CAB240 Information Security – Semester 2 2019 Mobile Phone Security Investigation Report Part 2 – Task Requirements This task is an investigation of information security issues associated with your personal mobile phone, performed by applying the information security risk management process described in Lecture 3, although in a limited way (not all risks will be identified). Your report on the investigation will have three parts, with submission points across the semester. The focus of your analysis in each part is as follows: • Part 1 is establishing the context, identifying relevant examples of information security threats and vulnerabilities and identifying risks to your information. • Part 2 is on privacy aspects related to mobile applications, and the associated risks. • Part 3 is on countermeasures to mitigate the risks you identified in Parts 1 and 2. PART 2 Task requirements (and page length guidelines) In Part 2 you will extend your Part 1 report to include consideration of the impact of mobile phone apps on privacy. Details on the report requirements for Part 3 form a separate document. Your Report Part 2 should consist of the following sections: 1. An introduction (1-2 pages, certainly no more than two pages). Your introduction should a. discuss the importance or significance of your mobile phone security b. define the purpose of this report (extends the Part 1 report) c. outline the issues to be discussed (add some text into your Part 1 introduction to include the privacy material you will introduce in Part 2). d. inform the reader of any limitations to the report, or any assumptions made. For example, you only consider the privacy policy connected with one application, although you have many on your phone. What did you base your selection on? 2. Context establishment (This is existing material from your Part 1 report) a. A brief description of the information assets (2 pages) b. An overview of your use of the device (1-2 pages) 3. Risk Assessment (This is existing material from your Part 1 report) (one example for each of the following four categories – 1 page for each example) a. A summary of a *recent article identifying a security issue associated with a mobile device application b. A summary of a *recent article identifying a security issue associated with a mobile device operating system (the operating system, not an application issue), c. A summary of a *recent article identifying a security issue associated with mobile device user behavior, d. A summary of a *recent article identifying a physical threat to a mobile phone e. A risk assessment conclusion relating issues you have identified in this risk 4. Privacy Analysis (This is new material in your report) a. Privacy Policy Summary – A summary of the privacy policy for an app you use frequently, (3-4 pages) including: i. The name of the app, ii. The type of information the app collects, iii. How the information is collected, iv. When the information is collected (only when you are actively using the app, or at other times; if so provide details), v. How relevant the collected information is to your use of the app, vi. How the information is used by the app providers, vii. How long collected information is stored for, and how and where it is stored, viii. Whether encryption is used for data transmission and/or storage, ix. Whether collected information is shared, who information may be shared with, and how the shared information may be used by third parties, and x. Whether you (the app user) have access to the information held and, if so, how to obtain access to your data. b. Privacy risk identification and risk analysis (1-2 pages) for the data associated with the app. i. Which sort of analysis can you perform – quantitative or qualitative? ii. Outline any limitations in the process or discuss difficulties you encounter in completing the risk analysis (such as difficulty in obtaining information on how the organization handles the information it collects). c. A privacy conclusion relating the information use by the app discussed in your report to your personal information security and to user privacy (1 page). i. This should make connections between the points discussed in the earlier sections. How frequently do you use the app? How important is it to you? What sort of information is involved? What is important about that information (relate to CIA goals). ii. Which assets are most at risk – what are the vulnerabilities and the threats that could exploit them? What would the impact be, and why is this important for you, as the device owner/user? iii. How is this connected to user privacy? How closely does the app privacy policy meet the requirements of Australian privacy legislation? 5. Reference list. Details of source material referred to in the report. Some of the listed items will be from Part 1, but you will have additional privacy investigation references to add. Remember to include citations in the text of your report that connect to the references listed here. Academic writing An important aspect of this assessment task is locating relevant information. However, your report should be in your own words. Do not just ‘cut and paste’ or copy information from any source into the body of your report: that is plagiarism (a breach of academic integrity) and is not acceptable in Australian universities. A useful guide to referencing, citation and report writing is: http://www.citewrite.qut.edu.au/ . QUT librarians will also provide assistance; check the QUT Library homepage for links. SERIOUS WARNING! When breaches of academic integrity are detected, the Unit Coordinator must notify the Faculty Academic Integrity Committee. The penalties imposed may be severe (See QUT MOPP for details). In previous years, students have failed this unit as a result of the applied penalty. . Also, the time taken to determine the penalty varies depending on the committee’s case load, and could be months. This may delay your progress in your course, or hold up your graduation date. Report presentation Please include the CAB240 unit code and your name and student number in the header or footer of each page. Use 12 point sized font. Report submission Electronic submission of a single file is via the Turnitin link on the CAB240 blackboard site. Look for the Submission Link for Report Part 2. Under QUT’s Late Assessment policy, late submissions without an approved extension receive a mark of 0 (so do submit before the deadline!).
