
Level 1, 37 – 39 George Street, Parramatta, NSW 2150 Australia

T: +61 2 8844 1000 | [email protected] | RTO ID: 45432 | CRICOS Code: 03717E

Student Assessment Tasks


ICTCYS606 Evaluate an organisation’s
compliance with cyber security standards
and laws
CONTENTS
Introduction 4
Assessment Task 1: Knowledge Questions 5
Assessment Task 1: Checklist 8
Assessment Task 2: Project Portfolio 9
Assessment Task 2: Checklist 13
Final Results Record 15

ICTCYS606 Student Assessment Tasks v1.1 September 2022


Page 2 of 17
Introduction
The assessment tasks for ICTCYS606 Evaluate an organisation’s compliance with cyber security
standards and laws are outlined in the assessment plan below. These tasks have been designed to
help you demonstrate the skills and knowledge that you have learnt during your course.
Please ensure that you read the instructions provided with these tasks carefully. You should also
follow the advice provided in the IT Works Student User Guide. The Student User Guide provides
important information for you relating to completing assessment successfully.

Assessment for this unit


ICTCYS606 Evaluate an organisation’s compliance with cyber security standards and laws
describes the skills and knowledge required to identify cyber security standards and laws and
evaluate an organisation’s working practices and compliance to these standards and laws as well
as determine changes required to continue compliance.
For you to be assessed as competent, you must successfully complete two assessment tasks:
• Assessment Task 1: Knowledge questions – You must answer all questions correctly.
• Assessment Task 2: Project – You must work through a range of activities and complete a
project portfolio.

Assessment Task 1: Knowledge Questions

Information for students


Knowledge questions are designed to help you demonstrate the knowledge which you have
acquired during the learning phase of this unit. Ensure that you:
• review the advice to students regarding answering knowledge questions in the IT Works
Student User Guide
• comply with the due date for assessment which your assessor will provide
• adhere to your RTO’s submission guidelines
• answer all questions completely and correctly
• submit work which is original and, where necessary, properly referenced
• submit a completed cover sheet with your work
• avoid sharing your answers with other students.

Assessment information
Information about how you should complete this assessment can be found in Appendix
A of the IT Works Student User Guide. Refer to the appendix for information on:
• where this task should be completed
• the maximum time allowed for completing this assessment task
• whether or not this task is open-book.
Note: You must complete and submit an assessment cover sheet with your work. A
template is provided in Appendix C of the Student User Guide. However, if your RTO
has provided you with an assessment cover sheet, please ensure that you use that.

Questions
Provide answers to all of the questions below:

1. Document and describe three cyber security risks.

Cyber security risk | Description

Malware | Malware is a cyber security threat that is malicious in nature. It comes in different forms such as spyware, ransomware, viruses and worms. Malware can block access to the network components of an organisation, spy on its activities, damage the intellectual property of the organisation and steal data from the organisation.

Denial of Service | A denial-of-service attack is a form of cyber-attack that intends to disrupt the network of an organisation by flooding it with requests that the organisation’s network is unable to respond to. It seeks to disrupt the operations of the organisation; when it is carried out at large scale using botnets and similar means, it is called a Distributed Denial of Service (DDoS) attack.

Phishing attack | A phishing attack uses communication channels to obtain the personal information of an individual. It seeks to trick the individual by sending them an email which looks legitimate at first but is in fact a fake email disguised as such; if the individual carries out the instructions in the email, their personal information is stolen by the adversary.

2. Explain what is meant by tolerance of risk relevant to cyber security. Give examples of high,
medium and low risk tolerance.

Risk tolerance refers to the amount of risk an organisation is willing to incur to achieve its aims
and objectives. It is the decision to accept a risk rather than mitigate it. This is
done when the cost and time of mitigating the risk are higher than the loss that the risk itself
can cause. Risks damage the assets of an organisation, which means that as long as the
important and critical assets of the business are not vulnerable and business operations
can be carried out as required, the risk is within tolerance. For example, if an asset of the company is insured
and is not critical to business operations, a threat to it such as deleting a file
that an employee has been working on for a day falls within risk tolerance. High risk tolerance is when
investors are willing to take on risks to achieve their goal even though the assets of the
organisation are vulnerable to threats which may result in the collapse of the company. Medium
risk tolerance is when investors are not willing to risk the critical assets of the
organisation and wish to keep the business afloat even after the risk occurs. Low risk
tolerance is when investors do not wish to incur much risk and prioritise avoiding losses over making
gains.

3. Complete the table below by describing the relevance of each of the following standards and
laws to cyber security.

Standards and laws | Relevance to cyber security and risk management, and website reference

Data protection and privacy – Privacy Act 1988 | This Act deals with how the personal information of an individual is handled by an organisation, including gathering, storing, using and disclosing it. Organisations gain a lot of personal information, from their own employees to their customers. This Act prevents organisations from misusing this information and ensures the privacy of consumers, so that consumers can trust the organisation with their personal information.

Notifiable data breaches – Privacy Amendment (Notifiable Data Breaches) Act 2017 | The Privacy Amendment Act 2017 is an amendment of the Privacy Act 1988 which defines data breaches such as unauthorised access to, unauthorised disclosure of, or loss of personal information. When the disclosure or loss is likely to result in harm to any individual, it is defined as a data breach. This is relevant to cyber security as it allows entities to understand what they need to do, and are required to do, to use and secure the personal information in their organisation.

Standards – Essential Eight Strategies | The Essential Eight strategies are recommended by the Australian Cyber Security Centre (ACSC) and help prevent malware delivery and mitigate the impact of cyber-attacks on organisations. The eight strategies are Application Control, Application Patching, Restrict Administrative Privileges, Patch Operating Systems, Configure Microsoft Office Macro Settings, User Application Hardening, Multi-Factor Authentication and Regular Backups. By following these strategies organisations are able to secure their networks from malware attacks and to recover after a malware attack.

4. List three examples of business process and cyber security requirements associated with
these requirements.

Business process | Example of a cyber security requirement

Hosting a website | Many organisations have their own website through which they provide services and information to customers, and this website can be attacked using DDoS attacks. Anti-DDoS hardware and software should therefore be used in the organisation, as these tools mitigate or repel the damage done by a DDoS attack.

Day-to-day employee operations | Employees can make mistakes when working in an organisation. It is bound to happen at some point and the damage can hinder the business. To mitigate the damage done, or to prevent the mistake itself, proper policies and procedures should be developed which employees can reference to know what they can and cannot do.

Employee remote access | Employees who are required to travel will need to access the organisation’s network from outside the company, which may lead to compromise if security measures are not taken, which is why Virtual Private Networks should be used to secure employee remote access.

5. List the principles of cyber security.

The principles of cyber security are as follows:

• Layering: Layering is the process of implementing as many security measures as
possible in the organisation so that adversaries have a harder time getting to
the core data and information of the business.
• Limiting: Limiting is the process of restricting the privileges of employees and customers so that they
access only what is necessary. By doing so, in case an employee’s
account is compromised, the damage that can be done is limited.
• Diversity: Diversity means cyber security should be diverse and varied, meaning that for
each threat a different security measure should be implemented. It is similar to layering, but
it focuses on using different types of security measures rather than having more layers.
• Obscurity: Obscurity is the principle that the business processes of the
organisation should be kept vague to the public, as this leaves adversaries with limited
attack vectors, which in turn secures the organisation’s systems because adversaries
are unable to fully understand the business processes and operations.
• Simplicity: Cyber security options and measures should be made as simple as
possible so that employees can follow them and understand what is required of
them. Simplifying the security system does not mean using simplistic cyber security
measures, as that would compromise the whole of cyber security.

6. List three methods of identifying cyber security incidents.

The three methods of identifying cyber security incidents are as follows:

• Logging systems: Logs are records of events that occurred in the systems and
network of the organisation. Logs contain information about the event and the time of the
event. Logs allow one to detect cyber security incidents as they provide information
on every event on the network. By enabling and managing the logs of the
organisation, one can understand any malicious activity going on in the network.
• Real-time monitoring of the network: Real-time monitoring of a network refers to
monitoring the network 24/7. It allows one to detect security incidents as soon as they
occur. Pattern recognition systems can recognise the patterns of malware and
how it acts, which is then detected by the system and reported to the user. Anti-
malware software has a real-time protection option which monitors the computer
system as long as it is active.
• Intrusion Detection System: An Intrusion Detection System (IDS) is also a monitoring
system which detects suspicious activities and generates alerts immediately after
threats are detected. An IDS works on the principle of monitoring and detecting security
incidents in the network it is connected to by using signatures and anomalies. While
an IDS works at the end point of the network and detects security incidents, it provides no
measures to deal with the incident.
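As an added illustration of the logging and IDS methods above (this is example code, not part of the assessment document): a small detector that reads timestamped log lines and raises alerts in the two ways an IDS does, by matching a known signature and by spotting an anomalous rate of failed logins from one source. The log lines, host names, IP addresses and thresholds are all constructed for the example.

```python
"""Added example: signature- and anomaly-based detection over log lines.
Not part of the ICTCYS606 assessment; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like sample lines (fictional hosts and IP addresses).
SAMPLE_LOG = """\
2022-09-01T09:00:01 sshd[411]: Failed password for root from 203.0.113.5
2022-09-01T09:00:03 sshd[411]: Failed password for root from 203.0.113.5
2022-09-01T09:00:04 sshd[411]: Failed password for admin from 203.0.113.5
2022-09-01T09:00:06 sshd[411]: Failed password for admin from 203.0.113.5
2022-09-01T09:00:07 sshd[411]: Failed password for test from 203.0.113.5
2022-09-01T09:00:09 sshd[411]: Accepted password for alice from 198.51.100.7
2022-09-01T09:05:00 kernel: usb 1-1: new high-speed USB device
2022-09-01T09:07:12 sshd[520]: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+?): (.*)$")        # time, source, message
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

# Signature rule (constructed): a pattern that should never appear in our logs.
SIGNATURES = {
    "ssh-root-login-attempt": re.compile(r"Failed password for root"),
}


def parse_line(line):
    """Return (timestamp, source, message), or None if the line is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Return alert strings produced by the signature and anomaly rules.

    Anomaly rule: `threshold` or more failed logins from one IP inside
    `window` is reported once, at the event that crosses the threshold.
    """
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    flagged = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                # unparseable lines are skipped, not fatal
        ts, _, msg = parsed
        # Signature-based detection: exact known-bad pattern in the message.
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append(f"{ts.isoformat()} SIGNATURE {name}")
        # Anomaly-based detection: unusual failure rate from a single source.
        m = FAILED_RE.search(msg)
        if m:
            ip = m.group(2)
            recent = [t for t in failures[ip] if ts - t <= window]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ts.isoformat()} ANOMALY brute-force from {ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run on the sample, the detector raises two signature alerts (the two root attempts) and one anomaly alert at the fifth failure from 203.0.113.5; the single failure from 198.51.100.7 stays below the threshold.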

7. Describe how Malware constitutes a cyber security incident.

Malware is the most common type of cyber-attack. Malware is malicious software that
acts on the victim’s system. Malware can reach a victim’s system from various sources
such as phishing emails, untrusted websites on the Internet, shared networks, and more. There are
different types of malware, but all of them infect the victim’s computer for the personal gain
of the adversary. Ransomware locks victims out of their computers in order to demand a ransom.
When it is used against an organisation, the adversary can demand millions of dollars to unlock the system,
or else the sensitive data of the organisation will be leaked, which damages the company’s
reputation and causes customers to lose trust in the company. Rootkits, on the other hand, gain
unauthorised access to victims’ computers and steal sensitive data from them, which
can be valuable depending on who the data is sold to.

8. List and describe three other types of cyber security incidents (including security vulnerabilities).

Ransomware | Data encryption leading to the cost of a ransom.

DDoS attack | A DDoS attack causing the organisation’s web services to go down, making it impossible for customers to receive the web services of the organisation. This occurs when the organisation does not have a DDoS response plan set out.

Worm infection | The computers in the organisation being infected by worms which consume the resources of the computers and the network, interrupting the business processes of the organisation. This wastes the organisation’s time and can cause detrimental damage to the organisation. This occurs when security measures such as anti-malware software have not been put in place.

Phishing attack | An employee of the company falling victim to a phishing attack and giving out sensitive information of the company, which may damage the reputation of the company. This happens when the policies and procedures of the company are not clearly defined and employees are not aware of cyber threats.

Assessment Task 1: Checklist

Student’s name: Muhammad Usman

Did the student provide a sufficient and clear answer that addresses the suggested answer for the following? | Completed successfully? (Yes / No) | Comments

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Task outcome: ☐ Satisfactory ☐ Not satisfactory

Assessor signature:

Assessor name:

Date:

Assessment Task 2: Project Portfolio

Information for students


In this task, you are required to demonstrate your skills and knowledge by working through a
number of activities and completing and submitting a project portfolio.
You will need access to:
• a suitable place to complete activities that replicates a business environment including a
meeting space and computer and internet access
• your learning resources and other information for reference
• Project Portfolio template
• ICTCYS606 Simulation Pack.
Ensure that you:
• review the advice to students regarding responding to written tasks in the IT Works Student
User Guide
• comply with the due date for assessment which your assessor will provide
• adhere to your RTO’s submission guidelines
• answer all questions completely and correctly
• submit work which is original and, where necessary, properly referenced
• submit a completed cover sheet with your work
• avoid sharing your answers with other students.

Assessment information
Information about how you should complete this assessment can be found in Appendix
A of the IT Works Student User Guide. Refer to the appendix for information on:
• where this task should be completed
• how your assessment should be submitted.
Note: You must complete and submit an assessment cover sheet with your work. A
template is provided in Appendix B of the Student User Guide. However, if your RTO
has provided you with an assessment cover sheet, please ensure that you use that.

Activities
Complete the following activities:

1. Carefully read the following:

This assessment task requires you to identify cyber security standards and laws
and, based on these, evaluate an organisation’s compliance with them, as well as the
changes that are required.
This project can be based on the case study business in the ICTCYS606 simulation
pack or you may like to base this on your own business, or a business you are
currently working for or are familiar with. Speak to your assessor to get approval if
you want to base this on your own business or one you work for.

2. Planning

Make sure you are familiar with the business you are basing this assessment on
and have read through the necessary background information and policies and
procedures. For the case study business, this is all of the documents included in
the ICTCYS606 simulation pack. If it’s your own business or a business where you
are working or are familiar with, it’s important at this step that you have your
business or case study approved by your assessor.
Complete Page 4 of your Project Portfolio for this unit.
Read through the requirements of Section 1, 2, 3 and 4 of your Project Portfolio.

3. Research

You are now to complete Section 1 of your Project Portfolio.


When you complete Section 1, you need to:
• Research and report on standards and laws relevant to cyber security and the
organisation’s operations.
• Review and report on the organisation’s existing cyber security compliance
strategies.
• Determine the time period during which you will evaluate compliance with
cyber security standards and laws, as well as benchmarks.
Complete Section 1 of your Portfolio.

4. Compliance assessment preparation

You are now to prepare to conduct your compliance assessment. Assume that you
have been instructed to focus your compliance assessment on:
• Surveying employees to find out their knowledge of security and compliance
issues.
• Reviewing the company’s cyber security policy and procedures.
To survey employees, you will need to develop a number of questions to find out
about knowledge of cyber security and compliance issues. Develop your questions
for use in the next activity.
Note these questions down in your Section 2 of your Portfolio.

5. Compliance assessment

You are now to conduct your compliance assessment.


First of all, conduct your survey of employees. If you are completing this in your
RTO, this will be a roundtable discussion with a small group of students (4–5
students) who are also studying this unit. Each person will ask questions about
the other students’ knowledge of cyber security and compliance issues. Make notes on
the discussion for use in the next activity.
If you are completing this at work, you may survey employees in any appropriate
way such as through a meeting or survey.
Following the survey of employees, you are also to review and evaluate the Cyber
Security Policy and Procedures. You may either review the Cyber Security Policy
and Procedure in the simulation pack or your workplace’s procedure.
Complete Section 3 of your Portfolio to report on your findings. Your findings should
include areas of non-compliance/near misses as relevant.

6. Compliance strategy

Now that you have completed your compliance assessment, you are to develop a
strategy to address compliance requirements and to ensure that the organisation is
continually meeting its obligations.
Once you have developed your Strategy, submit your Portfolio to your assessor
and request feedback (follow the instructions in your Portfolio).
You will also need to document their feedback and respond to it before finalising
your Portfolio and submitting it to your assessor.
Submit Section 4 of your Portfolio on completion of all of the above.

7. Submit your completed Project Portfolio

Make sure you have completed all sections of your Project Portfolio, answered all
questions, provided enough detail as indicated and proofread for spelling and
grammar as necessary.
Submit to your assessor for marking.

Assessment Task 2: Checklist

Student’s name:

Did the student: | Completed successfully? (Yes / No) | Comments

Identify standards and laws required for the organisation’s cyber security operations and summarise findings?

Analyse cyber security laws and standards and how these relate to the organisation’s cyber operations?

Obtain and analyse the organisation’s existing cyber security compliance strategies?

Document analysis of the cyber security compliance strategies review?

Determine the time period for undertaking the compliance evaluation, as well as the benchmarks that will be used?

Conduct the compliance assessment following the instructions provided?

Document the findings of the compliance assessment in the Portfolio?

Identify and document areas of non-compliance and near misses?

Develop and document all compliance requirements?

Develop an ongoing evaluation strategy for cyber security?

Submit requirements to assessor?

Submit all documents and seek and respond to feedback?

Task outcome: ☐ Satisfactory ☐ Not satisfactory

Assessor signature:

Assessor name:

Date:

Final Results Record

Student name:

Assessor name:

Date

Final assessment results

Task | Type | Result: Satisfactory (S) / Unsatisfactory (U) / Did not submit (DNS)

Assessment Task 1 | Knowledge questions | S / U / DNS

Assessment Task 2 | Project Portfolio | S / U / DNS

Overall unit results | Competent (C) / Not yet competent (NYC)

Feedback

☐ My performance in this unit has been discussed and explained to me.

☐ I would like to appeal this assessment decision.

Student signature: _________________________________________ Date: _________________

☐ I hereby certify that this student has been assessed by me and that the assessment has been
carried out according to the required assessment procedures.

Assessor signature: _______________________________________ Date: _________________
