ITNET301A – Assignment 1 (Due 15 Oct 2018)

Introduction
You are the IT Manager/CIO/CISO of an organisation of your choice. You are required to design the organisation’s
mobility policy present the report the company’s CEO.

The primary goal of the policy is end user enablement; at the same time, the policy must also be enforceable,
manageable, user friendly (hence adoption and compliance), and secure.

Minimum Requirement
You must

1. Define which company/organisation you are working form, real or fictitious are both acceptable. (Lockheed
Martin/ Frank Underwood 2016 Campaign Team/SPECTRE/ABC Hospital/ Meadowbank TAFE/ The
Anonymous /NSA/ Jiro’s Sushi Train etc.)

2. Describe the organisation’s nature (Defence, NFP, Government, Underground Revolutionaries, Finance,
School etc.) and unique policy and/or security challenges. Minimum Users in your Organisation – 25

3. Define Mobility Use Case such as:

a. Sushi Ordering Kiosk
b. Mercedes-Benz Configurator Kiosk
c. Westpac Branch Mobile Concierge
d. Manual Delivery System for Pilots on A350s for QANTAS
e. Peer-to-Peer/ Spoke-and-Hub duress button, see http://www.bbc.com/news/technology-28247504
f. Emergency Communication for your Underground Anti-Government Movement
g. Augmented Reality Zombie Shooting Game
h. Any other creative uses; note that most organisations will have multiple use cases for their devices

4. Define your likely opponent(s):

a. Typical Opponent Profiles
b. Likely attack vector
c. Mode of operations

5. Detail the policy itself, and explain your rationale. You may want to consider:
a. Is BYOD Allowed?
b. Physical Security
c. Do you have a standardised device type, what happened when they are end-of-life?
d. Minimum OS Requirement
e. Lost and Stolen Policy, Device Pool Replenishment
f. Are users allowed to install their personal apps?
g. Are personal use allowed? Limits on personal use? Can the organisation wipe personal data?
h. Device passcode requirement/ Encryption requirement
i. Is SD Cards on devices allowed
j. Periodic Wipe?
k. Compromise Device Policy (i.e. what would you constitute a compromised device that is consider
unsafe?)
l. Must the user bring their device to work? What if they didn’t?
m. Can the organisation track the owner’s location? Do we tell them they are being tracked?
n. Etc.
Assignment Format
Minimum Deliverables

Please consider all of the following areas:

• Policy
• Standard
• Baseline
• Guideline
• Draw the procedure/process of ONE of the following using Cross-Functional Flow Chart1:
o Lost or Stolen
o Security Breach
o New Device/Breach
o Device Troubleshooting
o App Troubleshooting
o New Device Procurement/Provisioning
o Any other relevant procedure/process

Choose ONE

Written Report Video Presentation

Professional Report, approximately 8-10 pages long, Professional Presentation, 30-45 min long
including cover page, executive summary and table of Submitted via Youtube Public or Private Channel.
contents. Shared with ITNET301@gmail.com

Filename: You will receive an email from the company’s CEO

firstname_lastname_A1.docx asking you question. Respond with a half page email
firstname_lastname_A1.vsdx addressing the question.

o You will still be required to draw a process of your

choice using Cross-Functional Flow Chart

Hints:
This is an individual assessment, you are to demonstrate to your boss that:

• You understand the organisation

• You understand the risks
• You understand your likely opponents
• You understand the end users
• Your policy is adequate in addressing the organisation’s needs

There are many, many policies that you can discuss. You must balance between breadth and depth. Focus your
policies that are unique to your use cases and ignore ones that are obviously not applicable:

• In Audi showroom kiosk, you need not discuss BYOD policies, but consider physical security of the device, are
you going to design a special mount? Can the user press the home button or power button?
• If you started a next-gen internet café that people run around with a phone shooting zombies, you may not
worry about encryption, but maybe you need really tough cases so they can survive drops

1
Use Visio if you have access to Visio. If not, LucidChart is a reasonable alternative, MS Paint is fine, pen, paper and rulers are
also perfectly acceptable. You will NOT be penalised for not having access to the right software.
Optional Questions (Will NOT be marked but feedback provided)
Part A – Short Answer, 2 marks each. Point form answers are acceptable.
A1. A Windows 10 laptop with information on Trump Tower was stolen from the Secret Service on 17 March 2017.
The laptop is MDM Enrolled, the laptop is reported last seen 10:10am on the MDM Console, the same day. A device
wipe command was issued on 10:30am, 17 March 2017 but execution cannot be validated. List 2 possible causes.

A2. Apps from the Apple App store requires "signing" prior to being published. Explain how app signing improves the
security of iOS devices and the Apple Ecosystem.

Part B – Paragraph Answer, 5 marks each, you should write about one paragraph for each question.
B1. A Windows 10 laptop with information on Trump Tower was stolen from the Secret Service on 17 March 2017.
After investigation, it is determined that it was the doing of a 17-year-old opportunistic thief. What are the possible
motive from this opportunistic thief? Discuss how an MDM solution, if utilised, would help secure the information in
the laptop.

B2. What is an OS Kernel? What function does a Kernel provide? What three main types of kernels are there?

Part C – Below scenario question is worth 15 marks. You should write about one page in total (part a
– e)
Scenario

Chuck is the sole owner of Norris Sushi. Like most sushi trains, customers may either get the sushi from the train/belt,
or order special sushi (and drinks) with a waitperson.

Chuck, being multitalented, developed a Sushi ordering app for Android, created the database and infrastructures
required to support the app overnight. The use case is that customer should be able to order sushi wirelessly without
needing a waitperson. Chuck decided that he will select his devices based primarily on price, and decided on an
unknown brand of 8" Intel Atom based Android tablet sold at Officeworks for $39 each. These devices do not have a
SIM-slot.

Chuck also ordered 25 custom-made bacteria-proofed case mount specifically designed for the device to be
permanently mounted at each table. Devices are not physically locked, but dismounting a device requires super-
human strength and is sufficient to discourage thieves. Once the device is mounted, users will not have access to
buttons (soft and hard) on the devices.

Question:

a) Explain how an MDM system would help Chuck to manage his fleet of devices. (2 marks)
b) List the MDM Profiles and other settings/configurations/etc. to be pushed that Chuck will likely need for the
successful management of the devices. (3 marks)
c) Before a device can be managed by an MDM, a device will needed to be enrolled into the MDM. Describe the
enrolment process. (4 marks)
d) Upon enrolment to MDM, the MDM server rejects the devices straight away, explain likely cause. (1 mark)
e) Chuck managed to negotiate with Officeworks to replace the budget devices with solid gold iPads for free:
• Device mount has been redesigned and now has a locking mechanism. Chuck is the sole person who
owns the key to the new device mount,
• Chuck’s son, Mike, is responsible for MDM administration, and
• A waitperson is responsible for enrolling new devices.

Using a cross functional flowchart, design a new device provisioning process to provision these new iPads.
(5 marks)