough to include outsourced service providers who, in
Europe, could be classified as "processors."
“Data Subject”
The Privacy Act governs personal information concerning individuals described as
"natural people" under section 6.
Furthermore, the new CDR system applies to those classified as 'consumers', which
means they must be reasonably identifiable from the data. The data must relate to them
or one of their associates because products or services were supplied to them or
their associates.
“Sensitive Personal Data”
Section 6 of the Privacy Act defines sensitive information as follows:
• information or an opinion about a person's:
  • ethnic or racial origin;
  • political opinions;
  • membership of a political party;
  • religious connections or beliefs;
  • philosophical beliefs;
  • professional or trade association membership;
  • membership of a labour union;
  • sexual orientation or habits; or
  • criminal record;
• health information;
• genetic information; or
• biometric information.
“Data Breach”
Section 26WE(2) of the Privacy Act defines an eligible data breach as one in which:
there is unauthorised access to, or disclosure of, information (or information is lost in
circumstances where such access or disclosure is likely to occur); and a reasonable
person would conclude that such access or disclosure is likely to result in serious harm
to any individual to whom the information relates.
Other important definitions - please include them (e.g., "Pseudonymous Data",
"Direct Personal Data" and "Indirect Personal Data").

Organisational Documentation strategy

Title Section – This includes the name of the author(s) and the date of report
preparation.
Purpose – This section states the purpose of the document along with any
encryption requirements.
Summary – A summary of the important points, conclusions and recommendations
is required. It must be brief because it is a general overview of the report. Some
people will read only the summary and scan the rest of the report, so the summary
must provide all the pertinent information. Write it last so that it includes everything,
including any points added at the last minute.
Introduction – An introduction should be on the opening page of the report. It
explains the problem and shows the reader why the report is being written. Define
any terms that were not defined in the title section and describe how the report's
details are organised.
Body – This is the report's primary part. There should be numerous divisions, each
with its own subtitle. Typically, information is organised in order of significance, with
the most significant information appearing first.

In the Body part, the following vulnerabilities are to be explained:

 Cross-site scripting (XSS)
 Broken access control
 Directory indexing
 Encapsulation
 Poor Firewall Configuration
 Hardware Issues
 Weak Passwords
 Single Factor Authentication
 Rowhammer
 Bounds Check Bypass Store (BCBS)
 Foreshadow
 Intel LazyFP
Conclusion – This is the point at which everything comes together. Keep this section
free of jargon, because the majority of people will read only the summary and the
conclusion.
Recommendations – These are the actions that must be taken. Explain your
recommendations in clear English, ranking them in order of priority.
Appendices – This section contains material that only experts on the topic will read. It
contains all of the technical details that back up your conclusions.

Organisational procedure: Vulnerability assessment reporting strategy

Executive Summary – This section reviews the vulnerability scan's results. It gives
readers a look into how well or poorly a system performed. It can then classify the
organisation as having a low, medium, high, or critical risk level.
As the title suggests, this is simply a summary. Too many details will overwhelm the
reader, so graphs are used to depict how many vulnerabilities exist within the system
and how critical they are.
In short, this section offers a big-picture view of issues, especially for senior
executives who may not be well versed in security.

Assessment Overview – This section should clearly and concisely state the validation,
investigation, and deliverables given by the vulnerability assessment. The open-source,
commercial, and custom tools used by the scan should be included.
The reader should be able to leave this portion of the report with enough information
that, if warranted, he or she could investigate further.

Results and Mitigation Recommendations – This section lists and describes each
security vulnerability, including (ideally):
 Name of the vulnerability
 Date of discovery
 Vulnerability score
 Detailed description
 The process to detect the vulnerability
 Proof of concept of the vulnerability
 Guidance for remediation
 Prioritisation of vulnerability
This portion of the report is crucial, which means attention to detail is paramount.
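As an added example (not part of the case study or Cybersoft's own material), the following Python helper models a finding with the fields listed above, prioritises findings by score, and produces the per-severity counts and the overall low/medium/high/critical rating that the Executive Summary calls for. The score thresholds, the rule for the organisation-level rating and the sample findings are assumptions made for illustration.

```python
# Added example for the reporting strategy above (not from the case study). Field names follow the
# 'Results and Mitigation Recommendations' list; score bands and the organisation rule are assumed.
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

def severity_band(score: float) -> str:
    """Map a 0-10 vulnerability score to a band (assumed thresholds, CVSS v3 style)."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return band
    return "Low"

@dataclass
class Finding:
    name: str               # Name of the vulnerability
    date_of_discovery: str  # Date of discovery
    score: float            # Vulnerability score, 0-10
    description: str        # Detailed description
    detection_process: str  # The process used to detect the vulnerability
    proof_of_concept: str   # Reference to the evidence, kept out of the summary
    remediation: str        # Guidance for remediation

def prioritise(findings: list) -> list:
    """Prioritisation of vulnerabilities: highest score first."""
    return sorted(findings, key=lambda f: f.score, reverse=True)

def severity_counts(findings: list) -> dict:
    """Per-band counts that feed the executive summary's graphs."""
    counts = Counter(severity_band(f.score) for f in findings)
    return {band: counts.get(band, 0) for band in SEVERITY_ORDER}

def organisation_risk_level(findings: list) -> str:
    """Assumed rule: the organisation is rated at the worst band present (Low if none)."""
    bands = [severity_band(f.score) for f in findings]
    return max(bands, key=SEVERITY_ORDER.index) if bands else "Low"

SAMPLE_FINDINGS = [  # constructed sample findings for the case-study LAN, not real scan results
    Finding("Weak passwords on file server", "2023-07-03", 7.5, "Local accounts use dictionary words.",
            "Offline audit of password hashes against policy", "Appendix A", "Enforce length and lock-out policy"),
    Finding("Directory indexing on intranet web server", "2023-07-03", 5.3, "Listing of /uploads/ exposed.",
            "Authenticated web scan", "Appendix B", "Disable automatic directory listing"),
    Finding("Single-factor authentication on VPN gateway", "2023-07-04", 8.1, "Password-only remote access.",
            "Configuration review", "Appendix C", "Require MFA for all VPN users"),
]

def render_report(findings: list) -> str:
    """Executive summary first, then the prioritised findings with their required fields."""
    lines = [f"Organisation risk level: {organisation_risk_level(findings)}",
             "Findings by severity: " + ", ".join(f"{b}={n}" for b, n in severity_counts(findings).items())]
    for f in prioritise(findings):
        lines.append(f"[{severity_band(f.score)} {f.score}] {f.name} (found {f.date_of_discovery}): {f.description}")
        lines.append(f"  Detection: {f.detection_process}; PoC: {f.proof_of_concept}; Fix: {f.remediation}")
    return "\n".join(lines)
```

Calling `render_report(SAMPLE_FINDINGS)` yields the summary lines followed by the three findings in priority order; replace the sample list with the findings from the actual scan.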

Industry Standards for cyber security operations

Data Protection Standards

Organisations should have regard to their obligations under the Privacy Act,
Archives Act 1983 (Archives Act) and TIA Act when creating standards for the
collection, use and storage of particular information.

The OAIC's Privacy Framework, detailed at 3.2 Consensus or Commonly Applied
Framework, may be considered a de facto standard for data protection.

Cybersecurity Standards

In July 2019, APRA issued CPS 234 on Information Security. This regulation
requires APRA-regulated financial, insurance and superannuation entities to comply
with legally binding minimum standards of information security, including by:
 specifying information security roles and responsibilities for the entities'
board, senior management, governing bodies and individuals;
 implementing and maintaining appropriate information security capabilities;
 maintaining tools to detect and respond to information security incidents in a
timely way; and
 notifying APRA of any material information security incidents.
These standards provide that an entity's board is ultimately responsible for
information security and that the board must ensure that its entity maintains
information security in a manner that is commensurate with the size and
vulnerability of that entity's information assets.

APRA-regulated entities are required to externally audit their organisation’s
compliance with CPS 234 and report to APRA in 2021.

If organisations are non-compliant, they may be required to issue breach notices and
create rectification plans. If organisations are unable to comply with the standards
following this process, APRA may undertake a more formal enforcement process
which may include enforceable undertakings or court proceedings.

Data protection standards Requirements

ISO/IEC 27001 is an international standard on the management of information
security. While the Australian government recommends that organisations comply
with this standard, it is not mandatory.

ASIC's "Cyber resilience good practices" guides Australian corporations on information
security. The guide includes recommendations for periodic review of company cyber
strategies, using cyber-resilience as a management tool, engaging in responsive
cybersecurity governance, collaboration and information sharing, third-party risk
management, and implementing continuous monitoring systems.

The Australian Government Information Security Manual (ISM) outlines a voluntary
cybersecurity framework for organisations based on ACSC advice and includes
security protection principles for designing, implementing and reviewing appropriate
security systems, policies and practices.
Data Protection

The Privacy Act APPs provide a legally binding framework for the collection,
processing, use, storage and dissemination of personal information by APP entities.

APP entities are obliged to take "reasonable steps" to implement policies, practices
and systems to ensure compliance with APPs. The "Privacy Management
Framework", developed by the OAIC, provides governance steps that APP entities
should undertake to meet their privacy compliance obligations, including by
embedding a privacy-compliant culture and by establishing and evaluating privacy
practices and systems.

Legislation for cyber security operations


Data Protection and the APPs

The Privacy Act APPs comprise legally binding obligations for APP entities for:
 Managing personal information openly and transparently (APP1);
 Permitting individuals the right to anonymity/pseudonymity (APP2);
 Collecting solicited personal information (APP3);
 Dealing with unsolicited personal information (APP4);
 Notifying individuals about their collected information (APP5);
 Using or disclosing personal information (APP6), including for direct
marketing (APP7);
 Disclosing personal information overseas (APP8);
 Using government-issued identifiers of individuals (APP9);
 Ensuring the accuracy, currency and completeness of personal information
(APP10);
 Securing personal information (APP11); and
 Permitting individuals to access (APP12) and correct (APP13) their personal
information.

Regulations for cyber security operations


Data Protection
The Privacy Act
The Privacy Act regulates the handling of personal information federally.

"Personal information" under the Privacy Act is defined broadly as information or an
opinion about an identified or reasonably identifiable individual. Personal information
also includes "sensitive information", which includes information or opinions on an
individual’s race, ethnicity, politics, religion, sexual orientation, health, trade
associations and criminal records. Sensitive information is often afforded a higher
level of protection than other personal information.
The Privacy Act applies to "APP entities" which, subject to some exceptions,
include federal government agencies, private sector organisations with an annual
turnover of over AUD3 million and smaller entities with data-intensive business
practices (including private health providers, businesses that sell or purchase
personal information and service providers to the federal government).
NDB scheme
In February 2018, the Privacy Act was amended to include the NDB scheme, which
requires APP entities to notify affected individuals and the OAIC where there are
reasonable grounds to believe that an "eligible data breach" has occurred.
Other data protection laws
Entities dealing with personal information in Australia should also be aware of their
obligations for:
 privacy legislation enacted at the state and territory level, which is largely
similar to the Privacy Act;
 the My Health Records Act, which imposes specific obligations for health
information collected and stored in Australia’s national online health
database;
 state and territory health records legislation enacted in New South Wales
(NSW), Victoria (Vic) and the Australian Capital Territory (ACT); and
 federal, state and territory surveillance legislation, which regulates video
surveillance, computer and data monitoring, GPS tracking and the use of
listening devices on individuals.

Codes for cyber security operations

Industry Standards relating to Data and technology are further divided into the
following categories by committee:
Committee Code   Committee Name
CT-001           Communications Cabling
CT-002           Broadcasting and Related Services
CT-097           Communications Cabling Manual
CT-098           CT-098
CT-099           Dummy committee for ACA Standards
ET-005           ET-005
ET-099           ET-099
EX-004           Graphic Technology
IS-001           IS-001
IT-001           Information Systems - Interconnection

Organisational needs

To provide Network Security – Network security is a technique that enables
organisations to secure computer networks from intruders, targeted attackers, and
opportunistic malware. As the Internet is an assortment of networks associated with
various websites, organisations are often targeted with unauthorised intrusion, with
malicious intent.

To provide Cloud Security – Most organisations are now inclined towards utilising
artificial intelligence to improve their businesses, enhance customer experience, and
for efficient operations. With the plethora of data available at each step of the
organisational set-up, it becomes difficult for organisations to store these data in
physical form.

To provide Internet of Things Security – The Internet of Things is seen as the next
tool for the technological revolution. With the help of its security network, IoT
provides the user with a variety of critical and non-critical devices such as appliances,
sensors, printers and Wi-Fi routers, amongst others.

To provide Application Security – Users rely on many different applications, which
include hardware, software and devices. But an application is equally prone to
cyber-attack or malware, like the networks.
